Partager via


3.2.5 Message Processing Events and Sequencing Rules

The client-side plug-in GPOs MUST be triggered by the Group Policy framework whenever applicable GPOs need to be processed. When such an event occurs, the client-side plug-in takes the appropriate actions.

When triggered, the client-side plug-in expects a list of applicable GPOs. It MUST then go through this list and, for each GPO, locate and retrieve the contained security policy.

After all the security policies are retrieved, each policy MUST be opened and the contained security policy settings MUST be extracted and applied.

When the policy application step is completed, an appropriate error code MUST be returned to the Group Policy framework, as specified in [MS-GPOL], to indicate the success or failure of the operation.

The Group Policy: Core Protocol MUST invoke the client-side plug-in for each GPO that it identifies as containing Group Policy: Security Protocol Extension protocol settings. For each of those GPOs, one file with the format (as specified in section 2.2) MUST be copied from the Group Policy: Core Protocol server. If any file cannot be read, the client-side plug-in MUST ignore the failure and continue to copy files for other GPOs.

The Group Policy: Core Protocol client MUST determine a list of GPOs for which this protocol MUST be executed, as specified in [MS-GPOL] section 3.2.5.1.

For each GPO, the client-side plug-in MUST do the following:

  1. Perform an SMB File Open on the file specified by <gpo path>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf (where <gpo path> is the GPO path in the GPO). If an error is encountered while opening the file, an error MUST be indicated to the Group Policy system (as specified in [MS-GPOL] section 2.2.7) on the client machine and processing MUST be stopped.

  2. Perform a series of SMB File Reads to read the entire contents of the opened file until the entire file has been read or an error in reading occurs. If an error is encountered while reading the file, an error MUST be indicated to the Group Policy system (as specified in [MS-GPOL]) on the client machine and processing MUST be aborted.

  3. Perform an SMB File Close to close the file.

When using SMB to open or read files as described in the preceding steps, the client-side plug-in SHOULD handle error codes returned by the SMB protocol as specified in [MS-SMB] section 2.2.2.4 or [MS-SMB2].

The client-side plug-in MUST parse the file according to the format specified in section 2.2. If the file does not conform to that format, the entire configuration operation MUST be ignored. If the file does conform to that format, the settings MUST be applied to the corresponding security parameters on the system.

In applying security policies, several Group Policy: Security Protocol Extension setting names correspond to Abstract Data Model shared variables for which the normative definition is provided in other documents (see section 3.2.1.) The setting name and the corresponding Abstract Data Model shared variables are provided in the following tables. For each such setting that is read from a GPO .inf file, the client-side plug-in MUST set the value of the ADM variable in the right-hand column of the table to the value for the setting in the left-hand column.