Microsoft KB Archive/198721

= Description of Group Policy Enrollment =

Article ID: 198721

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q198721



SUMMARY
The process of transferring a policy defined in a Group Policy Object (GPO) from its Active Directory home container to one or more recipient objects (user or computer) is known as Policy Enrollment.



MORE INFORMATION
There are three parts to enrolling a policy:
 * Client authentication
 * Request, impersonation, listing, and validation of policy
 * Policy enrollment

CLIENT AUTHENTICATION
To enroll a policy, a client first issues a request to the server for an authenticated connection to the Policy Agent service. The agent is a Windows 2000 service designed to provide policy service support to requesting clients. Using the services of the Security Support Provider Interface (SSPI), the server processes the connection request by matching the requesting client's credentials to those stored at the server. If the credentials provided by the client are valid, the server grants the client's request to connect to the Policy Agent service. A sample request/response authentication packet might look like:

Request Packet
R_LOGON: RPC Client call logon:NetrServerReqChallenge(..)
R_LOGON: LOGONSRV_HANDLE PrimaryName = \\UNIDAD.gob.gq.
R_LOGON: wchar_t ComputerName = JUSTICIA
R_LOGON: PNETLOGON_CREDENTIAL ClientChallenge {..}
R_LOGON: CHAR data [..] = 77 D3 B3 8C 32 A6 E8 9C

Response Packet
R_LOGON: RPC Server response logon:NetrServerReqChallenge(..)
R_LOGON: PNETLOGON_CREDENTIAL ServerChallenge {..}
R_LOGON: CHAR data [..] = 80 73 11 A6 0F 03 7D B3
R_LOGON: Return Value = 0 (0x0)

REQUEST, IMPERSONATION, LISTING, AND VALIDATION OF POLICIES
After it is authenticated, the client issues a policy request packet to the server over the authenticated connection. At the server, the Policy Agent service receives the request and impersonates the requester (the security principal context under which the client is running) before calling the GetGPOList API, which returns a list of the policies that apply to the requesting client. For each policy returned, a policy validation check is run by calling the LoadPolicy API. The validated information is extracted and sent to the requesting client. A sample policy request and impersonation packet might look like:

SMB: C NT create & X, File = \gob.gq\Policies\{93AD8E69-7982-11D2-B2DB-00C04F8EEC4A}\Machine\registry.pol
SMB: NT status code = 0x0, Facility = System, Severity = Success, Code = (0) STATUS_WAIT_0
SMB: Header: PID = 0x00AC TID = 0x6006 MID = 0x0180 UID = 0x4000
SMB: Command = C NT create & X
SMB: Word count = 24
SMB: Word parameters
SMB: Next offset = 0xDEDE
SMB: Word count = 24
SMB: Word parameters
SMB: Name Length (NT) = 152 (0x98)
SMB: Create Flags DWord = 0x00000016
SMB: Root Dir FID = 0x00000000
SMB: Desired Access = 0x00020089
SMB: File Allocation Size = 0x0000000000000000
SMB: NT File Attributes = 0x00000080
SMB: File Share Access = 0x00000001
SMB: Create Disposition = Open: If exist, Open, else fail
SMB: Create Options = 68 (0x44)
SMB: Impersonation Level = 0x00000002 <- server impersonation is set here
SMB: Security Flags = 0x03
SMB: Byte count = 155
SMB: File name = \gob.gq\Policies\{93AD8E69-7982-11D2-B2DB-00C04F8EEC4A}\Machine\registry.pol
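As an added illustration (not part of the original article), the following Python decoder reads the field values out of a Network Monitor style dump like the one above and reports what the registry.pol open actually asked for: which ACCESS_MASK bits are in Desired Access, whether any of them permit modification, and which impersonation level the client requested. The bit and level constants are the standard SMB/FSCC definitions; the sample input is constructed from the trace shown above.

```python
import re

# Subset of the ACCESS_MASK bits defined in [MS-FSCC]/[MS-SMB] (constants from the spec)
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
# Any of these bits would let the open modify the policy file or its security descriptor
WRITE_BITS = (0x00000002 | 0x00000004 | 0x00000010 | 0x00000100 | 0x00010000
              | 0x00040000 | 0x00080000 | 0x10000000 | 0x40000000)
IMPERSONATION_LEVELS = {0: "Anonymous", 1: "Identification", 2: "Impersonation", 3: "Delegation"}

# Constructed input: a trimmed copy of the NT create & X dump shown in the article
SAMPLE = (
    r"SMB: C NT create & X, File = \gob.gq\Policies\{93AD8E69-7982-11D2-B2DB-00C04F8EEC4A}\Machine\registry.pol "
    "SMB: Desired Access = 0x00020089 SMB: File Share Access = 0x00000001 "
    "SMB: Create Options = 68 (0x44) SMB: Impersonation Level = 0x00000002 SMB: Security Flags = 0x03 "
    r"SMB: File name = \gob.gq\Policies\{93AD8E69-7982-11D2-B2DB-00C04F8EEC4A}\Machine\registry.pol"
)

def parse_smb_fields(text):
    """Collect 'SMB: <field> = <hex>' pairs (also the 'decimal (0x..)' form) from a dump."""
    fields = {}
    for m in re.finditer(r"SMB: ([A-Za-z ()]+?) = (?:\d+ \()?(0x[0-9A-Fa-f]+)", text):
        fields[m.group(1).strip()] = int(m.group(2), 16)
    name = re.search(r"File name = (\S+)", text)
    return fields, (name.group(1) if name else None)

def decode_bits(value, table):
    return [name for bit, name in table.items() if value & bit]

def assess_create(text):
    """Summarise what an NT create & X request asks for on a GPO file."""
    fields, path = parse_smb_fields(text)
    access = fields["Desired Access"]
    level = fields["Impersonation Level"]
    return {
        "path": path,
        "access": decode_bits(access, ACCESS_BITS),
        "requests_write": bool(access & WRITE_BITS),
        "impersonation": IMPERSONATION_LEVELS.get(level, "unknown"),
        "requests_delegation": level == 3,
    }
```

For the trace above the decoder shows a read-only open (FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL) at the Impersonation level; a policy-file open that carries write bits or asks for Delegation is the kind of deviation worth flagging when reviewing captures.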

POLICY ENROLLMENT
As soon as the requesting client receives a response packet from the server containing the validated policies, they are applied or enrolled to the appropriate object (user or computer).

Additional query words: 2000

Keywords: kbinfo kbnetwork KB198721

-


© Microsoft Corporation. All rights reserved.