3.2.5.1.5 GPO Search

This message requires the success of all previous messages that have retrieved a scope of management and a gpLink that are associated with each of the SOMs, and have stored them in the SOM list. If this message is invalid, policy application MUST be terminated and an event logged using an implementation-specific mechanism, as defined in section 3.2.5.1.

The following steps MUST be used to create a prioritized list of GPOs:

  1. Set Allow-Enforced-GPOs-Only to FALSE.

  2. For each SOM in the SOM list, beginning with the first SOM:

    1. Retrieve gpLink and gpOptions attributes of current SOM: searchRequest defined by baseObject: DN of SOM, scope: zero, filter: objectClass=*, attributes: gpLink and gpOptions.

    2. The client MUST parse the gpLink value into a list of individual directory strings of the following format, as specified in section 2.2.2.

       [<GPO DN>;<GPLinkOptions>]
      

      For each directory string in the list, if the decimal representation of the GPLinkOptions bit field does not specify that the GPO DN MUST be ignored, an element MUST be appended to the end of SOM GPLink list as follows:

      1. GPO DN field MUST be set to the GPO DN in the directory string.

      2. The Enforced field MUST be set to TRUE, if the decimal representation of the GPLinkOptions bit field specifies that the GPO DN is an enforced GPO; otherwise, it MUST be set to FALSE.

    3. For each element in the SOM GPLink list, beginning with the first element:

      1. If the Enforced field is FALSE, and Allow-Enforced-GPOs-Only is set to FALSE, the GPO DN MUST be prepended to the beginning of the Non-enforced GPLink list.

      2. The element MUST be removed from the SOM GPLink list.

    4. For each element that remains in the SOM GPLink list, beginning with the first element:

      1. GPO DN MUST be appended to the end of the Enforced GPLink list.

      2. The element MUST be removed from the SOM GPLink list.

    5. If the gpOptions value for the SOM is set to directory string "1", as specified in section 2.2.2, Allow-Enforced-GPOs-Only MUST be set to TRUE.

  3. For each GPO DN in the Non-enforced GPLink list, beginning with the first element, GPO DN MUST be appended to the end of the GPLink list.

  4. For each GPO DN in the Enforced GPLink list, beginning with the first element, GPO DN MUST be appended to the end of the GPLink list.

  5. The list of GPO DNs MUST be grouped on the basis of domain. In each domain, all of the GPO DNs in that domain MUST be placed as a logical OR in the LDAP Filter. Initialize "invalid" flag to False. While "invalid" flag is False, the next group of GPO DNs MUST be queried as follows:

    1. If the current group's domain is different from that stored in abstract element Policy Target Domain DN, bind to the new domain using the sequence shown in section 3.2.5.1.1, DC Discovery and AD Connection Establishment.

    2. Disable LDAP_OPT_REFERRALS, as specified in [MS-ADTS] section 7.6.1.2, Setting an LDAP Option on an ADConnection.

    3. Perform an LDAP SearchRequest as specified in section 2.2.4 to verify the specified requirements.

      1. If the LDAPMessage response buffer is empty, log an error and set "invalid" flag to True.

      2. Otherwise, every LDAPMessage response buffer, along with the current domain's LDAP handle used for generating the query, can be cached within the abstract element GPLink List for later retrieval of attribute values. For each GPO in the group, the following file access sequences MUST be generated:

        • File Open request for the gpt.ini file (defined in section 2.2.4) stored on the server.

        • One or more file reads MUST be done until either the entire contents of the opened file are read or an error in reading occurs.

        • A file close operation MUST then be issued.

          If there are any errors in processing the previous messages, policy application MUST be terminated and an event logged using an implementation-specific mechanism, as defined in section 3.2.5.1.

  6. For each DN in the GPLink list, beginning with the first element:

    • If the GPO was returned in the LDAP searchResponse (it is expected that not all GPOs in the search will be returned due to access control issues or replication issues), an element MUST be added to GPO list as follows:

      1. The GPO Versions field MUST be updated by the GPO container version and GPO file system version, as specified in section 3.2.1.4.

      2. The Scoped GPO DN field MUST be set to a Unicode computer-scoped GPO DN or user-scoped GPO DN by prefixing "CN=Machine," or "CN=User," to the current DN of GPLink list.

      3. The Scoped GPO Path field MUST be set to a Unicode computer-scoped GPO path or user-scoped GPO path by appending "\Machine," or "\User," to the transformed value of the directory string attribute gPCFileSysPath in the LDAP searchResponse.

      4. The GPO GUID field MUST be set to the value of the cn attribute in the LDAP searchResponse.

      5. The displayName field MUST be set to the value of the displayName attribute in the LDAP searchResponse.

      6. The ExtensionList field MUST be set to an array of curly braced GUID strings formed by parsing CSE GUID from the value of the gPCMachineExtensionNames or gPCUserExtensionNames attributes in the LDAP searchResponse.

      7. The FunctionalityVersion field MUST be set to the value of the gPCFunctionalityVersion attribute in the LDAP searchResponse.

      8. The SecurityDescriptor field MUST be set to the value of the ntSecurityDescriptor attribute in the LDAP searchResponse.

      9. The WMI Filter field MUST be updated with the value of the gpcWQLFilter attribute, if present in the LDAP searchResponse.

    • If the GPO was not returned in the LDAP searchResponse, the GPO MUST be ignored.

  7. The Policy Target Security Token MUST be initialized to the security token of the Policy Target.

    • For computer policy mode, retrieve the machine token that is associated with the security context of the server using Kerberos authentication.<18>

    • For user policy mode, retrieve the impersonation token of the caller.<19>

  8. For each GPO in the GPO list, beginning with the first element:

    1. The checks specified in section 3.2.5.1.6 MUST be performed.

    2. If the represented GPO passes access checking:

      1. WMI filter evaluation (section 3.2.5.1.7) can be performed.

      2. If the represented GPO is considered allowed, append it to abstract element Filtered GPO list.

If there are any errors in processing the previous messages, policy application MUST be terminated and an event logged using an implementation-specific mechanism, as defined in section 3.2.5.1.
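As an added illustration that is not part of MS-GPOL, the following Python models steps 1 through 4 above: it parses each SOM's gpLink value into the directory strings of section 2.2.2 (GPLinkOptions bit 0x1 marks a link that MUST be ignored, bit 0x2 an enforced link), honours a gpOptions value of "1" by setting Allow-Enforced-GPOs-Only, and returns the prioritized GPLink list. It assumes the LDAP retrieval of step 2.1 has already been performed and that the SOM list is ordered nearest SOM first; the Som class, the function names and the sample DNs are constructed for this example.

```python
import re
from dataclasses import dataclass

LINK_DISABLED = 0x1  # GPLinkOptions bit: the GPO DN MUST be ignored (section 2.2.2)
LINK_ENFORCED = 0x2  # GPLinkOptions bit: the link is enforced (section 2.2.2)
_LINK_RE = re.compile(r"\[([^;\]]+);(\d+)\]")  # one [<GPO DN>;<GPLinkOptions>]

@dataclass
class Som:
    gp_link: str = ""      # raw gpLink value ("" when the attribute is absent)
    gp_options: str = "0"  # raw gpOptions value; "1" blocks inheritance

def parse_gp_link(value):
    """Step 2.2: (gpo_dn, enforced) per non-ignored link; malformed -> error."""
    links, pos = [], 0
    for m in _LINK_RE.finditer(value):
        if m.start() != pos:
            break                          # garbage between directory strings
        pos = m.end()
        opts = int(m.group(2))
        if not opts & LINK_DISABLED:
            links.append((m.group(1), bool(opts & LINK_ENFORCED)))
    if pos != len(value):
        raise ValueError("malformed gpLink at offset %d" % pos)
    return links

def build_gplink_list(som_list):
    """Steps 1-4: the prioritized GPLink list, in processing order."""
    allow_enforced_only = False                # step 1
    non_enforced, enforced = [], []
    for som in som_list:                       # step 2: nearest SOM first
        for gpo_dn, is_enforced in parse_gp_link(som.gp_link):
            if is_enforced:
                enforced.append(gpo_dn)        # step 2.4: append to Enforced list
            elif not allow_enforced_only:
                non_enforced.insert(0, gpo_dn) # step 2.3: prepend to Non-enforced list
        if som.gp_options == "1":              # step 2.5: block inheritance
            allow_enforced_only = True
    return non_enforced + enforced             # steps 3 and 4

# Constructed sample SOM list: OU (nearest, blocking inheritance), domain, site.
GPO_CONTAINER = ",CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_SOMS = [
    Som(f"[LDAP://CN={{OU-A}}{GPO_CONTAINER};0][LDAP://CN={{OU-B}}{GPO_CONTAINER};2]", "1"),
    Som(f"[LDAP://CN={{DOM-A}}{GPO_CONTAINER};0][LDAP://CN={{DOM-B}}{GPO_CONTAINER};2]"
        f"[LDAP://CN={{DOM-C}}{GPO_CONTAINER};1]"),   # DOM-C link is disabled
    Som(f"[LDAP://CN={{SITE-A}}{GPO_CONTAINER};0]"),
]
```

With the OU blocking inheritance, only the OU's own links and the domain's enforced link survive; clearing gpOptions on the OU yields the full site, domain, OU, enforced ordering.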