Description of Group Policy Enrollment (198721)

The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q198721

SUMMARY

The process of transferring a policy defined in a Group Policy Object (GPO) from its Active Directory home container to one or more recipient objects (user or computer) is known as Policy Enrollment.

MORE INFORMATION

There are three parts to enrolling a policy:
  • Client authentication
  • Request, impersonation, listing, and validation of policy
  • Policy enrollment

CLIENT AUTHENTICATION

To enroll a policy, a client first requests an authenticated connection from the server to the Policy Agent service. The agent is a Windows 2000 service that provides policy support to requesting clients. Using the Security Support Provider Interface (SSPI), the server processes the connection request by matching the requesting client's credentials against those stored at the server. If the credentials the client presents are valid, the server grants the client's request to connect to the Policy Agent service. The trace below shows the first step of this exchange, a Netlogon NetrServerReqChallenge call: the client sends an 8-byte client challenge and the server answers with its own 8-byte server challenge. A sample request/response authentication packet pair might look like this:

Request Packet

R_LOGON: RPC Client call logon:NetrServerReqChallenge(..)
R_LOGON: LOGONSRV_HANDLE PrimaryName = \\UNIDAD.gob.gq.
R_LOGON: wchar_t ComputerName = JUSTICIA
R_LOGON: PNETLOGON_CREDENTIAL ClientChallenge {..}
R_LOGON: CHAR data [..] = 77 D3 B3 8C 32 A6 E8 9C

Response Packet

R_LOGON: RPC Server response logon:NetrServerReqChallenge(..)
R_LOGON: PNETLOGON_CREDENTIAL ServerChallenge {..}
R_LOGON: CHAR data [..] = 80 73 11 A6 0F 03 7D B3
R_LOGON: Return Value = 0 (0x0)

REQUEST, IMPERSONATION, LISTING, AND VALIDATION OF POLICIES

After it is authenticated, the client sends a policy request packet to the server over the authenticated connection. At the server, the Policy Agent service receives the request and impersonates the requester (the security principal context under which the client is running) before calling the GetGPOList() API, which returns the list of policies applicable to the requesting client. For each policy returned, a validation check is run by calling the LoadPolicy() API. The validated information is extracted and sent to the requesting client. The trace below is the SMB NT Create & X request that opens the GPO's Machine\registry.pol file from the Policies container; the Impersonation Level field is where the impersonation is expressed. A sample policy request and impersonation packet might look like this:

SMB: C NT create & X, File = \gob.gq\Policies\{93AD8E69-7982-11D2-B2DB-00C04F8EEC4A}\Machine\registry.pol
SMB: NT status code = 0x0, Facility = System, Severity = Success, Code = (0) STATUS_WAIT_0
SMB: Header: PID = 0x00AC TID = 0x6006 MID = 0x0180 UID = 0x4000
SMB: Command = C NT create & X
SMB: Word count = 24
SMB: Word parameters
SMB: Next offset = 0xDEDE
SMB: Word count = 24
SMB: Word parameters
SMB: Name Length (NT) = 152 (0x98)
SMB: Create Flags DWord = 0x00000016
SMB: Root Dir FID = 0x00000000
SMB: Desired Access = 0x00020089
SMB: File Allocation Size = 0x0000000000000000
SMB: NT File Attributes = 0x00000080
SMB: File Share Access = 0x00000001
SMB: Create Disposition = Open:  If exist, Open, else fail
SMB: Create Options = 68 (0x44)
SMB: Impersonation Level = 0x00000002 <- server impersonation is set here
SMB: Security Flags = 0x03
SMB: Byte count = 155
SMB: File name = \gob.gq\Policies\{93AD8E69-7982-11D2-B2DB-00C04F8EEC4A}\Machine\registry.pol
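
The two traces above (the NetrServerReqChallenge request/response pair in CLIENT AUTHENTICATION and the SMB NT Create & X open here) can be decoded with a few lines of code. The following Python is an added example, not part of the KB article or of Microsoft's tooling: it parses the "PROTO: name = value" trace lines, extracts the two 8-byte challenges, and decodes the Desired Access mask, share mode and Impersonation Level of the file open. The embedded trace lines are copied from the article; the numeric constants are the documented winnt.h access-mask bits and the SMB/SECURITY_IMPERSONATION_LEVEL values. The policy_read_deviations() baseline is this example's own rule derived from the trace (read-only open of a registry.pol under Policies\{GUID} at impersonation level 2 or lower), not something the article or Microsoft defines.

```python
import re

# Added example, not from the KB article. The trace lines below are copied from the
# article's packet dumps; the constants are the documented winnt.h / SMB values.
LOGON_REQUEST = [
    r"R_LOGON: RPC Client call logon:NetrServerReqChallenge(..)",
    r"R_LOGON: LOGONSRV_HANDLE PrimaryName = \\UNIDAD.gob.gq.",
    r"R_LOGON: wchar_t ComputerName = JUSTICIA",
    r"R_LOGON: PNETLOGON_CREDENTIAL ClientChallenge {..}",
    r"R_LOGON: CHAR data [..] = 77 D3 B3 8C 32 A6 E8 9C",
]
LOGON_RESPONSE = [
    r"R_LOGON: RPC Server response logon:NetrServerReqChallenge(..)",
    r"R_LOGON: PNETLOGON_CREDENTIAL ServerChallenge {..}",
    r"R_LOGON: CHAR data [..] = 80 73 11 A6 0F 03 7D B3",
    r"R_LOGON: Return Value = 0 (0x0)",
]
SMB_OPEN = [
    r"SMB: Desired Access = 0x00020089",
    r"SMB: File Share Access = 0x00000001",
    r"SMB: Create Disposition = Open:  If exist, Open, else fail",
    r"SMB: Impersonation Level = 0x00000002 <- server impersonation is set here",
    r"SMB: File name = \gob.gq\Policies\{93AD8E69-7982-11D2-B2DB-00C04F8EEC4A}\Machine\registry.pol",
]

FIELD_RE = re.compile(r"^(?P<proto>\w+): (?P<name>.+?) = (?P<value>.*)$")
# SMB NT Create & X impersonation levels (same values as SECURITY_IMPERSONATION_LEVEL)
IMPERSONATION_LEVELS = {0: "SecurityAnonymous", 1: "SecurityIdentification",
                        2: "SecurityImpersonation", 3: "SecurityDelegation"}
ACCESS_BITS = [  # file access-mask bits from winnt.h, lowest bit first
    (0x00000001, "FILE_READ_DATA"), (0x00000002, "FILE_WRITE_DATA"), (0x00000004, "FILE_APPEND_DATA"),
    (0x00000008, "FILE_READ_EA"), (0x00000010, "FILE_WRITE_EA"), (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"), (0x00000080, "FILE_READ_ATTRIBUTES"), (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"), (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"), (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ"),
]
WRITE_LIKE = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA", "FILE_DELETE_CHILD",
              "FILE_WRITE_ATTRIBUTES", "DELETE", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}
SHARE_BITS = [(1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE")]
# <root>\Policies\{GUID}\Machine-or-User\registry.pol, the shape seen in the article's trace
GPO_FILE_RE = re.compile(
    r"^\\[^\\]+\\Policies\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\(Machine|User)\\registry\.pol$",
    re.IGNORECASE)

def parse_fields(lines):
    """Map 'PROTO: name = value' lines to {name: value}; lines without ' = ' are skipped."""
    fields = {}
    for line in lines:
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("name")] = m.group("value").strip()
    return fields

def hex_dword(value):
    """Decode a '0x00000002 <- annotation' style value, ignoring the trailing annotation."""
    return int(value.split()[0], 16)

def hex_bytes(value):
    """Decode a 'CHAR data [..]' byte listing such as '77 D3 B3 8C 32 A6 E8 9C'."""
    return bytes(int(tok, 16) for tok in value.split())

def challenges(request_lines, response_lines):
    """Extract the two 8-byte challenges exchanged by NetrServerReqChallenge."""
    req, resp = parse_fields(request_lines), parse_fields(response_lines)
    return {
        "computer": req["wchar_t ComputerName"],
        "dc": req["LOGONSRV_HANDLE PrimaryName"],
        "client_challenge": hex_bytes(req["CHAR data [..]"]),
        "server_challenge": hex_bytes(resp["CHAR data [..]"]),
        "status": int(resp["Return Value"].split()[0]),
    }

def decode_smb_open(lines):
    """Decode access mask, share mode and impersonation level of an NT Create & X request."""
    f = parse_fields(lines)
    access, share, level = (hex_dword(f[k]) for k in
                            ("Desired Access", "File Share Access", "Impersonation Level"))
    return {
        "path": f["File name"],
        "access": [n for bit, n in ACCESS_BITS if access & bit],
        "share": [n for bit, n in SHARE_BITS if share & bit],
        "impersonation": IMPERSONATION_LEVELS.get(level, f"unknown({level})"),
        "disposition": f["Create Disposition"],
    }

def policy_read_deviations(decoded):
    """Baseline taken from the article's trace (this example's own rule): a policy fetch is a
    read-only open of registry.pol under Policies\\{GUID} at SecurityImpersonation or lower."""
    problems = []
    if not GPO_FILE_RE.match(decoded["path"]):
        problems.append("path is not a GPO registry.pol")
    if WRITE_LIKE & set(decoded["access"]):
        problems.append("write-capable access mask")
    if decoded["impersonation"] == "SecurityDelegation":
        problems.append("delegation-level impersonation requested")
    return problems
```

Run against the article's own lines, decode_smb_open() reports Desired Access 0x00020089 as FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES and READ_CONTROL (a read-only open), FILE_SHARE_READ, and Impersonation Level 2 as SecurityImpersonation, so policy_read_deviations() returns an empty list. Level 2 lets the server act as the client on the server itself, which is what the "server impersonation is set here" annotation points at; level 3 (SecurityDelegation) would additionally let the server present the client's identity to other servers, which a policy read does not need.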

POLICY ENROLLMENT

As soon as the requesting client receives the server's response packet containing the validated policies, they are applied (enrolled) to the appropriate object (user or computer).

Modification Type: Major
Last Reviewed: 11/21/2003
Keywords:kbinfo kbnetwork KB198721