Home > Sample chapters > Servers > Windows Server

Architecture of Windows Group Policy for Windows Server 2008 and Windows Vista

Client-Side Extensions

Client-side extensions (CSEs) provide much of the intelligence behind Group Policy. CSEs are files that must reside on the computer that is consuming Group Policy settings. The CSEs are divided into logical categories that match the nodes within the GPO, which can be seen in the structure of the GPO in the GPME. For example, the Security Settings node and all of the settings under it are controlled by the security CSE. The Drive Maps policy under the Preferences nodes is controlled by its own CSE, the Group Policy Drive Maps CSE.

The CSEs are .dll files that contain code that applies the settings to the target computer. The settings are delivered from the domain controllers to the computer receiving the policy settings during Group Policy processing. The data delivered to the target computer is the information stored in the files that makes up the GPT of the GPO. When these raw settings are delivered to the target computer, the appropriate CSEs perform the correct action on the target computer. Each CSE is tracked and managed by a GUID. The GUID ensures that the CSE is unique”we saw earlier that the GPC tracks the correct CSE in the gPCMachineExtensionNames and gPCUserExtentionNames attributes.

Table 4-4 provides information about all of the CSEs that are supported in Windows Server 2008 and Windows Vista. The CSEs are referenced in the registry, where this information is kept and tracked. You can see the full list of CSEs in the registry at HKLM\ Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.

Table 4-4. Group Policy Client-Side Extensions

Client-Side Extension

CSE DLL

GUID

Wireless Group Policy

Wlgpclnt.dll

{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}

Group Policy Environment

Gpprefcl.dll

{0E28E245-9368-4853-AD84-6DA3BA35BB75}

Group Policy Local Users and Groups

Gpprefcl.dll

{17D89FEC-5C44-4972-B12D-241CAEF74509}

Group Policy Device Settings

Gpprefcl.dll

{1A6364EB-776B-4120-ADE1-B63A406A76B5}

Folder Restriction

Fdeploy.dll

{25537BA6-77A8-11D2-9B6C-0000F8080861}

Microsoft Disk Quota

Diskquota.dll

{3610eda5-77ef-11d2-8dc5-00c04fa31a66}

Group Policy Network Options

Gpprefcl.dll

{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}

QoS Packet Scheduler

Gptext.dll

{426031c0-0b47-4852-b0ca-ac3d37bfcb39}

Scripts

Gpscript.dll

{42B5FAAE-6536-11d2-AE5A-0000F87571E3}

Internet Explorer Zonemapping

Iedkcs32.dll

{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}

Group Policy Drive Maps

Gpprefcl.dll

{5794DAFD-BE60-433f-88A2-1A31939AC01F}

Group Policy Folders

Gpprefcl.dll

{6232C319-91AC-4931-9385-E70C2B099F0E}

Group Policy Network Shares

Gpprefcl.dll

{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}

Group Policy Files

Gpprefcl.dll

{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}

Group Policy Data Sources

Gpprefcl.dll

{728EE579-943C-4519-9EF7-AB56765798ED}

Group Policy Ini Files

Gpprefcl.dll

{74EE6C03-5363-4554-B161-627540339CAB}

Windows Search Group Policy Extension

Srchadmin.dll

{7933F41E-56F8-41d6-A31C-4148A711EE93}

Security

Scecli.dll

{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

Deployed Printer Connections

Gpprnext.dll

{8A28E2C5-8D06-49A4-A08C-632DAA493E17}

Group Policy Services

Gpprefcl.dll

{91FBB303-0CD5-4055-BF42-E512A681B325}

Internet Explorer Branding

Iedkcs32.dll

{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}

Group Policy Folder Options

Gpprefcl.dll

{A3F3E39B-5D83-4940-B954-28315B82F0A8}

Group Policy Scheduled Tasks

Gpprefcl.dll

{AADCED64-746C-4633-A97C-D61349046527}

Group Policy Registry

Gpprefcl.dll

{B087BE9D-ED37-454f-AF9C-04291E351182}

EFS Recovery

Scecli.dll

{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}

802.3 Group Policy

Dot3gpclnt.dll

{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}

Group Policy Printers

Gpprefcl.dll

{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}

Group Policy Shortcuts

Gpprefcl.dll

{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}

Microsoft Offline Files

Cscobj.dll

{C631DF4C-088F-4156-B058-4375F0853CD8}

Software Installation

Appmgmts.dll

{c6dc5466-785a-11d2-84d0-00c04fb169f7}

IP Security

Polstore.dll

{e437bc1c-aa7d-11d2-a382-00c04f991e27}

Group Policy Internet Settings

Gpprefcl.dll

{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}

Group Policy Start Menu Settings

Gpprefcl.dll

{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}

Group Policy Regional Options

Gpprefcl.dll

{E5094040-C46C-4115-B030-04FB2E545B00}

Group Policy Power Options

Gpprefcl.dll

{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}

Group Policy Applications

Gpprefcl.dll

{F9C77450-3A41-477E-9310-9ACD617BD9E3}

Enterprise QoS

Gptext.dll

{FB2CA36D-0B40-4307-821B-A13B252DE56C}

You can see from Table 4-4 that some CSEs use the same file to store the code needed to apply settings delivered from the domain controller.

Each CSE is defined and tracked in the registry and includes a set of registry values that define and control its behavior. Clicking a CSE GUID in the registry will expose the registry settings that are configured by default and can be modified, as shown in Figure 4-12. The full list of possible registry value settings is shown in Table 4-5.

Figure 4-12

Figure 4-12 Each CSE in the registry has a set of values that control the behavior of the CSE.

Table 4-5. Possible Group Policy Extension Registry Values

Registry Value

Value Type

Possible Values

(Default)

REG_SZ

<Name of Group Policy>

DisplayName

REG_EXPAND_SZ

@<CSE DLL>, -1 to -????

DLLName

REG_EXPAND_SZ

Name or path to DLL

EnableSynchronousProcessing

REG_DWORD

<0 or 1>

EnableAsynchronousProcessing

REG_BINARY or REG_DWORD

<0 or 01>

ExtensionDebugLevel

REG_DWORD

<0 or 1>

ExtensionEventSource

REG_SZ

Varies

ExtensionRsopPlanningDebugLevel

REG_DWORD

<0 or 1>

EventSources

REG_MULTI_SZ

Varies

GenerateGroupPolicy

REG_SZ

Varies

MaxNGPListChangesInterval

REG_DWORD

<0 or 1>

NoBackgroundPolicy

REG_DWORD

<0 or 1>

NoGPOListChanges

REG_DWORD

<0 or 1>

NoMachinePolicy

REG_DWORD

<0 or 1>

NoSlowLink

REG_DWORD

<0 or 1>

NotifyLinkTransition

REG_DWORD

<0 or 1>

NoUserPolicy

REG_DWORD

<0 or 1>

PerUserLocalSettings

REG_DWORD

<0 or 1>

ProcessGroupPolicy

REG_SZ

Varies

ProcessGroupPolicyEx

REG_SZ

Varies

RequireSuccessfulRegistry

REG_DWORD

<0 or 1>