Architecture of Windows Group Policy for Windows Server 2008 and Windows Vista

  • 3/5/2008
Contents

Client-Side Extensions

Client-side extensions (CSEs) provide much of the intelligence behind Group Policy. CSEs are files that must reside on the computer that is consuming Group Policy settings. The CSEs are divided into logical categories that match the nodes within the GPO, which can be seen in the structure of the GPO in the GPME. For example, the Security Settings node and all of the settings under it are controlled by the security CSE. The Drive Maps policy under the Preferences nodes is controlled by its own CSE, the Group Policy Drive Maps CSE.

The CSEs are .dll files that contain code that applies the settings to the target computer. The settings are delivered from the domain controllers to the computer receiving the policy settings during Group Policy processing. The data delivered to the target computer is the information stored in the files that makes up the GPT of the GPO. When these raw settings are delivered to the target computer, the appropriate CSEs perform the correct action on the target computer. Each CSE is tracked and managed by a GUID. The GUID ensures that the CSE is unique”we saw earlier that the GPC tracks the correct CSE in the gPCMachineExtensionNames and gPCUserExtentionNames attributes.

Table 4-4 provides information about all of the CSEs that are supported in Windows Server 2008 and Windows Vista. The CSEs are referenced in the registry, where this information is kept and tracked. You can see the full list of CSEs in the registry at HKLM\ Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.

Table 4-4. Group Policy Client-Side Extensions

Client-Side Extension

CSE DLL

GUID

Wireless Group Policy

Wlgpclnt.dll

{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}

Group Policy Environment

Gpprefcl.dll

{0E28E245-9368-4853-AD84-6DA3BA35BB75}

Group Policy Local Users and Groups

Gpprefcl.dll

{17D89FEC-5C44-4972-B12D-241CAEF74509}

Group Policy Device Settings

Gpprefcl.dll

{1A6364EB-776B-4120-ADE1-B63A406A76B5}

Folder Restriction

Fdeploy.dll

{25537BA6-77A8-11D2-9B6C-0000F8080861}

Microsoft Disk Quota

Diskquota.dll

{3610eda5-77ef-11d2-8dc5-00c04fa31a66}

Group Policy Network Options

Gpprefcl.dll

{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}

QoS Packet Scheduler

Gptext.dll

{426031c0-0b47-4852-b0ca-ac3d37bfcb39}

Scripts

Gpscript.dll

{42B5FAAE-6536-11d2-AE5A-0000F87571E3}

Internet Explorer Zonemapping

Iedkcs32.dll

{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}

Group Policy Drive Maps

Gpprefcl.dll

{5794DAFD-BE60-433f-88A2-1A31939AC01F}

Group Policy Folders

Gpprefcl.dll

{6232C319-91AC-4931-9385-E70C2B099F0E}

Group Policy Network Shares

Gpprefcl.dll

{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}

Group Policy Files

Gpprefcl.dll

{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}

Group Policy Data Sources

Gpprefcl.dll

{728EE579-943C-4519-9EF7-AB56765798ED}

Group Policy Ini Files

Gpprefcl.dll

{74EE6C03-5363-4554-B161-627540339CAB}

Windows Search Group Policy Extension

Srchadmin.dll

{7933F41E-56F8-41d6-A31C-4148A711EE93}

Security

Scecli.dll

{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

Deployed Printer Connections

Gpprnext.dll

{8A28E2C5-8D06-49A4-A08C-632DAA493E17}

Group Policy Services

Gpprefcl.dll

{91FBB303-0CD5-4055-BF42-E512A681B325}

Internet Explorer Branding

Iedkcs32.dll

{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}

Group Policy Folder Options

Gpprefcl.dll

{A3F3E39B-5D83-4940-B954-28315B82F0A8}

Group Policy Scheduled Tasks

Gpprefcl.dll

{AADCED64-746C-4633-A97C-D61349046527}

Group Policy Registry

Gpprefcl.dll

{B087BE9D-ED37-454f-AF9C-04291E351182}

EFS Recovery

Scecli.dll

{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}

802.3 Group Policy

Dot3gpclnt.dll

{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}

Group Policy Printers

Gpprefcl.dll

{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}

Group Policy Shortcuts

Gpprefcl.dll

{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}

Microsoft Offline Files

Cscobj.dll

{C631DF4C-088F-4156-B058-4375F0853CD8}

Software Installation

Appmgmts.dll

{c6dc5466-785a-11d2-84d0-00c04fb169f7}

IP Security

Polstore.dll

{e437bc1c-aa7d-11d2-a382-00c04f991e27}

Group Policy Internet Settings

Gpprefcl.dll

{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}

Group Policy Start Menu Settings

Gpprefcl.dll

{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}

Group Policy Regional Options

Gpprefcl.dll

{E5094040-C46C-4115-B030-04FB2E545B00}

Group Policy Power Options

Gpprefcl.dll

{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}

Group Policy Applications

Gpprefcl.dll

{F9C77450-3A41-477E-9310-9ACD617BD9E3}

Enterprise QoS

Gptext.dll

{FB2CA36D-0B40-4307-821B-A13B252DE56C}

You can see from Table 4-4 that some CSEs use the same file to store the code needed to apply settings delivered from the domain controller.

NOTE

httpatomoreillycomsourcemspimages561763.jpg

If a target computer is missing a CSE during Group Policy processing, the settings that are delivered from the domain controller will not apply to the computer.

IMPORTANT

httpatomoreillycomsourcemspimages561755.jpg

The CSEs for the Group Policy Preferences must be installed on all computers running Windows XP SP2, Windows Server 2003 SP1, and Windows Vista that will consume these settings. You can download the CSEs from here: http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx. The CSEs are all contained in one .dll file. The file is best distributed using Group Policy, because it is wrapped up in an .msi file. The .dll CSE files are stored in the C:\Windows\System32 folder. For more information about Group Policy Preferences, refer to Chapter 12, “Group Policy Preferences,” which provides details on these settings.

Each CSE is defined and tracked in the registry and includes a set of registry values that define and control its behavior. Clicking a CSE GUID in the registry will expose the registry settings that are configured by default and can be modified, as shown in Figure 4-12. The full list of possible registry value settings is shown in Table 4-5.

Figure 4-12

Figure 4-12 Each CSE in the registry has a set of values that control the behavior of the CSE.

WARNING

httpatomoreillycomsourcemspimages561841.jpg

Modifying a registry value for a CSE could cause instability or operating system failure. Be sure to test all changes to any setting in the registry before deploying to any production computer. For more information about the registry values for the CSEs, refer to Table 4-4 and the TechNet article “NoSlowLink Entry,” at http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx, which covers all registry entries and supported values for each.

Table 4-5. Possible Group Policy Extension Registry Values

Registry Value

Value Type

Possible Values

(Default)

REG_SZ

<Name of Group Policy>

DisplayName

REG_EXPAND_SZ

@<CSE DLL>, -1 to -????

DLLName

REG_EXPAND_SZ

Name or path to DLL

EnableSynchronousProcessing

REG_DWORD

<0 or 1>

EnableAsynchronousProcessing

REG_BINARY or REG_DWORD

<0 or 01>

ExtensionDebugLevel

REG_DWORD

<0 or 1>

ExtensionEventSource

REG_SZ

Varies

ExtensionRsopPlanningDebugLevel

REG_DWORD

<0 or 1>

EventSources

REG_MULTI_SZ

Varies

GenerateGroupPolicy

REG_SZ

Varies

MaxNGPListChangesInterval

REG_DWORD

<0 or 1>

NoBackgroundPolicy

REG_DWORD

<0 or 1>

NoGPOListChanges

REG_DWORD

<0 or 1>

NoMachinePolicy

REG_DWORD

<0 or 1>

NoSlowLink

REG_DWORD

<0 or 1>

NotifyLinkTransition

REG_DWORD

<0 or 1>

NoUserPolicy

REG_DWORD

<0 or 1>

PerUserLocalSettings

REG_DWORD

<0 or 1>

ProcessGroupPolicy

REG_SZ

Varies

ProcessGroupPolicyEx

REG_SZ

Varies

RequireSuccessfulRegistry

REG_DWORD

<0 or 1>
Save to your account

This chapter is from the book