Revision Summary
Date | Revision History | Revision Class | Comments
3/2/2007 | 1.0 | Major | Updated and revised the technical content.
4/3/2007 | 1.1 | Minor | Clarified the meaning of the technical content.
5/11/2007 | 2.0 | Major | New format
6/1/2007 | 2.0.1 | Editorial | Changed language and formatting in the technical content.
7/3/2007 | 2.0.2 | Editorial | Changed language and formatting in the technical content.
8/10/2007 | 3.0 | Major | Updated and revised the technical content.
9/28/2007 | 3.0.1 | Editorial | Changed language and formatting in the technical content.
10/23/2007 | 4.0 | Major | Updated and revised the technical content.
1/25/2008 | 4.0.1 | Editorial | Changed language and formatting in the technical content.
3/14/2008 | 4.0.2 | Editorial | Changed language and formatting in the technical content.
6/20/2008 | 4.0.3 | Editorial | Changed language and formatting in the technical content.
7/25/2008 | 4.0.4 | Editorial | Changed language and formatting in the technical content.
8/29/2008 | 4.0.5 | Editorial | Changed language and formatting in the technical content.
10/24/2008 | 5.0 | Major | Updated and revised the technical content.
12/5/2008 | 5.1 | Minor | Clarified the meaning of the technical content.
1/16/2009 | 5.1.1 | Editorial | Changed language and formatting in the technical content.
2/27/2009 | 5.1.2 | Editorial | Changed language and formatting in the technical content.
4/10/2009 | 5.1.3 | Editorial | Changed language and formatting in the technical content.
5/22/2009 | 5.1.4 | Editorial | Changed language and formatting in the technical content.
7/2/2009 | 6.0 | Major | Updated and revised the technical content.
8/14/2009 | 6.1 | Minor | Clarified the meaning of the technical content.
9/25/2009 | 6.2 | Minor | Clarified the meaning of the technical content.
11/6/2009 | 6.3 | Minor | Clarified the meaning of the technical content.
12/18/2009 | 6.3.1 | Editorial | Changed language and formatting in the technical content.
1/29/2010 | 6.4 | Minor | Clarified the meaning of the technical content.
3/12/2010 | 6.5 | Minor | Clarified the meaning of the technical content.
4/23/2010 | 6.5.1 | Editorial | Changed language and formatting in the technical content.
6/4/2010 | 6.6 | Minor | Clarified the meaning of the technical content.
7/16/2010 | 6.7 | Minor | Clarified the meaning of the technical content.
8/27/2010 | 7.0 | Major | Updated and revised the technical content.
10/8/2010 | 8.0 | Major | Updated and revised the technical content.
11/19/2010 | 9.0 | Major | Updated and revised the technical content.
1/7/2011 | 10.0 | Major | Updated and revised the technical content.
2/11/2011 | 11.0 | Major | Updated and revised the technical content.
3/25/2011 | 12.0 | Major | Updated and revised the technical content.
5/6/2011 | 13.0 | Major | Updated and revised the technical content.
6/17/2011 | 13.1 | Minor | Clarified the meaning of the technical content.
9/23/2011 | 14.0 | Major | Updated and revised the technical content.
12/16/2011 | 15.0 | Major | Updated and revised the technical content.
3/30/2012 | 15.0 | None | No changes to the meaning, language, or formatting of the technical content.
7/12/2012 | 15.0 | None | No changes to the meaning, language, or formatting of the technical content.
10/25/2012 | 16.0 | Major | Updated and revised the technical content.
1/31/2013 | 16.1 | Minor | Clarified the meaning of the technical content.
8/8/2013 | 16.1 | None | No changes to the meaning, language, or formatting of the technical content.
11/14/2013 | 16.1 | None | No changes to the meaning, language, or formatting of the technical content.
2/13/2014 | 16.1 | None | No changes to the meaning, language, or formatting of the technical content.
5/15/2014 | 16.1 | None | No changes to the meaning, language, or formatting of the technical content.
6/30/2015 | 16.1 | None | No changes to the meaning, language, or formatting of the technical content.
10/16/2015 | 16.1 | None | No changes to the meaning, language, or formatting of the technical content.
7/14/2016 | 16.1 | None | No changes to the meaning, language, or formatting of the technical content.
Table of Contents
1 Introduction
1.1 Glossary
1.2 References
1.2.1 Normative References
1.2.2 Informative References
1.3 Overview
1.3.1 Background
1.3.2 Internet Explorer Maintenance Extension Protocol Overview
1.4 Relationship to Other Protocols
1.5 Prerequisites/Preconditions
1.6 Applicability Statement
1.7 Versioning and Capability Negotiation
1.8 Vendor-Extensible Fields
1.9 Standards Assignments
2 Messages
2.1 Transport
2.2 Message Syntax
2.2.1 SYSVOL Structure
3 Protocol Details
3.1 Administrative Tool Plug-in Details
3.1.1 Abstract Data Model
3.1.1.1 Administered GPO (Public)
3.1.2 Timers
3.1.3 Initialization
3.1.4 Higher-Layer Triggered Events
3.1.5 Message Processing Events and Sequencing Rules
3.1.6 Timer Events
3.1.7 Other Local Events
3.2 Client-Side Plug-in Details
3.2.1 Abstract Data Model
3.2.1.1 Client-Side State
3.2.2 Timers
3.2.3 Initialization
3.2.4 Higher-Layer Triggered Events
3.2.4.1 Process Group Policy
3.2.5 Message Processing Events and Sequencing Rules
3.2.6 Timer Events
3.2.7 Other Local Events
4 Protocol Examples
4.1 File Formats
4.1.1 INS File Format
4.1.2 ADM File Format
4.1.3 INF File Format
4.1.3.1 File Format used by Seczones.INF, Authcode.INF, Ratings.INF, and Programs.INF
4.1.3.1.1 Part A
4.1.3.1.2 Part B
4.1.3.2 Seczrsop.INF File Format
4.1.3.3 Ratrsop.INF File Format
4.1.4 BMP File Format
4.1.5 ICO File Format
4.1.6 CONNECT.RAS File Format
4.1.7 CS.DAT File Format
4.2 INSTALL.INS Example
4.3 Examples of Seczones.INF, Authcode.INF, Ratings.INF, and Programs.INF
4.3.1 SECZONES.INF Example
4.3.2 AUTHCODE.INF Example
4.3.3 RATINGS.INF Example
4.3.4 PROGRAMS.INF Example
4.4 SECZRSOP.INF Example
4.5 RATRSOP.INF Example
5 Security
5.1 Security Considerations for Implementers
5.2 Index of Security Parameters
6 Appendix A: Product Behavior
7 Change Tracking
8 Index
Introduction
This document specifies the Group Policy: Internet Explorer Maintenance Extension protocol.
Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.
Glossary
This document uses the following terms:
Active Directory: A general-purpose network directory service. Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. Importantly, user accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). [MS-ADTS] describes both forms. For more information, see [MS-AUTHSOD] section 1.1.1.5.2, Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and DNS.
Administrative tool: An implementation-specific tool, such as the Group Policy Management Console, that allows administrators to read and write policy settings from and to a Group Policy Object (GPO) and policy files. The Group Policy Administrative tool uses the Extension list of a GPO to determine which Administrative tool extensions are required to read settings from and write settings to the logical and physical components of a GPO.
American National Standards Institute (ANSI) character set: A character set defined by a code page approved by the American National Standards Institute (ANSI). The term "ANSI" as used to signify Windows code pages is a historical reference and a misnomer that persists in the Windows community. The source of this misnomer stems from the fact that the Windows code page 1252 was originally based on an ANSI draft, which became International Organization for Standardization (ISO) Standard 8859-1 [ISO/IEC-8859-1]. In Windows, the ANSI character set can be any of the following code pages: 1252, 1250, 1251, 1253, 1254, 1255, 1256, 1257, 1258, 874, 932, 936, 949, or 950. For example, "ANSI application" is usually a reference to a non-Unicode or code-page-based application. Therefore, "ANSI character set" is often misused to refer to one of the character sets defined by a Windows code page that can be used as an active system code page; for example, character sets defined by code page 1252 or character sets defined by code page 950. Windows is now based on Unicode, so the use of ANSI character sets is strongly discouraged unless they are used to interoperate with legacy applications or legacy data.
Augmented Backus-Naur Form (ABNF): A modified version of Backus-Naur Form (BNF), commonly used by Internet specifications. ABNF notation balances compactness and simplicity with reasonable representational power. ABNF differs from standard BNF in its definitions and uses of naming rules, repetition, alternatives, order-independence, and value ranges. For more information, see [RFC5234].
client: A client, also called a client computer, is a computer that receives and applies settings of a Group Policy Object (GPO), as specified in [MS-GPOL].
client-side extension GUID (CSE GUID): A GUID that enables a specific client-side extension on the Group Policy client to be associated with policy data that is stored in the logical and physical components of a Group Policy Object (GPO) on the Group Policy server, for that particular extension.
directory: The database that stores information about objects such as users, groups, computers, printers, and the directory service that makes this information available to users and applications.
fully qualified domain name (FQDN): An unambiguous domain name (2) that gives an absolute location in the Domain Name System's (DNS) hierarchy tree, as defined in [RFC1035] section 3.1 and [RFC2181] section 11.
globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).
Group Policy Object (GPO): A collection of administrator-defined specifications of the policy settings that can be applied to groups of computers in a domain. Each GPO includes two elements: an object that resides in the Active Directory for the domain, and a corresponding file system subdirectory that resides on the sysvol DFS share of the Group Policy server for the domain.
Group Policy Object (GPO) GUID: A curly braced GUID string that uniquely identifies a Group Policy Object (GPO).
Group Policy Object (GPO) path: A domain-based Distributed File System (DFS) path for a directory on the server that is accessible through the DFS/SMB protocols. This path will always be a Universal Naming Convention (UNC) path of the form: "\\<dns domain name>\sysvol\<dns domain name>\policies\<gpo guid>", where <dns domain name> is the DNS domain name of the domain and <gpo guid> is a Group Policy Object (GPO) GUID.
Group Policy server: A server holding a database of Group Policy Objects (GPOs) that can be retrieved by other machines. The Group Policy server must be a domain controller (DC).
Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377].
policy target: A user or computer account for which policy settings can be obtained from a server in the same domain, as specified in [MS-GPOL]. For user policy mode, the policy target is a user account. For computer policy mode, the policy target is a computer account.
share: A resource offered by a Common Internet File System (CIFS) server for access by CIFS clients over the network. A share typically represents a directory tree and its included files (referred to commonly as a "disk share" or "file share") or a printer (a "print share"). If the information about the share is saved in persistent store (for example, Windows registry) and reloaded when a file server is restarted, then the share is referred to as a "sticky share". Some share names are reserved for specific functions and are referred to as special shares: IPC$, reserved for interprocess communication, ADMIN$, reserved for remote administration, and A$, B$, C$ (and other local disk names followed by a dollar sign), assigned to local disk devices.
system volume (SYSVOL): A shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.
tool extension GUID or administrative plug-in GUID: A GUID defined separately for each of the user policy settings and computer policy settings that associates a specific administrative tool plug-in with a set of policy settings that can be stored in a Group Policy Object (GPO).
Unicode: A character encoding standard developed by the Unicode Consortium that represents almost all of the written languages of the world. The Unicode standard [UNICODE5.0.0/2007] provides three forms (UTF-8, UTF-16, and UTF-32) and seven schemes (UTF-8, UTF-16, UTF-16 BE, UTF-16 LE, UTF-32, UTF-32 LE, and UTF-32 BE).
Universal Naming Convention (UNC): A string format that specifies the location of a resource. For more information, see [MS-DTYP] section 2.2.57.
MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.
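The GPO path form defined in the glossary ("\\<dns domain name>\sysvol\<dns domain name>\policies\<gpo guid>", with the GPO GUID as a curly-braced GUID string) is strict enough to validate before a client-side plug-in reads policy files from SYSVOL. The following parser is an added illustration, not code from [MS-GPIE] or from any Windows component; the domain names and GUID it checks against are constructed sample values, and its case-insensitive treatment of path components is an assumption based on SMB/DFS naming rather than a statement of this protocol.

```python
import re
from typing import Optional

# DNS label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Curly-braced GUID string: {8-4-4-4-12 hex digits}.
_GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_gpo_path(path: str) -> Optional[dict]:
    """Return {"domain": ..., "gpo_guid": ...} if `path` has exactly the GPO path
    form from the glossary, otherwise None.

    Rejects anything with extra or missing components (so "..", nested
    directories or a bare share root never pass), requires both <dns domain
    name> components to agree, and requires a curly-braced GUID as the last
    component. Fixed components are compared case-insensitively (assumption:
    SMB/DFS path components are not case-sensitive)."""
    if not path.startswith("\\\\"):
        return None
    parts = path[2:].split("\\")
    # Expected layout: domain, "sysvol", domain, "policies", gpo guid
    if len(parts) != 5:
        return None
    domain, sysvol, domain2, policies, gpo_guid = parts
    if sysvol.lower() != "sysvol" or policies.lower() != "policies":
        return None
    if domain.lower() != domain2.lower():
        return None
    if not _FQDN_RE.match(domain) or not _GUID_RE.match(gpo_guid):
        return None
    return {"domain": domain.lower(), "gpo_guid": gpo_guid.upper()}


if __name__ == "__main__":
    # Constructed sample values, not from any real domain.
    good = r"\\corp.example.com\sysvol\corp.example.com\policies\{11111111-2222-3333-4444-555555555555}"
    bad = r"\\corp.example.com\sysvol\corp.example.com\policies\..\{11111111-2222-3333-4444-555555555555}"
    print(parse_gpo_path(good))
    print(parse_gpo_path(bad))
```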