[cifs-protocol] [MS-GPOL] Computer group policy fetch - what credentials are used ?

[Jeremy Allison]

Hi Dochelp,

Here's something I'm working on at the moment,
that unfortunately is as clear as mud from the
docs :-).

When a Windows client downloads machine group
policy objects, what credentials does it use to
do so ?

[MS-GPOL].pdf states:

3.2.5.1 Policy Application
...
Steps 3.2.5.1.3 through 3.2.5.1.7 SHOULD be performed while impersonating the policy target as
specified in [MS-DTYP] section 2.7, Impersonation Abstract Interfaces.
...
Policy target impersonation proceeds as follows:
1. For Computer Policy Application Mode, the Policy Source Mode MUST be set to Normal.
2. The client application retrieves the primary token of the interactive user (the policy target) and
passes it to the Start Impersonation abstract interface as specified in [MS-DTYP] section 2.7.1.

The above implies that "Computer Policies" should be
done under the credential context of the interactive user.

But machine GPO's are fetched *before* user logon.

So either they're fetched using a cached user credential,
or the above isn't correct.

But later in the doc it states:

3.2.5.1.5 GPO Search
...
7. The Policy Target Security Token MUST be initialized to the security token of the Policy Target.
For computer policy mode, retrieve the machine token that is associated with the security
context of the server using Kerberos authentication.<32>
For user policy mode, retrieve the impersonation token of the caller.<33>

which implies that it's done under the credential
context of the machine account.

Which is it ?

Cheers,

Jeremy.