What is the purpose of the FullArmor Container in AD as used by GPA?

  • 7021218
  • 22-Aug-2017
  • 22-Aug-2017

Environment

NetIQ Group Policy Administrator 6.x

Situation

What is the purpose of the FullArmor Container in AD as used by GPA?
Why does GPA create a FullArmor Container in AD?
 

Resolution

What is the FULLARMOR container?
    
     GPA uses CN=FULLARMOR as a temporary container in AD for the repository GPOs.
     GPA creates the container (or prompts the user to create it manually) in each of the domains managed in the repository.

How is the FULLARMOR container created?

     The FULLARMOR container is created at the root of the domain.
     The sub-containers are created with the hierarchy FULLARMOR / FAZAM GP REPOSITORY SERVERS / [SERVER NAME] / SYSTEM / POLICIES / [GUID for GPO Container]
        
         [SERVER NAME] : The GPA Repository Server that manages the domain.
         [GUID for GPO Container] : The temporary container for a repository GPO. This container stores the directory (AD) portion of the repository GPO.

When are the Group policy containers created in the FULLARMOR container?

     There are three operations or workflows in the GPA repository that create a group policy container. That group policy container is deleted once the operation is complete.

     1. Most of the reports on the GPA console that involve a repository GPO:
             Settings report of a GPO,
             GPO comparison/diff,
             RSoP report (if a repository GPO is selected in the what-if analysis)

     2. Checking out a GPO in the repository creates a group policy container. The container is deleted once the GPO is checked in or the check-out is undone.

     3. The GPA server creates group policy containers while indexing GPO data, and deletes each one once the data for that GPO has been collected.
 
             Note - If a new GPO is created, or any setting of a GPO is modified or saved in the repository, the GPA server updates the group policy indexes on the local machine. To collect the required data, the GPA server generates a settings report for that GPO.
                         The indexed data is used for GPO search.

Why is the group policy container required to be created in the FULLARMOR container?
        
         GPA uses native APIs for reporting and editing group policy objects.
        
         MS APIs for reporting:
             Microsoft.GroupPolicy.Reporting.GPO and Microsoft.GroupPolicy.Gpo https://msdn.microsoft.com/en-us/library/windows/desktop/microsoft.grouppolicy.gpo(v=vs.85).aspx

         MS APIs for editing:
             Microsoft Group Policy Object Editor snap-ins and IGPEInformation interface https://msdn.microsoft.com/en-us/library/aa374189(v=vs.85).aspx

         These native APIs require a group policy environment that is similar to live AD.
         Since the repository GPOs are kept in a secure offline store (a SQL database), these APIs cannot be used on them directly.
         So GPA uses the FULLARMOR container to simulate the live group policy environment for repository GPOs. More details follow.

         As we know, the "CN=POLICIES,CN=SYSTEM" container is the AD store for live GPOs.
         The FULLARMOR container is created to act as the AD store for offline repository GPOs. Its policies container is located at "CN=POLICIES,CN=SYSTEM,CN=[SERVER NAME],CN=FAZAM GP REPOSITORY SERVERS,CN=FULLARMOR".

         For repository GPOs, the "Local GPOs" folder on the GPA console machine acts as the live Sysvol folder.
         The gPCFileSysPath attribute of the group policy containers created under FULLARMOR points to the "Local GPOs" folder.
    
         In summary, GPA saves a repository GPO's AD data to the FULLARMOR container and the GPO files to the "Local GPOs" folder, simulating live AD and Sysvol respectively.
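As an added example (not NetIQ's code and not part of this article), the following PowerShell lists the temporary group policy containers under FULLARMOR and flags any that outlived a normal operation, which is a quick way to check whether clean-up completed. It assumes the ActiveDirectory module is installed, uses DC=example,DC=com as a placeholder domain DN, and treats a 24-hour age as an arbitrary "stale" threshold.

```powershell
# Added example (not NetIQ's code): audit the FULLARMOR container for
# repository GPO containers that should have been removed after the
# report, check-in or indexing operation that created them finished.
# Assumptions: ActiveDirectory module available; $DomainDn is a placeholder.
Import-Module ActiveDirectory

function Get-FullArmorGpcState {
    param(
        [string]$DomainDn   = 'DC=example,DC=com',   # placeholder managed-domain DN
        [int]   $MaxAgeHours = 24                     # assumed threshold for "stale"
    )
    $root = "CN=FULLARMOR,$DomainDn"                  # created at the domain root

    try   { $null = Get-ADObject -Identity $root -ErrorAction Stop }
    catch { Write-Warning "No FULLARMOR container found in $DomainDn"; return @() }

    # Every groupPolicyContainer below FULLARMOR is a temporary repository GPO container:
    # CN=<GUID>,CN=POLICIES,CN=SYSTEM,CN=<server>,CN=FAZAM GP REPOSITORY SERVERS,CN=FULLARMOR,...
    $gpcs = Get-ADObject -SearchBase $root -SearchScope Subtree `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, gPCFileSysPath, whenCreated

    $now = Get-Date
    foreach ($gpc in $gpcs) {
        # Recover the [SERVER NAME] component of the hierarchy from the DN
        $server = if ($gpc.DistinguishedName -match
                      'CN=SYSTEM,CN=([^,]+),CN=FAZAM GP REPOSITORY SERVERS') { $Matches[1] } else { '?' }
        $ageHours = [math]::Round(($now - $gpc.whenCreated).TotalHours, 1)

        [pscustomobject]@{
            Server       = $server
            GpoName      = $gpc.displayName
            Guid         = $gpc.Name
            FileSysPath  = $gpc.gPCFileSysPath
            # Per the article, gPCFileSysPath should point at the console's "Local GPOs" folder
            LocalGpoPath = ($gpc.gPCFileSysPath -like '*Local GPOs*')
            AgeHours     = $ageHours
            Stale        = ($ageHours -gt $MaxAgeHours)
        }
    }
}

# Usage: show only containers that have outlived a normal operation
Get-FullArmorGpcState -DomainDn 'DC=example,DC=com' | Where-Object Stale | Format-Table -AutoSize
```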