Re: GPO extension
- From: Johni <john.silverdear@xxxxxxxxx>
- Date: Thu, 24 Jul 2008 00:21:24 -0700 (PDT)
On 23 Jul, 13:04, "Mark Heitbrink [MVP]" <spam-o...@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> Johni wrote:
>> I want to build a GPO extension for my application, but I don't find a
>> lot of resources about this.
>
> To do what?
> Just a "policy aware" application?
> Save all your settings in the registry and define 2 places to
> look at.
> 1. Check if settings exist in .\policies, if so, accept.
> 2. If they do not exist, check setting in .\software\yourapp\
> Create an ADM, so that Admins can control it.
>
>> How can I declare this on the server? How can I use the AD Group
>> policy container to store my data?
>
> MMC programming? Sorry, no clue.
> But believe me: You do not want to store data in AD, you want to store
> the settings in a file inside SYSVOL. Why? If you want to store data in
> the AD, you need to change/extend the Schema.
> I know a lot of Admins (simply ALL) who will not change the Schema just to
> get a 30 day trial software running.
>
>> MSDN gives a sample about processing policies on the client side
>> (ProcessGroupPolicy), but what GUID should I use in the GPExtensions
>> keys?
>
> Just one that does not exist. Usually the CSEs are processed
> with ascending GUIDs.
>
>> Another question: if I use registry based policies on my AD (with
>> a .adm), is it possible to process this policy on the client side with
>> ProcessGroupPolicy?
>
> An ADM is applied by CSE Registry. It's just a silent import of
> some kind of a reg file. But Reg_Binary or Reg_Multi_SZ are not
> possible by using a classic ADM. Even ADMX can't do that.
>
> Mark
> --
> Mark Heitbrink - MVP Windows Server - Group Policy
> Homepage: www.gruppenrichtlinien.de - deutsch
> Discuss : www.freelists.org/list/gpupdate
Thank you, Mark. Let me please explain what I want to do.
Today we use registry policies (adm) for our security application.
We want to sign our application policies. On the server side, a hash
would be computed for each Group Policy Object, and signed by a
specific person (not the AD admin).
On the client side, the signature is checked and the policies are only
applied if it is verified. Each GPO is signed and must be
independently checked on the client. We can't just get the RSOP,
because we need to know the detail of each GPO to check each
signature.
I tried the GetGPOList function to get each GPO, but I get an 'access
denied' when I tried to get the registry key with a basic
authenticated user. It works only with an AD admin account.
I thought about using the ProcessGroupPolicy hook, but judging from
what you said it is not possible, we can't hook registry policy
processing.
Do you have an idea about how I can sign (and verify) my GPOs? Do I
have to build a complete custom policy extension?
Thanks for any idea or help.
J.
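An added example, not part of this thread and not any Microsoft API, of the client-side check J. describes: parse the registry.pol that CSE Registry silently imports (the documented PReg layout, UTF-16LE `[key;value;type;size;data]` records, is assumed), build a canonical digest over its entries, and hand entries to the policy applier only when the designated signer's signature over that digest verifies. `build_registry_pol`, the `verify` callback, and the ExampleApp values are assumptions constructed for the example; the signature algorithm itself is left to the caller.

```python
import hashlib
import struct
PREG_HEADER = b"PReg" + struct.pack("<I", 1)  # "PReg" magic followed by version 1
REG_SZ, REG_DWORD = 1, 4
U16 = lambda s: s.encode("utf-16-le")          # registry.pol text is UTF-16LE
def build_registry_pol(entries):
    """Serialise (key, value, type, data) tuples as [key;value;type;size;data] records."""
    out = bytearray(PREG_HEADER)
    for key, value, reg_type, data in entries:
        out += U16("[") + U16(key + "\0") + U16(";") + U16(value + "\0") + U16(";")
        out += struct.pack("<I", reg_type) + U16(";") + struct.pack("<I", len(data)) + U16(";")
        out += data + U16("]")
    return bytes(out)
def _expect(blob, pos, token):
    if blob[pos:pos + len(token)] != token:
        raise ValueError("malformed registry.pol at offset %d" % pos)
    return pos + len(token)
def _read_utf16z(blob, pos):
    end = pos  # scan in 2-byte units: a NUL byte inside a code unit is not a terminator
    while blob[end:end + 2] not in (b"\0\0", b""):
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2  # a truncated string fails in the next _expect
def parse_registry_pol(blob):
    pos, entries = _expect(blob, 0, PREG_HEADER), []
    while pos < len(blob):
        key, pos = _read_utf16z(blob, _expect(blob, pos, U16("[")))
        value, pos = _read_utf16z(blob, _expect(blob, pos, U16(";")))
        # Remaining layout: ';' DWORD type ';' DWORD size ';' data ']' (';' is 2 bytes, DWORD is 4).
        reg_type = struct.unpack_from("<I", blob, _expect(blob, pos, U16(";")))[0]
        size = struct.unpack_from("<I", blob, _expect(blob, pos + 6, U16(";")))[0]
        pos = _expect(blob, pos + 12, U16(";"))
        data, pos = blob[pos:pos + size], _expect(blob, pos + size, U16("]"))
        entries.append((key, value, reg_type, data))
    return entries
def gpo_digest(entries):
    """Canonical SHA-256 (sorted entries, case-folded names, length-prefixed fields): the signed value."""
    h = hashlib.sha256()
    for key, value, reg_type, data in sorted(entries, key=lambda e: (e[0].lower(), e[1].lower())):
        for field in (key.lower().encode(), value.lower().encode(), struct.pack("<I", reg_type), data):
            h.update(struct.pack("<I", len(field)) + field)
    return h.hexdigest()
def entries_if_verified(blob, signature, verify):
    """Gate: verify(digest_hex, signature) is an assumed hook backed by the designated signer's key."""
    entries = parse_registry_pol(blob)
    return entries if verify(gpo_digest(entries), signature) else None
# Constructed sample GPO content for this example, not taken from any real domain.
SAMPLE_POL = build_registry_pol([
    ("Software\\Policies\\ExampleApp", "RequireSignedPolicy", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\ExampleApp", "UpdateServer", REG_SZ, U16("https://updates.example.test\0")),
])
```

Because the digest is computed over the parsed entries rather than the raw bytes, reordering records in SYSVOL does not break verification, while any change to a key, value name, type or data does.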