Re: GPO extension
- From: "Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 29 Jul 2008 21:02:00 +0200
Hi,
Johni wrote:
Thank you, Mark. Let me please explain what I want to do.
[...]
We want to sign our application policies. On the server side, a hash
would be computed for each Group Policy Object, and signed by a
specific person (not the AD admin).
On the client side, the signature is checked and the policies are only
applied if it is verified. [...]
Do you have an idea about how I can sign (and verify) my GPOs? Do I
have to build a complete custom policy extension?
Yes, because actually the client is not checking certificates or
hashes at the time the GPO is read and applied.
Simplified:
Today it's a simple list, based on AD structure (OUs, dsacls, WMI), and
based on the GUIDs the client takes a look inside SYSVOL to read the
mentioned GPOs. Neither the GUID in AD nor the files in SYSVOL are
verified. It's just reading LDAP and the NTFS filesystem.
If you want to change this, you need to change winlogon.exe.
If you only want to control your special application settings, but
nothing else, you integrate a new DLL as a CSE (winlogon.exe will call every
registered CSE) that only applies your settings if they are certified.
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
Discuss : www.freelists.org/list/gpupdate
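As an added illustration of the check such a CSE would have to perform (example code, not from Mark or the thread): the script below resolves a GPO by its GUID under SYSVOL, verifies a detached Authenticode-signed hash manifest against a pinned signer, and only then compares the signed hashes with the files actually present. The domain name, GPO GUID, manifest file name `gpo-manifest.ps1` and the `$ExpectedSigner` thumbprint are assumed placeholders.

```powershell
# Added example (not from the thread): verify one GPO in SYSVOL against a
# signed manifest before it is applied. Assumptions: the manifest is a .ps1
# file beside the GPO's other files, Authenticode-signed by the designated
# person (not the AD admin) with a code-signing certificate whose thumbprint
# is pinned in $ExpectedSigner. All parameter defaults are placeholders.
param(
    [string]$Domain = 'example.local',
    [string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}',
    [string]$ExpectedSigner = 'THUMBPRINT-OF-DESIGNATED-SIGNER'
)

# Same path the client resolves from the GUID it found in AD (gPLink)
$gpoPath  = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid"
$manifest = Join-Path $gpoPath 'gpo-manifest.ps1'

# Deterministic "<sha256>  <relative path>" line per file, manifest excluded
function Get-GpoFileHashes([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Name -ne 'gpo-manifest.ps1' } |
        Sort-Object FullName |
        ForEach-Object {
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
            "$((Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash)  $rel"
        }
}

# Signing side (run once by the designated signer, $signerCert = code-signing cert):
#   Get-GpoFileHashes $gpoPath | ForEach-Object { "# HASH $_" } | Set-Content $manifest
#   Set-AuthenticodeSignature -FilePath $manifest -Certificate $signerCert

# Verifying side, step 1: signature must chain to a trusted root AND come from
# the pinned signer; a valid signature from any other certificate is rejected.
$sig = Get-AuthenticodeSignature -FilePath $manifest
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $ExpectedSigner) {
    Write-Output "REJECT $GpoGuid : manifest signature status $($sig.Status)"
    exit 1
}

# Step 2: the signed hash list must match what is in SYSVOL right now.
# Only '# HASH ' lines are data; the '# SIG #' block appended by signing is skipped.
$expected = Get-Content $manifest | Where-Object { $_ -like '# HASH *' } |
    ForEach-Object { $_.Substring(7) }
$actual = Get-GpoFileHashes $gpoPath
if (Compare-Object -ReferenceObject @($expected) -DifferenceObject @($actual)) {
    Write-Output "REJECT $GpoGuid : files in SYSVOL differ from the signed manifest"
    exit 1
}
Write-Output "OK $GpoGuid : verified, settings may be applied"
```

This covers only the SYSVOL side Mark describes; the list of GPO GUIDs read from AD is still unverified, so the check has to run inside the CSE for each GPO it is handed rather than as a separate script the client trusts.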