[gptalk] Re: Can Group Policy Settings be accessed and set from an application

Yes, working with group policy is all new to me. I'm very familar with 
accessing the registry through Windows API, so if that accomplishes what I need 
then that would be the preferred method. I've just verified that the AppCompat 
registry setting works as I would expect in Vista, so think I understand it all 
now. 

Thanks,

Dave

  ----- Original Message ----- 
  From: Darren Mar-Elia 
  To: gptalk@xxxxxxxxxxxxx 
  Sent: Friday, October 27, 2006 12:34 PM
  Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an 
application


  OK. I think this is getting a little sidetracked. My fault for that--sorry. 
The ntuser.pol file is what's called an "archive" file. Its only used at GP 
processing time to either remove or add registry policies. The **del you see in 
front of that registry value below indicates that the policy no longer applies 
so its going to be removed. 

  If you want to programmatically stuff your policy setting from an 
application, then you need to be able to right to the registry.pol file in 
SYSVOL on a DC. The snippet from the ADMX file below indicates that your policy 
entry is in HKCU\Software\Policies\Microsoft\Windows\AppCompat, and sets the 
value DisablePCA (probably to 0 or 1 depending upon whether its enabled or 
not). So, you would have to write that value into the registry.pol file under 
the SYSVOL part of the GPO. Frankly, it sounds like this is all new to you, so 
I would not recommend this method. If you really need to set this policy, you 
may just be better off setting it directly into the registry for the user. The 
C++ APIs for registry I/O are well known and much easier to manage. That would 
be my best advice.

  Darren



------------------------------------------------------------------------------
  From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Webmaster eSupport
  Sent: Friday, October 27, 2006 8:58 AM
  To: gptalk@xxxxxxxxxxxxx
  Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an 
application


  In Vista, I found ntuser.pol located in C:\ProgramData folder. Your polviewer 
tool shows the following registry key:

  Registry Key: SOFTWARE\Policies\Microsoft\Windows\AppCompat
  Registry Value: **del.DisablePCA
  Value Type: REG_SZ

  Also, I find admin template file C:\Windows\PolicyDefinitions\AppCompat.admx 
which contains the following:

  <policy name="AppCompatTurnOffProgramCompatibilityAssistant_1" class="User" 
displayName="$(string.AppCompatTurnOffProgramCompatibilityAssistant)" 
explainText="$(string.AppCompat_TurnOffProgramCompatibilityAssistant_Help)" 
key="Software\Policies\Microsoft\Windows\AppCompat" valueName="DisablePCA">
  <parentCategory ref="AppCompat" />
  <supportedOn ref="windows:SUPPORTED_WindowsVista" />
  </policy>

  I don't fully understand how Vista configuration parameters work with the 
registry and registry.pol files in the GPOs. For the above Vista configuration 
parameter to control enabling or disabling Program Compatibility Assistant, 
does it mean it can be controlled by registry key 
="Software\Policies\Microsoft\Windows\AppCompat\DisablePCA"? If so, is it 
located under HKLM or HKCU? Or, do I need to work with ntuser.pol file? 

  Dave

    ----- Original Message ----- 
    From: Darren Mar-Elia 
    To: gptalk@xxxxxxxxxxxxx 
    Sent: Thursday, October 26, 2006 5:15 PM
    Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an 
application


    Pol files exist in the GPO itself. So, in both XP and Vista, that's in 
SYSVOL under the policies folder. You're probably finding ntuser.pol in XP, 
which is a slightly different file. It also exists in Vista but maybe its 
harder to find...





----------------------------------------------------------------------------
    From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Webmaster eSupport
    Sent: Thursday, October 26, 2006 2:15 PM
    To: gptalk@xxxxxxxxxxxxx
    Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an 
application


    Thanks for the tip about you polviewer utility. I see how it works on XP. 
However, I'm not able to find and "pol" files in Vista. Does anyone know where 
they are located on Vista? 

    Dave
      ----- Original Message ----- 
      From: Darren Mar-Elia 
      To: gptalk@xxxxxxxxxxxxx 
      Sent: Thursday, October 26, 2006 12:40 PM
      Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from 
an application


      Admin Templates in Vista, like OS' before it, are governed by template 
files. In Vista these are called ADMX files and are XML files that govern where 
a particular policy makes a setting in the registry. This was the same with 
ADMs in previous OS'. These files serve as the template for values that are 
written to the registry.pol files in the GPOs. This file is simply a 
Unicode-encoded text file that can be read to and written from (see my 
polviewer utility for a registry.pol reader). So, programmatically you could 
get into this file and write your setting provided you know the value in the 
registry that underlies it, which you can glean from the ADMX files in 
c:\windows\policydefinitions. 

      You might also look at the IGroupPolicy object interface. Others on the 
list have more experience with this interface than I do but it does provide 
some programmatic access into registry policy.

      Darren





--------------------------------------------------------------------------
      From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Webmaster eSupport
      Sent: Thursday, October 26, 2006 9:08 AM
      To: gptalk@xxxxxxxxxxxxx
      Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from 
an application


      In Vista, there is configuration parameter "Turn Off Program 
Compatibility Assistant" defined as a group policy under Computer 
Configuration->Administrative Templates->Windows Components->Application 
Compatibility. Do you think it's possible to access this configuration 
parameter through application code? I've looked up registry.pol on on MSDN but 
not seen anything that leads me directly to this parameter. If it's possible, 
Vista specific policy info probably not published on MSDN yet. 

      Dave

        ----- Original Message ----- 
        From: Darren Mar-Elia 
        To: gptalk@xxxxxxxxxxxxx 
        Sent: Thursday, October 26, 2006 11:09 AM
        Subject: [gptalk] Re: Can Group Policy Settings be accessed and set 
from an application


        Noting changes in particular in Vista. Note that policy areas such as 
Admin Templates, and Software Restriction policy store their settings in a 
published format (look up registry.pol in MSDN) so its not completely opaque, 
but I think that because each CSE has historically been owned by the respective 
product groups within MS, and no one dictated a standard set of interfaces, it 
would have been difficult for MS to publish this information. For example, 
Admin Template settings are driven by ADM/ADMX files but security settings, for 
example, are hard-coded into the GP editor DLL responsible for that extension 
(for the most part).

        Darren



------------------------------------------------------------------------
        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] 
On Behalf Of Webmaster eSupport
        Sent: Thursday, October 26, 2006 7:55 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: Can Group Policy Settings be accessed and set 
from an application



        So if I understand this correctly, it is possible to configure group 
policies through an appliction with Microsoft's gpedit.msc application, but 
Microsoft is just not sharing the methods with anyone so we're not forced to 
use their application. That's unbelievable, but not surprising. Up to now I 
think most users do not have a need to touch group policy settings. However, 
with Vista Microsoft is relying more heavily on group policy settings for Vista 
configuration settings.  

        Does anyone know a method for accessing group policies specific for 
Vista. 

        Dave

          ----- Original Message ----- 
          From: Darren Mar-Elia 
          To: gptalk@xxxxxxxxxxxxx 
          Sent: Thursday, October 26, 2006 10:07 AM
          Subject: [gptalk] Re: Can Group Policy Settings be accessed and set 
from an application


          Generally speaking, you can't do this. There is no API that will get 
you access to all GP settings. Part of the problem here is that each CSE that 
MS ships contains its own mechanism for writing and storing settings, with 
their own formats. So, there is no unified API that provides the single 
interface.

          Not a great answer, but one that I've been repeating since about 1999 
:). Maybe one day it will get solved.

          Darren



----------------------------------------------------------------------
          From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Webmaster eSupport
          Sent: Thursday, October 26, 2006 6:57 AM
          To: gptalk@xxxxxxxxxxxxx
          Subject: [gptalk] Can Group Policy Settings be accessed and set from 
an application


          Hello All,

          I have an application where I need to manage group policy settings 
from an application. I'm new to Group Policies in Windows, have been reading 
everything I can find but so far I've not definitive methods which enable group 
policy settings to be read and configured from a C++ application. Seems to me 
that if group policies can be configured with Windows group policy editor, it 
must be possible to implement my own application. 

          Appreciate any help anyone can provide to get me up to speed on this. 

          Thanks in advance,

          Dave

Other related posts: