[gptalk] Re: Can Group Policy Settings be accessed and set from an application

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 27 Oct 2006 09:34:58 -0700

OK. I think this is getting a little sidetracked. My fault for that--sorry.
The ntuser.pol file is what's called an "archive" file. It's only used at GP
processing time to either remove or add registry policies. The **del you see
in front of that registry value below indicates that the policy no longer
applies so it's going to be removed. 
 
If you want to programmatically stuff your policy setting from an
application, then you need to be able to write to the registry.pol file in
SYSVOL on a DC. The snippet from the ADMX file below indicates that your
policy entry is in HKCU\Software\Policies\Microsoft\Windows\AppCompat, and
sets the value DisablePCA (probably to 0 or 1 depending upon whether it's
enabled or not). So, you would have to write that value into the
registry.pol file under the SYSVOL part of the GPO. Frankly, it sounds like
this is all new to you, so I would not recommend this method. If you really
need to set this policy, you may just be better off setting it directly into
the registry for the user. The C++ APIs for registry I/O are well known and
much easier to manage. That would be my best advice.
 
Darren
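
The .pol entries discussed above (the **del. value seen in ntuser.pol and the DisablePCA value a GPO's registry.pol would carry), shown as an added Python example that is not part of the original thread: a reader for the published registry policy file format, which is a "PReg" header followed by [key;value;type;size;data] records in UTF-16LE. The sample bytes are constructed, and REG_DWORD 1 for DisablePCA is an assumption.

```python
# Added example: reader for the PReg layout of registry.pol / ntuser.pol.
import struct

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Parse PReg bytes into dicts with key, name, action, type and data."""
    if len(buf) < 8 or struct.unpack_from("<4sI", buf) != (b"PReg", 1):
        raise ValueError("not a PReg file (bad signature or version)")
    pos, entries = 8, []
    while pos < len(buf):  # each entry is [key;value;type;size;data]
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        value, pos = _wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        if pos + 12 > len(buf):
            raise ValueError("truncated entry")
        rtype, sep1, size, sep2 = struct.unpack_from("<I2sI2s", buf, pos)
        pos += 12
        if sep1 != b";\x00" or sep2 != b";\x00" or size > len(buf) - pos:
            raise ValueError("malformed type/size fields")
        data, pos = buf[pos:pos + size], _expect(buf, pos + size, "]")
        # "**del.<name>" marks <name> for removal instead of setting it
        delete = value.lower().startswith("**del.")
        entries.append({"key": key, "name": value[6:] if delete else value,
                        "action": "delete" if delete else "set",
                        "type": rtype, "data": data})
    return entries

# Constructed samples; REG_DWORD (4) with value 1 for DisablePCA is an assumption.
KEY = r"Software\Policies\Microsoft\Windows\AppCompat"
def _sample(value, rtype, data):
    """Build a one-entry file; used only to construct the sample input."""
    w = lambda s: s.encode("utf-16-le")
    return (struct.pack("<4sI", b"PReg", 1) + w("[" + KEY + "\0;" + value + "\0;")
            + struct.pack("<I2sI2s", rtype, b";\0", len(data), b";\0") + data + w("]"))
SAMPLE_SET = _sample("DisablePCA", 4, struct.pack("<I", 1))
SAMPLE_DEL = _sample("**del.DisablePCA", 1, " \0".encode("utf-16-le"))
```

Running parse_pol over a copy of a GPO's registry.pol and listing each entry's action gives a quick audit of which values the policy sets and which it marks for removal.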

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Webmaster eSupport
Sent: Friday, October 27, 2006 8:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an
application


In Vista, I found ntuser.pol located in C:\ProgramData folder. Your
polviewer tool shows the following registry key:
 
Registry Key: SOFTWARE\Policies\Microsoft\Windows\AppCompat
Registry Value: **del.DisablePCA
Value Type: REG_SZ
 
Also, I find admin template file C:\Windows\PolicyDefinitions\AppCompat.admx
which contains the following:
 
<policy name="AppCompatTurnOffProgramCompatibilityAssistant_1" class="User"
displayName="$(string.AppCompatTurnOffProgramCompatibilityAssistant)"
explainText="$(string.AppCompat_TurnOffProgramCompatibilityAssistant_Help)"
key="Software\Policies\Microsoft\Windows\AppCompat" valueName="DisablePCA">
<parentCategory ref="AppCompat" />
<supportedOn ref="windows:SUPPORTED_WindowsVista" />
</policy>

I don't fully understand how Vista configuration parameters work with the
registry and registry.pol files in the GPOs. For the above Vista
configuration parameter to control enabling or disabling Program
Compatibility Assistant, does it mean it can be controlled by registry key
="Software\Policies\Microsoft\Windows\AppCompat\DisablePCA"? If so, is it
located under HKLM or HKCU? Or, do I need to work with ntuser.pol file? 
 
Dave
 

----- Original Message ----- 
From: Darren Mar-Elia <mailto:darren@xxxxxxxxxx>  
To: gptalk@xxxxxxxxxxxxx 
Sent: Thursday, October 26, 2006 5:15 PM
Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an
application

Pol files exist in the GPO itself. So, in both XP and Vista, that's in
SYSVOL under the policies folder. You're probably finding ntuser.pol in XP,
which is a slightly different file. It also exists in Vista but maybe it's
harder to find...
 
 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Webmaster eSupport
Sent: Thursday, October 26, 2006 2:15 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an
application


Thanks for the tip about your polviewer utility. I see how it works on XP.
However, I'm not able to find any "pol" files in Vista. Does anyone know
where they are located on Vista? 
 
Dave

----- Original Message ----- 
From: Darren Mar-Elia <mailto:darren@xxxxxxxxxx> 
To: gptalk@xxxxxxxxxxxxx 
Sent: Thursday, October 26, 2006 12:40 PM
Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an
application

Admin Templates in Vista, like OSes before it, are governed by template
files. In Vista these are called ADMX files and are XML files that govern
where a particular policy makes a setting in the registry. This was the same
with ADMs in previous OSes. These files serve as the template for values that
are written to the registry.pol files in the GPOs. This file is simply a
Unicode-encoded text file that can be read from and written to (see my
polviewer utility for a registry.pol reader). So, programmatically you could
get into this file and write your setting provided you know the value in the
registry that underlies it, which you can glean from the ADMX files in
c:\windows\policydefinitions. 
 
You might also look at the IGroupPolicy object interface. Others on the list
have more experience with this interface than I do but it does provide some
programmatic access into registry policy.
 
Darren
 
 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Webmaster eSupport
Sent: Thursday, October 26, 2006 9:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an
application


In Vista, there is a configuration parameter "Turn Off Program Compatibility
Assistant" defined as a group policy under Computer
Configuration->Administrative Templates->Windows Components->Application
Compatibility. Do you think it's possible to access this configuration
parameter through application code? I've looked up registry.pol on MSDN
but not seen anything that leads me directly to this parameter. If it's
possible, Vista-specific policy info is probably not published on MSDN yet. 
 
Dave
 

----- Original Message ----- 
From: Darren Mar-Elia <mailto:darren@xxxxxxxxxx> 
To: gptalk@xxxxxxxxxxxxx 
Sent: Thursday, October 26, 2006 11:09 AM
Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an
application

Nothing changes in particular in Vista. Note that policy areas such as Admin
Templates and Software Restriction policy store their settings in a
published format (look up registry.pol in MSDN) so it's not completely
opaque, but I think that because each CSE has historically been owned by the
respective product groups within MS, and no one dictated a standard set of
interfaces, it would have been difficult for MS to publish this information.
For example, Admin Template settings are driven by ADM/ADMX files but
security settings, for example, are hard-coded into the GP editor DLL
responsible for that extension (for the most part).
 
Darren

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Webmaster eSupport
Sent: Thursday, October 26, 2006 7:55 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an
application


 
So if I understand this correctly, it is possible to configure group
policies through an application with Microsoft's gpedit.msc application, but
Microsoft is just not sharing the methods with anyone so we're not forced to
use their application. That's unbelievable, but not surprising. Up to now I
think most users do not have a need to touch group policy settings. However,
with Vista Microsoft is relying more heavily on group policy settings for
Vista configuration settings.  
 
Does anyone know a method for accessing group policies specific for Vista? 
 
Dave
 

----- Original Message ----- 
From: Darren Mar-Elia <mailto:darren@xxxxxxxxxx> 
To: gptalk@xxxxxxxxxxxxx 
Sent: Thursday, October 26, 2006 10:07 AM
Subject: [gptalk] Re: Can Group Policy Settings be accessed and set from an
application


Generally speaking, you can't do this. There is no API that will get you
access to all GP settings. Part of the problem here is that each CSE that MS
ships contains its own mechanism for writing and storing settings, with
their own formats. So, there is no unified API that provides the single
interface.
 
Not a great answer, but one that I've been repeating since about 1999 :).
Maybe one day it will get solved.
 
Darren

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Webmaster eSupport
Sent: Thursday, October 26, 2006 6:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Can Group Policy Settings be accessed and set from an
application


Hello All,
 
I have an application where I need to manage group policy settings from an
application. I'm new to Group Policies in Windows, have been reading
everything I can find but so far I've not found definitive methods which enable
group policy settings to be read and configured from a C++ application.
Seems to me that if group policies can be configured with Windows group
policy editor, it must be possible to implement my own application. 
 
Appreciate any help anyone can provide to get me up to speed on this. 
 
Thanks in advance,
 
Dave
