How to make an application GPO aware?
I'm writing an application in Delphi 2010, and I'd like to provide the option to the administrator to configure it via Group Policy. Any recommendations on good ways to make my application GPO aware? Note, I am only looking to create a computer based GPO, not user.

My current solution involves simply first determining if any values have been written to the registry at HKLM\software\policies\MyProgram. If they have, I assume that GPO has been applied and I use this location to read configuration.

If nothing exists at the above registry location, I proceed to reading configuration at the standard location, whether that's an INI file, or another reg key does not matter. At this point, I make the assumption in the program that group policies are not being used.

Would anyone suggest a better way to make this application GPO aware?

Excrescent answered 7/12, 2010 at 16:23 Comment(3)
I only looked lightly into Group Policy Objects, but my understanding is that they are shipped to computers as definable registry entries. It sounds to me that you create a group policy template that defines your registry entries, and you're done. Is this not so? – Crosswind
That's essentially correct for deploying them. However, my question is about the best manner for my application to read these GPOs. The answer may be the simplest, which is check the GPO location, and if not there, check standard (e.g. non-GPO) location. – Excrescent
My understanding is that is the exact intention of custom group policy templates: you have a friendly UI which is used to manage registry keys that a program reads; and it can send those registry keys to the entire domain. I'll put that in the form of an answer, and see if cat licks it up. – Crosswind

It's not that you have to be group policy aware, it's that the group policy has to be aware of the registry keys your program uses.

The purpose of custom Group Policy Templates is to have a user-interface for managing a custom set of registry keys used by a particular program. The domain administrator sets the policy to the desired values, and the policy is pushed out to machines on the domain.

In your case, the custom policy template will define the corresponding HKLM registry keys that your program uses. You can now trust that the values stored in:

HKLM\Software\MickSoftware\My Program 2010

are what the administrator has desired be there.


Note: The following "policy" registry locations are non-persistent:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\SOFTWARE\Policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

"This means that when you log off the computer or when you shut down the computer, the policy settings are removed."

So it seems to me you want to store your registry values where you normally store them, e.g.:

HKLM\Software\Avatar Software Creations\HelpDesk\DatabaseServer
    ServerName: REG_SZ = "lithium"
    UserID: REG_SZ = "helpdesk"
    Password: REG_SZ = "aSBsb3ZlIHlvdSBLaXJzdGVuIFNoZWxieSBHdXllcg=="
Crosswind answered 7/12, 2010 at 17:2 Comment(5)
Do you really want to leak helpdesk's password hash? :) – Bloomington
Only settings under the Policies keys are managed, BUT this also means that if you create policies under non-managed keys and remove them later or set a value to undefined, the registry settings are not removed. They will remain forever in that specific GPO. – Variometer
@user205376 That's not a hash ;) It's actually a base64 encoded value that I generated just for this question (I figured few would think to decode it). In reality the password would be encrypted, and then base64 encoded to be easily stored in the registry. – Crosswind
@MikeyB SWYgb25seSBzaGUgZmVsdCB0aGUgc2FtZSA6KA== – Crosswind
I hope she's your wife .. still ;) – Monosyllable
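
One way to implement the lookup described in the question, with the policy key taking precedence per value instead of all-or-nothing and the source of each value reported so a policy-set option can be shown as locked. This is an added example, not code from the question or the answers; the `\Software\MyProgram` fallback key, the helper names and the `localhost` default are assumptions.

```delphi
program PolicyAwareConfig;
{$APPTYPE CONSOLE}
uses
  Windows, Registry;

type
  TSettingSource = (ssPolicy, ssStandard, ssDefault);

const
  PolicyKey   = '\Software\Policies\MyProgram'; // policy location from the question
  StandardKey = '\Software\MyProgram';          // assumed non-policy location
  SourceNames: array[TSettingSource] of string =
    ('policy', 'standard key', 'built-in default');

// Reads one string value from HKLM. The key is opened read-only so the
// application does not need administrative rights to consume the setting.
function TryReadMachineString(const Key, Name: string; out Value: string): Boolean;
var
  Reg: TRegistry;
begin
  Result := False;
  Reg := TRegistry.Create(KEY_READ);
  try
    Reg.RootKey := HKEY_LOCAL_MACHINE;
    // Check the value type as well: a value of the wrong type is treated as absent.
    if Reg.OpenKeyReadOnly(Key) and Reg.ValueExists(Name) and
       (Reg.GetDataType(Name) in [rdString, rdExpandString]) then
    begin
      Value := Reg.ReadString(Name);
      Result := True;
    end;
  finally
    Reg.Free; // the destructor closes any open key
  end;
end;

// Precedence: policy key, then the standard key, then the built-in default.
// Callers should treat ssPolicy values as read-only in any settings UI.
function ReadSetting(const Name, Fallback: string; out Source: TSettingSource): string;
begin
  if TryReadMachineString(PolicyKey, Name, Result) then
    Source := ssPolicy
  else if TryReadMachineString(StandardKey, Name, Result) then
    Source := ssStandard
  else
  begin
    Result := Fallback;
    Source := ssDefault;
  end;
end;

var
  Source: TSettingSource;
  Server: string;
begin
  Server := ReadSetting('ServerName', 'localhost', Source);
  Writeln('ServerName = ', Server, ' (from ', SourceNames[Source], ')');
end.
```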
