Developer Issues


This page covers Group Policy from the perspective of the application developer. Its focus is on how an application is developed such that it is "policy enabled".

At a high level, there are two common categories of policy-enabled components:

  • Those using ADM templates. Here, the application is associated with an .ADM file that describes the policy settings to which the application responds. The Administrative Templates feature in Group Policy presents an administrative UI that allows configuration of these policy settings. These are targeted (by linking a GPO containing configured policy settings to a site, domain, or OU) and, once applied at the target machine, are respected by the component. This is by far the easiest way to policy-enable a component. Documentation for creation of custom ADM files can be found at http://go.microsoft.com/fwlink/?linkid=29910.

The interfaces for Group Policy are documented at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/group_policy_interfaces.asp.

You can also get a description of the storage format for registry.pol at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/registry_policy_file_format.asp

  • Those with their own Client Side Extension (CSE). This option is considerably more expensive but affords greater flexibility in terms of the data types supported and the administrative UI presented. 

Take particular care when developing CSEs. Because they run as in-process (InProc) DLLs in the same process space as WinLogon, a bug inside a custom CSE would have direct adverse effects on the Windows login experience.

There is some documentation on writing CSEs at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/implementing_a_group_policy_client_side_extension.asp.
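Settings configured through an ADM template are stored in the GPO's registry.pol file, whose format is documented at the link given above. The following Python parser is an added example, not code from the original page or from Microsoft; it follows the published layout (a `PReg` signature, version 1, then bracketed `[key;value;type;size;data]` records in UTF-16LE) so a developer or auditor can see which keys, values and types a GPO delivers. The `ExampleCorp` key path and both sample records are constructed for illustration.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)          # signature + format version 1
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
ENC = "utf-16-le"                                 # all text and delimiters are 16-bit

def _expect(blob, pos, ch):
    if blob[pos:pos + 2] != ch.encode(ENC):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_string(blob, pos):
    end = pos
    while blob[end:end + 2] != b"\x00\x00":       # scan 16-bit units up to the NUL
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode(ENC), end + 2

def _read_dword(blob, pos):                       # struct.error if the file is truncated
    return struct.unpack_from("<I", blob, pos)[0], pos + 4

def parse_registry_pol(blob):                     # -> [(key, value_name, type_name, data)]
    if blob[:8] != HEADER:
        raise ValueError("not a version 1 registry.pol file")
    entries, pos = [], 8
    while pos < len(blob):
        key, pos = _read_string(blob, _expect(blob, pos, "["))
        name, pos = _read_string(blob, _expect(blob, pos, ";"))
        rtype, pos = _read_dword(blob, _expect(blob, pos, ";"))
        size, pos = _read_dword(blob, _expect(blob, pos, ";"))
        pos = _expect(blob, pos, ";")
        if pos + size > len(blob):
            raise ValueError("data size exceeds file length")
        data, pos = blob[pos:pos + size], pos + size   # trust size; data may contain ']'
        pos = _expect(blob, pos, "]")
        if rtype == 4 and size == 4:
            data = struct.unpack("<I", data)[0]
        elif rtype in (1, 2):
            data = data.decode(ENC).rstrip("\x00")
        entries.append((key, name, REG_TYPES.get(rtype, f"type {rtype}"), data))
    return entries

def build_entry(key, name, rtype, data):          # builds constructed sample records
    head = f"[{key}\0;{name}\0;".encode(ENC) + struct.pack("<I", rtype) + ";".encode(ENC)
    return head + struct.pack("<I", len(data)) + ";".encode(ENC) + data + "]".encode(ENC)

KEY = r"Software\Policies\ExampleCorp\SampleApp"  # constructed, hypothetical application
SAMPLE = (HEADER + build_entry(KEY, "EnableLogging", 4, struct.pack("<I", 1))
          + build_entry(KEY, "LogTarget", 1, "tcp://logs.example.test;retry=3]\0".encode(ENC)))
```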

Criteria for Creating a CSE

As a general rule, when policy-enabling an application, consider ADM files the starting point. They are simple, easy to develop, and extend a mature codebase. There are two broad reasons why you might need to create a CSE:

  • You want a rich administrative UI that isn't addressed by the ADM Templates node in GPEdit.
    • ADM Templates only support simple UI types such as edit boxes, combo boxes, listboxes, and dropdown lists.  Support for DataGrids, PictureBoxes, Listviews, Treeviews, and other advanced UI elements requires a custom CSE.
  • You have a very specific data format or storage need that can't be addressed by ADM templates.
    • ADM Templates only support simple data types such as strings and numerics.  Support for binary data, multi-string data, and other advanced data types requires a custom CSE.

Last Modified 1/31/05 5:52 PM
