Group policy is one of those things that you live with and, unless you are an administrator, don't pay much attention to, until someone asks you to write a group policy extension. Most group policies are simple registry changes. However, some more complex tasks call for the creation of a group policy extension, which is basically a DLL that gets invoked by the group policy infrastructure when a targeted group policy arrives. We use this approach to convert group policy data into a different subsystem's format (XML) when a new group policy arrives.

Group policy extensions are documented in the Microsoft documentation. Poorly, I might add. The sample they provide is the following: Processing a changed GPO
But really, the devil here is in the details. What do you do with the policy object inside the loop? The policy change data is not in the object you receive, and really nowhere obvious in sight.
What we know

Okay, so let's figure out what we know. To create a group policy extension, we need to create a DLL with a function implementing either the ProcessGroupPolicy or the ProcessGroupPolicyEx callback. We then need to create registration and unregistration functions (although that may not be strictly required if you can register through other means). These registration functions will register our extension in the registry and advertise the entry point. So far so good.

And the missing part

Once implemented per Microsoft specifications, you will start receiving GPO delete and change messages. To process these, here's what you need to know:
So the flow to handle a GPO change (or deletion, for that matter):
Hope this helps. By the way, if you are writing this in C++, ensure you export your callback method as plain C. Also, due to the callback calling convention, this will probably not work in managed code.
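An added example, not from the original post or Microsoft's documentation: because the registration step described above writes the extension's DLL and entry point to the registry, the following PowerShell lists every registered extension with its DLL, advertised callback and Authenticode status. The key path and value names (`DllName`, `ProcessGroupPolicy`, `ProcessGroupPolicyEx`) are the standard Winlogon `GPExtensions` layout and do not appear in the post; resolving a bare DLL name against System32 is an assumption.

```powershell
# Added example: audit registered Group Policy extensions (run on the client).
$root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

Get-ChildItem -Path $root | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath

    # DllName is normally REG_EXPAND_SZ; Get-ItemProperty returns it expanded.
    $dll = $props.DllName
    if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
        # Assumption: a bare file name is loaded from System32.
        $dll = Join-Path $env:SystemRoot "System32\$dll"
    }

    # The registration advertises the exported callback name in one of
    # these two values; prefer the Ex variant when both are present.
    $entry = if ($props.ProcessGroupPolicyEx) { $props.ProcessGroupPolicyEx }
             else { $props.ProcessGroupPolicy }

    # Check the signature only when the DLL actually exists on disk.
    $sig = if (-not $dll) { 'no DllName' }
           elseif (-not (Test-Path -LiteralPath $dll)) { 'DLL missing' }
           else { (Get-AuthenticodeSignature -LiteralPath $dll).Status }

    [pscustomobject]@{
        Guid       = $_.PSChildName          # subkey name is the extension GUID
        Name       = $props.'(default)'      # friendly name, if one was set
        Dll        = $dll
        EntryPoint = $entry
        Signature  = $sig
    }
} | Sort-Object Dll | Format-Table -AutoSize -Wrap
```

After registering your own extension, its GUID should appear in this list with the exported callback name you advertised; an entry whose DLL is missing or unsigned is worth a closer look.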