How to make an application GPO aware? - windows

I'm writing an application in Delphi 2010, and I'd like to provide the option to the administrator to configure it via Group Policy. Any recommendations on good ways to make my application GPO aware? Note, I am only looking to create a computer based GPO, not user.
My current solution involves simply first determining if any values have been written to the registry at HKLM\software\policies\MyProgram. If they have, I assume that GPO has been applied and I use this location to read configuration.
If nothing exists at the above registry location, I proceed to reading configuration at the standard location, whether that's an INI file, or another reg key does not matter. At this point, I make the assumption in the program that group policies are not being used.
Would anyone suggest a better way to make this application GPO aware?

It's not that you have to be group policy aware, it's that the group policy has to be aware of the registry keys your program uses.
The purpose of custom Group Policy Templates is to have a user-interface for managing a custom set of registry keys used by a particular program. The domain administrator sets the policy to the desired values, and the policy is pushed out to machines on the domain.
In your case, the custom policy template will define the corresponding HKLM registry keys that your program uses. You can now trust that the values stored in:
HKLM\Software\MickSoftware\My Program 2010
are what the administrator has desired be there.
Note: The following "policy" registry locations are non-persistent:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\SOFTWARE\Policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
"This means that when you log off the computer or when you shut down the computer, the policy settings are removed."
So it seems to me you want to store your registry values where you normally store them, e.g.:
HKLM\Software\Avatar Software Creations\HelpDesk\DatabaseServer
ServerName: REG_SZ = "lithium"
UserID: REG_SZ = "helpdesk"
Password: REG_SZ = "aSBsb3ZlIHlvdSBLaXJzdGVuIFNoZWxieSBHdXllcg=="
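The questioner's own approach, policy key first and the application's normal key as the fallback, as an added example (not code from the question or the answer). It also reports whether the location a value came from is writable by standard users, since a "policy" value only reflects an administrator's decision if ordinary users cannot set it themselves. The key paths and the setting name are assumptions for illustration.

```powershell
# Added example, not code from the original post. Key paths and setting name are assumed.
function Test-StandardUserCanWrite {
    param([Parameter(Mandatory)][string]$RegistryPath)
    # Rights that let a principal change the key's contents.
    $writeBits = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey
    # Identities that every non-elevated interactive user holds.
    $broadIds = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                'NT AUTHORITY\INTERACTIVE'
    $acl = Get-Acl -LiteralPath $RegistryPath
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $broadIds -contains $rule.IdentityReference.Value -and
            [int]($rule.RegistryRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

function Get-AppSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\MyProgram',            # assumed policy key
        [string]$AppPath    = 'HKLM:\SOFTWARE\MickSoftware\My Program 2010'   # assumed app key
    )
    $sources = @(
        @{ Path = $PolicyPath; Source = 'GroupPolicy' },
        @{ Path = $AppPath;    Source = 'Application' }
    )
    foreach ($s in $sources) {
        if (-not (Test-Path -LiteralPath $s.Path)) { continue }
        $value = (Get-Item -LiteralPath $s.Path).GetValue($Name)
        if ($null -eq $value) { continue }     # not set here, fall through to the next location
        return [pscustomobject]@{
            Name   = $Name
            Value  = $value
            Source = $s.Source
            # True here means the value cannot be trusted as an administrator's choice.
            WritableByStandardUsers = Test-StandardUserCanWrite -RegistryPath $s.Path
        }
    }
    return $null                               # configured nowhere
}

Get-AppSetting -Name 'ServerName' | Format-List
```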

Related

Unable to update group policy(local gpo) status to "Not Configured" using Powershell

With PowerShell, by updating the corresponding registry keys we can toggle the local GPO status to "Enabled" or "Disabled", but I have a specific requirement to make sure that certain local GPOs are set to "Not configured". I tried deleting the corresponding registry keys but it didn't help.
Is there any way to achieve this in PowerShell?
If I run Local Group Policy Editor (gpedit.msc) as Administrator and set the Computer Configuration\Administrative Templates\System\Removable Storage Access\Removable Disks: Deny write access policy to Enabled or Disabled, according to Process Monitor that is actually setting the Deny_Write value at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{GUIDGUID-GUID-GUID-GUID-GUIDGUIDGUID}Machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
If I modify, delete, or rename that Deny_Write value as Administrator then I see the change reflected in Local Group Policy Editor when I edit/reopen that policy. I'm not exactly certain how it is that a machine policy is being set under a user's registry; perhaps there's a symbolic link or loaded hive at play. Process Monitor indicates that C:\Windows\System32\GroupPolicy\Machine\Registry.pol is also modified at the time I set the policy, so that must be the underlying storage for Group Policy-based registry changes.
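The Registry.pol file named above is stored in the documented "PReg" registry policy file format: an 8-byte header followed by entries of the form [key;valuename;type;size;data] in UTF-16LE. Listing its entries is a direct way to verify what the local GPO actually has configured, because a setting that is "Not Configured" has no entry at all. The parser below is an added example, not code from the post; the default path is the machine Registry.pol the post mentions.

```powershell
# Added example, not code from the original post: parse Registry.pol (PReg format).
function Read-RegistryPol {
    param([string]$Path = "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol")
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $enc   = [System.Text.Encoding]::Unicode                 # entry body is UTF-16LE
    if ($bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') {
        throw "Not a PReg registry policy file: $Path"
    }
    $pos = 8                                                 # skip 'PReg' signature and version DWORD
    $entries = New-Object System.Collections.Generic.List[object]
    while ($pos + 2 -le $bytes.Length) {
        if ($enc.GetString($bytes, $pos, 2) -ne '[') { throw "Malformed entry at offset $pos" }
        $pos += 2
        # key and value name: null-terminated UTF-16LE strings, each followed by ';'
        $strings = @()
        for ($i = 0; $i -lt 2; $i++) {
            $start = $pos
            while ([BitConverter]::ToUInt16($bytes, $pos) -ne 0) { $pos += 2 }
            $strings += $enc.GetString($bytes, $start, $pos - $start)
            $pos += 4                                        # null terminator and ';'
        }
        $type = [BitConverter]::ToUInt32($bytes, $pos); $pos += 6    # type DWORD and ';'
        $size = [BitConverter]::ToUInt32($bytes, $pos); $pos += 6    # size DWORD and ';'
        $data = New-Object byte[] $size                               # handles size 0 cleanly
        [Array]::Copy($bytes, $pos, $data, 0, $size); $pos += $size + 2   # data and ']'
        $value = switch ($type) {
            { $_ -in 1, 2 } { $enc.GetString($data).TrimEnd([char]0) }   # REG_SZ / REG_EXPAND_SZ
            4               { [BitConverter]::ToUInt32($data, 0) }       # REG_DWORD
            default         { [BitConverter]::ToString($data) }          # other types as hex
        }
        $entries.Add([pscustomobject]@{ Key = $strings[0]; ValueName = $strings[1]; Type = $type; Value = $value })
    }
    return $entries
}

# Usage: an empty result for a value name means that policy is "Not Configured" locally.
Read-RegistryPol | Where-Object { $_.ValueName -eq 'Deny_Write' } | Format-Table Key, Type, Value
```

Value names beginning with "**" (for example the delete markers written when a policy is set to Disabled) are part of the same format and are returned unchanged.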

How to get EVERY user token on a PC for SHGetKnownFolderPath?

I'm working on a System Service project with SYSTEM privilege (cleaning utility)... It does not interact with any user interface.
My goal is to check files in "Desktop" and "AppData" folders for any user that exists on the PC.
I'm using NetUserEnum() to get the user list on the PC. Then I want to get the path of each user's Desktop and AppData with SHGetKnownFolderPath(), but I can't find a way to get each user's access token for SHGetKnownFolderPath(). Without a token defined in SHGetKnownFolderPath(), it returns the path for SYSTEM and not specific users.
Q1. How can I get the token of each user for SHGetKnownFolderPath()?
Q2. If no answer for Q1, is there any documented way to get the desktop & appdata path of each user in the PC?
I understand this can be achieved with dirty way ---> Registry key with some string replacement. However, the Registry key method is undocumented, which may easily break in future updates to Windows.
Edit Update:
#RaymondChen Thanks for pointing out that some user profiles may not exist. Also,
About Q1: #Remy Lebeau provides a solution with LogonUser/Ex(): log on as each user with their credentials, which might be the only answer that fits the need of Q1.
About Q2: There might be no documented way to achieve this. The only method might have to stick with the Windows Registry (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders), as #Remy Lebeau and #Olaf Hess said. I tried to dig for more information on the Microsoft Community Forum and I gathered that Microsoft would never allow access to other users' profiles with their native API for security reasons. They do not provide APIs that could possibly violate the security rules. Each user profile can only be accessed with its own credentials.
btw, I totally understand that a "cleaning utility" is aka a "Windows-breaking tool", especially when the tool is not well coded (e.g. compatibility problems). To avoid making it a total Windows destroyer, I tried to use documented APIs as much as possible.
For Windows Vista with SP1 / Server 2008 and better you can query the existing user profiles using the WMI class Win32_UserProfile. This allows you to retrieve the profile path and check whether it is a local or roaming profile and to get status information. The rest (retrieving the paths to APPDATA, DESKTOP, etc.) is likely going to involve reading values straight from the registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders).
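The approach described in that answer, as an added example that is not the answer's own code: enumerate profiles with Win32_UserProfile, skip the special (service) profiles, and for each profile whose hive is currently loaded read the Desktop and AppData entries from User Shell Folders. The REG_EXPAND_SZ values are read unexpanded and %USERPROFILE% is replaced with the profile's LocalPath, because expanding them in the service's own context would yield SYSTEM's paths, which is the questioner's original problem. The fallback relative paths (Desktop, AppData\Roaming) are the usual defaults and are an assumption here.

```powershell
# Added example, not code from the original answer. Fallback subfolder names are assumed defaults.
function Get-ProfileShellFolders {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $wanted = @{ Desktop = 'Desktop'; AppData = 'AppData\Roaming' }   # name -> default relative path
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |                # drop SYSTEM, LocalService, NetworkService
        ForEach-Object {
            $up       = $_
            $hivePath = "HKU:\$($up.SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
            # Only a loaded hive is reachable under HKEY_USERS; offline profiles need reg.exe load first.
            $hiveKey  = if ($up.Loaded) { Get-Item -LiteralPath $hivePath -ErrorAction SilentlyContinue } else { $null }
            $result   = [ordered]@{
                SID = $up.SID; LocalPath = $up.LocalPath
                Roaming = [bool]$up.RoamingConfigured; HiveLoaded = [bool]$up.Loaded
            }
            foreach ($name in $wanted.Keys) {
                $raw = $null
                if ($hiveKey) {
                    # Read the REG_EXPAND_SZ without expansion; expanding here would use
                    # the calling service's %USERPROFILE%, not this user's.
                    $raw = $hiveKey.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                }
                if ($raw) {
                    $result[$name] = $raw -ireplace '%USERPROFILE%', $up.LocalPath
                    $result["$($name)Source"] = 'UserShellFolders'
                } else {
                    $result[$name] = Join-Path $up.LocalPath $wanted[$name]
                    $result["$($name)Source"] = 'DefaultAssumed'
                }
            }
            [pscustomobject]$result
        }
}

Get-ProfileShellFolders | Format-Table SID, HiveLoaded, Desktop, AppData, DesktopSource
```

A user who relocated a folder to another drive will only be reported correctly while their hive is loaded; for the others the DefaultAssumed rows show where the example had to guess.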

adding registry key for Windows local SYSTEM user

I am somewhat new to Registry Keys in Windows. What I want to do is add a registry key ONCE that will take effect on the local SYSTEM user (for as long as my program is installed). This registry key will need to be added through a batch file while logged on as a regular user (not the SYSTEM user). What I am doing exactly is running a batch script that creates a windows service. This service is running as the local system user. The service is trying to do something that requires a registry key to be set. I tried manually setting the registry key in HKEY_LOCAL_MACHINE but I am still hitting the roadblock when my service is run. Is this the correct place to change registry keys so that the local system account will see them? Any knowledge on the subject would be greatly appreciated!

Cross-user registry values

I'd come to this conclusion through experience and various things I've read on this internet, but in stating it to a co-worker, it seems illogical. Can you verify the following statement is true, or provide a counter to it?
On Vista/Win7, two standard (non-elevated users) cannot read/write the same location in the registry.
On Vista/Win7, two standard (non-elevated users) cannot read/write the same location in the registry.
This is a false statement.
On Vista/Win7, two standard (non-elevated users) cannot write the same location in the registry in the default configuration.
But this is true. By default, users only have write access to their own hive (HKEY_CURRENT_USER) and read access to the machine hive (HKEY_LOCAL_MACHINE).
If you want to configure a location where any user can read and write, you can certainly do by configuring a key's ACL, as #Dark Falcon said. A good place for this is somewhere inside your application's key in HKEY_LOCAL_MACHINE, and at install time (when your installer has elevated privileges to do so).
That would be incorrect. A registry key can have an ACL specified which allows any user, elevated or not, to write to it. By default, I am not aware of any keys which have this configured, but it certainly is possible.

Required Registry location common to all users to avoid registry virtualisation in Vista

In Vista, a standard user can no longer create or write to keys under HKLM\Software. So, to port the code according to Vista standards, into which key should I write the application configuration data? Something like %AllUsers%\AppData for folders. My main requirement is that I should avoid writing to HKLM\Software, but the key location should be common to all users in the registry.
Thanks,
F
The registry is a securable object.
i.e. you can, during the administrative install, alter the ACL of a key you create, to create an all-users read/write key in HKLM.
That said, Users\Public\AppData might not work the way you think. The ACLs on that folder allow read by all users, but only creators can write. Which means you still can't have two users editing the same documents.
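Both of the answers above (the install-time ACL change in the "Cross-user registry values" thread and the one just given) describe the same technique; this added example, which is not code from either answer, carries it out with PowerShell. It creates a shared key under the application's HKLM key while elevated and grants BUILTIN\Users only the rights needed to read, create and set values, deliberately leaving out Delete, ChangePermissions and TakeOwnership so that no standard user can lock other users out or re-ACL the key. The vendor and application names are assumptions.

```powershell
# Added example, not code from the original answers. Vendor/application names are assumed.
function New-SharedAppKey {
    param([string]$Path = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp\Shared')
    # Creating under HKLM requires an elevated (installer) context.
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }

    # Least privilege for a shared settings key: values and subkeys, nothing about the ACL itself.
    $rights = [System.Security.AccessControl.RegistryRights]::QueryValues -bor
              [System.Security.AccessControl.RegistryRights]::SetValue -bor
              [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
              [System.Security.AccessControl.RegistryRights]::EnumerateSubKeys -bor
              [System.Security.AccessControl.RegistryRights]::Notify -bor
              [System.Security.AccessControl.RegistryRights]::ReadPermissions

    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        'BUILTIN\Users', $rights, 'ContainerInherit', 'None', 'Allow')

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $Path
}

# Show the resulting entries for Users so the granted rights can be reviewed before shipping.
function Show-SharedAppKeyAccess {
    param([string]$Path = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp\Shared')
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
        Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited
}

New-SharedAppKey | Out-Null
Show-SharedAppKeyAccess | Format-Table -AutoSize
```

Because every user can now write here, the application must treat the key's contents as untrusted input from other users, which is the registry-side counterpart of the shared-documents caveat in the answer above.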