
What is required on my (app) side to honor a group policy, and how do I implement it - if that is actually possible?

My thoughts are:

  • I define a bunch of group policy strings, each with a type and default value
    • ... to turn on/off features in the app interface
  • an admin implements them on an active directory somewhere somehow
  • I check some system provided List/Dictionary for those GPO strings
    • .. if they are present and what their values are
    • .. then do a bunch of button.enabled = false stuff

Edit + Solution:

Other sources say someone should just create registry values at the usual CURRENT_USER\SOFTWARE\APPNAME place (no policy-related key!). Then create an ADM/ADMX template to go with the registry key + values (for the admin to load the template as a config extension to the GPOs). That means not having to take special care for an Active Directory configuration, since GPOs can modify/restrict write access to registry values - and push them via AD.

Edit 2:

Found a few tools that convert .reg files into ADMX(L) GPO config XML template files. So it is correct to say you can have a GPO group in the GPO console with the app name, and have options with readable titles, extra explanations, and a configuration to be set to "not configured", "disabled" or "enabled" with a value or default value, each linked to a reg entry. There is no need to communicate with the AD service.

BananaAcid
    You can use LDAP to get the GPO Object. https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ – Svek May 16 '17 at 05:44
  • possible duplicate of "Let my Application be controlled by GPOs" : http://stackoverflow.com/questions/8804970/let-my-application-be-controlled-by-gpos – BananaAcid May 16 '17 at 06:30
  • possible duplicate of "How to make an application GPO aware? ": http://stackoverflow.com/q/4378942/1644202 – BananaAcid May 16 '17 at 06:38
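The approach from the "Edit + Solution" above, as an added C# example that is not code from the original post: the app declares a catalog of typed settings with defaults, and reads them from the per-user registry key that an ADMX template would target. The vendor/app key path, the value names and the defaults are assumptions made up for the illustration; an absent value is treated as "not configured" and a value of the wrong registry kind falls back to the default rather than leaking an unexpected type into the UI code. `Microsoft.Win32.Registry` is built into .NET Framework; on .NET Core / .NET 5+ it comes from the `Microsoft.Win32.Registry` package.

```csharp
// Added example (not from the original post): typed, defaulted settings read from
// the registry key an ADMX template points at. Key path, names and defaults are
// hypothetical.
using System;
using System.Collections.Generic;
using Microsoft.Win32;

public enum PolicyType { Bool, Int, String }

public sealed class PolicySetting
{
    public string Name { get; }
    public PolicyType Type { get; }
    public object Default { get; }

    public PolicySetting(string name, PolicyType type, object defaultValue)
    {
        Name = name; Type = type; Default = defaultValue;
    }
}

public static class AppPolicy
{
    // Hypothetical key; the ADMX template's <policy key="..."> must name exactly this path.
    private const string KeyPath = @"Software\ExampleVendor\ExampleApp";

    // The catalog is the single place where a setting, its type and its default are defined.
    public static readonly PolicySetting[] Catalog =
    {
        new PolicySetting("AllowExport",     PolicyType.Bool,   true),
        new PolicySetting("MaxUploadMB",     PolicyType.Int,    25),
        new PolicySetting("UpdateServerUrl", PolicyType.String, "https://updates.example.invalid/"),
    };

    // Returns one value per catalog entry. A missing key or value means "not configured".
    public static Dictionary<string, object> Load()
    {
        var result = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase);
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath, writable: false))
        {
            foreach (PolicySetting s in Catalog)
            {
                object raw = key?.GetValue(s.Name);   // null when the key or value is absent
                result[s.Name] = Coerce(s, raw);
            }
        }
        return result;
    }

    // Accept only the registry kind the catalog expects; anything else yields the default.
    private static object Coerce(PolicySetting s, object raw)
    {
        if (raw == null) return s.Default;
        switch (s.Type)
        {
            case PolicyType.Bool:   return raw is int b   ? b != 0 : s.Default; // REG_DWORD 0/1
            case PolicyType.Int:    return raw is int i   ? i      : s.Default; // REG_DWORD
            case PolicyType.String: return raw is string t ? t      : s.Default; // REG_SZ
            default:                return s.Default;
        }
    }
}

// Usage (in the form's load handler, hypothetical control names):
//   var policy = AppPolicy.Load();
//   exportButton.Enabled = (bool)policy["AllowExport"];
//   uploadLimit = (int)policy["MaxUploadMB"];
```

Note that a value under HKEY_CURRENT_USER\Software\<App> is writable by the interactive user, so the app cannot treat it as proof that an admin chose the setting; as the edit says, the enforcement comes from the GPO restricting write access to the key (or from the admin placing the value under a key the user cannot write). Read these values as configuration, and keep any real authorization decision (for example, whether an export is actually permitted) on the server side.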

1 Answer


It is possible to check if a user belongs to an Active Directory group against the LDAP server (DC) on the local network,
using the System.DirectoryServices and System.Security.Principal namespaces.
Search for those namespaces and you will find a lot of code examples and documentation.

your thought:

an admin implements them on an active directory somewhere somehow

Yes, the IT team will create those Active Directory groups according to the required permissions you provide to them ("basic user", "guest", "power user", "admin" etc.). That job belongs to the system admins.

your thought:

.. if they are present and what their values are

Technically, the LDAP server will return a collection of AD group strings for each user you pass. You can also check if his credentials are valid, and you will get true/false values.

your thoughts:

... to turn on/off features in the app interface .. then do a bunch of button.enabled = false stuff

You are right that the final result will be to disable/enable some features on the GUI, BUT it's an object-oriented language you are using; best practice is to write a modular and maintainable program so that in the future it will be easy to make changes, not just straightforward code that can get unnecessarily messy and laborious to manage.

Good luck with your project.

Jonathan Applebaum
  • so for GPOs it's only about getting the user group of the current user and deciding what features to enable, and it's __not__ possible to get a list of specific options that the IT crowd has enabled for a specific user (that is what I had in mind)? – BananaAcid May 16 '17 at 06:13
  • @BananaAcid basically yes, you will have to develop that logic inside your app; the AD group will be the "user profile". Although there are security applications on the market (or domestic development by the organization's security department) that can provide more values, the logic is still inside your app – Jonathan Applebaum May 16 '17 at 06:36
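The model the answer describes (an AD group acts as the "user profile", and the app decides which features that profile unlocks), as an added C# example that is not code from the answer. It uses `WindowsPrincipal.IsInRole` from the System.Security.Principal namespace the answer names; because the logon token already carries the user's group SIDs (including nested groups), no LDAP query is needed for the membership check itself. The domain name, group names and feature names are hypothetical.

```csharp
// Added example (not from the answer): map the current user's AD groups to a set
// of enabled features. Domain, group and feature names are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class FeatureGate
{
    // Hypothetical groups the IT team would create, and the features each grants.
    // Membership in any listed group grants that group's features (union semantics).
    private static readonly Dictionary<string, string[]> GroupFeatures =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            [@"EXAMPLE\App-Basic"]  = new[] { "Open", "Print" },
            [@"EXAMPLE\App-Power"]  = new[] { "Open", "Print", "Export" },
            [@"EXAMPLE\App-Admins"] = new[] { "Open", "Print", "Export", "Settings" },
        };

    // Resolve the features for a given identity; pass WindowsIdentity.GetCurrent() in the app.
    public static HashSet<string> FeaturesFor(WindowsIdentity identity)
    {
        var features = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var principal = new WindowsPrincipal(identity);

        foreach (KeyValuePair<string, string[]> entry in GroupFeatures)
        {
            // IsInRole translates "DOMAIN\Group" to a SID and checks the token's group list.
            // A name that cannot be resolved yields false; a translation error (for example
            // a machine that is off the domain) is treated the same way: no feature granted.
            bool isMember;
            try { isMember = principal.IsInRole(entry.Key); }
            catch (SystemException) { isMember = false; }

            if (isMember) features.UnionWith(entry.Value);
        }
        return features;
    }

    // Convenience for UI code: one call per control.
    public static bool Allows(HashSet<string> features, string feature) => features.Contains(feature);
}

// Usage (in the form's load handler, hypothetical control names):
//   var features = FeatureGate.FeaturesFor(WindowsIdentity.GetCurrent());
//   exportButton.Enabled   = FeatureGate.Allows(features, "Export");
//   settingsMenu.Visible   = FeatureGate.Allows(features, "Settings");
```

Two points worth keeping in mind: the token's group list reflects the user's groups at logon time, so a change made by the IT team takes effect at the next logon, and disabling a button is only a usability measure; a feature that must not be used by a "basic user" should also be refused by whatever backend the button talks to, since the client-side check runs on a machine the user controls.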