Applying POLICY programmatically

  • Thread starter Thread starter dejavu
  • Start date Start date
D

dejavu

Hello,
Is there an API or systematic way of applying a POLICY
programmatically?
Suppose I have a .POL file then can I write a C/C++ program so that
this policy gets applied for the current session. I guess there must
be some easy and correct and may be even it is documented in MSDN
somewhere deep down under some weird title or KB artice. May be I am
being too lazy, but if anybody out there has already gone thru this,
then why Re-Invent the wheel? ;-)
Thanks in Advance,
~Semal
 
hmmmm
I'm not aware of an api to do this, but that doesn't mean it can't be done.
What you would probably want to do in this case is just write to the reg
keys as appropriate.

Note that policy probably isn't the right technology for what you are trying
to do. Policy affects security settings on the machine, and the way in which
the gui is displayed for the users, and also some other sorts of settings
(network, ipsec, etc).
What you are trying to do is provision a shell, which has little to do with
policy per say, but rather to do with a shell and the context under which it
runs.
You would probably want to do is change the local policy to restrict the
rights for a given security context (maybe a local account you create),
start the shell in that context, and subsequently acl things on the system
as appropriate for it. Note that the only time policy comes in to play are
for some of the rights this user might have, not for anything else.

~Eric


--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights


dejavu said:
Hello Eric,

I was really very surprised and pleased to see such a quick reply,
thanks a lot. So here is what I am looking for;

We have a web based interface to launch some windows based apps on
Win2k and Windows 2003 terminal servers. We actual execute a certain
control program before actually launching the app.
My product manager tells me that he should be able to provision a
Restricted Shell ( just like kiosk). And even the Apps should run
under a restricted environment. And we want to give Admins a separate
Web Based UI , where in they can relax or tighten the security or
rather Restrictions. They need three levels and if possible an
advanced Customizable Restirction Template ( in MS terminology they
need three deifferent Ploicys and should be able to customize it if
needed).
So applying restrictions in most of the cases should be as easy as
just one or two clicks And MOST IMPORTANT THING IS they DO NOT have
Active Directory Services implemented and hesitate to go for ADS.
And I have already tried the ADS approach gone thru the KB
article, which says create a separate OU put all the Term servers in
that OU . etc etc. But we want independence from ADS for this old
installation. Even if its a really bad unClean way of doing the
things.
I even dont know whether it is possible. I dont want to actually
manipulate each corresponding Registry entry, and hoping that there is
some what better way. I myself is slightly unclear about the whole
thing, but the most important thing is we dont want to rely on ADS.
Suppose I managed to convince them to go for a ADS based approach, how
can I manage the policies programmatically, without having to open
that MMC consoles manually and doing n number of steps manually?
Thanks and Regards,
~Semal


"Eric Fleischman [MSFT]" <[email protected]> wrote in message
Semal,

There are some strange things you can do with policy, but I'm not sure I
understand where you're going with this.
Can you give us a high level of what you're trying to achieve so that we can
understand why you're trying to do this? There are some other approaches
that might be better an easier.

What is the outcome/behavior you're looking for?

Thanks!
~Eric
rights
 
Back
Top