Options for Providing Policy

You can choose one of the following options to provide policy for your application:

Be aware that in some cases, you must ensure that your policy extension includes support for Resultant Set of Policy (RSoP). For example, if you write an extension to enhance the RSoP capabilities of Group Policy, you must include RSoP support. For more information, see Supporting and Extending RSoP.

Adhere to System Policy Settings Only

The least complex method of providing policy to an application is to adhere only to system policy settings. System policy allows administrators to control and manage their users' computing environments by mandating specific user and computer settings across the network. All applications should provide at least this level of policy support. This level of support is related to requirements of the Windows logo program.

System-level policies may be set by administrators to control specific system abilities. For example, an administrator could set a policy to hide the CD-ROM drive on certain users' computers. To conform to this policy, your application must hide the CD-ROM drive in the File Open common dialog box and in any other location where the CD-ROM drive icon appears.

For more information, see Adhering to System Policy Settings.

Extend Registry-based Policy using Administrative Template Files

The Group Policy Object Editor obtains registry-based policy settings from an administrative template file. An administrative template (.adm) file is a text file that specifies the registry-based policy that can be modified through the Group Policy Object Editor. To provide policy settings specific to your application, extend registry-based policy by using .adm files. The Administrative Templates extension to Group Policy provides this capability. The extension writes the settings that you specify to secure registry keys. Your application can read the registry keys and use them accordingly.

Registry-based data is appropriate for many types of policy settings, and it is also recommended way to create your own policy settings. In addition, registry-based policy managed through .adm files automatically supports Resultant Set of Policy (RSoP) capabilities.

Applications designed for Windows use the registry to store policy settings. This is the recommended method to create policy settings for your productivity applications.

For more information, see Extending Registry-based Policy, Implementing Registry-based Policy, and Administrative Template File Format.

Write an Extension to Group Policy

Writing an extension to the Group Policy Object Editor is a complex, but recommended method to create policy settings.

You must write an extension to Group Policy to handle the following situations:

  • Registry-based policy is not adequate for your application.
  • You require a private data store for policy settings.
  • You must create a rich user interface through the Group Policy Object Editor.
  • You must implement client-side processing for policy.

Writing an extension enables you to provide any or all of these elements, or combine them with existing parts of the Group Policy infrastructure. For more information, see Writing a Group Policy Extension and Implementing a Group Policy Client-side Extension.

Third-party extensions require additional code to support the RSoP infrastructure. If you wrote an extension prior to the introduction of RSoP, you must update it to include RSoP support. For more information, see Supporting and Extending RSoP. You can use the RSoP infrastructure to write your own tools to report, troubleshoot, and audit Group Policy.