3.2.5.1.2 New or Changed GPO List Processing
For each Group Policy Object in the New or Changed GPO list (as specified in section 3.2.1.2), one Registry Policy Message will be read from the Group Policy server, as specified in the following paragraphs. If any message cannot be read, the message sequence MUST be terminated; this means that no further Registry Policy Messages can be exchanged during this instance of the Policy Application mode sequence.
The following message sequence MUST occur for each <gpo path> that the Group Policy: Core Protocol has determined contains registry settings. This sequence attempts to retrieve a Registry Policy Message for a given <gpo path>:
For User Policy Mode, the Impersonation Token abstract data model element SHOULD be used to impersonate the user for all file operations in this sequence.
Remote File Open from Client to Server: The file that MUST be used is "<gpo path>\User\registry.pol" for User Policy Mode and "<gpo path>\Machine\registry.pol" for Computer Policy Mode. The remote File Open MUST request Shared Read permission. If the Open request returns a failure status, the Group Policy: Registry Extension Encoding sequence MUST be terminated.
Remote File Read Sequences: The client MUST then perform a series of remote file reads until either the entire contents of the opened file are obtained or an error occurs. If an error occurs, the Group Policy: Registry Extension Encoding sequence MUST be terminated.
File Close: The client MUST then issue a file close operation.
For User Policy Mode, impersonation SHOULD be terminated.
After all messages have been retrieved, the client MUST update its registry according to the following specified rules. If the signature check of the registry.pol file fails, the file is invalid and MUST be skipped. Any errors writing to this database MUST be ignored.<10> There is no surfacing of such ignored errors to other protocols, so the Group Policy: Core Protocol as a whole will be unaffected by errors in updating the local database.
For each Instruction found in the file, create the Database Key using the Key in the Instruction. Under this key, create a record with:
    The Value Name from the Value in the Instruction.
    The Value Type from the Type found in the Instruction.
    The Data found in the Instruction for DataValue.
However, if the Value Name is one of the following, follow the rules in the table instead. Note that the Value Name listed in the table is case-insensitive but otherwise MUST be taken literally except where a replacement token in angle brackets is specified. In these special cases, the Type MUST be REG_SZ except in the **SecureKey case, where it MUST be REG_DWORD and **soft.<valuename> where Type is unrestricted.
Value Name          Meaning
**DeleteValues      A semicolon-delimited list of values to delete, specified under DataValue.
                    Example: In the following example, the values EnableURL and TabURL are deleted.
                        Key: Software\Policies\Microsoft\Communicator
                        Value Name: **DeleteValues
                        Type: REG_SZ
                        DataValue: "EnableURL;TabURL"
**Del.<valuename>   Deletes the value <valuename>. In this case, DataValue is ignored but MUST contain a null-terminated string with a single space character.
                    Example: In the following example, the value ShowPoliciesOnly is deleted.
                        Key: Software\Policies\Microsoft\Windows\Group Policy Editor
                        Value Name: **Del.ShowPoliciesOnly
                        Type: REG_SZ
                        DataValue: " "
**DelVals.          Deletes all values in the key. In this case, DataValue is ignored but MUST contain a null-terminated string with a single space character.
                    Example: In the following example, all the values under the Run key are deleted.
                        Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
                        Value Name: **DelVals.
                        Type: REG_SZ
                        DataValue: " "
**DeleteKeys        A semicolon-delimited list of keys that are immediate subkeys of this key to delete.
                    Example: In the following example, the subkeys NoRun and NoFind under the Run key are deleted.
                        Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
                        Value Name: **DeleteKeys
                        Type: REG_SZ
                        DataValue: "NoRun;NoFind"
**SecureKey         A DataValue of 1 secures the key, giving administrators and the system full control and giving users read-only access.
                    Any other DataValue except as mentioned above resets access to the key to whatever is set on the HKCU for User and on the HKLM for Computer.
                    Example: In the following example, the Run key is secured so that administrators and the system have full control, whereas users have read-only access.
                        Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
                        Value Name: **SecureKey
                        Type: REG_DWORD
                        DataValue: 1
**soft.<valuename>  Create the value <valuename> if it does not exist.
                    Example: In this example, the value ApplyPolicies is created only if the ApplyPolicies value does not exist.
                        Key: Software\Policies\Microsoft\Windows\Group Policy Editor
                        Value Name: **soft.ApplyPolicies
                        Type: REG_DWORD
                        DataValue: 1
                    Example: In this example, the value RootPath is created only if the RootPath value does not exist.
                        Key: Software\Policies\Microsoft\Windows\Group Policy Editor
                        Value Name: **soft.RootPath
                        Type: REG_SZ
                        DataValue: %PROGRAMFILES%
The Instruction elements MUST be processed in the order in which they occur, sequentially from the start of the Registry Policy message. The necessity of this is demonstrated by an example in which an Instruction requires a database value to be set to 1 and another Instruction requires it to be set to 0. Depending on the order in which those instructions are performed, the final value will be either 1 or 0. To ensure predictable operation, Instructions MUST be performed sequentially, beginning with the first Instruction in the Registry Policy message.
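The following is an added illustration (not code from the specification or from any Microsoft implementation) of the instruction-application rules in the table above and the in-order requirement just stated, against a hypothetical in-memory key/value model; the REG_SZ and REG_DWORD constants, the Instruction and Key classes and the Database class are all assumptions of this example, and value-name matching for ordinary values is treated case-sensitively for brevity.

```python
from dataclasses import dataclass, field

REG_SZ, REG_DWORD = 1, 4  # REG_* type codes used by the examples above (constructed constants)


@dataclass
class Instruction:   # one Instruction from a Registry Policy message: Key, Value, Type, Data
    key: str
    value: str
    type: int
    data: object


@dataclass
class Key:           # hypothetical in-memory model of one database key
    values: dict = field(default_factory=dict)   # value name -> (type, data)
    subkeys: dict = field(default_factory=dict)  # subkey name -> Key
    secured: bool = False                        # True after **SecureKey with DataValue 1


class Database:
    def __init__(self):
        self.root = Key()

    def key(self, path):
        """Create (if needed) and return the Key at a backslash-separated path."""
        node = self.root
        for part in path.split("\\"):
            node = node.subkeys.setdefault(part, Key())
        return node

    def apply(self, instructions):
        """Apply Instructions strictly in order; the special **names match case-insensitively."""
        for ins in instructions:
            k = self.key(ins.key)
            name = ins.value.lower()
            if name == "**deletevalues":                    # semicolon-delimited value list
                for v in ins.data.split(";"):
                    k.values.pop(v, None)
            elif name.startswith("**del."):                 # **Del.<valuename>; DataValue ignored
                k.values.pop(ins.value[len("**Del."):], None)
            elif name == "**delvals.":                      # every value under this key
                k.values.clear()
            elif name == "**deletekeys":                    # immediate subkeys only
                for s in ins.data.split(";"):
                    k.subkeys.pop(s, None)
            elif name == "**securekey":                     # 1 secures; anything else resets
                k.secured = (ins.data == 1)
            elif name.startswith("**soft."):                # create only if the value is absent
                k.values.setdefault(ins.value[len("**soft."):], (ins.type, ins.data))
            else:                                           # ordinary value: a later write wins
                k.values[ins.value] = (ins.type, ins.data)
```

Because `apply` walks the list front to back, a value set to 1 and then to 0 ends at 0, and a later `**soft.` instruction for the same value leaves that 0 in place.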
Applications that query this database for behavior after the Group Policy: Registry Extension Encoding invocation can then conform to the specified settings.