Integration of Group Policy with Enterprise Library Applications
The ManageableConfigurationSource class reads configuration overrides from the registry and applies those overrides to an application configuration file. By reading the registry in this way, this configuration source allows you to use Group Policy to specify the settings. A Group Policy template defines the configuration options for each application that is configured in Group Policy and defines the default options in Group Policy for each configuration option. One Group Policy template is required for each application because a separate registry key represents each application. The key is based on the application name.
To simplify the creation of Group Policy templates, you can use the AdministrativeTemplateGenerator class to generate an AdmContent object, and then write this content to a stream in order to generate ADM files from the Enterprise Library configuration tools. These templates use the settings defined in the application configuration file to determine the default settings for each option. They also determine the structure of the ADM template, which must match the contents of the configuration file.
In this version of Enterprise Library, templates and Group Policy support are available for all the application blocks, except for the Validation Application Block, the Policy Injection Application Block, and Unity. Group Policy is a fairly static and flat mechanism, and the configuration for these application blocks is quite dynamic and usually complex. Therefore, it would be almost impossible to provide a useable user interface implementation for these application blocks.
Note
Applications that use Group Policy to specify their settings must define and use a ManageableConfigurationSource in the configuration sources section, and set the EnableGroupPolicy flag on that source to true. You can use the configuration tools to configure this setting.
This section contains the following topics:
- Group Policy Template Structure
- General Settings for the Application Blocks
- Exceptions to the General Template Structure
- Applying Group Policy Settings
- Limitations of Group Policy Support
Group Policy Template Structure
Group Policy templates specify the values described by each policy and the way those values are represented in the user interface of tools used to edit Group Policy objects, such as the Group Policy Management Console (GPMC).
Note
For information about the format of Group Policy templates, see Group Policy File Formats on MSDN®.
Group Policy templates contain a number of different elements, including the following:
- CLASS. This determines whether subsequent categories appear under Computer Configuration (CLASS MACHINE) or User Configuration (CLASS USER) in the Group Policy Object Editor. The template generated from the Enterprise Library Configuration Console contains both CLASS MACHINE and CLASS USER.
- CATEGORY. This determines which categories appear in the Group Policy Editor. Categories may be nested under one another (these may be referred to as sub-categories).
- POLICY. This identifies an element that can be modified by an administrator. The policy appears in a dialog box with an associated control that an administrator can use to set its state.
- PART. This specifies options such as drop-down list boxes, text boxes, and text that appear in the lower pane of the Group Policy Object Editor.
- ITEMLIST. This is a list of items for a drop-down list.
- ACTIONLIST. This a set of arbitrary changes to the registry that are made in response to a control being in a certain state.
The general format for application Group Policy templates is as follows for both machine policies and user policies:
- A category represents the application. This category matches the application's name.
- A sub-category represents each application block.
- A sub-category for each application block's categories represents each of the collections of configuration elements such as the Logging Application Block's formatters or trace listeners configuration objects.
- A policy is used for each configuration element in the configuration elements collections on the collection's category, including parts for each of the configuration element’s properties.
- A policy with parts represents the application block–wide settings on the application block's category. If an application block does not have application block–wide settings, as is true of the Exception Handling Application Block, there will still be policy for it.
General Settings for the Application Blocks
The following ADM code example shows the complete Security Application Block category with the default settings. It shows only the categories and sub-categories for the other application blocks.
CLASS MACHINE
CATEGORY "myapp1"
CATEGORY "Security"
CATEGORY "Authorization providers" POLICY "Specify settings for authorization provider 'RuleProvider'"
KEYNAME "Software\Policies\myapp1\securityConfiguration\authorizationProviders\RuleProvider"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Rules"
EDITTEXT
VALUENAME "rules"
MAXLEN 1024
REQUIRED
END PART
END POLICY
END CATEGORY; "Authorization providers"
CATEGORY "Security cache providers"
POLICY "Specify settings for security cache provider 'Caching Store Provider'"
KEYNAME "Software\Policies\Application\securityConfiguration\securityCacheProviders\Caching Store Provider"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Cache manager"
DROPDOWNLIST
VALUENAME "cacheManager"
ITEMLIST
NAME "Cache Manager" VALUE "Cache Manager"
END ITEMLIST
END PART
PART "Absolute expiration"
NUMERIC
VALUENAME "defaultAbsoluteSessionExpirationInMinutes"
DEFAULT 60
MIN 0
END PART
PART "Sliding expiration"
NUMERIC
VALUENAME "defaultSlidingSessionExpirationInMinutes"
DEFAULT 10
MIN 0
END PART
END POLICY
END CATEGORY ; "Security cache providers"
POLICY "Specify Security Block Settings"
KEYNAME "Software\Policies\myapp1\securityConfiguration"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Default authorization provider"
DROPDOWNLIST
VALUENAME "defaultAuthorizationInstance"
ITEMLIST
NAME "None" VALUE "__none__"
NAME "RuleProvider" VALUE "RuleProvider"
END ITEMLIST
END PART
PART "Default security cache provider"
DROPDOWNLIST
VALUENAME "defaultSecurityCacheInstance"
ITEMLIST
NAME "None" VALUE "__none__"
END ITEMLIST
END PART
END POLICY
END CATEGORY ; "Security"
CATEGORY "Caching"
CATEGORY "Cache managers"
END CATEGORY ; "Cache managers"
END CATEGORY ; "Caching"
CATEGORY "Instrumentation"
END CATEGORY ; "Instrumentation"
CATEGORY "Database"
CATEGORY "Oracle packages"
END CATEGORY ; "Oracle packages"
END CATEGORY ; "Database"
CATEGORY "Database"
CATEGORY "Provider mappings"
END CATEGORY ; "Provider mappings"
END CATEGORY ; "Database"
CATEGORY "Database"
CATEGORY "Connection strings"
END CATEGORY ; "Connection strings"
END CATEGORY ; "Database"
CATEGORY "Exception handling"
CATEGORY "Policy1"
END CATEGORY ; "Policy1"
CATEGORY "Policy2"
END CATEGORY ; "Policy2"
END CATEGORY ; "Exception handling"
CATEGORY "Logging"
CATEGORY "Category sources"
END CATEGORY ; "Category sources"
CATEGORY "Special sources"
END CATEGORY ; "Special sources"
CATEGORY "Log filters"
END CATEGORY ; "Log filters"
CATEGORY "Log formatters"
END CATEGORY ; "Log formatters"
CATEGORY "Listeners"
END CATEGORY ; "Listeners"
END CATEGORY ; "Logging"
CATEGORY "Cryptography"
CATEGORY "Hash providers"
END CATEGORY ; "Hash providers"
CATEGORY "Symmetric crypto providers"
END CATEGORY ; "Symmetric crypto providers"
END CATEGORY ; "Cryptography"
END CATEGORY ; "myapp1"
Exceptions to the General Template Structure
Most application block categories follow the structure of the Group Policy template, but there are some differences. These differences occur in the following categories:
- Instrumentation Category
- Exception Handling Category
- Caching Category
Instrumentation Category
The instrumentation category determines how an application should be instrumented. This category contains a single policy, which is shown in the following ADM code example.
CATEGORY "Instrumentation"
POLICY "Specify settings for the instrumentation section"
KEYNAME "Software\Policies\myapp1\instrumentationConfiguration"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Event logging enabled"
CHECKBOX
VALUENAME "eventLoggingEnabled"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART "Performance counters enabled"
CHECKBOX DEFCHECKED
VALUENAME "performanceCountersEnabled"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
END CATEGORY ; "Instrumentation"
Exception Handling Category
The exception handling category simplifies the policies. There is one category for each exception handling policy. Each category contains one policy for each exception type. The policy includes sections for the exception type and for its handlers. The following ADM code example shows the exception handling category in a Group Policy template.
CATEGORY "Exception handling"
CATEGORY "Policy1"
POLICY "Specify settings for exception type 'ArgumentException'"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy1\exceptionTypes\ArgumentException"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Post handling action"
DROPDOWNLIST
VALUENAME "postHandlingAction"
ITEMLIST
NAME "None" VALUE "None"
NAME "NotifyRethrow" VALUE "NotifyRethrow"
NAME "ThrowNewException" VALUE "ThrowNewException"
END ITEMLIST
END PART
PART "Handlers"
TEXT
END PART
PART "Handler: 'Replace Handler'"
TEXT
END PART
PART "Exception message"
EDITTEXT
VALUENAME "exceptionMessage"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy1\exceptionTypes\ArgumentException\exceptionHandlers\Replace Handler"
MAXLEN 1024
REQUIRED
DEFAULT "message"
END PART
PART "Exception type"
EDITTEXT
VALUENAME "replaceExceptionType"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy1\exceptionTypes\ArgumentException\exceptionHandlers\Replace Handler"
MAXLEN 1024
REQUIRED
DEFAULT "Microsoft.Practices.EnterpriseLibrary.Security.SyntaxException, Microsoft.Practices.EnterpriseLibrary.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null"
END PART
PART "Handler: 'Wrap Handler'"
TEXT
END PART
PART "Exception message"
EDITTEXT
VALUENAME "exceptionMessage"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy1\exceptionTypes\ArgumentException\exceptionHandlers\Wrap Handler"
MAXLEN 1024
REQUIRED
DEFAULT "message2"
END PART
PART "Exception type"
EDITTEXT
VALUENAME "wrapExceptionType"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy1\exceptionTypes\ArgumentException\exceptionHandlers\Wrap Handler"
MAXLEN 1024
REQUIRED
DEFAULT "Microsoft.Practices.Unity.IncompatibleTypesException, Microsoft.Practices.Unity, Version=1.0.51205.0, Culture=neutral, PublicKeyToken=null"
END PART
END POLICY
POLICY "Specify settings for exception type 'NullReferenceException'"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy1\exceptionTypes\NullReferenceException"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Post handling action"
DROPDOWNLIST
VALUENAME "postHandlingAction"
ITEMLIST
NAME "None" VALUE "None"
NAME "NotifyRethrow" VALUE "NotifyRethrow"
NAME "ThrowNewException" VALUE "ThrowNewException"
END ITEMLIST
END PART
PART "Handlers"
TEXT
END PART
PART "Handler: 'Wrap Handler'"
TEXT
END PART
PART "Exception message"
EDITTEXT
VALUENAME "exceptionMessage"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy1\exceptionTypes\NullReferenceException\exceptionHandlers\Wrap Handler"
MAXLEN 1024
REQUIRED
DEFAULT "message3"
END PART
PART "Exception type"
EDITTEXT
VALUENAME "wrapExceptionType"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy1\exceptionTypes\NullReferenceException\exceptionHandlers\Wrap Handler"
MAXLEN 1024
REQUIRED
DEFAULT "Microsoft.Practices.Unity.DependencyMissingException, Microsoft.Practices.Unity, Version=1.0.51205.0, Culture=neutral, PublicKeyToken=null"
END PART
END POLICY
END CATEGORY ; "Policy1"
CATEGORY "Policy2"
POLICY "Specify settings for exception type 'ArithmeticException'"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy2\exceptionTypes\ArithmeticException"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Post handling action"
DROPDOWNLIST
VALUENAME "postHandlingAction"
ITEMLIST
NAME "None" VALUE "None"
NAME "NotifyRethrow" VALUE "NotifyRethrow"
NAME "ThrowNewException" VALUE "ThrowNewException"
END ITEMLIST
END PART
PART "Handlers"
TEXT
END PART
PART "Handler: 'Logging Handler'"
TEXT
END PART
PART "Title"
EDITTEXT
VALUENAME "title"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy2\exceptionTypes\ArithmeticException\exceptionHandlers\Logging Handler"
MAXLEN 255
REQUIRED
DEFAULT "Enterprise Library Exception Handling"
END PART
PART "Event ID"
NUMERIC
VALUENAME "eventId"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy2\exceptionTypes\ArithmeticException\exceptionHandlers\Logging Handler"
DEFAULT "100"
END PART
PART "Severity"
DROPDOWNLIST
VALUENAME "severity"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy2\exceptionTypes\ArithmeticException\exceptionHandlers\Logging Handler"
ITEMLIST
NAME "Critical" VALUE "Critical"
NAME "Error" VALUE "Error"
NAME "Warning" VALUE "Warning"
NAME "Information" VALUE "Information"
NAME "Verbose" VALUE "Verbose"
NAME "Start" VALUE "Start"
NAME "Stop" VALUE "Stop"
NAME "Suspend" VALUE "Suspend"
NAME "Resume" VALUE "Resume"
NAME "Transfer" VALUE "Transfer"
END ITEMLIST
END PART
PART "Priority"
NUMERIC
VALUENAME "priority"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy2\exceptionTypes\ArithmeticException\exceptionHandlers\Logging Handler"
DEFAULT "0"
END PART
PART "Category"
DROPDOWNLIST
VALUENAME "logCategory"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy2\exceptionTypes\ArithmeticException\exceptionHandlers\Logging Handler"
ITEMLIST
NAME "Category" VALUE "Category"
NAME "General" VALUE "General"
END ITEMLIST
END PART
PART "Formatter"
COMBOBOX
VALUENAME "formatterType"
KEYNAME "Software\Policies\myapp1\exceptionHandling\exceptionPolicies\Policy2\exceptionTypes\ArithmeticException\exceptionHandlers\Logging Handler"
REQUIRED
DEFAULT "Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.XmlExceptionFormatter, Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null"
SUGGESTIONS "Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.TextExceptionFormatter, Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null" "Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.XmlExceptionFormatter, Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null"
END SUGGESTIONS
END PART
END POLICY
END CATEGORY ; "Policy2"
POLICY "Specify settings for the Exception Handling Application Block"
KEYNAME "Software\Policies\myapp1\exceptionHandling"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
END POLICY
END CATEGORY ; "Exception handling"
Caching Category
The Caching category structure differs from the standard template in order to conform to the way the configuration tools display the configuration information. The policies for the cache managers contain the parts for the cache manager itself, its backing store, and the backing store's optional encryption provider.
The following ADM code example shows the Caching category from a Group Policy template.
CATEGORY "Caching"
CATEGORY "Cache managers"
POLICY "Specify settings for cache manager 'Cache Manager'"
KEYNAME "Software\Policies\myapp1\cachingConfiguration\cacheManagers\Cache Manager"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Expiration poll frequency (secs.)"
NUMERIC
VALUENAME "expirationPollFrequencyInSeconds"
DEFAULT "60"
END PART
PART "Maximum elements in cache before scavenging"
NUMERIC
VALUENAME "maximumElementsInCacheBeforeScavenging"
DEFAULT "1000"
END PART
PART "Number to remove when scavenging"
NUMERIC
VALUENAME "numberToRemoveWhenScavenging"
DEFAULT "10"
END PART
PART "Backing store settings"
TEXT
END PART
PART "Partition name"
EDITTEXT
VALUENAME "partitionName"
KEYNAME "Software\Policies\myapp1\cachingConfiguration\backingStores\Isolated Storage"
MAXLEN 1024
REQUIRED
DEFAULT "test"
END PART
PART "Encryption provider settings"
TEXT
END PART
PART "Symmetric provider"
DROPDOWNLIST
VALUENAME "symmetricInstance"
KEYNAME "Software\Policies\myapp1\cachingConfiguration\encryptionProviders\Symmetric Storage Encryption"
ITEMLIST
NAME "DESCryptoServiceProvider" VALUE "DESCryptoServiceProvider"
NAME "DPAPI Symmetric Cryptography Provider" VALUE "DPAPI Symmetric Cryptography Provider"
END ITEMLIST
END PART
END POLICY
POLICY "Specify settings for cache manager 'Cache Manager1'"
KEYNAME "Software\Policies\myapp1\cachingConfiguration\cacheManagers\Cache Manager1"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Expiration poll frequency (secs.)"
NUMERIC
VALUENAME "expirationPollFrequencyInSeconds"
DEFAULT "60"
END PART
PART "Maximum elements in cache before scavenging"
NUMERIC
VALUENAME "maximumElementsInCacheBeforeScavenging"
DEFAULT "1000"
END PART
PART "Number to remove when scavenging"
NUMERIC
VALUENAME "numberToRemoveWhenScavenging"
DEFAULT "10"
END PART
PART "Backing store settings"
TEXT
END PART
PART "Database instance"
DROPDOWNLIST
VALUENAME "databaseInstanceName"
KEYNAME "Software\Policies\myapp1\cachingConfiguration\backingStores\Data Cache Storage"
ITEMLIST
NAME "LocalSqlServer" VALUE "LocalSqlServer"
NAME "Marketing" VALUE "Marketing"
END ITEMLIST
END PART
PART "Partition name"
EDITTEXT
VALUENAME "partitionName"
KEYNAME "Software\Policies\myapp1\cachingConfiguration\backingStores\Data Cache Storage"
MAXLEN 255
REQUIRED
DEFAULT "db partition"
END PART
PART "Encryption provider settings"
TEXT
END PART
PART "Symmetric provider"
DROPDOWNLIST
VALUENAME "symmetricInstance"
KEYNAME "Software\Policies\myapp1\cachingConfiguration\encryptionProviders\Symmetric Storage Encryption1"
ITEMLIST
NAME "DESCryptoServiceProvider" VALUE "DESCryptoServiceProvider"
NAME "DPAPI Symmetric Cryptography Provider" VALUE "DPAPI Symmetric Cryptography Provider"
END ITEMLIST
END PART
END POLICY
POLICY "Specify settings for cache manager 'Cache Manager2'"
KEYNAME "Software\Policies\myapp1\cachingConfiguration\cacheManagers\Cache Manager2"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Expiration poll frequency (secs.)"
NUMERIC
VALUENAME "expirationPollFrequencyInSeconds"
DEFAULT "60"
END PART
PART "Maximum elements in cache before scavenging"
NUMERIC
VALUENAME "maximumElementsInCacheBeforeScavenging"
DEFAULT "1000"
END PART
PART "Number to remove when scavenging"
NUMERIC
VALUENAME "numberToRemoveWhenScavenging"
DEFAULT "10"
END PART
PART "Backing store settings"
TEXT
END PART
PART "Partition name"
EDITTEXT
VALUENAME "partitionName"
KEYNAME "Software\Policies\myapp1\cachingConfiguration\backingStores\Isolated Storage1"
MAXLEN 255
REQUIRED
DEFAULT "test2"
END PART
END POLICY
END CATEGORY; "Cache managers"
POLICY "Specify settings for caching block"
KEYNAME "Software\Policies\myapp1\cachingConfiguration"
VALUENAME "Available" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
PART "Default cache manager"
DROPDOWNLIST
VALUENAME "defaultCacheManager"
ITEMLIST
NAME "Cache Manager" VALUE "Cache Manager"
NAME "Cache Manager1" VALUE "Cache Manager1"
NAME "Cache Manager2" VALUE "Cache Manager2"
END ITEMLIST
END PART
END POLICY
END CATEGORY ; "Caching"
Applying Group Policy Settings
Policies in a Group Policy Object (GPO) can be enabled, disabled, or not configured. Policies that are not configured do not set registry values; they are ignored by the manageable configuration source. Configuration settings related to these policies are unmodified, so the original settings from the configuration file are visible to the consumers of configuration information. If you enable a policy, set values for its parts, and write the values for the policy's parts to the registry, the manageable configuration source retrieves them. The manageable configuration source uses these values to override the properties of the configuration element represented by the policy.
By disabling a policy, you make the configuration elements represented by the policy unavailable. If the policy is associated with a configuration element from a collection, it is removed from the collection, and if the policy represents an entire application block, the configuration section for the application block is removed. The changes originated by GPOs are transient. If policies are updated, the current version of the values for the policies' parts will override the settings from a fresh version of the configuration objects from the configuration file.
In group policies, it is standard for policy settings from machine policies to have precedence over settings from user policies. The application ignores any incorrect values in Group Policy, logs an error, and uses values in the application configuration file instead.
Limitations of Group Policy Support
The user interfaces of the Group Policy Editor and Group Policy Management Console are somewhat limited compared to the flexibility of the configuration tools. For example, it is not possible to select multiple elements from a list or to reference elements from other categories. This limits the configuration overrides that you can perform using Group Policy. Existing configuration objects can be modified or removed, but new ones cannot be created.
Considering the limited user interface alternatives the Group Policy Object Editor provides, some configuration settings that represent multiple elements are edited through a single encoded string. These settings are the following:
- The attributes for all custom providers. These are the following:
- CustomLogFilterData
- CustomFormatterData
- CustomTraceListenerData
- CustomProviderData
- CustomHashProviderData
- CustomSymmetricCryptoProviderData
- CustomHandlerData
- CustomAuthorizationProviderData
- CustomSecurityCacheProviderData
- The package mappings for an OracleConnectionSetting
- The rules for an AuthorizationRuleProviderData
In cases when the settings represent simple name/value pairs, encoded stings are used. The format for the encoded string is: <name = value>(; <name = value>). In this case, the character ';' (a semicolon) must not be part of a name, and it must be escaped in a value with ';;' (two semicolons).
Group Policy provides only simple validations. There is no way to ensure that some policy overrides (such as type names) are correct. For this reason, if a policy value is to be used when overriding a configuration object's properties, there must be a match based on the name.
Because of these limitations, Group Policy templates often have to be regenerated from the configuration tools if changes have been made to the application configuration file.