The role of applications in Group Policy precedence

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Group Policy infrastructure cannot force applications to use Group Policy. For example, applications that have always looked for registry entries in a particular place that is outside the approved registry trees that are reserved for Group Policy will continue to look there. Group Policy does not copy registry settings from the Group Policy areas to the Windows NT 4.0 System Policy areas, nor does it copy Windows NT 4.0 System Policy settings into the reserved Group Policy areas. For more information, see Windows NT 4.0 system policies and Migration Issues.

Guidelines for writing applications that take advantage of Group Policy are available in the Group Policy Platform SDK that is used by developers. For more information, see "Group Policy" at the Microsoft Web site. Administrators, who need to anticipate the behavior of applications that they do not author, should be aware of the steps taken by properly written applications to obtain the registry data that the applications need.

Initial state of the registry

After the computer starts and the user logs on, the Group Policy registry areas are rewritten to hold the cumulative Group Policy settings that are in effect from the local Group Policy object and from Active Directory. If Windows NT 4.0 System Policy is enabled (which is not recommended for client computers running Windows XP Professional, Windows XP 64-bit Edition (Itanium), and Windows Server 2003 operating systems, or Windows 2000 clients), other registry areas might also change when the user logs on.

Order of events

  1. The user starts the application.

  2. A typical user-oriented application looks for registry data in the Group Policy reserved area HKEY_LOCAL_MACHINE\Software\Policies. If the application finds what it needs, it looks no further.

    However, an application that changes or replaces features at the level of the operating system (such as the Run command), and which therefore affects the behavior of applications other than itself, might look in the following Group Policy reserved area: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies. If the application finds what it needs, it looks no further.

  3. The application looks for HKEY_LOCAL_MACHINE registry data outside the Group Policy reserved area, and if it finds what it needs, it looks no further.

  4. The application looks for HKEY_CURRENT_USER registry data outside the Group Policy reserved area, and if it finds what it needs, it looks no further.

  5. The application uses .ini files (not recommended) or default settings.

Newly authored, native Windows XP applications might perform only the first three steps. Applications that use Group Policy under Windows XP, but which remain compatible with earlier versions of Windows, continue to step 4 when they run on older operating systems. Applications that predate Windows 2000 never perform steps 2 and 3. Instead, they go directly to step 4.

The order of this sequence of events implies the following:

  • For properly written applications that run on client computers running Windows XP Professional, Windows XP 64-bit Edition (Itanium), and Windows Server 2003 operating systems, Group Policy takes precedence over Windows NT 4.0 System Policy. For more information, see Policy inheritance, Order of events when starting up and logging on, and Order of processing settings.

  • Older versions of applications, which are not aware of Active Directory and Group Policy, continue to function in Windows XP Professional, Windows XP 64-bit Edition (Itanium), and the Windows Server 2003 family as they did under Windows NT 4.0.

  • HKEY_LOCAL_MACHINE settings take precedence over HKEY_CURRENT_USER settings, as they did under Windows NT 4.0.
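The following is an added example, not code from Microsoft or the Group Policy SDK. It models the lookup in "Order of events" for a typical user-oriented application over a constructed registry snapshot, so an administrator can see which location supplies a value and that an application predating Windows 2000 never reads the policy area. The `Contoso\Viewer` subkey, its value names, and the function names are hypothetical.

```python
# Added example: models the lookup order from "Order of events".
# The snapshot is constructed sample data, not read from a live registry.
POLICY_AREA = r"Software\Policies"  # Group Policy reserved area under HKLM

# Constructed snapshot: (hive, key path) -> {value name: data}
SNAPSHOT = {
    ("HKLM", r"Software\Policies\Contoso\Viewer"): {"DisableMacros": 1},
    ("HKLM", r"Software\Contoso\Viewer"): {"DisableMacros": 0, "CacheMB": 64},
    ("HKCU", r"Software\Contoso\Viewer"): {"DisableMacros": 0, "CacheMB": 256,
                                           "Theme": "dark"},
}

def lookup_order(app_subkey, legacy=False):
    """Return the (hive, key) pairs an application consults, in order."""
    order = [
        ("HKLM", POLICY_AREA + "\\" + app_subkey),  # step 2: policy area
        ("HKLM", "Software\\" + app_subkey),        # step 3: HKLM outside it
        ("HKCU", "Software\\" + app_subkey),        # step 4: HKCU outside it
    ]
    # Per the page, applications that predate Windows 2000 go directly to step 4.
    return order[2:] if legacy else order

def _normalize(snapshot):
    """Registry key and value names are case-insensitive; fold them to lower case."""
    return {(hive.upper(), key.lower()): {n.lower(): d for n, d in values.items()}
            for (hive, key), values in snapshot.items()}

def resolve(snapshot, app_subkey, name, default=None, legacy=False):
    """Return (data, source) for the first location that holds the value."""
    registry = _normalize(snapshot)
    for hive, key in lookup_order(app_subkey, legacy):
        values = registry.get((hive, key.lower()), {})
        if name.lower() in values:
            return values[name.lower()], hive + "\\" + key  # looks no further
    return default, "default"  # step 5: fall back to default settings

if __name__ == "__main__":
    app = r"Contoso\Viewer"
    for value_name in ("DisableMacros", "CacheMB", "Theme", "Missing"):
        print(value_name, resolve(SNAPSHOT, app, value_name))
    # The same policy-managed value as seen by an application that predates Windows 2000:
    print("legacy DisableMacros", resolve(SNAPSHOT, app, "DisableMacros", legacy=True))
```

In the constructed data the policy value `DisableMacros = 1` wins for an application that follows the sequence, while the legacy lookup returns the HKEY_CURRENT_USER value `0`, which is the practical meaning of "cannot force applications to use Group Policy".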