On enterprise machines read policy from the registry.

components/policy/core/common/policy_loader_win.cc

 // Copyright (c) 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/policy/core/common/policy_loader_win.h"
 
 #include <windows.h>
 #include <lm.h>       // For limits.
 #include <ntdsapi.h>  // For Ds[Un]Bind
 #include <rpc.h>      // For struct GUID
@@ skipping 372 matching lines @@
 
   // Policy scope and corresponding hive.
   static const struct {
     PolicyScope scope;
     HKEY hive;
   } kScopes[] = {
     { POLICY_SCOPE_MACHINE, HKEY_LOCAL_MACHINE },
     { POLICY_SCOPE_USER,    HKEY_CURRENT_USER  },
   };
 
+  bool is_enterprise = base::win::IsEnrolledToDomain();
+
   // Load policy data for the different scopes/levels and merge them.
   scoped_ptr<PolicyBundle> bundle(new PolicyBundle());
   PolicyMap* chrome_policy =
       &bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()));
   for (size_t i = 0; i < arraysize(kScopes); ++i) {
     PolicyScope scope = kScopes[i].scope;
     PolicyLoadStatusSample status;
     RegistryDict gpo_dict;
 
     // Note: GPO rules mandate a call to EnterCriticalPolicySection() here, and
     // a matching LeaveCriticalPolicySection() call below after the
     // ReadPolicyFromGPO() block. Unfortunately, the policy mutex may be
     // unavailable for extended periods of time, and there are reports of this
     // happening in the wild: http://crbug.com/265862.
     //
     // Blocking for minutes is neither acceptable for Chrome startup, nor on
     // the FILE thread on which this code runs in steady state. Given that
     // there have never been any reports of issues due to partially-applied /
     // corrupt group policy, this code intentionally omits the
     // EnterCriticalPolicySection() call.
     //
     // If there's ever reason to revisit this decision, one option could be to
     // make the EnterCriticalPolicySection() call on a dedicated thread and
     // timeout on it more aggressively. For now, there's no justification for
     // the additional effort this would introduce.
 
-    if (!ReadPolicyFromGPO(scope, &gpo_dict, &status)) {
-      VLOG(1) << "Failed to read GPO files for " << scope
-              << " falling back to registry.";
+    VLOG(1) << "Reading policy from the registry is "
+            << (is_enterprise ? "enabled." : "disabled.");

[Mattias Nissler (ping if slow), 2014/02/06 10:13:57]

Move this before the loop.

[pastarmovj, 2014/02/06 12:30:04]

Done.

+    if (is_enterprise || !ReadPolicyFromGPO(scope, &gpo_dict, &status)) {
+      VLOG_IF(1, !is_enterprise) << "Failed to read GPO files for " << scope
+                                 << " falling back to registry.";
       gpo_dict.ReadRegistry(kScopes[i].hive, chrome_policy_key_);
     }
 
     // Remove special-cased entries from the GPO dictionary.
     scoped_ptr<RegistryDict> recommended_dict(
         gpo_dict.RemoveKey(kKeyRecommended));
     scoped_ptr<RegistryDict> third_party_dict(
         gpo_dict.RemoveKey(kKeyThirdParty));
 
     // Load Chrome policy.
@@ skipping 205 matching lines @@
 
 void PolicyLoaderWin::OnObjectSignaled(HANDLE object) {
   DCHECK(object == user_policy_changed_event_.handle() ||
          object == machine_policy_changed_event_.handle())
       << "unexpected object signaled policy reload, obj = "
       << std::showbase << std::hex << object;
   Reload(false);
 }
 
 }  // namespace policy