Active Roles Provisioning Policies will only be triggered by operations performed by Active Roles clients such as the Active Roles Console, Active Roles Web Interface, Active Roles Management Shell, etc.
Operations performed in native Active Directory clients such as Active Directory Users and Computers or Active Directory PowerShell will not trigger Active Roles Provisioning Policies.
For example, it is possible to configure an onPostCreate script trigger which performed operations on an object which was created in native Active Directory using Active Directory Users and Computers or Active Directory PowerShell or any other client. It's not possible to prevent the creation from happening, but it is possible to trigger an operation in response to the event. This method to, for example: make sure that specific Active Roles Virtual Attribute are stamped upon creation for all users; move users to a specific container if they are created elsewhere; or any post-creation operation that is desired.