Using Administrative Template Files with Registry- Based Group Policy

This white paper explains the concepts, architecture, and implementation details for registry-based Group Policy in Microsoft® Windows® operating systems. It shows how to create custom Administrative Template (.adm) files and includes a complete reference for the .adm language. In addition, it includes information about changes in .adm files for Windows XP with Service Pack 2 (SP2).

Using Administrative Template Files with Registry- Based Group Policy Microsoft Corporation Published: September 2004 Abstract This white paper explains the concepts, architecture, and implementation details for registry-based Group Policy in Microsoft® Windows® operating systems. It shows how to create custom Administrative Template (.adm) files and includes a complete reference for the .adm language. In addition, it includes information about changes in .adm files for Windows XP with Service Pack 2 (SP2). The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. © 2004 Microsoft Corp. All rights reserved. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Table of Contents Table of Contents ........................................ 3 Introduction ................................................ 6 Overview of RegistryBased Policy and Administrative Template Files ....................................................... 6 Default .adm Files .................................... 7 When to Use RegistryBased Group Policy ................. 8 True Policies vs. Preferences ........................... 8 How to Use Policy Settings and Preferences ........... 9 Design Considerations for Creating Policy Settings ....... 10 When to Create Policy Settings ......................... 11 Controlling Feature Releases to Users ............... 11 Create Policy Settings to Reduce Need for Support . . 11 Control Data ......................................... 12 When Not to Create a Policy ............................ 12 User Interface Design ................................... 12 Policy Names ........................................ 13 Explain Text ......................................... 13 Best Practices for Developing RegistryBased Policy Settings ........................................................ 15 Creating Custom .Adm Files .............................. 16 How to Write a Simple .Adm File for Registrybased Group Policy ........................................................... 18 Testing Administrative Template Files ..................... 22 Creating an .Adm Test File .............................. 23 Loading an .Adm File into the Group Policy Snapin . . 24 Maintaining and Managing .Adm Files ....................... 24 Importance of Timestamps for .Adm Files ................ 25 Duplicate CATEGORY Sections .......................... 25 .Adm Files Used by the Group Policy Object Editor ...... 26 .Adm Files Used by GPMC ................................. 26 Controlling .Adm File Replication ...................... 26 Turn Off Automatic Updates of .Adm Files ............. 26 Always Use Local .Adm Files for Group Policy Object Editor ..................................................... 27 Maintaining .Adm files on Administrative Workstations 27 Multilanguage Administration Issues .................. 28 Operating System and Service Pack Release Issues ....... 28 Keyboard Shortcuts for Administrative Templates Node 29 What’s New for Administrative Template Files in Windows XP SP2 ........................................................... 30 Changes to LISTBOX ADDITIVE ........................... 30 Managing Policy Settings on Earlier Operating Systems or Service Packs ........................................... 31 “String Too Long…” Hotfix for Earlier Operating Systems and Service Packs ........................................ 32 Language Reference for Administrative Template Files ...... 33 .Adm File Language Versions ............................ 33 Comments ................................................ 34 Strings ................................................. 34 CLASS ................................................... 34 Syntax ............................................... 34 Example .............................................. 35 CATEGORY ................................................ 35 Syntax ............................................... 35 Example .............................................. 36 Supported Tag ........................................ 37 CATEGORY Keywords .................................... 37 POLICY .................................................. 38 Syntax ............................................... 38 POLICY Example ....................................... 39 POLICY Keywords ...................................... 40 PART .................................................... 40 Syntax ............................................... 40 Using PART Types to Add Controls to the User Interface 42 CHECKBOX PART Type ................................... 42 TEXT PART Type ....................................... 44 EDITTEXT PART Type ................................... 45 NUMERIC PART Type ................................... 48 COMBOBOX PART Type ................................... 50 DROPDOWNLIST PART Type ............................... 51 LISTBOX PART Type .................................... 52 ACTIONLIST .............................................. 53 Additional Elements ..................................... 55 Introduction 5 .Adm File String/Tag Limits ............................ 59 Related Links .............................................. 60 Introduction 6 Introduction Administrators can use Group Policy to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory® directory service environment. The majority of available policy settings are provided through Administrative Template files (.adm files) and are designed to modify specific keys in the registry. This is known as registry-based policy. For many applications, the use of registry-based policy delivered by .adm files is the simplest and best way to support centralized management of policy settings. Intended for IT administrators and developers, this document describes how to implement registry- based Group Policy by using .adm files. For detailed instructions about enabling applications for Group Policy, see “Group Policy” in the Microsoft Platform Software Development Kit at http://go.microsoft.com/fwlink/?LinkId=26258. Overview of Registry Based Policy and Administrative Template Files By using registry-based policy, operating system components and applications can respond to registry key settings that administrators can manage centrally with Group Policy. These policy settings determine the behavior of the application for targeted computers or users. As long as a component or application has been policy-enabled (that is, its behavior changes based on registry values indicated in the .adm file), you can manage its features and settings through registry-based policy. .Adm files are UNICODE text files that Group Policy uses to describe where registry-based policy settings are stored in the registry. All registry-based policy settings appear and are configured in the Group Policy Object Editor under the Administrative Templates node. .Adm files do not apply policy settings; they simply enable administrators to view the policy settings in the Group Policy Object Editor. Administrators can then create Group Policy objects (GPOs) containing the policy settings that they want to use. For example, you might have one GPO that contains various policy settings for managing the Active Desktop feature. With the release of Microsoft® Windows XP Service Pack 2 (SP2), IT administrators have more than 1,300 Administrative Template policy settings available for their use. In addition, administrators and developers can add their own custom settings. Language Reference for Administrative Template Files 7 Registry-based Group Policy uses .adm files in the following manner: • The Group Policy Object Editor reads the .adm files. By default, when an administrator opens a GPO, a comparison is made between the timestamps of the .adm files stored in the GPO being edited and those on the local computer. If the local .adm files have a more recent timestamp then they are uploaded to the domain controller and replicated throughout the domain. • The Group Policy Object Editor console (gpedit.msc) displays the settings, and, depending on the .adm file, the policy settings can be displayed in a localized language. • The Group Policy Object Editor uses .adm files to configure user interface settings such as dialog boxes, radio buttons, and drop-down lists, thereby enabling administrators to manage these settings centrally. • The Group Policy Management Console (GPMC) uses .adm files to display policy settings when using Group Policy Results or Group Policy Modeling, also known as Resultant Set of Policy (RSoP). Note Windows XP SP2 includes modifications to the LISTBOX ADDITIVE behavior in .adm files (implemented by a new version of gptext.dll, the .dll used by the Group Policy Object Editor.) For details about these changes, see the, “What’s New for .Adm Files in Windows section later in this document XP SP2” For more information about the architecture of Administrative Templates, see Administrative Templates Extension Technical Reference at http://go.microsoft.com/fwlink/?LinkId=35291. Default .adm Files The Group Policy Object Editor displays the policy settings within the .adm files that are included with the operating system by default. These .adm files are: • System.adm. Provides policy settings to configure the operating system. System.adm is installed by default in Windows Server™ 2003, Windows XP, and Windows 2000 Server operating systems. • Inetres.adm. Provides policy settings to configure Internet Explorer. Inetres.adm is installed by default in Windows Server 2003, Windows XP, and Windows 2000 Server operating systems. • Wuau.adm. Provides policy settings to configure Windows Update. Wuau.adm is installed by default in Windows Server 2003, Windows XP Service Pack 1 (SP1), and Windows 2000 Server Service Pack 3 (SP3) operating systems. 8 Using Administrative Template Files with RegistryBased Group Policy • Wmplayer.adm. Provides policy settings to configure Windows Media Player. Wmplayer.adm is installed by default in Windows Server 2003 and Windows XP operating systems. Wmplayer.adm is not available on 64-bit versions of the Windows Server 2003 operating system and Windows XP 64-Bit Edition. • Conf.adm. Provides policy settings to configure NetMeeting. Conf.adm is installed by default in Windows Server 2003, Windows XP, and Windows 2000 Server operating systems. Conf.adm is not available on 64-bit versions of the Windows Server 2003 operating system and Windows XP 64-Bit Edition. Most Group Policy settings are contained in the System.adm file. The .adm files that ship with Windows Server 2003, Windows XP Professional, and Windows 2000 Server operating systems are located in the %windir%\inf\ folder. (for example, C:\Windows\inf). For more information about .adm file maintenance, see the “Maintaining and Managing .Adm Files” in this document. When to Use RegistryBased Group Policy In general, if a policy setting can be configured using a simple user interface, and any configuration input can be stored in the registry as plain text, you should consider using registry-based policy. Specifically, registry-based Group Policy is an appropriate solution for the following scenarios: • Creating available and unavailable (on/off, or yes/no) functionality. You can use registry- based policy as if it were a switch, to turn functionality on or off. For example, you can create a policy setting to allow administrators to control whether a certain item is displayed on the desktop. • Defining a set of static modes. For example, you can set the language used on a computer. You can set up a static list of the possible language selections, and when the policy setting is enabled, the administrator can select a language from the pre-created list. This action is typically shown in the user interface as a drop-down list. • Creating a policy setting that requires simple input that can be stored in the registry as plain text. For example, you can create a policy setting to define the screensaver or bitmap that is displayed on the user’s desktop. With this policy setting enabled, Group Policy administrators are provided with a text dialog box into which they can enter the name and path of the bitmap file to be used. This information is then stored in the registry as plain text. True Policies vs. Preferences Group Policy settings that administrators can fully manage are known as “true policies.” In contrast, settings that users configure or that reflect the default state of the operating system at installation time are known as “preferences.” Both true policies and preferences contain information that modifies the registry on users’ computers. True policy settings take precedence over preference settings. Language Reference for Administrative Template Files 9 Registry values for true policies are stored under the approved registry keys as listed in Table 1. Users cannot change or disable these settings. Table 1 Approved Registry Key Locations for Group Policy Settings For Computer Policy Settings: For User Policy Settings: HKLM\Software\Policies (The HKCU\Software\Policies (The preferred location) preferred location) HKLM\Software\Microsoft\Window HKCU\Software\Microsoft\Windows s\CurrentVersion\Policies \CurrentVersion\Policies Preferences are set by the user or by the operating system at installation time. The registry values that store preferences are located outside the approved Group Policy keys listed in Table 1. They are located in other areas of the registry. Users can typically change their preferences at any time. For example, users can decide to change the location of their local dictionary to a different location, or set their wallpaper to a different bitmap. Most users are familiar with setting preferences that are available to them through the operating system or application user interface. It is possible for an administrator to write an .adm file that sets registry values outside of the approved Group Policy registry trees included in Table 1. In this case, the administrator is only ensuring that a given registry key or value is set in a particular way. With this approach, the administrator configures preference settings, instead of true policy settings, and marks the registry with these settings (that is, the settings persist in the registry even if the preference setting is disabled or deleted). If you configure preference settings by using a GPO in this manner, the GPOs that you create do not have Access Control List (ACL) restrictions. As a result, users might be able to change these values in the registry. When the GPO goes out of scope (that is, it is unlinked, disabled, or deleted), these values are not removed from the registry. In contrast to this, true registry policy settings do have ACL restrictions to prevent users from changing them, and the policy values are removed when the GPO that set them goes out of scope. For this reason, true policies are considered to be policy settings that can be fully managed. By default, the Group Policy Object Editor only shows policy settings that can be fully managed. To view preferences in the Group Policy Object Editor, you need to click the Administrative Templates node, click View, then click Filtering, and then clear Only show policy settings that can be fully managed. Although Group Policy settings take priority over preferences, they do not overwrite or modify the registry keys used by the preferences. If a policy setting is deployed that conflicts with a preference, the policy setting takes precedence over the preference setting. If a conflicting policy setting is removed, the original user preference setting is restored. How to Use Policy Settings and Preferences Applications commonly include a user preference and a policy setting that perform similar or related functions. For example, you might want to offer users the ability to configure part of a component through a user preference setting, and also centrally control this setting by using a registry-based policy setting. 10 Using Administrative Template Files with RegistryBased Group Policy An example of where both a policy and preference can co-exist is the configuration of the wallpaper on a Windows desktop. Users can set their desktop wallpaper to be displayed (or not displayed) by using the Display icon in Control Panel. You can also use a policy setting to configure desktop wallpaper. To specify the desktop wallpaper that displays on users’ desktops, administrators can use the Active Desktop Wallpaper policy setting (found in the Group Policy Object Editor, under the User Configuration\Administrative Templates\Desktop\Active Desktop. As a result, the user can choose to display or not display the wallpaper, but the administrator can choose which wallpaper is displayed when the display setting is ON. Table 2 lists the resultant behavior for Group Policy settings and preferences. Table 2 Results of Group Policy Settings and Preferences Policy Preference Resultant Scenario Present Present Behavior No policy or No No Default preference behavior. Preference Only No Yes Preference configures behavior. Policy only Yes No Policy configures behavior. Both policy and Yes Yes Policy preference configures behavior. Preference is ignored. In all cases, policy overrides preference. Design Considerations for Creating Policy Settings This section addresses essential issues for creating and configuring custom policy settings in .adm files. Use the following questions as a guide to help you design Group Policy settings. • What is the default behavior (that is, when the policy is set to Not Configured)? Language Reference for Administrative Template Files 11 • What is the behavior when the policy is Enabled, Disabled, or Not Configured? The Enabled behavior should always be the opposite of the default behavior (that is, Not Configured). • Do administrators need to explicitly disable a feature? • Do the proposed policy settings affect users or computers or both? • What are some potential future ramifications of the new policy settings? When new products are released, you must continue to maintain the previous .adm settings to manage computers running legacy software. New products and settings must be able to co-exist with earlier versions. When to Create Policy Settings An administrator should consider creating a policy setting for the following purposes: • To help administrators manage and increase security of their desktop computers. • To hide or disable a user interface that can lead users into a situation in which they must call the helpdesk for support. • To hide or disable new behavior that might confuse users. A policy setting created for this purpose allows administrators to manage the introduction of new features until after user training has taken place. • To hide settings and options that might take up too much of users’ time. Controlling Feature Releases to Users An administrator can use .adm files to provide policy settings to manage new features of a new or updated application. By creating a single GPO for all new features, or by creating a GPO for each logical grouping of new features, an administrator can reduce the need for support and potential user frustration. A GPO should also be considered for specific features that administrators need to control after the new features have been enabled. By enabling policy settings in this area, the administrator can control how and when users get new product features. By grouping related features, the administrator can prevent users from using a new feature set until they have been trained. Create Policy Settings to Reduce Need for Support To reduce the need for support, administrators can start by determining the top issues that users have and considering ways in which they can use policy settings to prevent support calls. For example, you could use policy settings to control software settings in the following scenarios: • When proper configuration settings require advanced knowledge of the application. 12 Using Administrative Template Files with RegistryBased Group Policy • When there are complicated or advanced configuration settings that the typical user does not need to use. In these scenarios, it would be appropriate to use Group Policy to give an administrator the ability to control access to the configuration settings. Control Data You can create policy settings to populate data for your application. Such data usually exists in small sets in the form of numbers, text strings, and so on. For example, a phone dialer could use policy settings to enable administrators to mandate that certain items exist in the phone directory. When Not to Create a Policy Although registry-based Group Policy provides an effective way of managing components and applications, there are some circumstances where its use is not recommended. For example: • Do not create a policy for all of your application settings because large applications typically contain hundreds or even thousands of settings, and only a subset of these needs to be managed through Group Policy. Be selective about the features you want to enable or disable. Because Group Policy provides centralized management of the setting, you should evaluate whether administrators would want this kind of management before adding the policy setting. • Do not create a policy if you do not intend to provide support for the policy setting. Treat each policy as a feature that needs to be tested, validated, and supported. User Interface Design Effective policy settings should be clearly written and displayed. You must also ensure that the user interface is clear and easy to understand. For example, review these user interface design options for disabling My Network Places: • Create an error message. For example, the user clicks My Network Places and the following error message appears: “This option has been disabled by your administrator.” In response, the user calls the administrator or support desk to ask why this feature has been disabled. • Disable the user interface. For example, a user interface feature in My Network Places is disabled (grayed-out). This implies to the user that there is a way to enable the user interface. In response, the user might spend a lot of time trying to get this feature to work. In the end, the user might either give up in frustration or call the support desk. • Hide the user interface feature. For example, a user interface feature in My Network Places is hidden. In response, the user does not recognize that anything is missing or unavailable. This is the preferred choice in this scenario. • Do nothing. For example, when a user clicks My Network Places, and the screen does not change (that is, nothing happens). In response, the user assumes that something is wrong and calls the support desk. Language Reference for Administrative Template Files 13 Policy Names You set the name of the policy setting at the same time that you create it. The name of the policy setting is displayed in the Group Policy Object Editor. Use the following guidelines for creating policy names: • Use a verb that reflects the effect of the policy setting. Examples of verbs commonly used in policy setting names include: allow, permit, turn on, prohibit, hide, and prevent. • Do not use the terms “enabled” or “disabled” in your policy setting names. Instead, consider using the terms “turn on” and “turn off,” or “allow” and “prevent.” • Avoid overly technical jargon that might not be understood by administrators who are not experts in a particular component. Include technical details of the policy setting in the Explain text. • Use short, descriptive names that accurately reflect the function of the policy setting, for example, Turn off Internet File Association service. Note Policy names are limited to 256 characters. However, depending on the font used on the user’s workstation, a smaller number of characters are displayed, and all others truncated. On most systems, you can assume that you have the ability to display policy names up to 65 characters. (Using a Resolution of 1024 / 768 with small fonts installed). When Group Policy names are translated into additional languages, they typically require additional characters. Therefore, if you are using English to name a Group Policy, limit the name to 49 characters. This limitation allows your title to grow by 33 percent during translation, without causing any truncation issues. Explain Text Explain text provides information about the behavior of the policy setting, its interaction with other policy settings, and can include any other information that you would like administrators to be aware of. When an administrator selects a policy setting, and then clicks the Explain tab, the Explain text appears in the policy setting’s Properties dialog box . Explain text is limited to a maximum of 4096 characters, and Category Explain text is limited to a maximum of 256 characters. Use the following guidelines when you create the Explain text: Note Do not try to supplement a Group Policy setting title in the user interface with tip text that can be displayed in the user interface. Include any tips for using the policy setting in the Explain text. 14 Using Administrative Template Files with RegistryBased Group Policy • Draft the Explain text soon after creating the specification document for the policy setting. This serves as a high-level roadmap for developers, and assists testers in creating a test plan for the policy. • Make sure your documentation team is available to help create the Explain text. • Target the Explain text to the Group Policy administrator, rather than the end user. Use the following template for the Explain text, and make sure that you include the following items: • Write a one- or two-line description of the policy setting. • Write a one- or two-line description of the feature that the policy setting affects. • Use separate paragraphs within your Explain text for each policy setting state, as follows: • If you enable this policy setting…. • If you disable this policy setting…. • If you do not configure this policy setting…. • Include tips for using the policy setting. • Include notes or interactions that this policy has with other settings. As a best practice, you should also provide information about the following: • Items that are not covered by this policy setting. • Any other policy settings that are required for your policy setting to function. • Any other policy settings that are related to the same component that your policy setting affects and which may have a higher or lower priority. For example, if you have a policy setting to restrict access to the LAN settings for a computer. This policy setting takes priority over more specific policy settings regarding the actual items you can configure within a LAN connection. • Any related policies that the administrator needs to be aware of. The following Explain text is from the Active Desktop Wallpaper policy setting in the User Configuration\Administrative Templates\Desktop\Active Desktop. This policy setting controls the desktop background (wallpaper) that is displayed on users' desktops. Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp), JPEG (*.jpg), or HTML (*.htm, *.html) file. To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this Language Reference for Administrative Template Files 15 setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. Note: You need to enable the Active Desktop to use this setting. Note: This setting does not apply to Terminal Server sessions. Best Practices for Developing RegistryBased Policy Settings It is strongly recommended that you do not try to create a single policy setting to control all aspects of your component. Group Policy is easier to implement and use if you have several smaller policy settings. This approach gives you more flexibility in designing and modifying your policy settings. All policy settings should have an associated behavior for each of the three possible states shown in Table 3: Table 3 Policy States and Associated Behaviors Enabled Disabled Not Configured Turns on the Turns off the Has no effect – behavior indicated behavior indicated default behavior by the policy name by the policy name Consider the following guidelines when you design your policy settings: • Policy settings are never removed from the .adm files supplied by Windows operating systems. Even if subsequent versions of Windows no longer support the policy setting, Microsoft will continue to include that policy setting in .adm files for all future Windows operating systems that support Group Policy. • Computer policy settings should override user policy settings. 16 Using Administrative Template Files with RegistryBased Group Policy • The Enabled behavior should be the opposite of the default behavior. For example, if a feature is on by default, the policy setting should be named using something like “Turn off ”, for example, Turn off reminder balloons. By default, reminder balloons are displayed when the Offline Files feature is enabled; they are used to notify users when they have lost the connection to a networked file and are working on a local copy of the file. If Turn off reminder balloons is set to Enabled, the system hides the reminder balloons, and prevents users from displaying them. • Consider whether administrators need to explicitly disable a feature. You must understand the differences between the Not Configured state (which implies that the administrator does not care) and the Disabled state (which means that the administrator cares and wants to implement a very specific behavior). • Make sure that your documentation team is involved with creating the Explain text. Well- written Explain text can help reduce support calls. • Each component should expose a user interface that always reflects the policy setting that is applied. For example, if a Group Policy setting removes the ability for the user to set a preference for a component, the user interface should clearly indicate this and access to that particular item in the component should be removed (for example, the item is disabled and grayed-out, or it is not visible to users). Creating Custom .Adm Files You can create custom .adm files to extend the use of registry-based policy settings to new applications and components. Creating and implementing custom .adm files involves the following tasks: • The application or component must be enabled to use Group Policy-enabled. Many off-the- shelf applications for Windows are already Group Policy-enabled. For example, Microsoft Office is developed to work with Group Policy settings, and applicable .adm files are included in the Office Resource Kit. If a developer’s application is not already Group Policy-enabled, the developer must write code that changes the application so that an administrator can apply the application-specific Group Policy settings. For more information, see Microsoft Platform Software Development Kit at http://go.microsoft.com/fwlink/?LinkId=20540. • After the application or component is Group Policy-enabled, a developer or administrator must write an .adm file that includes the appropriate settings for that application. Custom .adm files are created as text files that describe policy settings. A framework language is provided for .adm files, as described in “Language Reference for Administrative Template Files” later in this document. When you create a new policy setting in a custom .adm file, it is more efficient if you copy and modify existing policy settings that are similar to the ones that you want to create, rather than write new policy settings from scratch. To use an existing .adm file as a template for a custom .adm file, first copy the original .adm file into a new file with a different file name, and then edit the new file. Similar policy settings can provide: • A model to use as a basis for your Group Policy settings. • Consistency with available policy settings. Language Reference for Administrative Template Files 17 • Information about possible interactions between policies. • Administrators use the Group Policy Management Console to view and manage GPOs and use the Group Policy Object Editor to view the Administrative Templates node under Computer Configuration or User Configuration. Caution Treat the .adm files that ship in the operating system as readonly files. These files are often updated when you install service packs or future releases of the product. Policy settings should never be removed from .adm files that are included in the operating system by default. Keep in mind that by itself, the .adm file does not actually apply Group Policy to the client computer. You must have a corresponding component or application that responds to the registry key that is affected by the policy setting. The following code example illustrates a simple .adm file. CLASS USER CATEGORY !!DesktopLockDown POLICY !!DisableTaskMgr EXPLAIN !!DisableTaskMgr_Explain VALUENAME "DisableTaskMgr" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 KEYNAME "Software\Policies\System" END POLICY END CATEGORY [strings] DisableTaskMgr="Disable Task Manager" DisableTaskMgr_Explain="Prevents users from starting Task Manager" DesktopLockDown="Desktop Settings" This sample code exists in the System.adm file. It allows you to configure a policy called Disable Task Manager, which appears in the Group Policy Object Editor namespace in User Configuration\Administrative Templates\Desktop Settings. This policy setting defines the following behavior: • If an administrator enables this policy setting, it creates a registry key called DisableTaskMgr and set its value to 1. The VALUEON tag implements this behavior. In this case, users cannot start Task Manager. • If an administrator disables this policy setting, it creates a registry key called DisableTaskMgr and set its value to 0. The VALUEOFF tag implements this behavior. In this case, users can start Task Manager. 18 Using Administrative Template Files with RegistryBased Group Policy • In both cases, the DisableTaskMgr registry key is created below HKCU\Software\Policies\System in the registry. Note that the key is created under CLASS USER and not under CLASS MACHINE because this is a user policy setting. • If an administrator sets this policy setting to Not Configured, it deletes the registry key called DisableTaskMgr. In this case, users can start Task Manager. Table 4 lists where registry-based policy settings are stored in any of the four approved registry locations for Group Policy. Table 4 Approved Registry Key Locations for Group Policy Settings Computer Policy Settings User Policy Setting: HKLM\Software\Policies (The HKCU\Software\Policies (The preferred location) preferred location) HKLM\Software\Microsoft\Window HKCU\Software\Microsoft\Windows s\CurrentVersion\Policies \CurrentVersion\Policies The registry keys are created when a GPO containing an enabled or disabled registry-based policy setting is applied. If the GPO is later removed (for example, unlinked from an OU in which a user resides), the registry keys associated with it are also removed. Security prohibits a standard user from changing the registry keys. A local administrator can overwrite these registry keys, and thus change or disable the behavior of the policy setting. For this reason, as a Group Policy administrator, you might want to enable the Registry policy processing policy setting (located in Computer Configuration\Administrative Templates\System\Group Policy)and select the following option: Process even if the Group Policy objects have not changed. Selecting this option updates and reapplies the policy settings even if you -- the Group Policy administrator -- have not changed the policy settings. This provides an additional safeguard in the event that local administrators try to change policy settings through the registry. Policy settings are reapplied during the regular background refresh of Group Policy, which occurs by default every 90 minutes with a randomized delay of up to 30 minutes. How to Write a Simple .Adm File for Registry based Group Policy This section shows you how to create a simple .adm file for delivering registry-based Group Policy settings. The code samples provided are parts of a single .adm file. Please refer to “Language Reference for Administrative Template Files,” later in this document for full details about the .adm language. The sections of the sample .adm file illustrate how to set a registry value to: Language Reference for Administrative Template Files 19 • Turn a feature on or off. • Allow the selection of one or more values from a list. • Display a list with add and remove buttons. • Enter EDITTEXT and static text. • Display a numeric list to the administrator. • Display a numeric list to the administrator, using a spin control. • Display an actionable list to an administrator. To Set a Registry Value to Turn a Feature ON or OFF This sample code displays a check box. The value is set in the registry with the REG_DWORD type. By default, the check box is clear. If the check box is selected, it writes the value 1 to the registry. If the check box is clear, it writes the value 0 to the registry. CLASS USER CATEGORY!!SampleCategory KEYNAME "SOFTWARE\Policies\Microsoft\ADM_Samples" POLICY!!Sample_ADM_FeatureOnOff #if version >= 4 SUPPORTED!!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_FeatureOnOff_Help VALUENAME "ADM_Sample_FeatureOnOff" VALUEON 1 VALUEOFF 0 END POLICY END CATEGORY To Set a Registry Value to Allow the Selection of One or More Values from a List You can use DROPDOWNLIST to display a combo box with a drop-down style list. You can pre- populate the list of items that are displayed in the list and the corresponding registry value to be written for each item in the list. 20 Using Administrative Template Files with RegistryBased Group Policy POLICY!!Sample_ADM_DropDownList #if version >= 4 SUPPORTED!!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_DropDownList_Help PART!!Sample_ADM_DropDownList DROPDOWNLIST REQUIRED VALUENAME "Sample_ADM_DropDownList" ITEMLIST NAME !!Sample_ADM_DropDownList_Always VALUE NUMERIC 1 DEFAULT NAME !!Sample_ADM_DropDownList_WorkStationOnly VALUE NUMERIC 2 NAME !!Sample_ADM_DropDownList_ServerOnly VALUE NUMERIC 3 END ITEMLIST END PART END POLICY To Set a Registry Value to Display a List with Add and Remove Buttons You can use registry-based Group Policy to display a list box that contains Add and Remove buttons. By default, only one column appears in the list box, and for each entry, a value is created where the name and value are the same. For example, a name entry in the list box creates a value called name that contains data labeled name. POLICY!!Sample_ADM_ListBox #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_ListBox_Help PART!!Sample_ADM_DropDownList LISTBOX KEYNAME "Sample_ADM_ListBox" END PART END POLICY To Set a Registry Value for EDITTEXT and Static Text This setting allows the user to type alphanumeric text in an edit field. The text is set in the registry with the REG_SZ type. The following code is an example of how you can use the EDITTEXT PART type. POLICY!!Sample_ADM_EditText #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_EditText_Help PART!!Sample_ADM_EditText EDITTEXT VALUENAME "ADM_Sample_EditText" END PART

Tải về miễn phí