Windows Tip Sheet
Making Everything Manageable
Get your house in order with ADM templates.
Since Windows 95 introduced the registry to the masses, applications
have been written to more or less comply with Microsoft's idea of
having the registry as a central repository for configuration information.
While that makes the registry a giant "eggs all in one basket"
liability, it also enables technologies like Group Policy, which
allow us to centrally manage a number of aspects of Windows and
other applications.
Group Policy for You
First, a quick refresher: Group Policy can push out both policies
and preferences. The former is what Group Policy prefers to do;
these settings primarily go into HKEY_CURRENT_USER\SOFTWARE\Policies
and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies,
as well as the corresponding locations in HKEY_LOCAL_MACHINE. The
nifty part about the registry keys in these locations is that they're
not "sticky." In other words, if you unlink the GPO that
applied those keys, the keys will disappear. Policies, then, are
only enforced while there's a GPO actively doing so.
Preferences are like old-style WinNT and Win9x System Policies:
They're any old registry key. You can push them out with a GPO,
if you know how, but if you later unlink that GPO, the preferences
stay put. The only way to turn them off centrally is to apply a
GPO that does so. Obviously, policies are preferable to preferences
(say that three times fast), so much so that Microsoft doesn't even
display preferences in the GPO Editor by default. To see them, you
have to select the Administrative Templates section (in User and/or
Computer configuration), and deselect Show Policies Only from the
View menu.
Most Microsoft apps—like Office—are written to look
in the Policies section for configuration information, and come
with ADM templates that allow you to configure those applications
via Group Policy. Sadly, many other applications—I'll go so
far as to say most, in fact—haven't twigged to the Policies
section yet and still store user configurations in the other parts
of the registry. Notable examples include Macromedia Shockwave,
RealNetworks, and all the settings for my current Web browser. That
doesn't mean these applications can't be centrally configured using
GPOs, though. You can make your own ADM templates that push settings—preferences—to
these applications' registry keys.
An ADM template is just a specially formatted text file that looks
something like this:
    CLASS USER
    CATEGORY Sounds
        POLICY "Sound to hear when exiting Windows"
            KEYNAME "AppEvents\Schemes\Apps\.Default\SystemExit\.Current"
            PART "What sound do you want?" EDITTEXT REQUIRED
                VALUENAME ""
            END PART
        END POLICY
    END CATEGORY
I've borrowed this example from Jeremy Moskowitz's book Windows
2000 Group Policy, Profiles, and IntelliMirror, an excellent
source on the subject of Group Policy (it's now available in a new
edition covering Win2003 and WinXP). Here's how this works:
• The CLASS statement sets this
up as affecting HKEY_CURRENT_USER, which will be the base location
for any included registry keys.
• The CATEGORY defines the folder
name within the Administrative Templates folder of the GPO Editor.
• The POLICY statement is the policy—okay,
preference—name as listed in the GPO Editor.
• KEYNAME is, of course, the name
of the registry key that controls this preference.
• The PART section defines the user
interface you'll use in the GPO Editor. This sets up a text box
(EDITTEXT) that you must provide a value
for (REQUIRED).
• There's no particular VALUENAME,
meaning the registry key's default value will be modified.
Obviously this ADM stuff has capabilities beyond what I can cover
in this short Tip Sheet, but it's worth checking out. Even those
legacy corporate apps might be controllable via registry keys, allowing
you to centrally push and maintain a desired configuration state,
all via the convenience of Group Policy.
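As an added example (not from the article or from Jeremy Moskowitz's book), the Python script below parses ADM text and reports, for each POLICY, whether its effective KEYNAME sits under one of the Policies subtrees named earlier or is a preference that will stay in the registry after the GPO is unlinked. The second policy in the sample and its ExampleVendor key are constructed; KEYNAME lines inside ITEMLIST or ACTIONLIST blocks are assumed absent.

```python
import re
# Subtrees the article names as true-policy locations (same under HKCU and HKLM).
POLICY_ROOTS = (r"software\policies", r"software\microsoft\windows\currentversion\policies")
HIVES = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')            # quoted string or bare word

def is_true_policy(key):
    key = key.strip("\\").lower()
    return any(key == r or key.startswith(r + "\\") for r in POLICY_ROOTS)

def audit_adm(text):
    """Return one record per POLICY with its effective key and its kind."""
    hive, scopes, out = None, [], []              # scopes: [block, name, KEYNAME]
    for line in map(str.strip, text.splitlines()):
        tok = [m[1] if m[1] is not None else m[2] for m in TOKEN.finditer(line)]
        if len(tok) < 2 or line.startswith(";"):  # blank, [strings], ; comment
            continue
        word, arg = tok[0].upper(), tok[1]
        if word == "CLASS":
            hive = HIVES.get(arg.upper())
        elif word in ("CATEGORY", "POLICY", "PART"):
            scopes.append([word, arg, None])
        elif word == "KEYNAME" and scopes:
            scopes[-1][2] = arg                   # applies to the innermost open block
        elif word == "END" and scopes and arg.upper() == scopes[-1][0]:
            if scopes[-1][0] == "POLICY":         # own KEYNAME, else enclosing CATEGORY's
                key = next((s[2] for s in reversed(scopes) if s[2]), "")
                out.append({"policy": scopes[-1][1], "hive": hive, "key": key,
                            "kind": "policy" if is_true_policy(key) else "preference"})
            scopes.pop()
    return out

# The article's template, then a constructed policy (ExampleVendor is hypothetical).
SAMPLE = r'''CLASS USER
CATEGORY Sounds
POLICY "Sound to hear when exiting Windows"
KEYNAME "AppEvents\Schemes\Apps\.Default\SystemExit\.Current"
PART "What sound do you want?" EDITTEXT REQUIRED
VALUENAME ""
END PART
END POLICY
END CATEGORY
CLASS MACHINE
CATEGORY "Example App"
KEYNAME "Software\Policies\ExampleVendor\ExampleApp"
POLICY "Disable auto-update"
VALUENAME "DisableUpdate"
END POLICY
END CATEGORY'''
```

`audit_adm(SAMPLE)` reports the article's sound template as a preference and the constructed `Software\Policies` entry as a policy. Running it over a vendor's .adm file before linking the GPO shows which settings would persist after the GPO is removed.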
Micro Tips
• ADM files can be written to work with both modern Group Policy
and the older System Policies for Win9x and NT. This makes it
possible to use a single template to configure both new and
older clients.
• Planning complex Group Policy deployments can be … well, complex.
Sometimes it helps to have them all laid out in front of you in a
spreadsheet or something so that you can plan everything out on
paper before deploying to your clients. Hop over to
http://www.jsiinc.com/SUBP/tip7600/rh7682.htm
to download a spreadsheet of all policy settings,
including new policies in WinXP SP2.
More Resources:
• Jeremy's Group Policy-oriented Web site is at http://www.gpanswers.com
• Office Resource Kits include ADM templates for centrally
managing Microsoft Office; the Office XP Resource Kit is at
http://www.microsoft.com/office/ork/xp/default.htm.
• Hate Notepad? Use a graphical tool like ADM Template Editor
to create your ADM templates: http://www.tucows.com/preview/353049.html
or the Policy Template Editor:
http://www.tools4ever.com/products/utilities/policytemplateeditor/release.asp.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.