Professional Documents
Culture Documents
WindowServer 2003
WindowServer 2003
Abstract This white paper explains the concepts, architecture, and implementation details or registry!ased Group Policy in "icroso t# $indows# operating systems% &t shows how to create custom Administrative Template '%adm( iles and includes a complete re erence or the %adm language% &n addition, it includes in ormation a!out changes in %adm iles or $indows )P with *ervice Pac+ , '*P,(%
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. M C!"#"$T M%&'# (" W%!!%(T '#, ')P!'##, MP* '+ "! #T%T,T"!-, %# T" T.' ($"!M%T "( ( T. # +"C,M'(T. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means /electronic, mechanical, photocopying, recording, or otherwise0, or for any purpose, without the e1press written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering sub2ect matter in this document. '1cept as e1pressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ,nless otherwise noted, the e1ample companies, organi3ations, products, domain names, e4mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organi3ation, product, domain name, e4mail address, logo, person, place or event is intended or should be inferred. 5 6778 Microsoft Corp. %ll rights reserved. Microsoft, %ctive +irectory, Windows, Windows (T, and Windows #erver are either registered trademarks or trademarks of Microsoft Corporation in the ,nited #tates and9or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Introduction............................................................................................ 4 Overview of Registry-Based Policy and Administrative Tem late !iles...4 "esign Considerations for Creating Policy #ettings ...............................$ %ow to &rite a #im le .Adm !ile for Registry-based 'rou Policy........() Testing Administrative Tem late !iles.................................................*+ ,aintaining and ,anaging .Adm !iles..................................................** &-at.s /ew for Administrative Tem late !iles in &indows 0P #P*......*$ 1anguage Reference for Administrative Tem late !iles.......................2( Related 1in3s........................................................................................ 45
Introduction
Introduction
Administrators can use Group Policy to deliver and apply one or more desired con igurations or policy settings to a set o targeted users and computers within an Active -irectory# directory service environment% The ma.ority o availa!le policy settings are provided through Administrative Template iles '%adm iles( and are designed to modi y speci ic +eys in the registry% This is +nown as registry-!ased policy% For many applications, the use o registry-!ased policy delivered !y %adm iles is the simplest and !est way to support centrali/ed management o policy settings% &ntended or &T administrators and developers, this document descri!es how to implement registry-!ased Group Policy !y using %adm iles% For detailed instructions a!out ena!ling applications or Group Policy, see 0Group Policy1 in the "icroso t Plat orm *o tware -evelopment 2it at http344go%microso t%com4 wlin+456in+&d7,8,9:%
/ote
&indows 0P #P* includes modifications to t-e 1I#TBO0 A""ITI67 be-avior in .adm files 8im lemented by a new version of g te9t.dll: t-e .dll used by t-e 'rou Policy Ob;ect 7ditor.< !or details about t-ese c-anges: see t-e: =&-at.s /ew for .Adm !iles in &indows 0P #P*> section later in t-is document
Registry-!ased Group Policy uses %adm iles in the ollowing manner3 The Group Policy =!.ect >ditor reads the %adm iles% By de ault, when an administrator opens a GP=, a comparison is made !etween the timestamps o the %adm iles stored in the GP= !eing edited and those on the local computer% & the local %adm iles have a more recent timestamp then they are uploaded to the domain controller and replicated throughout the domain% The Group Policy =!.ect >ditor console 'gpedit%msc( displays the settings, and, depending on the %adm ile, the policy settings can !e displayed in a locali/ed language% The Group Policy =!.ect >ditor uses %adm iles to con igure user inter ace settings such as dialog !oxes, radio !uttons, and drop-down lists, there!y ena!ling administrators to manage these settings centrally% The Group Policy "anagement <onsole 'GP"<( uses %adm iles to display policy settings when using Group Policy Results or Group Policy "odeling, also +nown as Resultant *et o Policy 'R*oP(%
For more in ormation a!out the architecture o Administrative Templates, see Administrative Templates >xtension Technical Re erence at http344go%microso t%com4 wlin+456in+&d7A9,C@%
Conf.adm. Provides policy settings to con igure ;et"eeting% <on %adm is installed !y de ault in $indows *erver ,BBA, $indows )P, and $indows ,BBB *erver operating systems% <on %adm is not availa!le on 8E-!it versions o the $indows *erver ,BBA operating system and $indows )P 8E-Bit >dition%
"ost Group Policy settings are contained in the *ystem%adm ile% The %adm iles that ship with $indows *erver ,BBA, $indows )P Pro essional, and $indows ,BBB *erver operating systems are located in the FwindirFGin G older% ' or example, <3G$indowsGin (% For more in ormation a!out %adm ile maintenance, see the 0"aintaining and "anaging %Adm Files1 in this document%
Table (
!or Com uter Policy #ettingsA %@1,B#oftwareBPolicies 8T-e referred location< %@1,B#oftwareB,icrosoftB&indowsBC urrent6ersionBPolicies
Pre erences are set !y the user or !y the operating system at installation time% The registry values that store pre erences are located outside the approved Group Policy +eys listed in Ta!le @% They are located in other areas o the registry% Users can typically change their pre erences at any time% For example, users can decide to change the location o their local dictionary to a di erent location, or set their wallpaper to a di erent !itmap% "ost users are amiliar with setting pre erences that are availa!le to them through the operating system or application user inter ace% &t is possi!le or an administrator to write an %adm ile that sets registry values outside o the approved Group Policy registry trees included in Ta!le @% &n this case, the administrator is only ensuring that a given registry +ey or value is set in a particular way% $ith this approach, the administrator con igures pre erence settings, instead o true policy settings, and mar+s the registry with these settings 'that is, the settings persist in the registry even i the pre erence setting is disa!led or deleted(% & you con igure pre erence settings !y using a GP= in this manner, the GP=s that you create do not have Access <ontrol 6ist 'A<6( restrictions% As a result, users might !e a!le to change these values in the registry% $hen the GP= goes out o scope 'that is, it is unlin+ed, disa!led, or deleted(, these values are not removed rom the registry% &n contrast to this, true registry policy settings do have A<6 restrictions to prevent users rom changing them, and the policy values are removed when the GP= that set them goes out o scope% For this reason, true policies are considered to !e policy settings that can !e ully managed% By de ault, the Group Policy =!.ect >ditor only shows policy settings that can !e ully managed% To view pre erences in the Group Policy =!.ect >ditor, you need to clic+ the "dministrative #emplates node, clic+ $ie%, then clic+ &iltering, and then clear 'nly sho% policy settings that can be fully managed% Although Group Policy settings ta+e priority over pre erences, they do not overwrite or modi y the registry +eys used !y the pre erences% & a policy setting is deployed that con licts with a pre erence, the policy setting ta+es precedence over the pre erence setting% & a con licting policy setting is removed, the original user pre erence setting is restored%
con igure des+top wallpaper% To speci y the des+top wallpaper that displays on usersI des+tops, administrators can use the "ctive Des(top Wallpaper policy setting ' ound in the Group Policy =!.ect >ditor, under the )ser Configuration*"dministrative #emplates*Des(top*"ctive Des(top% As a result, the user can choose to display or not display the wallpaper, !ut the administrator can choose which wallpaper is displayed when the display setting is =;% Ta!le , lists the resultant !ehavior or Group Policy settings and pre erences% Table * Results of 'rou Policy #ettings and Preferences
#cenario /o olicy or reference Preference Only Policy Present /o /o /o Ces Preference Present Resultant Be-avior "efault be-avior. Preference configures be-avior. Policy configures be-avior. Policy configures be-avior. Preference is ignored. In all cases: olicy overrides reference.
Ces Ces
/o Ces
$hat are some potential uture rami ications o the new policy settings5 $hen new products are released, you must continue to maintain the previous %adm settings to manage computers running legacy so tware% ;ew products and settings must !e a!le to co-exist with earlier versions%
ort
To reduce the need or support, administrators can start !y determining the top issues that users have and considering ways in which they can use policy settings to prevent support calls% For example, you could use policy settings to control so tware settings in the ollowing scenarios3 $hen proper con iguration settings reJuire advanced +nowledge o the application% $hen there are complicated or advanced con iguration settings that the typical user does not need to use%
&n these scenarios, it would !e appropriate to use Group Policy to give an administrator the a!ility to control access to the con iguration settings%
&'
Control "ata
Hou can create policy settings to populate data or your application% *uch data usually exists in small sets in the orm o num!ers, text strings, and so on% For example, a phone dialer could use policy settings to ena!le administrators to mandate that certain items exist in the phone directory%
&&
/ote
"o notnames Policy try to su are limited lementto a 'rou *4) c-aracters. Policy setting %owever: title in t-e user de ending interface witon t-e ti te9t fontt-at used can on be t-e dis user.s layed wor3station: in t-e usera smaller number ofInclude interface. c-aracters any are ti s dis for using layed:t-e and olicy all ot-ers setting truncated. in t-e On most te9t. ()plain systems: you can assume t-at you -ave t-e ability to dis lay olicy names u to )4 c-aracters. 8?sing a Resolution of (+*4 D 5)$ wit- small fonts installed<. &-en 'rou Policy names are translated into additional languages: t-ey ty ically reEuire additional c-aracters. T-erefore: if you are using 7nglis- to name a 'rou Policy: limit t-e name to 4F c-aracters. T-is limitation allows your title to grow by 22 ercent during translation: wit-out causing any truncation issues.
Policy /ames
Hou set the name o the policy setting at the same time that you create it% The name o the policy setting is displayed in the Group Policy =!.ect >ditor% Use the ollowing guidelines or creating policy names3 Use a ver! that re lects the e ect o the policy setting% >xamples o ver!s commonly used in policy setting names include3 allow, permit, turn on, prohi!it, hide, and prevent% -o not use the terms 0ena!led1 or 0disa!led1 in your policy setting names% &nstead, consider using the terms 0turn on1 and 0turn o ,1 or 0allow1 and 0prevent%1 Avoid overly technical .argon that might not !e understood !y administrators who are not experts in a particular component% &nclude technical details o the policy setting in the >xplain text% Use short, descriptive names that accurately re lect the unction o the policy setting, or example, Turn o &nternet File Association service%
79 lain Te9t
>xplain text provides in ormation a!out the !ehavior o the policy setting, its interaction with other policy settings, and can include any other in ormation that you would li+e administrators to !e aware o % $hen an administrator selects a policy setting, and then clic+s the ,!plain ta!, the >xplain text appears in the policy settingIs .roperties dialog !ox % >xplain text is limited to a maximum o EBC8 characters, and <ategory >xplain text is limited to a maximum o ,98 characters% Use the ollowing guidelines when you create the ,!plain text3 -ra t the ,!plain text soon a ter creating the speci ication document or the policy setting% This serves as a high-level roadmap or developers, and assists testers in creating a test plan or the policy% "a+e sure your documentation team is availa!le to help create the >xplain text% Target the >xplain text to the Group Policy administrator, rather than the end user%
&*
Use the ollowing template or the >xplain text, and ma+e sure that you include the ollowing items3 $rite a one- or two-line description o the policy setting% $rite a one- or two-line description o the eature that the policy setting a ects% Use separate paragraphs within your >xplain text or each policy setting state, as ollows3 & you ena!le this policy settingKLdescri!e ena!led !ehaviorM% & you disa!le this policy settingKLdescri!e disa!led !ehaviorM% & you do not con igure this policy settingKLdescri!e de ault !ehaviorM% &nclude tips or using the policy setting% &nclude notes or interactions that this policy has with other settings% &tems that are not covered !y this policy setting% Any other policy settings that are reJuired or your policy setting to unction% Any other policy settings that are related to the same component that your policy setting a ects and which may have a higher or lower priority% For example, i you have a policy setting to restrict access to the 6A; settings or a computer% This policy setting ta+es priority over more speci ic policy settings regarding the actual items you can con igure within a 6A; connection% Any related policies that the administrator needs to !e aware o %
As a !est practice, you should also provide in ormation a!out the ollowing3
The ollowing >xplain text is rom the "ctive Des(top Wallpaper policy setting in the )ser Configuration*"dministrative #emplates*Des(top*"ctive Des(top% This policy setting controls the des+top !ac+ground 'wallpaper( that is displayed on usersN des+tops%
Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp), JPEG (*.jpg), or HTML (*.htm, *.html) file. To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
Language Reference for Administrative Template Files Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. Note: You need to enable the Active Desktop to use this setting. Note: This setting does not apply to Terminal Server sessions.
&+
<onsider the ollowing guidelines when you design your policy settings3 Policy settings are never removed rom the %adm iles supplied !y $indows operating systems% >ven i su!seJuent versions o $indows no longer support the policy setting, "icroso t will continue to include that policy setting in %adm iles or all uture $indows operating systems that support Group Policy% <omputer policy settings should override user policy settings% The ,nabled !ehavior should !e the opposite o the de ault !ehavior% For example, i a eature is on !y de ault, the policy setting should !e named using something li+e 0Turn o L eatureM1, or example, #urn off reminder balloons% By de ault, reminder !alloons are displayed when the = line Files eature is ena!led? they are used to noti y users when they have lost the connection to a networ+ed ile and are wor+ing on a local copy o the ile% & #urn off reminder balloons is set to ,nabled, the system hides the reminder !alloons, and prevents users rom displaying them% <onsider whether administrators need to explicitly disa!le a eature% Hou must understand the di erences !etween the +ot Configured state 'which implies that the administrator does not care( and the Disabled state 'which means that the administrator cares and wants to implement a very speci ic !ehavior(%
&,
"a+e sure that your documentation team is involved with creating the >xplain text% $ell-written >xplain text can help reduce support calls% >ach component should expose a user inter ace that always re lects the policy setting that is applied% For example, i a Group Policy setting removes the a!ility or the user to set a pre erence or a component, the user inter ace should clearly indicate this and access to that particular item in the component should !e removed ' or example, the item is disa!led and grayed-out, or it is not visi!le to users(%
Administrators use the Group Policy "anagement <onsole to view and manage GP=s and use the Group Policy =!.ect >ditor to view the "dministrative #emplates node under Computer Configuration or )ser Configuration%
&5
Caution
Treat t-e .adm files t-at s-i in t-e o erating system as readonly files. T-ese files are often u dated w-en you install service ac3s or future releases of t-e roduct. Policy settings s-ould never be removed from .adm files t-at are included in t-e o erating system by default.
2eep in mind that !y itsel , the %adm ile does not actually apply Group Policy to the client computer% Hou must have a corresponding component or application that responds to the registry +ey that is a ected !y the policy setting% The ollowing code example illustrates a simple %adm ile%
CLASS USER CATEGORY !!DesktopLockDown POLICY !!DisableTaskMgr EXPLAIN !!DisableTaskMgr_Explain VALUENAME "DisableTaskMgr" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 KEYNAME "Software\Policies\System" END POLICY END CATEGORY [strings] DisableTaskMgr="Disable Task Manager" DisableTaskMgr_Explain="Prevents users from starting Task Manager" DesktopLockDown="Desktop Settings"
This sample code exists in the *ystem%adm ile% &t allows you to con igure a policy called Disable #as( -anager, which appears in the Group Policy =!.ect >ditor namespace in )ser Configuration*"dministrative #emplates*Des(top Settings% This policy setting de ines the ollowing !ehavior3 & an administrator ena!les this policy setting, it creates a registry +ey called Disable#as(-gr and set its value to @% The $"0),'+ tag implements this !ehavior% &n this case, users cannot start Tas+ "anager% & an administrator disa!les this policy setting, it creates a registry +ey called Disable#as(-gr and set its value to B% The $"0),'&& tag implements this !ehavior% &n this case, users can start Tas+ "anager% &n !oth cases, the Disable#as(-gr registry +ey is created !elow /1C)*Soft%are*.olicies*System in the registry% ;ote that the +ey is created under C0"SS )S,2 and not under C0"SS -"C/I+, !ecause this is a user policy setting% & an administrator sets this policy setting to +ot Configured, it deletes the registry +ey called Disable#as(-gr. &n this case, users can start #as( -anager%
&6
Ta!le E lists where registry-!ased policy settings are stored in any o the our approved registry locations or Group Policy% Table 4 A roved Registry @ey 1ocations for 'rou Policy #ettings
?ser Policy #ettingA %@C?B#oftwareBPolicies 8T-e referred location< %@C?B#oftwareB,icrosoftB&indowsBC urrent6ersionBPolicies Com uter Policy #ettings %@1,B#oftwareBPolicies 8T-e referred location< %@1,B#oftwareB,icrosoftB&indowsBC urrent6ersionBPolicies
The registry +eys are created when a GP= containing an ena!led or disa!led registry-!ased policy setting is applied% & the GP= is later removed ' or example, unlin+ed rom an =U in which a user resides(, the registry +eys associated with it are also removed% *ecurity prohi!its a standard user rom changing the registry +eys% A local administrator can overwrite these registry +eys, and thus change or disa!le the !ehavior o the policy setting% For this reason, as a Group Policy administrator, you might want to ena!le the 2egistry policy processing policy setting 'located in Computer Configuration*"dministrative #emplates*System*3roup .olicy (and select the ollowing option3 .rocess even if the 3roup .olicy ob4ects have not changed. *electing this option updates and reapplies the policy settings even i you -- the Group Policy administrator -- have not changed the policy settings% This provides an additional sa eguard in the event that local administrators try to change policy settings through the registry% Policy settings are reapplied during the regular !ac+ground re resh o Group Policy, which occurs !y de ault every CB minutes with a randomi/ed delay o up to AB minutes%
&#
-isplay a numeric list to the administrator% -isplay a numeric list to the administrator, using a spin control% -isplay an actiona!le list to an administrator%
To #et a Registry 6alue to Allow t-e #election of One or ,ore 6alues from a 1ist
Hou can use D2'.D'W+0IS# to display a com!o !ox with a drop-down style list% Hou can pre-populate the list o items that are displayed in the list and the corresponding registry value to !e written or each item in the list%
POLICY!!Sample_ADM_DropDownList #if version >= 4 SUPPORTED!!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_DropDownList_Help PART!!Sample_ADM_DropDownList DROPDOWNLIST REQUIRED VALUENAME "Sample_ADM_DropDownList" ITEMLIST NAME !!Sample_ADM_DropDownList_Always VALUE NUMERIC 1 DEFAULT NAME !!Sample_ADM_DropDownList_WorkStationOnly VALUE NUMERIC 2 NAME !!Sample_ADM_DropDownList_ServerOnly VALUE NUMERIC 3 END ITEMLIST END PART END POLICY
&$
To #et a Registry 6alue to "is lay a 1ist wit- Add and Remove Buttons
Hou can use registry-!ased Group Policy to display a list !ox that contains Add and Remove !uttons% By de ault, only one column appears in the list !ox, and or each entry, a value is created where the name and value are the same% For example, a name entry in the list !ox creates a value called name that contains data la!eled name%
POLICY!!Sample_ADM_ListBox #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_ListBox_Help PART!!Sample_ADM_DropDownList LISTBOX KEYNAME "Sample_ADM_ListBox" END PART END POLICY
&%
To #et a Registry 6alue for "is laying a /umeric 1ist to t-e Administrator
To display a list o num!ers rom which administrators can select one o the prede ined numeric values, you can use a ;U">R&< PART type%
POLICY!!Sample_ADM_Numeric #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_Numeric_Help PART!!Sample_ADM_Numeric NUMERIC VALUENAME "ADM_Sample_Numeric" END PART END POLICY
To #et a Registry 6alue for "is laying a /umeric 1ist to t-e Administrator: ?sing #PI/ Control
To display a list o num!ers rom which administrators can select one o the prede ined numeric values, you can use a *P&; control%
POLICY!!Sample_ADM_Spinner #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_Spinner_Help PART!!Sample_ADM_Spinner NUMERIC VALUENAME "ADM_Sample_Spinner" MIN 5 MAX 23 DEFAULT 14 SPIN 3 END PART END POLICY
*'
*&
<hanges in the user inter ace when a policy setting is ena!led, disa!led, or not con igured The possi!le settings that the policy setting can !e con igured as The associated !ehavior% For example, does con iguring the policy setting a ect other policy settings, or is one policy setting dependent on another5 Any associated pre erences The !ehavior o the associated pre erences The !ehavior in the event o invalid input !y an administrator
First, test your new policy settings individually% ;ext, test how each policy setting interacts with other policy settings that are similar, or policy settings that are also designed to manage the a ected component% *uppose or example that you create a policy setting to con igure the wallpaper that is displayed on your clientsI des+tops% The list o policy settings that ship with $indows *erver ,BBA includes other wallpaper policy settings% &n this scenario, you should test how these policy settings interact% Any issues that arise should !e addressed or documented in the >xplain text% Testing should ensure that the user inter ace is policy-aware% & the user inter ace is not aware o the policy setting, the user experience might !e con using% For example, i your policy setting restricts access to a certain item in a component, then no access to this component and its con iguration should !e availa!le in the user inter ace% *ome ways to achieve this are3 Removing the item completely visually Gray-out the item and disa!le it
**
$indows *erver ,BBA and $indows )P include the ollowing additional %adm iles3
*+
/ote Caution
Because If you create of t-e a 'PO im ortance and do not of timestam edit it: you s on will .adm create file a 'rou Policy tem late management: it wit-out is recommended any associated t-at you .adm do files. not edit systemsu lied .adm files. If a new olicy setting is reEuired: it is -ig-ly recommended t-at you create a custom .adm file. T-is revents t-e override of system-su lied .adm files w-enever service ac3s are released.
$uau%adm
*,
*5
/ote
If t-is In &indows olicy*+++ setting o is erating enabled: systems: t-e Turn w-en off you automatic edit a 'PO for t-e first time updates of adm t-e local files.adm olicy files setting are u is loaded also imto lied. t-e #ysvol: wit-out regard to -ow t-is olicy setting is set. If t-is olicy setting is enabled in &indows 0P: .adm files are not u loaded w-en a 'PO is edited for t-e first time. T-e first time t-at t-e 'PO is edited mig-t or mig-t not be w-en t-e 'PO is created.
Always ?se 1ocal .Adm !iles for 'rou Policy Ob;ect 7ditor
The "l%ays use local "D- files for 3roup .olicy 'b4ect ,ditor policy setting is availa!le under Computer Configuration*"dministrative #emplates*System*3roup .olicy in $indows *erver ,BBA and $indows )P Pro essional% $hen a GP= is created, this policy setting has no immediate e ect, and the %adm iles on the local computer are still uploaded to the *ysvol% Qowever, when you edit an existing GP=, any %adm iles that are stored in the *ysvol are ignored, and Group Policy =!.ect >ditor uses the %adm iles rom the local computer only% & a policy setting has !een set in the GP=, !ut the corresponding %adm ile that descri!es the policy setting is not availa!le on the local computer, Group Policy =!.ect >ditor does not display that policy setting%
*6
/ote
Because t-e wor3station adm files are stored in t-e Hwindir HBInf folder: any rocess t-at is used to distribute t-ese files must run in t-e conte9t of an account t-at -as administrative credentials on t-e wor3station.
*#
/ote
T-e Always use local adm files for !roup "olicy .01ect (ditor olicy is ty ically used wit- t-e Turn off automatic updates of adm files olicy setting: 8t-at is: w-en it is su orted by t-e o erating system from w-ic- you are running 'rou Policy Ob;ect 7ditor<.
will not typically create pro!lems, assuming that the %adm iles that are !eing used have not !een edited% &n some situations, an operating system or service pac+ release includes a su!set o the %adm iles that were provided with earlier releases% This has the potential to present an earlier su!set o the %adm iles, resulting in policy settings no longer !eing visi!le to administrators when they use Group Policy =!.ect >ditor% Qowever, the policy settings will remain active in the GP=--only the visi!ility o the policy settings in Group Policy =!.ect >ditor is a ected% Any active 'either ,nabled or Disabled( policy settings are not visi!le in Group Policy =!.ect >ditor, !ut remain active% Because the settings are not visi!le, it is not possi!le or the administrator to view or edit these policy settings% To wor+ around this issue, administrators must !ecome amiliar with the %adm iles that are included with each operating system or service pac+ release !e ore using the Group Policy =!.ect >ditor on that operating system, +eeping in mind that the act o viewing a GP= is enough to update the %adm iles in the GPT, when the timestamp comparison determines an update is appropriate% To plan or this in your environment, it is recommended that you either3 -e ine a standard operating system4service pac+ rom which all viewing and editing o GP=s occurs, ma+ing sure that the %adm iles !eing used include the policy settings or all plat orms% Use the #urn off automatic updates of adm files policy setting or all Group Policy administrators to ma+e sure that %adm iles are not overwritten in the *ysvol !y any Group Policy =!.ect >ditor session, and ma+e sure that you are using the latest %adm iles that are availa!le rom "icroso t%
*$
$hen the .roperties page appears, move it out rom in ront o the Group Policy =!.ect >ditor window% Then, clic+ !ac+ one o the .olicies in the results pane% Hou can now use the cursor +eys to navigate up and down the list% ;otice that the in ormation in the .roperties page changes% This method also wor+s or the text on the ,!plain ta!% Hou can also use the Ta! +ey to move !ac+ and orth !etween the tree pane and the results pane, while leaving the .roperties page open%
$ithout the additive +eyword, only the values -, >, and F in GP= y are applied to the registry o targeted computers% This is !ecause GP= y is the last GP= applied% $ith the additive +eyword, all o the values rom !oth GP=s are applied3 A, B, <, -, >, and F%
*%
The 6&*TB=) A--&T&U> !ehavior in $indows )P with *P, gives you more lexi!ility in determining the values that will !e applied to targets in a given Active -irectory container% For example, the a!ility to disa!le policy settings rom lower precedent GP=s is a +ey tenet o Group Policy management% Prior to $indows )P with *P,, the disa!led !ehavior had no e ect or policy settings that used 6&*TB=) A--&T&U>% Furthermore, prior to $indows )P with *P,, 6&*TB=) A--&T&U> was only ound in several, rarely used policy settings a ecting o line iles% &n $indows )P with *P,, 6&*TB=) A--&T&U> is used more prominently including policy settings that a ect $indows Firewall and &nternet >xplorer% There ore, in $indows )P with *P,, the disa!led !ehavior now unctions as expected3 removing any entries inherited rom other lower precedent GP=s% For example, suppose GP=s with values A, B, and < is normally applied to all computers in a domain% But, as an =U administrator, you wish to prevent these values rom ta+ing e ect on computers in your =U% Hou can create a new GP= to disa!le values A, B, and <% This is illustrated in the ollowing example3 GP= x% >na!les values A, B, and < or all computers in the domain% GP= /% -isa!les values A, B, and <% or all computers in your =U% GP= y% >na!les values -, >, and F or all computers in the domain%
&n this scenario, the values -, >, and F are applied to the computers in your =U% Because, the disa!led unctionality only wor+s when using the latest version o the gptext%dll, all policy settings that use 6&*TB=) A--&T&U> are enclosed !y the Vi version M 9 KVend i construct% This eliminates the possi!ility o having multiple administrators experiencing di erent disa!led !ehavior i they are using earlier versions o gptext%dll% <onseJuently, the policy settings that use 6&*TB=) A--&T&U> are not visi!le when editing a GP= rom a computer running $indows *erver ,BBA, $indows )P with *P@, or $indows ,BBB operating systems% & you have administrative wor+stations that are not using $indows )P with *P,, you will need to install a hot ix in order to manage these policy settings% For more in ormation, see the 0W*tring too longKI Qot ix or >arlier =perating *ystems or *ervice Pac+s1 section later in this document%
+'
version M7 9 4 Vendi 1 construct in the inetres%adm and system%adm iles% Although clic+ing '1 on all the pop-up error messages does result in the %adm iles loading correctly, the new $indows )P *P, policy settings that use the 6&*TB=) syntax will not !e displayed% 'This pro!lem does not occur on computers running $indows )P with *P, or computers that have !een updated with the latest version o gpedit%( This issue is o particular signi icance !ecause o the way %adm iles are distri!uted through a domain% By de ault, when a GP= is opened, a comparison is made !etween the timestamps o the %adm iles stored in the GP= !eing edited and those on the local computer% & the local %adm iles have a more recent timestamp then they are uploaded to the domain controller and replicated throughout the domain% From that point, all earlier versions o gpedit use the new %adm iles% This scenario is illustrated in the ollowing steps% (. &nstall $indows )P *P, on the administrative computer% *. =pen existing GP= in Group Policy =!.ect >ditor% The %adm ile stored on the administrative computer is uploaded to domain controller% GP= is XupgradedX to $indows )P *P,% 2. This %adm ile is replicated to all domain controllers in the domain% 4. & the GP= is opened !y other administrative wor+stations in the domain that are not running $indows )P with *P, or the latest version o gpedit, error messages appear%
=#tring Too 1ongI> %otfi9 for 7arlier O erating #ystems and #ervice Pac3s
& you or other administrators in your organi/ation are going to manage policy settings on computers running earlier operating systems or service pac+s ' or example, $indows *erver ,BBA or $indows )P with *P@(, you need to install a hot ix in order or policy settings to appear correctly in the Group Policy =!.ect >ditor% These hot ixes are availa!le or the ollowing3 $indows *erver ,BBA $indows )P with *P@ $indows ,BBB
To o!tain these hot ixes, see article :E,CAA, XXThe ollowing entry in the YstringsZ section is too long and has !een truncatedX error message when you try to modi y or to view GP=s in $indows *erver ,BBA, $indows )P Pro essional, or $indows ,BBB,X in the "icroso t 2nowledge Base at http344go%microso t%com4 wlin+456in+&d7EEE@% & you are going to manage policy settings rom wor+station computers running $indows )P with *P, only, you will !e a!le to manage policy settings without applying any hot ixes% For example, you will !e a!le to run the Group Policy =!.ect >ditor and view all the new policy settings delivered with $indows )P *P,%
+&
Im ortant
O ening a 'PO on a com uter running &indows 0P wit- #P* causes all ot-er administrative wor3stations to use t-e new .adm files 8note t-at no c-anges need be made to t-e 'PO for t-is to occur<. T-is will generate error messages w-en earlier versions of g edit are loaded. !or more information about t-is issue: see article $4*F22: JJT-e following entry in t-e KstringsL section is too long and -as been truncatedJ error message w-en you try to modify or to view 'POs in &indows #erver *++2: &indows 0P Professional: or &indows *+++:J in t-e ,icrosoft @nowledge Base at -tt ADDgo.microsoft.comDfwlin3DM1in3IdN444(.
By installing the hot ix or $indows *erver ,BBA, $indows )P with *ervice Pac+ @, and $indows ,BBB, you ensure that the $indows )P *P, %adm iles load correctly on these plat orms%
+*
Comments
Hou can use two methods to add comments to an %adm ile% Hou can precede the comment either with a semicolon '?( or with two orward slashes '44(% Hou can place comments at the end o any valid line%
#trings
To add strings to an %adm ile, precede the text with two exclamation points '[[(% At the end o the %adm ile, all strings must !e de ined in the YstringsZ section% The strings must !e enclosed in Juotation mar+s 'X(% =ptionally, you can enclose a varia!le name or hard-coded string in Juotation mar+s%
79am le
POLICY 34]!!LimitSize EXPLAIN!!LimitSize_Explain TIP1 Limit Profile Size to ; This string is stored in the strings section ; This string is hard coded
Best Practice
Place all strings in the YstringsZ section o the %adm ile% This acilitates conversion o the %adm ile to other languages 'that is, or locali/ation(, as you only need to modi y the YstringsZ section o an %adm ile to port it to di erent languages%
++
/ote
Cou can create define multi c-ild nodes le -LA22 by nesting U2(R a or-AT(!.R/ -LA22 3A-4I5( wit-in sections -AT(!.R/ anot-er in an .adm file. . &-en t-e file is rocessed: all t-e -LA22 U2(R sections are merged: and all -LA22 3A-4I5( sections are merged. %owever: for ease of ongoing .adm file management: it is recommended t-at you define -LA22 U2(R or -LA22 3A-4I5( once.
C1A##
This component de ines where your policy setting is displayed in the Group Policy =!.ect >ditor% The irst entry in the %adm ile is the +eyword C0"SS% This speci ies whether the su!seJuent entries should !e displayed under the Computer Configuration or )ser Configuration node o Group Policy =!.ect >ditor%
#ynta9
The C0"SS syntax is as ollows3
CLASS name
Name
This de ines the name o the C0"SS, which must !e "A<Q&;> or U*>R% & the %adm ile contains a C0"SS other than the valid classes '"A<Q&;> or U*>R(, the errors are ignored when loaded in Group Policy =!.ect >ditor%
79am le
The ollowing examples illustrate the use o the <6A** component%
CLASS MACHINE CLASS USER
CAT7'ORC
A ter you de ine the C0"SS component, you can use the C"#,3'26 component to display a node name under which your policy setting is displayed in the Group Policy =!.ect >ditor%
#ynta9
To speci y a C"#,3'26, use the ollowing syntax%
CATEGORY!!name KEYNAME key name [policy definition statements]
+,
Using Administrative Template Files with Registry- ased !roup "olicy END CATEGORY
name
The C"#,3'26 name as it should appear in the Group Policy =!.ect >ditor list !ox% =ptionally, you can enclose the varia!le name in Juotation mar+s 'X(% ;ames with spaces must !e enclosed in Juotation mar+s%
key name
The +ey name is an optional path to the registry +ey to use or the C"#,3'26% -o not use /1,680'C"08-"C/I+, or /1,68C)22,+#8)S,2 in the registry path as the preceding C0"SS statement speci ies the +eys to use% & you speci y a +ey name, all child categories, policies, and parts will use this +ey name, unless they speci ically provide a +ey name o their own% ;ames with spaces must !e enclosed in dou!le Juotation mar+s% & a +ey name is not speci ied and i no higher level category speci ies a +ey name, each policy in this category must speci y its own +ey name3 otherwise, the +ey name or the next category that does speci y a +ey name will !e used%
79am le
CLASS USER
END CATEGORY
+5
#u
orted Tag
The Group Policy =!.ect >ditor uses the Supported tag to populate the 2e uirements ield% This tag in orms the Group Policy administrator a!out the plat orms or applications or which the policy setting is supported% For example, many o the policy settings included in the *ystem%adm ile use a Supported tag that speci ies a speci ic service pac+ release% = ten, the string used or the *upported tag will ma+e re erence to multiple operating system or service pac+s% $hile operating system components generally use an operating system or service pac+ re erence in this ield, applications \ which can !e updated outside the release o a service pac+ \ can re er to a speci ic version o an application% The Supported tag is an essential element in the data presented to Group Policy administrators to ensure they are eJuipped with the right in ormation to ma+e in ormed decisions a!out the use o the policy setting% Because your %adm ile may !e locali/ed, it is highly recommended that the Supported tag use the ::Stringname construct, which allows the re erenced string to !e locali/ed easily% &n addition, since the Supported tag is only supported in $indows )P and later operating systems, it should !e enclosed within a $ersion construct, as ollows 'this ensures that the $indows ,BBB version o Group Policy =!.ect >ditor does not attempt to interpret the Supported tag(3
#if version >= 4 SUPPORTED!!SUPPORTED_MyApplication #endif
CAT7'ORC @eywords
The valid +eywords or C"#,3'26 are3 1,6+"-, C"#,3'26 .'0IC6 ,+D S)..'2#,D
+6
/ote
If you -ave a -AT(!.R/ defined wit- a default 6(/5A3( in it: and t-e same category is found again later in t-e .adm file: t-at same default 6(/5A3( is still in effect. T-is means t-at you can get an error message about @7C/A,7 being defined twice: w-en it was actually ;ust defined in t-e same category earlier. To remove t-e error condition: remove t-e du licate category entry.
PO1ICC
To identi y a policy setting that the user can modi y, use the +eyword .'0IC6% The policy and its associated controls are displayed in a dialog !ox that administrators use to set the state o the policy% Hou can use multiple .'0IC6 +ey names under one 1,6+"-,% The ollowing examples illustrate the syntax o P=6&<H%
#ynta9
POLICY name [KEYNAME key name] [EXPLAIN help string] [VALUENAME value name] [CLIENTEXT guid] [part definition statements] END POLICY
name
The name o the policy as it should !e displayed in the Group Policy =!.ect >ditor namespace%
key name
This is an optional path to the registry +ey to use or the category% -o not include /1,680'C"08-"C/I+, or /1,68C)22,+#8)S,2 in the registry path as the preceding <6A** statement determines which o these +eys is used% & you speci y a +ey name, all ."2# de inition statements will use this +ey name unless they speci ically provide a +ey name o their own% & a +ey name is not speci ied and i no higher level category speci ies a +ey name, each policy in this category must speci y its own +ey name3 otherwise, the +ey name or the next category that does speci y a +ey name will !e used%
help string
The Qelp string is the text displayed in the ,!plain ta! o the dialog !ox or the policy setting%
+#
value name
Ualue name is the registry value to modi y% *electing this option sets the value as a R>GO-$=R- o @% <learing the option removes the registry value% To speci y values other than the de ault values, use the $"0),'+ and $"0),'&& statements directly ollowing the corresponding $"0),+"-, statement% These statements are speci ied as ollows3
VALUEON on value VALUEOFF off value
$hen you use these statements, the !ehavior is modi ied such that i the administrator selects the option, the value is set to on value% & the administrator clears the option, the value is set to off value%
guid
This is an optional value that speci ies the glo!ally uniJue identi ier 'GU&-( o the snap-in extension%
PO1ICC 79am le
CLASS MACHINE
CATEGORY!!DiskQuota
KEYNAME "Software\Policies\MS\DiskQuota"
TEXT
+$
Using Administrative Template Files with Registry- ased !roup "olicy END CATEGORY
[strings] DiskQuota="Disk Quotas" DQ_Enable="Enable disk quotas" DQ_Enable_Help="Enables and disables disk quota management" DQ_EnableTip1="Enable disk quotas for all NTFS volumes"
PO1ICC @eywords
The valid +eywords or P=6&<H are3 1,6+"-, ."2# $"0),+"-, $"0),'+ $"0),'&& "C#I'+0IS#'+ "C#I'+0IS#'&& ,+D /,0. C0I,+#,5# .'0IC6
PART
Use ."2# to speci y various options, such as drop-down list !oxes, text !oxes, and text in the lower pane o Group Policy =!.ect >ditor% For a simple policy where you only need to set a registry +ey to either @ or B, you do not need to use ."2#% PART allows a richer system administrator experience, and collects more in ormation rom the administrator through simple controls%
#ynta9
PART name part-type type-dependent data [KEYNAME key name] [VALUENAME value name]
+%
name
*peci ies the ."2# name as it should appear in Group Policy =!.ect >ditor% Hou can enclose it in Juotation mar+s 'X(% ;ames with spaces must !e enclosed in Juotation mar+s 'X(%
part-type
A policy ."2# type% Ta!le 8 lists the valid types or .'0IC6% Table ) Policy PART Ty es
Ty e C%7C@BO0 "escri tion "is lays a c-ec3 bo9. T-e value is set in t-e registry wit- t-e R(!789.R8 ty e. T-e value is ot-er t-an Pero if t-e c-ec3 bo9 is selected and Pero if it is not selected. "is lays a combo bo9. "is lays a combo bo9 wit- a dro -down list style. T-e user may c-oose only one of t-e entries su lied. "is lays a list bo9 wit- Add and Remove buttons. T-is is t-e only PART ty e t-at can be used to manage multi le values under one 3ey. "is lays a te9t bo9 t-at acce ts al -anumeric te9t. T-e te9t is set in t-e registry wit- eit-er t-e R7'Q#R or t-e R7'Q70PA/"Q#R ty e. "is lays a line of static te9t. T-ere is no associated registry value wit- t-is PART ty e. "is lays a te9t bo9 wit- an o tional s in control t-at acce ts a numeric value. T-e value is set in t-e registry wit- t-e R7'Q"&OR" ty e.
CO,BOBO0 "ROP"O&/1I#T
1I#TBO0
7"ITT70T
T70T /?,7RIC
type-dependent data
This is in ormation a!out the ."2#%
key name
This is an optional path to the registry +ey to use% -o not include /1,680'C"08-"C/I+, or /1,68C)22,+#8)S,2 in the registry path as the preceding C0"SS statement determines which o these +eys is used% & no +ey name is speci ied, the previous +ey name in the hierarchy is used%
value name
The value name indicates the registry value to modi y% *electing this option sets the value to a R>GO-$=R- o @, and clearing the option removes the registry value% & you want to speci y values other than the de ault values, use the $"0),'+ and $"0),'&& statements directly ollowing the corresponding $"0),+"-, statement% Hou speci y these statements as ollows3
,'
Using Administrative Template Files with Registry- ased !roup "olicy VALUEON on value VALUEOFF off value
@eywords
The valid +eywords or ."2# are3 C/,C17'5 #,5# ,DI##,5# +)-,2IC C'-7'7'5 D2'.D'W+0IS# 0IS#7'5 ,+D C0I,+#,5# ."2#
C%7C@BO0 PART Ty e
This ."2# type displays a chec+ !ox on the .roperty page o a policy setting% The value is set in the registry with the R>GO-$=R- type% The de ault !ehavior is as ollows3 By de ault the chec+ !ox is not selected% A chec+ !ox writes the value @ to the registry i it is selected and B i it is not selected%
#ynta9
PART text CHECKBOX VALUENAME value name END PART
,&
text
This represents the text to !e displayed on the right o the chec+ !ox that you are creating% Hou can hard code it and enclose it in Juotation mar+s 'X( or you can ma+e the string a varia!le !y putting :: in ront o the varia!le name%
value name
&ndicates the registry value to which the selected value will !e written% *electing the option sets the value as a R>GO-$=R- o @% <learing the option removes the registry value% To speci y values other than the de ault values, use the $"0),'+ and $"0),'&& statements directly ollowing the corresponding $"0),+"-, statement% These statements are speci ied as ollows3
VALUEON on value VALUEOFF off value
$hen you use these statements, the !ehavior is modi ied such that i the administrator selects the option, the value is set to on value% & the administrator clears the option, the value is set to off value% To override the de ault !ehavior3 To have the chec+ !ox selected !y de ault use D,&C/,C1,D% &n the preceding sample, the syntax would !e3
PART !!SampleChkBox_NotChked CHECKBOX DEFCHECKED VALUENAME "test1" END PART
Hou can use $"0),'+ and $"0),'&&% This example accomplishes the ollowing33 $rites the string 0>na!led1 to the registry when the chec+ !ox is selected% $rites a numeric value o @, when the chec+ !ox is not selected%
PART !!SampleChkBox_NotChked CHECKBOX VALUENAME "test1" VALUEON Enabled VALUEOFF NUMERIC 12 END PART
To modi y more than one registry +ey, use an A<T&=;6&*T% The valid +eywords or C/,C17'5 are3 2>H;A"> UA6U>;A"> UA6U>=; UA6U>=FF
,*
T70T PART Ty e
The ."2# type #,5# can !e used to display text on the .roperty page o a policy setting% Text uses the ollowing syntax%
PART text TEXT END PART
text
Text that is to !e displayed is entered here% Hou can hard code it and enclose it in Juotation mar+s 'X(, or you can ma+e the string a varia!le !y putting :: !e ore the varia!le name% The ollowing example illustrates the use o #,5#% The Disable "ctive Des(top policy deactivates Active -es+top and prevents users rom ena!ling or disa!ling Active -es+top, or rom modi ying the con iguration%
T70T 79am le
POLICY !!NoActiveDesktop KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" EXPLAIN!!NoActiveDesktop_Help VALUENAME "NoActiveDesktop"
TEXT
END POLICY
7"ITT70T PART Ty e
The ,DI##,5# option allows the user to input alphanumeric text into an edit ield% The text is set in the registry with the R>GO*P type%
#ynta9
PART !!text EDITTEXT
Language Reference for Administrative Template Files VALUENAME value name END PART
,+
text
Text to !e displayed is entered here% Hou can hard code it and enclose it in Juotation mar+s 'X( or you can ma+e the string a varia!le !y putting two explanation points '::( !e ore the varia!le name% This text is displayed on the le t side o the edit !ox%
value name
The value name indicates the registry value to which the users input entered in the >dit Text !ox will !e written% Ta!le T lists the options or ,DI##,5#. Table 5 O tions for 7"ITT70T
O tion "7!A?1T value ,A017/ value R7S?IR7" "escri tion # ecifies t-e initial string to lace in t-e edit field. If t-is o tion is not s ecified: t-e field is initially em ty. # ecifies t-e ma9imum lengt- of a string. T-e string in t-e edit field is limited to t-is lengt-. # ecifies t-at t-e 'rou Policy Ob;ect 7ditor does not allow a olicy containing t-is PART to be enabled: unless a value -as been entered for t-is PART. #ets t-e 7#QO7,CO/67RT style in t-e edit field so t-at ty ed te9t is ma ed from A#CII to O7, and bac3. 7#QO7,CO/67RT converts te9t entered in t-e edit control. T-e te9t is converted from t-e &indows c-aracter set 8A#CII< to t-e O7, c-aracter set and t-en bac3 to t-e &indows set. T-is ensures ro er c-aracter conversion w-en t-e a lication calls t-e C-arToOem TUava#cri tA--ob;Q(.Clic38<V function to convert an A#CII string in t-e edit control to O7, c-aracters. T-is style is most useful for edit controls t-at contain file names. # ecifies t-at t-e te9t is set in t-e registry wit- t-e R7'Q70PA/"Q#R ty e. By default: t-e te9t is set in t-e registry wit- t-e R7'Q#R ty e
O7,CO/67RT
70PA/"AB17T70T
The valid +eywords or ,DI##,5# are3 1,6+"-, $"0),+"-, D,&")0# 2,;)I2,D -"50,+3#/
,,
7"ITT70T 79am le
An example o use o the ."2# component with ,DI##,5# and #,5# ollows3
CLASS USER CATEGORY !!DesktopLockDown
TEXT
EDITTEXT
END POLICY
END CATEGORY
[strings] DesktopLockDown="Desktop Settings" Wallpaper="Desktop Wallpaper" Wallpaper_Explain="Used to set the desktop wallpaper" Wallpaper_FileName="Filename" Wallpaper_Tip1="Specify UNC Path for selected wallpaper"
,5
&n the preceding example, the text entered into the edit ield is written to the registry +ey /1,68C)22,+#8)S,2*Soft%are*.olicies*System*Wallpaper% The text can !e a maximum o 8B characters% $hen this policy setting is +ot Configured or Disabled, this +ey is not written%
70PA/"AB17T70T 79am le
The ollowing example writes a value to registry with data type R>GO>)PA;-O*P% For example3
PART!!MyVariable EDITTEXT EXPANDABLETEXT
R7S?IR7" 79am le
The ollowing example generates an error i the user does not enter a value when reJuired%
PART!!MyVariable EDITTEXT REQUIRED
,A017/ 79am le
The ollowing example speci ies the maximum length o text%
PART!!MyVariable EDITTEXT
"7!A?1T 79am le
The ollowing example speci ies a de ault value% This can !e used or text or numeric data%
PART!!MyVariable EDITTEXT
,6
/?,7RIC PART Ty e
-isplays an edit ield with an optional spinner control 'an up-down control( that accepts a numeric value%
/?,7RIC #ynta9
PART text NUMERIC VALUENAME value name MIN value MAX value ...DEFAULT value ...SPIN value END PART
text
This represents the text to !e displayed on the right o the spin control that you are creating% Hou can hard code it and enclose it in Juotation mar+s 'X( or you can ma+e the string a varia!le !y putting [[ !e ore the varia!le name%
value name
&ndicates the registry value to which the selected value will !e written%
Ta!le : shows the options or the +)-,2IC type% Table $ O tions for /?,7RIC
O tion "7!A?1T value "escri tion # ecifies t-e initial numeric value for t-e edit field. If t-is o tion is not s ecified: t-e field is initially em ty. # ecifies t-e ma9imum value for t-e number. T-e default value is FFFF. # ecifies t-e minimum value for t-e number. T-e default value is +. # ecifies t-at t-e 'rou Policy Ob;ect 7ditor does not allow a olicy containing t-is PART to be enabled unless a value -as been entered for t-is
,#
PART. #PI/ value # ecifies increments to use for t-e s inner control. T-e default is #PI/ (. #PI/ + removes t-e s inner control. &rites values as R7'Q#R strings 8=(>: =*>: or =(*$>< rat-er t-an as binary values.
T0TCO/67RT
The valid +eywords or +)-,2IC are3 2>H;A"> UA6U>;A"> "&; "A) *P&; ->FAU6T R>]U&R>T)T<=;U>RT >;<6&>;T>)T
The ollowing example illustrates use o the minimum and maximum valid values or a varia!le%
PART!!MyVariable NUMERIC MIN 100 MAX 999 DEFAULT 55 VALUENAME ValueToBeChanged END PART
The ollowing example illustrates use o the +)-,2IC ."2# type using S.I+% &n this case, increments o @BB are used or the spin control%
PART !!ProfileSize NUMERIC REQUIRED SPIN 100
,$
Using Administrative Template Files with Registry- ased !roup "olicy VALUENAME "MaxProfileSize" DEFAULT 30000 MAX 30000 MIN 300 END PART
The ollowing example illustrates use o the +)-,2IC ."2# type using the #5#C'+$,2# option, which writes values as 2,38S< strings 'such as 08B1( instead o !inary values%
PART !!ScreenSaverTimeOutFreqSpin NUMERIC DEFAULT 900 MIN 0 MAX 599940 SPIN 60 TXTCONVERT VALUENAME "ScreenSaveTimeOut" END PART
CO,BOBO0 PART Ty e
This ."2# type displays a com!o !ox% &t accepts the same options as ,DI##,5#, as well as the S)33,S#I'+S option, which !egins a list o suggestions to !e placed in the drop-down list% S)33,S#I'+S are separated with spaces and must !e enclosed in Juotation mar+s 'X( when a value includes spaces% & a suggestion name includes white space, it must !e enclosed in Juotation mar+s% The list ends with ,+D S)33,S#I'+S%
79am le
The ollowing example illustrates the use o the S)33,S#I'+S option%
SUGGESTIONS Alaska Alabama Mississippi New York END SUGGESTIONS
@eywords
The valid +eywords or C'-7'7'5 are3 1,6+"-, $"0),+"-, D,&")0# S)33,S#I'+S 2,;)I2,D -"50,+3#/ ',-C'+$,2#
,%
/ote
'P,C reEuires t-at you define t-e 3ey name and value name before you s ecify "ROP"O&/1I#T.
"ROP"O&/1I#T PART Ty e
-isplays a com!o !ox with a drop-down list style% The user may choose only one o the entries supplied%
"ROP"O&/1I#T #ynta9
D2'.D'W+0IS# uses the ollowing syntax%
PART !!text DROPDOWNLIST ITEMLIST NAME name VALUE value .. NAME name VALUE value END ITEMLIST END PART
text
This represents the text to !e displayed on the right o the spin control that you are creating% Hou can hard code it and enclose it in Juotation mar+s 'X( or you can ma+e the string a varia!le !y putting :: in ront o the varia!le name%
name
This is text that will !e displayed in the drop-down list or a particular item%
value
The value to !e written to the speci ied registry +ey i this item is selected% Ualues are assumed to !e strings, unless they are preceded !y +)-,2IC% The ollowing example shows !oth string and numeric values3
VALUE Some value VALUE NUMERIC 1
5'
1I#TBO0 PART Ty e
The 6&*TB=) ."2# component speci ies various options such as drop-down list !oxes, text !oxes, and text in the lower pane o the Group Policy =!.ect >ditor% 0IS#7'5 accepts the options shown in Ta!le C% Table F 1I#TBO0 O tions
1I#TBO0 O tion A""ITI67 "escri tion By default: t-e content of list bo9es overrides any values set in t-e target registry. T-is means t-at a control value is inserted in t-e olicy file t-at causes e9isting values to be deleted before t-e values set in t-e olicy file are merged. If t-is o tion is s ecified: e9isting values are not deleted: and t-e values set in t-e list bo9 is in addition to w-atever values e9ist in t-e target registry. T-is o tion ma3es t-e user s ecify t-e value data and t-e value name. T-e list bo9 s-ows two columns: one for t-e name and one for t-e data. T-is o tion cannot be used wit- t-e 6A1?7PR7!I0 o tion. T-e refi9 you s ecify is used in determining value names. If a refi9 is s ecified: t-e refi9 and an incremented integer are used: instead of t-e default value naming sc-eme described reviously. !or e9am le: a refi9 of =#am le/ame> generates t-e value names =#am le/ame(>: =#am le/ame*>: and so on. T-e refi9 can be em ty 8=><: w-ic- causes t-e value names to be =(>: =*>: and so on.
70P1ICIT6A1?7
6A1?7PR7!I0 refi9
By de ault, only one column appears in the list !ox, and or each entry a value is created whose name and value are the same% For instance, a 0name1 entry in the list !ox creates a value called 0name1 that contains data called 0name1% $hen using a 0IS#7'5, use the "DDI#I$, +eyword unless you have a speci ic reason not to do so%
5&
/ote
&indows 0P #P* fi9ed issues relating to t-e 1I#TBO0 A""ITI67 functionality. !or more information: see t-e =C-anges to 1I#TBO0 A""ITI67> section in t-is document.
The valid +eywords or 0IS#7'5 are3 1,6+"-, $"0),.2,&I5 "DDI#I$, +'S'2# ,5.0ICI#$"0), ,5."+D"70,#,5# ,+D C0I,+#,5#
ACTIO/1I#T
Hou can use an action list to speci y a set o ar!itrary registry changes to ma+e in response to a control !eing set to a particular state%
#ynta9
The "C#I'+0IS# syntax is as ollows3
ACTIONLIST [KEYNAME key name] VALUENAME value name VALUE value END ACTIONLIST
key name
This is an optional path to the registry +ey% -o not include Q2>HO6=<A6O"A<Q&;> or Q2>HO<URR>;TOU*>R in the registry path as the preceding <6A** statement determines which o these +eys is used% & no +ey name is speci ied, the previous +ey name in the hierarchy is used%
value name
&ndicates the registry value to modi y% *electing this option sets the value to a R>GO-$=R- o @, and clearing the option removes the registry value% & you want to speci y values other than the de ault values, use the UA6U>=; and UA6U>=FF statements directly ollowing the corresponding UA6U>;A"> statement% Hou speci y these statements as ollows3
5*
Using Administrative Template Files with Registry- ased !roup "olicy VALUEON on value VALUEOFF off value
value
Ualues are treated as strings unless they are preceded !y ;U">R&<, as in the ollowing examples3
VALUE "Some value" VALUE NUMERIC 1
& $"0), is ollowed !y D,0,#, ' or example, $"0), D,0,#,(, the registry entry is deleted% Ta!le @B lists the two variants or "C#I'+0IS# that can !e used with .'0IC6 and C/,C17'5% Table (+ 6ariants for ACTIO/1I#T
6ariant ACTIO/1I#TO/ ACTIO/1I#TO!! "escri tion # ecifies an o tional action list to be used if t-e c-ec3 bo9 is selected. # ecifies an o tional action list to be used if t-e c-ec3 bo9 is not selected.
ACTIO/1I#T 79am le
The ollowing example illustrates the use o "C#I'+0IS#'+ and "C#I'+0IS#'&&%
POLICY "Deny connections requests" EXPLAIN "If enabled, TS will stop accepting connections" ACTIONLISTON VALUENAME "fDenyTSConnections" VALUE NUMERIC 1 END ACTIONLISTON ACTIONLISTOFF VALUENAME "fDenyTSConnections" VALUE NUMERIC 0 END ACTIONLISTOFF END POLICY
Additional 7lements
The %adm language supports the ollowing elements3
@7C/A,7
The 1,6+"-, +eyword is used within a C"#,3'26 to de ine which +ey within the registry is modi ied as a result o an action here% 1,6+"-, should !e ollowed !y the registry path to the +ey that contains the value that you want to change% -o not include
5+
/1,680'C"08-"C/I+, or /1,68C)22,+#8)S,2 in the registry path as the preceding <6A** statement determines which o these +eys is used% & the 1,6+"-, contains a space, you must enclose the string in Juotation mar+s 'X(%
6A1?7/A,7
-e ines the options availa!le within a .'0IC6% First identi y the registry value that is to !e modi ied as a result o using the +eyword $"0),+"-,% For example, $"0),+"-, "yFirstUalue% The ollowing example illustrates the use o $"0),+"-,% The -isa!le Boot 4 *hutdown 4 6ogon 4 6ogo status messages policy prevents the display o system status messages%
POLICY!!DisableStatusMessages KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System" EXPLAIN!!DisableStatusMessages_Help VALUENAME "DisableStatusMessages" END POLICY
Unless you speci y otherwise, the value is written in the ollowing ormat when the user chec+s or clears the option3 <hec+ed% Uses a R>GO-$=R- type with a value o @% <leared% Removes the value%
Hou can speci y options other than these de aults !y using $"0),'&& and $"0),'+% & the option is to !e selected within the lower pane o the Group Policy =!.ect >ditor, the $"0),+"-, needs to !e within a ."2# scope%
C1I7/T70T
The C0I,+#,5# +eyword is used to speci y which client-side extension to the Group Policy =!.ect >ditor needs to process the particular settings on the client computer% By de ault, the registry extension processes all settings con igured under the Administrative Templates node% The C0I,+#,5# +eyword changes the de ault !ehavior and causes the speci ied extension to process these settings a ter the registry extension has placed them in the registry% C0I,+#,5# must !e used within either the .'0IC6 scope or the ."2# scope and should ollow the $"0),+"-, statement% The ollowing example illustrates use o C0I,+#,5#%
POLICY !!DQ_Enforce #if version >= 4 SUPPORTED !!SUPPORTED_Win2k #endif EXPLAIN !!DQ_Enforce_Help VALUENAME "Enforce" VALUEON NUMERIC 1
5,
Using Administrative Template Files with Registry- ased !roup "olicy VALUEOFF NUMERIC 0 CLIENTEXT {3610eda5-77ef-11d2-8dc5-00c04fa31a66} END POLICY
The GU&- that ollows the C0I,+#,5# +eyword is the GU&- o the client-side extension% The client-side extensions are listed in the registry under /1,680'C"08-"C/I+,*S'&#W"2,*-icrosoft*Windo%s+#*Current$ersion*Winlog on*3.,!tensions%
KEYNAME key name POLICY!!MyPolicy VALUENAME ValueToBeChanged VALUEON 5 VALUEOFF 10 END POLICY
?sing #im le Policies and Policies wit- t-e 6A1?7O!! and 6A1?7O/ #tatements
This section presents two examples that illustrate the di erence !etween using the de ault policy states and speci ying $"0),'+ and $"0),'&& statements% There is a signi icant di erence !etween the two example policies%
79am le (
&n this example, no explicit $"0),'+ or $"0),'&& statements are used% This means that the Administrative Templates use the de ault !ehavior when the user changes the state o this policy%
POLICY!!EnableSlowLinkDetect EXPLAIN !!EnableSlowLinkDetect_Help KEYNAME "Software\Policies\Microsoft\Windows\System" VALUENAME "SlowLinkDetectEnabled" END POLICY
55
;ote the policy-disa!led state% The value is not written to the registry with the value o B^ instead it is explicitly deleted% This means that a component reading the policy will not ind the value in the registry, and will all !ac+ to using the de ault in the code%
79am le *
&n this example, the state values are explicitly de ined, so when the user changes the policy, the Administrative Templates use these values%
POLICY!!EnableSlowLinkDetect EXPLAIN!!EnableSlowLinkDetect_Help KEYNAME "Software\Policies\Microsoft\Windows\System" VALUENAME "SlowLinkDetectEnabled" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY
70P1AI/
The ,5.0"I+ +eyword is used to provide online Qelp text or a speci ic Group Policy% &n $indows ,BBB, the .roperties page or each policy setting includes an ,!plain ta!, which provides details a!out the policy settings% >ach Group Policy that you create should include one ,5.0"I+ +eyword, ollowed !y at least one space, and then the ,5.0"I+ string in Juotation mar+s 'X( or a re erence to the Qelp string% For example3
56
Using Administrative Template Files with Registry- ased !roup "olicy POLICY!!Pol_NoConfigCache #if VERSION >= 3 EXPLAIN!!Pol_NoConfigCache_Help #endif VALUENAME "NoConfigCache" PART!!Lbl_NoConfigCacheHelp1 END PART END POLICY .....
TEXT
[Strings] Pol_NoConfigCache_Help="Prevents users from changing the automatic synchronization behavior at logoff."
&n the preceding example, Qelp is o ered or one o the = line Files options% The ,5.0"I+ +eyword wrapped in the =if $,2SI'+ allows this %adm ile to !e used with the $indows ,BBB Group Policy =!.ect >ditor 'version A(%
1ine Brea3s
To start text on a new line or to create a line !rea+, use this syntax3
\n = Starts a new line \n\n = Creates a line break
The valid operators are listed in Ta!le @A% Table (2 6alid O erators for t-e 6ersion #tatement /umber
O erator V 8'T< #ignifies 'reater t-an. !or e9am le: a V b means a is greater t-an b.
5#
1ess t-an. !or e9am le: a T b means a is less t-an b. 7Eual. !or e9am le: a NN b means a is eEual to b. /ot eEual. 'reater t-an or eEual to. !or e9am le: a VN b means a is greater t-an or eEual to b. 1ess t-an or eEual to. !or e9am le: a TN b means a is less t-an or eEual to b.
Related 1in3s
To learn more a!out Group Policy, see the ollowing resources3 "icroso t Group Policy Qome Page at http344go%microso t%com4 wlin+45 6in+&d7@9B::% Group Policy A-" Files at http344go%microso t%com4 wlin+45lin+id7A@B9T% "anaging $indows )P *ervice Pac+ , Features Using Group Policy on the Tech;et $e! site at http344go%microso t%com4 wlin+456in+&d7A@CTE% Group Policy in the "icroso t Plat orm *-2 at http344go%microso t%com4 wlin+45 6in+&d7,8,9:% Group Policy "anagement <onsole on the "*-; $e! site at http344go%microso t%com4 wlin+456in+&d7@TC@,%
5$
Group Policy in $indows *erver ,BBA on the "icroso t $e! site at http344go%microso t%com4 wlin+45lin+id7,C,8C% Article :@888,, 0Recommendations or "anaging Group Policy Administrative Template '%adm( Files,1 in the "icroso t 2nowledge Base at http344go%microso t%com4 wlin+456in+&d7EEE@% The <ore Group Policy Technical Re erence collection o the 0$indows *erver ,BBA Technical Re erence1 at http344go%microso t%com4 wlin+456in+&d7A@T::% The 0-esigning a "anaged >nvironment1 !oo+ o the Microsoft Windows Server 2003 Deployment Kit on the "icroso t $e! site at http344go%microso t%com4 wlin+456in+&d7AB89B%