Editing Local Policies

Policies are different from preferences, and comparing the two helps you better understand how Windows XP uses policies. Users set preferences, such as their desktop wallpaper. They can change preferences any time. Administrators set policies, such as the location of the My Documents folder, and they have precedence over the equivalent user preference. Windows XP stores policies in the registry separately from user preferences. If the policy exists, the operating system uses the setting that policy specifies. If the policy doesn't exist, the operating system uses the user's preference. In the absence of the user's preference, the operating system uses a default setting. The important thing is that a policy does not change the equivalent user preference and, if they both exist at the same time, the policy has precedence. Also, if the administrator removes the policy, the user's preference is once again used. In other words, Group Policy does not tattoo the registry. (See the sidebar "Tattoos on the Registry," later in this chapter.) Table 6-1 summarizes this behavior.

Sidebar: Tattoos on the Registry

Group Policy and System Policy (the policy mechanism that versions of Windows earlier than Windows 2000 use) handle changes differently. Windows XP automatically removes a GPO's settings from the registry when the GPO no longer applies to the user or computer. Also, Group Policy doesn't overwrite users' preferences. So if you delete a GPO from Active Directory, Windows XP removes that GPO's settings from the registry and reverts to users' preferences. Likewise, if you remove an individual policy from a GPO, Windows XP removes that setting from the registry and restores users' existing preferences. Group Policy doesn't make permanent, irreversible changes to the registry.

System Policy does make permanent, irreversible changes to the registry, though. In other words, it tattoos the registry. Removing System Policy leaves all the policies it contained in the registry. The only way to restore users' preferences, assuming these policies don't overwrite their preferences, is to manually remove the policy from the registry or explicitly change the setting in System Policy. This is one of the scenarios you learn to grapple with in Chapter 15, "Working Around IT Problems." One of the nastier incarnations of this behavior can occur when you upgrade from an earlier version of Windows to Windows XP. When you upgrade, policies in the registry are permanent, and you must manually remove them from the registry; Windows XP doesn't remove them automatically.


Table 6-1: Policies Compared to Preferences

Policy defined?   Preference defined?   Behavior
No                No                    Default
No                Yes                   Preference configures
Yes               No                    Policy configures
Yes               Yes                   Policy configures, ignoring the preference

Windows XP combines policies in a Group Policy object (GPO). In Active Directory, you have multiple GPOs, which apply to users and computers depending on where they are in the directory. In Windows XP, you have only one GPO, and that's the local GPO. Settings in this GPO apply to the local computer and every user who logs on to it. Because the local GPO is the first GPO that Windows XP applies when it starts and when users log on to it, network GPOs can override settings in it. For example, suppose you define a local policy that lets you install Windows Installer-based programs with elevated privileges, but the network administrator sets a network policy that disallows that. The network policy wins, so you can install these programs only if you're a local administrator of that computer; had the network policy not overridden the local one, you could install Windows Installer-based programs regardless of the groups your account belongs to.

GPOs include settings for both computer configurations and user configurations. Because Group Policy settings apply to either computers or users, GPOs contain branches for each:

  • Computer Configuration. These are per-computer policy settings that specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned applications, and application settings. Windows XP applies per-computer policies when the operating system starts and at regular intervals.

  • User Configuration. These are per-user policy settings that specify operating system behavior, desktop settings, security settings, assigned and published applications, folder redirection settings, user logon and logoff scripts, and application settings. Windows XP applies per-user policies when the user logs on to the computer and at regular intervals.

You edit the local GPO using the Group Policy editor, shown in Figure 6-1. To open the Group Policy editor, type gpedit.msc in the Run dialog box. The left and right panes you see in the editor are similar to those in Registry Editor (Regedit), so I won't explain how to use them here. Immediately under Local Computer Policy, you see Computer Configuration and User Configuration. Computer Configuration contains per-computer policies, and User Configuration contains per-user policies. Registry-based policies, this chapter's focus, are in Administrative Templates under either branch.

Figure 6-1: The Extended and Standard view tabs are new for Windows XP. Click the Extended tab to display help for the selected policy setting.

Typing gpedit.msc in the Run dialog box is the quick way to edit the local computer's GPO, but you can create your own console in Microsoft Management Console (MMC) to edit a remote computer's GPO. Editing local policies on a remote computer is useful if your organization isn't using Active Directory, but it's too cumbersome to use as a general management tool, so I'd use it in one-off scenarios:

  1. In the Run dialog box, type mmc, and press Enter.

  2. On the File menu, click Add/Remove Snap-In.

  3. In the Add Standalone Snap-In dialog box, on the Standalone tab, click Add.

  4. Click Group Policy, and then click Add.

  5. In the Select Group Policy Object dialog box, click Browse. In the Browse For A Group Policy Object dialog box, on the Computers tab, select the Another Computer option, type the remote computer's name in the space provided, and then click OK.

    Note

    Windows XP doesn't allow you to specify security settings in a remote computer's local GPO. Thus, when you open Security Settings for a remote computer, you don't see these settings. Even though you can't apply these settings to remote computers, you can include them in a disk image for deployment, which you learn more about in the section "Deploying Registry-Based Policy," later in this chapter.

Group Policy Extensions

Group Policy has several extensions that you can use to configure GPOs. In fact, each of the different nodes that you see in the Group Policy editor is an extension. By default, the editor loads all the available extensions when you start it. There are different extensions in Computer Configuration and User Configuration, and you see more extensions when you're editing a network GPO in Active Directory than when you're editing a local GPO. The following list summarizes some of the extensions that Group Policy provides in a local GPO (network GPOs provide more):

  • Scripts. You can assign scripts to users that run when they log on to or log off of Windows XP. You can assign scripts to computers that run when Windows XP starts and when it shuts down. You see this extension in the Windows Settings folder.

  • Security Settings. You can manage security settings, including password, audit, and lockout policies. You can also manage user rights and restrict the applications that users can run. You see this extension in the Windows Settings folder.

  • Administrative Templates. Group Policy creates a file containing registry settings that are written to HKCU or HKLM in the registry. Windows XP loads settings from this file as the operating system starts and when users log on to the computer. These are registry-based policies.

Registry-Based Policy

Registry-based policies and administrative policies are two names for the same thing. They're registry settings that override users' preferences, and users can't change them, for good reasons that you'll learn about in this section. Other policies, including security settings, might or might not be registry settings. In the Group Policy editor, you find registry-based policies in the Administrative Templates folder under Computer Configuration or User Configuration.

Figure 6-2 shows the workflow for registry-based policies. Administrators define policies using the Group Policy editor, which you saw in Figure 6-1. Administrative templates, files with the .adm extension, define the policies they can set. Administrative templates and policy templates are the same thing, and you frequently see the short name ADM files. These templates describe the user interface for collecting settings from the administrator and the settings' locations in the registry. When the administrator defines policies, the editor stores them in a file called Registry.pol. Windows XP loads the settings contained in the file Registry.pol when the operating system starts, when users log on to it, and at regular intervals. The next section describes where in the registry Windows XP stores policies and where you find the Registry.pol file.

Figure 6-2: Registry-based policies start with administrative templates, which define the settings that are available and the location where they are stored in the registry.

The following components combine to implement registry-based policy:

  • The Administrative Templates extension, which you use to edit policy settings. This extension is the Administrative Templates folder in the editor. It creates the Registry.pol file based on settings that the administrator defines.

  • A built-in registry client-side extension, which processes policies and creates their corresponding values in the registry (available only in Windows 2000 or later). Although the client-side extension is responsible for reading settings from the Registry.pol file and writing them to the registry, Windows XP and other applications must look for and use these settings to give them meaning.

Windows XP comes with administrative templates that define all the proper policies that the operating system supports. If you want to use policies for an application, such as one in Microsoft Office XP, you must load the administrative templates for it. In fact, the Office XP Resource Kit comes with a big handful of administrative templates that help IT professionals better manage the entire productivity suite. Windows XP provides the following administrative templates:

  • System.adm. Core settings and primary template file, defining most of the settings you see in Administrative Templates

  • Wmplayer.adm. Windows Media settings

  • Conf.adm. NetMeeting conferencing software

  • Inetres.adm. Internet Explorer

All registry-based policies can be in one of three states: Enabled, Disabled, or Not Configured. Figure 6-3 shows these settings on a sample policy. Enabled explicitly turns on the setting by adding the setting to the registry with a value of 0x01. Disabled explicitly turns off the setting by adding the setting to the registry with a value of 0x00 or removing the value altogether. The Not Configured option removes the setting from the registry altogether, which yields to the user's preference. Many policies collect additional settings, as shown in the figure.

Figure 6-3: Each policy has three states, Enabled, Disabled, or Not Configured, and some policies collect additional information.

When setting a policy, pay particular attention to the language to ensure that you get the result you want. Some policies are positive, so enabling the policy turns on the feature. Other policies are negative, however, so turning on those policies actually disables those features. To make things more confusing, outside of Windows XP, you frequently see policies that you have to enable and then turn the setting on or off. In other words, to turn on a setting, you have to enable the policy and then select or clear a second check box to turn on or off the setting. The Office XP policy templates are notorious for this extra level of indirection. All this just illustrates that you have to pay close attention to the names of policies when setting them. Read their names out loud, prefixing the sentences with the words enable or disable—just to be sure.

Group Policy Storage

Where does Windows XP store policies in the registry and on the disk? The branch \Software\Policies is the preferred branch for registry-based policies. This branch in HKLM contains per-computer policies, and the branch in HKCU contains per-user policies. Another branch, inherited from earlier versions of Windows, is \Software\Microsoft\Windows\CurrentVersion\Policies. Policies in this branch tend to tattoo the registry, which means they make permanent changes to the registry that you must explicitly change. What prevents users from changing these keys, and thus the policies they enforce, is their ACLs (Access Control Lists). The Users and Power Users local groups do not have permission to change values in these keys. An administrator can overwrite these keys directly and change the policy, however.

That covers the location of policies in the registry; now for their location on the file system. The local GPO is in %SYSTEMROOT%\System32\GroupPolicy. This is a super-hidden folder. To show it in Windows Explorer, click Tools, Options; on the Folder Options dialog box's View tab, select the Show Hidden Files And Folders option, and then clear the Hide Protected Operating System Files check box. It contains the following subfolders and files (our focus is the file Registry.pol):

  • \Adm. Contains all the ADM files for the local GPO.

  • \User. Includes the file Registry.pol, which contains registry-based policies for users. When users log on to the computer, Windows XP applies these to HKCU.

  • \User\Scripts. Contains the local GPO's per-user scripts. The scripts in \Logon run when users log on to Windows XP, and the scripts in \Logoff run when they log off of the operating system.

  • \Machine. Includes the file Registry.pol, which contains registry-based policies for the computer. When Windows XP starts, it applies these settings to HKLM.

  • \Machine\Scripts. Contains the local GPO's per-computer scripts. The scripts in \Startup run when Windows XP starts, and the scripts in \Shutdown run when the operating system shuts down.

If you're familiar with System Policy and the file Ntconfig.pol, you're probably wondering whether the files Registry.pol and Ntconfig.pol use similar formats. They don't. Both are binary files, but Registry.pol is much simpler. It contains a simple list of settings, including their value names, type, and data, in a binary format. Ntconfig.pol is actually a registry hive file that you can load and browse in Regedit. Unfortunately, you can't do the same with Registry.pol.
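The Registry.pol layout described above, as an added example that is not the book's code: a small Python writer and parser for the PReg format (the layout documented in MS-GPREG), plus a helper that maps a parsed entry back onto the Enabled, Disabled and Not Configured states discussed earlier. The key and value names used with it are constructed, not real policies.

```python
import struct
# Added example, not the book's code; follows the documented Registry.pol ("PReg")
# layout (MS-GPREG): b"PReg", DWORD version 1, then per setting the UTF-16LE text
# [key;value;type;size;data] with NUL-terminated key/value, little-endian DWORD
# type and size, and `size` raw data bytes. "**del.<name>" marks a value to delete.
MAGIC, VERSION, REG_DWORD = b"PReg", 1, 4

def build_pol(entries):  # entries: iterable of (key, value_name, reg_type, data_bytes)
    out = bytearray(MAGIC + struct.pack("<I", VERSION))
    for key, name, rtype, data in entries:
        out += ("[%s\0;%s\0;" % (key, name)).encode("utf-16-le")
        out += struct.pack("<I", rtype) + b";\0" + struct.pack("<I", len(data))
        out += b";\0" + data + b"]\0"
    return bytes(out)

def parse_pol(blob):  # -> [(key, value_name, reg_type, data_bytes), ...]
    if len(blob) < 8 or blob[:4] != MAGIC or struct.unpack_from("<I", blob, 4)[0] != VERSION:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    def take(n):                 # consume n bytes, refusing to run past the end
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated entry at offset %d" % pos)
        pos += n
        return blob[pos - n:pos]
    def take_str():              # NUL-terminated UTF-16LE, read in 2-byte units
        units = bytearray()
        while (unit := take(2)) != b"\0\0":
            units += unit
        return units.decode("utf-16-le")
    def expect(delim):           # the [ ; ] delimiters are UTF-16LE too
        if take(2) != delim:
            raise ValueError("malformed entry near offset %d" % (pos - 2))
    while pos < len(blob):
        expect(b"[\0"); key = take_str()
        expect(b";\0"); name = take_str()
        expect(b";\0"); rtype = struct.unpack("<I", take(4))[0]
        expect(b";\0"); size = struct.unpack("<I", take(4))[0]
        expect(b";\0"); data = take(size)
        expect(b"]\0"); entries.append((key, name, rtype, data))
    return entries

def policy_state(entries, key, name):  # -> "Enabled" | "Disabled" | "Not Configured"
    for k, n, _, data in entries:
        if k.lower() == key.lower() and n.lower() == "**del." + name.lower():
            return "Disabled"    # disabled by removing the value from the registry
        if k.lower() == key.lower() and n.lower() == name.lower():
            return "Enabled" if int.from_bytes(data, "little") else "Disabled"
    return "Not Configured"      # no entry at all: the user's preference applies
```

A file under %SYSTEMROOT%\System32\GroupPolicy\Machine or \User can be handed to parse_pol as-is; a truncated or hand-edited file raises ValueError instead of yielding half-read settings.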

Note

Domain GPOs are more complicated than local GPOs. Active Directory stores policies in \\Server\SYSVOL\Domain\Policies, where Server is the name of the domain controller, and Domain is the name of the domain. Each GPO is in a subfolder, and the name of the subfolder is the GPO's GUID (see Chapter 1, "Learning the Basics"). The structure of each GPO's subfolder is similar to the structure of the local GPO described in this chapter. The \User and \Machine folders have additional subfolders, though, and the various Group Policy extensions create these.

Microsoft Windows XP Registry Guide
ISBN: 0735617880
Year: 2005
Pages: 185