You're probably well aware of how you can use Group Policy to manage Windows XP Professional Edition and Windows 2000 Professional clients. What you might not know, though, is that you can create custom Administrative Templates to use with Group Policy to leverage Group Policy's broad management capabilities for items other than the standard OS-related Group Policy settings. Let's examine why you might want to create your own custom Administrative Templates and how the technology works and explore some caveats. Then, we'll dig into the nuts and bolts of bringing isolated applications under the management umbrella of Group Policy.
The Case for Custom Administrative Templates
Assisting users is certainly easier when they all share a consistent look and feel for a given application. In many cases, you can use custom Administrative Templates to nudge your users toward a more consistent environment, even if an application is manageable via Group Policy out of the box. Likewise, if a specific setting for an application generates confusion and support calls, you can use custom Administrative Templates to configure the setting to a desired value. These settings might include limiting access to or hiding advanced features within applications. You can also use custom Administrative Templates to populate registry-stored data for applications.
Registry-Based Group Policy
Group Policy uses Administrative Templates to implement registry-based policy, which means that any settings configured by a Group Policy Object (GPO) are stored in the registry. These registry-based settings, referred to as System Policy in Windows NT 4.0, comprise the majority of policies implemented through Group Policy.
When you use a vendor-supplied Administrative Template, it stores any changes it makes in one of four approved locations for registry-based policy settings: HKEY_LOCAL_MACHINE\SOFT-WARE\Policies, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current-Version\Policies, HKEY_CURRENT_USER\Software\Policies, or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies. These locations have special permissions to prevent users from tinkering with the subkeys and values therein. Another important distinction about these locations is that any subkeys created by a GPO are removed from the registry when that GPO is removed. Settings stored here are also nonpersistent, meaning that they're removed each time the GPO is reapplied.
This system of approved registry subkeys for important settings works well for the Windows OSs and for applications that are written to take advantage of Group Policy. However, some other applications have registry subkeys outside these approved locations that you'll want to alter. Microsoft supports altering registry subkeys in other locations, but you should consider a few caveats and rules of thumb when doing so.
As I mentioned, subkey changes that adhere to Microsoft's guidelines are nonpersistent. But subkey changes in other locations (such as the ones I show you how to make in this article) are persistent, which means that they remain in the registry even after you remove the GPO that implemented them. Thus, making such changes is known as tattooing the registry. Furthermore, although your GPO-implemented registry settings can be altered manually or by an application, the next GPO refresh will reset them to the GPO-implemented values. Technically, the settings you configure through custom Administrative Templates are preferences rather than GPOs.
Another thing to be aware of when implementing preferences is that the user interface of the application being managed might not be equipped to reflect in a user-friendly manner the changes you make. Applications designed to be managed with Group Policy will gray out or hide certain buttons or menu choices based on Group Policy settings. You should test the behavior of applications that you want to manage in this fashion on a case-by-case basis.
The first rule of thumb in working with custom Administrative Templates is that you should be fairly familiar with the registry and know the potential effects of malformed entries. Creating custom Administrative Templates isn't for novices. Second, don't just customize an existing Administrative Template provided with the OS or with a Group Policyready application. Instead, copy the existing template and use the copy as a boilerplate for a new, renamed template. (Existing Administrative Templates are overwritten by updates such as service packs.) Third, don't reinvent the wheel. Before you begin to create a template to manage a group of settings, make sure a template doesn't already exist that covers the same territory.
You can download Administrative Templates for managing Windows (including Windows Media Player—WMP) at http://www.microsoft.com/downloads/details.aspx?familyid=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en. Other Administrative Templates are available as downloadable resource kit tools. For example, the Microsoft Office 2000 Resource Kit includes System Policy templates for managing Office 2000 applications. You can read about them at http://www.microsoft.com/resources/documentation/office/2000/all/reskit/en-us/95ct_10.mspx. You can download the Microsoft Office 2000 Resource Kit core tool set (orktools.exe), which contains them, at http://www.microsoft.com/office/ork/2000/appndx/toolbox.htm#orktools.
Administrative Template Basics
Administrative templates are text files with an .adm extension stored in the %systemroot%\inf folder. You can load these templates into the Microsoft Management Console (MMC) Group Policy Editor snap-in to display the settings that you can configure and deploy. When you look at an existing .adm file for the first time, you might find it kind of confusing. After you learn the basic components and keywords and how they work together, though, you'll be able to interpret and create your own templates.
The .adm language has eight basic components, each of which can use a group of keywords that define the options that the Group Policy Editor snap-in will make available when you edit a GPO. The sample Administrative Template in Web Listing 1 shows how to use the components and commonly used keywords to manage preferences for WinZip Computing's WinZip. You can download the template and load it per the instructions in this article's "Test, Test, Test" section to see the results of a custom template. Having WinZip installed will let you better see the effects of the sample GPOs. If you don't have WinZip, you can download a 21-day evaluation version from http://www.winzip.com/downwzeval.htm. The eight components are Comments, Strings, CLASS, CATEGORY, POLICY, PART, ITEMLIST, and ACTIONLIST.
Previous
Register
gcd December 08, 2005 (Article Rating: