Overview
Windows XP Professional stores configurations for all users, and computers, as policies.
(Windows XP Home does not support policies.) By default, no policies are set, but an administrator can easily set policies for a group of users or for the entire system. It's possible to set some policies by manually "hacking" the registry. However, that's the hard way. An easier way to change policies is to use one of the policy tools that Microsoft provides.
The first question on your mind is, "What does this have to do with the registry?" Well, of all things in Windows XP Professional, policies affect (and change) the registry more than anything else. With policy settings, you can change the way hardware and software behave and can be used.
An Introduction to Policies
Policies govern a site, a domain, or an organizational unit (often referred to as an OU) but not a specific user or computer. Policy is applied in a hierarchy, with higher-level policies used where no lower-level policy exists. For example, policy is applied as site (the highest level), then domain, organizational unit, and user. Policies in the domain override those they conflict with in the site, while conflicts between the domain and organizational unit are resolved with
the organizational unit taking precedence. Conflicts between nested organizational units are resolved with the lower-level organizational unit taking precedence.
Note Policy objects and settings can be set, unset, or not configured.
Policy settings are configured in objects called group policy objects (GPOs). GPOs are edited using the Microsoft Management Console (MMC).
The Official Order of Policy Implementation Is...
When Windows XP Professional (when joined to a domain) implements system policies, the policies are applied in this order:
1. Policies inherited from previous versions of Windows. For example, Windows NT 4 policies are contained in the NTConfig.pol file. Note that Windows NT 4 policies need not exist, and they will not exist on a clean installation of Windows XP Professional.
2. The policies contained in the local group policy object.
3. Site group policy objects, in the order specified by the administrator.
4. Domain group policy objects, in the order specified by the administrator.
5. Organizational unit group policy objects, from higher-level to lower-level organizational unit (parent to child organizational unit), and in administratively specified order at the level of each organizational unit.
Organizational units may be nested. That is, you can have an organizational unit called
Students. Within Students, you then might have Freshmen, Sophomores, Juniors, and Seniors, representing the four classes. (You might also have Graduate Students, Master's, or Doctoral.) Nesting can be as simple or as complex as your organization is.
When nesting organizational units, policy may be either inherited or not. You, the administrator, specify inheritance rules, within the following framework:
• Inheritance is downward only. In the example above, Freshmen inherit from Students, but Students never inherit from Freshmen.
• Settings that have not been configured are not inherited.
• Settings that are disabled are inherited as disabled.
• When a setting is configured in the higher-level organizational unit, and not
configured in the lower-level organizational unit, then the lower-level organizational unit inherits the setting from the parent organizational unit.
• When settings between the higher-level organizational unit and a lower-level
organizational unit don't conflict (are compatible), but are not the same, both are used to form the lower-level organizational unit's policy.
• When settings between the higher-level organizational unit and a lower-level
organizational unit do conflict (are incompatible), but are not the same, the lower-level organizational unit's policy is used.
Note Well, almost always...An attribute called No Override, if selected at the higher-level
organizational unit, will cause the lower-level organizational unit to always execute the higher-level OU's policy.
Just More Confusion?
In the previous section, you saw that policies are set for sites, domains, and organizational units. Now, I'm going to confuse things a bit and say that policies are divided into two parts, Computer Configuration and User Configuration. Computer Configuration specifies policies that are applied to a computer without regard to who the user is. User Configuration specifies policies that are applied to a user without regard to which computer the user logs on to.
Both the Computer Configuration and the User Configuration are made up of three sections:
Software Settings Everything in Software Settings deals with software installation policy-for example, what can be installed, what must be uninstalled, and when.
Windows Settings Settings for Windows XP Professional are controlled in this section. There are more items in the Windows Settings section for the User Configuration than for the
Computer Configuration.
Administrative Templates The extensible section, almost a catchall for everything that doesn't fall into the other two sections, is the Administrative Templates section. Items are added to Administrative Templates using .adm files.
Note Though we are talking about Office throughout this chapter, many other Microsoft components use .adm files, including Microsoft Internet Explorer.
Software Settings
The Software Settings section contains policies that deal with software installation and maintenance, such as what applications can be installed, what must be uninstalled and when, what maintenance must be done, and so on.
For example, if you configure Microsoft Word XP under Software Settings, and a user logs on to a computer that doesn't have Microsoft Word XP installed already, the user will still see a Start menu selection (shortcut) for Microsoft Word XP. If the user selects this shortcut, Microsoft Word XP will install itself (from a network share) for the user to use.
Windows Settings
In both Computer Configuration and User Configuration, you'll find a Windows Settings section. For Computer Configuration, the settings are applied to each user who logs on to the computer. For User Configuration, the settings are applied to users who log on regardless of the computer they log on to.
Administrative Templates
The Administrative Templates section contains all registry-based information. Two hives are used:
• HKEY_CURRENT_USER, the location where user configuration settings are saved
• HKEY_LOCAL_MACHINE, the location where computer configuration information is saved
Both user application policy items and policy for Windows XP Professional are managed in Administrative Templates. Adding policy items to Administrative Templates is simple. Most applications (that support policy) come with .adm files that contain information about which registry settings can be configured. For example, Microsoft Office XP has an .adm file named word10.adm (to Microsoft, Word XP is also known as both Microsoft Word version 10 and Microsoft Word 2002).
You can download the Microsoft Office policy tools from Microsoft's Internet website. They are part of the Microsoft Office Resource Kit located at
http://www.microsoft.com/office/techinfo/reskit/default.htm.
A small fraction of the Microsoft Word XP.adm file is:
CLASS USER
PART "Check to enforce setting on; uncheck to enforce setting off"
CHECKBOX
VALUENAME StartupDialog VALUEON NUMERIC 1
VALUEOFF NUMERIC 0 END PART
END POLICY POLICY "Highlight"
PART "Check to enforce setting on; uncheck to enforce setting off"
CHECKBOX
VALUENAME fShowHighlight_533_1 VALUEON NUMERIC 1
VALUEOFF NUMERIC 0 END PART
END POLICY POLICY "Bookmarks"
PART "Check to enforce setting on; uncheck to enforce setting off"
CHECKBOX
VALUENAME grpfvisi_146_1 VALUEON NUMERIC 1
VALUEOFF NUMERIC 0 END PART
END POLICY
POLICY "Status bar"
PART "Check to enforce setting on; uncheck to enforce setting off"
CHECKBOX
VALUENAME fStatusBar_83_1 VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
VALUENAME fStatLine_3_1 VALUE NUMERIC 1 END ACTIONLISTON
ACTIONLISTOFF
VALUENAME fStatLine_3_1 VALUE NUMERIC 0 END ACTIONLISTOFF
END PART ACTIONLISTOFF
VALUENAME fStatLine_3_1 VALUE DELETE END ACTIONLISTOFF
END POLICY
POLICY "ScreenTips"
PART "Check to enforce setting on; uncheck to enforce setting off"
CHECKBOX
VALUENAME grpfvisi_159_1 VALUEON NUMERIC 1
VALUEOFF NUMERIC 0 END PART
END POLICY
<Many deleted lines...>
POLICY "Tools | Compare and Merge Documents, Legal blackline"
KEYNAME Software\Policies\Microsoft\Office\10.0\Word\Options\vpref PART "Check to enforce setting on; uncheck to enforce setting off"
CHECKBOX
VALUENAME fDefaultToCompare_1848_1 VALUEON 1
VALUEOFF 0 END PART PART " " TEXT END PART
PART "When this option is turned on, a comparison between two documents"
TEXT
END PART
PART "automatically generates a new Legal Blackline document, leaving"
TEXT
END PART
PART "the originals unchanged." TEXT END PART
END POLICY END CATEGORY END CATEGORY
In this example, we see that the registry section being changed is HKEY_CURRENT_USER.
The key being set (or changed) is
Software\Policies\Microsoft\Office\10.0\Word\Options\vpref (vpref stands for "view preferences"). The key to be changed is shown in a KEYNAME line in the .adm file.
Checking Microsoft Word XP's menu structure, we see a top-level menu item called Tools, and under Tools is a menu selection called Options. Clicking Options will display Microsoft Word XP's Options dialog box (see Figure 5.1), which has a tab named View. On the View tab is a section called Show. Each of these items correlates to a CATEGORY line in the .adm file, shown partially in the above listing.
Figure 5.1: User options in Microsoft Word XP are set in the Options dialog box.
Finally, in the .adm file, we have the POLICY lines. The first POLICY line shown is Startup Task Pane.
Figure 5.2 shows the MMC Group Policy window with the Administrative Templates settings opened under User Configuration. The Start Menu & Taskbar settings are being displayed.
You can select from a wide variety of options, one of which is to add a logoff command to the Start menu.
Figure 5.2: Microsoft Windows XP Professional group policy for user configuration.
Back to the above listing, under POLICY, there's a PART line with the text "Check to enforce setting on; uncheck to enforce setting off", followed by the keyword CHECKBOX.
CHECKBOX specifies that this policy is toggled on and off (that is, checked and unchecked).
If on, the value of the key will be 1 (specified with the line VALUEON NUMERIC 1) or 0 (specified by the next line, VALUEOFF NUMERIC 0).
The next two lines end blocks that start at PART (ends at the END PART line) and POLICY (ends at the END POLICY line). Each policy has one or more parts; most policies have only a single part, however.
Armed with this information, you can go out and create policy files for other applications.
Granted, if you are not the application's creator, it will be difficult-but not impossible-to set things like defaults using policies.
The changes made under Administrative Templates are saved in two Registry.pol files. These files are stored in subdirectories under %SystemRoot%, one called Machine (which contains the Registry.pol file that is used to update HKEY_LOCAL_MACHINE) and the other called User (which contains the Registry.pol file that is used to update HKEY_CURRENT_USER).
Finding Registry.pol Files
I can't say where the Registry.pol files are, except to tell you to use the Windows Find feature, or a command session's dir command. Why? Well, each installation is unique in the locations where these files are stored; for example, on my computer, I have the following Registry.pol files:
G:\WINNT\System32\GroupPolicy\Machine\Registry.pol G:\WINNT\System32\GroupPolicy\User\Registry.pol
G:\WINNT\SysVol\Domain\Policies\{31B2F340-016D-11D2-945F- 00C04FB984F9}\MACHINE\Registry.pol
G:\WINNT\SysVol\Domain\Policies\{6AC1786C-016F-11D2-945F- 00C04fB984F9}\USER\Registry.pol
G:\WINNT\SysVol\Domain\Policies\{EE520C60-1F3E-11D3-A6E8- 00A024D2DD82}\User\Registry.pol
G:\WINNT\SysVol\SysVol\darkstar.mv.com\Policies\{31B2F340- 016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol
G:\WINNT\SysVol\SysVol\darkstar.mv.com\Policies\{6AC1786C- 016F-11D2-945F-00C04fB984F9}\USER\Registry.pol
G:\WINNT\SysVol\SysVol\darkstar.mv.com\Policies\{EE520C60- 1F3E-11D3-A6E8-00A024D2DD82}\User\Registry.pol
Notice the use of GUIDs (globally unique identifiers) for some of the directory names-those may be different for each installation.
The Microsoft System Policies for Windows XP
Windows XP Professional supplies several tools for setting policies. The System Policy Editor, which is used to set policy in Windows NT 4, is still included, and may be used, but it is definitely not recommended. Now you use the Active Directory Users and Computers to manage policy. Changes made to policy are made to the registry, either immediately or when a given user or member of an organizational unit logs on, or when the computer starts. Policy is a registry issue, and a complex one at that.
Warning Wait a minute-I know I changed that registry entry! With policies, it is possible to
"hack," or change, the registry and have the change go nowhere fast. That's right: the policy will be reapplied automatically, wiping out whatever changes you have made to the registry, all without even telling you it is happening! If you ever find your changes mysteriously disappearing, round up the usual suspects, and make sure that policy is high on the suspect list!
You can edit policy in a number of different ways:
System Policy Editor This utility, which is becoming obsolete, is retained for compatibility with Windows NT 4. Neither Microsoft nor I recommend that you use the System Policy Editor.
Microsoft Management Console (MMC) This program is used to manage many facets of Windows XP. The MMC is able to load whatever functionality you need through the use of a custom extension called a snap-in. With Windows XP Professional, Microsoft provides about 40 different snap-ins to use with the MMC. Windows XP Home Edition provides about 20 different snap-ins to use with the MMC.
Active Directory Users and Computers This administrative tool (select Start → Programs
→ Administrative Tools) allows management of computers, users, groups, domain
controllers, and policy. Actually, this is the MMC, using a snap-in to do Active Directory.
When you choose to edit policies, the MMC is used with the policy snap-in.
Active Directory Site and Services This administrative tool (select Start → Programs → Administrative Tools) allows management of sites (an Active Directory organizational level) and services.
Note Each of these Windows XP administrative tools actually uses the MMC as a common interface. And each in turn uses the MMC to edit policy. It's not uncommon to have many copies of the MMC open at the same time.
Each of these tools requires that you select certain objects to enable editing of group policies.
The next section describes how to use each policy-editing tool.
System Policy Editor
The System Policy Editor is obsolete, retained only for compatibility with NT 4. Neither Microsoft nor I recommend that you use the System Policy Editor if you can possibly avoid using it. To start the System Policy Editor, from the Start menu's Run command, enter poledit and click OK. See "The Microsoft System Policy Editor for Windows NT 4" later in this chapter for information on how to use the Microsoft System Policy Editor.
Microsoft Management Console (MMC)
The MMC is a "universal" management tool that Microsoft has created to manage Windows XP (Home Edition and Professional). Using the MMC is easy, and since the MMC presents a standardized appearance and operating methods, it will become the preferred tool to use for management.
To start the MMC, from the Start menu's Run command, enter MMC and click OK. Once started, the MMC is able to load whatever functionality is needed.
Group Policy not yet installed in the MMC? That's easy to fix; just follow these simple steps:
1. Start the MMC. In addition to using the Run command as described above, you can also type MMC at a command prompt.
2. In the File menu, select Add/Remove Snap-In (see Figure 5.3).
Figure 5.3: Add MMC snap-in components from the MMC File menu selection.
3. In the Add/Remove Snap-In dialog box, select the Standalone tab (shown in Figure 5.4). Make sure that Console Root is displayed in the Snap-Ins Added To list box, and then click Add. The Add Standalone Snap-In dialog box opens.
Figure 5.4: Use the Add/Remove Snap-In dialog box to add functionality to the MMC.
4. In the Add Standalone Snap-In dialog box, select Group Policy, as shown in Figure 5.5. Scroll through the list as necessary. Click the Add button to start the Group Policy Wizard.
Figure 5.5: Scroll until you get to Group Policy.
5. In the Select Group Policy Object window (see Figure 5.6), select Local Computer for the Group Policy Object. Then click Finish.
Figure 5.6: The Group Ploicy Wizard lets you configure the Group Policy Object.
Note There is no Group Policy snap-in for XP Home Edition. Once you create a policy using the Group Policy snap-in, you have to link it to the proper level-sites, domains, or organizational units. Otherwise the policy just sits there and does nothing.
6. Click Close in the Add Standalone Snap-In dialog box, and click OK in the Add/Remove Snap-In dialog box.
Using the MMC to manage group policy is easy! First, it is trivial to create an MMC console file that is configured to display a given GPO policy object. Just follow these steps:
1. Open the administrative tool Active Directory Users and Computers.
2. Right-click the organizational unit that uses the policy to be edited to display its context menu. If you're creating a new policy, select the organizational unit that will use the policy once it is created. If creating policy for a domain, select the domain.
Figure 5.7 shows how I've expanded Local Computer Policy, then User Configuration, Windows Settings, and Internet Explorer Maintenance. I then selected Browser User Interface. This shows how simple it is to set options for Microsoft Internet Explorer.
You can easily set the title, the static logo, and browser toolbar customizations.
Figure 5.7: In the MMC, policies are navigated using a tree structure very similar to Explorer.
3. Select Properties from the context menu, or select Properties from the Action menu. In Figure 5.8, I selected the Browser Title and then displayed the properties.
Figure 5.8: Use an item's Properties dialog box to set various policy settings. Here I'm setting the Browser Title.
4. In the Properties dialog box for the object (display this by double-clicking on the object-Browser Title in this example), make changes as desired. Notice that each object's Properties dialog box is different, and that most have substantial prompting to allow you to easily change the object.
5. Now for the hard part. To create an MMC configuration file (these files have an extension of .msc), select File → Save As. Enter a new filename when prompted (I used the name Group Policies.msc). Click Save to save this file. You can save the .msc file in Administrative Tools, on the Desktop, or on any drive you'd like.
Well, now you have created your policy MMC configuration file; next is what to do with it.
(Actually, you have probably saved a bunch of MMC configuration files-one for each group
policy object.) My recommendation is to create a folder to hold these files, maybe called Policy. Then create a second folder under Administrative Tools, again called Policy. Then place shortcuts to each of the MMC configuration files in this folder. This will give you one-click access to each group policy object.
Figure 5.9 shows an example of just this type of policy control. My Start menu is opened to my Administrative Tools folder. Notice that I have a shortcut for Group Policies. Easy, fast, and efficient-sure beats threading through Active Directory Users and Computers, properties, and everything else.
Figure 5.9: My Start menu's Administrative Tools folder contains a shortcut called Group Policies, where I can start the MMC to manage my policies.
Figure 5.9: My Start menu's Administrative Tools folder contains a shortcut called Group Policies, where I can start the MMC to manage my policies.