Admin Templates: Make a preference a policy


gmail2

Programmer
Jun 15, 2005
987
IE
I've just recently started writing my own admin templates and learnt the difference between policies and preferences and just wanted to check one or two things. If a registry key is changed as a preference and a user has rights to modify that key, then they can effectively "overwrite" that preference until the policy refreshes again - correct? What about policies: if a user has rights to change a particular registry key which is a true policy (e.g. firewall on or off), can a user effectively overwrite that also until the next time the policy is refreshed (not by using the registry, but rather through the GUI)?

Second question, is there any way to turn a preference into a True policy? Or are policies limited to whatever keys already exist in HKLM\software\microsoft\policies?

Thanks in advance

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
 
If you script the reg mods and place them into a policy, the keys will revert to what the policy dictates when they log on (this would be inside a logon script). Otherwise, preferences can be changed and will not refresh. Have you tried disabling regedit from running in a policy, so that users cannot access it? You can also restrict access to other settings in the OS as well with GPOs.

Another option for preferences to be refreshed within a policy is to use Policy Maker Registry Extension. Markdmac likes this tool :)

Hope This Helps,

Good Luck!
 
"Otherwise, preferences can be changed and will not refresh"
Really ... surely when the policy refreshes then it writes that value to the registry again? How does it know not to write it?

I guess, essentially, my question is really how do I make a preference into a policy. Am I limited to the keys that are defined under HKLM\Software\Policies?

Yea, I've heard about Policy Maker, and apparently it's quite good. But how does it manage to do things that Group Policy doesn't? Do you have to install some client side extension for it to work or ... ?

 
"How does it know not to write it?"

If the script is contained within a logon script policy, then every time the user logs into the machine the policy will know to write that registry information. If it has changed or has been deleted for some reason, the logon script will update the key. And, no, it's not restricted to just HKLM\Software\Policies. You can create, update, write and delete anywhere you wish.

PolicyMaker is essentially an extension to GPMC. Once you install it, you will see two additional nodes under Machine and User within a GPO.


Hope This Helps,

Good Luck!
 
Sorry, I should have explained properly. I'm not referring to scripts - I'm referring to creating registry entries with admin templates. If I create an admin template that writes to an area of the registry outside of the Policies hive, it is considered a preference. You said that if a user changes the value (assuming they have permission to do this) then the value WON'T be changed back during the next policy refresh. What I'm wondering is how does group policy know not to write the value on the next refresh?

The second part of my question is referring to "true" policies - in order to have a true policy, do I have to write to the Policies hive in the registry?

Thanks for your help

 
In order for a policy to be a "true" policy, it must use the policy trees defined in the registry. With a "true" policy, the settings are removed when the user logs off the machine. With preferences, the settings are permanent until otherwise removed. True policies will always refresh during their scheduled interval, which can also be controlled with yet another policy.

I didn't realize you were talking about custom ADMs. Here's a resourceful link. I suggest reading through this, as there are quite a few concepts to learn in order to move forward with custom ADMs.


Hope This Helps,

Good Luck!
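
An added example (not from the thread or from Microsoft): a small Python audit that reads an ADM template and reports, for each POLICY, whether its KEYNAME falls in one of the policy trees (Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies, under HKLM or HKCU) or is a preference written elsewhere. The template text, the SAP key and the policy names are constructed; the parser assumes upper-case keywords and does not audit PART-level KEYNAMEs.

```python
import re

# The two trees Group Policy treats as true-policy locations (under HKLM or HKCU).
POLICY_TREE = re.compile(
    r'software\\(?:microsoft\\windows\\currentversion\\)?policies(?:\\|$)', re.I)
LINE = re.compile(r'^[ \t]*(END[ \t]+)?([A-Z]+)\b[ \t]*(?:"([^"]*)"|(\S+))?', re.M)

# Constructed sample template; category, policy, key and value names are made up.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "SAP (constructed sample)"
  KEYNAME "Software\Policies\SAP\Example"
  POLICY "Server name, policy tree"
    VALUENAME "Server"
  END POLICY
  POLICY "Server name, vendor key"
    KEYNAME "Software\SAP\Example"
    VALUENAME "Server"
  END POLICY
END CATEGORY
CLASS USER
CATEGORY "Desktop (constructed sample)"
  POLICY "Screen saver"
    KEYNAME "Control Panel\Desktop"
    VALUENAME "ScreenSaveActive"
  END POLICY
END CATEGORY
'''

def classify(keyname):
    """Return 'policy' if keyname is in or below a policy tree, else 'preference'."""
    return "policy" if POLICY_TREE.match(keyname or "") else "preference"

def audit_adm(text):
    """Return one (class, policy, keyname, kind) tuple per POLICY block."""
    results, cls, cat_keys, pol, in_part = [], None, [None], None, False
    for end, word, quoted, bare in LINE.findall(text):
        cls = bare if word == "CLASS" else cls
        if word == "CATEGORY":    # a nested category inherits its parent's KEYNAME
            cat_keys = cat_keys[:-1] if end else cat_keys + [cat_keys[-1]]
        elif word == "PART":      # KEYNAME overrides inside a PART are not audited
            in_part = not end
        elif word == "POLICY":
            if end and pol:
                results.append((cls, *pol, classify(pol[1])))
            pol = None if end else [quoted or bare, cat_keys[-1]]
        elif word == "KEYNAME" and not in_part:
            (pol or cat_keys)[-1] = quoted or bare  # policy level beats category
    return results
```

Pass the text of a custom template to `audit_adm()`; every row marked `preference` writes outside the policy trees.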
 
Thanks for the link ... that helped a bit, although I still have a few questions !!

1. In order for a policy to be a true policy, I need to put it into HKLM\Policies. So am I limited by what's already contained in here? I currently have an adm that writes to HKLM\Software\SAP - so if I changed this to write to HKLM\Policies\SAP, it will be a true policy. But SAP will be looking for the entry under HKLM\Software\SAP. So therefore, am I limited really to just the keys that already exist under HKLM\Policies (and the other policy hives) or does XP have some way of handling this?

2. I'm still a little confused about the fact that "preferences" are not applied during each policy refresh. So say I have 10 PCs in my domain, and I create a new "preference" - this preference gets applied to all the PCs. Then say somebody changes the registry entry manually - if they type gpupdate, then why would it not get re-written again? Does it only write the registry entry once, when the policy is created? What about if I add an 11th PC to my domain (which is also under the scope of my "preference") - does that mean that this PC doesn't get the preference? I wouldn't have thought so. I'm just a little confused as to why it's only applied once, and how group policy keeps track of which PCs it's applied it to already.

Thanks for your help

 
OK, I've been having a bit of a play around with this. I used the office.adm file to make some changes to my local policy for MS Office settings. I see now that when I make changes, they are written to HKLM\Policies\Office\11.0\common (because I'm using 2003) but when I go to HKLM\Software\Microsoft\Office\11.0\common the same key wasn't there too ... which I kind of expected it to.

I guess what I'm trying to get at is, if I made the change through the MS Office GUI, it would have been written to HKLM\Software\Microsoft\Office\11.0\Common - but because I did it through policy it was written to HKLM\Software\Policies\Microsoft\Office\11.0\common - but how does Office know to check here? That's why I thought maybe it would be written to both places. Does Office automatically check both places? In this case, are there only certain applications that are truly AD aware and can therefore have policies configured instead of preferences? Or does Windows handle this?

I found this document


which states that there are more than 700 policy settings which can be configured. So I guess if there's 700 then I have to work within a "pre-defined set" of registry keys? Am I making sense here? Hopefully I'm finally getting across the idea of what I meant by making a preference a policy?

One more question - I really like the idea that the registry key gets deleted when the policy is removed. You mentioned also that policies are removed when the user logs off (or presumably when the PC shuts down if it's a computer policy) - and I think I'm beginning to understand why. But does this apply JUST to admin templates? What about folder redirection (I know this is stored in the registry too, but I don't know where) and registry or file permissions? Do these default back when the user logs off or the PC is shut down?

Thanks so much for your help, really appreciated. I'm already getting a better understanding ... just feel I have one final mile to go (at least I hope that's all!!)

Thanks again :)

 
"I create a new 'preference' - this preference gets applied to all the PCs. Then say somebody changes the registry entry manually - if they type gpupdate, then why would it not get re-written again?"

This is a good question, as I use VBS to apply registry changes, not custom ADMs. So, essentially, I am using a true policy to enforce a preference (hmm). And, if I were to modify my script I know that the mod will be applied...hence the policy is refreshing the registry keys I am manipulating.

I think the real difference here is the fact that if/when I remove the policy, these preferences would stay "tattooed" in the registry unless I remove them manually. On the other hand, a true policy removes the registry mods to its "original" state.

"What about folder redirection (I know this is stored in the registry too, but I don't know where) and registry or file permissions? Do these default back when the user logs off or the PC is shut down?"

Folder redirection is stored in the HKCU hive. And, to my understanding...yes, these keys are unloaded when the user logs off. Now, roaming profiles on the other hand are stored in HKLM which would lead me to believe these policies are refreshed during boot-time.

Check this out. This explains the differences between the different hives and how GPOs use them. I think it may give insight to your Office policy question as well.


Hope This Helps,

Good Luck!
 
I did some research into this - turns out that "true" policies are limited to applications that will read the appropriate hives in the registry ... which makes sense I guess. Only thing that bugs me now is why did M$ design it like this? Maybe for performance reasons I guess.

As for the preferences, apparently (according to M$ newsgroup) they do get applied each time - not just once. As for the file permissions, I have a feeling that they would stay the same if the policy was removed ... after all, you can always delete a registry entry (assuming it won't mess up your system that is !!) but you can't delete an ACL - every file has to have one, and if it were to revert back to the default then it would have to have stored it somewhere in the first place I guess wouldn't it.

Anyway, thanks for helping me get to the bottom of this. I can sleep sound tonight now :)

 
gmail2-

I am having issues with this also. What keys can go under the policy key? I tried to create a Control Panel/Desktop/ScreenSaveActive value, but it did not set the screen saver as disabled.

Any advice?
 