Datacrash.net - Create your own ADM templates

Create your own ADM templates

Written by Hans Straat, Thursday, 30 March 2006

Introduction

This howto will show you how you can build a custom adm policy template. We used certain standards to implement it and you can offcourse implement your own standards.

After reading the book Microsoft Windows Group Policy Guide from the Microsoft Windows Server 2003 resoursekit I got a bit inspired to build a beginners manual for those who just start making there own adm templates.

One of the most powerfull goodies in windows server environments is a good set of group policies.

Sometimes however you mis items to configure. For instance how to set the general properties of internet explorer tab "Temporarily Internet Files > Settings.

Internet Options

If you click on the settings tab you have a few options to configure.

Internet Options Settings

Now this setting is not configerd in the standard adm templates of the 2003 environment and you have to build it for yourself.

You can device policies in to User class and Machine class. We for instance use the User class in this example but you can easily build your own machine policy.

A few items in the adm shortly explained.

Policy

Policy, Here you give a name to the policy

Example: Policy !!ExamplePolicy

Keyname

Keyname, is the string that you will use in the registry.
Example Keyname "Software\microsoft\windows\currentversion\internet settings"

Explain

The string Explain is used to fill the helptext.
Example Explain !!ReadThisFirst

Dropdownbox

Part and end part is used to create dropdownboxes or to place radiobuttons in.

Mind if you use PART you always have to use a END PART

Valuename

Valuename will be used which part of the registry you are going to use.
Example VALUENAME "CacheLimit"
You also have Valueon numeric 0 of valueoff numeric "1" If a valuename in the registry is enable with 0 and disabled with 1 you can use numeric 0 and numeric 1 to enable or disable a value.

Example
Valuename "something"
Valueon numeric "0"
valeoff numeric "1"

Strings

Strings, is always the last part of the policy, here are all the variables devined.

An example policy

Class User
Category !!WindowsComponents
Category !!Datacrash
Policy !!ExamplePolicy
Explain !!ExamplePolicy_Help
Keyname "Software\Microsoft\Datacrash"
Valuename "Bogus"
Valueon Numeric "0"
Valueoff Numeric "1"
End Policy
End Category ;Datacrash
END Category ;WindowsComponents
[Strings]
;nest the policy
WindowsComponents="Windows Components"
GOT="Gathering of Tweakers"

[strings]

;Here you actually nest the folders with the correct name
WindowsComponents="Windows Components"
Datacrash="Datacrash"
ExamplePolicy="Here is were you actually give the policy it's name"
ExamplePolicy_Help="Here you define the helptext"

The Policy

;Custom Policy made by Mutsje for Company BV
;This policy requires that you disable filtering in the group policy editor
;To disable the Group policy filer select Administrative Tools go to View, Filtering and deselect "Only show policy settings that can be fully managed"
;This Policy will set the registry setting for HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (Syncmode5).
;This Policy will also set HKCU\microsoft\windows\currentversion\internet settings\5.0\cache\content (CacheLimit).
;If this policy is removed the registry setting will remain active!

;####################### Begin Temporarely Internet Files setting ###########################
CLASS USER
CATEGORY !!Company
CATEGORY !!WindowsComponents
  CATEGORY !!Internet_Settings
   CATEGORY !!Temporarely_Internet_Files
POLICY !!TempInternetSettings
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Explain !!TempInternetFilesSetting_Help
PART "Do you want to change the settings?" TEXT
END PART
PART "InternetExplorer Temp Settings:" DROPDOWNLIST
VALUENAME "Syncmode5"
ITEMLIST
NAME "Every Visit to the page" VALUE NUMERIC 3
NAME "Every time you start internet explorer"  VALUE NUMERIC 2
NAME "Automaticly" VALUE NUMERIC 4
NAME "Never"  VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
END POLICY

END CATEGORY ;Temporarely_Internet_Files
END CATEGORY ;Internet_Settings
END CATEGORY ;WindowsComponents
END CATEGORY ;Company

;####################### End set temporarely Internet Files setting ###########################

;####################### Begin Maximum Cache Size     ###########################
CATEGORY !!Company
CATEGORY !!WindowsComponents
  CATEGORY !!Internet_Settings
   CATEGORY !!Temporarely_Internet_Files
POLICY !!SetMaxCacheLimit
KEYNAME "Software\microsoft\Windows\CurrentVersion\Internet settings\5.0\cache\content"
EXPLAIN !!SetMaxCacheLimit_Help
PART "Set Maximum Cache to be used (10 to 100MB)?:" TEXT
END PART
PART "SetMaximum Cachesize:" DROPDOWNLIST
VALUENAME "CacheLimit"
ITEMLIST
NAME "Size 001 MB" VALUE NUMERIC 1024
NAME "Size 010 MB" VALUE NUMERIC 10240
NAME "Size 020 MB" VALUE NUMERIC 20480
NAME "Size 030 MB" VALUE NUMERIC 30720
NAME "Size 040 MB" VALUE NUMERIC 40960
NAME "Size 050 MB" VALUE NUMERIC 51200
NAME "Size 060 MB" VALUE NUMERIC 61440
NAME "Size 070 MB" VALUE NUMERIC 71680
NAME "Size 080 MB" VALUE NUMERIC 81920
NAME "Size 090 MB" VALUE NUMERIC 92160
NAME "Size 100 MB" VALUE NUMERIC 102400
END ITEMLIST
END PART
END POLICY

END CATEGORY ;Temporarely_Internet_Files
END CATEGORY ;Internet_Settings
END CATEGORY ;WindowsComponents
END CATEGORY ;Company

;####################### End Maximum Cache Size ###########################

[strings]
Company="Company"
WindowsComponents="Windows Components"
Internet_Settings="Internet Explorer"
Temporarely_Internet_Files="Temporarely Internet Files"
TempInternetSettings="Temporarely Internet Files Settings"
TempInternetFilesSetting_Help="This policy enables you to set the "Temporarely Internet Files Settings". Settings to be used are: Every visit to the page, Every time you start internet explorer, Automaticly, Never."
SetMaxCacheLimit="Set maximum cache limit for Temporarely Internet Files"
SetMaxCacheLimit_Help="This policy enables you to set the maximum used diskspace for Temporarely Internet Files from 1 to 100 MB in steps of 10 MB."

End Policy

As you can see Mutsje wrote this policy which actually is my allias on many forums. This howto is als written for Gatering of Tweakers in dutch. But why not share it also to non native dutch speaking people.

Mind that most custom made policies are not manageble. So you need to adjust the filter in your policy console to actually see them.

Tools

I always use the Group Policy Management Console shortly GPMC from www.microsoft.com on my domain to manage policys. In the past I created my policies with notepad.exe were you have to type a lot and type errors are easely made. These days I use ADM Template Editor from Sysprosoft which is a powerfull tool that also let's you enter statements as If Else etc. There are freeware policy editors on the web but most cannot handle these syntaxes.

One of the authors of the book I read is Darran Mar-Elia who has a good website were you can learn to build policies more in depth that in this beginners manual. www.gpoguy.com is the site he build and maintaince. There is also a mailing list were you can get a member of and ask beginners to high technical questions.

GPResult is the tool used in windowsXP and Windows2003 to see what policies a user get's.

GPUpdate is the follow up for secedit and is now used in WindowsXP and Windows2003, in windows2000 you still need to use secedit btw.

RSOP (also in GPMC) is Resultant Set Of Policies which is a powerfull tool to troubleshoot what happens if you launch multiple policies on a user or machine and you can see conflicts easely.

Jeff Pitsch from www.sbcgatekeeper.com wrote a article on Loopback Group Policy. Interesting reading material and a must for Terminal Server / Citrix system engineers.

Comments

Add New

RSS