Using System Policy Templates

Write custom policy templates to modify the Registry

As a Windows NT systems administrator, part of your job is choosing the righttool to use for the job. One of the more versatile tools in NT is the SystemPolicy Editor (SPE) because it enhances network administration. It lets anadministrator configure the NT Registry either directly over the network, or bycreating policy files that are applied to a computer's Registry when a user logson. But, the SPE can modify only Registry entries for which a policy templateexists.

Fortunately, you can create custom policy templates easily. For a recentproject, I spent a lot of time writing custom policy templates. During theprocess, I learned that documentation on writing templates is scarce and thatyou can write more straightforward templates than the ones NT provides.

You can load templates into the SPE to configure custom changes to mostparts of the Registry. When you use the SPE instead of the Registry editor, youreduce the possibility of accidentally damaging the Registry. You can easilymake a mistake with the Registry editor, particularly if you need to setmultiple values. But the SPE follows the actions you define in the policytemplate and always makes the same changes.

Custom policy templates play a large role in Microsoft's ZeroAdministration Initiative. The Zero Administration Kit (ZAK--available athttp://www.microsoft.com/windows/zak) contains configurations for twosample end users: a task-based user who uses one task-based application(Taskstation) and a slightly more advanced user who has access to two or threeline-of-business applications (Appstation). What makes the Task stationand Appstation configurations work is in large part custom policies.

This article is not a tutorial on using the SPE. For this article, I assumeyou are comfortable using both the Registry editor and the SPE. (For a gooddescription of using the SPE see Robert Slifka, "How to Edit NT 4.0 SystemPolicies," February 1997, and Sean Daily, "Further Explorations of theNT System Policy Editor," April 1997. For more information on editing theRegistry, see Christa Anderson, "Care and Feeding of the Registry,"December 1996.) Once you understand the format and the limitations of policytemplates, you can begin to apply them to suit your needs. We'll look at severalscenarios to get you thinking about how you can use these powerful tools.

Policy Template Format
By default, NT stores policy templates in the %systemroot%infdirectory. Each policy template file has three major sections: CLASS MACHINE,CLASS USER, and [strings]. The CLASS MACHINE section defines which options willappear for a computer policy, and it affects Registry entries inHKEY_LOCAL_MACHINE. The CLASS USER defines which options are available in theSPE when you work with a user or group, and it affects Registry entries inHKEY_CURRENT_USER. Finally, the [strings] section defines string variablesthat you can use in the other two sections. Screen 1 shows the SPE in policymode. Each user and group icon represents a set of configuration instructionsbased on the contents of the CLASS USER section of the loaded policy templates.Each machine icon represents configuration information based on the CLASSMACHINE section of the loaded policy templates.

The major classes contain categories. Categories appear in the SPEProperties window as a book icon, as Screen 2 shows. You use categories to breakup the policies into a logical hierarchical view. For example, in the WINNT.ADMpolicy template that comes with NT 4.0, the top-level categories for the CLASSMACHINE section are Network, Printers, Remote Access, Shell, System, and UserProfiles. Categories can contain either other categories (in WINNT.ADM forexample, the System category is further subdivided into Logon and File Systemcategories) or policies.

Table 1, defines the format for policy templates. You can referto these definitions when you write templates. Much of this information isavailable from other sources such as Microsoft's Zero Administration Kitand the Windows 95 Resource Kit (the NT policy templates are a superset of theWin95 templates). But some functions documented here (e.g., NoSort andExpandableText) are not documented elsewhere.

When you edit a policy file or Registry with the SPE, policies appear inthe top half of the SPE properties window with a check box. You might recallfrom Robert Slifka's article, "How to Edit NT 4.0 System Policies,"February 1997, the SPE has two modes: Registry mode and Policy mode. You useRegistry mode to directly edit the Registry and Policy mode to create or modifypolicy files. In Registry mode, the policy checkboxes have two states: On andOff. In Policy mode, these checkboxes have three states: checked (or apply in anon state), unchecked (or apply in an off state), and grayed out (or ignore thispolicy).

Simple yes/no-type policies don't need to go any further. However, if theRegistry data is more complex than you can handle with a simple yes or noanswer, a policy can have several parts. With a multipart policy, you can usethe additional parts to control multiple values when the policy is in an on, orapply, state. An excellent example of a large, complex policy is the colorscheme policy that comes in the COMMON.ADM standard template. Here, you canchoose from several options and, based on your choice, modify 25 Registryentries.

What's Up with the [strings] Section?
The [strings] section defines text variables that you can use in other partsof the policy template instead of directly using the string. I'm not sure whyyou would want to do this, though. If you look at the policy templates that shipwith NT and Win95, you see that Microsoft templates rarely use strings in-linein a template. These templates are full of lines such asCATEGORY!!VARIABLE_NAME. Variables tend to make templates less readable anddouble the file size. For every reference to a !!VARIABLE_NAME in the CLASSMACHINE or CLASS USER section, you must have an equivalent !!VARIABLE_NAME="VariableText" in the [strings] section.

I prefer to put the text in-line in the template. In-lining the text makesthe template shorter and easier to read. Unless I have a string that will appearmore than twice in the template, I do not use string replacement variables. Theclarity of the template more than makes up for any potential savings from usingthe variable instead of retyping the text.

Policy Limitations
Policy templates offer a convenient filter through which to view parts ofthe Registry. They have limitations, though. The Win95 Registry supports twodata types in NT: variable-length string and binary. The NT Registry supportsseveral other data types, but you can modify only the REG_SZ (string), theREG_EXPAND_SZ (expandable string), and the REG_DWORD (4-byte integer) entriesthrough system policies.

Because policies do not support all the Registry data types, you cannotmodify some Registry values. For example, you cannot write a policy to fix thereplication bug in NT 4.0. Directory replication in NT 4.0 doesn't work untilyou add a line to the Allowed paths value in HKEY_LOCAL_MACHINESYSTEM
CurrentControlSetControlSecurePipeServersWinreg. Because this value is theREG_MULTI_SZ (multi-line string) type, the SPE cannot modify it. If you wrote apolicy to modify this value, you might change the data type and causeunpredictable results. Luckily, most Registry entries are REG_SZ, REG_EXPAND_SZ,or REG_DWORD, which are the data types system policies support.

The rest of this article details several situations where no convenientuser interface control exists for some feature in the Registry. For eachsituation, I explain how to create a policy template that lets you control anentry with the SPE.

SCENARIO 1
A System Policy for Controlling the WINS Proxy Flag
WINS resolves computer names to IP addresses. However, some older networkclient software (e.g., LAN Manager 2.x) does not support WINS. For theseclients, you can configure an NT machine to act as a WINS proxy agent on thelocal network. Looking for a server's IP address, the non-WINS client willgenerate a broadcast on the local network. The WINS proxy agent will listen forthese broadcasts, forward them to a remote WINS server, and return the desiredserver's IP address to the non-WINS client. Having one WINS proxy agent on asegment with non-WINS clients can let these clients access resources that theyordinarily wouldn't be able to. Having more than one WINS proxy agent on asegment or installing a WINS proxy agent on a segment that doesn't have non-WINSclients will not increase functionality but will create additional networktraffic. (For more information on WINS proxy agents, see David Lafferty, "SettingYour WINS Strategy," and Mark Minasi, "WINS Proxy Agents")

In NT 3.51, the network applet in Control Panel lets you control whether anNT machine acts as a WINS proxy agent. In NT 4.0, this utility doesn't exist.Microsoft removed it because you rarely need proxies. If you need WINS proxies,you can create a policy template to have the SPE control this function.

The Registry entry that controls whether a computer will act as a WINSproxy agent is in HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetBTParameters.If you set EnableProxy to 1, the computer will act asa WINS proxy agent; if you set it to 0, it won't.

Creating a policy is fairly straightforward. Screen 3 shows how simple apolicy entry in a template can be. The first line begins with the keywordPolicy. The name of the policy as it will appear in the SPE (in this example,Enable WINS Proxy Agent) comes next. The second and third lines specify theRegistry key and Registry value this policy will modify. The KeyName keywordspecifies all but the hive of the Registration key. The policy class defines thehive. If the policy is in the CLASS MACHINE section, the hive is set toHKEY_LOCAL_MACHINE. If the policy is in the CLASS USER section, the hiveis set to HKEY_CURRENT_USER. Because this value is in HKEY_LOCAL_MACHINE,this policy needs to be in the CLASS MACHINE section of the template. TheValueName keyword entry specifies the value.

For this scenario, set the Registry value to integer 1 or 0. You aren'tlimited to numeric values though. You can set the values to strings, such asValueOn "on" and ValueOff "off." You can even delete anentry from the Registry with the ValueOff or ValueOn Delete statements.

Remember, ValueOn 1 is not the same as ValueOn Numeric 1. In the firstcase, the policy stores the value in the Registry as type REG_SZ (string); inthe second, the policy stores the value as type REG_DWORD (integer).Accidentally storing a string value where the operating system expects aninteger can cause unpredictable results (up to and including making your machineunbootable).

You must include both a ValueOn and a ValueOff statement for each policyyou create. When you use the SPE in Registry mode, the SPE uses these statementsto determine the current state of the Registry. If you don't include them, theSPE can make an incorrect assumption and when you save your changes,unintentionally modify something you did not want to change.

For example, consider the WINNT.ADM file that ships with NT 4.0. Thefirst two policies in that file control whether NT will automatically create theadministrative (c$, d$, etc.) shares. As shipped with NT 4.0, these policiesdon't have a ValueOn statement. If you edit the Registry with the SPE and don'tspecify that you want the administrative shares created, NT will remove theadministrative shares by default. Service Pack 3 for NT 4.0 has an updatedWINNT.ADM file that does not have this error.

Because you should install a WINS proxy agent on only one or two machinesper subnet, you might want to display a message in the SPE explaining the rulesfor using WINS proxy agents. You can use a Text part in the policy todisplay a line of text in the bottom half of the policy editor dialog. Textparts only display information; they do not modify the Registry.

Because the SPE will not break text lines and doesn't have a horizontalscroll bar, take care to break the text lines at an appropriate place.Unfortunately, trial and error is the only way to determine the optimal linebreaks.

I just described what you can do with a simple yes or no policy. Toaccomplish more, you must create a multipart policy.

SCENARIO 2
Automatic Logon
Suppose you want to configure a machine as a publicly accessible informationkiosk. In this case, you don't want someone to be able to unplug and re-plug thepower cable and get a logon prompt. You might consider using an automatic logonfor an NT machine. This way, on power-up, the machine can automatically log onto the network and begin the kiosk application. You cannot configure automaticlogon through the standard user interface, so you need to create a policy toconfigure automatic logon.

For an automatic logon to function, you must set four values in theRegistry. In HKEY_LOCAL_MACHINESOFTWAREWindows NTCurrentVersionWinLogon,set AutoAdminLogon to 1. Then, set DefaultUserName, DefaultPassword, andDefaultDomain to valid values.

Given this information, you want to create a policy that, when selected,requires the user to enter a value for the three logon values. Additionally,because DefaultPassword is stored in clear-text, when this policy is unselected,you'll want to delete these values from the Registry entirely.

Screen 4 shows the policy for this scenario. Notice that the policy doesnot specify KeyName. The policy inherits its KeyName from the category, and theparts of this policy inherit their default KeyName from the parent policy. Thisbehavior is standard; if the KeyName is not defined for a category or policy, itis inherited from its parent category or class.

Note also that when you un-select this policy, the policy deletes all fourvalues from the Registry. The policy deletes the AutoLogon value in the ValueOffstatement and uses an ActionListOff statement to delete the other three values.Again, you must include the ValueOn and ValueOff statements in each policy sothe SPE can determine the current state of the Registry when operating inRegistry mode. You can configure the Domain part of this policy as a combo box(as I've done) instead of simple text. This approach lets you offer suggestionsbut still lets users enter whatever they want. The Maxlen parameter in theDomain part also prevents a user from entering a domain name longer than 15characters. I've also made Username, Password, and Domain required so that ifusers select the automatic logon policy, they must enter a username, password,and domain in the SPE. After all, if you were able to turn on automatic logonand then leave the username, password, or domain field blank in the policy, theautomatic logon wouldn't know what these values were and would fail.

SCENARIO 3
Domain Controller Functions
When a Backup Domain Controller (BDC) pulls changed security accountsdatabase information from the Primary Domain Controller (PDC), the BDC checksthe Replication Governor parameter to determine how much network bandwidth touse. By default, this traffic can take up to 100 percent of the networkbandwidth and affect an end user's ability to access resources. On the otherside, the PDC maintains a list of account changes that have not been replicatedto the BDCs. By default, this log (%systemroot%etlogon.chg) size is64KB.

If you reduce the value in the Replication Governor parameter, you can endup with more account changes waiting to be replicated than space available tohold them in the netlogon.chg file. In this case, NT marks the PDC for fulldatabase synchronization and sends the full accounts database to the BDC (in alarge organization, perhaps 40MB), instead of sending only the changed accountdata. If you throttle back the Replication Governor on the BDCs, increase thesize of the change log on the PDC. Because this increase carries no performancepenalty, always increase the size of the change log.

Because these values affect only domain controllers, the user interfacedoesn't include controls to manage them. But, you can create policies that willlet you set these parameters.

First, you need to adjust the Replication Governor parameter.Thisvalue is stored in HKEY_LOCAL_MACHINE
SYSTEMCurrentControlSetServicesNetLogonParametersas the Replication Governor value. Because this value is anumeric percentage, valid values range from 0 to 100. In the example policy inScreen 5, the Replication Governor parameter has a minimum value of 0, a maximumvalue of 100, and a default value of 100.

When you define a part as numeric, the SPE puts spin buttons (the smallstacked buttons that let you adjust a numeric value) to the right of the inputfield. The default increment for the spin button is 1. You can use the spin xkeyword if you want to increment or decrement the spin control by more than 1.If you want to remove the spin control entirely, use spin 0.

How about the change log size? A couple of factors make using a simplenumeric input type impractical. First, the change log can be as small as 64KB oras large as 4MB. Also, the change log size must be a multiple of 64KB. To top itoff, NT must store the size as the total number of bytes. To prevent the userfrom entering an invalid value, use a drop-down menu, as the policy template inScreen 5 specifies and the window in Screen 6 shows.

Typically, when you use the SPE, items in a drop-down menu appearcanonically. In the case of the policy you see in Screen 5, this type oforganization would cause the SPE to display the entries out of order. I used theNoSort keyword to force the SPE to display the list in the same order as is inthe template file. In Registry mode, the SPE will compare the current value inthe Registry with the values in the list and display the appropriate name in thelist box by default.

SCENARIO 4
Controlling the User Environment
When you type a universal resource locator (URL) into Internet Explorer(IE), the software remembers the typed URL and stores it in a drop-down menu inthe address control. If you are an IS manager in a large company, you cancustomize the links IE displays in the address drop-down menu to include severalcompany-specific sites.

You can go to each machine in your organization and manually enter theURLs, but that approach is time consuming. Instead, you can create a policy thatwill let you add links to this list. The list of URLs in the address drop-downmenu is in HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerTypedURLs.NT stores each URL with the value name urlx, and the data isthe URL, as Screen 7 shows.

For all the formats we've looked at so far, the Registry key and value thatthe template modifies are fixed when you write the policy. With the ListBoxpart, you specify only the Registry key, not the value. The data you enter inthe policy determines the value.

Because the value names are all of the format url1, url2, etc., I usedValuePrefix "url," as the policy template in Screen 8 shows. Thiscommand makes the policy add the data from the policy into the Registry in theexpected format.

Because you don't want to delete the user's favorite sites, the Additivekeyword is important. This variable tells the policy to add the information toany existing values in the Registry. Without the Additive keyword, the policywill delete existing values and insert the entries from the policy template.Without the Additive keyword, users lose typed URLs each time they log on.

SCENARIO 5
File Associations
You don't need to specify a prefix using the ListBox part. UsingExplicitValue, you can enter the value and the data. For example, consider apolicy that modifies HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsNTCurrentVersionExtensions.Here, NT stores user preferences for fileassociations, as Screen 9 shows.This policy lets a user specify the applicationassociated with a file extension. A standard way for enforcing standards forusers' file associations on an NT network does not exist. But, you can create apolicy.

If you want to register companywide preferences, you must specify theextension as the value, and program as the data. Instead of ValuePrefix, useExplicit Value, which will let you enter both the value and data.ExplicitValue and ValuePrefix are mutually exclusive; you cannot use themtogether. You can leave both out of the template, in which case the policy willuse the data for the value name.

In the example policy in Screen 10, I used the Additive keyword so thatwhen I apply the policy, I don't use the user preferences that the policydoesn't affect. However, if duplicate value names exist in the Registry and thepolicy, the policy replaces the value that is already in the Registry. Forexample, if a user has set the .doc extension to be associated with WordPerfect5.1 and the policy is configured to associate .doc files with Word 97, thepolicy will overwrite the user preferences, ensuring a consistent organizationalstandard.

Wrapping It Up
The SPE is a powerful systems administration tool. But, it is only aspowerful as the policy templates you use with it. I have shown you how to createa policy template that lets you control almost any aspect of the computers inyour organization. Creating custom templates costs extra up front, but the speedand safety of using policies and the SPE to modify Registry parameters recoversthose costs rapidly.