Creating Custom Templates for Microsoft's System Policy Editor
One of the strengths of Microsoft's System Policy Editor (SPE) is that you can create your own custom templates for use on your network. This alone makes the fact that Samba cannot implement Group Policy Objects (as in Active Directory) a non-issue. Using custom templates, it is very easy to turn nearly any registry setting into a policy (the one exception being binary registry values).
NOTE: Policy templates are simple text documents that can be edited with any text editor, such as Notepad, SciTE, vi or Emacs. When editing or creating these files, do not use a word processor such as WordPad or Word; these applications add extraneous data to the file, rendering it unusable with the System Policy Editor.
Since SPE templates are simple text files, you can look at the template files provided by Microsoft. A word of warning, however: Microsoft's templates make use of unnecessary variables, which makes them very hard to read. Because of this, this article will cover different ways to implement different policies.
In my experience with System Policies, once you have examples of how things are done, it is relatively easy to modify them to accomplish what you need. Please note that this article merely scratches the surface of creating custom policies. Although these examples show you how to manipulate 95% of the settings you are likely to use, additional reference materials may be required for anything extremely exotic.
To get things started, template files are separated into two classes, MACHINE and USER. These classes simply separate your template into Machine Policies and User Policies. Machine Policies adjust registry settings in the HKEY_LOCAL_MACHINE registry hive, and User Policies adjust registry settings in the HKEY_CURRENT_USER registry hive (the actual user's profile). The majority of the time, you will be creating User Policies to control your users.
CLASS MACHINE
CATEGORY "Category Name"
    POLICY "Policy Name"
        KEYNAME "registry key"
        VALUENAME "registry value"
    END POLICY
END CATEGORY

CLASS USER
CATEGORY "Category Name"
    POLICY "Policy Name"
        KEYNAME "registry key"
        VALUENAME "registry value"
    END POLICY
END CATEGORY
These two classes (MACHINE and USER) are further separated into CATEGORY sections. These sections end up being the little books you see when running the System Policy Editor. Category sections are simply a way to organize all of your policies into different groups for the user's sake; they have no bearing whatsoever on the NTConfig.pol file.
The POLICY section is the nuts and bolts of the template. This is where you actually adjust the registry. Every policy requires a KEYNAME and a VALUENAME, although a single KEYNAME can be declared once (at the CATEGORY level) and shared by multiple POLICY sections. Policies can adjust all types of registry values except BINARY values. If you do not specify a value, the default is DWORD 1 for a checked policy and DWORD 0 for a cleared policy.
If this seems confusing, don't fret: the best way to learn how to create templates is simply to work with them. The next sections explain the different methods used when creating custom templates. Going over these examples, you should quickly pick up what the System Policy Editor needs to get what you want done. This is by no means a complete guide, but it should be sufficient for most of your template creation.
The ACTIONLIST directive allows you to adjust multiple registry settings while presenting only one option to the System Policy Editor user. I gave this example first to give you a good look at how a simple policy is created.
CLASS USER
CATEGORY "Internet Explorer Settings"
    POLICY "Disable Internet Explorer Search Asst"
        KEYNAME "Software\Microsoft\Internet Explorer\Main"
        VALUENAME "Use Search Asst"
        VALUEON "no" VALUEOFF DELETE
        ACTIONLISTON
            VALUENAME "Use Custom Search URL" VALUE 1
        END ACTIONLISTON
        ACTIONLISTOFF
            VALUENAME "Use Custom Search URL" VALUE 0
        END ACTIONLISTOFF
    END POLICY
END CATEGORY
The PART directive enables the lower part of the computer/user property sheet. This lower section provides additional functionality for your custom policies: not only does it let you further document the policy, it is also used to fine-tune each policy, as you will see with the other directives.
CLASS MACHINE
CATEGORY "Custom Security Center Functions (XP-SP2)"
    POLICY "Disable Windows Firewall - Domain Settings"
        KEYNAME "SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"
        VALUENAME "EnableFirewall"
        VALUEON 0 VALUEOFF 1
        PART "When checked the Windows Firewall will be disabled" TEXT
        END PART
        PART "When cleared the Firewall will be enabled" TEXT
        END PART
    END POLICY
END CATEGORY
The CHECKBOX directive allows you to provide a list of options in the PART section. Each option is a simple check box that is either on or off. A word of caution when implementing these: try not to use the CHECKBOX directive as a replacement for a simple CATEGORY section. These values can only be checked or unchecked, unlike normal policies, which can also be grayed out (which can keep your NTConfig.pol file smaller).
CLASS USER
CATEGORY "User Restrictions"
    POLICY "Desktop Restrictions"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        PART "Disable Computer Shutdown" CHECKBOX
            VALUENAME NoClose
        END PART
        PART "Disable Manage Computer Option from Desktop" CHECKBOX
            VALUENAME NoManageMyComputerVerb
        END PART
        PART "Disable Control Panel" CHECKBOX
            VALUENAME NoControlPanel
        END PART
    END POLICY
END CATEGORY
The EDITTEXT directive allows you to offer a text box for the SPE user to type into. EDITTEXT also allows you to set a default value and a limit on how much text can be entered. The EXPANDABLETEXT directive allows X, and the REQUIRED directive will not allow the user to leave the entry blank.
CLASS MACHINE
CATEGORY "System Settings"
    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    POLICY "Change Registration Information"
        PART "Registered User Information" EDITTEXT REQUIRED EXPANDABLETEXT
            MAXLEN 25
            DEFAULT "User Info"
            VALUENAME "RegisteredOwner"
        END PART
        PART "Registered Organization Information" EDITTEXT REQUIRED EXPANDABLETEXT
            MAXLEN 25
            DEFAULT "Company Info"
            VALUENAME "RegisteredOrganization"
        END PART
    END POLICY
END CATEGORY
DROPDOWNLIST and COMBOBOX
The DROPDOWNLIST directive offers a list of options for the user to choose from. The options to DROPDOWNLIST include NOSORT and ITEMLIST. The NOSORT directive tells the SPE not to sort the options alphabetically, while the ITEMLIST directive actually creates the list of items presented to the user.
The COMBOBOX directive is basically a DROPDOWNLIST with the additional option of allowing the user to manually enter a value, similar to the EDITTEXT directive.
CLASS USER
CATEGORY "Desktop Settings"
    POLICY "Visual Effects Setting (XP)"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects"
        PART "Windows XP's Visual Settings" DROPDOWNLIST
            VALUENAME VisualFXSetting
            NOSORT REQUIRED
            ITEMLIST
                NAME "Let Windows Choose" VALUE NUMERIC 0
                NAME "Best Appearance" VALUE NUMERIC 1
                NAME "Best Performance" VALUE NUMERIC 2
            END ITEMLIST
        END PART
    END POLICY
END CATEGORY
The NUMERIC directive allows you to offer the user a range of numbers to select with a spin control; alternatively, the user can type a number in directly. Because the user can enter a number manually, there are other directives you can use to limit what can be entered: DEFAULT, REQUIRED, MIN, MAX and SPIN. The SPIN directive specifies the increment of the spin control; the default is 1, but it can be adjusted as needed.
CLASS MACHINE
CATEGORY "Custom Policy Settings"
    POLICY "Restrict Profile Size"
        KEYNAME "SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"
        PART "Maximum User Profile size (in KB)" NUMERIC REQUIRED
            SPIN 1024
            VALUENAME "MaxProfileSize"
            DEFAULT 5120
            MAX 20480
            MIN 1024
        END PART
    END POLICY
END CATEGORY
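As an added example that is not part of this article, the following Python script tokenizes a template written in the form shown above and audits it against the rules given earlier: it lists every (class, key, value) the template can write to the registry, and flags any POLICY that ends up with no KEYNAME (its own or one inherited from its CATEGORY, as in the EDITTEXT example) or no VALUENAME. The embedded template is constructed for this example, and the reader is deliberately simplified: it tracks only CLASS, CATEGORY, POLICY, KEYNAME and VALUENAME and ignores the other directives.

```python
import re

# Constructed sample template, written for this example (not one of Microsoft's).
SAMPLE_ADM = r'''CLASS USER
CATEGORY "User Restrictions"
  POLICY "Desktop Restrictions"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    PART "Disable Control Panel" CHECKBOX VALUENAME NoControlPanel END PART
  END POLICY
END CATEGORY
CLASS MACHINE
CATEGORY "System Settings"
  KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
  POLICY "Registration Info"
    PART "Registered Owner" EDITTEXT VALUENAME "RegisteredOwner" END PART
  END POLICY
  POLICY "Broken Policy" END POLICY
END CATEGORY'''

def tokenize(text):
    """Split ADM text into tokens: quoted strings stay whole, ';' lines are comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return [t.strip('"') for ln in lines if ln and not ln.startswith(';')
            for t in re.findall(r'"[^"]*"|\S+', ln)]

def audit(text):
    """Return (targets, problems): (class, key, valuename) triples the template can write, and POLICYs lacking a KEYNAME or VALUENAME."""
    toks, targets, problems, i = tokenize(text), [], [], 0
    cls = cat_key = policy = None
    while i < len(toks):
        t, nxt = toks[i].upper(), toks[i + 1] if i + 1 < len(toks) else ''
        if t == 'CLASS':
            cls, i = nxt.upper(), i + 1
        elif t == 'CATEGORY':          # a new CATEGORY starts with no inherited KEYNAME
            cat_key = None
        elif t == 'POLICY':
            policy, i = {'name': nxt, 'key': cat_key, 'values': 0}, i + 1
        elif t == 'KEYNAME':           # inside a POLICY (or PART) it overrides the CATEGORY's
            if policy: policy['key'] = nxt
            else: cat_key = nxt
            i += 1
        elif t == 'VALUENAME' and policy:
            policy['values'] += 1
            targets.append((cls, policy['key'], nxt)); i += 1
        elif t == 'END' and nxt.upper() == 'POLICY' and policy:
            if not policy['key']: problems.append(policy['name'] + ': no KEYNAME')
            if not policy['values']: problems.append(policy['name'] + ': no VALUENAME')
            policy, i = None, i + 1
        i += 1
    return targets, problems
```

Running audit(SAMPLE_ADM) reports the two registry values the sample can set and flags "Broken Policy" for having no VALUENAME, which is the kind of check worth doing on any template before it is loaded into the SPE and written out to NTConfig.pol.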
Getting Registry Keys
Now that you know enough to get started, it is time to figure out how to find registry settings that you can mandate through policies.
The obvious way is simply to search for them using Google (or an equivalent). Another way is to look through Microsoft's template files; again, these are extremely hard to read (so good luck).
The way I usually find registry settings is to use an uninstaller program to show the differences in the system between two points in time. This works extremely well for me; the application I use is Ashampoo's Uninstaller Suite (simply because I got it for free in a contest), and they have a demo version available on their website.
If you do create any custom policies and would like me to either include them in my "custom.adm" template, or simply add them to my template library for download, let me know.