Network administrators use Group Policy in Microsoft Windows domains to restrict functionality or enforce specific configurations for computer systems on the network. Group Policy can control security settings, software installation, folder redirection, Internet Explorer and even registry-based policy settings. This article looks at the registry-based Group Policy settings and how to use them.
Registry-based Group Policy relies on administrative templates, or .adm files. The .adm files do not directly alter the registry settings, but they allow the registry settings to be viewed from within the Group Policy Object Editor, where administrators can then create GPOs (Group Policy Objects) that contain the registry keys that need to be added or modified. Any program or operating system functionality whose behavior can be modified through registry values described in an .adm file can be configured by an administrator using registry-based Group Policy. As of Windows XP with SP2, there are over 1300 settings that administrators can manage in this way.
Registry-based Group Policy is an effective means of managing many servers and workstations across a domain. It is particularly useful for the following situations:
- Setting policies that can be stored as plain text: Some aspects of the computer settings or configuration, such as the standard or default desktop wallpaper, can be defined with registry-based Group Policy by specifying the file to use for the wallpaper and the path where it can be located.
- Enabling / disabling functionality: For computer settings which can be turned either on or off, registry-based Group Policy is very useful. This type of policy setting can be used to make certain items or options visible or make them unavailable. By making certain options unavailable and limiting the ability of the user to alter the computer settings on their own, the computer can be made more secure and more stable.
- Customizing the interface: Registry-based Group Policy can be used to pre-populate certain menus and drop-down lists. By creating and enforcing a standard build of the operating system across the domain, the user experience is more consistent and administration and support of the users is greatly simplified.
Microsoft recommends that you create many smaller GPOs rather than trying to create one all-encompassing Group Policy setting. Group Policy is easier to implement and administer if you deal with smaller policy settings, and managing Group Policy this way makes it much more flexible. There are a number of .adm administrative template files already available, but if you find that you need to create registry-based Group Policy settings for other applications, Microsoft also provides a language framework for creating your own custom .adm files.
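A custom .adm file covering the three situations listed above (a plain-text value, an on/off switch and a pre-populated drop-down list), as an added example that is not part of the original article or one of Microsoft's templates. The application, the registry key `Software\Policies\Contoso\ExampleApp` and all value names are hypothetical.

```adm
; Added example: custom template for a hypothetical application.
; "Contoso\ExampleApp" and every value name below are assumptions.
CLASS MACHINE

CATEGORY !!Cat_ExampleApp
    ; Software\Policies is the conventional subtree for policy values.
    KEYNAME "Software\Policies\Contoso\ExampleApp"

    ; Plain-text setting: the administrator types a server name.
    POLICY !!Pol_UpdateServer
        EXPLAIN "Server the application contacts for updates."
        PART "Server name:" EDITTEXT REQUIRED
            VALUENAME "UpdateServer"
            MAXLEN 255
        END PART
    END POLICY

    ; On/off setting: Enabled writes 1, Disabled writes 0.
    POLICY !!Pol_DisableExport
        EXPLAIN "Hides the Export command from users."
        VALUENAME "DisableExport"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    ; Pre-populated drop-down list with a default choice.
    POLICY !!Pol_LogLevel
        EXPLAIN "Amount of detail the application logs."
        PART "Log level:" DROPDOWNLIST REQUIRED
            VALUENAME "LogLevel"
            ITEMLIST
                NAME "Errors only" VALUE NUMERIC 1 DEFAULT
                NAME "Verbose"     VALUE NUMERIC 3
            END ITEMLIST
        END PART
    END POLICY
END CATEGORY

; Display names referenced above with the !! prefix.
[strings]
Cat_ExampleApp="Example App (hypothetical)"
Pol_UpdateServer="Update server"
Pol_DisableExport="Disable export"
Pol_LogLevel="Logging level"
```

As the article notes, the template itself changes nothing in the registry; the values are written only once a GPO that configures these policies is applied.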
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.
This was first published in November 2005