
Administering computers with registry-based Group Policy

The Windows registry is the operating system's reference mechanism, and particular entries can strengthen a PC's security or weaken it. According to contributor Tony Bradley, using administrative templates to manipulate GPOs can help you standardize security settings.

Network administrators use Group Policy in Microsoft Windows domains to restrict functionality or enforce specific configurations for computer systems on the network. Group Policy can control security settings, software installation, folder redirection, Internet Explorer and even registry-based policy settings. This article looks at the registry-based Group Policy settings and how to use them.

Registry-based Group Policy relies on administrative templates, or .adm files. The .adm files do not directly alter the registry settings, but they allow the registry settings to be viewed from within the Group Policy Object Editor, where administrators can then create GPOs (Group Policy Objects) that contain the registry keys that need to be added or modified. For any program or operating system functionality that can have its behavior modified based on registry values in the .adm file, an administrator can manage its configuration using registry-based Group Policy. As of Windows XP with SP2, there are over 1300 settings that administrators can manage in this way.

    Registry-based Group Policy is an effective means of managing many servers and workstations across a domain. It is particularly useful for the following situations:

    • Setting policies that can be stored as plain text: To define some aspects of the computer settings or configuration such as what the standard or default desktop wallpaper will be, administrators can use registry-based Group Policy to specify the file to use for the wallpaper and define the path where it can be located.
    • Enabling / disabling functionality: For computer settings which can be turned either on or off, registry-based Group Policy is very useful. This type of policy setting can be used to make certain items or options visible or make them unavailable. By making certain options unavailable and limiting the ability of the user to alter the computer settings on their own, the computer can be made more secure and more stable.
    • Customizing the interface: Registry-based Group Policy can be used to pre-populate certain menus and drop-down lists. By creating and enforcing a standard build of the operating system across the domain, the user experience is more consistent and administration and support of the users is greatly simplified.

    Microsoft recommends that you create many smaller GPOs rather than trying to create one, all-encompassing Group Policy setting. Group Policy is easier to implement and administer if you deal with smaller policy settings, and managing Group Policy this way makes it much more flexible. There are a number of .adm administrative template files already available, but if you find that you need to create registry-based Group Policy settings for other applications, Microsoft also provides a language framework for creating your own custom .adm files.
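An added example (not from the original article or from Microsoft's shipped templates) of a custom .adm file covering the on/off and plain-text cases listed above. The application name Contoso ExampleApp, its registry path, value names and display strings are all hypothetical.

```adm
; Constructed example: custom template for a hypothetical application.
; "Contoso\ExampleApp", its value names and all strings are assumptions.
CLASS MACHINE

CATEGORY !!ExampleAppCat
    ; Keys under Software\Policies are writable only by administrators and
    ; are cleared when the GPO no longer applies, so settings here do not
    ; "tattoo" the registry the way preference keys elsewhere do.
    KEYNAME "Software\Policies\Contoso\ExampleApp"

    ; On/off setting: writes a DWORD of 1 (Enabled) or 0 (Disabled).
    POLICY !!DisableMacros
        EXPLAIN !!DisableMacros_Help
        VALUENAME "DisableMacros"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    ; Plain-text setting plus a fixed list the administrator picks from.
    POLICY !!UpdateSource
        EXPLAIN !!UpdateSource_Help
        PART !!UpdateSource_Path EDITTEXT REQUIRED
            VALUENAME "UpdateSourcePath"
            MAXLEN 255
        END PART
        PART !!UpdateSource_Channel DROPDOWNLIST REQUIRED
            VALUENAME "UpdateChannel"
            ITEMLIST
                NAME !!Channel_Stable VALUE NUMERIC 0 DEFAULT
                NAME !!Channel_Preview VALUE NUMERIC 1
            END ITEMLIST
        END PART
    END POLICY
END CATEGORY

[strings]
ExampleAppCat="Contoso ExampleApp (hypothetical)"
DisableMacros="Disable macros"
DisableMacros_Help="When enabled, ExampleApp will not run macros."
UpdateSource="Update source"
UpdateSource_Help="Sets where ExampleApp looks for updates."
UpdateSource_Path="Path to the update share:"
UpdateSource_Channel="Update channel:"
Channel_Stable="Stable"
Channel_Preview="Preview"
```

A template like this is loaded in the Group Policy Object Editor through Add/Remove Templates on the Administrative Templates node. The template only describes the settings; nothing is written to the registry until a GPO that configures them is applied.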

    About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.
