Write custom policy templates to modify the Registry
As a Windows NT systems administrator, part of your job is choosing the right
tool for each task. One of the more versatile tools in NT is the System
Policy Editor (SPE) because it enhances network administration. It lets an
administrator configure the NT Registry either directly over the network or by
creating policy files that are applied to a computer's Registry when a user logs
on. But the SPE can modify only Registry entries for which a policy template
exists.
Fortunately, you can create custom policy templates easily. For a recent
project, I spent a lot of time writing custom policy templates. During the
process, I learned that documentation on writing templates is scarce and that
you can write more straightforward templates than the ones NT provides.
You can load templates into the SPE to configure custom changes to most
parts of the Registry. When you use the SPE instead of the Registry editor, you
reduce the possibility of accidentally damaging the Registry. You can easily
make a mistake with the Registry editor, particularly if you need to set
multiple values. But the SPE follows the actions you define in the policy
template and always makes the same changes.
Custom policy templates play a large role in Microsoft's Zero
Administration Initiative. The Zero Administration Kit (ZAK, available at
http://www.microsoft.com/windows/zak) contains configurations for two
sample end users: a task-based user who uses one task-based application
(Taskstation) and a slightly more advanced user who has access to two or three
line-of-business applications (Appstation). Custom policies are in large part
what make the Taskstation and Appstation configurations work.
This article is not a tutorial on using the SPE. For this article, I assume
you are comfortable using both the Registry editor and the SPE. (For a good
description of using the SPE, see Robert Slifka, "How to Edit NT 4.0 System
Policies," February 1997, and Sean Daily, "Further Explorations of the
NT System Policy Editor," April 1997. For more information on editing the
Registry, see Christa Anderson, "Care and Feeding of the Registry,"
December 1996.) Once you understand the format and the limitations of policy
templates, you can begin to apply them to suit your needs. We'll look at several
scenarios to get you thinking about how you can use these powerful tools.
Policy Template Format
By default, NT stores policy templates in the %systemroot%\inf
directory. Each policy template file has three major sections: CLASS MACHINE,
CLASS USER, and [strings]. The CLASS MACHINE section defines which options will
appear for a computer policy, and it affects Registry entries in
HKEY_LOCAL_MACHINE. The CLASS USER section defines which options are available in the
SPE when you work with a user or group, and it affects Registry entries in
HKEY_CURRENT_USER. Finally, the [strings] section defines string variables
that you can use in the other two sections. Screen 1 shows the SPE in policy
mode. Each user and group icon represents a set of configuration instructions
based on the contents of the CLASS USER section of the loaded policy templates.
Each machine icon represents configuration information based on the CLASS
MACHINE section of the loaded policy templates.
The major classes contain categories. Categories appear in the SPE
Properties window as a book icon, as Screen 2 shows. You use categories to break
up the policies into a logical hierarchical view. For example, in the WINNT.ADM
policy template that comes with NT 4.0, the top-level categories for the CLASS
MACHINE section are Network, Printers, Remote Access, Shell, System, and User
Profiles. Categories can contain either other categories (in WINNT.ADM, for
example, the System category is further subdivided into Logon and File System
categories) or policies.
Table 1 defines the format for policy templates. You can refer
to these definitions when you write templates. Much of this information is
available from other sources such as Microsoft's Zero Administration Kit
and the Windows 95 Resource Kit (the NT policy templates are a superset of the
Win95 templates). But some functions documented here (e.g., NoSort and
ExpandableText) are not documented elsewhere.
When you edit a policy file or Registry with the SPE, each policy appears in
the top half of the SPE properties window with a check box. You might recall
from Robert Slifka's article, "How to Edit NT 4.0 System Policies,"
February 1997, that the SPE has two modes: Registry mode and Policy mode. You use
Registry mode to directly edit the Registry and Policy mode to create or modify
policy files. In Registry mode, the policy check boxes have two states: On and
Off. In Policy mode, these check boxes have three states: checked (or apply in an
on state), unchecked (or apply in an off state), and grayed out (or ignore this
policy).
Simple yes/no-type policies don't need to go any further. However, if the
Registry data is more complex than you can handle with a simple yes or no
answer, a policy can have several parts. With a multipart policy, you can use
the additional parts to control multiple values when the policy is in an on, or
apply, state. An excellent example of a large, complex policy is the color
scheme policy that comes in the COMMON.ADM standard template. Here, you can
choose from several options and, based on your choice, modify 25 Registry
entries.
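
As an added illustration (not code from this article or from Microsoft), the Python sketch below embeds a constructed template with the three sections described above, including a two-part policy, and lists which hive, key, and value each policy would write, so you can review a template before loading it into the SPE. It also flags !!string references that are missing from [strings] and unbalanced blocks; the function name audit, the sample display strings, and the rule that the most recent KEYNAME applies are assumptions of this example.

```python
import re
# Constructed sample template; "NoRun" is deliberately absent from [strings].
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!LogonCat
  POLICY !!Banner
    KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    PART !!Caption EDITTEXT
      VALUENAME "LegalNoticeCaption"
    END PART
    PART !!Body EDITTEXT
      VALUENAME "LegalNoticeText"
    END PART
  END POLICY
END CATEGORY
CLASS USER
CATEGORY !!ShellCat
  POLICY !!NoRun
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    VALUENAME "NoRun"
  END POLICY
END CATEGORY
[strings]
LogonCat="Logon"
Banner="Logon banner"
Caption="Banner caption"
Body="Banner text"
ShellCat="Shell"
'''

def audit(text):
    """Return (registry writes, undefined !!strings, unclosed blocks)."""
    body, _, strings = text.partition("[strings]")
    defined = {l.split("=")[0].strip() for l in strings.splitlines() if "=" in l}
    missing = set(re.findall(r"!!(\w+)", body)) - defined
    writes, stack, hive, key = [], [], None, None
    for line in body.splitlines():
        tok = [t.upper() for t in line.split()] or [";"]  # blank line: no-op
        if tok[0] == "CLASS":  # CLASS MACHINE -> HKLM, CLASS USER -> HKCU
            hive = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}[tok[1]]
        elif tok[0] in ("CATEGORY", "POLICY", "PART"):
            stack.append(tok[0])
        elif tok[0] == "END" and (not stack or stack.pop() != tok[1]):
            raise ValueError("mismatched block close: " + line.strip())
        elif tok[0] == "KEYNAME":
            key = line.split('"')[1]  # assumption: latest KEYNAME applies
        elif tok[0] == "VALUENAME":
            writes.append((hive, key, line.split('"')[1]))
    return writes, missing, stack
```

For the sample, audit(SAMPLE_ADM) reports two HKEY_LOCAL_MACHINE writes from the two-part banner policy, one HKEY_CURRENT_USER write, and the undefined string NoRun.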