A few questions about Group Policy development

    Question

  • This post was originally in the Windows Development forum. Please note the following:

    • This question is not about the application and management of GPOs. It's about how to develop a group policy.
    • I know about Group Policy Preferences, please do not provide this as an answer.

    I create a custom group policy for an application.

    Recently the application developers allowed settings to be controlled via policy registry keys. In order to make these settings easier to set for Systems Administrators, I have created a GPO. Unfortunately, there aren't that many resources I can find that help with Group Policy creation, so:

    • Is there an easier way to create and edit ADMX/ADML files than just an XML editor? Like a GUI front end?
    • The vast majority of this application's settings are just a simple Boolean. Is there any way to just use one base presentation element for multiple policies? Or do I really have to create a presentation element for every single policy? :/
    • As mentioned above, most settings are a simple Boolean, but with an additional enforce parameter. If you "enforce" the setting the user is blocked from changing the value. I was going to peg the setting Boolean to whether the policy was Enabled or Disabled and have an enforce check box in the policy itself (this would make it easier to just glance at the configured settings and get an idea). Unfortunately, when you disable a policy you cannot interact with its contents, so the enforce check box cannot be toggled. So I have two options:
      1. Have two policies for each setting eg: Disabled: Load printer settings with the document and Enabled: ENFORCE Load printer settings with the document
      2. OR what I have elected to do is just have the one policy with 2 check-boxes in it, one for the setting and one for the enforcement

    The former is both more complex to write for me and more time-consuming to configure for the Administrator; the latter is easier for me to write but still annoying to use. So my final question is: can I make it so that, even though a policy is disabled, you can still toggle settings within the policy?

    Friday, March 13, 2015 3:35 PM

Answers

  • This product: http://www.microsoft.com/en-us/download/details.aspx?id=15058 is free and comes with an ADMX editor/creator, although it's a bit wonky--you will likely have to hand edit the XML after creating it using this tool.

    To add on to what Martin said, I think what you're trying to accomplish doesn't fit well with Admin Templates. What I might suggest is that, since most customers out there can use GP Preferences, that you provide a simple GUI tool that translates your application's wishes into GP Preferences registry extension settings. This would be easy to build and gives you the flexibility of creating your own front-end UI (and attendant savings in repeated values) and then just output XML that could be imported (easily) in the GP preferences registry area by the end user. Much simpler, IMHO, than trying to contort ADMX/ADM syntax to do something it wasn't designed to do.

    Darren


    Darren Mar-Elia MS-MVP, Group Policy
    www.gpoguy.com
    www.sdmsoftware.com - "The Group Policy Experts"

    Sunday, March 15, 2015 3:46 PM

All replies

    • My editor of choice for ADM and ADMX: http://www.sysprosoft.com/adm_summary.shtml
    • You have to create a policy entry for each single registry value. Or you can combine them into one dialog, but still need to create a check box for each value.
    • That's how GPO works - and by default, GPOs ARE enforced (thus disabling the respective user interface). If you prefer to go your way, then I'd second the check box approach :)


    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:

    Friday, March 13, 2015 5:28 PM
  • Thanks very much for your helpful reply Martin!

    One of my main issues is the additional Enforce parameter on every setting. Almost every setting is two Booleans, toggling the setting (this will set the default in the application) and then toggling whether that setting is Enforced (unable for the user to modify it - disabling it in the user interface). 

    This means two things for the GPO:

    1. The presentation table contains hundreds of presentation tags that essentially are the same thing. From your response there is no way to make the GPO any easier to write? I can't just create one generic presentation that multiple policies can use? I have to create a presentation for every. single. policy.?
    2. Because of how the settings are set, as mentioned in my earlier post, I have chosen to have each policy contain two check boxes. Each setting could be set to the following:
      1. True
      2. False
      3. True and Enforced
      4. False and Enforced
      When you disable a Policy in Group Policy Management you cannot interact with the policy anymore in Group Policy Management. Is there a way for a Disabled policy to also have settings that can be modified in Group Policy Management? Or can only Enabled policies be modified? This would allow for the setting Boolean to be attached to the status of the Policy and then I could add a check box in the policy for whether it was enforced or not. This would make my life easier in regards to writing the GPO, and the life of System Admins easier as well because it would make it easier for them to read the GPO. But I think you are saying this is not possible.
    Saturday, March 14, 2015 8:41 AM
  • Hi Thomas.
     
    > (this will set the default in the application) and then toggling whether
    > that setting is Enforced (unable for the user to modify it - disabling
    > it in the user interface).
     
    As said - that's not how policies are intended to work - they are always
    enforced. You are talking about preferences that have an optional
    "enforce" switch :) But doesn't matter for the remainder of this post.
     
    >  1. The presentation table contains hundreds of presentation tags that
    >     essentially are the same thing. From your response there is no way
    >     to make the GPO any easier to write? I can't just create one generic
    >     presentation that multiple policies can use? I have to create a
    >     presentation for every. single. policy.?
     
    I'd suggest to use ADM instead of ADMX. Much easier to write and
    maintain, and copy/paste works very well in ADM :)
     
     
    >  2. Because of how the settings are set, as mentioned in my earlier
    >     post, I have chosen to have each policy contain two check boxes.
    >     Each setting could be set to the following:
    >      1. True
    >      2. False
    >      3. True and Enforced
    >      4. False and Enforced
     
    What elements you need depends on the registry values your application
    is expecting/checking. I'd suggest a radio button (enabled/disabled) and
    a check box "enforced".
     
    >     there a way for a Disabled policy to also have settings that can be
    >     modified in Group Policy Management? Or can only Enabled policies be
    >     modified?
     
    You cannot edit what a disabled GPO does, but you can define it
    (VALUEOFF in ADM files if I recall correctly).
     
    >     well because it would make it easier for them to read the GPO. But I
    >     think you are saying this is not possible.
     
    Yes, it isn't. It still - at least to me - is a slight misunderstanding
    of "preferences" versus "policies" :)
     

    Greetings/Grüße, Martin

    Saturday, March 14, 2015 4:02 PM
  • Martin, I may be confusing you, all I am doing is trying to give some context of what I want to achieve.

    Application Context:

    There are TWO registry keys per application setting:

    1. string:Value
    2. dword:Final

    Each setting has its own registry key.

    The string Value sets the default setting and the dword Final will block the user from changing this value in the GUI (just a Boolean).

    For the most part Value contains the string either 'true' or 'false'.

    Group Policy:

    All I wanted was that I could have one check box in the policy that set the dword Final and the Policy being enabled or not could set the string Value. But from what you are telling me that cannot be done. If I was to do that, then I can only choose from one of the following two options with a disabled policy:

    1. Value: false and Final: 1.
      OR
    2. Value: false and Final: 0.

    This is not good enough as I have to be able to provide Administrators all 4 possibilities:

    1. Value: true and Final: 0.
    2. Value: true and Final: 1.
    3. Value: false and Final: 0.
    4. Value: false and Final: 1.

    As you have said the check-box for Final cannot be set if the policy is disabled. So I can only provide all these options in an Enabled policy.

    I am rather disappointed that Microsoft does not provide an easy way for developers to create custom group policy and that I cannot use some form of template for the presentation tag when nearly all of the policies are presented in exactly the same way. It means that I have to waste far more time than I would like.

    Thanks for your help Martin. The application you linked looks like it might do the job but is way out of my price range and definitely doesn't look like it's worth the price!

    Saturday, March 14, 2015 8:00 PM
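
Added example (not part of the original posts and not the poster's or the application's own template): since every setting in the layout described above has the same shape, a string `Value` and a dword `Final` under its own key, the repeated ADMX `policy` and ADML `presentation` entries can be generated from a list instead of written by hand. The base key `Software\Policies\ExampleApp`, the category id, the setting ids and the `Final` label are hypothetical placeholders, and `supportedOn` assumes the standard `windows` namespace is declared in the ADMX header.

```python
import xml.etree.ElementTree as ET

BASE_KEY = r"Software\Policies\ExampleApp"   # hypothetical placeholder key
CATEGORY = "ExampleApp"                      # hypothetical category id
# Constructed sample list: (policy id, check box label)
SAMPLE = [("LoadPrinterSettings", "Load printer settings with the document"),
          ("ExampleSetting", "Another Boolean setting")]

def add_boolean(elems, elem_id, value_name, tag, on, off):
    """Add one ADMX <boolean> that writes on/off as a <string> or <decimal>."""
    b = ET.SubElement(elems, "boolean", id=elem_id, valueName=value_name)
    for wrapper, v in (("trueValue", on), ("falseValue", off)):
        node = ET.SubElement(ET.SubElement(b, wrapper), tag)
        if tag == "string":
            node.text = v
        else:
            node.set("value", v)

def build_policy(name):
    """One policy per setting; both values live under the setting's own key."""
    pol = ET.Element("policy", {
        "name": name, "class": "Machine",
        "displayName": f"$(string.{name})",
        "explainText": f"$(string.{name}_Help)",
        "presentation": f"$(presentation.{name})",
        "key": BASE_KEY + "\\" + name})
    ET.SubElement(pol, "parentCategory", ref=CATEGORY)
    ET.SubElement(pol, "supportedOn", ref="windows:SUPPORTED_WindowsVista")
    elems = ET.SubElement(pol, "elements")
    add_boolean(elems, f"{name}_Value", "Value", "string", "true", "false")
    add_boolean(elems, f"{name}_Final", "Final", "decimal", "1", "0")
    return pol

def build_presentation(name, label):
    """Matching ADML presentation: one check box per registry value."""
    pres = ET.Element("presentation", id=name)
    ET.SubElement(pres, "checkBox", refId=f"{name}_Value").text = label
    ET.SubElement(pres, "checkBox", refId=f"{name}_Final").text = "Final (lock setting)"
    return pres

def generate(settings):
    policies, table = ET.Element("policies"), ET.Element("presentationTable")
    for name, label in settings:
        policies.append(build_policy(name))
        table.append(build_presentation(name, label))
    return policies, table

def dangling_refs(policies, table):
    """ADML refIds with no matching ADMX element id (a common hand-edit error)."""
    ids = {e.get("id") for e in policies.iter("boolean")}
    return [c.get("refId") for c in table.iter("checkBox") if c.get("refId") not in ids]

if __name__ == "__main__":
    for tree in generate(SAMPLE):
        print(ET.tostring(tree, encoding="unicode"))
```

The two generated fragments go inside the hand-written ADMX and ADML skeletons (namespaces, categories, string table), which this sketch does not produce.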
  • >  1. *Value*: true and *Final*: 0.
    >  2. *Value*: true and *Final*: 1.
    >  3. *Value*: false and *Final*: 0.
    >  4. *Value*: false and *Final*: 1.
     
    I don't get the picture... Two radio buttons for Value=true or
    Value=false and a checkbox for Final=1 can do this easily.
     
    > I am rather disappointed that Microsoft does not provide an easy way for
    > developers to create custom group policy and that I cannot use some form
    > of template for the presentation tag when nearly all of the policies are
     
    Again don't really understand. If you go for the classic ADM template,
    you can craft ONE instance of your setting and then copy/paste this
    instance as often as needed, only changing the descriptive text and the
    registry values used.
     
    > Thanks for your help Martin. The application you linked looks like it
    > might do the job but is way out of my price range and definitely doesn't
    > look like it's worth the price!
     
    It is worth its price (I'm using it for several years now), and I don't
    feel that 150$-300$ is a "high" price, taking into account that Alan
    does a good job in supporting his products and that the target audience
    is not that big :)
     

    Greetings/Grüße, Martin

    Sunday, March 15, 2015 11:05 AM
  • Just trying to provide some context to how the application reads the registry settings, and how it looks like I have to have two settings per policy as I mentioned in the first post. Yes I know I can do it that way (I have used two check-boxes per policy), I have already made the group policy that way and it has been available for public download for almost 8 months now.

    I have already written it, but all I wanted to know is if there is a better approach, and it looks like there isn't!

    I am writing this group policy for an open source product. I am not getting paid for this job! and in that context I do not feel that the Group Policy editor is worth the cost.

    All I wanted to do is make it easier for myself and other Systems Administrators.

    Sunday, March 15, 2015 2:07 PM
  • Thanks Darren for your help.

    That application you linked looks good for my purposes!

    As mentioned, the difficulty is without this Group Policy it would be very difficult for Sys Admins to actually know what registry key they need to set. LibreOffice does not actually save settings to the registry, all it does is read from the registry and build an xml file from it.

    Sys Admins can't just toggle a setting in LibreOffice and check for changes in the registry. Creating these keys requires intimate knowledge of how LibreOffice builds its settings xml file. I don't think it is fair to expect Sys Admins to know these keys, therefore a Group Policy is the best approach.

    Sunday, March 15, 2015 4:00 PM
  • Right. I was proposing that, instead of using ADMX-based registry settings, that the customer use a custom UI to configure a set of "policy settings" they want, the output of which would be GP Preferences registry XML (the schema is pretty simple). The customer could then simply import that XML into a GPO and they're done.

    But if the ADMX editor above works for you, so much the better.


    Darren



    Sunday, March 15, 2015 4:04 PM