Using Administrative Templates to Manage User Settings

by DEBRA LITTLEJOHN SHINDER, MCSE, etc.

 

REPRINTED FROM WWW.CRAMSESSION.COM
 

For the past three weeks, we have been discussing various aspects of Windows 2000’s new IntelliMirror technologies, which allow administrators to exercise more control over the user environment, with more flexibility and greater ease. We’ve provided you with an overview of how to manage users’ application software installation, upgrade and removal, and how to manage users’ data.

 

Last week, we looked at the ability to manage users’ system settings using the Windows Settings node in the User Configuration section of Group Policy. This week, we’ll continue that discussion with instructions on how to use the administrative templates. We will specifically examine the following templates provided with Windows 2000 Group Policy:

 

·         Windows components

·         Start menu and taskbar

·         Desktop

·         Control Panel

·         Network

·         System

 

An administrative template controls the Registry settings of multiple computers (those in the OU, domain or site to which the Group Policy is applied), without requiring manual editing of the individual Registries.

 

You can create entries for the Administrative Templates node by adding custom .adm files. The .adm files are ASCII text files that an administrator can create in Notepad or any other text editor. You can either write the file from scratch, or you can make changes to one of the existing templates.

 

NOTE: You can only use .adm files for policies that are based on Registry settings. If you are a programmer and you need to use Group Policy to control settings that are not Registry-based, you will need to develop Group Policy extensions using the Windows 2000 Software Development Kit.

 

A custom .adm file must identify the location in the Registry that will be changed when an administrator selects a particular option in the Group Policy MMC. An .adm file is made up of eight parts: string, class, category, policy, explain, part, PartTypes, and Numeric. For detailed instructions on creating custom .adm files, see the Windows 2000 Help Files.

 

In this article, we will look at the many useful administrative templates that are supplied with Windows 2000. When you use the Administrative Templates node in Group Policy for the first time, the default .adm files will be installed. The files that are provided are:

 

·         System.adm (used for Windows 2000 clients)

·         Inetres.adm (used for Internet Explorer policies with Windows 2000 clients)

·         Winnt.adm (used with System Policy Editor for Windows NT 4.0 clients)

·         Windows.adm (used with System Policy Editor for Windows 9x clients)

·         Common.adm (used with System Policy Editor for interface options common to both NT 4.0 and Windows 9x clients)

 

The first two are installed in Group Policy by default. The last three can be loaded into Group Policy, but should be used only to administer Windows 9x or NT clients via System Policy. If you wish System Policy settings to show up in the Group Policy console, you must uncheck the Show Policies Only option on the View menu (see Figure A).

 

Figure A: Uncheck the Show Policies Only option to see System Policy settings

 

System Policy settings will be shown in red in the Group Policy MMC, while Group Policy settings will be in blue.

 

WARNING: Do not use System Policy .adm files with Windows 2000 clients. Microsoft recommends that you enable the Disable System Policy setting in the System template; this will prevent System Policy settings from being applied to Windows 2000 clients.

 

Windows 2000 uses a new version of the .adm language, which is a superset of the version used in previous versions of Windows. Unicode-based .adm files are supported in Windows 2000, as well.

 

Using Windows Components Templates

 

When you expand the Windows Components node under User Configuration, you’ll see a number of subnodes represented by folders, including the following:

·         NetMeeting

·         Internet Explorer

·         Windows Explorer

·         Microsoft Management Console

·         Task Scheduler

·         Windows Installer

Each allows you to control various aspects of the associated Windows component.  Some components may contain another level of subfolders, as shown in Figure B.

 

Figure B: Each Windows Component has a number of aspects you can control

 

As you can see in the figure, by default none of the policies are configured. You can fine-tune the behavior of the component by selecting those policies that are desirable on your network. For example, if you want users to be able to use NetMeeting for video conferencing, but do not want them to send and receive files or use the chat function, you can enable the appropriate policies (Prevent sending files, Prevent receiving files and Disable chat).

 

The scope of this article is such that we cannot cover all individual policies that are available for each component, but we will look at some of the more interesting or useful settings. The Internet Explorer node gives you a great deal of control over the browser, allowing you to prevent users from doing things such as importing or exporting Favorites, changing the Temporary Internet files settings, changing the proxy settings, etc.

 

If user machines or the network disks have a limited amount of space available, you might want to prevent users from saving web pages to the hard disk as a complete web page. You can do this using the Browser menu subnode of the Internet Explorer node.

 

The Windows Explorer node allows you to really lock down and limit what users can do with the Explorer file manager. For example, you can prevent access to drives in My Computer (either all drives, or just specific drives that you specify), remove the “Map Network Drive” option, or remove “Entire Network” from My Network Places. You can set a maximum number of documents to be shown as “Recent Documents,” remove the Folder Options menu item from the Tools menu so that users can’t change folder options, or completely remove the File menu from Explorer.

 

Use the Microsoft Management Console node to control how users can use MMC consoles. For example, if you don’t want users to be able to create and modify MMC consoles, you can restrict them from entering author mode. You can also restrict users to only the explicitly permitted list of MMC snap-ins. In the Restricted/Permitted Snap-ins folder, there is a list of snap-ins that you can individually configure.

 

Other Windows Components nodes include the Task Scheduler node, which allows you to place restrictions such as disabling drag-and-drop or preventing new task creation, and the Windows Installer node, with which you can set the search order for the media source for installer packages, or disable rollback.

 

Take some time to explore the Windows Components node and discover the many system settings that you can control using these policies.

 

Using Start Menu and Taskbar Templates

 

The Start Menu and Taskbar node has no subnodes, but it does provide policies for locking down users’ systems by restricting what appears on their Start menus and desktop taskbars. For example, you can:

·         Remove common program groups from the Start Menu

·         Remove the usual menus (such as Documents, Favorites, Search, Help, and Run) from the Start menu

·         Add Logoff to the Start menu

·         Disable and remove the Shutdown command

·         Disable personalized menus

·         Prevent keeping a history of recently opened documents

 

One option I’ve found useful in this node is the ability to disable drag-and-drop context menus on the Start menu. Because a program icon can be dragged from the Programs menu, some users inadvertently move the icon to the desktop or to the Quick Launch toolbar, instead of right-dragging and creating a shortcut in the new location. This means the icon is now “missing” from the Programs menu – which can cause all manner of consternation on the part of users. Disabling the drag-and-drop ability will prevent your users from doing this.

 

Using Desktop Templates

 

Desktop Templates, as the name suggests, allow you to control users’ desktop settings. Using this set of powerful policies, you can control the appearance of users’ desktops and ensure a standardized look throughout the organization. Policies in this node include (but are not limited to):

·         Hide all icons on the desktop (good for enforcing the “clean desktop” look on all users’ systems)

·         Remove the My Documents icon from the desktop (it will still appear in the Start menu unless you also apply the Remove My Documents icon from Start menu policy)

·         Hide the My Network Places icon on the desktop (useful if you don’t want users to browse the network)

·         Hide the Internet Explorer icon on the desktop

 

An especially useful option here is the “don’t save settings at exit” policy. This works similarly to the familiar mandatory user profile in that it allows a user to make changes to the desktop during a session, but does not save these settings to the user’s profile, so when the user logs on again, he/she is back to the original settings.

 

There are two subfolders in the Desktop node: Active Desktop and Active Directory. With the first, you can force enabling or disabling of Active Desktop, or prohibit adding desktop items (you can also prevent closing the existing desktop items). With the second, you can limit the maximum size of Active Directory searches, enable display of the filter bar in the Find dialog box when “Filter” is selected on the View menu, or hide the Active Directory folder in My Network Places if you don’t want users to browse directory objects.

 

Using Control Panel Templates

 

The Control Panel node is often used by administrators to disable Control Panel completely, so that users cannot make any changes using the Control Panel applets. Enabling this policy prevents Control.exe from running, and also removes Control Panel from the Start menu and from Windows Explorer. Alternatively, you can hide only specified Control Panel applets, or you can select to show only specified applets.

 

There are four subfolders in the Control Panel node:

·         Add/Remove Programs (allows you to set policies that will hide various options in the Add/Remove Programs applet)

·         Display (allows you to disable the Display Settings applet in Control Panel, or hide only certain Display tabs, such as Appearance, Settings, or Screensaver; you can also prevent users from changing the wallpaper, or password protect the screensaver)

·         Printers (allows you to prevent users from deleting or adding printers, or from browsing the network to search for a printer)

·         Regional Options (allows you to disable the menus and dialog boxes in the Regional Options applet, so users will be restricted to the specified language, or English by default)

 

Using Network Templates

 

The Network node contains two subfolders:

·         Offline Files (allows you to disable configuration of offline files, or control the behavior of offline files; for example, forcing synchronization of all offline files before logging off)

·         Network and Dialup Connections (allows you to prohibit specific changes to network connections; for example, you can prevent enabling or disabling of a LAN connection or prohibit access to the properties of RAS connections)

 

A useful policy available in this node is the Prohibit TCP/IP advanced configuration policy. This will prevent users from changing IP settings, such as DNS and WINS server information. When you enable this policy, the Advanced button on the TCP/IP properties dialog box will be disabled.

 

Using System Templates

 

The last templates node gives you control over various system settings such as whether to display the Welcome screen at logon, and allows you to disable the command prompt or the registry editing tools (useful for preventing the damage that can be done by curious or adventurous users). You can also use the policies in this node to allow running only specified Windows applications, or alternatively, to prevent running specified applications.

 

There are two subfolders here: Logon/Logoff and Group Policy.  Using the first, you will find policies to:

·         Disable Task Manager

·         Disable changing of passwords

·         Disable logoff

·         Disable locking of the computer

This node also includes policies pertaining to logon scripts, allows you to limit the size of roaming user profiles, and more.

 

The Group Policy node provides policies that allow you to set the group policy refresh interval for users, specify which domain controller the Group Policy snap-in will use, or prevent administrators from viewing Group Policy preferences, which are otherwise displayed by unchecking the Show Policies Only option on the View menu, as discussed earlier.

 

How to Use the Template Policies

 

As mentioned earlier, by default all the policies included as administrative templates will be set to “Not configured.” To enable one of these policies, double-click it and you’ll see a dialog box as shown in Figure C.

 

Figure C: Properties dialog box for the “Don’t run specified Windows applications” policy

 

To enable the policy, click the Enabled radio button. In some cases, you will need to enter additional information. For example, in the figure we have enabled the “Don’t run specified Windows applications” policy, so we must enter the applications that we want to prevent from running. To do so, click the Show button, and you will see a list of disallowed applications as shown in Figure D.

 

Figure D: The list of disallowed applications will be empty until you add one or more applications

 

Now to specify the applications to be disallowed, click the Add button. You’ll see the dialog box shown in Figure E.

 

Figure E: Enter the name of the executable for the application to be disallowed

 

Now the application will show up in the list, and users will not be able to run this application.

 

Configuring other policies using the administrative templates is done similarly.
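As an added example (not from this article or from Microsoft’s own system.adm), here is a custom .adm file that defines the same “Don’t run specified Windows applications” policy shown in Figures C to E, using the eight elements described earlier (strings, class, category, policy, explain, part, part type and numeric value). The symbolic names (Cat_Custom, Pol_DisallowRun and so on) and the category title are assumptions made for this example; the Registry key and value names are the ones the built-in policy writes to.

```adm
; Added example: a custom User Configuration template that reproduces the
; "Don't run specified Windows applications" policy shown in Figures C to E.
; The symbolic names (Cat_Custom, Pol_DisallowRun, ...) and the category
; title are constructed for this example; the KEYNAME and VALUENAME entries
; are the ones the built-in policy writes to.
CLASS USER

CATEGORY !!Cat_Custom
    ; Each POLICY maps one entry in the Group Policy MMC to a Registry location
    ; under HKEY_CURRENT_USER (implied by CLASS USER).
    POLICY !!Pol_DisallowRun
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        EXPLAIN !!Pol_DisallowRun_Help
        ; Enabled writes DisallowRun=1 (REG_DWORD); Disabled writes 0.
        VALUENAME "DisallowRun"
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
        ; The Show and Add buttons in Figures D and E come from this LISTBOX part.
        ; Each entry is stored as a REG_SZ value under the DisallowRun subkey,
        ; named "1", "2", ... because VALUEPREFIX is empty.
        PART !!Part_DisallowRunList LISTBOX
            KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
            VALUEPREFIX ""
        END PART
    END POLICY
END CATEGORY

[strings]
Cat_Custom="Custom settings"
Pol_DisallowRun="Don't run specified Windows applications"
Pol_DisallowRun_Help="Prevents Windows from running the programs you add to the list. Enter the executable file name only, e.g. regedit.exe."
Part_DisallowRunList="List of disallowed applications"
```

Load the file with Add/Remove Templates on the Administrative Templates node. Because every KEYNAME line names a Registry location the template can set, reviewing those lines tells you exactly what a template obtained from elsewhere will change before you import it.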

 

Summary

 

Microsoft has provided a large number of administrative templates to allow you to control Windows components, the Start menu and taskbar, the user desktop, Control Panel, Network settings and miscellaneous system settings. In this article, we’ve provided you with an overview of what administrative templates are and how to use them.

 

In next week’s article, Part 5 of this 5-part series, we will wrap up our discussion of IntelliMirror technologies with an examination of its last component: the Windows 2000 remote installation services.