Koozali.org: home of the SME Server

SME server account policies

kruhm
SME server account policies
« Reply #15 on: April 01, 2007, 09:37:35 AM »
Stefano is correct. His link is accurate.

GPs are just forced regedits (or XP config db settings) onto the client PCs. You should be able to do anything you need with poledit and the ADM templates.

MS doesn't want you to touch the registry directly, so they have Group Policies (GPs). However, everyone (even MS) knows that eventually you need to edit the registry directly to tweak it or to fix a problem.

So the MS hiccup is that changes can be forced through direct regedits or GPs. This is why in MS these types of edits are given in both regedit format and GP format: http://msdn2.microsoft.com/en-us/library/ms815238.aspx and they offer a reference file: http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en

It's important to note that GPs are only done with the correct ADM files, txt files that control the mapping of GPs to regedits. XP ADM files live in: %systemroot%\inf (go ahead and look on your local XP PC - edit any ADM file with a txt editor). The ADM files are ever increasing in size & complexity (SP2 contains 609 new ADM policy settings & newly released have nearly 800 more than the 2003 SP1 ADM files, for a total of 2450 settings).

For example, when XP SP2 came out, new ADM files were needed to control the additional settings, i.e. Windows Firewall. If you had a W2K server, you had to apply the new XP SP2 ADM files to the local W2K server but couldn't use them directly from the server b/c W2K didn't have those registry edits locally in its OS. You needed to use an XP client to access the W2K server GP. Even after doing this, most ran into errors like "The following entry in the [strings] section is too long and has been truncated": http://support.microsoft.com/kb/842933 A classic situation of "Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section."

Have fun reading: white papers, tech notes, KB articles, discussion threads. All for information that isn't going to be around in 3 years when it's changed again or obsolete.

So to do this correctly from MS, you need to be familiar with the registry, the GP settings and the ADM templates that tie them together. To make matters worse, GPs aren't effective immediately, sometimes require a twice-reboot and can "tattoo" the clients (leave the regedits after the GP is removed). On top of it all, they still can't easily do what most admins want - prevent users from installing stupid stuff or making stupid changes all the while giving enough access to run the apps they need.

As a result, you'll find GPOs, regedits, regedit scripts and ADM templates all through the internet. For example, http://www.securityfocus.com/infocus/1719 or you can google your way into oblivion.

Obviously none of these options are necessarily intuitive. This leads to a huge 3rd party market trying to make it all make sense for customers. Such as: www.netpro.com, www.scriptlogic.com, www.visualclick.com and www.desktopstandard.com. Even Linux has a 3rd party GPO provider: http://www.nitrobit.com/

How long are companies/admins going to tolerate this in terms of money and time before they switch to something easier? Basically, this type of network is a nightmare for companies. Especially when they have to start creating a separate GPO just for specific desktops to allow ports. It's easier just to make the desktop change. This, as well as overall cost, is pushing companies to thin client setups - Citrix, Sun Rays, etc. Basically back to some type of mainframe setup, where minimal changes need to happen to affect a large amount of users.

I wrote some basic steps a while back:
http://forums.contribs.org/index.php?topic=31770.0
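As an added illustration of the ADM-to-registry mapping described above (not part of kruhm's post, and not one of the files shipped in %systemroot%\inf): a minimal ADM template in that same syntax, which maps one policy checkbox in poledit or a GP editor to one registry value. It assumes the standard Explorer "NoRun" policy value; enabling the setting writes NoRun=1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which is the whole "forced regedit" the policy amounts to.

```adm
; Added example (not from the thread): a minimal ADM template in the
; syntax used by the files in %systemroot%\inf. It assumes the standard
; Explorer "NoRun" policy value and maps one policy to one registry value.
CLASS USER

CATEGORY !!Cat_Example
    POLICY !!Pol_NoRun
        ; Registry key the setting is written under (relative to HKCU)
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        EXPLAIN !!Pol_NoRun_Explain
        ; Enabled        -> NoRun = dword:00000001 (the equivalent regedit)
        ; Disabled       -> NoRun = dword:00000000
        ; Not configured -> value left untouched; this is why a value stays
        ;                   behind ("tattooed") if a policy is simply dropped
        ;                   instead of being set to Disabled first
        VALUENAME "NoRun"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

; Display strings; a [strings] entry that grows too long triggers the
; KB 842933 truncation error mentioned in the thread
[strings]
Cat_Example="Example restrictions"
Pol_NoRun="Remove Run from the Start menu"
Pol_NoRun_Explain="Hides the Run command. Writes the NoRun value under Policies\Explorer."
```

To check what a policy actually did on a client, look for the KEYNAME/VALUENAME pair in regedit rather than at the policy editor, since the registry value is what the applications honour.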

chuckt3hnoob

SME server account policies
« Reply #16 on: April 02, 2007, 01:32:08 AM »
Sorry for the long away period but I have been reading and implementing the things in the developers manual and making many failed attempts to install DansGuardian (can't seem to access the web interface; https://myserver/server-manager/dungog.net/dansguardian didn't seem to work)...

But in reply to all that has been said, I am amazed at how many people tried to help me with my issue and am most grateful for the replies and insights. :D
I have looked at that link
Quote
take a look at this..

http://www.pcc-services.com/articles/implement_sys_policies.html

HTH


and it looks like it may work (depending on how well I follow instructions =p ) but I have to finish with the content filtering from DansGuardian (I think it works but I had to re-install my server because of the Berkeley DB that I was failing to configure, the yum repos and who knows how many "uh-ohs" I did to the .conf files) so I have to re-add all the clients to the domain (been at it all weekend)

Having read your post I have a simple question I have to ask :oops: , because I don't want any more mistakes, should those steps be carried out in XP or on the SME console itself?