Wednesday, May 10, 2006

GPO Administrative Templates in Vista Part 3

So now we move on from the previous post and construct some of the policy syntax for the ADM template by extracting the information from the ADMX/ADML templates.

Simple Policy Syntax
In the ADMX template, after the last category (signified by the final </category>) you will see the beginning of the policies section.  Using the Device Installation ADMX/ADML files as a basis, the first policy is as shown here:-

<policy name="DeviceInstall_AllSigningEqual" class="Machine" displayName="$(string.DeviceInstall_AllSigningEqual)" explainText="$(string.DeviceInstall_AllSigningEqual_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Settings" valueName="AllSigningEqual">
  <parentCategory ref="DeviceInstall_Category" />
  <supportedOn ref="windows:SUPPORTED_WindowsVista" />
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
</policy>

So we can see that, as mentioned in the previous post, the policy class is stated on a per-policy basis.  The display name and explain text work in much the same way as with the categories: they are linked to strings in the ADML template file, shown here:-

<string id="DeviceInstall_AllSigningEqual">Treat drivers signed by Microsoft the same as those signed by others</string>
<string id="DeviceInstall_AllSigningEqual_Help">When selecting which driver to install, do not distinguish between drivers that are signed by Microsoft and drivers that are signed by others.

If you enable this setting, drivers will be selected for installation based on other criteria (such as version number or when the driver was created) rather than whether the driver was signed by Microsoft or by another vendor. A signed driver will still be preferred over a driver that is not signed at all. However, drivers that are signed by Microsoft will not be preferred over other drivers.

If you disable or do not configure this setting, drivers that are signed by Microsoft will be selected for installation over drivers that are signed by other vendors.</string>

The ADMX snippet also shows the registry key and its associated value, along with what the value is set to when you enable or disable the policy.  In this case the value AllSigningEqual would be set to a DWORD with a decimal value of 1 when enabled and 0 when disabled.

Extracting this information out and constructing the section of the ADM template would give you this:-

POLICY !!DeviceInstall_AllSigningEqual
    KEYNAME "Software\Policies\Microsoft\Windows\DeviceInstall\Settings"
    EXPLAIN !!DeviceInstall_AllSigningEqual_HELP
    VALUENAME "AllSigningEqual"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
END POLICY

And in the strings section:-

DeviceInstall_AllSigningEqual="Treat drivers signed by Microsoft the same as those signed by others"
DeviceInstall_AllSigningEqual_HELP="When selecting which driver to install, do not distinguish between drivers that are signed by Microsoft and drivers that are signed by others.\n\nIf you enable this setting, drivers will be selected for installation based on other criteria (such as version number or when the driver was created) rather than whether the driver was signed by Microsoft or by another vendor. A signed driver will still be preferred over a driver that is not signed at all. However, drivers that are signed by Microsoft will not be preferred over other drivers.\n\nIf you disable or do not configure this setting, drivers that are signed by Microsoft will be selected for installation over drivers that are signed by other vendors."

Listbox Syntax
This becomes a little more interesting when you encounter policies with multiple ‘Parts’ (to use ADM syntax), which have now become ‘Elements’.  Whilst all the information needed to construct them is in the ADMX and ADML templates, it is a pain to gather it together; once you have found it, however, constructing the policy syntax is pretty intuitive if you are used to constructing or amending ADM templates.

Here is an example of a listbox from this ADMX/ADML template set:-

From the ADMX template:-

<policy name="DeviceInstall_Classes_Deny" class="Machine" displayName="$(string.DeviceInstall_Classes_Deny)" explainText="$(string.DeviceInstall_Classes_Deny_Help)" presentation="$(presentation.DeviceInstall_Classes_Deny)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyDeviceClasses">
  <parentCategory ref="DeviceInstall_Restrictions_Category" />
  <supportedOn ref="windows:SUPPORTED_WindowsVista" />
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
  <elements>
    <list id="DeviceInstall_Classes_Deny_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" valuePrefix="" />
  </elements>
</policy>

From the ADML:-

<string id="DeviceInstall_Classes_Deny">Prevent installation of drivers matching these device setup classes</string>
<string id="DeviceInstall_Classes_Deny_Help">Specifies a list of Plug and Play device setup class GUIDs for devices that cannot be installed.

If you enable this setting, new devices cannot be installed and existing devices cannot be updated if they use drivers that belong to any of the listed device setup classes.

If you disable or do not configure this setting, new devices can be installed and existing devices can be updated as permitted by other policy settings for device installation.

NOTE: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device.</string>

Also from the ADML:-

<presentation id="DeviceInstall_Classes_Deny">
  <listBox refId="DeviceInstall_Classes_Deny_List">Prevent installation of devices using drivers for these device setup classes:</listBox>
  <text>To create a list of device classes, click Show, click Add,</text>
  <text>and specify a GUID that represents a device setup class</text>
  <text>(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}).</text>
</presentation>

The equivalent sections in an ADM would be constructed as follows:-

POLICY !!DeviceInstall_Classes_Deny
    KEYNAME "Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions"
    EXPLAIN !!DeviceInstall_Classes_Deny_HELP
    VALUENAME "DenyDeviceClasses"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    PART !!DeviceInstall_Classes_Deny_LIST LISTBOX
        KEYNAME "Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses"
        VALUEPREFIX ""
    END PART
    PART !!DeviceInstall_Classes_Deny_TEXT1 TEXT
    END PART
    PART !!DeviceInstall_Classes_Deny_TEXT2 TEXT
    END PART
    PART !!DeviceInstall_Classes_Deny_TEXT3 TEXT
    END PART
END POLICY

And in the strings section:-

DeviceInstall_Classes_Deny="Prevent installation of drivers matching these device setup classes"
DeviceInstall_Classes_Deny_HELP="Specifies a list of Plug and Play device setup class GUIDs for devices that cannot be installed.\n\nIf you enable this setting, new devices cannot be installed and existing devices cannot be updated if they use drivers that belong to any of the listed device setup classes.\n\nIf you disable or do not configure this setting, new devices can be installed and existing devices can be updated as permitted by other policy settings for device installation.\n\nNOTE: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device."
DeviceInstall_Classes_Deny_LIST="Prevent installation of devices using drivers for these device setup classes:"
DeviceInstall_Classes_Deny_TEXT1="To create a list of device classes, click Show, click Add,"
DeviceInstall_Classes_Deny_TEXT2="and specify a GUID that represents a device setup class"
DeviceInstall_Classes_Deny_TEXT3="(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835})."


The second section (the listbox label and the three lines of explanatory text) is taken from the presentation table, which sits towards the bottom of the ADML template, after the strings table; those strings need entries in the [strings] section of the ADM as well.
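As an added example (not code from the original post), here is a Python script that automates the extraction walked through above for both the simple policy and the listbox case: it parses constructed ADMX/ADML fragments modelled on the Device Installation snippets, resolves the $(string.…) references against the ADML string table, turns each ADMX <list> element into an ADM LISTBOX part whose label comes from the presentation table, and folds multi-line explain text into the single-line \n form the [strings] section needs. The fragments are constructed for this example, not the real Microsoft files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ADMX/ADML fragments modelled on this page's Device Installation snippets.
ADMX = r"""<policyDefinitions><policies>
<policy name="DeviceInstall_Classes_Deny" class="Machine"
 displayName="$(string.DeviceInstall_Classes_Deny)" explainText="$(string.DeviceInstall_Classes_Deny_Help)"
 key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyDeviceClasses">
 <enabledValue><decimal value="1"/></enabledValue><disabledValue><decimal value="0"/></disabledValue>
 <elements><list id="DeviceInstall_Classes_Deny_List" valuePrefix=""
  key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses"/></elements>
</policy></policies></policyDefinitions>"""
ADML = r"""<policyDefinitionResources><resources><stringTable>
<string id="DeviceInstall_Classes_Deny">Prevent installation of drivers matching these device setup classes</string>
<string id="DeviceInstall_Classes_Deny_Help">Specifies a list of device setup class GUIDs that cannot be installed.

If you enable this setting, devices in the listed classes cannot be installed.</string>
</stringTable><presentationTable><presentation id="DeviceInstall_Classes_Deny">
<listBox refId="DeviceInstall_Classes_Deny_List">Prevent installation of devices using drivers for these device setup classes:</listBox>
</presentation></presentationTable></resources></policyDefinitionResources>"""

def ref(attr):  # '$(string.X)' or '$(presentation.X)' -> 'X'
    return re.fullmatch(r"\$\((?:string|presentation)\.(\w+)\)", attr).group(1)

def adm_escape(text):  # ADM strings are single-line: newline -> \n, no embedded quotes
    return text.replace("\r\n", "\n").replace("\n", r"\n").replace('"', "'")

def to_adm(admx_xml, adml_xml):
    """Emit ADM policy syntax plus a [strings] table for every policy in the ADMX."""
    admx, adml = ET.fromstring(admx_xml), ET.fromstring(adml_xml)
    strings = {s.get("id"): s.text or "" for s in adml.findall(".//{*}string")}
    boxes = {b.get("refId"): b.text for b in adml.findall(".//{*}listBox")}
    out, table = [], {}
    for pol in admx.findall(".//{*}policy"):
        name, help_id = ref(pol.get("displayName")), ref(pol.get("explainText"))
        table[name], table[help_id] = strings[name], strings[help_id]
        out += [f"CLASS {pol.get('class').upper()}", f"POLICY !!{name}",  # class is per policy in ADMX
                f'  KEYNAME "{pol.get("key")}"', f"  EXPLAIN !!{help_id}",
                f'  VALUENAME "{pol.get("valueName")}"']
        for tag, kw in (("enabledValue", "VALUEON"), ("disabledValue", "VALUEOFF")):
            dec = pol.find(f"{{*}}{tag}/{{*}}decimal")
            if dec is not None:
                out.append(f"  {kw} NUMERIC {dec.get('value')}")
        for lst in pol.findall("{*}elements/{*}list"):  # ADMX <list> element == ADM LISTBOX part
            table[lst.get("id")] = boxes[lst.get("id")]
            out += [f"  PART !!{lst.get('id')} LISTBOX", f'    KEYNAME "{lst.get("key")}"',
                    f'    VALUEPREFIX "{lst.get("valuePrefix", "")}"', "  END PART"]
        out.append("END POLICY")
    out.append("[strings]")
    return "\n".join(out + [f'{k}="{adm_escape(v)}"' for k, v in table.items()])
```

The `{*}` wildcards let the same lookups work on the real files, which declare a default XML namespace; `print(to_adm(ADMX, ADML))` shows the generated ADM text.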

The rest, I think, is pretty intuitive, and the other ADM syntaxes are equally straightforward to construct.

Tuesday, May 02, 2006

GPO Administrative Templates in Vista Part 2

So how do you go about writing ADM templates from the ADMX and ADML templates included with Vista?  Well, it’s a long, laborious process, so unless you absolutely need to continue to support ADM templates, I would stick with the new ADMX/ADML templates.

CLASS
In ADM templates you set the CLASS for the policies that follow the CLASS statement to either CLASS USER or CLASS MACHINE.  This denotes which registry hive those policies amend: HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively.  I personally split my policies into User and Computer policies, and so a single GPO will only be set to provide settings for one or the other registry hive.  I find this generally works well, and so I have ADM templates that are tailored to either user settings or machine settings; therefore I only set the CLASS once per ADM template.  In the ADMX templates, however, the class is given once per policy setting, so if you are converting ADMX/ADML into ADM templates you need to watch for this.

Categories
If you open one of the default ADMX templates in a text editor, the first thing you will notice after the XML preamble is the list of categories, each with its display name, explain text and parent category, as shown here:-

<category name="DeviceInstall_Category" displayName="$(string.DeviceInstall_Category)" explainText="$(string.DeviceInstall_Help)">
  <parentCategory ref="windows:System" />
</category>
<category name="DriverInstall_Category" displayName="$(string.DriverInstall_Category)" explainText="$(string.DriverInstall_Help)">
  <parentCategory ref="windows:System" />
</category>
<category name="DeviceInstall_Restrictions_Category" displayName="$(string.DeviceInstall_Restrictions_Category)" explainText="$(string.DeviceInstall_Restrictions_Help)">
  <parentCategory ref="DeviceInstall_Category" />
</category>

So we can see here that the Device Install and Driver Install categories both sit under the Windows System category, and the Device Install Restrictions category sits under the Device Install category.  In much the same way as in ADM templates, the display name and explain text are listed as strings; however, you will find these strings in the equivalent ADML template file rather than in the main body of the ADMX file.  The relevant section of the ADML covering the Device Install and Device Install Restrictions categories looks like this:-

<string id="DeviceInstall_Category">Device Installation</string>
<string id="DeviceInstall_Help">Policy settings that control the installation of devices.</string>

<string id="DeviceInstall_Restrictions_Category">Device Installation Restrictions</string>
<string id="DeviceInstall_Restrictions_Help">Policy settings that describe which devices can or cannot be installed on the System</string>

OK, from here we have enough to lay out the bare bones of the ADM template as follows (each CATEGORY must be closed with END CATEGORY, and the restrictions category is nested inside the device installation category just as its parentCategory ref indicates):-

CLASS MACHINE

CATEGORY !!DeviceInstallation
    EXPLAIN !!DeviceInstallation_CATEGORY_EXPLAIN

    CATEGORY !!DeviceInstall_Restrictions_Category
        EXPLAIN !!DeviceInstall_Restrictions_Category_EXPLAIN
    END CATEGORY

END CATEGORY

[strings]

DeviceInstallation="Device Installation"
DeviceInstallation_CATEGORY_EXPLAIN="Policy settings controlling the installation of devices on the system."

DeviceInstall_Restrictions_Category="Device Installation Restrictions"
DeviceInstall_Restrictions_Category_EXPLAIN="Policy settings describing which devices may or may not be installed on the system."
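As an added example (not from the original post), the following Python snippet does the category half of the job: it reads the ADMX <category> elements and their parentCategory refs, nests them the way the ADMX does (Device Install Restrictions under Device Install), and emits properly closed CATEGORY/END CATEGORY blocks plus the matching [strings] entries. The ADMX/ADML fragments are constructed from the snippets above, and refs into other ADMX files such as windows:System are treated as roots, which is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ADMX/ADML fragments modelled on this page's category snippets.
ADMX = """<policyDefinitions><categories>
<category name="DeviceInstall_Category" displayName="$(string.DeviceInstall_Category)" explainText="$(string.DeviceInstall_Help)">
  <parentCategory ref="windows:System"/></category>
<category name="DriverInstall_Category" displayName="$(string.DriverInstall_Category)" explainText="$(string.DriverInstall_Help)">
  <parentCategory ref="windows:System"/></category>
<category name="DeviceInstall_Restrictions_Category" displayName="$(string.DeviceInstall_Restrictions_Category)" explainText="$(string.DeviceInstall_Restrictions_Help)">
  <parentCategory ref="DeviceInstall_Category"/></category>
</categories></policyDefinitions>"""
ADML = """<policyDefinitionResources><resources><stringTable>
<string id="DeviceInstall_Category">Device Installation</string>
<string id="DeviceInstall_Help">Policy settings that control the installation of devices.</string>
<string id="DriverInstall_Category">Driver Installation</string>
<string id="DriverInstall_Help">Policy settings that control the installation of drivers.</string>
<string id="DeviceInstall_Restrictions_Category">Device Installation Restrictions</string>
<string id="DeviceInstall_Restrictions_Help">Policy settings that describe which devices can or cannot be installed on the System</string>
</stringTable></resources></policyDefinitionResources>"""

def string_ref(attr):  # '$(string.X)' -> 'X'
    return re.fullmatch(r"\$\(string\.(\w+)\)", attr).group(1)

def categories_to_adm(admx_xml, adml_xml, adm_class="MACHINE"):
    """Nest ADMX categories by parentCategory ref and emit CATEGORY/END CATEGORY blocks.
    A ref with a file prefix (e.g. windows:System) lives in another ADMX, so the
    category becomes a root in this ADM (assumption made for the example)."""
    admx, adml = ET.fromstring(admx_xml), ET.fromstring(adml_xml)
    strings = {s.get("id"): s.text for s in adml.findall(".//{*}string")}
    cats = {c.get("name"): c for c in admx.findall(".//{*}category")}
    children = {}
    for name, c in cats.items():
        parent = c.find("{*}parentCategory").get("ref")
        children.setdefault(parent if parent in cats else None, []).append(name)
    out, table = [f"CLASS {adm_class}"], {}
    def emit(parent, depth):  # recursive walk, indenting by nesting depth
        for name in children.get(parent, []):
            c, pad = cats[name], "  " * depth
            disp, expl = string_ref(c.get("displayName")), string_ref(c.get("explainText"))
            table[disp], table[expl] = strings[disp], strings[expl]
            out.append(f"{pad}CATEGORY !!{disp}")
            out.append(f"{pad}  EXPLAIN !!{expl}")
            emit(name, depth + 1)
            out.append(f"{pad}END CATEGORY")
    emit(None, 0)
    out.append("[strings]")
    return "\n".join(out + [f'{k}="{v}"' for k, v in table.items()])
```

`print(categories_to_adm(ADMX, ADML))` shows the nested result, which is the same shape as the hand-written bare bones above but with the ADMX's own string identifiers.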

Part 3 will continue on to discuss a number of policy settings and how you construct the Policy Syntax for the ADM template from the ADMX/ADML template files.