Creating Custom Templates for Microsoft's System Policy Editor

Introduction

One of the strengths of Microsoft's System Policy Editor (SPE) is that you can create your own custom templates for use on your network. This alone makes the fact that Samba cannot implement Group Policy Objects (à la Active Directory) a non-issue. It is very easy to turn nearly any registry setting into a policy by using custom templates (with the exception of binary registry values).

NOTE: Policy templates are simple text documents that can be edited with any text editor, such as Notepad, SciTE, vi or Emacs. When editing or creating these files, do not use a word processor such as WordPad or Word; these applications add extraneous data to the file, rendering it unusable with the System Policy Editor.

Since SPE templates are simple text files, you can look at the template files provided by Microsoft. A word of warning, however: Microsoft's templates make use of unnecessary variables that make them very hard to read. Because of this, this article covers different ways to implement different policies.

In my experience with System Policies, once you have examples of how things are done, it is relatively easy to modify them to accomplish what you need. Please note that this article merely scratches the surface of creating custom policies. Although these examples show you how to manipulate 95% of the settings you may want to use, additional reference material may be required for anything extremely exotic.

Basics

To get things started: template files are separated into two classes, MACHINE and USER. These classes simply separate your template into machine policies and user policies. Machine policies adjust registry settings in the HKEY_LOCAL_MACHINE hive, and user policies adjust registry settings in the HKEY_CURRENT_USER hive (the actual user's profile). The majority of the time, you will be creating user policies to control your users.


CLASS MACHINE
	CATEGORY "Category Name"
		POLICY "Policy Name"
			KEYNAME	"registry key"
			VALUENAME	"registry value"
		END POLICY
	END CATEGORY
	
CLASS USER
	CATEGORY "Category Name"
		POLICY "Policy Name"
			KEYNAME	"registry key"
			VALUENAME	"registry value"
		END POLICY
	END CATEGORY

These two classes (MACHINE and USER) are further separated into CATEGORY sections. These sections end up being the little books you see when running the System Policy Editor. Category sections are simply a way to organize all of your policies into different groups for the user's sake; they have no bearing whatsoever on the NTConfig.pol file.

The POLICY section is the nuts and bolts of the template. This is where you actually adjust the registry. Every policy requires a KEYNAME and a VALUENAME, although a single KEYNAME can be specified once and shared by multiple POLICY sections (the EDITTEXT example below places it at the CATEGORY level). Policies can adjust all types of registry values except BINARY values. If you do not specify a value, the default is DWORD 1 for a checked policy and DWORD 0 for a cleared policy.

If this seems confusing, don't fret: the best way to learn how to create templates is simply to work with them. The next sections explain the different methods used when creating custom templates. Going over these examples, you should quickly pick up what the System Policy Editor needs to get what you want done. This is by no means a complete guide, but it should be sufficient for most of your template creation.

Examples

ACTIONLIST

The ACTIONLIST directive allows you to adjust multiple registry settings while only providing one option to the System Policy Editor User. I gave this example first to give you a good look at how a simple policy is created.

SPE ACTIONLIST Directive

CLASS USER
	
CATEGORY "Internet Explorer Settings"
	
	POLICY "Disable Internet Explorer Search Asst"
	KEYNAME "Software\Microsoft\Internet Explorer\Main"
		VALUENAME "Use Search Asst"
			VALUEON "no"
			VALUEOFF DELETE
		ACTIONLISTON
			VALUENAME "Use Custom Search URL" VALUE 1
		END ACTIONLISTON
		ACTIONLISTOFF
			VALUENAME "Use Custom Search URL" VALUE 0
		END ACTIONLISTOFF
	END POLICY
	
END CATEGORY

PART

The PART directive enables the lower part of the computer/user property sheet. This lower section provides additional functionality for your custom policies: not only does it let you further document the policy, it is also used to fine-tune each policy, as you will see with the other directives.

SPE PART Directive

CLASS MACHINE
	
CATEGORY "Custom Security Center Functions (XP-SP2)"
	
	POLICY "Disable Windows Firewall - Domain Settings"
	KEYNAME "SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"
		VALUENAME "EnableFirewall"
			VALUEON     0
			VALUEOFF    1
		PART "When checked the Windows Firewall will be disabled"	TEXT
		END PART
		PART "When cleared the Firewall will be enabled"		TEXT
		END PART
	END POLICY
	
END CATEGORY

CHECKBOX

The CHECKBOX directive lets you provide a list of options in the PART section. These options are simple check boxes that can be either on or off. A word of caution when implementing these: try not to use the CHECKBOX directive as a replacement for a simple CATEGORY section. These values can only be checked or unchecked, unlike normal policies, which can also be grayed out (thus possibly reducing the size of your NTConfig.pol file).

SPE CHECKBOX Directive

CLASS USER
	
CATEGORY "User Restrictions"
	
	POLICY "Desktop Restrictions"
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
		PART "Disable Computer Shutdown"			CHECKBOX
			VALUENAME NoClose
		END PART
		PART "Disable Manage Computer Option from Desktop"	CHECKBOX
			VALUENAME NoManageMyComputerVerb
		END PART
		PART "Disable Control Panel"				CHECKBOX
			VALUENAME NoControlPanel
		END PART
	END POLICY
END CATEGORY

EDITTEXT

The EDITTEXT directive lets you offer a text box for the SPE user to fill in. EDITTEXT also lets you set a default value and a limit on how much text can be entered. The EXPANDABLETEXT directive allows X, and the REQUIRED directive will not allow the user to leave the entry blank.

SPE EDITTEXT Directive

CLASS MACHINE
	
CATEGORY "System Settings"
	KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
	
	POLICY "Change Registration Information"
		PART "Registered User Information"		EDITTEXT
			REQUIRED
			EXPANDABLETEXT
			MAXLEN 25
			DEFAULT "User Info"
			VALUENAME "RegisteredOwner"
		END PART
		PART "Registered Organization Information"	EDITTEXT
			REQUIRED
			EXPANDABLETEXT
			MAXLEN 25
			DEFAULT "Company Info"
			VALUENAME "RegisteredOrganization"
		END PART
	END POLICY
END CATEGORY

DROPDOWNLIST and COMBOBOX

The DROPDOWNLIST directive offers a list of options the user can choose from. The options to DROPDOWNLIST include NOSORT and ITEMLIST. The NOSORT directive tells the SPE not to sort the options alphabetically, while the ITEMLIST directive actually creates the list of items presented to the user.

The COMBOBOX directive is basically a DROPDOWNLIST with the additional option of letting the user manually enter a value, similar to the EDITTEXT directive.

SPE DROPDOWNLIST Directive

CLASS USER
	
CATEGORY "Desktop Settings"
	POLICY "Visual Effects Setting (XP)"
	KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects"
		PART "Windows XP's Visual Settings"		DROPDOWNLIST
			VALUENAME VisualFXSetting
			NOSORT
			REQUIRED
			ITEMLIST
				NAME "Let Windows Choose"	VALUE NUMERIC 0
				NAME "Best Appearance"		VALUE NUMERIC 1
				NAME "Best Performance"		VALUE NUMERIC 2
			END ITEMLIST
		END PART
	END POLICY
END CATEGORY

NUMERIC

The NUMERIC directive lets you offer the user a range of numbers to select with a spin control; alternatively, the user can also type a number manually. Because of the ability to enter a number manually, there are other directives you can use to limit what the user can enter: DEFAULT, REQUIRED, MIN, MAX and SPIN. The SPIN directive specifies the increment of the spin control; the default is 1, but it can be adjusted accordingly.

SPE NUMERIC Directive

CLASS MACHINE
	
CATEGORY "Custom Policy Settings"
	POLICY "Restrict Profile Size"
	KEYNAME "SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"
		PART "Maximum User Profile size (in KB)"	NUMERIC
			REQUIRED
			SPIN 1024
			VALUENAME "MaxProfileSize"
			DEFAULT	5120
			MAX	20480
			MIN	1024
		END PART
	END POLICY
END CATEGORY
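To make the grammar from the Basics section and the ACTIONLIST and CHECKBOX examples concrete, here is an added example (not part of the original article, and not an SPE tool) that parses a small constructed template and lists every registry value each policy can write, including the DWORD 1/0 default and the DELETE case. The template text, the parse_adm function and its output format are this example's own assumptions.

```python
import re
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a quoted string (quotes stripped) or a bare word
# Constructed sample template (added here, not the article's own file): CATEGORY-level KEYNAME,
# VALUEON/VALUEOFF with DELETE, an ACTIONLIST, and a CHECKBOX PART left at the DWORD 1/0 default.
SAMPLE_ADM = r'''CLASS USER
CATEGORY "Internet Explorer Settings"
  KEYNAME "Software\Microsoft\Internet Explorer\Main"
  POLICY "Disable Search Assistant"
    VALUENAME "Use Search Asst"
    VALUEON "no"
    VALUEOFF DELETE
    ACTIONLISTON
      VALUENAME "Use Custom Search URL" VALUE 1
    END ACTIONLISTON
  END POLICY
  POLICY "Desktop Restrictions"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    PART "Disable Control Panel" CHECKBOX
      VALUENAME NoControlPanel
    END PART
  END POLICY
END CATEGORY'''
def parse_adm(text):
    # One dict per registry value the template can write, with the data for "on" and/or "off".
    writes, keys, pending, hive, policy, mode = [], [None], None, None, None, None
    for raw in text.splitlines():
        t = [q or w for q, w in TOKEN.findall(raw)]
        head = t[0].upper() if t else ""
        if pending and head in ("VALUENAME", "CATEGORY", "POLICY", "PART", "END"):
            writes.append(pending)              # next value or a scope boundary ends the entry
            pending = None
        if head == "CLASS":
            hive = "HKLM" if t[1].upper() == "MACHINE" else "HKCU"
        elif head in ("CATEGORY", "POLICY", "PART"):
            keys.append(keys[-1])               # a nested scope inherits the enclosing KEYNAME
            policy = t[1] if head == "POLICY" else policy
        elif head == "KEYNAME":
            keys[-1] = t[1]
        elif head in ("ACTIONLISTON", "ACTIONLISTOFF"):
            mode = head[10:]                    # "ON" or "OFF"
        elif head == "VALUENAME":               # inside an ACTIONLIST the data follows VALUE
            pending = {"hive": hive, "policy": policy, "key": keys[-1], "value": t[1]}
            pending.update({mode.lower(): t[3]} if mode else {"on": "1", "off": "0"})
        elif head in ("VALUEON", "VALUEOFF") and pending:
            pending[head[5:].lower()] = t[1]    # DELETE: the value is removed in that state
        elif head == "END" and t[1].upper().startswith("ACTIONLIST"):
            mode = None
        elif head == "END" and t[1].upper() in ("CATEGORY", "POLICY", "PART"):
            keys.pop()
    return writes
```

Running parse_adm(SAMPLE_ADM) yields three entries: the "Use Search Asst" value (on "no", off DELETE), the ACTIONLISTON write of "Use Custom Search URL" (on only), and NoControlPanel with the implicit 1/0 pair.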

Getting Registry Keys

Now that you know enough to get started, it is time to figure out how to find registry settings that you can mandate through policies.

The obvious way is simply to search for them using Google (or an equivalent). Another way is to look through Microsoft's template files; again, these are extremely hard to read (so good luck).

The way I usually get registry settings is to use an "uninstaller program" to show the differences in the system between two points in time. This works extremely well for me; the application I use is Ashampoo's Uninstaller Suite (simply because I got it cost-free in a contest), and they do have a demo version available on their website.
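As an added example of the before/after comparison described above (not the author's tool, and the two regedit-style exports are constructed for illustration), this script parses two .reg exports and reports which values were added, removed or changed; that is exactly the information a new POLICY needs: the key, the value name and the data.

```python
import re
# Two constructed regedit exports (added example, not the article's tool output): BEFORE was
# taken before changing settings through the GUI, AFTER immediately afterwards.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
"VisualFXSetting"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst"="yes"
"Start Page"="about:blank"'''
AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
"VisualFXSetting"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst"="no"
"Use Custom Search URL"=dword:00000001'''
VALUE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')   # "name"=data or @=data (the key's default value)

def parse_reg(text):
    # Map (key path, value name) -> raw data text as exported (single-line values only).
    values, key = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = "@" if m.group(1) is None else m.group(1)
            values[(key, name)] = m.group(2)
    return values

def diff_reg(before, after):
    # Report what a policy would have to write (or delete) to turn BEFORE into AFTER.
    old, new = parse_reg(before), parse_reg(after)
    changes = []
    for key, name in sorted(set(old) | set(new)):
        if (key, name) not in old:
            changes.append(("added", key, name, new[(key, name)]))
        elif (key, name) not in new:
            changes.append(("removed", key, name, old[(key, name)]))
        elif old[(key, name)] != new[(key, name)]:
            changes.append(("changed", key, name, new[(key, name)]))
    return changes

if __name__ == "__main__":
    for change in diff_reg(BEFORE, AFTER):
        print("%-8s %s  %s = %s" % change)
```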

If you do create any custom policies and would like me either to include them in my "custom.adm" template or simply to add them to my template library for download, let me know.


© 2017 Mike Petersen - All Rights Reserved