Extending Group Policy

Group Policy is the Swiss Army knife of the Windows Security Administrator. But what about when you want to change a registry setting and it isn’t a preconfigured option in Group Policy? That was my task over the past few weeks.


Note: Windows & .NET magazine ran an article on this in the August 2004 issue. I had to figure this out on my own and got the issue right as I rolled out my new policy.
My company needed to add a list of sites to the Intranet security zone and to enable Integrated Windows Authentication, which lives on the Advanced tab of Internet Explorer's Internet Options. I found that both of these changes are stored in the registry.
The first step was finding the registry keys I needed to change. The Internet Explorer setting that adds a site to the Intranet zone was documented on the Microsoft website. The setting that enables Integrated Windows Authentication was found on another site.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.org, with a DWORD value named * set to 1 (this places domain.org in the Intranet zone).
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, with the DWORD value EnableNegotiate set to 1.
The first step, of course, was to make sure that those registry keys did what I wanted. I tested that and was successful. Now it's time to find a deployment method.
I could put it in a login script and push it out, but that wouldn’t work for the users without administrative rights. I could use remote scripting to list the domain members and push out the script using my admin rights, but that would require the system to be online. I considered dropping the registry key via SMS, but ultimately Group Policy seemed like the best way to go.
I knew that the old NT 4 method of using an ADM template would let me manipulate the registry. The trick was finding out whether that could be used in conjunction with Group Policy. I quickly found that ADM files can be imported. Those of you who used SUS will recall that when it came out you needed to import an ADM file to configure the clients to point to the SUS server for updates.
The next challenge was figuring out how to get what I wanted into ADM format. I did this by looking at the existing ADM templates in c:\winnt\inf. I also downloaded an eval of the Policy Template Editor from Tools4Ever. The eval version allows you to save files. This product helped me make sure my syntax was correct, but it didn't provide much other guidance. It's not really worth the cost.
Here are the two ADM files I used. (The quotes must be plain ASCII double quotes; the curly quotes a word processor inserts will make the template fail to load.)
First template, which maps domain.org into the Intranet zone:
#if version >= 1
CLASS USER
CATEGORY "Windows Components"
CATEGORY "Internet Explorer"
POLICY "TrustMTS"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.org"
; The value is literally named "*". With no VALUEON/VALUEOFF given,
; Enabled writes the default REG_DWORD 1.
VALUENAME "*"
END POLICY ; TrustMTS
END CATEGORY ; Internet Explorer
END CATEGORY ; Windows Components
#endif
[STRINGS]
; no string table entries needed; the names above are literals
Second template, which enables Integrated Windows Authentication:
#if version >= 1
CLASS USER
CATEGORY "Windows Components"
CATEGORY "Internet Explorer"
POLICY !!IntegratedAuth
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
#if version >= 3
EXPLAIN "This policy enables Integrated Windows Authentication (after a browser restart). This setting is in the GUI at Internet Options -> Advanced."
#endif
; Enabled writes REG_DWORD 1 to EnableNegotiate
VALUENAME "EnableNegotiate"
END POLICY ; IntegratedAuth
END CATEGORY ; Internet Explorer
END CATEGORY ; Windows Components
#endif
[STRINGS]
IntegratedAuth="Enable Integrated Windows Authentication"
Creating an ADM file isn't the hardest thing in the world, but you really want to make sure you aren't reinventing the wheel. Group Policy has a lot of settings, and a lot of ADM files are pre-created by Microsoft and available from their site or in the latest server releases. Use their stuff if at all possible.
My next step was to test my ADM file on a local computer using local Group Policy.
To import your ADM file into Group Policy, open the policy. Since I was creating a User policy, I went to Administrative Templates under User Configuration.
Choose Add/Remove Templates, select Add, and select your template.
In the ADM template I told it to place my entry under Windows Components -> Internet Explorer. At first I didn't see an entry there, but then I remembered to open the View menu and turn off "Show Policies Only" (these keys are outside the Policies branch of the registry, so the editor hides them by default).
I now have the ability to turn this registry key on or off on my local machine!!!
After testing this out, I recreated the policy in Active Directory and tried it on a larger group prior to company-wide deployment.
I was very excited about figuring out something on my own, and then Windows & .NET magazine shows up and describes how to do it. Where was that a month ago?
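To confirm on a test machine that both templates actually wrote what they should, here is a verification script I would run during the staged rollout. It is an added example, not part of the original post; it assumes the two ADM policies above are Enabled for the logged-on user and checks the two registry values the post describes.

```powershell
# Added example: verify the registry state the two ADM templates produce.
# Assumes the policies are applied to the current user (HKCU).

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Expected values, taken from the registry keys described in the post.
$expected = @(
    @{ Path = "$base\ZoneMap\Domains\domain.org"; Name = '*';
       Value = 1; Meaning = 'domain.org placed in the Intranet zone' },
    @{ Path = $base; Name = 'EnableNegotiate';
       Value = 1; Meaning = 'Integrated Windows Authentication enabled' }
)

function Test-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return "MISSING KEY: $Path" }

    # The zone-map value is literally named '*'. Get-ItemProperty -Name
    # would treat that as a wildcard, so read it with GetValue() instead.
    $actual = $key.GetValue($Name)
    if ($null -eq $actual) { return "MISSING VALUE: $Path\$Name" }
    if ($actual -ne $Value) {
        return "WRONG VALUE: $Path\$Name = $actual (expected $Value)"
    }
    return "OK: $Path\$Name = $actual"
}

$results = foreach ($e in $expected) {
    [pscustomobject]@{
        Setting = $e.Meaning
        Result  = Test-PolicyValue -Path $e.Path -Name $e.Name -Value $e.Value
    }
}
$results | Format-Table -AutoSize

# Non-zero exit code if anything is missing or wrong, so the script can be
# run from a logon script or a monitoring job and flag machines that
# did not pick up the policy.
if ($results.Result -match '^(MISSING|WRONG)') { exit 1 }
```

Run it after a Group Policy refresh on a pilot machine; a MISSING line usually means the policy has not applied yet or the template was imported under Computer rather than User Configuration.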