[gptalk] Re: Problem implementing a registry setting in ADM

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 26 Oct 2006 14:06:45 -0700

I think its do-able using one of the Part controls--as Alan mentioned the
Checkbox part seems to exhibit the behavior you're after. 
 
 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Victor W.
Sent: Thursday, October 26, 2006 12:31 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem implementing a registry setting in ADM


It seems I have raised a question to which the answer turns out to be not as
simple as I thought. :-)
 
Maybe I want two things in the same policy that aren't possible together.
 
On the one hand I want the registry key to be deleted when the GPO is set to
Disabled.
On the other hand I want the resgistry key to be set to 0 when it is set to
Enabled and No is selected.
 
I am still hoping this is possible somehow.
 
Thanks,
 
 
Victor
 
 
 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: donderdag 26 oktober 2006 15:35
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem implementing a registry setting in ADM


Alan-
I haven't looked at the checkbox part in particular so you may be right, but
in general, that is not the way a "regular" policy behaves. Do you know if
the Dropdownlist part behaves the same way?

Thanks

Darren

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Wednesday, October 25, 2006 9:28 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem implementing a registry setting in ADM



Hi Darren,

 

I think you are mistaken (or I have misunderstood you)

 

You are correct when you define a POLICY. You normally assign a registry
value to it and you can define a VALUEON and VALUEOFF. These can be a value,
or can use the DELETE keyword. (Microsoft uses a Default of DELETE for
VALUEOFF )

 

However a CHECKBOX PART within a POLICY behaves differently. It has a
VALUEON and VALUEOFF parameter, but it also has a DELETE setting which comes
in to effect if the Policy is disabled: effectively this is a Tri-state:-

 

1.       Policy Enabled, CheckBox Enabled = VALUEON setting

2.       Policy Enabled, CheckBox disabled = VALUEOFF setting

3.       Policy Disabled = DELETE

 

This can lead to  confusion if you set the VALUEOFF parameter to be DELETE.
If it is the only PART in the Policy, and there is no keyValue defined for
the Policy, then the Group Policy Editor uses the setting to determine
whether the policy is enabled. This means that you can:-

1.       Enable the policy

2.       Uncheck the check Box

3.       Save the policy

4.       The policy shows as Disabled (rather than enabled)

 

Sounds a bit silly, but if you use the following, it is exactly what happens

 

CLASS MACHINE

CLASS USER

            CATEGORY "Test Policy"

                        POLICY "Test CheckBox"

                                    KEYNAME software\test\checkbox

 

                                    PART test CHECKBOX

                                                KEYNAME
software\test\checkbox

                                                VALUENAME CheckBox

                                                VALUEON 1

                                                VALUEOFF DELETE

                                    END PART ;test

                        END POLICY ;Test CheckBox

            END CATEGORY ;Test Policy

[Strings]

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, 26 October 2006 11:31 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem implementing a registry setting in ADM

 

Oops. Sorry, hit send to fast:

This:

'Disabled'              - the registry setting must not be there

 

Is problematic. The Disabled state will always set a value--it will not
delete a value by default. There is the Delete keyword that you can use
however, in the ADM syntax. That might get you what you need.


Darren

  _____  

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] 
Sent: Wednesday, October 25, 2006 6:29 PM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: RE: [gptalk] Re: Problem implementing a registry setting in ADM

The only thing I'll add to Alan's comments Victor is that I think you will
have problems with the following that you wrote:

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Wednesday, October 25, 2006 5:59 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem implementing a registry setting in ADM

Hi Victor,

 

You are pretty well correct with what you have written. 

 

One thing that is a little confusing is whether you want a Tri-state (i.e.
Missing, 1, or 0) setting or a Bi-state setting (1, 0). I suspect a Bi-state
setting since the application will normally treat a "missing" as "0".

 

If you want a tristate setting, then you can do it as a checkbox or a
Listbox within a Policy and it will behave as you wish

 

If you want a Bi state , then you can do it just as a Policy

 

One other point, "Not configured" always means "do nothing" It has to be
this way otherwise all of the polices that you don't configure would be
removing entries on you

 

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Victor W.
Sent: Thursday, 26 October 2006 5:43 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem implementing a registry setting in ADM

 

Hi,

 

I have decided to implement it with the drop down list afterall. 

This is because this way there is probably less confusion when somebody
selects "enable".

He then has two choices Yes and No, I know this is confusing but probably
less confusing then with the checkbox.

 

But it got me thinking about the whole matter and that was a good thing.

 

I would like to go through the ADM file to be sure I am correct in my
assumption:

 

What I would like the following to mean in the GPO is:

 

'Not Configured'     - the registry setting must not be there

'Enabled'               - the registry setting must be there with a value of
1

'Disabled'              - the registry setting must not be there

 

 

When Enabled has been selected and Yes is selected in the drop downlist -
the registry setting must be there with a value of 1

When Enabled has been selected and No is selected in the drop downlist - the
registry setting must be there with a value of 0

 

Is all the above possible?

 

 

Below is the adm file as it is now (I have put a lot of spaces in a part
section, this can also probably be done otherwise).

 

 

CLASS MACHINE

CATEGORY "Office Components"

           POLICY "PST Restrictions"

           KEYNAME "SOFTWARE\Microsoft\Office\11.0\Outlook"

                        PART "This setting restricts the use of PST files."
TEXT

                        END PART

 

PART "
"

TEXT

END PART

PART "Restrict PST files" DROPDOWNLIST

    VALUENAME DisablePST

            ITEMLIST

            NAME "Yes" VALUE NUMERIC 1 DEFAULT

            NAME "No" VALUE NUMERIC 0 

            END ITEMLIST

                        END PART

            END POLICY

END CATEGORY

 

Cheers,

 

 

Victor

 

 

 

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Victor W.
Sent: zondag 22 oktober 2006 11:19
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem implementing a registry setting in ADM

Hi Alan,

 

Great work. I will implement it this way and offcourse will take a look at
the tool you suggested ;-)

 

Cheers,

 

 

Victor

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: donderdag 19 oktober 2006 23:59
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Problem implementing a registry setting in ADM

Hi Victor,

 

You are correct that the problem is in your  ItemList. The parts in bold are
not valid:-

 

ITEMLIST
NAME "Yes" VALUE Numeric 1
VALUE NUMERIC 1 DEFAULT
NAME "No" VALUE Numeric 0
VALUE NUMERIC 0 
END ITEMLIST

An item list is a list of options. Each option must have a NAME and a VALUE.
You can have other keywords such as Numeric and Default.

 

Note: You don't really need to use an item List. A checkbox would be simpler
since it gives you an effective Yes/No value:-

 

   PART "Restrict pst files" CHECKBOX
    KEYNAME SOFTWARE\Microsoft\Office\11.0\Outlook
    VALUENAME DisablePST
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
   END PART ;Restrict pst files

Note: At the risk of incurring the rage of list members, you should consider
using an ADM Editor tool (we sell one). If nothing else, download it and
play with it for a month and you will learn a lot about writing your own ADM
files!

 

 Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
 <http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

----- Original Message ----- 

From: "Victor W." < <mailto:victor-w@xxxxxxxxx> victor-w@xxxxxxxxx>

To: < <mailto:gptalk@xxxxxxxxxxxxx> gptalk@xxxxxxxxxxxxx>

Sent: Friday, October 20, 2006 7:08 AM

Subject: [gptalk] Re: Problem implementing a registry setting in ADM

 

> 
> I managed to get it working, see below.
> It seems as if the Yes and No checkboxes dont go together with the VALEUON
> NUMERIC 1 and the VALUEOFF NUMERIC 0.
> Am I correct in my assumption?
> 
> CLASS MACHINE
> CATEGORY "Custom ADM Entries"
> POLICY "PST Restrictions"
> KEYNAME "SOFTWARE\Microsoft\Office\11.0\Outlook"
> PART "This setting restricts the use of PST files. Sander
> asks waarom?" TEXT
> END PART
> PART "Do you want to restrict PST files?" DROPDOWNLIST
> VALUENAME "DisablePST"
> ITEMLIST
> NAME "Yes" VALUE Numeric 1
> DEFAULT
> NAME "No" VALUE Numeric 0
>  END ITEMLIST
> END PART
> END POLICY
> END CATEGORY
> 
> 
> 
> 
> 
> -----Original Message-----
> From:  <mailto:gptalk-bounce@xxxxxxxxxxxxx> gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Victor W.
> Sent: donderdag 19 oktober 2006 22:33
> To:  <mailto:gptalk@xxxxxxxxxxxxx> gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem implementing a registry setting in ADM
> 
> Thanks, that did it.
> 
> I now changed the adm file a bit and now it looks like this, but it gives
me
> an error when I add it.
> 
> CLASS MACHINE
> CATEGORY "Custom ADM Entries"
> POLICY "PST Restrictions"
> KEYNAME "SOFTWARE\Microsoft\Office\11.0\Outlook"
> VALUENAME "DisablePST"
> VALUEON NUMERIC 1
> VALUEOFF NUMERIC 0
> 
> PART "Restricting the use of PST files" TEXT
> END PART
> 
> PART "I want to restrict PST files" DROPDOWNLIST
> 
> ITEMLIST
> NAME "Yes" VALUE Numeric 1
> VALUE NUMERIC 1 DEFAULT
> NAME "No" VALUE Numeric 0
> VALUE NUMERIC 0 
> END ITEMLIST
> END PART
> END POLICY
> END CATEGORY
> 
> It gives me the error that line 21 has no value.
> 
> Anybody familiar with this?
> 
> Cheers,
> 
> 
> Victor
> 
> 
> 
> -----Original Message-----
> From:  <mailto:gptalk-bounce@xxxxxxxxxxxxx> gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Robert Tannehill
> Sent: donderdag 19 oktober 2006 17:00
> To:  <mailto:gptalk@xxxxxxxxxxxxx> gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Problem implementing a registry setting in ADM
> 
> Victor,
> Make sure on the GPMC, you set View, Filtering, Only show policy settings
> that can be fully managed to Unchecked.
> Bob 
> 
> -----Original Message-----
> From:  <mailto:gptalk-bounce@xxxxxxxxxxxxx> gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of  <mailto:victor-w@xxxxxxxxx> victor-w@xxxxxxxxx
> Sent: Thursday, October 19, 2006 8:49 AM
> To:  <mailto:gptalk@xxxxxxxxxxxxx> gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Problem implementing a registry setting in ADM
> 
> Gents and ladies,
> 
> I am trying to implement the following registry setting in an ADM file but
> it simply doenst show up in the GPO editor/GPMC.
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Outlook]
> "DisablePST"=dword:00000001
> 
> The folder itself (Custom ADM Entries), does appear but the setting simply
> isnt there.
> Am I missing something? I sure must be :-)
> 
> I this setting I would also like to implement the VALUEON NUMERIC 1 and
the
> VALUEON NUMERIC 0. So that the setting is not deleted when choosing
disable.
> 
> Any suggestions are greatly appreciated.
> 
> See the adm file below.
> 
> Cheers,
> 
> 
> Victor
> 
> 
> CLASS MACHINE
> CATEGORY "Custom ADM Entries"
> POLICY "PST Restrictions"
> KEYNAME "SOFTWARE\Microsoft\Office\11.0\Outlook"
> PART "Do you want to restrict PST files?" TEXT
> END PART
> PART "I want to restrict PST files" DROPDOWNLIST
> VALUENAME DisablePST
> ITEMLIST
> NAME "Yes" VALUE Numeric 1
> NAME "No" VALUE Numeric 0
> END ITEMLIST
> END PART
> END POLICY
> END CATEGORY
> 
> ***********************
> You can unsubscribe from gptalk by sending email to
>  <mailto:gptalk-request@xxxxxxxxxxxxx> gptalk-request@xxxxxxxxxxxxx with
'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at  <http://www.freelists.org/archives/gptalk/>
http://www.freelists.org/archives/gptalk/
> ************************
> ***********************
> You can unsubscribe from gptalk by sending email to
>  <mailto:gptalk-request@xxxxxxxxxxxxx> gptalk-request@xxxxxxxxxxxxx with
'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at  <http://www.freelists.org/archives/gptalk/>
http://www.freelists.org/archives/gptalk/
> ************************
> 
> ***********************
> You can unsubscribe from gptalk by sending email to
>  <mailto:gptalk-request@xxxxxxxxxxxxx> gptalk-request@xxxxxxxxxxxxx with
'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at  <http://www.freelists.org/archives/gptalk/>
http://www.freelists.org/archives/gptalk/
> ************************
> 
> ***********************
> You can unsubscribe from gptalk by sending email to
<mailto:gptalk-request@xxxxxxxxxxxxx> gptalk-request@xxxxxxxxxxxxx with
'unsubscribe' in the Subject field OR by logging into the freelists.org Web
interface. Archives for the list are available at
<http://www.freelists.org/archives/gptalk/>
http://www.freelists.org/archives/gptalk/
> ************************ 

Other related posts: