Finding a specific Group Policy Setting

Long time no hear – or whatever they say. I’ve been busy, starting a new job and stuff, so I had no time to blog the last couple of weeks.

Have you found yourself in the situation when you have a specific Windows setting, an Office behavior or a third party application – and you want to control that with Group Policy? Have you found yourself searching the right place to start digging for that setting? How will you know there’s a GPO for what you need and where it’s located? Hmm – there are a couple of steps that I follow usually.

Check whether there’s a built-in GPO

Your first step probably is to check if there’s a ready-to-go GPO you can deploy. For that, you can fire up GPMC and check there. But other than browsing through the GPEditor tree or using the GPMC search, there are other two additional options. Those are good when you are with a customer and can’t get your hands on a machine with GPMC loaded. The first option is one of the coolest Azure apps I’ve seen: http://gps.cloudapp.net. GPS stands for Group Policy Search – you can search for GPOs by name or browse the GPO tree “virtually”. You can get it from any machine with internet access. If you’re more the download-n-go kind of guy, someone who sticks with references, there’s a GPO reference Excel spreadsheet: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en. They contain the setting names, the registry location the settings change, the path to browse and the “supported on” information. All searchable – and filterable, excel-like. That should get you going.

By now, you should know if there’s a built-in GPO you can use. In case you found what you were searched, consider yourself done with this article. If not, read on.

Check whether there’s a custom ADM(X) template

So no luck with the built-in stuff. Good thing there’s the community and fine places you can find and download ADM(X) templates from. ADM(X) templates are simply templates you can add to Group Policy Editor – based on the information in the template, the correct registry settings are forced on the client. Reading this, you probably noticed that this only works for registry settings, so it’ll only add “Administrative Templates” settings. There are ADM template files for pre-Vista GPMC administrators and ADMX template files for Vista+ GPMC administrators. Vista+ GPMC understands ADM, too, but XP’s GPMC only eats ADM template files. So be sure to search and find for the correct format.

For Microsoft Office, there are downloadable ADM(X) template files around: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7 and http://www.microsoft.com/downloads/en/details.aspx?FamilyID=64b837b6-0aa0-4c07-bc34-bec3990a7956&displaylang=en. No biggie to find them. ADM templates can be imported in GP Editor by clicking the “Administrative Templates” node and choosing “Add/Remove template”. For ADMX, you’ll have to either copy the files to the CentralStore or to the local PolicyDefinitions folder and re-open the GPEditor. It appears that I have created a link list for ADM template files in the past: http://www.frickelsoft.net/blog/?p=38, you may find other ADM template using Bing or Google or any other search engine. If you’re familiar with German, at least a bit, you can check Mark Heitbrink’s Group Policy site in German. He has a ton of ADM template files you can download and adjust: http://www.gruppenrichtlinien.de/index.html?/adm/Beispiele.htm. #24 for Adobe Reader is a real pearl :-) Also, I’ve found http://www.appdeploy.com has some good tips for you. They not only have tips and tricks about zero-touch installations, unattended installer packages and script installations, I’ve seen a couple of good ADM templates there. Worth a try!

Tracing the software setting’s steps

Still not lucky? Okay, time to get our hands dirty. When you change a setting, close the application and re-open it, the setting needs to get stored somewhere. Pretty likely that’s some place in the registry or some ugly .ini file. You only need to find where. There are tools that help you with that. Regshot is one of these great tools for free. You create a “before” snapshot of the registry, then open your app, change the setting, close it and make a “after” snapshot. You then compare the two and find the changes the software setting obviously had to make: http://sourceforge.net/projects/regshot/. There are other tools out there. Process Monitor (formerly FileMon and Regmon) is a great tool that helps you trace file and registry operations and filter for applications: http://technet.microsoft.com/en-us/sysinternals/bb795533.

Once you’ve found the location and the values a switch flip in your application changes, you’ll just have to deploy them via Group Policy. There are numerous ways – but today, you don’t want to use most them anymore. For a registry change, you can

(1)Â Write a custom ADM template file and import it: http://www.frickelsoft.net/blog/?p=62
(2) Create a registry export on a sample machine and import it via a script: “regedit.exe /s myReg.reg”
(3)Â Use GP Preferences Registry settings to deploy the changes all in once!

Clearly, option 3 is the way to go. Creating custom ADM templates is… well, not too easy. Scripting is … yeah, so 1990.

2 Comments so far

  1. [...] Blog » Finding a specific Group Policy Setting] http://www.frickelsoft.net/blog/?p=277 Verwandte Beiträge:Gruppenrichtlinien für Office 2010 Bereits seit zwei Wochen sind die ADM- [...]

  2. Markus on August 23rd, 2011

    English text below
    Ergänzung:
    bei der CloudApp sollte man sich UNBEDINGT das Group Policy Search Connector AddOn für Windows 7 herunterladen. Die OSDX Datei befindet sich in einer Zip-Datei unter “Settings>>>Add Search Connector”
    oder direkt hier http://gps.cloudapp.net/grouppolicysearch.zip
    Danach wird unter Favoriten ein neuer Suchordner angelegt, mit dem man Bequem die Group Policys durchsuchen kann!

    Addition:
    You MUST use the Group Policy Search Connector for Windows 7. THe OSDX file is placed in a zip file, which can be downloaded under “Settings>>>Add Search Connector” or directly from here: http://gps.cloudapp.net/grouppolicysearch.zip

    After adding the Search Connector a new search folder can be used in the Windows Explorer Favorites, with which you can search for group policy in a most comfortable way.

    Grüße / Regards
    Markus