Product Description

The Windows 2000 Registry is the repository for all hardware, software, and application configuration settings. Managing the Windows 2000 Registry is the system administrator's guide to maintaining, monitoring, and updating the Registry database. The book addresses four main areas:

• What the Registry is and where it lives on disk; includes a discussion of disaster recovery
• Available tools; includes Resource Kit utilities as well as the Registry Editors
• How to access the Registry from a program; includes examples in C++, Visual Basic, and Perl
• Registry content; includes descriptions of selected undocumented keys

Product Details

• Amazon Sales Rank: #1136650 in Books
• Published on: 2000-08-30
• Original language: English
• Number of items: 1
• Binding: Paperback
• 556 pages

About the Author
Paul Robichaux is an experienced software developer and author and the principal of Robichaux and Associates, Inc. He has worked on Unix, Macintosh, and Win32 development projects over the past eight years, including a stint on Intergraph's OLE team. He is the author of Managing the Windows NT Registry and Managing Microsoft Exchange Server.

Excerpt. © Reprinted by permission. All rights reserved.
Chapter 7

Using Group Policies

One of the most powerful capabilities included with Windows 2000 is the Group Policy mechanism. Active Directory provides a comprehensive way for administrators to manage network resources. When you use Active Directory, Group Policy allows you to apply policies to users and computers over the entire hierarchy of your network, from entire domains right down to individual computers.

As you learned in the preceding chapter, the Windows NT 4.0 System Policy Editor is used to configure membership-based permissions for users, groups, and computers in a domain. System policies, such as desktop appearance and program control, can be distributed and applied to whole domains. For Windows 2000 network clients, policies are no longer Registry-based; they're replaced by Group Policy. By associating policies with actual objects in Active Directory, each site, domain, and organizational unit can distribute its own set of policy demands. You manage this capability with the Group Policy snap-in for the Microsoft Management Console (MMC). Group Policy, sometimes referred to as the Group Policy Editor, uses policy files to interface to a system's Registry.

What Are Group Policies? In a general sense, policies define what a user can and can't do. Under Windows 2000, system administrators use Group Policy to manage the policies that apply to computers and users within a site or domain. These policies define certain aspects of the user's desktop environment. They specify system behavior, and they restrict what users are allowed to do. In short, a policy is simply a group of related settings an administrator can set.

Many of these policy settings are applied to keys in the Registry. The specific keys and values written into the Registry depend on the policies you're trying to enforce. In the Windows NT world, policy changes are persistent because they're applied throughout the Registry, and no mechanism exists to sweep away the changes once they're made (though one policy's changes can be overwritten by another set of changes that occurs later).

Under Windows 2000, Group Policy settings that modify the Registry are always applied in one of four Registry subtrees. Microsoft recommends that Windows 2000-savvy applications should look for policy information in HKLM\Software\Policies and HKCU\Software\Policies. If they don't find their settings there, they can look in HKLM\Software\Microsoft\CurrentVersion\Policies and HKCU\Software\Microsoft\Windows\CurrentVersion\Policies. If the application still hasn't found the settings it needs, it can look elsewhere in HKCU or HKLM, or even in INI files (though that's strongly discouraged). None of these subtrees may be modified by nonadministrators.

Elements of a Group Policy Much the same way that the Registry is arranged in a hierarchical structure, policies are categorized into sections and subsections. The sections and subsections that build the hierarchy of Group Policy are called categories. Think of categories like folders: a group policy contains one or more categories, and each category may contain subordinate categories. The subordinate categories may contain their own subcategories, and so on. In addition to containing subcategories, categories contain the specific policies an administrator can configure.

Each policy controls the behavior of one aspect of a user's environment. For example, a simple desktop policy specifies whether to hide all icons on the desktop. There are more elaborate policies that define the default quota limit and warning level for an individual filesystem.

Remember that these specific policies are applied to keys in the Registry. The number of Registry keys affected depends on the complexity of the actual policy. A single policy can consist of multiple settings, or parts. A part represents a single value that is stored in the Registry. Each policy is made up of zero or more parts. The policy for hiding icons on the desktop does not contain any parts; it's simply enabled or disabled. The quota limit and warning level policy, however, contains a number of parts, one for each value that needs to be stored: the default quota limit value, the measurement units for the quota limit, and so on. Since policies require values of various data types, parts differ as to their permissible values. Some parts require strings, some require numeric values, and some parts' values are restricted to a set of predefined values.

User Versus Machine Policies There are two types of group polices: polices that apply to the computer and policies that pertain to users. Computer configuration policies apply to all users on a computer and are active whenever a machine is running. They're stored in the HKLM section of the machine's Registry and include policies that define security settings, desktop appearance, and startup and shutdown scripts. They're applied when the machine boots. This is different from System Policy Editor machine policies, which are applied when a user logs on.

User configuration settings, on the other hand, are active for each user on a computer. They're stored in the Registry under HKCU and define user-specific settings such as assigned programs, program settings, and desktop appearance. Unlike computer settings, which remain in effect until the computer is shut down, user configuration settings are reloaded for each new user. In this way, user policies can be downloaded for a user, regardless of what machine she logs into. You can specify user policies that can be applied to all users of a specific machine, or you can apply policies that apply only to specific users no matter where they log on. TIP:

For detailed information about these templates and the policies, Registry keys, and values that they cover, refer to Appendix A, User Configuration Group Policy Objects, and Appendix B, Computer Configuration Group Policy Objects.

--------------------------------------------------------------------------------

1. You sometimes see reference to the local machine policy; that's just another name for the LGPO.

2. A second, but much more ambitious, way to extend the functionality of Group Policy is to write a software extension for the Group Policy snap-in. Software development, unfortunately, is beyond the scope of this book.

Customer Reviews

Fun for all levels
Regardless of your experience with the registry, this book can be of value to you. Despite the title, there are references in almost every section of the book on the Windows NT 4 registry, which can be helpful if you are working in a mixed environment or are coming from the NT 4 side of things.

The author starts the book by assuming you have no previous experience with the registry, and takes you on a 5 chapter tour, covering topics such as the history of the registry, how to navigate, what each part does, how to back it up and restore it, the different editors you can use, etc. From there, the book progresses for a couple of chapters on configuring policies - using the Policy Editor and GPO/OU policies within Windows 2000.

The author does include a surprising chapter in the middle entitled "Programming with the Registry" (Chapter 8) in which he covers many of the API calls for the registry and the Shell Utility, and then gives demos in C/C++, Perl and Visual Basic. My personal opinion is that that chapter is a little advanced for the book as a whole, but if you're not into it, it can be skipped without much loss to you.

The book also spends 2 chapters covering administration and tweaks (plus a great index section on the Group Policy Objects), and the final chapter documents what each hive in the registry does.

All in all, it's worth a read.

Mostly good
Really I would give it 4.5 stars if I could.

It's a good book, but it should be titled 'NT and 2000 registry'. It discusses both. This might be a bonus to some (who would like info on both) and a disadvantage to others (who already own stuff about NT registry). There are a few errors and some things I would change, and I wouldn't say it's as good as some other Oreilly books I've read.

There are sections just about policy settings which is good and a nice set of appendicies.