Using Group Policy To Support Custom Applications In Your Environment
With the introduction of Group Policy in Windows 2000 Microsoft made a huge step forward in creating a better manageable platform. It took some getting used to but after a while using Group Policy to manage your (Terminal Server) environment became a best practice.
Mainstream products like Microsoft Office and Internet Explorer all come with administrative templates that you can use with Group Policy to manage these applications. But what if you have an application that isn’t up there with Microsoft Office in terms of manageability? What if there’s no administrative template supplied by the vendor? Well, assuming the preferences / settings are stored in the registry, then you can create your own administrative template that you can use in Group Policy.
An example: the Softgrid Terminal Server Client
The easiest way to show you how you should go about creating your own administrative templates is to use an example. Although the Softgrid Terminal Server client is by no means an obscure application, it is one that comes without an administrative template. The Softgrid Terminal Server client is an example of an application that stores all settings in the registry.
One of the more important settings you can make in the Softgrid Terminal Server client is the Desktop Configuration Server. You can do this by opening up the Softgrid Client Management Console and setting the Desktop Configuration Server.
When you do configure a Desktop Configuration Server, this value is saved in the registry under the “DC Servers” key:
Usually the same Desktop Configuration server is used by multiple Softgrid Terminal Server clients. It would be nice if you could manage the DC server location for all Softgrid Terminal Server clients in one place, now wouldn’t it? Well you can do this if you manage these settings via Group Policy. Let’s take a look at how we can do this.
First we have to create our own administrative template we can import into our Group Policy. To do this, we will use a tool called Reg2Adm. This tool is part of a suite of tools called N.U.T.S. (Network administrators Utilities Set). One of the tools in this suite is Reg2Adm. This tool -gasp- converts registry files (.reg files) to administrative templates (.adm files).
To be able to convert the registry entries on the Terminal Server to an administrative template we have to export the registry entries we want. Let’s just take the “DC Servers” key as an example. Just right click on the key in regedit and click “export”.
Next, fire up Reg2Adm and open the .reg file you exported:
You can edit the registry on the right and then click File>Regenerate ADM text. To keep it simple, we we’ll only put the “Host” and the “Port” value names into the administrative template.
It’s important to remember that you shouldn’t worry about the other values being overwritten or deleted. When you apply the Group Policy we will create, it will only configure the settings that are in the administrative template (Host and Port) and it will leave the other values (and subkeys) alone. We can now save this administrative template by selecting File>Save ADM Template.
Next it’s time to import our administrative template into our Group Policy. In our example I’ll be using a local Group Policy, so I’ll run gpedit.msc and import our administrative template.
After we’ve done that, we can see our creation by expanding “Administrative Templates”. Can’t find it? Don’t panic, this is because it’s an “unmanaged policy”. In Gpedit.msc, while selecting the “Administrative Templates” of the Local Computer Policy, navigate to Action>Filtering. In the pop-up windows uncheck “Only show policy settings that can be fully managed”. With that done, you should be able to see our imported administrative template:
Yikes! I know, she isn’t much of a looker, is she? Let’s do something about that. First, we can change the “SOFTWARE\Softricity\SoftGrid Client\CurrentVersion\DC Servers\SG01” to something more descriptive. There are several tools out there that can help you with this. However, the tool I prefer to use for administrative template editing – the Policy Template Editor - isn’t free and the evaluation version does not allow you to save your changes. So, since this is only a simple example, I’ll show you how to do it with the skeleton key equivalent on Windows: notepad.
Opening the administrative template we created in notepad, should yield the following:
CATEGORY "SOFTWARE\Softricity\SoftGrid Client\CurrentVersion\DC Servers\SG01"
KEYNAME "SOFTWARE\Softricity\SoftGrid Client\CurrentVersion\DC Servers\SG01"
First, let’s change the description as it appears under the “Administrative Templates” in the Group Policy management console. To do this, change the text between the quotes in the “CATEGORY” line (3rd line).
Next, it would be nice to change the descriptions given under “Setting” column in the right hand side of the Local Group Policy management console. To do this, we should change the text in the “PART” section of the administrative template.
Finally, it would be nice to add a “description” to the administrative template. Descriptions have become available since Windows 2000. To add a description, you have to know a bit more about the syntax of administrative templates. If you’ve done all this you should end up with an administrative template that looks like the one depicted below (all the changes to the original template are bold).
By the way, be sure to save the administrative template in UNICODE!
CATEGORY "Softgrid Client Settings"
KEYNAME "SOFTWARE\Softricity\SoftGrid Client\CurrentVersion\DC Servers\SG01"
PART "Host name of Desktop Configuration Server"
PART "The Port number used by the Desktop Configuration Server"
sg_setting_Host_explain="The Host name is the NETBIOS name of the Desktop Configuration Server"
sg_setting_Port_explain="The Port number used by the Desktop Configuration Server. The Default is 554"
This is what our example administrative template should look like in the local Group Policy mmc:
Now, the example we used in this article is of course a very simple one to demonstrate what you can do to manage applications within Group Policy. We only included two settings in our administrative template. Naturally there are a lot more settings that you might want to have configured in your administrative templates. An excellent example of this is Rodney Medina’s Softgrid administrative templates. They cover every imaginable aspect of the Softgrid Client and come well documented.
There are several important things to note about creating your own administrative templates. First, it’s extremely important that you have a thorough knowledge of the registry settings that are associated with the software you are writing the administrative template for.
Secondly, you should know that using these kinds of administrative templates isn’t exactly the same as using only the Group Policies that come with Windows. To make a long story short, the custom settings you use in your administrative templates are “tattooed”. This means that if you disable the Group Policy containing the administrative template, the settings do not get reverted to their original value like in a “true” Group Policy but the settings are permanent (hence the term tattoo).
And as a last pointer, you should know that administrative templates do not support all kinds of registry values. For example it’s impossible to have “REG_MULTI_SZ” or “REG_BINARY” values in your Group Policy. There are several tools out there that can help you out with this but one I would like to highlight is the DesktopStandard PolicyMaker Registry Extension because it’s free.
This article showed you how you can use Group Policy to support custom applications in your Terminal Server / Citrix environments. Creating the administrative templates might initially be a pain but once you get into it, you can fully harness the power of Group Policy – not just for custom applications but for a lot more.