#68036 - 2002-07-11 01:58 PM
Re: Determine NTConfig.pol entries
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
Patrick,
Do you have POLEDIT.EXE? That is the easiest way to look inside these files.
Kent
#68039 - 2002-07-11 02:44 PM
Re: Determine NTConfig.pol entries
|
Chris S.
MM club member
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
Why not run one of the many registry watcher programs out there as you apply your policies? Here's a free one that will create a log for you...
InstallWatch 2.5
#68040 - 2002-07-11 02:59 PM
Re: Determine NTConfig.pol entries
|
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
|
Patrick - yes - that's kinda what I thought - a very cool and noble cause because to be honest, I would LOVE to have such a utility as well. We got about a bazillion custom policies - and it's a pain-in-the-a$$ to document them all. Plus, a reporting tool would be very useful when double checking policy changes, after modifications are made (we all know what can happen when one forgets to include a reference to a template, when making changes) ...
Remember at the time, was thinking about writing a Kix script to do this - but the thought of parsing the ADM file - and then trying to "reverse engineer" and "match-up" the policy settings (like POLEDIT does) turned me off - imho - POLEDIT is a magic piece of software - when you really delve into it.
Another option might be a LIGHTWEIGHT reporting tool. Not too sure if you know this or not, but one can LOAD a .POL file, just like any other REGISTRY HIVE. .POL IS A registry hive actually. I load them to manually review changes - and then do a registry export on the before and after hives - just to double check that I haven't dropped anything.
Having said that, maybe you could:
1) Load the .POL hive into HKU and give it a name. Use LOADHIVE() and UNLOADHIVE()
2) Enumerate the loaded hive using READVALUE() and produce a report.
All the GROUP information is embedded in the hive, as registry keys. Lots of good stuff in there.
Problem is - you won't get all the "description strings" from the template ... but if you did want to pursue parsing the ADM, this "backward" approach might help. But believe me - any way you slice it - if you did get it going - I would be first in line to download and use it.
-Shawn
[ 11 July 2002, 15:08: Message edited by: Shawn ]
#68042 - 2002-07-12 01:28 PM
Re: Determine NTConfig.pol entries
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Would you like a script that outputs the contents of ADM files looking like this (example is WINNT.ADM):
code:
Registry hive: MACHINE
|-Windows NT Network
| |-Sharing
| | Key: System\CurrentControlSet\Services\LanManServer\Parameters
| | Policy: Create hidden drive shares (workstation)
| | Entry: 'AutoShareWks'
| | Policy: Create hidden drive shares (server)
| | Entry: 'AutoShareServer'
|-Windows NT Printers
| Key: System\CurrentControlSet\Control\Print
| Policy: Disable browse thread on this computer
| Entry: 'DisableServerThread'
| Policy: Scheduler priority
| Entry: 'SchedulerThreadPriority'
| Policy: Beep for error enabled
| Entry: 'BeepEnabled'
|-Windows NT Remote Access
| Key: System\CurrentControlSet\Services\RemoteAccess\Parameters
| Policy: Max number of unsuccessful authentication retries
| Entry: 'AuthenticateRetries'
| Policy: Max time limit for authentication
| Entry: 'AuthenticateTime'
| Policy: Wait interval for callback
| Entry: 'CallbackTime'
| Policy: Auto Disconnect
| Entry: 'AutoDisconnect'
|-Windows NT Shell
| |-Custom shared folders
| | Key: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
| | Policy: Custom shared Programs folder
| | Entry: 'Common Programs'
| | Policy: Custom shared desktop icons
| | Entry: 'Common Desktop'
| | Policy: Custom shared Start menu
| | Entry: 'Common Start Menu'
| | Policy: Custom shared Startup folder
| | Entry: 'Common Startup'
|-Windows NT System
| |-Logon
| | Policy: Logon banner
| | Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
| | Entry: 'LegalNoticeCaption'
| | Entry: 'LegalNoticeText'
| | Policy: Enable shutdown from Authentication dialog box
| | Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
| | Entry: 'ShutdownWithoutLogon'
| | Policy: Do not display last logged on user name
| | Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
| | Entry: 'DontDisplayLastUserName'
| | Policy: Run logon scripts synchronously.
| | Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
| | Entry: 'RunLogonScriptSync'
| |-File system
| | Key: System\CurrentControlSet\Control\FileSystem
| | Policy: Do not create 8.3 file names for long file names
| | Entry: 'NtfsDisable8dot3NameCreation'
| | Policy: Allow extended characters in 8.3 file names
| | Entry: 'NtfsAllowExtendedCharacterIn8dot3Name'
| | Policy: Do not update last access time
| | Entry: 'NtfsDisableLastAccessUpdate'
|-Windows NT User Profiles
| Key: Software\Microsoft\Windows NT\CurrentVersion\winlogon
| Policy: Delete cached copies of roaming profiles
| Entry: 'DeleteRoamingCache'
| Policy: Automatically detect slow network connections
| Entry: 'SlowLinkDetectEnabled'
| Policy: Slow network connection timeout
| Entry: 'SlowLinkTimeOut'
| Policy: Slow network default profile operation
| Entry: 'SlowLinkProfileDefault'
| Policy: Choose profile default operation
| Entry: 'ChooseProfileDefault'
| Policy: Timeout for dialog boxes
| Entry: 'ProfileDlgTimeOut'

Registry hive: USER
|-Windows NT Shell
| |-Custom user interface
| | Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
| | Policy: Custom shell
| | Entry: 'Shell'
| |-Custom folders
| | Key: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
| | Policy: Custom Programs folder
| | Entry: 'Programs'
| | Policy: Custom desktop icons
| | Entry: 'Desktop'
| | Policy: Hide Start menu subfolders
| | Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| | Entry: 'NoStartMenuSubFolders'
| | Policy: Custom Startup folder
| | Entry: 'Startup'
| | Policy: Custom Network Neighborhood
| | Entry: 'NetHood'
| | Policy: Custom Start menu
| | Entry: 'Start Menu'
| |-Restrictions
| | Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| | Policy: Only use approved shell extensions
| | Entry: 'EnforceShellExtensionSecurity'
| | Policy: Remove View->Options menu from Explorer
| | Entry: 'NoOptions'
| | Policy: Remove Tools->GoTo menu from Explorer
| | Entry: 'NoGoTo'
| | Policy: Remove File menu from Explorer
| | Entry: 'NoFileMenu'
| | Policy: Remove common program groups from Start menu
| | Entry: 'NoCommonGroups'
| | Policy: Disable context menus for the taskbar
| | Entry: 'NoTrayContextMenu'
| | Policy: Disable Explorer's default context menu
| | Entry: 'NoViewContextMenu'
| | Policy: Remove the "Map Network Drive" and "Disconnect Network Drive" options
| | Entry: 'NoNetConnectDisconnect'
| | Policy: Disable link file tracking
| | Entry: 'LinkResolveIgnoreLinkInfo'
| | Policy: Remove NT Security item from Start menu
| | Entry: 'NoNTSecurity'
| | Policy: Remove Disconnect item from Start menu
| | Entry: 'NoDisconnect'
| | Policy: Remove Logoff item from Start menu
| | Entry: 'NoLogoff'
| | Policy: Prevent user from changing file type associations
| | Entry: 'NoFileAssociate'
|-Windows NT System
| Policy: Parse Autoexec.bat
| Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
| Entry: 'ParseAutoexec'
| Policy: Run logon scripts synchronously.
| Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
| Entry: 'RunLogonScriptSync'
| Policy: Disable Logoff
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| Entry: 'NoLogoff'
| Policy: Disable Task Manager
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| Entry: 'DisableTaskMgr'
| Policy: Disable Lock Workstation
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| Entry: 'DisableLockWorkstation'
| Policy: Disable Change Password
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| Entry: 'DisableChangePassword'
| Policy: Show welcome tips at logon
| Key: Software\Microsoft\Windows\CurrentVersion\Explorer\Tips
| Entry: 'Show'
|-Windows NT User Profiles
| Policy: Limit profile size
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| Entry: 'EnableProfileQuota'
| Entry: 'ProfileQuotaMessage'
| Entry: 'MaxProfileSize'
| Entry: 'IncludeRegInProQuota'
| Entry: 'WarnUser'
| Entry: 'WarnUserTimeout'
| Policy: Exclude directories in roaming profile
| Key: Software\Policies\Microsoft\Windows\System
| Entry: 'ExcludeProfileDirs'
You would? Here you go then: quote: USE NEWER VERSION POSTED BELOW
It doesn't parse everything (help comments for example), but the framework is there to add the rest.
Unfortunately the real world (work) has intervened so I'm going to have to leave it now.
NB When specifying the "ADM" file be sure to include a path name otherwise the string lookups will fail, i.e. "WINNT.ADM" will *not* work, ".\WINNT.ADM" will.
Of course it is trivial to use the information to read the reg keys and display the contents, but I leave that as an exercise for the reader
[ 12 July 2002, 16:43: Message edited by: Richard Howarth ]
#68043 - 2002-07-12 01:56 PM
Re: Determine NTConfig.pol entries
|
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
|
#68044 - 2002-07-12 02:02 PM
Re: Determine NTConfig.pol entries
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
#68045 - 2002-07-12 02:36 PM
Re: Determine NTConfig.pol entries
|
MightyR1
MM club member
Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
|
#68046 - 2002-07-12 03:22 PM
Re: Determine NTConfig.pol entries
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Ok, fixed up as a UDF to make calling it easier and added code to display current registry values.
Not much of interest appears in the example as I'm running it on a vanilla Win95 machine.
quote: USE NEWER VERSION POSTED BELOW
Fixed schoolboy error in deleted post where strings were not being expanded. Tch.
[ 12 July 2002, 16:44: Message edited by: Richard Howarth ]
#68049 - 2002-07-12 04:39 PM
Re: Determine NTConfig.pol entries
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Updated to handle VALUEPREFIX type entries.
At least I think it does. Don't have any to test it on.
code:
Break On

; Parser state shared between the UDFs
Global $bInString
$bInString=0
Global $bIsEnding
$bIsEnding=0
Global $sString
Global $cQuote
$cQuote='"'
Global $sAction
Global $sHive
Global $sKey
Global $sEntry
Global $sIniFile

; Constants
Global $INDENT
$INDENT=" | "
Global $BRANCH
$BRANCH=" |-"
Global $SPACES
$SPACES=" "
Global $TAB
$TAB=Chr(9)

; Call UDF
$=udfDocPolicy(".\common.adm")

; Read the ADM file line by line and hand each line to the tokeniser.
; Returns 1 if the file cannot be opened, 0 otherwise.
Function udfDocPolicy($sPolicyFile)
	If Open(1,$sPolicyFile)
		"Cannot open file " $sPolicyFile " for reading." ?
		$udfDocPolicy=1
		Return
	EndIf
	$sIniFile=$sPolicyFile
	$sData=ReadLine(1)
	While @ERROR=0
		; Convert tabs to spaces.
		; How long did it take me to work out why the split was failing!
		; Doh!
		$iIndex=InStr($sData,$TAB)
		While $iIndex
			$sData="" + SubStr($sData,1,$iIndex-1) + " " + SubStr($sData,$iIndex+1,9999)
			$iIndex=InStr($sData,$TAB)
		Loop
		udfParseLine(Split($sData))
		$sData=ReadLine(1)
	Loop
	; Release file handle 1 so the UDF can be called again
	$=Close(1)
	$udfDocPolicy=0
	Return
EndFunction

; Feed each space-separated token of a line to the interpreter.
Function udfParseLine($asData)
	$iArraySize=Ubound($asData)
	For $iIndex = 0 To $iArraySize
		udfInterpret($asData[$iIndex])
	Next
EndFunction

; State machine: a keyword token sets $sAction, the token(s) that follow are its argument.
Function udfInterpret($sToken)
	If $bInString=0
		$sString=""
	EndIf
	If $sAction = ""
		; Waiting for a keyword
		Select
		Case $sToken="END"
			$sAction=$sToken
		Case $sToken="CLASS"
			$sAction=$sToken
		Case $sToken="CATEGORY"
			$sAction=$sToken
		Case $sToken="PART"
			$sAction=$sToken
		Case $sToken="POLICY"
			$sAction=$sToken
		Case $sToken="KEYNAME"
			$sAction=$sToken
		Case $sToken="VALUENAME"
			$sAction=$sToken
		Case $sToken="VALUEPREFIX"
			$sAction=$sToken
		EndSelect
	Else
		; Collect the argument: quoted string, !!Token or bare word
		Select
		Case $bInString
			$sString=$sString + " " + $sToken
			If SubStr($sToken,Len($sToken),1)=$cQuote
				$bInString=0
				$sString=SubStr($sString,1,Len($sString)-1)
			EndIf
		Case $sToken=""
			Return
		Case SubStr($sToken,1,1)=$cQuote
			$bInString=1
			$sString=SubStr($sToken,2,Len($sToken)-1)
			If SubStr($sString,Len($sString),1)=$cQuote
				$bInString=0
				$sString=SubStr($sString,1,Len($sString)-1)
			EndIf
		Case SubStr($sToken,1,2)="!!"
			; Get parameter from string fields
			$sString=ReadProfileString($sIniFile,"strings",SubStr($sToken,3,99))
		EndSelect
		; Actions.
		If $bInString
			Return
		EndIf
		Select
		Case $sAction="END"
			Select
			Case $sToken="CATEGORY"
				$sIndent=SubStr($sIndent,1,Len($sIndent)-Len($INDENT))
			EndSelect
			$sAction=""
		Case $sAction="CLASS"
			? "Registry hive: " $sToken ?
			$sIndent=""
			Select
			Case $sToken="MACHINE"
				$sHive="HKEY_LOCAL_MACHINE"
			Case $sToken="USER"
				$sHive="HKEY_CURRENT_USER"
			EndSelect
		Case $sAction="CATEGORY"
			$sIndent $BRANCH
			If $sString=""
				$sToken
			Else
				$sString
			EndIf
			?
			$sIndent=""+$sIndent+$INDENT
		Case $sAction="POLICY"
			$sIndent $SPACES "Policy: "
			If $sString=""
				$sToken
			Else
				$sString
			EndIf
			?
		Case $sAction="KEYNAME"
			If $sString=""
				$sKey=$sToken
			Else
				$sKey=$sString
			EndIf
			$sIndent $SPACES "Key: " $sKey ?
		Case $sAction="VALUENAME"
			If $sString=""
				$sEntry=$sToken
			Else
				$sEntry=$sString
			EndIf
			; Show the value name with its current registry value
			$sIndent $SPACES $SPACES "Entry: '" $sEntry "'=" ReadValue($sHive + "\" + $sKey,$sEntry) ?
		Case $sAction="VALUEPREFIX"
			; List every value under the key whose name starts with the prefix
			$iEnum=0
			$sEntry=EnumValue($sHive + "\" + $sKey,$iEnum)
			While @ERROR=0
				; Trace line printed for every enumerated value
				"ERROR=@ERROR, Enum=$iEnum, Entry=$sEntry" ?
				If $sString=SubStr($sEntry,1,Len($sString))
					$sIndent $SPACES $SPACES "Entry: '" $sEntry "'=" ReadValue($sHive + "\" + $sKey,$sEntry) ?
				EndIf
				$iEnum=$iEnum+1
				$sEntry=EnumValue($sHive + "\" + $sKey,$iEnum)
			Loop
		EndSelect
		$sAction=""
		$bIsEnding=0
	EndIf
EndFunction
[ 15 July 2002, 16:19: Message edited by: Richard Howarth ]
#68050 - 2002-07-12 08:02 PM
Re: Determine NTConfig.pol entries
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11623
Loc: CA
|
Thanks Richard...
Trying it against the SYSTEM.ADM file (copied to a test folder) results in an error.
code:
Script error: unknown or unexpected command [ÿ_#]! ÿ_#
I also tried it on a common.adm file from NT 4.0 and it worked just fine on that, but not on the 2000 system.adm file.
#68052 - 2002-07-16 10:45 AM
Re: Determine NTConfig.pol entries
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Ok. There are two problems with the W2K adm files.
1) They are in Unicode. You can open them in Word, then save as "text only" to a new name. This file is then readable and works fine.
2) They are huge. The system.adm file is still ~370 KB after converting to text. This causes the string lookup to fail, so all the string tokens get returned as their original "!!Token" format rather than the more readable string.
The string lookup fails because it uses ReadProfileString(), and this is limited to 64KB files in the API. The option here is to pre-parse the file and create a smaller strings file and use that for the lookup, or just to accept that the strings will not be displayed in friendly format.
Here is a small sample from W2K system.adm:
code:
Policy: !!GPOnlyPolicy
Key: Software\Policies
|-;CLASS
| Policy: !!GPOnlyPolicy
| Key: Software\Policies
| |-;#endif

Registry hive: MACHINE
|-!!AdministrativeServices
| Policy: !!NoSecurityMenu
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| Entry: 'NoNTSecurity'=
| Policy: !!NoDisconnectMenu
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| Entry: 'NoDisconnect'=
| Policy: !!DisableStatusMessages
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| Entry: 'DisableStatusMessages'=
| Policy: !!VerboseStatus
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| Entry: 'VerboseStatus'=
| Policy: !!Autorun
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| Entry: 'NoDriveTypeAutoRun'=
| Policy: !!NoWelcomeTips
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| Entry: 'NoWelcomeScreen'=
| Policy: !!Run
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
| Policy: !!DisableExplorerRunOnceLegacy
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| Entry: 'DisableLocalMachineRunOnce'=
| Policy: !!DisableExplorerRunLegacy
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| Entry: 'DisableLocalMachineRun'=
| Policy: !!NoEncryptOnMove
| Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
| Entry: 'NoEncryptOnMove'=
| Policy: !!AppMgmt_COM_SearchForCLSID
| Key: Software\Policies\Microsoft\Windows\App Management
| Entry: 'COMClassStore'=
| |-!!Login_Policies
| | Policy: !!Run_Logon_Script_Sync
| | Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| | Entry: 'RunLogonScriptSync'=
| | Policy: !!Run_Startup_Script_Sync
| | Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| | Entry: 'RunStartupScriptSync'=
| | Policy: !!Run_Startup_Script_Visible
| | Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| | Entry: 'HideStartupScripts'=
| | Policy: !!Run_Shutdown_Script_Visible
| | Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| | Entry: 'HideShutdownScripts'=
| | Policy: !!MaxGPOScriptWaitPolicy
| | Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
| | Entry: 'MaxGPOScriptWait'=
| | Policy: !!DeleteRoamingCachedProfiles
| | Key: Software\Policies\Microsoft\Windows\System
| | Entry: 'DeleteRoamingCache'=
| | Policy: !!EnableSlowLinkDetect
| | Key: Software\Policies\Microsoft\Windows\System
| | Entry: 'SlowLinkDetectEnabled'=
| | Policy: !!SlowLinkTimeOut
| | Key: Software\Policies\Microsoft\Windows\System
As you can see it kind of works. There are no values because I'm running it on a Win95 box.
I suggest that anyone who wants to use this for documenting settings should either adapt it to read the registry remotely, or spawn it as a parallel process, as it will take a long time to run due to the sheer size of the W2K .adm files.
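The two W2K problems named in the post above (Unicode templates, and a string lookup that fails on large files) can also be handled by pre-parsing outside KiXtart. The following is an added example, not part of the original thread and not Richard's script: Python that decodes a UTF-16 template, keeps the [strings] section in memory and resolves !!Token names, leaving unknown ones unchanged. The function names, the SAMPLE text and the reduced keyword set are assumptions made for this illustration.

```python
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
KEYWORDS = {"CLASS", "CATEGORY", "POLICY", "KEYNAME", "VALUENAME", "END"}

def decode_adm(raw):
    """W2K templates are UTF-16 with a byte-order mark; NT4 ones are ANSI."""
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "cp1252")

def parse_adm(raw):
    """Return (hive, category path, policy, key, value name) per VALUENAME."""
    parts = re.split(r"(?im)^\[strings\][ \t]*\r?$", decode_adm(raw), maxsplit=1)
    body, tail = (parts + [""])[:2]
    # In-memory string table, so the size of the file does not matter.
    pairs = (l.split("=", 1) for l in tail.splitlines() if "=" in l)
    strings = {k.strip().lower(): v.strip().strip('"') for k, v in pairs}
    hive, cats, action, rows, cur = "", [], "", [], {"POLICY": "", "KEYNAME": ""}
    for line in body.splitlines():
        for m in TOKEN.finditer(line):
            quoted, tok = m.group(1) is not None, m.group(1) or m.group(2) or ""
            if not quoted and tok.startswith(";"):
                break                      # rest of the line is a comment
            if not action:                 # waiting for a keyword
                action = tok.upper() if not quoted and tok.upper() in KEYWORDS else ""
                continue
            if tok.startswith("!!"):       # resolve !!Token, keep it if unknown
                tok = strings.get(tok[2:].lower(), tok)
            if action == "CLASS":
                hive, cats = tok.upper(), []
            elif action == "CATEGORY":
                cats.append(tok)
            elif action == "END" and tok.upper() == "CATEGORY" and cats:
                cats.pop()
            elif action == "VALUENAME":
                rows.append((hive, " / ".join(cats), cur["POLICY"], cur["KEYNAME"], tok))
            elif action in cur:
                cur[action] = tok
            action = ""
    return rows

# Constructed sample in the W2K style, encoded as UTF-16 with a BOM.
SAMPLE = "\r\n".join([
    "CLASS MACHINE", "CATEGORY !!AdministrativeServices ; not in the string table",
    "  POLICY !!NoSecurityMenu",
    r'    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"',
    "    VALUENAME NoNTSecurity", "  END POLICY",
    "  CATEGORY !!Login_Policies", "    POLICY !!Run_Logon_Script_Sync",
    r"    KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\System",
    "    VALUENAME RunLogonScriptSync", "    END POLICY",
    "  END CATEGORY", "END CATEGORY",
    "[strings]", 'NoSecurityMenu="Remove NT Security item from Start menu"',
    'Run_Logon_Script_Sync="Run logon scripts synchronously."',
]).encode("utf-16")
```

Calling parse_adm(SAMPLE) returns one tuple per VALUENAME, which can then be compared against the live registry or a loaded policy hive.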
#68054 - 2002-07-17 09:35 AM
Re: Determine NTConfig.pol entries
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
I support a large and disparate user base with varied OSes (I even have one Windows 3.11 machine!), so I use the lowest common denominator as my day-to-day/development box.
It's a Pentium-Pro 180 with 64mb memory that I've been using for about 4 years, and is one of the quickest and most reliable boxes in the department.
It will be 18 months at least until the last of our Win95 machines goes, and that will probably be mine.