Reporting on GPO Settings

The Settings tab of the GPO (or GPO link) pane in GPMC shows an HTML report of every setting defined in the GPO; clicking the tab generates the report. Figure 17 shows a typical report. Any user with read access to the GPO can generate it.

Before GPMC, a user without write access to a GPO could not view its settings at all, because the Group Policy Object Editor requires both read and write permission on a GPO to open it. Users who need to view but not edit a GPO include security audit teams, helpdesk staff troubleshooting a Group Policy problem, and OU administrators who need to see the settings in GPOs inherited from above. With GPMC, read access is sufficient to view the settings.

The HTML reports also let an administrator see every setting contained in a GPO at a glance. Clicking Show All at the top of the report expands it fully so that all settings are shown. Alternatively, individual sections can be expanded or collapsed by clicking the section heading.

For settings under the Administrative Templates section of the report, you can view a description of the setting by clicking the setting name in the report. This opens a new window with the Explain text for that policy setting.

GPMC also covers common documentation requirements, such as saving every setting in a GPO to a file for printing or review. From the context menu, users can print a report or save it as either HTML or XML. Note that a saved report contains not only the Settings tab but also the information shown on the Scope, Details, and Delegation tabs in the UI, so it records who can edit and link the GPO as well as what it does.

To view a saved report directly in a Web browser, you must use Internet Explorer 6 or Netscape 7. Netscape 7 does not support the show and hide functionality in the reports.

In addition, GPMC provides similar reports for Group Policy Modeling (Resultant Set of Policy – planning) and Group Policy Results (Resultant Set of Policy – logging). These are described later in the paper in their respective sections.

The reports generated by GPMC display all settings contained in a GPO, with the following exceptions:

Within the IE Maintenance section of reports:

The reports indicate only whether Content Ratings and Connectoids are deployed, and do not report the details of those settings.

If Preference Mode is specified, this is indicated, but the additional settings that are only available in Preference Mode are not displayed.

The following cookie settings, which existed in IE 5.5 but not in IE 6, are not displayed:

Allow per-session cookies (not stored)

Allow cookies that are stored on your computer

Within Security Zones and Privacy, the details of customized Java settings, if specified, are not shown; customized Java settings appear simply as "Custom."

The core information for Wireless and IPSec settings is displayed, but some details of these settings are not.

Administrative Templates Background

Administrative templates (.adm files) enable administrators to control registry settings through Group Policy. Windows ships with a predefined set of administrative template files, implemented as text files with an .adm extension, that define the registry settings that can be configured in a Group Policy object (GPO). By default these .adm files are stored in two locations: inside the GPO's folder on Sysvol and in the %windir%\inf folder on the local computer.

As new versions of Windows are released, new policy settings are added. In addition to supporting these new settings, each successive version of Windows supports all registry policy settings that were available in earlier versions of Windows. For example, the Windows Server 2003 family supports all registry policy settings available in Windows 2000 and Windows XP.

It is important to understand that .adm files are not the settings that are deployed to client operating systems. An .adm file is only a template: it supplies the friendly name and explanation for each setting and is used to populate the editor's user interface. The settings actually deployed to clients are contained in the registry.pol file inside the GPO, and that file is what determines what a client receives regardless of which templates are present on the machine viewing the GPO. On Windows XP and Windows Server 2003, each registry setting carries a "Supported on" tag that indicates which operating system versions support it. If a setting is deployed to a client operating system that does not support it, the client ignores that setting.

Because each successive version of the .adm files includes all settings from earlier versions, and because a setting inadvertently applied to a computer running an earlier operating system that does not support it is simply ignored, it is recommended to always create and edit GPOs from a computer that has the latest .adm files available.
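The point that matters for an audit is that registry.pol, not the .adm files, is the deployed policy. The following Python parser, added here as an illustration rather than taken from the paper or from any Microsoft tool, reads the registry.pol ("PReg") format directly so that a reviewer can list what a GPO really sets without depending on whichever templates happen to be installed. The header and entry layout are as Microsoft documents them; the sample contents are constructed for the example (the DisableCMD location is a genuine policy key, the Contoso entries are made up), and Python is used rather than a Windows script so the parser runs anywhere a copy of registry.pol can be opened.

```python
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# registry.pol ("PReg") layout: an 8-byte header ("PReg" + little-endian
# version 1) followed by entries of the form  [key;value;type;size;data]
# where '[', ';' and ']' are UTF-16LE characters, key and value are
# null-terminated UTF-16LE strings, type and size are little-endian DWORDs,
# and data is exactly `size` bytes.
PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1
REG_TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
                  4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


@dataclass
class PolEntry:
    key: str
    value: str
    reg_type: int
    data: bytes

    def decoded(self):
        """Render the data for the common registry types."""
        if self.reg_type == 4 and len(self.data) == 4:
            return struct.unpack("<I", self.data)[0]
        if self.reg_type in (1, 2):
            return self.data.decode("utf-16-le").rstrip("\x00")
        if self.reg_type == 7:
            return [s for s in self.data.decode("utf-16-le").split("\x00") if s]
        return self.data

    def is_control(self) -> bool:
        # Value names starting with "**" (e.g. **DeleteValues, **DelVals.,
        # **DeleteKeys, **SecureKey) are instructions to the client, not values
        # to write; they remove keys or values and deserve attention in a review.
        return self.value.startswith("**")


def build_pol(entries: Sequence[Tuple[str, str, int, bytes]]) -> bytes:
    """Serialise (key, value, type, data) tuples into a PReg blob."""
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, value, reg_type, data in entries:
        out += _u16("[")
        out += _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(value) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", reg_type) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def _read_utf16z(buf: bytes, pos: int) -> Tuple[str, int]:
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError(f"unterminated string at offset {pos}")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def parse_pol(buf: bytes) -> List[PolEntry]:
    """Parse a registry.pol blob; raises ValueError on malformed input."""
    if buf[:4] != PREG_SIGNATURE:
        raise ValueError("not a PReg file")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != PREG_VERSION:
        raise ValueError(f"unsupported PReg version {version}")
    entries: List[PolEntry] = []
    pos = 8
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"truncated data at offset {pos}")
        pos = _expect(buf, pos + size, "]")
        entries.append(PolEntry(key, value, reg_type, data))
    return entries


def sample_pol() -> bytes:
    """Constructed sample, not a real GPO: a genuine setting location
    (DisableCMD) plus made-up Contoso entries, one of them a delete instruction."""
    return build_pol([
        (r"Software\Policies\Microsoft\Windows\System", "DisableCMD", 4, struct.pack("<I", 1)),
        (r"Software\Policies\Contoso\Agent", "UpdateServer", 1,
         _u16("http://updates.contoso.example") + b"\x00\x00"),
        (r"Software\Policies\Contoso\Legacy", "**DeleteValues", 1, _u16("OldFlag") + b"\x00\x00"),
    ])


def report(buf: bytes) -> List[Tuple[str, str, str, object, bool]]:
    """(key, value, type name, decoded data, is_control) for every entry."""
    return [(e.key, e.value, REG_TYPE_NAMES.get(e.reg_type, str(e.reg_type)),
             e.decoded(), e.is_control()) for e in parse_pol(buf)]


if __name__ == "__main__":
    for row in report(sample_pol()):
        print(row)
```

To use it on a real GPO, read `Machine\registry.pol` or `User\registry.pol` from the GPO's folder on Sysvol in binary mode and pass the bytes to `report`. Every row it prints is a setting clients will apply, whether or not any template on the reporting machine can name it.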

Administrative Templates and GPMC

GPMC uses administrative templates (.adm files) to display the friendly names of policy settings in the Administrative Templates section when generating HTML reports for GPOs, Group Policy Modeling, and Group Policy Results. The reports generated by GPMC can display settings based on custom .adm files as well.

GPMC handles administrative templates for GPOs differently than the Group Policy Object Editor does. This was a deliberate design decision to simplify the handling of .adm files, to avoid .adm version conflicts, and to improve GPMC's performance.

To generate a report, GPMC looks by default in the following locations for .adm files:

%Windir%\inf on the local computer where GPMC is running. If an .adm file is found there, it is used regardless of its timestamp.

If the .adm file is not found there, GPMC looks in the GPO's folder on SYSVOL.

The user can specify an alternate location for .adm files with the custom search location option on the Reporting tab of GPMC's Options dialog. If set, that location is searched before the two locations above.

When searching for a given .adm file, GPMC uses only the first copy it finds in that search order. Policy settings in the GPO for which no .adm file can be found are shown in a report section called "Extra Registry Settings," which lists the registry keys and values for those settings. A setting listed there is still a live setting that clients apply; it is merely one the report could not name.

As noted above, because no custom location is set by default, GPMC looks on the local computer first. When GPMC runs on Windows XP, settings that were not available in Windows XP or Windows 2000 may therefore appear in the report as "Extra Registry Settings." This happens only when both of the following are true:

You have configured a setting in the Administrative Templates section of the GPO that is new in Windows Server 2003.

You are generating a report of that GPO on a computer running Windows XP.

The workaround is to store the Windows Server 2003 versions of the .adm files in a location of your choosing and specify that location as the custom search location described above.
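The search order and the "Extra Registry Settings" fallback can be reproduced offline. The following Python example is added here for illustration; it is not part of the paper and not GPMC's own code. It models the three search locations as directories, takes registry.pol entries as plain (key, value) pairs, and uses a deliberately simplified reading of .adm syntax (KEYNAME/VALUENAME lines only) to decide whether a template describes each entry. The template texts and the "Example2003OnlySetting" policy are constructed for the example; DisableCMD is a genuine setting location. The demo reproduces the XP-versus-2003 case above and then shows the custom search location resolving it.

```python
import os
import re
import tempfile
from typing import Iterable, List, Optional, Set, Tuple

KeyValue = Tuple[str, str]


def adm_settings(adm_text: str) -> Set[KeyValue]:
    """Collect (KEYNAME, VALUENAME) pairs declared in .adm text, lower-cased.

    Simplified on purpose: the most recent KEYNAME seen is paired with each
    VALUENAME that follows it. Enough to decide whether a registry.pol entry
    has a template behind it; not a full .adm parser.
    """
    known: Set[KeyValue] = set()
    keyname: Optional[str] = None
    for raw in adm_text.splitlines():
        line = raw.strip()
        m = re.match(r'^KEYNAME\s+"([^"]+)"', line, re.IGNORECASE)
        if m:
            keyname = m.group(1)
            continue
        m = re.match(r'^VALUENAME\s+"([^"]+)"', line, re.IGNORECASE)
        if m and keyname is not None:
            known.add((keyname.lower(), m.group(1).lower()))
    return known


def find_adm(name: str, search_dirs: Iterable[Optional[str]]) -> Optional[str]:
    """First existing <dir>/<name> in search order; timestamps are ignored."""
    for d in search_dirs:
        if d and os.path.isfile(os.path.join(d, name)):
            return os.path.join(d, name)
    return None


def classify(pol_entries: Iterable[KeyValue], adm_names: Iterable[str],
             custom_dir: Optional[str], local_inf_dir: str,
             sysvol_adm_dir: str) -> Tuple[List[KeyValue], List[KeyValue]]:
    """Split registry.pol (key, value) pairs into entries a found .adm file
    describes and those GPMC would list under "Extra Registry Settings".
    Search order as the paper states: custom location (if set), then
    %windir%\\inf on the reporting machine, then the GPO's folder on SYSVOL."""
    order = [custom_dir, local_inf_dir, sysvol_adm_dir]
    known: Set[KeyValue] = set()
    for name in adm_names:
        path = find_adm(name, order)
        if path:
            with open(path, encoding="utf-8") as f:
                known |= adm_settings(f.read())
    described: List[KeyValue] = []
    extra: List[KeyValue] = []
    for key, value in pol_entries:
        target = described if (key.lower(), value.lower()) in known else extra
        target.append((key, value))
    return described, extra


# Constructed templates. DisableCMD is a genuine setting location; the
# "2003-only" policy is hypothetical, standing in for any setting the older
# template lacks.
XP_SYSTEM_ADM = """CLASS MACHINE
CATEGORY "System"
  POLICY "Prevent access to the command prompt"
    KEYNAME "Software\\Policies\\Microsoft\\Windows\\System"
    VALUENAME "DisableCMD"
  END POLICY
END CATEGORY
"""

WS2003_SYSTEM_ADM = XP_SYSTEM_ADM.replace("END CATEGORY", """  POLICY "Hypothetical setting new in Windows Server 2003"
    KEYNAME "Software\\Policies\\Microsoft\\Windows\\System"
    VALUENAME "Example2003OnlySetting"
  END POLICY
END CATEGORY""")

# Constructed registry.pol contents of a GPO edited from a Windows Server 2003 machine.
POL_ENTRIES: List[KeyValue] = [
    ("Software\\Policies\\Microsoft\\Windows\\System", "DisableCMD"),
    ("Software\\Policies\\Microsoft\\Windows\\System", "Example2003OnlySetting"),
]


def demo() -> Tuple[List[KeyValue], List[KeyValue]]:
    """Extra Registry Settings when reporting from an XP machine with no custom
    location, then again with the custom location pointed at 2003 templates."""
    with tempfile.TemporaryDirectory() as root:
        dirs = {}
        for label, text in (("windir_inf", XP_SYSTEM_ADM),
                            ("sysvol_gpo_adm", WS2003_SYSTEM_ADM),
                            ("ws2003_adm_copy", WS2003_SYSTEM_ADM)):
            d = os.path.join(root, label)
            os.makedirs(d)
            with open(os.path.join(d, "system.adm"), "w", encoding="utf-8") as f:
                f.write(text)
            dirs[label] = d
        _, extra_default = classify(POL_ENTRIES, ["system.adm"], None,
                                    dirs["windir_inf"], dirs["sysvol_gpo_adm"])
        _, extra_custom = classify(POL_ENTRIES, ["system.adm"], dirs["ws2003_adm_copy"],
                                   dirs["windir_inf"], dirs["sysvol_gpo_adm"])
        return extra_default, extra_custom


if __name__ == "__main__":
    print(demo())
```

The first result lists the 2003-only setting as extra even though the correct template sits on SYSVOL, because the local %windir%\inf copy wins the search and GPMC never looks further; the second result is empty once the custom location supplies the newer template.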

Unlike the Group Policy Object Editor, GPMC itself never copies newer .adm files to SYSVOL; it only reads the .adm files located by the search described above in order to generate the report. However, when the Group Policy Object Editor is opened (whether from GPMC or by other means), .adm files may be copied to Sysvol, as described below.

Administrative Templates and Group Policy Object Editor

The Group Policy Object Editor uses .adm files to display available policy settings in the Administrative Templates section of a GPO.

By default it reads .adm files from the GPO itself (from Sysvol on the domain controller). Alternatively, the .adm files can be read from the local workstation. A policy setting controls which behavior is used.

By default, if the .adm file on the local computer is newer (by file timestamp) than the copy on Sysvol, the local copy is written to Sysvol and then used to display the settings. This copying can be disabled with the policy setting "Turn off automatic update of ADM files."

If the GPO contains registry settings for which there is no corresponding .adm file, the Group Policy Object Editor cannot display them at all. The settings remain active, however, and are applied to the users or computers the GPO targets. For that reason a review of what a GPO does should rely on GPMC's report, including its Extra Registry Settings section, or on the registry.pol file itself, rather than on what the editor shows.
