I'm trying to create a custom policy for Windows 2000 SBS that sets
software restrictions (of the cryptographic hash kind).

All is going well except for the fact that a couple of the registry
keys are of type binary.

According to various sources i've read your meant to use the numeric
type and it autodetects when to use a binary or dword.

So I converted the ItemData field to a huge decimal number:
275457228279875578229615414049268972442.

and created the following template:

CLASS MACHINE
CATEGORY "Software Restriction Policies"
POLICY "Disable Command Prompt"

KEYNAME "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{a47931aa-8280-4408-b362-22a95bf8ec48}"
ACTIONLISTON
VALUENAME "Description" VALUE "Disable the Command Prompt"
VALUENAME "FriendlyName" VALUE "(5.1.2600.2096)"
VALUENAME "HashAlg" VALUE NUMERIC 32771
VALUENAME "ItemData" VALUE NUMERIC
275457228279875578229615414049268972442
VALUENAME "ItemSize" VALUE NUMERIC 65870642108432384
VALUENAME "LastModified" VALUE NUMERIC 4643848508271477761
VALUENAME "SaferFlags" VALUE NUMERIC 0
END ACTIONLISTON
ACTIONLISTOFF
VALUENAME "Description" VALUE DELETE
VALUENAME "FriendlyName" VALUE DELETE
VALUENAME "HashAlg" VALUE DELETE
VALUENAME "ItemData" VALUE DELETE
VALUENAME "ItemSize" VALUE DELETE
VALUENAME "LastModified" VALUE DELETE
VALUENAME "SaferFlags" VALUE DELETE
END ACTIONLISTOFF
END POLICY
END CATEGORY

The binary values however appear to truncate. How do I put these long
binary values into an ADM?

Or, Is there a better way of achieving this function (that doesn't
require an upgrade to SBS2003)

Simon.

(E-Mail Removed) (Simon Johnson) wrote in message news:<(E-Mail Removed)>...
> I'm trying to create a custom policy for Windows 2000 SBS that sets
> software restrictions (of the cryptographic hash kind).
>
> All is going well except for the fact that a couple of the registry
> keys are of type binary.
>
> According to various sources i've read your meant to use the numeric
> type and it autodetects when to use a binary or dword.
>
> So I converted the ItemData field to a huge decimal number:
> 275457228279875578229615414049268972442.
>
> and created the following template:
>
> CLASS MACHINE
> CATEGORY "Software Restriction Policies"
> POLICY "Disable Command Prompt"
>
> KEYNAME "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{a47931aa-8280-4408-b362-22a95bf8ec48}"
> ACTIONLISTON
> VALUENAME "Description" VALUE "Disable the Command Prompt"
> VALUENAME "FriendlyName" VALUE "(5.1.2600.2096)"
> VALUENAME "HashAlg" VALUE NUMERIC 32771
> VALUENAME "ItemData" VALUE NUMERIC
> 275457228279875578229615414049268972442
> VALUENAME "ItemSize" VALUE NUMERIC 65870642108432384
> VALUENAME "LastModified" VALUE NUMERIC 4643848508271477761
> VALUENAME "SaferFlags" VALUE NUMERIC 0
> END ACTIONLISTON
> ACTIONLISTOFF
> VALUENAME "Description" VALUE DELETE
> VALUENAME "FriendlyName" VALUE DELETE
> VALUENAME "HashAlg" VALUE DELETE
> VALUENAME "ItemData" VALUE DELETE
> VALUENAME "ItemSize" VALUE DELETE
> VALUENAME "LastModified" VALUE DELETE
> VALUENAME "SaferFlags" VALUE DELETE
> END ACTIONLISTOFF
> END POLICY
> END CATEGORY
>
> The binary values however appear to truncate. How do I put these long
> binary values into an ADM?
>
> Or, Is there a better way of achieving this function (that doesn't
> require an upgrade to SBS2003)
>
> Simon.

Hi Simon,
You can use the free Registry extension in Policy Maker Professional
to set ANY registry setting (including binary values) with a native
Group Policy Extension. It's very easy to use because Policy Maker
extensions are plug-ins to the Group Policy Editor, and the Registry
Extension is very similar to Regedit. Browse to the setting, edit it,
save the GPO, and the registry setting is applied as policy. Again,
the registry extension is free to use across the network. Download
here: www.autoprof.com/download.html
Peter Beauregard
AutoProf