Windows 2003 Local Policies and System32\GroupPolicy Folder ??

[Semal Patil]

In Windows 2000 based machines when you replace the Registry.pol file in
\System32\Grouppolicy\User or \Machine subfolders, then every time machine
is rebooted or every time a user loggs on , Machine or User policies are
aplied respectively.
So we can say that for a Windows 2000 based system
\System32\GroupPolicy\ is a central repository for all the policy
settings. I could not find any such folder or even thr Registry.pol files in
a Windows 2003 ( .NET) machine. Although I could locate some registry hive
which I thought is serving the same purpose. But my experiments to assertain
this failed. Or I messed up somewhere in between.
Does any one know where are these Windows 2003 based system Local Policy
Setting stored? Is there a way to import / apply the registry.pol files on
to a Windows 2003 system?
~Semal

 

[Tim Springston \(MSFT\)]

Hi Semal-

Windows 2000 and 2003 group policy settings can be stored in various places
in the registry, or in the SECEDIT.SDB (for security specific settings).

In the case you described below, registry based settings were not continuous
between one reboot and the next since the registry keys themselves were not
retained.

By default, policies which are user specific will apply at logon (depending
on the type of setting of course). Likewise, machine specific settings
which should apply to that machine are applied at boot. In addition, there
is a default policy refresh interval for policy reapplication.

For your purposes, I would suggest exporting your user settings from a
machine that has them applied by using the Security Configuration and
Analysis snapin. This will create a template which can be imported into a
group policy, which will bring those settings over for you.

Please repost if you have any questions or concerns.

 

[news.microsoft.com]

Thanks a lot Tim,

Your quick and helpful response is really appreciated.
Actually All I want to do is apply some policies on Terminal Server
programmatically. And didnt want to mess up individual resgitry key on my
own.
I would if that Winlogon or whatever compopnent of OS usually does. My
understanding is that WinLogon retrieves GPO from ADS and actually synch up
the registry when ever a User loggs in. I could not figure out how one can
create GPO or local policy objects programmatically. So I was looking for
the central entity from where winlogon or whatever component reads the
newest policy settings. and wanted to manipulate them directly. thats how I
stumbled across this \System32\GroupPolicy folder. So tried to find out the
same on Windows 2003 but unfortunately it has some different infrastructure
altogether.
I had a detailed NEWS group discussion with one of the Microsoft onlin guys
Eric Fleischman [MSFT]" (e-mail address removed). And it describes what
exactly I am trying to do. You can read what exactly I am trying to achieve
here:
http://groups.google.com/[email protected]#link3
.. I am copying it below here for your convenience.
I have found a document which documents all the policy settings and their
corresponding Registry Keys for Windows 2000 based systems. My managers and
peers coninced me that once MS documents a key its as good as a API. So
finally I have started a implementation which directly manipulates the
registry keys whenever a user loggs in and I clear the registry keys before
logging off. In this way I achieve a restricted shell and if he launches a
provisioned app then we apply some UI restrictions so that user wont see any
drives and will not be able to launch any other apps which are not
provisioned to him. REstrictiong File open dialog boxe and all possible
places of getting the Explorer's default context menu. It sounds toooooooo
hacky but I have no other way. although I have started the implementation
already but, the very thought that I cant applu local policys
programmatically or even if I have to use ADS, I could not find out a way
to actually create GPO with settings of my interest programmatically. The
very thought that this such an elaborate infrastructure which can be tuned /
customized to such minute details of UI, DOES NOT HAVE ANY programming
interface as such and one has to use the MMC snapin only , this thought is
haunting me day and night. Can you please thorow some light on this.
Thanks in Advance,
~Semal
=========== My original post =============
Hello Eric,

I was really very surprised and pleased to see such a quick reply,
thanks a lot. So here is what I am looking for;

We have a web based interface to launch some windows based apps on
Win2k and Windows 2003 terminal servers. We actual execute a certain
control program before actually launching the app.
My product manager tells me that he should be able to provision a
Restricted Shell ( just like kiosk). And even the Apps should run
under a restricted environment. And we want to give Admins a separate
Web Based UI , where in they can relax or tighten the security or
rather Restrictions. They need three levels and if possible an
advanced Customizable Restirction Template ( in MS terminology they
need three deifferent Ploicys and should be able to customize it if
needed).
So applying restrictions in most of the cases should be as easy as
just one or two clicks And MOST IMPORTANT THING IS they DO NOT have
Active Directory Services implemented and hesitate to go for ADS.
And I have already tried the ADS approach gone thru the KB
article, which says create a separate OU put all the Term servers in
that OU . etc etc. But we want independence from ADS for this old
installation. Even if its a really bad unClean way of doing the
things.
I even dont know whether it is possible. I dont want to actually
manipulate each corresponding Registry entry, and hoping that there is
some what better way. I myself is slightly unclear about the whole
thing, but the most important thing is we dont want to rely on ADS.
Suppose I managed to convince them to go for a ADS based approach, how
can I manage the policies programmatically, without having to open
that MMC consoles manually and doing n number of steps manually?
Thanks and Regards,
~Semal

============= Erichs Reply ================
hmmmm
I'm not aware of an api to do this, but that doesn't mean it can't be done.
What you would probably want to do in this case is just write to the reg
keys as appropriate.

Note that policy probably isn't the right technology for what you are trying
to do. Policy affects security settings on the machine, and the way in which
the gui is displayed for the users, and also some other sorts of settings
(network, ipsec, etc).
What you are trying to do is provision a shell, which has little to do with
policy per say, but rather to do with a shell and the context under which it
runs.
You would probably want to do is change the local policy to restrict the
rights for a given security context (maybe a local account you create),
start the shell in that context, and subsequently acl things on the system
as appropriate for it. Note that the only time policy comes in to play are
for some of the rights this user might have, not for anything else.

~Eric

 

[Tim Springston \(MSFT\)]

Hi Semal-

It sounds like we have settings that can do what you want to do already.

If you have a terminal server and you would like to restrict user access
when they log on to it, you can configure a policy, linked to the OU which
contains the terminal server(s). In that policy, enable loopback policy
processing, and give the users (or groups they are members of) the Read and
Apply Group Policy Allow permissions.

Once that policy is created, you can add the resitrctions you would like for
the users. This can be a list of applications you want the users to NOT be
able to use, or you can exclude their use of all applications except ones
you specify.

You can also edit what options appear in Windows, removing nearly all
default selections. There are many user-based settings that be enabled to
alter (and inhibit of needed) the user's Windows experience.

However, for something similar to kiosk mode you may consider editing the
Computer Configuration portion of a different policy (not loopback policy
processing enabled) to run a specific application in the session, and
nothing else (no access to the classic Windows shell or Explorer).

That setting is available in Computer Configuration->Administrative
Templates->Terminal Services. The setting name is "Start a program on
connection". For this setting to work, GPO must be link to the OU the
terminal server is in, and the terminal server, or a group it is a member
of, must have Read and Apply Group Policy Allow permissions.

Please repost if the above suggestions do not help.
--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks a lot Tim,

Your quick and helpful response is really appreciated.
Actually All I want to do is apply some policies on Terminal Server
programmatically. And didnt want to mess up individual resgitry key on my
own.
I would if that Winlogon or whatever compopnent of OS usually does. My
understanding is that WinLogon retrieves GPO from ADS and actually synch up
the registry when ever a User loggs in. I could not figure out how one can
create GPO or local policy objects programmatically. So I was looking for
the central entity from where winlogon or whatever component reads the
newest policy settings. and wanted to manipulate them directly. thats how I
stumbled across this \System32\GroupPolicy folder. So tried to find out the
same on Windows 2003 but unfortunately it has some different infrastructure
altogether.
I had a detailed NEWS group discussion with one of the Microsoft onlin guys
Eric Fleischman [MSFT]" (e-mail address removed). And it describes what
exactly I am trying to do. You can read what exactly I am trying to achieve

here:

http://groups.google.com/[email protected]#link3
. I am copying it below here for your convenience.
I have found a document which documents all the policy settings and their
corresponding Registry Keys for Windows 2000 based systems. My managers and
peers coninced me that once MS documents a key its as good as a API. So
finally I have started a implementation which directly manipulates the
registry keys whenever a user loggs in and I clear the registry keys before
logging off. In this way I achieve a restricted shell and if he launches a
provisioned app then we apply some UI restrictions so that user wont see any
drives and will not be able to launch any other apps which are not
provisioned to him. REstrictiong File open dialog boxe and all possible
places of getting the Explorer's default context menu. It sounds toooooooo
hacky but I have no other way. although I have started the implementation
already but, the very thought that I cant applu local policys
programmatically or even if I have to use ADS, I could not find out a way
to actually create GPO with settings of my interest programmatically. The
very thought that this such an elaborate infrastructure which can be tuned /
customized to such minute details of UI, DOES NOT HAVE ANY programming
interface as such and one has to use the MMC snapin only , this thought is
haunting me day and night. Can you please thorow some light on this.
Thanks in Advance,
~Semal
=========== My original post =============
Hello Eric,

I was really very surprised and pleased to see such a quick reply,
thanks a lot. So here is what I am looking for;

We have a web based interface to launch some windows based apps on
Win2k and Windows 2003 terminal servers. We actual execute a certain
control program before actually launching the app.
My product manager tells me that he should be able to provision a
Restricted Shell ( just like kiosk). And even the Apps should run
under a restricted environment. And we want to give Admins a separate
Web Based UI , where in they can relax or tighten the security or
rather Restrictions. They need three levels and if possible an
advanced Customizable Restirction Template ( in MS terminology they
need three deifferent Ploicys and should be able to customize it if
needed).
So applying restrictions in most of the cases should be as easy as
just one or two clicks And MOST IMPORTANT THING IS they DO NOT have
Active Directory Services implemented and hesitate to go for ADS.
And I have already tried the ADS approach gone thru the KB
article, which says create a separate OU put all the Term servers in
that OU . etc etc. But we want independence from ADS for this old
installation. Even if its a really bad unClean way of doing the
things.
I even dont know whether it is possible. I dont want to actually
manipulate each corresponding Registry entry, and hoping that there is
some what better way. I myself is slightly unclear about the whole
thing, but the most important thing is we dont want to rely on ADS.
Suppose I managed to convince them to go for a ADS based approach, how
can I manage the policies programmatically, without having to open
that MMC consoles manually and doing n number of steps manually?
Thanks and Regards,
~Semal

============= Erichs Reply ================
hmmmm
I'm not aware of an api to do this, but that doesn't mean it can't be done.
What you would probably want to do in this case is just write to the reg
keys as appropriate.

Note that policy probably isn't the right technology for what you are trying
to do. Policy affects security settings on the machine, and the way in which
the gui is displayed for the users, and also some other sorts of settings
(network, ipsec, etc).
What you are trying to do is provision a shell, which has little to do with
policy per say, but rather to do with a shell and the context under which it
runs.
You would probably want to do is change the local policy to restrict the
rights for a given security context (maybe a local account you create),
start the shell in that context, and subsequently acl things on the system
as appropriate for it. Note that the only time policy comes in to play are
for some of the rights this user might have, not for anything else.

~Eric

Hi Semal-

Windows 2000 and 2003 group policy settings can be stored in various places
in the registry, or in the SECEDIT.SDB (for security specific settings).

In the case you described below, registry based settings were not continuous
between one reboot and the next since the registry keys themselves were not
retained.

By default, policies which are user specific will apply at logon (depending
on the type of setting of course). Likewise, machine specific settings
which should apply to that machine are applied at boot. In addition, there
is a default policy refresh interval for policy reapplication.

For your purposes, I would suggest exporting your user settings from a
machine that has them applied by using the Security Configuration and
Analysis snapin. This will create a template which can be imported into a
group policy, which will bring those settings over for you.

Please repost if you have any questions or concerns.
--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
files

files

on

 

[Semal Patil]

Thanks a lot Tim,

I can not go that route because for the same reasons I have already told
to eric.
So first very important thing is my product manager tells me that we should
not involve ADS in this implementation because many people still are using
old NT 4.0 domain and NOT using ADS ( atleast thats what he is telling me).
And many people still are not willing to migrate to ADS. another thing is
that we have a web based console that should let administrators to change
the lockdown policies, so we will do these things programmatically. And he
thinks that people will not allow you to write into the ADS. They wont let
you touch their ADS. So dont used ADS.
Even if I manage to convince him that we MUST use GPO and ADS , the
question STILL REMAINS is how do I achieve these things PROGRAMMATICALLY ?
Are there any API's to change the settings in a GPO ? I am sure there are
numerous programming interfaces to create OU and Containers and linking GPO
to them but how do I create a GPO with the desired settings
programmatically?
Thanks once again for such a quick reply.
~Semal

Hi Semal-

It sounds like we have settings that can do what you want to do already.

If you have a terminal server and you would like to restrict user access
when they log on to it, you can configure a policy, linked to the OU which
contains the terminal server(s). In that policy, enable loopback policy
processing, and give the users (or groups they are members of) the Read and
Apply Group Policy Allow permissions.

Once that policy is created, you can add the resitrctions you would like for
the users. This can be a list of applications you want the users to NOT be
able to use, or you can exclude their use of all applications except ones
you specify.

You can also edit what options appear in Windows, removing nearly all
default selections. There are many user-based settings that be enabled to
alter (and inhibit of needed) the user's Windows experience.

However, for something similar to kiosk mode you may consider editing the
Computer Configuration portion of a different policy (not loopback policy
processing enabled) to run a specific application in the session, and
nothing else (no access to the classic Windows shell or Explorer).

That setting is available in Computer Configuration->Administrative
Templates->Terminal Services. The setting name is "Start a program on
connection". For this setting to work, GPO must be link to the OU the
terminal server is in, and the terminal server, or a group it is a member
of, must have Read and Apply Group Policy Allow permissions.

Please repost if the above suggestions do not help.
--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks a lot Tim,

Your quick and helpful response is really appreciated.
Actually All I want to do is apply some policies on Terminal Server
programmatically. And didnt want to mess up individual resgitry key on my
own.
I would if that Winlogon or whatever compopnent of OS usually does. My
understanding is that WinLogon retrieves GPO from ADS and actually

synch

up
the registry when ever a User loggs in. I could not figure out how one can
create GPO or local policy objects programmatically. So I was looking for
the central entity from where winlogon or whatever component reads the
newest policy settings. and wanted to manipulate them directly. thats

how

I
stumbled across this \System32\GroupPolicy folder. So tried to find out the
same on Windows 2003 but unfortunately it has some different infrastructure
altogether.
I had a detailed NEWS group discussion with one of the Microsoft onlin guys
Eric Fleischman [MSFT]" (e-mail address removed). And it describes what
exactly I am trying to do. You can read what exactly I am trying to achieve

here:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&frame=right&th=509f66dcb7
284521&seekm=3515b09d.0309012339.7075fd5b%40posting.google.com#link3

. I am copying it below here for your convenience.
I have found a document which documents all the policy settings and their
corresponding Registry Keys for Windows 2000 based systems. My managers and
peers coninced me that once MS documents a key its as good as a API. So
finally I have started a implementation which directly manipulates the
registry keys whenever a user loggs in and I clear the registry keys before
logging off. In this way I achieve a restricted shell and if he launches a
provisioned app then we apply some UI restrictions so that user wont see any
drives and will not be able to launch any other apps which are not
provisioned to him. REstrictiong File open dialog boxe and all possible
places of getting the Explorer's default context menu. It sounds toooooooo
hacky but I have no other way. although I have started the implementation
already but, the very thought that I cant applu local policys
programmatically or even if I have to use ADS, I could not find out a way
to actually create GPO with settings of my interest programmatically. The
very thought that this such an elaborate infrastructure which can be

tuned

/
customized to such minute details of UI, DOES NOT HAVE ANY programming
interface as such and one has to use the MMC snapin only , this thought is
haunting me day and night. Can you please thorow some light on this.
Thanks in Advance,
~Semal
=========== My original post =============
Hello Eric,

I was really very surprised and pleased to see such a quick reply,
thanks a lot. So here is what I am looking for;

We have a web based interface to launch some windows based apps on
Win2k and Windows 2003 terminal servers. We actual execute a certain
control program before actually launching the app.
My product manager tells me that he should be able to provision a
Restricted Shell ( just like kiosk). And even the Apps should run
under a restricted environment. And we want to give Admins a separate
Web Based UI , where in they can relax or tighten the security or
rather Restrictions. They need three levels and if possible an
advanced Customizable Restirction Template ( in MS terminology they
need three deifferent Ploicys and should be able to customize it if
needed).
So applying restrictions in most of the cases should be as easy as
just one or two clicks And MOST IMPORTANT THING IS they DO NOT have
Active Directory Services implemented and hesitate to go for ADS.
And I have already tried the ADS approach gone thru the KB
article, which says create a separate OU put all the Term servers in
that OU . etc etc. But we want independence from ADS for this old
installation. Even if its a really bad unClean way of doing the
things.
I even dont know whether it is possible. I dont want to actually
manipulate each corresponding Registry entry, and hoping that there is
some what better way. I myself is slightly unclear about the whole
thing, but the most important thing is we dont want to rely on ADS.
Suppose I managed to convince them to go for a ADS based approach, how
can I manage the policies programmatically, without having to open
that MMC consoles manually and doing n number of steps manually?
Thanks and Regards,
~Semal

============= Erichs Reply ================
hmmmm
I'm not aware of an api to do this, but that doesn't mean it can't be done.
What you would probably want to do in this case is just write to the reg
keys as appropriate.

Note that policy probably isn't the right technology for what you are trying
to do. Policy affects security settings on the machine, and the way in which
the gui is displayed for the users, and also some other sorts of settings
(network, ipsec, etc).
What you are trying to do is provision a shell, which has little to do with
policy per say, but rather to do with a shell and the context under

which

it
runs.
You would probably want to do is change the local policy to restrict the
rights for a given security context (maybe a local account you create),
start the shell in that context, and subsequently acl things on the system
as appropriate for it. Note that the only time policy comes in to play are
for some of the rights this user might have, not for anything else.

~Eric



were
not

into

a

file

in registry
hive files

 

[Tim Springston \(MSFT\)]

Programmatic level information regarding group policy settings, CSE
creation, and search functions are available at the MSDN web page
http://msdn.microsoft.com/library/d.../en-us/policy/policy/new_for_group_policy.asp

An additional resource you could look at would be the Group Policy Registry
Reference
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/gpref.asp

--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks a lot Tim,

I can not go that route because for the same reasons I have already told
to eric.
So first very important thing is my product manager tells me that we should
not involve ADS in this implementation because many people still are using
old NT 4.0 domain and NOT using ADS ( atleast thats what he is telling me).
And many people still are not willing to migrate to ADS. another thing is
that we have a web based console that should let administrators to change
the lockdown policies, so we will do these things programmatically. And he
thinks that people will not allow you to write into the ADS. They wont let
you touch their ADS. So dont used ADS.
Even if I manage to convince him that we MUST use GPO and ADS , the
question STILL REMAINS is how do I achieve these things PROGRAMMATICALLY ?
Are there any API's to change the settings in a GPO ? I am sure there are
numerous programming interfaces to create OU and Containers and linking GPO
to them but how do I create a GPO with the desired settings
programmatically?
Thanks once again for such a quick reply.
~Semal

Hi Semal-

It sounds like we have settings that can do what you want to do already.

If you have a terminal server and you would like to restrict user access
when they log on to it, you can configure a policy, linked to the OU which
contains the terminal server(s). In that policy, enable loopback policy
processing, and give the users (or groups they are members of) the Read and
Apply Group Policy Allow permissions.

Once that policy is created, you can add the resitrctions you would like for
the users. This can be a list of applications you want the users to NOT be
able to use, or you can exclude their use of all applications except ones
you specify.

You can also edit what options appear in Windows, removing nearly all
default selections. There are many user-based settings that be enabled to
alter (and inhibit of needed) the user's Windows experience.

However, for something similar to kiosk mode you may consider editing the
Computer Configuration portion of a different policy (not loopback policy
processing enabled) to run a specific application in the session, and
nothing else (no access to the classic Windows shell or Explorer).

That setting is available in Computer Configuration->Administrative
Templates->Terminal Services. The setting name is "Start a program on
connection". For this setting to work, GPO must be link to the OU the
terminal server is in, and the terminal server, or a group it is a member
of, must have Read and Apply Group Policy Allow permissions.

Please repost if the above suggestions do not help.
--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks a lot Tim,

Your quick and helpful response is really appreciated.
Actually All I want to do is apply some policies on Terminal Server
programmatically. And didnt want to mess up individual resgitry key on my
own.
I would if that Winlogon or whatever compopnent of OS usually does. My
understanding is that WinLogon retrieves GPO from ADS and actually

synch

up
the registry when ever a User loggs in. I could not figure out how one can
create GPO or local policy objects programmatically. So I was looking for
the central entity from where winlogon or whatever component reads the
newest policy settings. and wanted to manipulate them directly. thats

how

I
stumbled across this \System32\GroupPolicy folder. So tried to find

out
the

same on Windows 2003 but unfortunately it has some different infrastructure
altogether.
I had a detailed NEWS group discussion with one of the Microsoft

onlin
guys

Eric Fleischman [MSFT]" (e-mail address removed). And it describes what
exactly I am trying to do. You can read what exactly I am trying to achieve

here:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&frame=right&th=509f66dcb7

284521&seekm=3515b09d.0309012339.7075fd5b%40posting.google.com#link3 managers
and

launches

a see
any a
way tuned

thought

is which into file policies
are