1. The Group Policy Object Editor will launch, and it will be focused on the selected
GPO. Under the GPO name, you see two nodes: Computer Configuration and
User Configuration. To demonstrate administrative templates, let's focus on the
User Settings. Expand the User Configuration node, then expand the
Administrative Templates node. You'll see a tree of folders representing the
available areas for administrative template controls (Fig. 11.13).
Figure 11.13: The Group Policy Object Editor focused on the Default Domain
Policy
2. What you see is a graphical representation of the ADM files that are loaded by this
particular GPO. The ADM files dictate which folders, registry keys, and values are
presented here. Each folder, such as Control Panel, Network, and System,
represents ADM categories. Within each category are sets of policies that you can
specify. For example, if you expand the System folder, you will see a subfolder
named Power Management. After you expand a specific subfolder, the right pane
of the Group Policy Object Editor window will expose the list of all available
registry limitations that can be set in relation to the selected feature. For example,
the Power Management folder contains the Prompt for password on resume
from hibernate / suspend policy. (When you configure this policy, the
appropriate setting will be created or modified in the registry.)
3. To configure a specific policy, simply double-click it to open the respective
Properties window (Fig. 11.14). Previously in this section, when discussing the
ADM file structure, I pointed out the new keywords appearing with each new
Windows version. Now, notice the effect they have on the GPO Editor user
interface. For example, the EXPLAIN keyword appears in the Properties
window's Explain tab, which you can click to read Help text associated with the
selected policy item. Also notice the Supported on: At least Windows XP
Professional… string at the bottom of this dialog. It appeared because the
SUPPORTED statement was included in the ADM file. Despite these changes to
example, user-specific Registry.pol is located in %SystemRoot%\sysvol\
domain\policies\<GPO_GUID>\User. Registry.pol replaces the Ntconfig.pol and
Config.pol files, which were used in Windows versions earlier than Windows 2000.
However, unlike Ntconfig.pol, Registry.pol is not a valid registry hive file. You can't load
it into a temporary hive, nor can you view it. It is a text file, but it contains non-printable
characters and cannot be edited using a text editor, such as Notepad.
However, one drawback of Windows NT 4.0 policies was the effect of tattooing. When
you remove a policy from the domain, the entries are left in the registry for the affected
user or machine. This is not the case in Windows 2000 and later. In these newer versions,
if you disable or remove a GPO that has made registry changes, the corresponding
changes are also removed from the registry.
In Windows NT 4.0, the default path for policy restrictions was in HKCU or HKLM,
under the Software\MS\Windows\CurrentVersion\Policies keys. (See the full path
previously given in this section.) Starting with Windows 2000, the default path for policy
settings has been changed to HKCU and HKLM under the Software\Policies key. As long
as your ADM templates make changes to either of these policy keys, any tattooing is
cleaned up when you remove a GPO. Of course, you are not limited to these keys. You
could easily create an ADM file that enforces registry policy on HKLM\Software\Myapp.
However, if a custom ADM file has been created that strays from the well-known keys,
those custom keys won't be cleaned up when the GPO is removed.
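Added example (not from the original text or from any Microsoft tool): a minimal Python reader for Registry.pol that also lists the keys lying outside the two policy paths, which the text says are not cleaned up when the GPO is removed. It assumes the layout in Microsoft's published Registry Policy File Format (a PReg signature, version 1, then UTF-16LE [key;value;type;size;data] records); the sample entries and the names parse_pol, build_pol and tattoo_risks are constructed for illustration.

```python
import struct

# Hive-relative policy paths the text says are cleaned up ("MS" assumed = Microsoft).
MANAGED = ("software\\policies\\",
           "software\\microsoft\\windows\\currentversion\\policies\\")

def u16(s):
    return s.encode("utf-16-le")

def build_pol(entries):  # helper used only to construct the sample below
    out = b"PReg" + struct.pack("<I", 1)
    for key, value, rtype, data in entries:
        out += u16(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + u16(";")
        out += struct.pack("<I", len(data)) + u16(";") + data + u16("]")
    return out

# Constructed sample: one setting under a policy path, one under a custom key.
SAMPLE = build_pol([
    ("Software\\Policies\\ExampleVendor\\Power", "PromptOnResume", 4, struct.pack("<I", 1)),
    ("Software\\Myapp", "Mode", 1, u16("on\0")),
])

def parse_pol(blob):
    """Return (key, value, type, data) tuples; raise ValueError on malformed input."""
    if len(blob) < 8 or blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("missing PReg signature or version 1")
    pos, records = 8, []
    def take(n, then):  # read n bytes, then require the UTF-16LE delimiter `then`
        nonlocal pos
        chunk, delim = blob[pos:pos + n], blob[pos + n:pos + n + 2]
        if len(chunk) != n or delim != u16(then):
            raise ValueError(f"malformed record at offset {pos}")
        pos += n + 2
        return chunk
    def text():  # NUL-terminated UTF-16LE string followed by ';'
        end = pos
        while blob[end:end + 2] not in (b"\0\0", b""):
            end += 2
        return take(end + 2 - pos, ";")[:-2].decode("utf-16-le")
    while pos < len(blob):
        take(0, "[")
        key, value = text(), text()
        rtype = struct.unpack("<I", take(4, ";"))[0]
        size = struct.unpack("<I", take(4, ";"))[0]
        records.append((key, value, rtype, take(size, "]")))
    return records

def tattoo_risks(records):  # keys that stay in the registry after GPO removal
    return [k for k, *_ in records if not (k.lower() + "\\").startswith(MANAGED)]
```

Run tattoo_risks(parse_pol(data)) over the bytes of a GPO's Registry.pol before retiring the GPO to see which settings will need manual cleanup.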
How Software Installation Works
Another important GPO feature that directly affects the system registry is Software
Installation. Any application carrying the label "Designed for Windows" must use
the registry. Any time a setup program runs, it reads the registry information to determine if
all the components necessary to complete the installation procedure successfully are
present in the system. It then adds new configuration data to the registry. For this reason,
Setup programs — including Windows Setup and setup utilities that install third-party
software and/or device drivers — always hold the first position in the list of components
using the system registry.
At this point, we come to an important issue. Software installation and distribution
User State Migration. Migrating files and settings for multiple users in a corporate
environment is easier with the User State Migration Tool (USMT). USMT gives
administrators command-line capabilities when they customize specific settings or
make unique modifications to the registry. In addition, Windows Server 2003
includes a Files and Settings Transfer Wizard designed for individuals or small-
office users. The wizard is also useful in a corporate network environment for
employees who receive a new computer and need to migrate their own files and
settings without the support of an IT department or help desk.
Windows Installer. Managing software applications in a corporate environment
has traditionally burdened organizations with high costs. With Windows Installer,
administrators can greatly simplify the process of customizing installations,
updating and upgrading applications, and resolving configuration problems.
Windows Installer can also manage shared resources, enforce consistent file
version rules, and diagnose and repair applications at run time.
To deliver an application to users or machines, you normally use the Group Policy Object
Editor MMC snap-in focused on the desired GPO. When you are ready to deliver a
specific application to users:
1. Place the installation package on the network share. Make sure that it is accessible
to the clients.
2. Start the Active Directory Users and Computers MMC snap-in, right-click the
name of the domain or OU of interest, and select the Properties command from
the context menu. Then go to the Group Policy tab, highlight the required GPO,
and click the Edit button.
3. The Group Policy Object Editor will launch, and it will be focused on the selected
GPO. Expand the console tree and locate the Software installation nodes both
under Computer Configuration | Software Settings and User Configuration |
Software Settings (Fig. 11.15). The Software Installation feature allows you to