| Author | Messages | |
jeromelcruz
Posts:120
 | | 05/14/2010 11:59 PM |
| Everyone... this is reposted for more fully understanding the behaviors of Multi-tab based Group Policy Preference Interfaces.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Handling the F5-F8 Buttons and an Interface Usage WARNING on Certain Multi-tab Based Preference Interfaces
* A solid green underline _______ (or green circle [cid:image001.png@01CAF36A.017861F0] ) indicates that the setting is CONTROLLED.
* A dashed red underline _ _ _ _ _ (or red 'busters' symbol [cid:image002.png@01CAF36A.017861F0] ) indicates that the setting is NOT CONTROLLED.
Note The solid versus dashed underline types provide an ergonomic visual resolution for those with Red/Green color experience issues.
The GPO Admin editing the policy has control over which settings on the interface they want to configure and over which settings they do not. The settings are enabled and disabled by using the function keys on the keyboard as follows:
* F5 enables all the settings on a tab within a preference item
* F6 enables the currently selected setting within a preference item
* F7 disables the currently selected setting within a preference item
* F8 disables all the settings on a tab within a preference item
WARNING - On Interface Behaviors
Since some of the Preferences interfaces display a multi-tab based interface (with a mixture of Red/Green underlined settings), you need to understand the behavior of those interfaces and be careful when you click on the OK button because you may be configuring MANY more settings than you think.
These types of interfaces may display all Green (solid underline) items, all Red (dashed underline) items, or a mixture of the two. As an example, let's say you wanted to create a preference item for Internet Explorer 5 and 6 to control the value in the Home field AND ONLY that setting. The default interface displays as shown below.
As you can see, the default interface displays a mixture of Green (solid line or 'Controlled') and Red (dashed line or 'Not Controlled') items.
[cid:image006.png@01CAF36A.017861F0]
So, you press F8 to turn all of the items Red (Not Controlled), move the mouse to the Home: field, enter http://www.microsoft.com, and then press F6 to activate that one item. You then have the following interface displayed and you're done. Good. You hit the OK button.
[cid:image007.png@01CAF36A.017861F0]
Next you go to the policy's Settings tab and observed that the web page setting is intact.
[cid:image011.png@01CAF36A.017861F0]
So Where's the Problem?
Let's say you were curious when editing the original preference and had clicked on some or all of the other tabs in that Preference interface (Security, Advanced, etc.) and then you went back, edited the Home Page setting, and clicked on the OK button.
Oops! "Houston, we have a problem..."
Even though you made absolutely no changes to the 'default' settings on those other tabs, the Preferences interface 'knew' you had clicked on other tabs, viewed the settings, and had then 'Accepted' the settings when you clicked on the OK button. Now when you view the GPMC Settings tab report, here's what you get instead. Ouch!
[cid:image012.png@01CAF36A.017861F0]
Since you ONLY wanted to configure that single Home Page setting, here's something you could try. You re-open the that Preference item, click on each of the remaining tabs, and press F8 to make sure that the noted Preference items were NOT being controlled. For example, here are before and after pictures of the items on the Advanced tab. Now, all those Green items are disabled (Red state). That should fix it, right?
[cid:image013.png@01CAF36A.017861F0] [cid:image014.png@01CAF36A.017861F0]
Well, that certainly looks like it should work because only the single setting you wanted is configured (Green state) back on the General tab.
In fact, not only did you disable those settings, you actually configured a 'Disabled' control state on all of them. You can see this when you hit the OK button to save the preference item and then go right back into the Preference dialog. When you do, you observe that the dialog has 'remembered' your F8 activity between the edit sessions. Well, that's cool, but what's the price? The 'price' is that the settings have to be stored 'somewhere' and then read when the item is re-opened for editing.
Okay Fine, So Where Are They Stored?
I'm glad you asked. The Preference settings are stored in XML files within each Group Policy. In this case, the data is stored in the \\Domain_Name\SYSVOL\Domain_Name\Policies\{GUID}\User\Preferences\InternetSettings.xml<file:///\\Domain_Name\SYSVOL\Domain_Name\Policies\%7bGUID%7d\User\Preferences\InternetSettings.xml> file within SYSVOL. Here's what the contents of the XML file look like with the single configuration setting enabled. [See TIP 2 below for a faster way to display this information.]
The Single 'Home Page' Setting XML File (2 KB file)
<?xml version="1.0" encoding="utf-8" ?>
- <InternetSettings clsid="{B611EB48-F531-42cd-AAAA-5EEEE15377BA}">
- <Internet clsid="{8C0FE68F-E8A2-4f17-BCDE-C61234208917}" name="Internet Explorer 5 and 6" status="Internet Explorer 5 and 6" changed="2009-12-04 23:45:32" uid="{12345B3F-AAAA-49D3-DDDD-5854321DCAC3}">
- <Filters>
<FilterFile hidden="1" not="0" bool="AND" path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" type="VERSION" gte="1" min="4.0.0.0" max="7.0.0.0" lte="0" />
</Filters>
- <Properties>
<Reg id="Homepage" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Internet Explorer\Main" name="Start Page" value="http://www.microsoft.com" />
<Reg id="SearchPath" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Internet Explorer\Main" name="Search Bar" value="" />
<Reg id="SupportPath" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Internet Explorer\Help_Menu_URLs" name="Online_Support" value="" />
<Reg id="DownloadPath" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Internet Explorer" name="Download Directory" value="" />
<Reg id="DaysToKeep" disabled="1" type="REG_DWORD" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History" name="DaysToKeep" value="00000014" />
</Properties>
</Internet>
</InternetSettings>
Notice that the 'HomePage' setting is configured and is followed by several disabled settings-these correspond to the remaining 'disabled' items from the 'General' tab interface. The 'disabled' settings each have a ' disabled="1" ' entry and then the XML file ends.
Now here's that same XML file after explicitly disabling all the tab interfaces using the F8 function key. You'll see the same 'General' tab settings and then a 'lot' more of them.
All Settings Disabled XML File (20 KB file)
<?xml version="1.0" encoding="utf-8" ?>
- <InternetSettings clsid="{ B611EB48-F531-42cd-AAAA-5EEEE15377BA }">
- <Internet clsid="{8C0FE68F-E8A2-4f17-BCDE-C61234208917}" name="Internet Explorer 5 and 6" status="Internet Explorer 5 and 6" changed="2009-12-04 23:41:50" uid="{12345B3F-AAAA-49D3-DDDD-5854321DCAC3}" bypassErrors="1">
- <Filters>
<FilterFile hidden="1" not="0" bool="AND" path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" type="VERSION" gte="1" min="4.0.0.0" max="7.0.0.0" lte="0" />
</Filters>
- <Properties>
<Reg id="Homepage" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Internet Explorer\Main" name="Start Page" value="http://www.microsoft.com" />
<Reg id="SearchPath" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Internet Explorer\Main" name="Search Bar" value="" />
<Reg id="SupportPath" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Internet Explorer\Help_Menu_URLs" name="Online_Support" value="" />
<Reg id="DownloadPath" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Internet Explorer" name="Download Directory" value="" />
<Reg id="DaysToKeep" disabled="1" type="REG_DWORD" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History" name="DaysToKeep" value="00000014" />
<Reg id="ScriptAddress" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings" name="AutoConfigURL" value="" />
<Reg id="UseProxyServer" disabled="1" type="REG_DWORD" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings" name="ProxyEnable" value="0" />
<Reg id="ProxyServerAndPort" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings" name="ProxyServer" value="" />
<Reg id="ProxyOverride" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings" name="ProxyOverride" value="" />
<Reg id="CurrentLevelLocal" disabled="1" type="REG_DWORD" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" name="CurrentLevel" value="00011000" />
<Reg id="CurrentLevelTrusted" disabled="1" type="REG_DWORD" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" name="CurrentLevel" value="00011000" />
<Reg id="CurrentLevelInternet" disabled="1" type="REG_DWORD" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" name="CurrentLevel" value="00012000" />
.
.
. << 18 KB more of disabled settings data where 'each' possible value is recorded as 'disabled = '1' >>
.
.
</Properties>
</Internet>
</InternetSettings>
Oh, and don't forget a side effect. You XML file 'will always' contain settings from the default tabbed interface, even though you 'configured' the correct setting on any other single tab. Sigh...
The Trade Off
We face a tradeoff between the size of the files in the policy and 'knowing' that all other settings are disabled. For my systems (large number of supported systems and user accounts), I typically deem size as the more important alternative. My domain systems currently handle nearly 3.0 million SYSVOL accesses per day and that is just checking whether anything in Group Policy's have changed. When a change is detected, all of the affected systems will reprocess their policies within two hours and that's a LOT of traffic. A 2 KB download versus a 20 KB download (and that for just a single setting) is a much better tradeoff.
Here's How Let's say I configured more than one preference item for Internet Settings (like the two in the picture shown below). I know that I only have to delete the one that has all the additional 'disabled' settings configured and then re-create a smaller one based on the multi-tab interface behavior we've been discussing.
For example: If the item in 'Order 1' was too large (too many 'disabled' settings), then I only have to delete that one item and re-create it. The reason for this is that each kind of Preference setting (e.g. Internet Settings, Network Options, Start Menu, etc.) has its own independent XML file. Within each XML file, say for Internet Settings, each preference setting you create is listed separately. In this case, when I delete the preference item in position '1', the interface removes only that single set of configuration settings from within the Internet Settings XML file. I can then create a new preference item that configures only the settings I wish. I therefore deploy a much smaller XML file and all my client systems process a bit faster.
[cid:image015.png@01CAF36A.017861F0]
A Word to the Wise
ALWAYS check the settings in the GPMC Settings tab 'before' and 'after' making any edits to make absolutely sure you have configured exactly what you expected to. With many settings configured, you would also do well to run and save reports as the Preference details can get very busy, very quickly on these multi-tab based settings.
TIP 1
In the picture above, you'll notice that both items are labeled 'Internet Explorer 5 and 6'. So, how do you tell the difference between what is configured in them. One way is to take advantage of the Description field available on the Common tab. That text will then appear in the Description box shown in the left-hand panel. That does, however, require you to click on each preference item in the list to read all the descriptions. For that reason, I like to use the Rename option from the right+click menu to change the Name. I still use the Description field, but I find that quickly searching for which item I want to edit is much faster when using the Name field.
TIP 2
When you click on an existing preference in the right-hand pane of the GPO Editor, the available menu action buttons change correspondingly. One these allows you to display the XML data for that selected preference and to display that setting's current XML data. There's really no need to manually browse to the GPO folder in SYSVOL.
[cid:image003.png@01CAF36C.771A99D0]
Enjoy folks!
Jerry Cruz | Group Policies Product Manager | Boeing IT
| | | |
|
|