Installing Remote Registry Editing on Windows 95, Windows 98, and Windows Me

Note This section addresses the concerns of system administrators working in mixednetworking environments. Though Windows NT Workstation and Windows 2000 Professional have remote registry editing installed already, Windows 95, 98, and Me do not. The installation process is similar on both operating systems, though the source of the necessary drivers differs with each version. You have to install a network service to enable remote registry editing. This service, REGSERV, is found in the following location:

• Windows 95: Look on the Windows 95 distribution CD, in the directory \Tools\ResKit\NetAdmin\RemotReg, for the regserv program files.

• Windows 98/Me: Look on the Windows 98/Me distribution CD, in the directory \Admin\NetTools\RemotReg, for the regserv program files.

In each operating system, the installation is identical:

1. Open the Control Panel. 2. Start the Network applet. 3. Click the Add button in the Configuration tab. 4. Select Service from the list, and click the Add button. 5. Click the Have Disk button, and provide the directory information as given above. 6. Select Microsoft Remote Registry. 7. Install the Remote Registry service, and reboot the computer when prompted.

Tip The Remote Registry service files are identical in Windows 95 and Windows 98/Me. Either will work with either version of the operating system.

Windows 2000 Backup's Emergency Repair Disk Features

The RDisk utility is not available under Windows 2000 or Windows XP. Windows 2000's Backup program contains the functionality of RDisk. With Windows 2000, the ERD (Emergency Repair Disk) has slightly different contents than under previous versions of Windows NT. Note Windows XP does not support the ERD disk capability! The repair disk holds some of the system configuration components. Backup can back up registry files to a location on the hard drive (the Repair directory) and configuration files to a diskette (the ERD). The ERD contains files used to help Windows 2000 restore the system to a known state in the event of damage to the working copy of the registry. Generally, copies of the registry contained in the Repair directory are only usable with the Setup program's repair facility. This may seem to limit their usefulness. However, when disaster strikes, anything is better than nothing. Actually, spending half an hour running the Setup repair function is a small price to pay to recover from a damaged registry. There can be only one Repair directory on a Windows 2000 system, always at %SystemRoot%\Repair. However, there may be many ERDs in existence at one time. Since an ERD's contents are (generally) matched to the registry, it is best to simply keep one or two copies of the most recent registry backed up. Tip Actually, you can copy the files in the Repair directory to another safe location, as well, then copy them back to the Repair directory if necessary. Make sure that all files are copied or backed up and restored as a set-don't attempt to back up only some of the files in the Repair directory. If you copy the Repair directory files to another location, also create a copy of the ERD and save that as well. Creating an Emergency Repair Disk To create an ERD, follow these steps:

1. Start Backup without any options. 2. Select the Emergency Repair Disk button in the Welcome tab. 3. At the prompt to insert a diskette, insert a diskette containing nothing of value. The diskette must already be formatted. 4. Once Backup is done, it will display a dialog box prompting you to label the ERD and place it in safekeeping. You may then create another ERD, update the repair information on the hard disk, perform other backup tasks, or exit.

Note Remember to remove the floppy diskette from the drive once Backup finishes writing the repair information to it. Attempting to boot this diskette won't cause a problem; however, it will have to be removed before the system can be rebooted.

Saving to the Repair Directory

In Windows 2000, Backup can save the entire registry to the Repair directory. To update the %SystemRoot%\Repair directory, follow these steps:

1. Start Backup without any options. 2. Select the Emergency Repair Disk button in the Welcome tab. 3. At the prompt to insert a diskette, insert a diskette containing nothing of value. The diskette must already be formatted. 4. Select the "Also backup the registry..." check box. 5. Once Backup is done, it displays a dialog box prompting you to label the ERD and place it in safekeeping. You may then create another ERD, perform other backup tasks, or exit.

The Windows 2000 Resource Kit

The Windows 2000 Resource Kit contains a number of very useful tools. Many of these tools run from a command prompt, although one has a Windows-type interface. The Resource Kit changed substantially in Windows 2000. Gone are all the old registry utilities, leaving only the multipurpose reg.exe program. Note There are two resource kits: one is included with the operating system, on the distribution CD, and has only limited contents. The second version has both a tutorial and a CD with many more utilities and is available from Microsoft Press. Try the URL http://www.microsoft.com/ mspress/windows/ windowsxp/itpros/default.asp for more information. If nothing else, the Windows 2000 Resource Kit is an excellent source of both information and a whole bunch of really neat utilities and tools for the Windows 2000 user. Note While I've got you in support mode, make a link on your Desktop for the URL http://support.microsoft.com/ support/search/c.asp?SPR=. This URL links to the online TechNet search support. TechNet contains a vast amount of technical information oriented toward system administrators. I don't know what I'd do without TechNet. Warning Many of the earlier versions of the Windows Resource Kit utilities work with both Windows NT 4 and Windows 2000. However, be most cautious when using older utilities with Windows XP, as they may not have been well tested on the Windows XP platform!

Policies-Good for One, Good for All

Overview

Windows XP Professional stores configurations for all users, and computers, as policies. (Windows XP Home does not support policies.) By default, no policies are set, but an administrator can easily set policies for a group of users or for the entire system. It's possible to set some policies by manually "hacking" the registry. However, that's the hard way. An easier way to change policies is to use one of the policy tools that Microsoft provides. The first question on your mind is, "What does this have to do with the registry?" Well, of all things in Windows XP Professional, policies affect (and change) the registry more than anything else. With policy settings, you can change the way hardware and software behave and can be used.

An Introduction to Policies

Policies govern a site, a domain, or an organizational unit (often referred to as an OU) but not a specific user or computer. Policy is applied in a hierarchy, with higher-level policies used where no lower-level policy exists. For example, policy is applied as site (the highest level), then domain, organizational unit, and user. Policies in the domain override those they conflict with in the site, while conflicts between the domain and organizational unit are resolved with

the organizational unit taking precedence. Conflicts between nested organizational units are resolved with the lower-level organizational unit taking precedence. Note Policy objects and settings can be set, unset, or not configured. Policy settings are configured in objects called group policy objects (GPOs). GPOs are edited using the Microsoft Management Console (MMC). The Official Order of Policy Implementation Is... When Windows XP Professional (when joined to a domain) implements system policies, the policies are applied in this order: 1. Policies inherited from previous versions of Windows. For example, Windows NT 4 policies are contained in the NTConfig.pol file. Note that Windows NT 4 policies need not exist, and they will not exist on a clean installation of Windows XP Professional. 2. The policies contained in the local group policy object. 3. Site group policy objects, in the order specified by the administrator. 4. Domain group policy objects, in the order specified by the administrator. 5. Organizational unit group policy objects, from higher-level to lower-level organizational unit (parent to child organizational unit), and in administratively specified order at the level of each organizational unit. Organizational units may be nested. That is, you can have an organizational unit called Students. Within Students, you then might have Freshmen, Sophomores, Juniors, and Seniors, representing the four classes. (You might also have Graduate Students, Master's, or Doctoral.) Nesting can be as simple or as complex as your organization is. When nesting organizational units, policy may be either inherited or not. You, the administrator, specify inheritance rules, within the following framework:

• Inheritance is downward only. In the example above, Freshmen inherit from Students, but Students never inherit from Freshmen.

• Settings that have not been configured are not inherited.

• Settings that are disabled are inherited as disabled.

• When a setting is configured in the higher-level organizational unit, and not configured in the lower-level organizational unit, then the lower-level organizational unit inherits the setting from the parent organizational unit.

• When settings between the higher-level organizational unit and a lower-level organizational unit don't conflict (are compatible), but are not the same, both are used to form the lower-level organizational unit's policy.

• When settings between the higher-level organizational unit and a lower-level organizational unit do conflict (are incompatible), but are not the same, the lower-level organizational unit's policy is used. Note Well, almost always...An attribute called No Override, if selected at the higher-level

organizational unit, will cause the lower-level organizational unit to always execute the higher-level OU's policy.

Just More Confusion?

In the previous section, you saw that policies are set for sites, domains, and organizational units. Now, I'm going to confuse things a bit and say that policies are divided into two parts, Computer Configuration and User Configuration. Computer Configuration specifies policies that are applied to a computer without regard to who the user is. User Configuration specifies policies that are applied to a user without regard to which computer the user logs on to. Both the Computer Configuration and the User Configuration are made up of three sections: Software Settings Everything in Software Settings deals with software installation policy-for example, what can be installed, what must be uninstalled, and when. Windows Settings Settings for Windows XP Professional are controlled in this section. There are more items in the Windows Settings section for the User Configuration than for the Computer Configuration. Administrative Templates The extensible section, almost a catchall for everything that doesn't fall into the other two sections, is the Administrative Templates section. Items are added to Administrative Templates using .adm files. Note Though we are talking about Office throughout this tutorial, many other Microsoft components use .adm files, including Microsoft Internet Explorer.

Software Settings

The Software Settings section contains policies that deal with software installation and maintenance, such as what applications can be installed, what must be uninstalled and when, what maintenance must be done, and so on. For example, if you configure Microsoft Word XP under Software Settings, and a user logs on to a computer that doesn't have Microsoft Word XP installed already, the user will still see a Start menu selection (shortcut) for Microsoft Word XP. If the user selects this shortcut, Microsoft Word XP will install itself (from a network share) for the user to use.

Windows Settings

In both Computer Configuration and User Configuration, you'll find a Windows Settings section. For Computer Configuration, the settings are applied to each user who logs on to the computer. For User Configuration, the settings are applied to users who log on regardless of the computer they log on to.

Administrative Templates

The Administrative Templates section contains all registry-based information. Two hives are used:

• HKEY_CURRENT_USER, the location where user configuration settings are saved

• HKEY_LOCAL_MACHINE, the location where computer configuration information is saved Both user application policy items and policy for Windows XP Professional are managed in Administrative Templates. Adding policy items to Administrative Templates is simple. Most applications (that support policy) come with .adm files that contain information about which registry settings can be configured. For example, Microsoft Office XP has an .adm file named word10.adm (to Microsoft, Word XP is also known as both Microsoft Word version 10 and Microsoft Word 2002). You can download the Microsoft Office policy tools from Microsoft's Internet website. They are part of the Microsoft Office Resource Kit located at http://www.microsoft.com/office/techinfo/reskit/default.htm. A small fraction of the Microsoft Word XP.adm file is:

CLASS USER
   CATEGORY "Microsoft Word 2002"
   KEYNAME Software\Policies\Microsoft\Office\10.0\Word\Options
   CATEGORY "Tools | Options..."
   KEYNAME Software\Policies\Microsoft\Office\10.0\Word\Options\vpref
   CATEGORY "View"
   KEYNAME Software\Policies\Microsoft\Office\10.0\Word\Options\vpref
   CATEGORY "Show"
   KEYNAME Software\Policies\Microsoft\Office\10.0\Word\Options\vpref
   POLICY "Startup Task Pane"
   KEYNAME Software\Policies\Microsoft\Office\10.0\Word\Options
   PART "Check to enforce setting on; uncheck to enforce setting off"
   CHECKBOX
   VALUENAME StartupDialog
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
   END PART
   END POLICY
   POLICY "Highlight"
   PART "Check to enforce setting on; uncheck to enforce setting off"
   CHECKBOX
   VALUENAME fShowHighlight_533_1
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
   END PART
   END POLICY
   POLICY "Bookmarks"
   PART "Check to enforce setting on; uncheck to enforce setting off"
   CHECKBOX
   VALUENAME grpfvisi_146_1
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
   END PART
   END POLICY
   POLICY "Status bar"
   PART "Check to enforce setting on; uncheck to enforce setting off"
   CHECKBOX
   VALUENAME fStatusBar_83_1
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0

ACTIONLISTON
   VALUENAME fStatLine_3_1 VALUE NUMERIC 1
   END ACTIONLISTON
   ACTIONLISTOFF
   VALUENAME fStatLine_3_1 VALUE NUMERIC 0
   END ACTIONLISTOFF
   END PART
   ACTIONLISTOFF
   VALUENAME fStatLine_3_1 VALUE DELETE
   END ACTIONLISTOFF
   END POLICY
   POLICY "ScreenTips"
   PART "Check to enforce setting on; uncheck to enforce setting off"
   CHECKBOX
   VALUENAME grpfvisi_159_1
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
   END PART
   END POLICY
   <Many deleted lines...>
   POLICY "Tools | Compare and Merge Documents, Legal blackline"
   KEYNAME Software\Policies\Microsoft\Office\10.0\Word\Options\vpref
   PART "Check to enforce setting on; uncheck to enforce setting off"
   CHECKBOX
   VALUENAME fDefaultToCompare_1848_1
   VALUEON 1
   VALUEOFF 0
   END PART
   PART " " TEXT
   END PART
   PART "When this option is turned on, a comparison between two documents"
   TEXT
   END PART
   PART "automatically generates a new Legal Blackline document, leaving"
   TEXT
   END PART
   PART "the originals unchanged." TEXT
   END PART
   END POLICY
   END CATEGORY
 END CATEGORY

In this example, we see that the registry section being changed is HKEY_CURRENT_USER. The key being set (or changed) is Software\Policies\Microsoft\Office\10.0\Word\Options\vpref (vpref stands for "view preferences"). The key to be changed is shown in a KEYNAME line in the .adm file. Checking Microsoft Word XP's menu structure, we see a top-level menu item called Tools, and under Tools is a menu selection called Options. Clicking Options will display Microsoft Word XP's Options dialog box, which has a tab named View. On the View tab is a section called Show. Each of these items correlates to a CATEGORY line in the .adm file, shown partially in the above listing.

Finally, in the .adm file, we have the POLICY lines. The first POLICY line shown is Startup Task Pane.

Back to the above listing, under POLICY, there's a PART line with the text "Check to enforce setting on; uncheck to enforce setting off", followed by the keyword CHECKBOX. CHECKBOX specifies that this policy is toggled on and off (that is, checked and unchecked). If on, the value of the key will be 1 (specified with the line VALUEON NUMERIC 1) or 0 (specified by the next line, VALUEOFF NUMERIC 0). The next two lines end blocks that start at PART (ends at the END PART line) and POLICY (ends at the END POLICY line). Each policy has one or more parts; most policies have only a single part, however. Armed with this information, you can go out and create policy files for other applications. Granted, if you are not the application's creator, it will be difficult-but not impossible-to set things like defaults using policies. The changes made under Administrative Templates are saved in two Registry.pol files. These files are stored in subdirectories under %SystemRoot%, one called Machine (which contains the Registry.pol file that is used to update HKEY_LOCAL_MACHINE) and the other called User (which contains the Registry.pol file that is used to update HKEY_CURRENT_USER). Finding Registry.pol Files I can't say where the Registry.pol files are, except to tell you to use the Windows Find feature, or a command session's dir command. Why? Well, each installation is unique in the locations where these files are stored; for example, on my computer, I have the following Registry.pol files:

G:\WINNT\System32\GroupPolicy\Machine\Registry.pol
   G:\WINNT\System32\GroupPolicy\User\Registry.pol
   G:\WINNT\SysVol\Domain\Policies\{31B2F340-016D-11D2-945F-
   00C04FB984F9}\MACHINE\Registry.pol
   G:\WINNT\SysVol\Domain\Policies\{6AC1786C-016F-11D2-945F-
   00C04fB984F9}\USER\Registry.pol
   G:\WINNT\SysVol\Domain\Policies\{EE520C60-1F3E-11D3-A6E8-
   00A024D2DD82}\User\Registry.pol
   G:\WINNT\SysVol\SysVol\darkstar.mv.com\Policies\{31B2F340-
   016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol
   G:\WINNT\SysVol\SysVol\darkstar.mv.com\Policies\{6AC1786C-
   016F-11D2-945F-00C04fB984F9}\USER\Registry.pol
   G:\WINNT\SysVol\SysVol\darkstar.mv.com\Policies\{EE520C60-
   1F3E-11D3-A6E8-00A024D2DD82}\User\Registry.pol

Notice the use of GUIDs (globally unique identifiers) for some of the directory names-those may be different for each installation.