Blademonkey

asked on

What is the best way to compare two sets of GPO .pol files?

Background: My office is planning on implementing the NIST FDCC GPO and registry settings quite soon. The NIST FDCC further locks down our computers based on the NIST policy mandate. Part of our deployment involves sending a package to offline Tablet PCs which need to have this update implemented without any contact with the authenticating servers.

Request: I'd like to be able to compare two sets (a set may contain only one file) of .pol file(s) to each other and find which items "overlap".
The first set of files will obviously be the NIST provisioned .pol files, while the second set is what we use in our OU at the moment. There are a lot of overlapping settings that I will need to edit manually to apply to the Tablet PCs, which need to be decided upon.


Additional notes: Whether or not this is possible is up to interpretation. At a minimum, I'd like for someone to point me in the right direction in being able to read and manipulate .pol file data so that I could make my own tool. Optimally, I would like to know if there are tools out there that have this comparative capability.

I have searched Google and am currently messing with RSOP's gpresult, but that doesn't hit the sweet spot I'm looking for.

Any advice or example would be appreciated at this point.

Thanks in advance for reading the above novel.
ASKER CERTIFIED SOLUTION
brent_caskey
Blademonkey (ASKER)
Thanks for the quick response, let me play with it for a bit.

For some added points, would you happen to be able to find a .pol file importer (other than the one from http://blogs.technet.com/fdcc/)? I'm having issues with that one because of the way they have their .pol files created.

We're trying to do the same thing as they are, but with our .pol files.

Note: I've recompiled, but it's so messy I'd rather deal with a simple CLI script that accepts specified .pol files.
ShineOn
Yes, .pol files are registry files. If you don't find one of the canned tools useful, you should be able to write something that fits your exact specifications using the registry API from the Windows Platform SDK.
OK, so doesn't that technically mean that I could import them with regedit?

Pardon my ignorance...
I gave you a partial on the completeness because the solution provided was not complete.  Thanks!
Well, if you open a registry.pol file with regedit, it will ask if you're sure you want to merge the file into the registry.  It doesn't give you a choice where it lands.  You can't import a .pol file, because it's not in registry export format.

It's a special type of registry file - it's a unicode file with a header and body, that starts with "PReg" to indicate that it's a policy registry file, and it contains a list of registry keys with semicolon-separated value changes.

It's not even as plain-English as a registry export .reg file, but it's a registry file nonetheless, written specifically to quickly modify the registry.  After all, that's all that group policy does - it modifies the registry.  Whether or not they're temporary modifications depends on the .adm file and whether or not the keys are supported for policy back-out, but there it is.

If you'd like, you could think of the .adm files as a schema definition and a set of function rules and the .pol file as a type of data that the schema defines, and between the two, they're like an overriding set of linked tables in the overall database called the Windows Registry... and whether or not the override permanently overwrites the original data values depends on the schema and functions defined by the .adm files and whether they fit into the basic GPO rules defined in the main schema... ;)
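As an added example (not code from this thread, nor from brent_caskey's solution), here is a small Python reader/writer for the registry.pol layout ShineOn describes, plus the overlap report the question asks for. It assumes the documented layout: a "PReg" signature, a DWORD version of 1, then UTF-16LE records of the form [key;value;type;size;data] with NUL-terminated key and value strings. The key names and the two sample "files" are constructed for the example and are not real FDCC settings; the `**Del.` handling reflects the Group Policy directive names, which are not registry values.

```python
"""Reader/writer for registry.pol and an overlap report for two sets of .pol files.
Added example, not code from this thread.  Layout assumed as documented for Group
Policy: b'PReg', DWORD version 1, then UTF-16LE records [key;value;type;size;data]
with NUL-terminated key and value strings.  Sample keys below are hypothetical."""
import struct
from dataclasses import dataclass

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
_U16 = "utf-16-le"

@dataclass(frozen=True)
class PolEntry:
    key: str     # registry key path (the hive is not recorded in the file)
    value: str   # value name; names beginning with ** are GP directives, not values
    vtype: int   # REG_* type code
    data: bytes  # raw data exactly as stored

def _read_sz(buf, pos):
    """Return (string, offset just past the two-byte NUL terminator)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated UTF-16 string at offset %d" % pos)
    return buf[pos:end].decode(_U16), end + 2

def _expect(buf, pos, char):
    if buf[pos:pos + 2] != char.encode(_U16):
        raise ValueError("expected %r at offset %d" % (char, pos))
    return pos + 2

def parse_pol(blob):
    """Parse the bytes of a registry.pol file into a list of PolEntry."""
    if blob[:4] != b"PReg":
        raise ValueError("missing PReg signature; not a registry.pol file")
    if struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("unsupported registry.pol version")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_sz(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_sz(blob, pos)
        pos = _expect(blob, pos, ";")
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(blob, pos + size, "]")
        entries.append(PolEntry(key, value, vtype, data))
    return entries

def build_pol(entries):
    """Inverse of parse_pol; used here to construct sample input offline."""
    sep, out = ";".encode(_U16), bytearray(b"PReg" + struct.pack("<I", 1))
    for e in entries:
        out += "[".encode(_U16) + e.key.encode(_U16) + b"\x00\x00" + sep
        out += e.value.encode(_U16) + b"\x00\x00" + sep
        out += struct.pack("<I", e.vtype) + sep + struct.pack("<I", len(e.data)) + sep
        out += e.data + "]".encode(_U16)
    return bytes(out)

def reg_line(e):
    """Render one entry as a .reg value line; the caller groups lines under the
    [HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER key] header for the right hive."""
    if e.value.startswith("**Del."):                 # directive: delete this value
        return '"%s"=-' % e.value[len("**Del."):]
    if e.value.startswith("**"):                     # **DelVals., **DeleteKeys, ...
        return "; policy directive %s has no .reg equivalent" % e.value
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    name = '"%s"' % esc(e.value)
    if e.vtype == REG_DWORD and len(e.data) == 4:
        return "%s=dword:%08x" % (name, struct.unpack("<I", e.data)[0])
    if e.vtype == REG_SZ:
        return '%s="%s"' % (name, esc(e.data.decode(_U16).rstrip("\x00")))
    tag = "hex" if e.vtype == REG_BINARY else "hex(%x)" % e.vtype
    return "%s=%s:%s" % (name, tag, ",".join("%02x" % b for b in e.data))

def overlap(set_a, set_b):
    """(key, value) pairs present in both sets, matched case-insensitively.
    Returns {(key, value): (entry_a, entry_b, identical_type_and_data)}."""
    ia = {(e.key.lower(), e.value.lower()): e for e in set_a}
    ib = {(e.key.lower(), e.value.lower()): e for e in set_b}
    return {k: (ia[k], ib[k], (ia[k].vtype, ia[k].data) == (ib[k].vtype, ib[k].data))
            for k in ia.keys() & ib.keys()}

# Constructed sample: a "provisioned" set and an "our OU" set that share two settings.
TABLET = r"Software\Policies\Example\Tablet"
PROVISIONED = build_pol([
    PolEntry(TABLET, "AutoRun", REG_DWORD, struct.pack("<I", 255)),
    PolEntry(TABLET, "Banner", REG_SZ, "Authorized use only\x00".encode(_U16)),
    PolEntry(TABLET, "**Del.LegacyFlag", REG_DWORD, b""),
])
OUR_OU = build_pol([
    PolEntry(TABLET.lower(), "autorun", REG_DWORD, struct.pack("<I", 255)),
    PolEntry(TABLET, "Banner", REG_SZ, "Welcome\x00".encode(_U16)),
    PolEntry(r"Software\Policies\Example\Other", "Timeout", REG_DWORD, struct.pack("<I", 900)),
])

if __name__ == "__main__":
    report = overlap(parse_pol(PROVISIONED), parse_pol(OUR_OU))
    for (key, _), (a, b, same) in sorted(report.items()):
        print("%s %s\n  provisioned: %s\n  ours:        %s"
              % ("SAME    " if same else "CONFLICT", key, reg_line(a), reg_line(b)))
```

Two caveats when turning this into a .reg converter: the file does not say which hive it targets, so you have to carry that from where the registry.pol sat (the Machine or User half of the GPO), and the `**Del.`/`**DelVals.`/`**DeleteKeys` names are instructions to the policy engine rather than values, so a converter that writes them out literally would create junk values instead of deleting anything.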


Hmm, that sounds like I would need the ADM files as well.

What I'm working on right now is a POL to REG converter, which I'm actually almost done with.

It sounds like the ADM files have some kind of control that would define when and where to apply the data in the .pol files? What would be the best way for me to integrate the functionality of the ADM files? And why doesn't Microsoft have a default LOCAL ADM, POL, and INF import/install utility?
Last question first:  Because Group Policy is intended to be used by network administrators to prevent anyone else from changing the centrally-managed settings.  If they made it easy to deal with on an individual file / computer basis, it would defeat the purpose.  They make tools for working with and managing group policy within that framework.

As to the best way to integrate the functionality of the ADM files - well, have you looked at an ADM file?  Check into it, and then go into the GPEDIT.MSC MMC console.  You'll see that the GPEDIT console essentially reads the ADM file for the hierarchy, options, formatting, and even the descriptive "help" for each of the settings the ADM file applies to.  The ADM file is leveraged by the GPEDIT tool, which is key in producing or editing the local GPO .pol file.  AD GPOs are produced much the same way, using other administrative consoles.

Since the ADM files are very human-readable text files, it shouldn't be too hard to figure out the format and feed a lookup table to produce a report of the exact policy setting the .pol file contains settings for, and what those settings are.  The .adm file format starts out with a bunch of policy-specific stuff, followed by a section of the text description/help info for each policy.  The policy is tied to the help message through a help message entry key.  You'll notice that they have GUI-related features like "radio button" and "combo box" to determine how the gpedit console will behave for each policy entry.

Also, don't forget that a policy is a temporary, reversible "on the fly" change to registry settings, while a preference (which .adm files and gpedit can also deal with) is a "permanent" change to registry entries.

You may want to do a quick web search to see if you can find a decent .ADM file syntax doc, like this one: http://media.wiley.com/product_ancillary/82/07821429/DOWNLOAD/4298Web1.pdf
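To show the lookup-table approach ShineOn describes, here is an added example (not from this thread) that reads the subset of .adm syntax used by simple policies (CLASS, CATEGORY, POLICY, PART, KEYNAME, VALUENAME, EXPLAIN and the [strings] section) and maps a (key, value name) pair taken from a .pol file back to the policy's display name, category path and help text. The ADM text and its key names are constructed for the example; real ADM files also use #if version blocks, ACTIONLIST, LISTBOX and other constructs this parser does not handle.

```python
"""Map (registry key, value name) pairs from a .pol file back to the .adm policy
that defines them.  Added example, not from the thread; the ADM text below is
constructed and its keys are hypothetical.  Handles only the common subset of
ADM syntax (CATEGORY/POLICY/PART nesting, KEYNAME, VALUENAME, EXPLAIN, [strings])."""
import re

TABLET = r"Software\Policies\Example\Tablet"

SAMPLE_ADM = r"""
CLASS MACHINE
CATEGORY !!TabletCat
  POLICY !!AutoRunPol
    KEYNAME "Software\Policies\Example\Tablet"
    EXPLAIN !!AutoRunExplain
    VALUENAME "AutoRun"
    VALUEON NUMERIC 255
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!BannerPol
    KEYNAME "Software\Policies\Example\Tablet"
    PART !!BannerText EDITTEXT
      VALUENAME "Banner"
    END PART
    EXPLAIN !!BannerExplain   ; EXPLAIN may also follow the PARTs
  END POLICY
END CATEGORY

[strings]
TabletCat="Tablet lockdown"
AutoRunPol="Turn off AutoRun"
AutoRunExplain="Sets AutoRun to 255, disabling autorun on every drive type."
BannerPol="Logon banner"
BannerText="Banner text:"
BannerExplain="Text displayed before logon."
"""

def _tokens(line):
    """Split an ADM line into tokens, keeping quoted strings whole and dropping ; comments."""
    toks = []
    for t in re.findall(r'"[^"]*"|\S+', line):
        if t.startswith(";"):
            break
        toks.append(t.strip('"'))
    return toks

def parse_adm(text):
    """Return {(key.lower(), valuename.lower()): {"policy", "category", "explain"}}.
    Values are attached to their policy only at END POLICY, so KEYNAME and EXPLAIN
    may appear before or after the VALUENAME lines."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', tail, re.M))

    def res(tok):  # resolve a !!name reference through the [strings] section
        return strings.get(tok[2:], tok) if tok.startswith("!!") else tok

    table, cats, policy, part = {}, [], None, None
    for line in body.splitlines():
        toks = _tokens(line)
        if not toks:
            continue
        kw = toks[0].upper()
        if kw == "CATEGORY":
            cats.append(res(toks[1]))
        elif kw == "POLICY":
            policy = {"policy": res(toks[1]), "category": "/".join(cats),
                      "explain": "", "key": None, "values": []}
        elif kw == "PART" and policy:
            part = {"key": None}           # a KEYNAME inside a PART applies to that PART only
        elif kw == "KEYNAME" and policy:
            (part or policy)["key"] = res(toks[1])
        elif kw == "EXPLAIN" and policy:
            policy["explain"] = res(toks[1])
        elif kw == "VALUENAME" and policy:
            policy["values"].append((part["key"] if part else None, res(toks[1])))
        elif kw == "END" and len(toks) > 1:
            what = toks[1].upper()
            if what == "CATEGORY":
                cats.pop()
            elif what == "PART":
                part = None
            elif what == "POLICY":
                for pkey, name in policy["values"]:
                    key = pkey or policy["key"]
                    if key:
                        table[(key.lower(), name.lower())] = {
                            f: policy[f] for f in ("policy", "category", "explain")}
                policy = None
    return table

def describe(table, key, value):
    """One report line for a setting found in a .pol file."""
    info = table.get((key.lower(), value.lower()))
    if info is None:
        return "%s\\%s: not defined by any loaded ADM" % (key, value)
    return "%s\\%s: [%s] %s -- %s" % (key, value, info["category"], info["policy"], info["explain"])

if __name__ == "__main__":
    table = parse_adm(SAMPLE_ADM)
    for name in ("AutoRun", "Banner", "Unknown"):
        print(describe(table, TABLET, name))
```

A setting that resolves to nothing is itself useful output: it means the .pol entry was created by something other than the ADM set you loaded (or by a custom ADM you do not have), which is exactly the kind of entry that needs a manual decision before it goes to the tablets.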