Solved

What is the best way to compare two sets of GPO .pol files?

Posted on 2008-01-25
Last Modified: 2010-04-21
Background: My office is planning on implementing the NIST FDCC GPO and registry settings quite soon. The NIST FDCC further locks down our computers based on NIST policy mandate. Part of our deployment involves sending a package to offline Tablet PCs which need to have this update implemented without any contact to the authenticating servers.

Request: I'd like to be able to compare two sets (a set may contain only one file) of .pol file(s) to each other and find which items "overlap".
The first set of files will obviously be the NIST-provisioned pol files, while the second set is what we use in our OU at the moment. There are a lot of overlapping settings that I will need to manually edit to apply to the Tablet PCs, which need to be decided upon.


Additional notes: Whether or not this is possible is up to interpretation. At a minimum, I'd like for someone to point me in the right direction in being able to read and manipulate .pol file data so that I could make my own tool. Optimally, I would like to know if there are tools out there that have this comparative capability.

I have searched Google and am currently messing with RSOP's gpresult, but that doesn't hit the sweet spot I'm looking for.

Any advice or example would be appreciated at this point.

Thanks in advance for reading the above novel.
Question by:Blademonkey
8 Comments

Accepted Solution

by:
brent_caskey earned 1200 total points
ID: 20746729
You can use regview to see what is in the .pol file. Regview is included in the windows 2003 resource kit tools.

http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

You might want to also look at a program like the following:
http://www.torchsoft.com/en/rw_information.html

Author Comment

by:Blademonkey
ID: 20747141
Thanks for the quick response, let me play with it for a bit.

For some added points, would you happen to be able to find a .pol file importer (other than the one from http://blogs.technet.com/fdcc/)? I'm having issues with that one because of the way they have their pol files created.

We're trying to do the same thing as they are, but with our pol files.

Note: I've recompiled, but it's so messy I'd rather deal with a simple CLI script that accepts specified pol files.

Expert Comment

by:ShineOn
ID: 20747211
Yes, .pol files are registry files. If you don't find one of the canned tools useful, you should be able to write something that fits your exact specifications using the registry API from the Windows Platform SDK.

Author Comment

by:Blademonkey
ID: 20747251
OK, so doesn't that technically mean that I could import them with regedit?

pardon my ignorance...

Author Closing Comment

by:Blademonkey
ID: 31425129
I gave you a partial on the completeness because the solution provided was not complete.  Thanks!

Expert Comment

by:ShineOn
ID: 20747653
Well, if you open a registry.pol file with regedit, it will ask if you're sure you want to merge the file into the registry.  It doesn't give you a choice where it lands.  You can't import a .pol file, because it's not in registry export format.

It's a special type of registry file - it's a Unicode file with a header and body that starts with "PReg" to indicate that it's a policy registry file, and it contains a list of registry keys with semicolon-separated value changes.

It's not even as plain-English as a registry export .reg file, but it's a registry file nonetheless, written specifically to quickly modify the registry.  After all, that's all that group policy does - it modifies the registry.  Whether or not they're temporary modifications depends on the .adm file and whether or not the keys are supported for policy back-out, but there it is.

If you'd like, you could think of the .adm files as a schema definition and a set of function rules and the .pol file as a type of data that the schema defines, and between the two, they're like an overriding set of linked tables in the overall database called the Windows Registry... and whether or not the override permanently overwrites the original data values depends on the schema and functions defined by the .adm files and whether they fit into the basic GPO rules defined in the main schema... ;)
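An added example, not code from the thread: a small Python parser for the PReg layout ShineOn describes (the "PReg" signature and version DWORD, then `[key;value;type;size;data]` records in UTF-16LE), plus the set-versus-set overlap report the question asks for. The writer, the parser, `compare_sets` and the sample bytes are my own constructions; the key name is a placeholder, not an FDCC setting.

```python
import struct
U16 = lambda s: s.encode("utf-16-le")   # registry.pol text is UTF-16LE

def build_pol(entries):
    # Constructed writer used only to make test data: (key, value, type, data) -> registry.pol bytes.
    out = b"PReg" + struct.pack("<I", 1)                # "PReg" signature followed by version 1
    for key, value, rtype, data in entries:
        out += U16("[") + U16(key + "\0") + U16(";") + U16(value + "\0") + U16(";")
        out += struct.pack("<I", rtype) + U16(";") + struct.pack("<I", len(data)) + U16(";")
        out += data + U16("]")
    return out

def parse_pol(blob):
    # Parse one registry.pol into {(key, value): (type, data)}, names lower-cased since the registry
    # is case-insensitive; "**"-prefixed value names such as **DelVals. are GPO deletion directives.
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, {}
    def read_str():  # NUL-terminated UTF-16LE string; leaves pos just past the terminator
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\0\0":
            end += 2
        text, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return text
    while pos < len(blob):
        if blob[pos:pos + 2] != U16("["): raise ValueError("bad record at offset %d" % pos)
        pos += 2
        key = read_str(); pos += 2                       # skip ';'
        value = read_str(); pos += 2
        rtype = struct.unpack_from("<I", blob, pos)[0]; pos += 6   # DWORD + ';'
        size = struct.unpack_from("<I", blob, pos)[0]; pos += 6
        data = blob[pos:pos + size]; pos += size + 2               # data + ']'
        entries[(key.lower(), value.lower())] = (rtype, data)
    return entries

def compare_sets(baseline_blobs, current_blobs):
    # Each "set" is one or more .pol files; within a set a later file overrides an earlier one.
    base = {k: v for b in baseline_blobs for k, v in parse_pol(b).items()}
    cur = {k: v for b in current_blobs for k, v in parse_pol(b).items()}
    both = base.keys() & cur.keys()
    identical = sorted(k for k in both if base[k] == cur[k])   # overlap, same data
    conflicting = sorted(k for k in both if base[k] != cur[k]) # overlap, needs a decision
    return identical, conflicting

# Constructed sample data with a placeholder key, not real FDCC settings.
KEY, BANNER = "Software\\Policies\\Example\\Lockdown", (1, U16("Authorized use only\0"))  # 1 = REG_SZ
NIST_POL = build_pol([(KEY, "DisableFeature", 4, struct.pack("<I", 1)), (KEY, "Banner", *BANNER)])  # 4 = REG_DWORD
OU_POL = build_pol([(KEY.lower(), "disablefeature", 4, struct.pack("<I", 0)), (KEY, "Banner", *BANNER)])
```

Feed `compare_sets` the raw bytes of real registry.pol files for each set (read with `open(path, "rb")`); the conflicting list is the overlap that has to be decided on by hand.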

Author Comment

by:Blademonkey
ID: 20747855
Hmm, that sounds like I would need the ADM files as well.

What I'm working on right now is a POL to REG converter, which I'm actually almost done with.

It sounds like the ADM files have some kind of control that would define when and where to apply the data in the pol files? What would be the best way for me to integrate the functionality of the ADM files? And why doesn't Microsoft have a default LOCAL ADM, POL, and INF import/install utility?

Expert Comment

by:ShineOn
ID: 20748410
Last question first:  Because Group Policy is intended to be used by network administrators to prevent anyone else from changing the centrally-managed settings.  If they made it easy to deal with on an individual file / computer basis, it would defeat the purpose.  They make tools for working with and managing group policy within that framework.

As to the best way to integrate the functionality of the ADM files - well, have you looked at an ADM file?  Check into it, and then go into the GPEDIT.MSC MMC console.  You'll see that the GPEDIT console essentially reads the ADM file for the hierarchy, options, formatting, and even the descriptive "help" for each of the settings the ADM file applies to.  The ADM file is leveraged by the GPEDIT tool, which is key in producing or editing the local GPO .pol file.  AD GPOs are produced much the same way, using other administrative consoles.

Since the ADM files are very human-readable text files, it shouldn't be too hard to figure out the format and feed a lookup table to produce a report of the exact policy settings the .pol file contains settings for, and what those settings are.  The .adm file format starts out with a bunch of policy-specific stuff, followed by a section of the text description/help info for each policy.  The policy is tied to the help message through a help message entry key.  You'll notice that they have GUI-related features like "radio button" and "combo box" to determine how the gpedit console will behave for each policy entry.

Also, don't forget that a policy is a temporary, reversible "on the fly" change to registry settings, while a preference (which .adm files and gpedit can also deal with) is a "permanent" change to registry entries.

You may want to do a quick web search to see if you can find a decent .ADM file syntax doc, like this one: http://media.wiley.com/product_ancillary/82/07821429/DOWNLOAD/4298Web1.pdf