POLICY

To identify the policy that the user can modify, you use the keyword POLICY:

POLICY !!MyFirstPolicy

...fill in all the policy specifics

...and then finish with:

END POLICY

You can use multiple POLICY key names under one KEYNAME. In the previous example, you must define the MyFirstPolicy variable in the [strings] section of the .adm file.

The valid keywords for POLICY are:

• KEYNAME
• VALUENAME
• PART
• VALUEON
• VALUEOFF
• ACTIONLISTON
• ACTIONLISTOFF
• END
• HELP
• CLIENTEXT
• POLICY

VALUENAME

Defines the options available within a policy. You must first identify the registry value that is to be modified as a result of using the keyword VALUENAME. For example, VALUENAME MyFirstValue.

Unless you specify otherwise, the value will be written in the following format when the user selects or clears the option:

• Selected: REG_DWORD with a value of 1.
• Cleared: remove the value completely.

Other options are available and are listed in the following sections. If the option is to be selected within the lower pane of the Group Policy snap-in, then the VALUENAME needs to be within a PART scope, as described in PART.

CLIENTEXT

The CLIENTEXT keyword is used to specify which client-side extension (a .dll on the user's computer, for example) to the Group Policy snap-in is needed to process particular settings on the client computer. By default, the Registry extension processes all settings configured under the Administartive Templates node. The CLIENTEXT keyword changes the default behavior and causes the specified extension to process these settings after the Registry extension has placed them in the registry.

CLIENTEXT must be used within either the POLICY scope or the PART scope and should follow the VALUENAME statement.

For example:

		EXPLAIN !!DQ_Enforce_Help

			VALUENAME "Enforce"

			CLIENTEXT {3610eda5-77ef-11d2-8dc5-00c04fa31a66}

       	PART !!DQ_EnforceTip1                         TEXT

		END PART

END POLICY

The GUID that follows the CLIENTEXT keyword is the GUID of the client-side extension. The client-side extensions are listed in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions.

VALUEOFF/VALUEON

You use VALUEOFF/VALUEON to write specific values based on the state of the option. You enable this functionality by writing the .adm file as shown in the following examples:

KEYNAME ....

   POLICY !!MyPolicy

   VALUENAME ValueToBeChanged

   VALUEON "Turned On" VALUEOFF "Turned Off"

   END POLICY

or:

KEYNAME .... 

   POLICY !!MyPolicy

   VALUENAME ValueToBeChanged

   VALUEON 5 VALUEOFF 10

   END POLICY

Using simple policies and policies with the VALUEOFF/VALUEON statements

This section presents two examples that illustrate the difference between using the default policy states and specifying VALUEON/VALUOFF statements.

In this example, no explicit VALUEON / VALUEOFF statements are used. This means that the Administrative Templates will use the default behavior when the user changes the state of this policy.

POLICY !!EnableSlowLinkDetect
	EXPLAIN !!EnableSlowLinkDetect_Help
	KEYNAME "Software\Policies\Microsoft\Windows\System"
	VALUENAME "SlowLinkDetectEnabled"
END POLICY

The following table lists the default behavior.

The important thing to note is the Policy disabled state. The value is not written to the registry with the value of 0; instead it is explicitly deleted. This means a component reading the policy will not find it in the registry, and will fall back to using the default in the code. Essentially, having the policy in the disabled state is the same as having it in the dimmed state.

Example 2
In this example, the state values are explicitly defined, so the Administrative Templates will use these values when the user changes the policy.

POLICY !!EnableSlowLinkDetect
	EXPLAIN !!EnableSlowLinkDetect_Help
	KEYNAME "Software\Policies\Microsoft\Windows\System"
	VALUENAME "SlowLinkDetectEnabled"
	    VALUEON NUMERIC 1
	    VALUEOFF NUMERIC 0
END POLICY

The following table lists the behavior in this example.