
Thread: Unable to create ADM for specific registry entry (for AD DFS SiteCostedReferrals)

  1. #1
    wintelrob

    I'll try to keep this succinct. I took an existing ADM file, copied it to a new file, and edited it down to what I needed, which was just a single entry for the MACHINE section. It didn't work, so I reverted the specific code to what it had been, which was to modify an entry for NetMeeting. That worked when I imported it, so, one at a time, I started substituting in the desired entries. I changed to the desired text and description and that worked. I changed to the desired registry value "SiteCostedReferrals" and that worked. It failed when I entered the desired registry location "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs\Parameters".

    So, it seems like I cannot create an ADM file for setting this registry key. I have noticed, after going through several other pre-existing ADM files, that all of the registry keys referenced include the word "Policy", which seems to imply that you can't change *any* registry key.

    SYSTEM is under HKLM, so this should work. The result is that, after importing, there is nothing to configure and no entry listed.

    So, here are the contents of my ADM file, if this helps:

    #if version >= 3
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    CLASS USER ;;;;;;;;;;;;;;;;;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    CATEGORY !!ActiveDirectory
    CATEGORY !!DFS

    END CATEGORY ; DFS
    END CATEGORY ; ActiveDirectory

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    CLASS MACHINE ;;;;;;;;;;;;;;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    CATEGORY !!ActiveDirectory
    CATEGORY !!DFS

    POLICY !!DfsSiteCosting
    KEYNAME "SYSTEM\CurrentControlSet\Services\Dfs\Parameters"
    EXPLAIN !!DfsSiteCosting_Help

    ; SetSecurityLevel has no entry in the [strings] section as posted.
    PART !!SetSecurityLevel DROPDOWNLIST
    VALUENAME "SiteCostedReferrals"
    ITEMLIST
    NAME !!SiteCostingDefault VALUE NUMERIC 0
    NAME !!SiteCostingEnabled VALUE NUMERIC 1
    END ITEMLIST
    END PART
    END POLICY

    END CATEGORY ; DFS
    END CATEGORY ; Active Directory

    #endif

    [strings]

    GPOnly_Tip1="The DFS_Enable_SiteCosting.adm file you have loaded requires Group Policy"
    GPOnly_Tip2="in Windows 2000. You cannot use the System Policy Editor"
    GPOnly_Tip3="to display Windows 2000 Group Policy settings."
    GPOnly_Tip4=" "
    GPOnly_Tip5="Enabling or disabling this policy has no effect."
    GPOnly="Unsupported Administrative Templates"
    GPOnlyPolicy="DFS_Enable_SiteCosting.adm"


    ActiveDirectory="Active Directory"
    DFS="Distributed File Service"

    DfsSiteCosting="Site-costing for DFS referrals."
    DfsSiteCosting_Help="In a default AD installation, the Bridge All Site Links option is enabled, which turns on the ISTG. DFS needs the ISTG to use the cost of each site to determine the closest or best path for a referral. If the BASL option is unchecked, then the ISTG is not running and a DFS referral will yield a random list of DC's. This could also affect other services, possibly the netlogon and SYSVOL shares. Enabling this registry entry will allow DFS to use site costing to find the best path. Note that the DFS service will need to be restarted to take effect."
    SiteCostingDefault="Site-costing based on Bridge All Site Links setting"
    SiteCostingEnabled="Force use of site-costing for DFS regardless of Bridge All Site Links setting"


    ;; Strings used by online help

    ADM_TITLE="Group Policy settings for DFS site-costing in Windows 2003 Active Directory"
    USER="User Configuration"
    COMPUTER="Computer Configuration"
    COMPUTER_EXPLAIN="Contains settings that may only be used to configure Computers"
    USER_EXPLAIN="Contains settings that may only be used to configure Users"
    SUPPORTEDON="Requirements:"

  2. #2
    wintelrob

    Well, this system put a slash in front of every double-quote. If anyone tries to use this, they will have to change the \" to a " beforehand.

    -- Rob --

  3. #3
    wintelrob

    Well, I'll answer my own question in the event this is searchable on the Internet:

    Because I am doing a custom registry entry that is *not* in a policy branch, this particular setting gets treated as a "preference" and "tattoos" the registry so that, even if the policy is removed, the registry setting would remain in effect. This is the same thing that happens with security settings.

    So, the problem, in my case, was that I needed to change the view option to allow viewing the ADM settings. After getting into the Group Policy editor, and then right-clicking on the "Administrative Templates" container, there's a "View..." option, which leads to another option to "Filter". The option to UN-check is "Only show policy settings that can be fully managed".

    Apparently, you have to un-do this filter every time you go into the Policy Editor.

    (My understanding is that a "fully managed" policy is one where, if the GPO is removed, any settings in the GPO are undone. If the system is removed from the domain, like a laptop user would do, then the settings are set back to either the local policy or the default settings. The exception is the "preference" settings, like the Event Log file size or other security-related settings.)


    Rob Ingenthron
    IT Tech Lead
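
An added example, not part of the original posts: a Python check that reads an ADM template and reports which POLICY entries write outside the two policy registry branches (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies), which are the ones hidden by the "Only show policy settings that can be fully managed" filter and left behind when the GPO is removed. The ExampleManaged policy and its key are constructed for contrast, and a KEYNAME inside a PART is assumed to count toward its enclosing policy.

```python
import re

# Branches Group Policy cleans up when a GPO stops applying; a KEYNAME
# anywhere else is a preference that persists ("tattoos") after removal.
MANAGED_PREFIXES = ("software\\policies\\",
                    "software\\microsoft\\windows\\currentversion\\policies\\")

# Constructed sample: the MACHINE policy from the post plus a hypothetical managed one.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!DFS
  POLICY !!DfsSiteCosting
    KEYNAME "SYSTEM\CurrentControlSet\Services\Dfs\Parameters"
    PART !!SetSecurityLevel DROPDOWNLIST
      VALUENAME "SiteCostedReferrals"
    END PART
  END POLICY
  POLICY !!ExampleManaged
    KEYNAME "Software\Policies\Example\Dfs"
    VALUENAME "ExampleValue"
  END POLICY
END CATEGORY ; DFS
'''

# Keyword plus its first argument; trailing ';' comments are ignored.
LINE = re.compile(r'^\s*(CLASS|CATEGORY|POLICY|KEYNAME|END)\s+(?:"([^"]*)"|(\S+))', re.I)

def is_managed(keyname):
    return (keyname.strip("\\").lower() + "\\").startswith(MANAGED_PREFIXES)

def classify_policies(adm_text):
    """Return [(class, policy, [keynames], fully_managed)] per POLICY block."""
    results, cls, cat_keys, policy, keys = [], None, [], None, []
    for raw in adm_text.splitlines():
        if raw.strip().lower() == "[strings]":
            break                      # display strings only from here on
        m = LINE.match(raw)
        if not m:
            continue
        word = m.group(1).upper()
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        if word == "CLASS":
            cls = arg.upper()
        elif word == "CATEGORY":
            cat_keys.append(None)      # slot for a category-level KEYNAME
        elif word == "POLICY":
            policy, keys = arg.lstrip("!"), []
        elif word == "KEYNAME":
            if policy is not None:
                keys.append(arg)
            elif cat_keys:
                cat_keys[-1] = arg
        elif word == "END" and arg.upper() == "POLICY":
            keys = keys or [k for k in reversed(cat_keys) if k][:1]  # inherit from category
            results.append((cls, policy, keys, bool(keys) and all(map(is_managed, keys))))
            policy = None
        elif word == "END" and arg.upper() == "CATEGORY" and cat_keys:
            cat_keys.pop()
    return results
```
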
