Mark Minasi's Windows 2000/NT/XP Newsletter
Issue #28 November 2002

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. To change e-mail address, switch between HTML or text format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  Visit the Archives at http://www.minasi.com/archive.htm.  Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp.  Document copyright 2002 Mark Minasi.

What's Inside

  • News: 
    • TechMentor:  I'm Back... And Thanks!
    • XP Support Seminars: Philly, Kansas City, Honolulu, LA, DC and NY in 2003
    • Windows .NET 2003 Server Seminars in Tampa in November, Chicago, Houston, Honolulu and LA in 2003
    • Linux for Windows Administrators Is Here
    • Pick Up A Copy of our Windows 2000/.NET Audio Seminar and Software Quality Book 
  • Tech Section
    • Mark 3, Printers 0:  Three Rounds With The Ink-Stained Devils
    • Exploiting the Group Policy Editor And Creating Custom Policies
  • Conferences
  • Bring a Seminar to Your Site

News

Hello all --

Thanks for once again visiting a URL for the newsletter.  I hope after this newsletter to have all of the mailing list issues ironed out.  Some of you told me some amazing things about your company's spam filters -- apparently just the word "newsletter" has become an indication of spam and so the newsletter gets axed by the spam filter.  Others told me that "to unsubscribe" appears so often in spam that some spam filters torpedo the newsletter for that reason.  It'd be funny if it weren't so sad.  I'm thinking of renaming this to "Mark Minasi's Windows 2000/NT/XP/.NET Thingie," but that just doesn't have the right ring for some reason... seriously, when I return to e-mailing the entire newsletter, I'm thinking of also doing a separate text e-mail that says only something like "this month's issue is available at the Archives at such-and-such URL."  And if I get time, I'll finally get around to offering a third subscription option, the "just mail me a notice that there's a newsletter" option.

This issue, I've got just two tips, but they're big and I think you'll like them -- an article on troubleshooting some really nasty printing problems and another on using group policies even in a no-Active Directory world, as well as taking group policies further with three useful examples that show you how to create your own custom group policies.

I also have some really terrific news on the Techmentor conference -- I'm back! -- as well as the second edition of the Linux book, which is finally in print.

TechMentor:  I'm Back... And Thanks!

In the last newsletter I told you that 101 Communications had decided to drop me from their speaker list.  I reported that just to keep anyone from being surprised by my absence, but apparently many of you thought that was a bad idea and e-mailed 101 to share your feelings, and so they changed their minds.  The truth is that I think they were a bit ambivalent in the first place about not hiring me, as my relationship with the 101 management has been very good over the years and, as I said last time, they were making what they saw as an advantageous business decision rather than any sort of personal commentary on me or my abilities -- but the feelings that you expressed to them made the difference, and I cannot thank all of you enough for this very unexpected and kind gesture.  (I feel like William Shatner must have in 1968.<grin>)

In any case, I'll be keynoting their show on 8 April in New Orleans at the end of the day... but I'll be done with plenty of time after for us all to go find some great food in the French Quarter!  You can find out more about the rest of the program at www.techmentorevents.com/neworleans.

Again, many thanks, both to you readers and to the 101 management.

XP Support Seminars: Philly, Kansas City, Honolulu, DC, LA and NY in 2003

If your company is making the move from Wintendo (Win 9x), NT 4.0 or Windows 2000 Pro to XP Professional, then we've got the seminar for you!  "XP Professional for Support Professionals" shows your desktop support techies how to deploy, network, manage, support and troubleshoot XP Professional, in just two days.  This seminar is packed with demonstrations and a course guide filled with step by step procedures.  As always, I try my best to make explaining entertaining so come join us in 2003 in Philadelphia, Kansas City, Honolulu, LA, DC or New York.  Visit www.minasi.com/pubsems.htm for schedule specifics or www.minasi.com/xpsupport.htm for the course outline.

Or, if you just can't wait... contact us about bringing me to your site, where I can tailor the class to your company's needs.

Windows .NET 2003 Server Seminars in Chicago, Houston, Honolulu, DC and LA in 2003

Our very successful two-year run of our seminar on how to plan for, install, manage and troubleshoot Windows 2000 Server is over; we won't be running any more public 2000 Server seminars.

In February, we'll inaugurate a brand-new class on planning, installing, managing and troubleshooting Windows .NET 2003 Server!  Okay, I'm kidding a bit.  Yes, there will be a new seminar starting in February.  But it won't be an earth-shaking change from the Windows 2000 Server class simply because despite the drastic-sounding name change, Windows .NET 2003 Server isn't that different from Windows 2000 Server.  Not that there's nothing new to learn, not by any means.  But where Windows 2000 Server was a major change from NT 4.0, .NET Server is more of a "Windows 2000 Server version 1.1."  Many of the concepts will remain unchanged from the first course -- but naturally .NET Server adds some new goodies, and we'll cover them in the class.  But you'll still learn a lot... 2003 Server doesn't always change what Server can do, but it often changes how you make it do something.

Our first .NET Server class will be in Chicago in February, then we'll go to Houston, Honolulu, Los Angeles (downtown, at the Biltmore), and DC.  I hope you'll join me for a seminar that will fill your brain with knowledge and share a few laughs in the process.

NOTE that every attendee gets the Mastering Windows .NET 2003 Server book (once the book's finished).

Linux for Windows Administrators Is Here

A few years ago, I noticed that according to some IDG numbers, Novell and Unix usage were waning as a percentage of installed server software, while NT's share was growing.  But interestingly enough, NT wasn't the only server OS on the grow; Linux was also chewing up market share.  NT was ahead, but not by much.  That led me to want to learn more about Linux.  But I found two kinds of references on Linux.  The first assumed that I already knew some variant of Unix, and explained everything about Linux in Unix terms.  As Linux is a free variation of Unix, that was a simple job ... sort of like learning Italian if you already know Spanish.  But I "spoke" no Unix at all.  The second sort of tutorial material tended again to assume that I knew more than I did about Linux, and was difficult to read because it was heavily laced with anti-Microsoft rhetoric -- you know, the kind of text that spells "Windows" as "Windoze" and characterizes any user of any Microsoft product as an idiot.

I thought to myself, "what I really want is a book that explains Linux in NT terms.  Something that says 'NT stores user accounts in a file named SAM or Active Directory, Linux stores user accounts in a file called /etc/passwd or can alternatively centralize accounts in the following ways.'  Something that walks me through how Linux works, how to install it, how to perform basic maintenance tasks, and how to set up some useful servers."  And to keep the politics out of it.  I don't use NT or Linux because I have any strong personal opinions for or against Bill or Linus; I use them because I just want to get my job done.

But writing a book like that would involve getting up a pretty steep learning curve.  So I recruited a couple of Linux experts, Craig Hunt and Dan York, to help me through the tall grass.  That led to the book's first edition, Linux for Windows NT/2000 Administrators:  The Secret Decoder Ring.  It sold pretty well, but it also first appeared in early 2000.  Since then, a lot has changed.

For one, Linux got a new and far better kernel, version 2.4.  USB devices work, multiple processors scale better, and you can get decent performance out of multi-homed systems.  A service called Winbind lets you avoid re-creating user accounts on your Linux boxes, allowing them to log on using a Microsoft domain account.  The GUIs have matured; they still crash sometimes, yes, but not as often as before.

In 2000, I saw a lot of problems when trying to install Linux to a variety of machines.  In 2002, I saw that Linux setup programs had come a long way.  I also saw a lot of distributions fall by the wayside, and many of you wrote to tell me that you wanted to see the book focus on just one distribution -- RedHat.

This book is intended to say "hey, you understand Windows concepts but need to understand Linux? I'll explain Linux in Windows terms. No previous Unix experience required."  It focuses on RedHat 7.3 (8.0 wasn't out when I wrote the book, but it doesn't seem that different than 7.3), and updates all of the old book to bring it in line not only with RedHat, but also modern Linux distributions in general.  By focusing on RedHat, I could offer more step-by-step procedures than I could in the first book.

It also goes into detail on Winbind, a really neat new tool that you'll want to learn if you work in a Windows environment.  It covers making Orinoco wireless NICs work under Linux -- you'll find that Linux is still a bit difficult to make work on a wireless network, but not with the right wireless NICs.  You'll see how to set up no-CD installs, a real bonus now that Linux requires three CDs to install.

Of course the chapter on getting things done from the command line in Linux is updated and expanded.  The very popular Chapter 8, which includes step-by-step "cookbooks" for creating DNS, DHCP, Web, Telnet, FTP and Sendmail servers have been updated to the latest software.  Chapter 9, on Microsoft interoperability, updates the Samba information and includes the Winbind coverage that I mentioned before.

If you liked the first edition but want a copy that's better attuned to working with modern RedHat versions, or if you're a current Windows NT, 2000, XP or .NET administrator who'd like to find out what all the fuss is about Linux, then I think you'll find this the quickest path to Linux Enlightenment.  (And I don't mean the window manager named "Enlightenment."  And if you don't know what a window manager is, don't worry... that's explained too!)

Amazon has it for $35 at http://www.amazon.com/exec/obidos/tg/detail/-/0782141196/markminasi, Bookpool has it for $31 at http://www.bookpool.com/.x/3k34tijmkr/sm/0782141196 and Readme.Doc has it at http://www.readmedoc.com/bookdetails.asp?ISBN=0782141196 for $35. 

If you have an interest in Linux, I hope you'll consider adding this book to your library.

Pick Up A Copy of our Windows 2000/.NET Audio Seminar and Software Quality Book 

Want to attend the Server class but haven't the time or money?  $225 gets you the audio version of the seminar complete with over 10 hours of lecture accompanied by illustrative PowerPoints, all nicely cross-indexed for future reference.  Pick up a copy today at www.minasi.com/audiosales

Do computer bugs bug you?  Find out why they're so prevalent and what you can do about them by grabbing a copy of my 1999 McGraw-Hill book The Software Conspiracy:  Why Software Vendors Produce Faulty Products, How They Can Harm You, And What You Can Do About It.  It's just five bucks in e-book (PDF) format.  If you've read my other books then you know my technical writing -- but this book is aimed at both techies and non-techies.  The much-respected Kirkus Reviews said of that it was "A lucidly written, eminently practical guide to fighting back against the modern scourge of software 'bugs' ... An absorbing, easily understandable, and inspiring book..."  Get your copy at www.softwareconspiracy.com.

Tech Section

This issue, I do battle with printers... and win!  But that's just the opening event.  Ever wanted to create a custom group policy, but it looked like too much work?  You'll see step-by-step examples in the following article, on using group policies on a system whether or not it uses Active Directory.

Mark 3, Printers 0:  Three Rounds With The Ink-Stained Devils

I hate printers.  About the only thing that I hate more than printers is modems.

This past week, I had just the darnedest time with printers.  I installed two printers (an Epson 1280 PhotoPrinter and an EZCD Printer) and finally got around to fixing a really irritating thing that our LaserJet was doing -- it didn't delete documents from its queue after printing them.

Round 1:  The Epson 1280 PhotoPrinter

For the opening round, I installed an Epson 1280 PhotoPrinter.  This printer was a total wimp, and capitulated to my will in no time at all.  I just inserted the ink cartridges, plugged it in, attached it to my print server, loaded the drivers and it worked the first time. Pah!  What kind of challenge is that?

Seriously, I needed a new local inkjet as my personal printer and figured as long as I was going to do it, why not get a few more features?  The 1280 can print up to 11"x17" sheets, so I'll be able to mock up the odd brochure with it.  Its photo printing capabilities are wonderful, and the 1280 even ships with about a dozen 8.5"x11" sheets of their high-quality photo paper.  I've worked with photo printers before, but this printer produces stuff that is, at least to my eyes, simply indistinguishable from actual photos.  But I suspect that Epson wasn't just being nice guys in including a few high-quality paper sheets, any more than a drug dealer is when handing out free samples; I suspect that once I've used these sheets I'll be hooked and won't be able to resist lightening my wallet for a bunch more!  Still, it is considerably cheaper than getting 8x10's printed.  The 1280 also turns out simple text pages quickly and fairly quietly.  Overall, a very nice printer that is easy to set up and use.

Round 2:  JetDirect and Laserjet 1200 Tag Team!

After that little warmup, I thought I'd give a close look to a problem that we've had since we bought our Laserjet 1200N about six months ago:  documents go into the queue... but they never come out.

After printing a document with the 1200N, the document always stays in the queue.  So on those rare occasions when I reboot the server that it's attached to, the silly thing starts re-printing every single document.  Arrrgh!  We've worked around it by manually deleting every document once printed, but the whole thing was driving me crazy.  Unfortunately, I'd been too busy to figure it out -- the shoemaker's kids and all that -- until this week.

My first thought was that it was a security problem.  If the spool directory somehow got a set of ACLs on it that would let the print monitor write spool files to the directory, but not to delete them ... clever idea, Mark, but nope, nothing like that.  I even audited object access on the spool directory just so I could see if something tried to delete a spool file but failed.  So there I am in the ring, dancing with Laserboy, and whammo, a blow to the head... where did that come from, I didn't even see that printer swing? Curses.  I hate to lose...  But then I realized, he had a buddy in the ring with us -- the JetDirect card!

I stumbled across an Knowledge Base article (104817) that I had frankly ignored because it said that it referred only to NT 4 and earlier.  It had the answer.  It was the simplest thing.

In a Laserjet printer's Properties page, click the Advanced tab.  There is a check box "Enable advanced printing features."  Un-check it.  Apparently the printer is trying to have a chat with the server about whether or not things worked out okay.  But such a conversation only works if your printer is connected directly to the server with a USB or bidirectional parallel cable.  For some reason, printers talking to their servers over a JetDirect card can't offer bidirectional connections... so half of the conversation gets lost and the server never gets told to dump the documents.  The answer, again, is to un-check "Enable advanced printing features."  I don't think I even had to re-start the Print Spooler service.  Two against one's no fun... but I knocked the printer and the JetDirect's heads together, and they were out like a light.  They're out for the count.

Round 3:  EZCD Printer Locks Up The Spooler Service

Finally, I took on the champ.  I thought this would be the "easy" install of the day.  Little did I know that the George Foreman of printer installs awaited me.

I'm soon going to start offering 75-minute talks on CD.  It'll be just one module from a class or a separate talk, a stand-alone lecture on some aspect of 2000, XP or .NET.  The first will be ".NET:  Good Bet or Not Yet?," a quick introduction to what's good and bad about Windows .NET 2003 Server.  (The CD's not ready yet, but I'll put out an announcement when it is.)  I plan to sell the CDs for $30 with a PDF of the accompanying PowerPoints on the mixed-mode CD.  But I'd like to be able to put a nice logo on the disc instead of just writing something on the CD with a Sharpie, so I thought I'd buy a CD printer.

Casio's got a nice but very basic thermal transfer CD printer for about $150, but it really couldn't do much in the way of graphics, so I looked for an inexpensive ink-jet CD printer.  As it turns out, the market for those is pretty small.  In fact, there's only one vendor of CD printers under $1000:  ezcdprint.com.  I got the "EZCD Printer" for just under $400.

The printer appears to be a refurbished Epson C60 printer modified to accept a CD-ROM tray.  As the printer wasn't ever intended to print on CDs, there's no settings in the driver to tell it to print CDs.  But I'm getting ahead of myself...

I set up the printer with the ink cartridges and loaded the driver disc before attaching the USB cable.  At the end of the driver setup program, the driver tells you to plug the printer's USB or parallel cable in so that it can detect it.  This worked flawlessly on the Epson 1280, so I'd seen this particular "plug it in and I'll detect your Epson printer" dialog box before, and expected no trouble.  Unfortunately, the driver never did find the printer.  It then loaded a printer monitoring routine which also couldn't find the printer.

The printer takes paper in addition to CDs, so I fed it a sheet and tried to do a test print.  Opening up the Printers folder, I went to right-click the printer so I could do a test print.

That's when it sucker-punched me.

You see, my Printers folder was empty.

This is the Printers folder on the server that I hang several printers off of.  The server that normally knows about three other printing devices.  The server that everyone in the company attaches to in order to print.  That Printers folder.  Empty.  In the middle of a work day.  When we needed to print some invoices.  Yikes.

So I thought, okay, we'll do it your way, EZCD Printer.  I clicked "New Printer."  And that's when the news got worse:

Printer operation cannot continue due to lack of resources.  The print subsystem is unavailable.

So I restarted the Print Spooler service and the printers appeared... for a few moments.  The service then stopped.  Event Viewer wasn't much help:

The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Well, at least I felt better that it was unanimous:  that is, the termination was unexpected.  I even rebooted the server... no good news.  My next thought was, "I've got to get rid of that blasted Epson C60 driver."  The only problem was that I couldn't remove the driver unless I could get the Print Spooler to run for more than a millisecond or two.  Turning off the EZCD Printer did nothing.  No Print Spooler, no removing the EZCD driver that was making the Print Spooler crash.

Yarggh...here I'd thought I was in the ring with a ham-and-egger and I'm taking it on the chin!  I just about threw in the towel... when I remembered Regmon.  A free download at www.sysinternals.com, Regmon lets you track all of the Registry references.  I started Regmon and restarted the Print Spooler service, then watched the Spooler die again.  I stopped Regmon and looked at the log to see what Registry entries the system had been trying to get to... and that's when I found my opponent's Achilles' Heel.  He had a good right arm, but a glass jaw.  To see how I got my printers back, take a look in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers.  Printers typically install both a "monitor" in the first key, and a driver in the second.  Something about the EZCD Printer's Epson C60 driver was laying the Print Spooler out flat and yes, I had downloaded the latest C60 driver and monitor.

Fortunately, the Epson driver announced itself pretty clearly with a clearly-labeled folder (key) in the Registry, so it was simplicity itself to dump it.  Restarted the Print Spooler service... and everything came back!  With the immediate crisis over, I could contact tech support for EZCD Printer and when I eventually got to them, they told me that the problem was probably that there was more than one printer on the server.  Apparently EZCD's kind of a loner; he likes a place all to himself.  I understood, as I've seen that a lot... back in 1992.  But in 2002?  I don't think so.

As our assistant will be the person making the CDs, we thought we'd just attach it to her system, which had no other printers directly attached.  A re-install convinced the printer to work, even though the setup program for the driver never did find the printer.  It sort of works, although it's prone to just sucking up the CD and then spitting it out without printing anything on it.  It usually works on the second or third pass.  Not a TKO, but the judges gave it to me in a split decision.

We're still playing with the EZCD Printer, but I'm not certain that we won't send it back and just spend the extra $600 for the next level up.  I wish I could recommend it but cannot in good conscience.  So I'm the champ for now, but I suspect EZCD will want a rematch or two.  Watch this space for the eventual outcome.

Exploiting the Group Policy Editor And Creating Custom Policies

Have you got Windows 2000, XP or 2003 Server?  Then have you played with the Group Policy snap-in?  No?  Waiting for your Active Directory?  Bad.  You can use group policies even if you don't have an AD, as I'll remind you here.  And those of you who are using group policies, have you looked in Computer Configuration / Administrative Templates / System?  You should.

In some ways, policies, from Windows 95's System Policy editor to Windows .NET 2003 Server's Group Policy snap-in, are nothing more than easier-to-understand Registry controls, a kind of annotated Registry.  For example, consider the Registry setting ExpectedDialupDelay, a REG_DWORD that you can find in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters.  As I described in Mastering Windows NT Server 4.0, you can use this parameter to combat persistent "no domain controller found" errors.  When your workstation starts up in the morning, it casts about for a DC to log it on.  Your system will only wait about a minute for a DC to acknowledge it before your workstation just says the heck with it, no one's going to log me on, I give up.

Now, on a really busy network, assuming that a DC will respond to you within one minute is, well, optimistic.  So you can tell your Windows 2000 or later system to relax and wait a bit longer by going to the Registry and adding the ExpectedDialupDelay parameter, setting it to however many seconds you want your workstation to wait for a DC to respond.

I hope that's a useful tip, although that wasn't my aim in mentioning it.  Instead, I wanted to discuss how handy the Group Policy editor can be and to use that setting as an example.  Suppose you had a system that kept getting "no domain controller found" errors and you suspected that if you just told it to wait about 120 seconds then it would find its DC most of the time. So you remember that there's a Netlogon parameter that fixes this ... umm ... somewhere.  It's not much fun digging around for Registry entries -- what Web page did you last see it at? -- and here's where the group policy snap-in makes things easier.

Open the group policy snap-in on your workstation.  If you had an AD then you could make a group policy change that's system-wide, but (1) you might not have an AD and (2) you might want to make this change to just one system, so again let's just make the change on one workstation.  At that system, click Start/Run and fill in "gpedit.msc" to start the group policy snap-in.  Look in the Computer Configuration / Administrative Templates / System folder and you'll see a folder named "Net Logon."  Open it and you'll see "Expected dial-up delay on logon."  Double-click it and you'll see a "Setting" and an "Explain" tab.  Click "Setting" and you can choose "Enabled" and fill in a value; let's try out 120 and click OK.

What did you just do?  Open up Regedit and look in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters and you'll see that you modified the ExpectedDialupDelay parameter.  (And in case you're wondering, the "dialup" in the name doesn't mean anything; this works if you're logging on via the LAN as well.)  Which brings me back to my initial point -- the group policy editor is really just a more-useful Registry editor, complete with that very useful Explain tab.

While You're in GPEDIT...

If you've never been in Computer Configuration / Administrative Templates, take a minute and do so.  There are some really neat settings in there, things you might not have known you could do.  Here are a few examples:

  • Windows Components / Terminal Services (on XP) controls a ton of remote desktop and remote assistance things.
  • Look down in the User Configuration / Administrative Templates / Windows Components / Internet Explorer and you'll see how you can customize anything in IE, including getting rid of the annoying "branding" that vendors do to IE.
  • Back on the Computer Configuration side, you can kill off Microsoft Messenger and tweak Media Player.
  • In the System folder, you'll see folders offering some useful options for user profiles, settings about how to apply group policies, and Windows Time settings, among others.
  • Look right in the System folder and you'll see "Display Shutdown Event Tracker," which is that irritating screen that pops up whenever you want to shut down a Windows .NET 2003 Server system, asking "why are you shutting me down?"  You can also select verbose logon/logoff messages, which puts more information on the "Now logging on" window that appears at logon and the corresponding one at logoff.

Again, a set of interesting Registry tweaks that come with explanations because you're using gpedit.msc to modify them.

Making GPEDIT.MSC Able To Modify Any Registry Setting

If you think that this is pretty neat, then you'll probably be disappointed to learn that not every Registry setting is in gpedit.msc.  But that's easily fixed, as you can extend gpedit.msc's abilities by creating a custom policy template.  It's not terribly hard, once you've seen an example or two -- so I'll show you three.

Unlike NT 4's system policies, not all group policies directly correspond to a Registry entry.  As far as I can see, the group policies that do correspond to Registry entries all live in Administrative Templates, and you've probably noticed by now that there are two Administrative Templates folders -- one in Computer Configuration and one in User Configuration.  On a basic XP system (2000 Pro will look very similar), I have folders inside Administrative Templates called Windows Components, System, Network, Printers, Start Menu and Taskbar, Desktop, Control Panel, and Shared Folders.  (Some of those are under Computer Configuration, some under User Configuration.)  All of those folders, and the things inside of them, are all created by a set of ASCII text files called "administrative templates."  (Strange coincidence, eh?)  They're all in in \winnt\inf or \windows\inf and you can identify them by their extension -- .ADM.  There are ten of them in my system but by default, my XP box loads four of them: conf.adm, inetres.adm, system.adm and wmplayer.adm.  You can look at them in Notepad; again, they're just standard ASCII text files, but they can be a bit overwhelming-looking.  We're going to build a template of our own that lets us control three basic things:

  • Our first policy will enable or disable the special ctrl-scroll lock-scroll lock setting that forces a blue screen.  (I explained this in issue #6.)   It's an example of an on/off Registry setting.
  • Our second policy will let us give Windows 2000 or XP a command to execute whenever we open a command prompt, like an "autoexec.bat" for every command prompt window. (I explained this in issue #27.)  It's an example of a Registry setting that uses text, as in a REG_SZ setting.
  • Our third policy lets us control the level of logging that Windows (2000 or XP) will do about group policies themselves; we'll see how to tell Windows to create a log file that details just what your computer did when it loaded your policies and your profile.  It's an example of a REG_DWORD setting that can take a range of numeric values.

Please understand that there are more than these three kinds of data in Registry settings, but I didn't want to make this into a whole new book!  You can read more about custom templates both in Mastering Windows 2000 Server or Jeremy Moskowitz's Intellimirror and Group Policies book.

Forcing a Blue Screen

You can force 2000 or XP to blue screen by navigating to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\i8042prt\Parameters and adding a new value entry named CrashOnCtrlScroll of type REG_DWORD, which you set to 1.  Then if your system locks up and you need a memory dump to analyze it you can press the Ctrl key on the right side of the keyboard, followed by Scroll Lock twice.  (Hold down the Ctrl key.)  Quick now, how many of you will remember that?  Not many, eh?  That's why we're going to create a template so that gpedit.msc becomes our easy interface to neat Registry tweaks.  Open up Notepad and type (or cut and paste) this:

CLASS MACHINE
CATEGORY "My Fixes"
POLICY "Enable blue screen key"
  SUPPORTED "Win2K and later"
  KEYNAME "SYSTEM\CurrentControlSet\Services\i8042prt\Parameters"
  VALUENAME "CrashOnCtrlScroll"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  EXPLAIN !!BSKEY_HELP 
END POLICY
END CATEGORY
[strings]
BSKEY_HELP="If enabled, this lets you force a blue screen at any time by holding down the Ctrl key on the right-hand side of the keyboard, then Scroll Lock twice."

Please note that while it's likely that your browser broke the last line, the one that starts "BSKEY_HELP=," into two lines, it's actually one lone line.  In Notepad, turn off Word Wrap and ensure that it's all one line, from BSKEY_HELP to the last quote mark.  Also an important note:

NOTE that the SUPPORTS statement only works on XP and later.  If you are running 2000 then do not include the SUPPORTS command!

Once you've got this in Notepad, save it in either \winnt\inf or \windows\inf (2000 and upgraded copies of XP use \winnt, fresh installs of XP use \windows) as bsonly.adm.  Make absolutely sure that you save it as bsonly.adm, not bsonly.adm.txt.  I'll explain how this template works in detail in a minute, but for now let's take it out for a spin.  Back in the group policy snap-in, right-click Administrative Templates and choose Add/Remove Templates...,  and select bsonly.adm.

Under Administrative Templates, you will now see a new folder:  My Fixes.  But you won't see anything inside that folder.  Why not?  Because there are preferences and there are policies.

Preferences Versus Policies

You probably know that one of the great things about group policies is that when you set a group policy then something happens, but when you remove the group policy then the effects of the group policy are un-done.  Any changes to the Registry get rolled back automatically when you set a group policy item to "not configured." NT 4's system policies didn't do that -- setting something to "not configured" didn't roll it back to the out-of-the-box setting, it just didn't change it any further. Microsoft refers to NT 4's policy behavior by saying that NT 4's system policies "tattooed" the Registry.  Group policies don't do that, or at least they're not supposed to -- setting something to "not configured" restores it to whatever state it was in before you started messing with the group policy on that item.

Sounds neat, right?  Too bad it doesn't always work.

You see, this "magic rollback" of Registry settings only works if the Registry setting is in HKEY_LOCAL_MACHINE\Software\Policies or HKEY_CURRENT_USER\Software\Policies.  Any group policy that affects any other Registry setting doesn't get the magic rollback.  Such a policy is not called a "policy" but instead a "preference."  That doesn't mean that you can't create group policies to control them.  Instead, it just means that if a you do create a policy that controls a Registry entry other than the ones in \Software\Policies then any changes are permanent -- choose "not configured" and it stays in whatever state you've changed it to.  Thus, suppose you had a Registry entry with two settings, 0 and 1.  Suppose also that 0 means "disabled," 1 means "enabled," and it comes out of the box as 0.  You write a custom policy that lets you set it to 1, and you enable that policy.  It's now 1.  Then you go back and set the policy not to "enabled" or "disabled" but "not configured."  If it were a Registry entry in \Software\Policies, then it'd magically return to the out-of-the-box state, 0.  But if it's a Registry entry from somewhere else, then setting "not configured" just says, "whatever you're set to, just stay that way, I don't care."  So in that case if you wanted to truly set the item back to a value of 0, then you'd explicitly choose not "not configured," but "disabled."

We have just created a policy that changes a Registry key not in \Software\Policies, so it's not "magic."  By default, gpedit.msc does not show policies that modify keys other than the \Software\Policies keys; such policies are called "unmanaged" policies by Microsoft, which is probably why they don't show them to you.  You can change that behavior, though.  Right-click Administrative Templates and choose View, then Filtering.  You may not get "View" as an option the first time; if so, just left-click it once, then right click it.  When you choose Filtering, you'll get a dialog box that lets you restrict what gpedit.msc shows you.  Un-check the box that says "Only show policy settings that can be fully managed."  Now look in My Fixes, and you'll see a policy called "Enable blue screen key."  You'll notice that its icon has a red dot next to it -- that means that the policy doesn't automatically un-do itself.  Policies that do un-do themselves -- "manageable" policies, in Microsoft's words -- have a blue dot to the right of them.  To use the other Microsoft phrase, the red dot things are "preferences," the blue dot things are "policies."  (Forgive me if I continue to call them all "policies," it's easier to keep track of.)

Double-click your new policy and you'll see a policy page just like the ones you've seen before.  Click "Explain" and you'll see the long explanatory line in the BSKEY_Help text.  Click "Setting" and you'll see that you've got three settings -- Not Configured, Enabled and Disabled.  On the bottom of the page, you'll see "Supported on: Win2K and later."

Let's try it out.  Click the "Enabled" radio button and then OK.  That sets the new policy. Let's then force the system to refresh the policies.  If you're running XP, then open a command line and type

gpupdate /force

If it asks you permission to reboot or log off, just answer "n" and press enter.  If you're running Windows 2000, open a command line and type

secedit /refreshpolicy machine_policy

You can try it out in one of two ways.  First, you could blue screen your system (please save anything before you do -- this is a real, honest-to-God blue screen) by holding down the Ctrl key on the right-hand side of your keyboard and, while still holding down Ctrl, press the Scroll Lock key, release it, and then press Scroll Lock a second time.

If that sounds a bit drastic, then you could just poke around in the Registry to see if your change got made.  You can do this from the command line like so:

reg query HKLM\System\CurrentControlSet\Services\i8042prt\parameters

Or just open up Regedit and navigate over to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\parameters. Either will let you verify that there is indeed a value entry called "CrashOnCtrlScroll" and that it's set to 1.

Understanding the Template

Now let's return to that template and see how it worked.  Here it is and again I've broken the last line so that your browser doesn't get really wide:

CLASS MACHINE
CATEGORY "My Fixes"
POLICY "Enable blue screen key"
  SUPPORTED "Win2K and later"
  KEYNAME "SYSTEM\CurrentControlSet\Services\i8042prt\Parameters"
  VALUENAME "CrashOnCtrlScroll"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  EXPLAIN !!BSKEY_HELP 
END POLICY
END CATEGORY
[strings]
BSKEY_HELP="If enabled, this lets you force a blue screen at any time by holding down the
Ctrl key on the right-hand side of the keyboard, then Scroll Lock twice."

The first line, CLASS MACHINE, says that this is a setting that goes in HKEY_LOCAL_MACHINE, rather than HKEY_CURRENT_USER.  I've never tried to create a policy that affects any of the other Registry subtrees, so I don't know how you'd do that or if it's possible at all.

The second line, CATEGORY "My Fixes," gives the folder a name.  That's why you have a folder in gpedit.msc called "My Fixes."  Note the line towards the end that says "END CATEGORY."  You can, as you'll see, have any number of policies/preferences within a folder.  If for some reason I wanted to separate my policies into folders, I'd just surround them with a CATEGORY and END CATEGORY statement.  CATEGORY and END CATEGORY act like left and right parentheses to define which statements fit in that category.

Next you'll see POLICY "Enable blue screen key" and, down towards the end of the text, its partner, END POLICY.  Like CATEGORY and END CATEGORY, these bracket the meat of the policy or preference, like left and right parentheses.  The text "Enable blue screen key" is then the name of the policy, and you noticed that gpedit.msc showed that text when offering the policy.  Notice that I have indented the lines between POLICY and END POLICY.  You do not need to do this; it just makes for easier reading.

The first line in our policy is a "SUPPORTED" statement.  This is just a text string the tells gpedit.msc's user which versions of the operating system this command is supported on.  This text is for gpedit.msc's user, not the computer -- the computer will gleefully try to apply a policy that doesn't make sense to a computer.  The gpedit.msc user -- the administrator, that is -- is responsible for making sure that he or she doesn't apply meaningless or incorrect settings, as might be the case if you were to apply a new XP policy to a Windows 2000 Pro desktop.  In most cases it won't harm the 2000 Pro desktop, but in theory it might so, again, it's a good idea to use SUPPORTED as a reminder.

KEYNAME and VALUENAME are very important.  As their name suggests, KEYNAME tells gpedit.msc where the desired Registry key is, and VALUENAME tells gpedit.msc the value entry's name.  Notice that the key name seems incomplete -- SYSTEM\CurrentControlSet\Services\i8042prt\Parameters instead of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters.  Remember CLASS MACHINE?  That tells gpedit.msc that any Registry keys referred to are in HKEY_LOCAL_MACHINE.  You could alternatively use the statement CLASS USER before any set of policies, and gpedit.msc would then interpret any key names as being inside HKEY_CURRENT_USER.

Now, CrashOnCtrlScroll is a REG_DWORD, which means that it's got enough space to take any integer value from 0 to about four billion, so we could have just said "OK, Mr. Administrator, I hope you're smart enough to know that there are only two valid values -- 0 to disable and 1 to enable, and any of the other four billion values won't have predictable results."  But because so many Registry keys are like CrashOnCtrlScroll in that they use just two values to enable or disable a setting, Microsoft provided a way to simplify things for the administrator.  Instead of having to know which setting turns a value on or off, we get to pre-define those values.  Then the admin just has to click the Enable or Disable radio button, and gpedit.msc knows which value to stuff into the value entry to get the desired result.  But for that to happen, we've got to tell gpedit.msc which is "enable" and which is "disable."  We do that with this pair of commands:

VALUEON NUMERIC 1
VALUEOFF NUMERIC 0

These just say that to enable the setting, use a numeric value (rather than a TEXT value) of 1, and to use a numeric 0 to disable the setting.  

Next is the EXPLAIN !!BSKEY_HELP line.  This just specifies the Help text on the Explain tab.  Now, I could have written it as

EXPLAIN "If enabled, this lets you...<rest of the line>"

But I'd have ended up with a pretty long line.  That's where the !!BSKEY_HELP comes in.  Any time you use !! followed by a name in a template, that tells gpedit.msc that you're referring to a string variable.  The string variables are then stored at the end of the template, in a section called [strings].  I could have, if I'd wanted to, replaced any of the text in quotes with a string variable.  For example, the POLICY line could have been

POLICY !!BSKEY

So long as I had a string down in the bottom of the template in the [strings] section that said

BSKEY="Enable blue screen key"

When would you embed a string right inside a policy, and when would you use a string variable?  It's a matter of taste.  If it's a string that you'll use over and over again, like the ones in the SUPPORTED line -- you'll only see "Works on Windows 2000 and later" or "Works on XP only" -- then you might get tired of typing that over and over again, so you might define a variable !!2K for "Works on Windows 2000 and later" and !!XP for "Works on XP only."  Or you might want to use the [strings] section to separate out the text strings so that it's easy to translate them from English to some other language.

Controlling A Command Prompt:  Using REG_SZ

With our first policy, I showed you how to create a template for an on/off Registry setting.  Now let's build one that takes any text as a possibility, a REG_SZ type entry.  Recall from the last newsletter that there's a key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor that accepts a value AutoRun that you can fill with commands to execute every time that you open a command prompt.  I suggested that putting "cd \" into AutoRun would avoid that irritating "c:\documents and settings" nonsense and instead just make the prompt "c:\." Instead of having to remember where that Registry setting is, here's a template that includes a policy to set the startup commands for a new command prompt window:

CLASS MACHINE
CATEGORY "My Fixes"
POLICY "Enable blue screen key"
SUPPORTED "Win2K and later"
KEYNAME "SYSTEM\CurrentControlSet\Services\i8042prt\Parameters"
VALUENAME "CrashOnCtrlScroll"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
EXPLAIN !!BSKEY_HELP
END POLICY

POLICY "Automatic commands for command prompt window"
SUPPORTED "Windows XP and later"
KEYNAME "Software\Microsoft\Command Processor" 
EXPLAIN !!CPSetting_HELP
PART "Enter command to run when command prompt opens." EDITTEXT REQUIRED
VALUENAME "AutoRun"
END PART
END POLICY


END CATEGORY
[strings]
BSKEY_HELP="If enabled, this lets you force a blue screen at any time by holding down the Ctrl key on the right-hand side of the keyboard, then Scroll Lock twice."
CPSetting_HELP="This defines a command, like an AUTOEXEC.BAT, that gets executed whenever you open a command prompt. You could, for example, just enter 'cd \' and your command windows would then start out in the root of C:\ instead of inside the profile directory."

Here, I've taken our bsonly.adm file and added a new POLICY/END POLICY section, as well as a new string.  As before, any strings that are broken across a line should not be typed that way -- each string is one long line.  The new policy looks like the previous policy, except for a few lines:

PART "Enter command to run when command prompt opens." EDITTEXT REQUIRED
VALUENAME "AutoRun"
END PART

Here, gpedit.msc wants us to define the value entry's name inside a new kind of construct, a "PART" construct.  Modify your bsonly.adm file, resave it, close and re-open gpedit.msc and look in My Fixes (you'll probably have to tell gpedit.msc one more time that you want to see the "unmanageable" settings) and you'll see the new policy.  Try it out and you'll see that you get a field that you can use to enter any value.  In my example, I'd just enter "cd \" and close the policy's page.  As before, use gpupdate or secedit to force a policy refresh and then try opening up a command prompt -- you'll see it go to C:\> instead of somewhere in the profile directory.

Creating Policies With Freeform Numeric Entries

Finally, let's create a policy that modifies a Registry entry that is a REG_DWORD, but that might take any of a number of values.  For this, let's use UserEnvDebugLevel, a REG_DWORD setting that goes in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.  Userenv is the name of a DLL that does most of the work in processing both policies and profiles.  It will, if asked, create a log called \windows\debug\UserMode\userenv.log or \winnt\debug\UserMode\userenv.log.  It'll do several levels of reports.

  • 0 says "no logging."
  • 1 says "log problems with group policies."
  • 2 says to do "verbose logging." 
  • 65536 says to do "basic debug output"
  • 131072 says to offer "verbose debug output"
  • 196610 just says to dump everything

There are other options; I'm simplifying here.  In any case, we want a group policy item that lets us punch in any number that we want.  The following template adds UserEnvDebugLevel:

CLASS MACHINE
CATEGORY "My Fixes"
POLICY "Enable blue screen key"
SUPPORTED "Win2K and later"
KEYNAME "SYSTEM\CurrentControlSet\Services\i8042prt\Parameters"
VALUENAME "CrashOnCtrlScroll"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
EXPLAIN !!BSKEY_HELP
END POLICY

POLICY "Automatic commands for command prompt window"
SUPPORTED "Windows XP and later"
KEYNAME "Software\Microsoft\Command Processor" 
EXPLAIN !!CPSetting_HELP
PART "Enter command to run when command prompt opens." EDITTEXT REQUIRED
VALUENAME "AutoRun"
END PART
END POLICY

POLICY "Control UserenvDebugLevel Logging"
SUPPORTED "Win2K and later"
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PART "Logging code" NUMERIC REQUIRED
VALUENAME "UserEnvDebugLevel"
MIN 0 MAX 196610 DEFAULT 0
END PART
EXPLAIN !!USERENV_HELP
END POLICY


END CATEGORY
[strings]
BSKEY_HELP="If enabled, this lets you force a blue screen at any time by holding down the Ctrl key on the right-hand side of the keyboard, then Scroll Lock twice."
CPSetting_HELP="This defines a command, like an AUTOEXEC.BAT, that gets executed whenever you open a command prompt. You could, for example, just enter 'cd \' and your command windows would then start out in the root of C:\ instead of inside the profile directory."
USERENV_HELP="This controls logging of profile and policy actions. Set this to 196610 decimal and reboot the system, then look in Windows\Debug\UserMode\userenv.log. Good debugging info in there. Or set to 0 to disable, 1 for 'normal,' 2 for 'verbose,' 65536 for 'logfile' (that is, VERY verbose), or 131072 for 'debug' (really REALLY verbose). You can add the values for different combinations, which is where 196610 came from -- it's 131072+65536+2"

Again, the only really new thing is the PART/END PART construct:

PART "Logging code" NUMERIC REQUIRED
VALUENAME "UserEnvDebugLevel"
MIN 0 MAX 196610 DEFAULT 0
END PART

Notice that the PART statement alerts gpedit.msc that this is a numeric value.  The MIN, MAX and DEFAULT let you set limits and a default value.  This setting won't take effect until you reboot, so if you want to try it out then you'll need to reboot.

Further Study

There are plenty of other things that you can do with policy templates -- drop-down list boxes, multi-part pages, and so on -- but I meant here only to give you a few examples.  Microsoft documents the template "language" in the Resource Kit or, better, you can learn a lot by looking at the INF files in \winnt\inf or \windows\inf.

Conferences

I hope you'll join me for a seminar but if you can't attend a class then please consider attending another show:

TechMentor New Orleans April 8-12

A terrific show, headed for a great location.  Great sessions and even better speakers make this real deal.  Industry experts like Bill Boswell, Roberta Bragg, Brian Komar and Jeremy Moskowitz (to name but a few) make this a reliably information-packed event.  Even better, it's located this April in the Wonderful Food Capital of America, New Orleans.  Or, if you're just coming to work, work, work, then you'll like the fact that you can take Microsoft certification tests at half price.  Info at www.techmentorevents.com/neworleans.

I will be keynoting with my new talk "The .NET Report Card."  .NET will be on the eve of shipping so it'll be very timely.  If you can make it then I surely hope to see you there!

Bring Mark to your site to teach

I'm keeping busy doing Windows .NET Server seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2000 and/or .NET techies.  To join the large educational, pharmaceutical, agricultural, aerospace, banking, government, transportation, and other organizations that I've assisted, either take a peek at the course outline at www.minasi.com/w2koutln.htm, mail our assistant at Assistant@Minasi.com, or call her at (757) 426-1431 (only between 9-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month.  The holidays are soon upon us, but after New Year's I'm hoping that the economy will finally get back on track.   

Please share this newsletter; I'd like very much to expand this newsletter into a useful source of NT/2000/.NET Server/XP information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 21,000 subscribers and I hope to use this to get information to every single Mastering XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care -- the economy's coming back soon, I'm sure of it!  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum

To subscribe, visit http://www.minasi.com/nwsreg.asp. To change e-mail, format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.asp. Visit the Archives at http://www.minasi.com/archive.htm. Please do NOT reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2002 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.