15.2 Computer/User Extensible Policies (Workstation/User Packages)

For any Windows-compatible software program, an extensible policy allows you to control any application function that is configured in the Windows registry. Desktop Management lets you easily customize and deploy extensible policies across your network to accommodate your specific business practices.

NOTE:Computer Extensible policies are contained in the Workstation Package; User Extensible policies are contained in the User Package. The information in this section applies to both packages; however, there are differences between the two packages. When you set Computer Extensible policies in the Workstation Package, the policies apply to all users who log in to an associated workstation. When you set User Extensible policies in the User Package, the policies apply to all associated users regardless of the workstation they use.

The following sections contain additional information:

15.2.1 Understanding Extensible Policies

Desktop Management leverages Microsoft desktop enhancements by doing the following to provide extensible policies that are enabled in the directory:

  • Moving the policy editor functionality into the directory

  • Moving Windows registry information for applications into the directory

  • Enabling the directory to point to extensible policy files

Review the following sections for more information:

How Extensible Policies Work

When you install a software application that is compatible with Windows, the application's installation program uses the Microsoft policy editor (poledit.exe) to read the application's .adm file and create a .pol file that updates the workstation’s Windows registry. However, when you install an application on a workstation under the umbrella of Desktop Management, the Desktop Management policy editor (wmpolsnp.exe) is used to read the .adm file and make the necessary changes to the workstation’s Windows registry.

The Microsoft policy editor lets you make changes to the policies created by the .adm files, but only per workstation. If an application is installed using the Application Management component of Desktop Management, the Desktop Management policy editor ensures that the application’s directory-enabled policies are automatically applied across the network, rather than manually to one workstation at a time.

Extensible policies are not supported on Windows XP. You should use Windows Group policies to configure policies for Windows XP systems. Additionally, we recommend that you use Windows Group policies instead of extensible policies for Windows 2000 or newer. You should continue using extensible policies for the Windows 9.x/NT platforms.

Extensible policies are not cumulative. Unless specified differently in a Search policy, when Desktop Management starts searching for an object's associated policy packages, it starts at the object and works its way up the tree. Because extensible policies are not cumulative, Desktop Management walks the tree until it finds the first effective policy for the object and applies that policy's settings.

.Adm Files

Files with the .adm extension provide customizable attributes for users and workstations. You can add existing .adm files and configure their settings to create extensible policies. Depending on whether you are configuring User Extensible policies or Computer Extensible policies, the attributes you can customize will vary.

The .adm files are static templates for creating policies in the ZENworks database. When you edit a policy in Desktop Management, the changes are made in the database rather than in the .adm file. Even so, you should not delete an .adm file from a directory after it has been used in Desktop Management because it is needed to undo registry changes if you should remove the policy from Desktop Management.

When you have .adm files that you want to use, you should place them in a location where you can easily browse for them. You should save them on a server, because after the .adm file has been used to create a policy, it is not needed again until you modify the policy.

Because Desktop Management automatically displays any policies listed in the following location when you view an Extensible Policies page, we recommend that you use it:

sys:\public\mgmt\consoleone\1.2\bin\zen\adm files

This is the default location where .adm files shipped with Desktop Management are placed if you run ConsoleOne from the server. If you run ConsoleOne from a workstation, .adm files are placed in the consoleone\1.2\bin\zen directory on the workstation.

15.2.2 Configuring Extensible Policies

The Computer Extensible/User Extensible policies are not found on the General or Windows XP platform pages.

To set up the Computer Extensible or User Extensible policies:

  1. In ConsoleOne, right-click the User Package or the Workstation Package, click Properties, then click the appropriate platform page.

    For more information about Desktop Management support for the Windows NT platform, see Interoperability with Windows NT 4 Workstations in the Novell ZENworks 7 Desktop Management Installation Guide.

  2. Select the check box under the Enabled column for the Computer Extensible or User Extensible policies.

    This both selects and enables the policy.

  3. Click Properties to display the User Extensible/Computer Extensible Policies page.

    The User Extensible Policies page.

    The User Extensible/Computer Extensible Policies page is divided into three areas.

    • ADM Files: The ADM Files list box displays, by default, the four .adm files that are automatically pulled into ConsoleOne by the Desktop Management plug-in: admin.adm, common.adm, winnt.adm, and zakwinnt.adm. You can use the Add button to add .adm files for applications that you have installed using ZENworks Application Management to the list. You can use the Remove button to remove .adm files from the list. Do not manually delete an .adm file from its directory without first removing it in ConsoleOne from the ADM Files list. If you first delete the .adm file from the directory, registry changes that enable the policy are still in effect.

    • Policies: When you select an .adm file in the ADM Files list box, its registry contents are displayed in the Policies list box. You can expand and traverse the policy tree to enable or disable each policy attribute.

    • Settings: The policy-specific Settings box at the bottom right of the page displays other attribute options with check boxes that can be enabled or disabled. It can also provide fields for information entry or drop-down lists for selecting attribute options.

  4. To edit the properties of a policy, click the policy in the ADM Files box, then browse and edit the policy settings in the Policies and Settings list boxes.

    The check box states are as follows:

    Check Box

    State

    Description

    Enabled

    The attribute is enabled in the client. Any values you enter for it are applied.

    Disabled

    The attribute is disabled in the client.

    or

    Ignored

    The attribute is ignored (not changed in the client). If the attribute is already enabled in the client, it remains enabled. If it is already disabled in the client, it remains disabled.

  5. (Optional) Select the Always Update Extensible Policies on eDirectory Authentication check box if you want extensible policies to be pushed when the user or workstation is authenticated.

  6. Repeat Step 4 and Step 5 for each extensible policy to be added.

  7. Click the Policy Schedule tab.

    The User Extensible Policies' Policy Schedule page.

    When you create an extensible policy, you must schedule it to run before it can take effect. Some hard-coded policies are run explicitly at login. Such policies are not scheduled.

  8. Select a schedule type:

    • Package Schedule
    • Event
    • Daily
    • Weekly
    • Monthly
    • Yearly

    Click the Help button on the Schedule tab for more information about each schedule.

    For a Windows 98 User Extensible policy, even if you select User Login on the Policy Schedule page, the Color Scheme settings are not applied until the user logs out. When the user logs in again, the settings are correct. However, if you first create a user profile on the workstation under Control Panel > Users, the settings are applied when the user logs in the first time.

  9. Click Apply.

    Until you click Apply, policy changes are kept in a temporary location. Because of this, if two .adm files have the same check box item attribute (the same Windows registry entry), a change made in one .adm file is seen in the other.

  10. Repeat Step 1 through Step 9 for each platform where you want to set a User Extensible/Computer Extensible policy.

  11. When you have finished configuring all of the policies for this package, continue with the steps under Section 15.13, Associating the User or Workstation Package to associate the policy package.