Documentation for the EZ GPO Power Management tool for Network Administrators
EZ_GPO is a tool for network administrators who manage Windows client workstations using Group Policy Objects under Active Directory, Novell NDS/Zenworks or any other client registry management system. It gives network administrators centralized control over the user's power management settings. Because of the design of Microsoft's implementation of power management, this is not possible using normal techniques.
Although implementing MPM through GPOs should be straightforward, since MPM uses the registry to store settings, the reality is far different. Using Microsoft's native GPO feature in Active Directory to manage power management directly is not possible, because there is a limitation in the Administrative Templates meta language (ADM) used to create the interface for custom Group Policies. Only two types of keys can be changed through the ADM interface to the GPO tree: single value strings and dword (integer) values. Binary keys are the storage of choice for power management settings, and this limitation is one reason why an interface for handling power management settings is not provided. Additionally, changing this binary key using the same copy for each computer on the network will cause problems on heterogeneous networks with multiple Windows versions, as the binary strings used to store the power management settings are OS and machine dependent. This is despite being housed in the user portion of the registry and therefore being user based.
It is with this knowledge that EZ GPO was created to help administrators work around this in the most unobtrusive manner possible. EZ GPO is available for download at (http://www.terranovum.com/projects/energystar/) and is open source under a BSD style license.
The way it works is that a small client install of a single binary application is executed from the startup group in the "Start Menu". It reads the desired PM settings, which are set using GPOs in integer and string value format, and then, using Microsoft's core API, makes the appropriate changes to the PM settings, which are available immediately thereafter. There is no threat of a race condition (i.e., the binary executing before the policies are set), since GPOs are applied immediately after authentication whilst the startup group executes well after user services have initialized and are running. It is even possible to execute the client application using an entry in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key, thereby centrally controlling execution of the application. Theoretically it is possible to skip the client install altogether by then executing the client application from a network share, but that is not recommended, nor has it been tested.
Install the ADM GPO template located at GPO/EZ_GPO.adm by opening the "Active Directory Users and Computers" MMC located in Administrative Tools. Right click on the domain you want to manage and click Properties. Click the "Group Policy" tab and highlight the "Default Domain Policy". Click Edit and a new MMC will come up with two subheadings, "Computer" and "User". Expand the "User" hive and then under that expand the "Administrative Templates" hive. Right click on that hive and click "Add/Remove Templates". Click Add and navigate to where you unzipped/installed the EZ_GPO tool. The ADM file is under the GPO directory. Highlight the file and click Open. This will load the ADM template under the "Administrative Templates" hive under the name "EZ GPO by the Environmental Protection Agency". You will have three group policies to work with.
Installing the binary (GPO/bin/EZ_GPO_Tool.exe) is straightforward and leaves a great deal of latitude for the administrator. The easiest option is to install it in the "All Users" startup folder in "Documents and Settings" so each user executes it upon log in. It is even possible to execute the client application using an entry in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key, thereby centrally controlling execution of the application. Theoretically it is possible to skip the client install altogether by then executing the client application from a network share, but that is not recommended, nor has it been tested.
There is an MSI file in a folder named MSI. It installs just the file EZ_GPO_Tool.exe and nothing else.
NB: This assumes a Windows install with "Documents and Settings" on the "C" drive and an "All Users" shared directory. If you install this on a machine that does not match this configuration then you will experience problems.
To upgrade, first remove the ADM file from the list of available ADM templates in the user portion of the GPO and then apply the changes. Then add in the new updated ADM file. It should pick up your old settings but still pick up the new version numbers. Update the binary install according to your normal procedures.
The first group policy is the "Base Options" GPO. This is where mandatory configuration information is stored. The GPO Tool will not run without this information. Enable this and in most cases the default will work just fine.
The SettingsScheme setting tells the GPO Tool what type of configuration scheme you would like to configure. Currently there is just the "Simple" scheme, which applies three predetermined settings. This option will be the source of future expansion that will allow for more complex configuration options. The choice you make here relates to a GPO by the same name.
Major and Minor versions allow for ADM template changes to occur while protecting older clients from misinterpreting the options. In most cases when an ADM template is changed, that means that there is either a bug fix in the ADM template (a minor change) or a new version of the tool (a major change). In the latter case all clients should theoretically be upgraded but there is a very good chance a few will get through the system. This protects them from getting mangled. This versioning feature will undoubtedly be put to other uses in the future.
This GPO is for all optional configuration settings. Enable this GPO if any options are needed.
SecurityBypass is what the name implies: a way to bypass the security MS put in place to prevent users of type "User" from changing their power management settings. Some background is needed to understand why this option exists. In short, the power management subsystem is designed radically differently from the rest of the operating system. Its settings are stored in binary strings which are machine and OS dependent, despite half of those settings being stored in the user portion of the registry. Those binary strings are literally C data structures simply dumped from memory into the registry for ease of retrieval.
Most subsystems in the Windows OS tend to be designed in a way that separates the machine and user dependent settings into their respective portions of the registry. As well, most systems employ numerical and string based config info which is addressable via administrative tools like AD's group policy objects, and which allows administrators to determine, to a certain resolution, which users may edit these settings and which may not. In the case of PM, the system is hard coded to deny users of type "User" and "Guest" the ability to edit the power management settings. This would not be a bad thing per se if the admin had a method to manage the settings remotely, or at least locally for users other than themselves. This ability is not provided, however. The EZ_GPO tool has been designed to use the Windows API wherever possible, but since there is a restriction hard coded in the API against the above named user groups, that is not possible for those users.
However, since the registry keys for these settings are located in the user's hive (HKEY_CURRENT_USER), they are still writeable by any user who can access the key via regedit, etc. Since the EZ_GPO tool runs under the user's ID, this is used as a back door to make the changes by bypassing the API: the tool reads the setting out of the registry directly into memory, makes the changes and then writes the info back into the registry. This is only done when the bypass is enabled and the user lacks the proper rights to make the changes through the API. Currently this is exactly how it is done through the API, except that EZ_GPO loads the C data structure directly from the registry instead of having it passed by pointer from an API call that reads it from the registry. There is only one known issue with this: the settings do not show up as changed in the power management control panel, despite the fact that they are changed and active, until the system is rebooted. The known fixes for this are being evaluated and one will be implemented in a later version.
The Simple scheme is currently the only scheme implemented in EZ_GPO. It contains three settings, each of which affects only the AC (plugged in) settings and is expressed in minutes. Please note that the tool is limited in which clients it will set system standby for. The limitation is hard coded into the tool and revolves around the presence of a new version of power management named ACPI (more specifically, support for the S3 sleep state). Most older hardware had Advanced Power Management v2 (APM2), and recent Pentium 3 and early Pentium 4 machines had a flavor of ACPI that was not fully implemented. Most Pentium 4 and higher machines these days have full hardware support for ACPI and the S3 sleep state.
Software\Policies\TerraNovum\EZ_GPO
Software\Policies\TerraNovum\EZ_GPO\MajorVersion = dword (1)
Software\Policies\TerraNovum\EZ_GPO\MinorVersion = dword (1)
Software\Policies\TerraNovum\EZ_GPO\SettingsScheme = string (Simple, )
Software\Policies\TerraNovum\EZ_GPO\Options
Software\Policies\TerraNovum\EZ_GPO\Options\SecurityBypass = dword (1 or 0)
Software\Policies\TerraNovum\EZ_GPO\Options\ForceUpdate = dword (1 or 0)
Software\Policies\TerraNovum\EZ_GPO\Options\Log = dword (1 or 0)
Software\Policies\TerraNovum\EZ_GPO\Options\LogLevel = dword (1 - 10)
Software\Policies\TerraNovum\EZ_GPO\Options\LogFile = string ("%UserProfile%\Logfile.dat")
Software\Policies\TerraNovum\EZ_GPO\Options\EventMessageFile = string ("%System%\config\EZ_GPO_Resource.dll")
Software\Policies\TerraNovum\EZ_GPO\Options\LogServer = string (localhost)
Software\Policies\TerraNovum\EZ_GPO\{Scheme Name}
The Simple scheme
Software\Policies\TerraNovum\EZ_GPO\Simple
Software\Policies\TerraNovum\EZ_GPO\Simple\ACUserMonIdleTime = dword (0) in minutes
Software\Policies\TerraNovum\EZ_GPO\Simple\ACUserStandByIdleTime = dword (0) in minutes
Software\Policies\TerraNovum\EZ_GPO\Simple\ACMachStandByIdleTime = dword (0) in minutes
Software\TerraNovum\EZ_GPO\Backup
Software\TerraNovum\EZ_GPO\Backup\ACUserMonIdleTime = dword (0) in minutes
Software\TerraNovum\EZ_GPO\Backup\ACUserStandByIdleTime = dword (0) in minutes
Software\TerraNovum\EZ_GPO\Backup\ACMachStandByIdleTime = dword (0) in minutes
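An administrator can check what a logged-in user actually received by auditing the keys listed above. The following PowerShell is an added example, not part of the EZ_GPO distribution: it verifies the mandatory Base Options and Simple scheme values, reports when SecurityBypass is enabled, and flags a Run entry that starts EZ_GPO_Tool.exe from a network share. The function name and the finding labels are hypothetical; the key and value names are the ones in the listing.

```powershell
# Added example: audit the EZ_GPO values applied to the current user.
# Key and value names are from the listing above; the function name is hypothetical.
function Get-EzGpoAudit {
    param([string]$Root = 'HKCU:\Software\Policies\TerraNovum\EZ_GPO')
    $out = New-Object System.Collections.Generic.List[string]
    # Read one value with its registry type; returns nothing if key or value is absent.
    function Read-Val([string]$Sub, [string]$Name) {
        $path = if ($Sub) { Join-Path $Root $Sub } else { $Root }
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $Name)) {
            [pscustomobject]@{ Kind = $key.GetValueKind($Name); Data = $key.GetValue($Name) }
        }
    }
    # Base Options: the tool will not run without these.
    foreach ($n in 'MajorVersion', 'MinorVersion') {
        $v = Read-Val '' $n
        if (-not $v) { $out.Add("MISSING  $n") }
        elseif ($v.Kind -ne 'DWord') { $out.Add("BADTYPE  $n is $($v.Kind), expected DWord") }
    }
    $scheme = Read-Val '' 'SettingsScheme'
    if (-not $scheme) { $out.Add('MISSING  SettingsScheme') }
    elseif ($scheme.Data -eq 'Simple') {
        # Simple scheme: three AC idle timers, in minutes.
        foreach ($n in 'ACUserMonIdleTime', 'ACUserStandByIdleTime', 'ACMachStandByIdleTime') {
            $v = Read-Val 'Simple' $n
            if (-not $v) { $out.Add("MISSING  Simple\$n") }
            elseif ($v.Kind -ne 'DWord' -or $v.Data -lt 0) { $out.Add("BADVALUE Simple\$n = $($v.Data)") }
        }
    } else { $out.Add("UNKNOWN  SettingsScheme '$($scheme.Data)'") }
    # Options: report the bypass and range-check LogLevel (1 - 10).
    $bypass = Read-Val 'Options' 'SecurityBypass'
    if ($bypass -and $bypass.Data -eq 1) {
        $out.Add('REVIEW   SecurityBypass=1: power settings are written to HKCU directly, not via the API')
    }
    $lvl = Read-Val 'Options' 'LogLevel'
    if ($lvl -and ($lvl.Data -lt 1 -or $lvl.Data -gt 10)) { $out.Add("BADVALUE Options\LogLevel = $($lvl.Data)") }
    # Startup: flag a Run entry that launches the tool from a UNC path (untested per the text).
    $run = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($n in $run.GetValueNames()) {
            $cmd = [string]$run.GetValue($n)
            if ($cmd -like '*EZ_GPO_Tool.exe*' -and $cmd.Trim('"').StartsWith('\\')) {
                $out.Add("REVIEW   Run\$n starts the tool from a network share: $cmd")
            }
        }
    }
    $out
}
Get-EzGpoAudit
```

Run it in the user's own session, since every key it reads is under HKEY_CURRENT_USER; no output means no findings.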