As I explained in my previous post, I have been working on a fun PowerShell script to translate ADMX files into a CSV file to document the different GPO settings you can make. This gives you a quick reference document for the policy settings that are pushed in a production environment, or a nice overview of the policies your design documents advise to be set. After I posted my script I received a comment from Jeremy Saunders, who pointed out that the output still missed some information, like the registry value that can be set when a policy is enabled. A great trigger to do some more debugging on the script and add some more lines of code to improve the quality of the output. Of course I also notified Carl Webster that an update of the script was required as I was back at bug fixing the script, which would result in an update for his Group Policy Settings Reference for Citrix XenApp and XenDesktop file. Carl asked me if I could look at generating some more Possible Values data while I was at it, and that sounded like a great extension for the script. So I’ve been using the spare time that I had these last couple of weeks to have some debugging fun with my script and add more possible values data in the output as well.
Missing the enable/disable policy settings
Like I said, it was Jeremy Saunders who pointed out that I missed some very important settings in my output, as I forgot to add a separate entry for each policy to see if registry settings are changed by simply enabling the policy setting. So the first change to the script was to add a separate row to the output CSV file for each policy and check if the policy itself changed the registry.
If you look at the ADMX file for the Citrix Federated Authentication Services you’ll notice that the VirtualSmartcard policy, unlike the other policies, has a valueName attribute ‘Enabled’ and an enabledValue and disabledValue child element.
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions>
  <policies>
    <policy name="VirtualSmartcard" class="Machine" key="Software\Policies\Citrix\Authentication\VirtualSmartcard" valueName="Enabled">
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>
So I have updated the script to ensure each policy has a separate row in the output CSV file that includes the registry value (and possible values) when the policy is enabled. Keep in mind that not all policy elements in the ADMX have a valueName attribute and therefore the Name Value field can be empty for the new ‘policy’ Type rows in the output.
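The 'policy' row described above, as an added example (this is not the author's script): it reads each policy element and emits one CSV row with the registry key, the valueName and the enabled/disabled values, leaving the fields empty when the ADMX does not define them. The column names, the Get-AdmxValueText helper and the second policy in the sample are assumptions made for illustration.

```powershell
# Constructed sample: the VirtualSmartcard policy from the post plus a
# hypothetical policy without a valueName attribute.
[xml]$admx = @'
<policyDefinitions>
  <policies>
    <policy name="VirtualSmartcard" class="Machine" key="Software\Policies\Citrix\Authentication\VirtualSmartcard" valueName="Enabled">
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="ExampleNoValueName" class="Machine" key="Software\Policies\Example" />
  </policies>
</policyDefinitions>
'@

# Hypothetical helper: render an enabledValue/disabledValue element as text.
function Get-AdmxValueText {
    param([System.Xml.XmlNode]$ValueNode)
    if ($null -eq $ValueNode) { return '' }
    $child = $ValueNode.SelectSingleNode('*')
    if ($null -eq $child) { return '' }
    switch ($child.LocalName) {
        'decimal'     { return $child.GetAttribute('value') }
        'longDecimal' { return $child.GetAttribute('value') }
        'string'      { return $child.InnerText }
        'delete'      { return '(value deleted)' }
        default       { return '' }
    }
}

# local-name() keeps the XPath working when the file declares the ADMX default namespace.
$rows = foreach ($policy in $admx.SelectNodes("//*[local-name()='policy']")) {
    $enabled  = $policy.SelectSingleNode("*[local-name()='enabledValue']")
    $disabled = $policy.SelectSingleNode("*[local-name()='disabledValue']")
    [pscustomobject]@{
        PolicyName    = $policy.GetAttribute('name')
        Type          = 'policy'
        Class         = $policy.GetAttribute('class')
        RegistryKey   = $policy.GetAttribute('key')
        ValueName     = $policy.GetAttribute('valueName')   # empty when the attribute is absent
        EnabledValue  = Get-AdmxValueText $enabled
        DisabledValue = Get-AdmxValueText $disabled
    }
}

$rows | ConvertTo-Csv -NoTypeInformation
```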
Processing more possible values data
As Carl Webster pointed out, there is more information stored in the ADMX and ADML files regarding possible values that can be set for each policy element. So I decided to dig deeper into the ADMX syntax and update the script to retrieve more information. Luckily for me, the syntax is documented on Microsoft’s MSDN so I could process each element step-by-step and get a better understanding of the different attributes and child elements each policy element can have.
While checking attributes, values and child elements and testing adjustments to the script to get more output, I discovered that my script generated false data due to the fact that I had not cleaned up variables that were re-used in different for and while loops within the script. So I had to do a lot of testing to ensure the ADMX file is processed correctly now.
As I still found some incorrect entries in the output, please feel free to address any errors in the way the script generates the new output. I welcome any feedback to further improve the script.
I managed to add more Possible Values information to the output for the policy and textbox Types and add extra information to the Value Name to indicate whether data entries are required or appended to existing data.
To download the latest version of the script, check out the GitHub repository at: