EZ GPO Power Management Tool for Network Administrators.
Table of Contents Introduction...3 Installation...4 Configuration...6 Base Options...7 Options Properties Dialogue...8 Suggested Configuration Settings...9 Maintenance...10 Errata...10 Simple Scheme (AC & DC )...10 Troubleshooting...11 Configurations A graphical representation Standard Configuration...13 Security Override...17 Machine Override...21
Introduction EZ GPO is an open source set of tools developed by Terra Novum, under a BSD style license for network administrators to manage computer and user power management settings within computing environments. Originally authored to address power management policy and permission issues with Windows 2000 and Windows XP machines, the tool works natively with Active Directory via Group Policy Objects as well as with Novell NDS/Zenwork clients via registry management systems. The approach taken was to create a process by which users who were not local Administrators or Power Users, the ability to modify the required registry string settings needed for power management. As the native GPO interface for ADM meta language is limited in the Group Policies interface, the method utilized accesses the only areas of the registry that can be managed via process which are Single Value Strings and DWORD (integer) values, both of which are accessed through the GPO tree. EZ GPO is introduced to target environment in two stages. The first stage is the installation, configuration and activation of the server side GPO via ADM (Administrative Template), with the second being the client/workstation application installation via MSI (Microsoft Installer). As with most.adm files, EZ_GPO.adm is a template of set parameters defined by an administrator to configure Group Policy Objects for registry settings. The client/workstation MSI places two executable binary files onto the machine that is to be managed. They are 'EZ_GPO_Tool.exe', which will run as the user, to specify to the system, which power management settings are to be applied for that users account at login. The second executable is named PMService.exe', which is a service application that is run by the machine account, as itself, which will specify, to the machine, which power management settings are to be applied to that machine when no user is logged on. These two client side applications will work in conjunction with the GPO set by the ADM template. Failing the propagation of the GPO from an AD Default Policy, the applications will utilize registry entries set in the HKLM and HKCU software registry branches -allowing administrators without AD or administrators who manage Novell NDS/Zenwork systems the ability to directly manipulate registry settings for required custom values. As the registry entries are Single Value Strings and DWORD (integer) values, which follow Microsoft core API procedures, the settings are available immediately. Since GPOs are applied prior to the actual logon prompt, there is no concern for a binary race condition where the binary would execute prior to the policy set.
Installation 1) ADM Template Unzip the EZ_GPO.zip file. Browse to the Server GPO directory and locate the ADM file named EZ_GPO.adm, you may extract this file to your desktop. {{Note to complete this procedure you must be a member of the Domain Administrators group}} No matter which interface method you use for Group Policy administration, the installation procedure is the same: Non-GPMC install steps: Open Active Directory Users and Computer via the Administrative tools start menu or type: dsa.msc at the run prompt. Right click on the container that holds the domain you wish to manage, select properties and move to the Group Policy tab. Highlight 'Default Domain Policy' and click edit. (continue below) GPMC installation: Open the GPMC console via Administrative tools start menu or type: gpmc.msc at the run prompt. Right click the 'Default Domain Policy' GPO, select Edit. A new MMC will open at the root level showing both Computer Configuration and User Configuration console trees. Expand either of those trees right until you see 'Administrative Templates', right click on Administrative Templates and select 'Add/Remove Templates'. Click Add, browse to your desktop or whichever location you stored the EZ_GPO.adm file, select open, and then click close. At this point within both the Administrative Templates you will see ' EZ GPO by the Environmental Protection Agency', which will contain three new group polices for you to manage. Please be advised on Server2003, the snapin will no longer copy the ADM template to the general store: %SystemRoot%System32 directory. If desired, please copy it there prior to loading the template. 2) Client Binary Executables Installation of the binary client, EZ GPO Installer.msi, is pretty straightforward. It is suggested to install it via assignment computer based software installation policy. {{Having first ensured the msi is available from a readable UNC path.}}
Browse to the Software Settings tree under Computer Configuration. Right click, select new, select package. Select the location of the msi, click open, click assigned, click ok. It is also suggested if installed via the Software Settings assignment, that the client machines are rebooted a few times to give the software a chance to fully install. This is due to Fast Login Optimization and Asynchronous policy refresh. For more information please see: http://support.microsoft.com/default.aspx?scid=kb;en-us;305293&product=winxp and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/logon_optimization.asp
Configuration The installed ADM under your selected Group Policy will show you the following options. (fig 1a) Base Options, Options, AC Profile Scheme and the DC Profile Scheme (fig 1a)
Base Options Suggestion: Enabled In order to activate the GPO the Base Options configuration must be set to Enabled. The default values will work for most systems. The other options are: Control Settings Scheme Major/Minor Version Informs the client applications if the GPO is valid at this location, or if they should look elsewhere for their configuration. Which configuration scheme you would like to configure. The default setting of Simple holds values for six predetermined settings. Options for upgrading between versions, both Minor (revision) and Major (version).
Options Properties Dialogue Suggestion: Enabled Only applies to the machine policy. This option allows an IT admin to have the user's policy be derived from the Machine's policy. In other words, this allows an IT admin to apply a policy on a per machine basis and as users move from machine to machine, their power policies match that of the machine and they do not bring with them a power policy from another machine. Machine Override The option does not require the User Configuration settings to be set, but does require the Computer Configuration to be set and that the workstation to be managed. To verify this setting has been applied, run: powercfg.exe /q at the command prompt. Do not open the Contol Panel Power Options Applet. This will cause the setings to be overwritten. For older Non-S3 capable machines. Force Standby This is a legacy setting and does not have to be enabled for most systems. If it is enabled, it most likely will do no harm. Found only under Admin User Policy. Allows the user binary
Security Bypass Security Override application to bypass OS restrictions that would prevent registry modifications. This option must be set in Computer Configuration, and must be applied to all computer accounts of the workstations to be managed. To verify this setting has been applied, run: powercfg.exe /q at the command prompt. Force Update Do not open the Contol Panel Power Options Applet. This will cause the setings to be overwritten. Forces the system to update the power management settings even if the settings match. Otherwise if no changes need to be made, the application will wait in a loop or exit. Suggested Configuration Settings Depending on your requirements and needs there are three general methods that ensure for a smooth operation of EZ GPO within your environment. : For a graphical representation of these configurations, please see Appendix pages 11-24 Standard configuration: Security Override: Machine Override: You have settings the settings in both the User Configuration and the Computer Configuration GPOs, all of the User and Machine Accounts are managed. The Machine Override option is not enabled. You have set the settings are set in both the User Configuration and the Computer Configuration GPO, all of the User and Machine Accounts are managed The Machine Override option is not enabled. Security Override is enabled. You have set the settings are set in only for the Computer Configuration GPO, all of the Machine Accounts are managed. The Machine Override is enabled. User Configuration is not enabled.
Maintenance Upgrading between versions To upgrade first remove the ADM file from the list of available adm templates in the user portion of the GPO and then apply the changes. Then add in the new updated ADM file It should pick up your old settings but still pick up the new version numbers. Update the MSI installer according to you normal procedures. Errata Simple Scheme (AC & DC ) Where applicable, there are options in both the AC and DC panels. AC controls when the machine is plugged into a wall or other AC power source. DC controls the behavior of the machine when the portable is being powered off of it's internal battery source. User Monitor Timeout - Time until monitor off occurs in minutes User System Standby Timeout - Time until System Standby occurs in minutes Machine Hibernation Timeout - Time until hibernation occurs in minutes (NB: should be 0 or at least one minute larger than system standby and requires that hibernation be enabled)the simple scheme is currently the only scheme implemented in EZ_GPO. It contains six settings, each of which affects either the AC (plugged in settings) or the DC (when on battery settings), and are expressed in minutes. To set any setting to never, input a value of 0 (zero). Please note that the tool is limited in what clients it will set system standby for by default. The limitation is revolves around the presence of a new version of power management named ACPI (more specifically the support for the S3 sleep state). Most older hardware had Advanced Power Management v2 (APM2) and recent Pentium 3 and early Pentium 4 machine had a flavor of ACPI that was not fully implemented. Most Pentium 4s and higher machines these days have full hardware support for ACPI and the S3 sleep state. This behavior can be overridden by employing the ForceStandby option in the above options. This can be useful for machines that are AMD based as they support a form of S3 but do not always show it consistently. There is no reason why you can not set both AC and DC power settings in one policy. If you do, desktops will completely ignore the DC settings since the machine will never be placed on a DC power source. For example, the settings get set but the opportunity never arises for the machine to use them, in essence making them inert. This allows you to manage laptops and desktops with the same policy. Please note that when the laptops are plugged in, they will have the same PM idle times as desktops. To use the hibernation settings, hibernation must first be enabled to allow this setting to take effect. There is unfortunately no way that MS provides, in the form of a (published) API call, to make this happen. If they did, it would have been made an option. The only way for admins to enable this is to do so before deployment, via the source image.
Troubleshooting Verification of Software Installation Verification of GPO application to the User or Machine. I have installed the GPO tool, but I am not seeing any results when I check the power settings via the control panel applet on managed machines. Check to see if the software is installed properly. First check the Add/Remove software for the EZ GPO tool entry. If that exists, verify the software was properly installed by AD by checking for the presence of a file called PMService.exe in the \Windows\System32 directory. If that file is not there, you need to roll back the installation and install the software from the computer policy and not the user policy in AD or chose a different installation method. Verify the GPO was properly applied by checking the registry on the target computer. Under either HKLM or HKCU (which one is dependant on the configuration chosen above), look for entries under \SOFTWARE\Policies\TerraNovum\EZ_GPO Whenever the Control Panel Power Options applet is utilized the system will revert to the last cached power configuration and will makes those settings authoritative despite any updated configuration. This will occur even if you just open the applet and cancel it. This bug is present in Windows XP and will occur regardless of which tool was used to make the power settings. To check the power settings, from the command line enter: powercfg.exe /q for the results. Reboot the system and then check to see if the your defined power settings are visible via powercfg.exe. I have installed the GPO tool, but the managed machines do not seem to be sleeping. You may not be using the Standard Configuration as required for your needs. Check that you have configured settings under Computer Configuration and not the User Configuration. What may be occurring is that the settings are set for the machine only and not for the users,
I have installed the GPO tool, but the managed machines do no seem to be sleeping. I have installed the GPO tool, but the managed machines do not seem to be sleeping. the result would be that the machine itself will sleep but those settings will be overridden by any non defined user settings. : Check the software on the managed machine to see if there are any screen savers or other idle cycle applications running. Any process that requires more than 20% of the CPU time, tells the machine that it is not in an active low power state. Check the Device Manager tab from the System menu. The system will indicate a device error with an exclamation point (!) or a question mark (?) next to the device in an error state. Be advised that generic drivers that are on your system may not be written in a manner to accept or yield to requested sleep or suspend requests from the system. Ensure that all the devices on your system have up to date and accurate drivers for their use.
Configurations A graphical representation Standard Configuration Standard Configuration: Computer Configuration Base Option Properties Standard Configuration: Computer Configuration Options Properties
Standard Configuration: Computer Configuration AC Profile Standard Configuration: Computer Configuration DC Profile
Standard Configuration: User Configuration Base Options Standard Configuration: User Configuration Options
Standard Configuration: User Configuration AC Profile Standard Configuration: User Configuration DC Profile
Security Override Security Override: Computer Configuration Base Options Security Override: Computer Configuration Options
Security Override: Computer Configuration AC Profile Security Override: Computer Configuration DC Profile
Security Override: User Configuration Base Options Security Override: User Configuration Options
Security Override: User Configuration AC Profile Security Override: User Configuration DC Profile
Machine Override Machine Override: Computer Configuration Base Options Machine Override: Computer Configuration - Options
Machine Override: Computer Configuration AC Profile Machine Override: Computer Configuration DC Profile
Machine Override: User Configuration Base Options Machine Override: User Configuration Options
Machine Override: User Configuration AC Profile Machine Override: User Configuration DC Profile