Monday, December 21, 2020

Policy Plus - Explicit checkbox elements and policy state detection

This morning I received a report from a Policy Plus user that its assessment of a policy state was inconsistent with that of the real Local Group Policy Editor. The policy had been set to Disabled in the official editor, but Policy Plus reported it as Unknown, which indicates that some Registry evidence favors it being Enabled while other evidence suggests it's Disabled. Indeed, the policy's main Registry value was deleted, but the value corresponding to a checkbox element was present and set to 0. Zero is that element's "off" value, but an unchecked checkbox is different from the whole policy being Disabled.

Experimenting with several different policies involving checkbox elements, I found that the Local Group Policy Editor writes checkbox elements' "off" values to the Registry when the policy is Disabled if the element has data explicitly defined. If the element's data is left implicit/default, disabling the policy deletes its Registry value like I expected. I still think it would be better if things worked the way I had previously assumed, since the way it actually works allows cases (in real policies!) where "policy Enabled but checkbox unchecked" is literally indistinguishable from "policy Disabled", but Policy Plus needs to reflect reality rather than my preferred design.

When judging a policy's state, Policy Plus now considers the presence of a checkbox element's "off" value as weak evidence for the policy being Disabled. When saving the state of Disabled policies, it writes checkbox elements' "off" values, if specified, instead of deleting them. While I was at it, I adjusted the setting editor window to avoid crashing when editing a mixed-state policy, not that there should be any anymore. The changes are live on GitHub.
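
The evidence weighing described above can be sketched as a small Python model. This is an added example, not Policy Plus's own code: the policy definitions, value names, the `DELETED` marker and the decision rule are all assumptions made for illustration.

```python
DELETED = object()  # marker: the value is recorded as deleted (assumed representation)

# Constructed policies. "off": None would mean the checkbox's data is implicit.
WITH_MAIN = {"main": ("ExamplePolicy", 1),
             "boxes": [{"name": "ExampleOption", "on": 1, "off": 0}]}
BOX_ONLY = {"main": None,
            "boxes": [{"name": "ExampleOption", "on": 1, "off": 0}]}

def write_state(policy, state, checked=()):
    """Values left behind for Enabled/Disabled, following the behaviour described above."""
    reg = {}
    if policy["main"]:
        name, data = policy["main"]
        reg[name] = data if state == "Enabled" else DELETED
    for box in policy["boxes"]:
        if state == "Enabled" and box["name"] in checked:
            reg[box["name"]] = box["on"]
        elif box["off"] is not None:
            reg[box["name"]] = box["off"]  # explicit "off" data is written, not deleted
        else:
            reg[box["name"]] = DELETED     # implicit data: the value is deleted
    return reg

def detect_state(policy, reg, off_is_weak_disabled=True):
    """Weigh the evidence; the flag switches between the old and the new checkbox rule."""
    enabled = disabled = weak_disabled = False
    if policy["main"] and policy["main"][0] in reg:
        name, data = policy["main"]
        if reg[name] is DELETED:
            disabled = True
        elif reg[name] == data:
            enabled = True
    for box in policy["boxes"]:
        value = reg.get(box["name"])
        if value is None:
            continue                       # absent: no evidence either way
        explicit_off = box["off"] is not None and value == box["off"]
        # Assumption: a deleted element value is also treated as weak evidence only.
        if value is DELETED or (off_is_weak_disabled and explicit_off):
            weak_disabled = True
        else:
            enabled = True                 # old rule: any present element value => Enabled
    if enabled and disabled:
        return "Unknown"
    if enabled:
        return "Enabled"
    return "Disabled" if (disabled or weak_disabled) else "Not Configured"
```

With `off_is_weak_disabled=False` the model reproduces the reported Unknown result for a Disabled policy; `BOX_ONLY` shows the case where Enabled-but-unchecked and Disabled leave identical values behind.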
