12 Creating and Deploying Administrative Templates

16/11/2014
12 Creating and Deploying Administrative Templates

Section Topics
Introducing Administrative Templates
Legacy ADM Templates
Using the New ADMX Templates
Converting and Creating Custom ADMX Templates
Using the ADMX Central Store
Section Objectives
After completing this section, you will be able to:

Describe the benefits of using Administrative templates
List some of the ADM templates that are included in each version of Windows
List tips that you can use to write your own custom Administrative templates
Describe the advantages of using the new ADMX file format
Identify which tool converts ADM templates to ADMX templates and also creates new
ADMX templates
Define ADMX Central Store
Section Overview
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=13&FontSize
1/26
16/11/2014
One of the most important functions of Group Policy is to modify the registry, and registrybased policy is implemented via something called Administrative Templates. These
templates are nothing more than specially formatted text files. This section explains the logic
behind Administrative Templates, when to use them, and even the basics of how to write
them. This section also explains how to deploy templates by loading legacy ADM templates
into the Group Policy Management Editor, and by copying ADMX templates to the Central
Store.
Introducing Administrative Templates
Figure 289: Introducing ADM Templates

This topic describes Administrative Templates and explains how they are structured.
Administrative Templates Nodes
Figure 290: Administrative Templates Nodes

2/26
16/11/2014
In both the Computer Configuration and User Configuration nodes of the Group Policy
console, there is a folder named Administrative Templates. The existence of this folder is
confusing because many of the settings that you find under the Administrative Templates
nodes deal with software settings and windows settings, and yet those two areas have their
own separate nodes in the policy console.
The explanation for this apparent contradiction might help you understand how the Group
Policy console is organized. In a nutshell:
The Administrative Templates node contains settings that can be implemented solely
through the registry and that are specified by files having the extension .adm.
Microsoft calls these settings registry-based policy.
The other nodes, Software Settings and Windows Settings, contain settings that are likely
to involve files outside the registry (such as scripts, software packages, etc.) and these
settings are not specified by *.adm files.
Helpful Hint
Do not worry too much if you see settings in different console nodes that appear
to belong together thematically, but do not. The top levels of the Group Policy console are
organized according to whether settings are implemented via *.adm files, not according to
topic.
Benefits of Using Administrative Templates
3/26
16/11/2014
Figure 291: Benefits of Using Administrative Templates

The main reason for implementing such a big part of the Group Policy console via the
Administrative Templates section is extensibility. The Group Policy console is extensible
through the additon of custom ADM/ADMX files. If your organization buys a new application
program for deployment to your user community, assuming that the application developers
saw fit to create an ADM/ADMX file for you, you may be able to centrally manage features
of that application within the Group Policy console. This approach has benefits for:
Application users: For example, say Adventure Works deploys Microsoft Office 2000.
However, a number of users have laptops that still run Microsoft Office 97. To ensure
compatibility when users exchange documents, Acme installs the Microsoft Word 2000
ADM template into the Group Policy console. Now, it is possible to specify that Microsoft
Word 2000 users will automatically save their documents in Microsoft Word 97 format, by
default.
Operating system users: Of course, the extensibility feature is handy for the operating
system, too. When Windows Server 2003 was released, Microsoft did not have to redo
completely the existing Group Policy structure; instead, it created some new templates
(ADM files) that could feed the old Group Policy console information about the new
settings available in Windows Server 2003.
Software developers: If you are a software developer, the ADM file methodology gives
you a structured, predefined way of giving your customers the ability to manage software
settings centrally, through a console that they are already using to manage the Active
Directory environment.
4/26
16/11/2014
Registry Structure Used by Administrative Templates
Figure 292: Registry Structure Used by Administrative Templates

Figure 292 lists the subjects that are described in this topic.
Computer vs. User
Administrative template files can apply to the computer-specific portion of the registry or to
the user-specific portion. Specifically:
ADM templates that apply to the Computer Configuration portion of the MMC console
affect the HKEY_LOCAL_MACHINE branch of the registry.
ADM templates that apply to the User Configuration portion of the MMC console affect
the HKEY_CURRENT_USER branch of the registry.
True Policies vs. Preferences
Windows 2000 and later Group Policy settings are located in one of four registry locations:
HKLM\Software\Policies
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
HKCU\Software\Policies
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
5/26
16/11/2014
The first and third locations in this list are preferred, but policy settings in any of these four
locations are recognized as true policies.
The older Windows NT 4-style System Policy Editor, and the ADM templates that it used,
would place policy settings in a wide variety of registry locations. This created problems with
security and with tattooing, or the undesired persistence of policy settings. Sometimes, you
may find it necessary to tattoo the registry with a setting that does not correspond to any of
the above four locations.
Settings that exist somewhere other than the above four locations are recognized as
preferences rather than true policies because it is possible for the user to change them by
using Regedit. On the other hand, if a user changes a true policy with Regedit, it will be
changed back to the original setting at the next policy refresh.
Helpful Hint
Remember that you can cause preferences to display in the Group Policy console
using the procedures described for Poledit templates.
Legacy ADM Templates
6/26
16/11/2014
Figure 293: Legacy ADM Templates

When you first look at the Group Policy console, the Administrative Templates nodes under
both the Computer Configuration and User Configuration nodes are already populated.
Some standard ADM templates are installed as part of the operating system load.
Typically, ADM files for local Group Policy reside in the %Systemroot%\Inf folder
(normally, c:\Winnt\Inf or c:\Windows\Inf), and ADM files for network-based Group Policy
reside in the Adm folder within the Group Policy template in the Sysvol share, that is,
%Systemroot%\Sysvol\Domain\Policies\GPO_GUID\Adm (see Figure 293).
The standard ADM templates vary according to the version of Windows you install. The
following topics are here for reference purposes and describe the standard templates for
Windows 2000, Windows XP, and Windows Server 2003. The last two topics describe the
Poledit templates, and Office ADM Templates, respectively.
Legacy Templates in Windows 2000

In Windows 2000, the following standard templates are installed into the Group Policy console
by default:
System.adm: Large file (727 KB), many different settings
Inetres.adm: Windows Internet Explorer settings
7/26
16/11/2014
In Windows 2000, the following standard templates are not installed into the Group Policy
console by default:
Common.adm: Settings common to Windows NT and Windows 95 or Windows 98;
Poledit style
Conf.adm: Microsoft NetMeeting settings
Inetcorp.adm: IEAK corporate settings
Inetset.adm: Settings for Windows Internet Explorer defaults that were not included in the
IEAK wizard
Windows.adm: Windows 95 policy settings; Poledit style
Winnt.adm: Windows NT policy settings; Poledit style
Wmp.adm: Windows Media Player policy settings
If you install Windows 2000 Service Pack 3, you will have the following ADM files:
Wmplayer.adm: Windows Media Player settings, versions 8 and 9
Wuau.adm: Service Pack 3: Windows Update Automatic Update
Legacy Templates in Windows XP

In Windows XP, the following standard templates are installed into the Group Policy console
by default:
System.adm: Core settings
Wmplayer.adm: Windows Media Player settings, versions 8 and 9
In Windows XP, the following standard template is not installed into the console by default:
8/26
16/11/2014
If you install Windows XP Service Pack 1, you will have the following ADM file:
Wuau.adm: Service Pack 1; Windows Update Automatic Update
Helpful Hint
Microsoft recommends that all Active Directory administrators run Windows XP with the
updated ADM files. If you run Windows XP and administer a GPO that has an outdated
ADM file, your computer will automatically update the ADM files of the GPO as long as the
new files reside in the server. Therefore, if you have Windows 2000 Server, you should
manually update the ADM files in the Windows 2000 Server Inf folder by copying them from
a Windows XP computer and then using the Add/Remove Template command to remove
the old and add the new.
Legacy Templates in Windows Server 2003

In Windows Server 2003, the following standard templates are installed into the Group Policy
console by default:
System.adm: Large file (727 KB), many different settings
In Windows Server 2003, the following standard templates are available, but not installed into
the Group Policy console by default:
Common.adm: Settings common to Windows NT and Windows 95 or Windows 98,
Poledit style
9/26
16/11/2014
Inetcorp.adm: IEAK corporate settings

Inetset.adm: Settings for Windows Internet Explorer defaults that were not included in the
IEAK wizard
Windows.adm: Windows 95 policy settings, Poledit style
Winnt.adm: Windows NT policy settings, Poledit style
Wmp.adm: Windows Media Player policy settings
Wuau.adm: Windows Update Automatic Update
Poledit Templates
The standard ADM files for use with Poledit, the System Policy Editor, in Windows NT 4
are:
Common.adm: Settings common to Windows NT and Windows 95 or Windows 98
Winnt.adm: Windows NT policy settings
The standard ADM file for use with System Policy Editor in Windows 95 is:
Windows.adm
Microsoft does not recommend using Windows NT 4, Windows 95, or Windows 98-style
ADM files with Windows 2000, Windows XP, or Windows Server 2003.
If you do use these older templates, or if you create your own custom ADM files that make
registry settings that are different from the four approved registry keys for Group Policy, the
default MMC behavior is for them not to appear. You can force them to show up with the
procedures described below.
Showing Custom ADM Templates in Windows 2000
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=13&FontSiz
10/26
16/11/2014
To show your custom ADM templates in Windows 2000, follow these steps:
1.
Select the Administrative Templates node that you wish to modify.
2.
Right-click and select View to display the cascading menu.
3.
Clear the Show Policies Only check box.
Showing Custom ADM Templates in Windows XP

To show your custom ADM templates in Windows XP, follow these steps:
1.
Select the Administrative Templates node that you wish to modify.
2.
Right-click and select View to display the cascading menu.
3.
Select Filtering.
4.
Clear the Only show policy settings that can be fully managed check box.
If you force Windows NT 4-style policies to appear in the console, they will appear in red
icons.
Windows 2000 and later Group Policy settings will appear in blue.
You can force the Show Policies Only option to always be enabled by configuring the
following policy option: User Configuration, Policies, Administrative Templates, System,
Group Policy, and Enforce Show Policies Only
Office ADM Templates

Microsoft provides ADM files for all of its Microsoft Office products since Microsoft Office
97. If your organization uses one of these versions of Microsoft Office, you might discover
that using the vendor-supplied ADM files can dramatically extend the usefulness of the Group
Policy console.
11/26
16/11/2014
With the Office templates you can control hundreds of different settings between the
Computer and User configuration sections.
These settings control the behavior of all Microsoft Office applications and settings that are
generally available inside the applications themselves and many settings that are not usually
configurable.
Custom ADM Templates
Figure 294: Custom ADM Templates

This topic explains how to create your own custom ADM templates for use with Group
Policy.
Creating Your Own ADM Templates
12/26
16/11/2014
Figure 295: Creating Your Own ADM Templates

Now that you know the major data types and sections used in creating custom ADM
templates, you can write your own. All you need is your favorite text editor (Notepad works
well).
The following topic describes some tips that you can use to write your own custom ADM
templates. You will also see an example of a custom ADM template that contains a single
policy entry.
Programming Tips
Document your custom ADM files. Use the semicolon character (;) at the start of a line to
indicate a comment. Other people are likely to read your files and edit them for their own
purposes. It is good programming practice to make that as convenient as possible.
Prevent Windows NT systems from accidentally loading your Windows 2000, Windows
Server 2003, or Windows XP ADM files by including a section beginning with #if version <=
2 and ending with #endif that merely displays explanatory text advising the administrator that
this policy file requires Windows 2000 (or another operating system). Version 2 signifies the
Windows NT policy editor, version 3 signifies the Windows 2000 console, and version 4
signifies the Windows XP console.
13/26
16/11/2014
A Simple Example
Here is an example of a custom ADM template that contains a single policy entry, the
SourcePath value in the registry that indicates where Windows 2000 was originally installed
from. You might want to modify this value from time to time, as for example if the
distribution server that was used to install client operating systems is renamed. The reason is
that Windows 2000 and Windows XP use the SourcePath value after installation. For
example:
You install a device driver that is not contained in driver.cab.
Windows File Protection needs to reinstall an operating system file that is in neither
dllcache nor driver.cab.
The registry value of interest here is:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePa
th (REG_SZ). Because the value is a string, you need to create an ADM file that lets the
administrator enter the path that contains the Windows source path (for example,
\\Dist_Srv\Winxp).
Normally, you would not create an ADM file that contains only one entry. This is just an
example.
The first part of the ADM file will refer to the part of the console (and registry) that this
setting applies to, namely, the machine:
CLASS MACHINE
Say you want to add this entry to the System node under Administrative Templates. So, the
category is a metastring referring to the literal string Acme System Settings, as follows:
14/26
16/11/2014
CATEGORY !!Administrative
Now you have to give the policy itself a metastring name:
POLICY !!SetupSourcePath
Next, specify the registry key to modify, as follows:
KEYNAME "Software\Microsoft\Windows\
currentVersion\Setup"
And then specify the value to edit:
PART
!!SourcePathBox EDITTEXT
VALUENAME "SourcePath"
END PART
Here the EDITTEXT indicates that the administrator is to edit a text box, rather than click a
check box, for example.
Including the following line provides explanatory text:
EXPLAIN !!SourcePathExplain
When you add more details, you end up with the following:
Filename: SOURCE.ADM
Example of a simple custom ADM template
15/26
16/11/2014
Jane Doe, August 2003
CLASS MACHINE
CATEGORY
!!Administrative
POLICY !!SetupSourcePath
KEYNAME "Software\Microsoft\Windows\
CurrentVersion\Setup"
PART
!!SourcePathBox EDITTEXT
VALUENAME
"SourcePath"
END PART
EXPLAIN !!SourcePathExplain
END POLICY
END CATEGORY
[STRINGS]
;
This section is typically alphabetized for
convenience.
Administrative="Acme System Settings"
SetupSourcePath="Change Setup Source Path"
SourcePathBox="Enter the path to the Windows distribution
share:"
SourcePathExplain= "Change this value if you rename the
distribution server on the
network that contains the \I386 folder.\n\nThis server
location must be available in certain
situations, such as when installing a new device driver
that is not contained in
DRIVER.CAB, or when Windows File Protection attempts to
restore a file that is not
contained in DLLCACHE or DRIVER.CAB."
To view the new setting, you need to turn on the ability of the MMC to view preferences as
opposed to true policies.
Loading Additional ADM Templates
16/26
16/11/2014
Figure 296: Loading Additional ADM Templates

The procedure for loading an additional ADM template into the Group Policy console is as
follows:
1.
Open the GPO you wish to edit.
2.
Right-click the Administrative Templates node in the tree pane (either in Computer
Configuration or in User Configuration. The software vendor will typically advise as
to the correct procedure.)
3.
Select Add/Remove Templates. A list of installed templates appears in Figure 296.
4.
Click Add.
5.
Browse to the template you wish to add, highlight it, and click Open.
6.
Click Close in the Add/Remove Templates dialog box.
Remember that if you add a template that contains preferences rather than true policy settings,
you will need to set the MMC to view those preferences, because the default behavior is to
hide them.
Using the Policy Template Editor
17/26
16/11/2014
Figure 297: Using the Policy Template Editor

If you find yourself doing a fair amount of work with custom ADM files, consider using a
product from www.tools4ever.com called Policy Template Editor. They have a demo version
available for download.
Using the New ADMX Templates
Figure 298: Using the New ADMX Templates

Microsoft has changed the structure of the administrative template files in Windows Vista,
Windows Server 2008 and later operating systems. These files are used to import settings for
18/26
16/11/2014
applications and new parts of the operating system into Group Policy. Formerly, the ADM
files followed a format that was unique to Group Policy and was not based upon any
established standard.
Administrative Templates are now based on an XML file format. The new GPO tools can
read both the older ADM files and the newer ADMX files. All ADMX files can be stored
centrally in Sysvol.
ADM vs. ADMX Format
Figure 299: ADM vs. ADMX Format

The new ADMX file format has several significant advantages over the old ADM file
structure.
ADM Files
When a new GPO is created from ADM templates, the entire ADM structure immediately
becomes a part of the GPO file. This leads to GPO bloat because thousands of unconfigured
items in the GPO file may never be used. The resulting file can be several megabytes in size,
even if it has only one item configured.
The original ADM file structure also uses a proprietary format unique to the ADM file
structure.
As such, ADM files and architectures are not easy to customize.
19/26
16/11/2014
ADMX Files
The new ADMX file structure allows for language independence. Language files can be
created independently of the actual ADMX file settings themselves.
ADMX settings are stored separately from the GPO. When an ADMX setting is configured,
only that item is copied into the GPO. This leads to much smaller GPO file sizes.
ADMX files are based upon an XML file structure that is a more widely adopted standard and
allows for extensibility.
Converting and Creating Custom ADMX Templates
Figure 300: Converting and Creating Custom ADMX Templates

Files in the ADM format can be converted to ADMX with the ADMX Migrator tool from
FullArmor. The ADMX Migrator also comes with a simple template editor that you can use to
modify existing templates or to create new ones. You can download this tool from the
Microsoft Web site (www.microsoft.com) for free.
Using the ADMX Central Store

20/26
16/11/2014
Figure 301: Using the ADMX Central Store

By default, the ADMX templates are loaded from the local C:\Windows\PolicyDefinitions
folder on the computer that the policies are being edited from. This is only true of Windows
Vistaand later systems. This can be problematic when one administrator imports a custom
ADMX on his or her own computer. Other administrators will not be able to view and edit
those policy settings.
To solve this problem, you can copy the ADMX files to a central location from which all
administrative consoles will automatically load the available ADMX templates. This is known
as the ADMX Central Store.
You must manually create the Central Store. To create the Central Store, create the following
folder on one of the domain controllers in the domain:
C:\windows\sysvol\sysvol\hq.local\policies\policydefinitions Then, copy all of the default
and custom ADMX files to the centralized policydefinitions folder.
Figure 301 lists the features of the ADMX Central Store.
Acronyms
The following acronyms are used in this section:
ADM template administrative template
ADMX
Administrative templates XML-based
CSS
Cascading Style Sheets
21/26
16/11/2014
GPO
Group Policy Object
GUI
graphical user interface
GUID
globally unique identifier
HKCU
HKEY CURRENT USER
HKLM
HKEY LOCAL MACHINE
HTML
Hypertext Markup Language
IEAK
Internet Explorer Administration Kit
KB
kilobytes
MDB
Microsoft database
MMC
Microsoft Management Console
VBA
Visual Basic for Applications
XML
Extensible Markup Language
Section Review
Summary
The benefits of using ADM templates are:
Application users: Individual application settings can be customized centrally.
Operating system users: Operating system settings can be configured or restricted from
a central location.
Software developers: The ADM file methodology gives you a structured, predefined
way of giving your customer the ability to manage software settings centrally, through a
console that they are already using to manage the Active Directory environment.
Many varieties of standard templates are included with each version of Windows.
The standard templates that are common to Windows 2000, Windows XP, and
Windows Server 2003 are:
o System.adm
o Inetres.adm
22/26
16/11/2014
o Conf.adm
o Wuau.adm
The standard templates that are used with Poledit are:
o Common.adm
o Winnt.adm
o Windows.adm
Some of the Office ADM templates include:
o Access10.adm
o Excel10.adm
o Outlk10.adm
o Word10.adm
Use the following tips to write your custom ADM templates:
Use the semicolon character (;) at the start of a line to indicate a comment.
To prevent Windows NT systems from accidentally loading your Windows 2000,
Windows Server 2003, or Windows XP ADM files, include a section beginning with #if
version <= 2 and ending with #endif that merely displays explanatory text advising the
administrator that this policy file requires Windows 2000 (or another operating system).
Version 2 signifies the Windows NT policy editor, version 3 signifies the Windows 2000
console, and version 4 signifies the Windows XP console.
The advantages of using the new ADMX file format are:
The file structure allows for language independence.
ADMX settings are stored separately from the GPO.
ADMX files are based upon an XML file structure that is a more widely adopted
standard and allows for extensibility.
The ADMX Migrator tool converts ADM templates to ADMX templates and also creates
23/26
16/11/2014
new ADMX templates.

The ADMX Central Store is where all the administrative consoles will automatically load
the available ADMX templates. You have to manually create the ADMX Central Store.
Knowledge Check
1.
What is the ADMX Central Store?
2.
Which tool is used to convert ADM templates to ADMX templates?

a.
ADMX Template Editor
b.
ADMX Migrator tool
c.
Policy Template Editor
d.
Group Policy Migrator tool
3.
What are the advantages of using the new ADMX file format?
4.
List the tips that you should use to write your custom ADM templates.
5.
Which ADM templates are included in Windows 2000, Windows XP, and Windows
Server 2003? (Choose all that apply.)
6.
a.
System.adm
b.
Conf.adm
c.
Inetres.adm
d.
Pub10.adm
What are the benefits of using ADM templates?
Knowledge Check Answer Key

The correct answers to the Knowledge Check questions are bolded.
24/26
16/11/2014
1.
What is the ADMX Central Store?

The ADMX Central Store is where all the administrative consoles will
automatically load the available ADMX templates.
2.
3.
Which tool is used to convert ADM templates to ADMX templates?

a.
ADMX Template Editor
b.
ADMX Migrator tool
c.
Policy Template Editor
d.
Group Policy Migrator tool
What are the advantages of using the new ADMX file format?
The file structure allows for language independence.
ADMX settings are stored separately from the GPO.
ADMX files are based upon an XML file structure that is a more widely adopted
standard and allows for extensibility.
4.
List the tips that you should use to write your custom ADM templates.
Use the semicolon character (;) at the start of a line to indicate a comment.
Include a section beginning with #if version <= 2 and ending with #endif that
merely displays explanatory text advising the administrator that this policy file
requires Windows 2000 (or another operating system).
5.
Which ADM templates are included in Windows 2000, Windows XP, and Windows
Server 2003? (Choose all that apply.)
a.
System.adm
b.
Conf.adm
c.
Inetres.adm
d.
Pub10.adm
25/26
16/11/2014
6.
What are the benefits of using ADM templates?

Application users: Individual application settings can be customized centrally.
Operating system users: Operating system settings can be configured or
restricted from a central location.
Software developers: The ADM file methodology gives you a structured,
predefined way of giving your customer the ability to manage software settings
centrally, through a console that they are already suing to manage the Active
Directory environment.
26/26

12 Creating and Deploying Administrative Templates

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

12 Creating and Deploying Administrative Templates

Загружено:

Авторское право:

Доступные форматы

16/11/2014