12 Creating and Deploying Administrative Templates

8/10/2019 12 Creating and Deploying Administrative Templates

1/26


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=13&FontSize 1/26

12 Creating and Deploying Administrative Templates

Section Topics

Introducing Administrative Templates

Legacy ADM Templates

Using the New ADMX Templates

Converting and Creating Custom ADMX Templates

Using the ADMX Central Store

Section Objectives

After completing this section, you will be able to:

Describe the benefits of using Administrative templates

List some of the ADM templates that are included in each version of Windows

List tips that you can use to write your own custom Administrative templates

Describe the advantages of using the new ADMX file format

Identify which tool converts ADM templates to ADMX templates and also creates new

ADMX templates

Define ADMX Central Store

Section Overview


2/26



One of the most important functions of Group Policy is to modify the registry, and registry-

ased policy is implemented via something called Administrative Templates. These

emplates are nothing more than specially formatted text files. This section explains the logic

ehind Administrative Templates, when to use them, and even the basics of how to write

hem. This section also explains how to deploy templates by loading legacy ADM templates

into the Group Policy Management Editor, and by copying ADMX templates to the Central

Store.

Introducing Administrative Templates

igure 289: Introducing ADM Templates

This topic describes Administrative Templatesand explains how they are structured.

dministrative Templates Nodes

igure 290: Administrative Templates Nodes


3/26



n both the Computer Configuration and User Configurationnodes of the Group Policy

console, there is a folder named Administrative Templates. The existence of this folder is

confusing because many of the settings that you find under theAdministrative Templates

odes deal with software settings and windows settings, and yet those two areas have their

own separate nodes in the policy console.

The explanation for this apparent contradiction might help you understand how the Group

olicy console is organized. In a nutshell:

The Administrative Templatesnode contains settings that can be implemented solely

through the registry and that are specified by files having the extension .adm.

Microsoft calls these settings registry-based policy.

The other nodes, Software Settingsand Windows Settings, contain settings that are likely

to involve files outside the registry (such as scripts, software packages, etc.) and these

settings are not specified by *.admfiles.

elpful Hint

Do not worry too much if you see settings in different console nodes that appear

o belong together thematically, but do not. The top levels of the Group Policy console are

organized according to whether settings are implemented via *.admfiles, not according toopic.

Benefits of Using Administrative Templates


4/26



igure 291: Benefits of Using Administrative Templates

The main reason for implementing such a big part of the Group Policy console via the

Administrative Templates section is extensibility. The Group Policy console is extensible

hrough the additon of custom ADM/ADMX files. If your organization buys a new application

rogram for deployment to your user community, assuming that the application developers

saw fit to create an ADM/ADMX file for you, you may be able to centrally manage features

of that application within the Group Policy console. This approach has benefits for:

Application users: For example, say Adventure Works deploys Microsoft Office 2000.

However, a number of users have laptops that still run Microsoft Office 97. To ensurecompatibility when users exchange documents, Acme installs the Microsoft Word 2000

ADM template into the Group Policy console. Now, it is possible to specify that Microsoft

Word 2000 users will automatically save their documents in Microsoft Word 97 format, by

default.

Operating system users: Of course, the extensibility feature is handy for the operating

system, too. When Windows Server 2003 was released, Microsoft did not have to redo

completely the existing Group Policy structure; instead, it created some new templates

(ADM files) that could feed the old Group Policy console information about the new

settings available in Windows Server 2003.

Software developers: If you are a software developer, the ADM file methodology gives

you a structured, predefined way of giving your customers the ability to manage software

settings centrally, through a console that they are already using to manage the Active

Directory environment.


5/26



Registry Structure Used by Administrative Templates

igure 292: Registry Structure Used by Administrative Templates

igure 292 lists the subjects that are described in this topic.

Computer vs. User

Administrative template files can apply to the computer-specific portion of the registry or to

he user-specific portion. Specifically:

ADM templates that apply to the Computer Configurationportion of the MMC console

affect the HKEY_LOCAL_MACHINEbranch of the registry.

ADM templates that apply to the User Configurationportion of the MMC console affect

the HKEY_CURRENT_USERbranch of the registry.

True Policies vs. Preferences

indows 2000 and later Group Policy settings are located in one of four registry locations:

HKLM\Software\Policies

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

HKCU\Software\Policies

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies


6/26



The first and third locations in this list are preferred, but policy settings in any of these four

locations are recognized as true policies.

The older Windows NT 4-style System Policy Editor, and the ADM templates that it used,

ould place policy settings in a wide variety of registry locations. This created problems with

security and with tattooing, or the undesired persistence of policy settings. Sometimes, you

ay find it necessary to tattoo the registry with a setting that does not correspond to any of

he above four locations.

Settings that exist somewhere other than the above four locations are recognized as

preferences rather than true policies because it is possible for the user to change them by

sing Regedit. On the other hand, if a user changes a true policy with Regedit, it will be

changed back to the original setting at the next policy refresh.

elpful Hint

Remember that you can cause preferences to display in the Group Policy console

sing the procedures described for Poledit templates.

Legacy ADM Templates


7/26



igure 293: Legacy ADM Templates

hen you first look at the Group Policy console, the Administrative Templates nodes under

oth the Computer Configurationand User Configurationnodes are already populated.

Some standard ADM templates are installed as part of the operating system load.

Typically, ADM files for local Group Policy reside in the %Systemroot%\Inf folder

(normally, c:\Winnt\Inf or c:\Windows\Inf), and ADM files for network-based Group Policy

eside in the Admfolder within the Group Policy template in the Sysvol share, that is,

%Systemroot%\Sysvol\Domain\Policies\GPO_GUID\Adm(see Figure 293).

The standard ADM templates vary according to the version of Windows you install. The

ollowing topics are here for reference purposes and describe the standard templates for

indows 2000, Windows XP, and Windows Server 2003. The last two topics describe the

oledit templates, and Office ADM Templates, respectively.

Legacy Templates in Windows 2000

n Windows 2000, the following standard templates are installed into the Group Policy console

y default:

System.adm: Large file (727 KB), many different settings

Inetres.adm: Windows Internet Explorer settings


8/26



n Windows 2000, the following standard templates are not installed into the Group Policy

console by default:

Common.adm: Settings common to Windows NT and Windows 95 or Windows 98;

Poledit style

Conf.adm: Microsoft NetMeeting settings

Inetcorp.adm: IEAK corporate settings

Inetset.adm: Settings for Windows Internet Explorer defaults that were not included in the

IEAK wizard

Windows.adm: Windows 95 policy settings; Poledit style

Winnt.adm: Windows NT policy settings; Poledit style

Wmp.adm: Windows Media Player policy settings

f you install Windows 2000 Service Pack 3, you will have the following ADM files:

Wmplayer.adm: Windows Media Player settings, versions 8 and 9

Wuau.adm: Service Pack 3: Windows Update Automatic Update

Legacy Templates in Windows XP

n Windows XP, the following standard templates are installed into the Group Policy console

y default:

System.adm: Core settings


Wmplayer.adm: Windows Media Player settings, versions 8 and 9

n Windows XP, the following standard template is not installed into the console by default:


9/26




f you install Windows XP Service Pack 1, you will have the following ADM file:

Wuau.adm: Service Pack 1; Windows Update Automatic Update

Helpful Hint

icrosoft recommends that all Active Directory administrators run Windows XP with thepdated ADM files. If you run Windows XP and administer a GPO that has an outdated

ADM file, your computer will automatically update the ADM files of the GPO as long as the

ew files reside in the server. Therefore, if you have Windows 2000 Server, you should

anually update the ADM files in the Windows 2000 Server Inffolder by copying them from

a Windows XP computer and then using the Add/Remove Templatecommand to remove

he old and add the new.

Legacy Templates in Windows Server 2003

n Windows Server 2003, the following standard templates are installed into the Group Policy

console by default:

System.adm: Large file (727 KB), many different settings



n Windows Server 2003, the following standard templates are available, but not installed into

he Group Policy console by default:

Common.adm: Settings common to Windows NT and Windows 95 or Windows 98,

Poledit style


10/26


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=13&FontSiz 10/26

Inetcorp.adm: IEAK corporate settings

Inetset.adm: Settings for Windows Internet Explorer defaults that were not included in the

IEAK wizard

Windows.adm: Windows 95 policy settings, Poledit style

Winnt.adm: Windows NT policy settings, Poledit style

Wmp.adm: Windows Media Player policy settings

Wuau.adm: Windows Update Automatic Update

Poledit Templates

The standard ADM files for use with Poledit, the System Policy Editor, in Windows NT 4

are:

Common.adm: Settings common to Windows NT and Windows 95 or Windows 98

Winnt.adm: Windows NT policy settings

The standard ADM file for use with System Policy Editor in Windows 95 is:

Windows.adm

icrosoft does not recommend using Windows NT 4, Windows 95, or Windows 98-style

ADM files with Windows 2000, Windows XP, or Windows Server 2003.

f you do use these older templates, or if you create your own custom ADM files that make

egistry settings that are different from the four approved registry keys for Group Policy, the

default MMC behavior is for them not to appear. You can force them to show up with the

rocedures described below.

Showing Custom ADM Templates in Windows 2000


11/26



To show your custom ADM templates in Windows 2000, follow these steps:

1. Select the Administrative Templatesnode that you wish to modify.

2. Right-click and select Viewto display the cascading menu.

3. Clear the Show Policies Onlycheck box.

Showing Custom ADM Templates in Windows XP

To show your custom ADM templates in Windows XP, follow these steps:

1. Select the Administrative Templatesnode that you wish to modify.

2. Right-click and select Viewto display the cascading menu.

3. Select Filtering.

. Clear the Only show policy settings that can be fully managedcheck box.

f you force Windows NT 4-style policies to appear in the console, they will appear in red

icons.

indows 2000 and later Group Policy settings will appear in blue.

You can force the Show Policies Onlyoption to always be enabled by configuring theollowing policy option: User Configuration,Policies,Administrative Templates,System,

Group Policy, and Enforce Show Policies Only

Office ADM Templates

icrosoft provides ADM files for all of its Microsoft Office products since Microsoft Office

97. If your organization uses one of these versions of Microsoft Office, you might discoverhat using the vendor-supplied ADM files can dramatically extend the usefulness of the Group

olicy console.


12/26



ith the Office templates you can control hundreds of different settings between the

Computer and User configuration sections.

These settings control the behavior of all Microsoft Office applications and settings that are

enerally available inside the applications themselves and many settings that are not usually

configurable.

Custom ADM Templates

igure 294: Custom ADM Templates

This topic explains how to create your own custom ADM templates for use with Group

olicy.

Creating Your Own ADM Templates


13/26



igure 295: Creating Your Own ADM Templates

ow that you know the major data types and sections used in creating custom ADM

emplates, you can write your own. All you need is your favorite text editor (Notepad works

ell).

The following topic describes some tips that you can use to write your own custom ADM

emplates. You will also see an example of a custom ADM template that contains a single

olicy entry.

rogramming Tips

ocument your custom ADM files. Use the semicolon character (;) at the start of a line to

indicate a comment. Other people are likely to read your files and edit them for their ownurposes. It is good programming practice to make that as convenient as possible.

revent Windows NT systems from accidentally loading your Windows 2000, Windows

Server 2003, or Windows XP ADM files by including a section beginning with #if version


14/26



A Simple Example

ere is an example of a custom ADM template that contains a single policy entry, the

SourcePathvalue in the registry that indicates where Windows 2000 was originally installed

rom. You might want to modify this value from time to time, as for example if the

distribution server that was used to install client operating systems is renamed. The reason is

hat Windows 2000 and Windows XP use the SourcePathvalue after installation. For

example:

You install a device driver that is not contained in driver.cab.

Windows File Protection needs to reinstall an operating system file that is in neither

dllcachenor driver.cab.

The registry value of interest here is:

KEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\Sourc

h (REG_SZ). Because the value is a string, you need to create an ADM file that lets the

administrator enter the path that contains the Windows source path (for example,

\Dist_Srv\Winxp).

ormally, you would not create an ADM file that contains only one entry. This is just an

example.

The first part of the ADM file will refer to the part of the console (and registry) that this

setting applies to, namely, the machine:

CLASS MACHINE

Say you want to add this entry to the Systemnode under Administrative Templates. So, the

category is a metastring referring to the literal string Acme System Settings, as follows:


15/26



CATEGORY !!Administrative

ow you have to give the policy itself a metastring name:

POLICY !!SetupSourcePath

ext, specify the registry key to modify, as follows:

KEYNAME "Software\Microsoft\Windows\currentVersion\Setup"

And then specify the value to edit:

PART !!SourcePathBox EDITTEXTVALUENAME "SourcePath"

END PART

ere the EDITTEXTindicates that the administrator is to edit a text box, rather than click a

check box, for example.

ncluding the following line provides explanatory text:

EXPLAIN !!SourcePathExplain

hen you add more details, you end up with the following:

; Filename: SOURCE.ADM

; Example of a simple custom ADM template


16/26



; Jane Doe, August 2003

CLASS MACHINE

CATEGORY !!Administrative

POLICY !!SetupSourcePath

KEYNAME "Software\Microsoft\Windows\

CurrentVersion\Setup"

PART !!SourcePathBox EDITTEXT

VALUENAME

"SourcePath"

END PART

EXPLAIN !!SourcePathExplain

END POLICY

END CATEGORY

[STRINGS]

; This section is typically alphabetized for

convenience.

Administrative="Acme System Settings"

SetupSourcePath="Change Setup Source Path"

SourcePathBox="Enter the path to the Windows distribution

share:"

SourcePathExplain= "Change this value if you rename the

distribution server on the

network that contains the \I386 folder.\n\nThis server

location must be available in certain

situations, such as when installing a new device driver

that is not contained inDRIVER.CAB, or when Windows File Protection attempts to

restore a file that is not

contained in DLLCACHE or DRIVER.CAB."

To view the new setting, you need to turn on the ability of the MMC to view preferences as

opposed to true policies.

oading Additional ADM Templates


17/26



igure 296: Loading Additional ADM Templates

The procedure for loading an additional ADM template into the Group Policy console is as

ollows:

1. Open the GPO you wish to edit.

2. Right-click the Administrative Templatesnode in the tree pane (either in Computer

Configurationor in User Configuration. The software vendor will typically advise as

to the correct procedure.)

3. Select Add/Remove Templates. A list of installed templates appears in Figure 296.

. Click Add.

5. Browse to the template you wish to add, highlight it, and click Open.

6. Click Closein the Add/Remove Templates dialog box.

emember that if you add a template that contains preferences rather than true policy settings,

ou will need to set the MMC to view those preferences, because the default behavior is to

ide them.

sing the Policy Template Editor


18/26



igure 297: Using the Policy Template Editor

f you find yourself doing a fair amount of work with custom ADM files, consider using a

roduct from www.tools4ever.comcalled Policy Template Editor. They have a demo version

available for download.

Using the New ADMX Templates

igure 298: Using the New ADMX Templates

icrosoft has changed the structure of the administrative template files in Windows Vista,

indows Server 2008 and later operating systems. These files are used to import settings for
http://www.tools4ever.com/


19/26



applications and new parts of the operating system into Group Policy. Formerly, the ADM

iles followed a format that was unique to Group Policy and was not based upon any

established standard.

dministrative Templatesare now based on an XML file format. The new GPO tools can

ead both the older ADM files and the newer ADMX files. All ADMX files can be stored

centrally in Sysvol.

DM vs. ADMX Format

igure 299: ADM vs. ADMX Format

The new ADMX file format has several significant advantages over the old ADM file

structure.

ADM Files

hen a new GPO is created from ADM templates, the entire ADM structure immediately

ecomes a part of the GPO file. This leads to GPO bloat because thousands of unconfigured

items in the GPO file may never be used. The resulting file can be several megabytes in size,

even if it has only one item configured.

The original ADM file structure also uses a proprietary format unique to the ADM file

structure.

As such, ADM files and architectures are not easy to customize.


20/26



ADMX Files

The new ADMX file structure allows for language independence. Language files can be

created independently of the actual ADMX file settings themselves.

ADMX settings are stored separately from the GPO. When an ADMX setting is configured,

only that item is copied into the GPO. This leads to much smaller GPO file sizes.

ADMX files are based upon an XML file structure that is a more widely adopted standard and

allows for extensibility.

Converting and Creating Custom ADMX Templates

igure 300: Converting and Creating Custom ADMX Templates

iles in the ADM format can be converted to ADMX with the ADMX Migrator tool from

ullArmor. The ADMX Migrator also comes with a simple template editor that you can use to

odify existing templates or to create new ones. You can download this tool from the

icrosoft Web site (www.microsoft.com)for free.

Using the ADMX Central Store
http://www.microsoft.com/


21/26



igure 301: Using the ADMX Central Store

y default, the ADMX templates are loaded from the local C:\Windows\PolicyDefinitions

older on the computer that the policies are being edited from. This is only true of Windows

istaand later systems. This can be problematic when one administrator imports a custom

ADMX on his or her own computer. Other administrators will not be able to view and edit

hose policy settings.

To solve this problem, you can copy the ADMX files to a central location from which all

administrative consoles will automatically load the available ADMX templates. This is known

as the ADMX Central Store.

You must manually create the Central Store. To create the Central Store, create the following

older on one of the domain controllers in the domain:

C:\windows\sysvol\sysvol\hq.local\policies\policydefinitions Then, copy all of the default

and custom ADMX files to the centralized policydefinitionsfolder.

igure 301 lists the features of the ADMX Central Store.

cronyms

The following acronyms are used in this section:

ADM template administrative template

ADMX Administrative templates XML-based

CSS Cascading Style Sheets


22/26



GPO Group Policy Object

GUI graphical user interface

GUID globally unique identifier

KCU HKEY CURRENT USER

KLM HKEY LOCAL MACHINE

TML Hypertext Markup Language

EAK Internet Explorer Administration Kit

B kilobytes

DB Microsoft database

MC Microsoft Management Console

BA Visual Basic for Applications

ML Extensible Markup Language

Section Review

Summary

The benefits of using ADM templates are:

Application users: Individual application settings can be customized centrally.

Operating system users: Operating system settings can be configured or restricted from

a central location.

Software developers: The ADM file methodology gives you a structured, predefinedway of giving your customer the ability to manage software settings centrally, through a

console that they are already using to manage the Active Directory environment.

Many varieties of standard templates are included with each version of Windows.

The standard templates that are common to Windows 2000, Windows XP, and

Windows Server 2003 are:

o System.adm

o Inetres.adm


23/26



o Conf.adm

o Wuau.adm

The standard templates that are used with Poledit are:

o Common.adm

o Winnt.adm

o Windows.adm

Some of the Office ADM templates include:

o Access10.adm

o Excel10.adm

o Outlk10.adm

o Word10.adm

Use the following tips to write your custom ADM templates:

Use the semicolon character (;) at the start of a line to indicate a comment.

To prevent Windows NT systems from accidentally loading your Windows 2000,

Windows Server 2003, or Windows XP ADM files, include a section beginning with #if

version


24/26



new ADMX templates.

The ADMX Central Store is where all the administrative consoles will automatically load

the available ADMX templates. You have to manually create the ADMX Central Store.

nowledge Check

1. What is the ADMX Central Store?

2. Which tool is used to convert ADM templates to ADMX templates?

a. ADMX Template Editor

b. ADMX Migrator tool

c. Policy Template Editor

d. Group Policy Migrator tool

3. What are the advantages of using the new ADMX file format?

. List the tips that you should use to write your custom ADM templates.

5. Which ADM templates are included in Windows 2000, Windows XP, and Windows

Server 2003? (Choose all that apply.)

a. System.adm

b. Conf.adm

c. Inetres.adm

d. Pub10.adm

6. What are the benefits of using ADM templates?

Knowledge Check Answer Key

The correct answers to the Knowledge Check questions are bolded.


25/26



1. What is the ADMX Central Store?

The ADMX Central Store is where all the administrative consoles will

automatically load the available ADMX templates.

2. Which tool is used to convert ADM templates to ADMX templates?

a. ADMX Template Editor

b. ADMX Migrator tool

c. Policy Template Editor

d. Group Policy Migrator tool

3. What are the advantages of using the new ADMX file format?

The file structure allows for language independence.

ADMX settings are stored separately from the GPO.

ADMX files are based upon an XML file structure that is a more widely adopted

standard and allows for extensibility.

. List the tips that you should use to write your custom ADM templates.

Use the semicolon character (;) at the start of a line to indicate a comment.

Include a section beginning with #if version


26/26


6. What are the benefits of using ADM templates?

Application users: Individual application settings can be customized centrally.

Operating system users: Operating system settings can be configured or

restricted from a central location.

Software developers: The ADM file methodology gives you a structured,

predefined way of giving your customer the ability to manage software settings

centrally, through a console that they are already suing to manage the Active

Directory environment.

12 Creating and Deploying Administrative Templates

Documents

Transcript of 12 Creating and Deploying Administrative Templates