Administrative Templates


Administrative templates (.ADM files before Windows Vista; .ADMX files after Windows Vista) facilitate registry-based Group Policy. These settings appear under the Administrative Templates folder for both user configuration and computer configuration in the console tree of the Group Policy Object Editor and in HTML reports produced by GPMC.

.ADM and .ADMX files are not the actual settings deployed to client operating systems. Instead, they are template files used to populate the administrative interface (GPEdit). On Windows XP and Windows Server 2003, each registry setting specifies a "Supported on" tag that indicates which operating system versions support that policy setting. If a setting is specified and deployed to a client operating system that does not support that setting, the setting is ignored.

.ADM files are stored in two locations by default: inside GPOs (in Sysvol) and in the %windir%\inf folder on the local computer.

.ADMX files (XML-based settings files) and .ADML files (XML-based localized language strings) are also stored in two locations: in the Central Store, when one has been created on SYSVOL, and in the %windir%\PolicyDefinitions folder on the Windows Vista local computer.

Windows includes a predefined set of Administrative template files that define the registry settings that can be configured in a Group Policy object (GPO). The .ADM files can be added or removed from the Group Policy Object Editor by right-clicking Administrative Templates and clicking Add/Remove Templates. Adding or removing .ADM files does not affect which policies are processed by the Group Policy engine. It only affects whether a specific Administrative Template policy setting is displayed in the Group Policy Object Editor. For example, if you removed all the .ADM files from the GPO via the Add/Remove Templates dialog box, no Administrative Template policy settings would be displayed under the Administrative Templates node. This will not affect the policies already stored in the Registry.pol file.

More information about .ADMX files

Details on using Windows Vista .ADMX and .ADML files, creating and populating the Central Store on Windows 2000 or Windows 2003 Active Directory domains, and ADMX-ADM coexistence for Group Policy Object management can be found in the Windows Vista technical library:

In November 2006, Microsoft and FullArmor announced the availability of a free (web download) tool that can be used to convert ADM files into ADMX files. The details and download point for this tool, the ADMX Migrator, are available at this site:

Contents of .adm files

An .ADM file consists of a hierarchy of categories and subcategories that together define how the policy settings are to appear in the Group Policy Object Editor user interface (UI), and also contains information about which registry locations control the settings.

The following information is included in .ADM files:

  • Registry locations that correspond to each setting in the Administrative Templates section of the Group Policy Object Editor.
  • Options or restrictions in values that are associated with each setting. These are only restrictions for the user interface. There is no checking of value ranges during the actual policy processing.
  • Check box, editbox, and other methods of parameter input.
  • For many settings, a default value to display.
  • Explanations of what each setting does, and of the settings that affect and are affected by it, are included in Help text embedded in the .adm file. This information is displayed on an Explain tab in Group Policy Object Editor.
  • The versions of Windows that support each setting are indicated by use of the Supported keyword.
  • Registry location for the setting, hive name, key name, and value name. Type of registry key, whether DWORD, REG_SZ, or other type. Binary data is not supported.

True Policies vs Preferences

A "true policy" is a registry setting that lives either under \Software\Policies or \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies in the registry (in HKLM for machine policy settings and HKCU for user policy settings). All other registry values are called preferences.

True policy settings are fully managed by Group Policy and have the following advantages:

  • Secure. Other than through Group Policy, they can only be modified by a local administrator on the box. This is most relevant to user policy settings (since only a local admin can modify HKLM, which is where machine policy settings are stored).
  • Do not "tattoo". If a GPO containing a policy setting is applied to a machine or user, the relevant registry value is updated while the GPO remains linked. If an administrator subsequently unlinks the GPO, Group Policy ensures that the registry value is removed at the next refresh. By comparison, if a preference is used in a GPO, unlinking the GPO will not result in the registry value being removed – the administrator must explicitly undo the preference by specifying a value in a GPO.
  • Respect user preferences. Depending on the component, it is usually appropriate to have a separate value in the registry to represent the user preference. When the policy is removed this preference takes over. True policies are able to retain the preference because they use a separate value in \software\policies.
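
As an added example (not part of the original page and not a Microsoft tool), the following Python code walks the CLASS, CATEGORY, POLICY, PART, KEYNAME and VALUENAME keywords described under "Contents of .adm files" and marks each setting as a true policy or a preference, using the two registry roots given above. The template is constructed, the Contoso names are hypothetical, and other keywords (such as ACTIONLIST blocks) are deliberately ignored.

```python
import re

# Registry roots the page defines as true-policy locations (under HKLM or HKCU).
POLICY_ROOTS = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")
BLOCKS = {"CATEGORY", "POLICY", "PART"}  # blocks that may set their own KEYNAME

def is_true_policy(keyname):
    # Compare with a trailing separator so "Software\PoliciesX" does not match.
    return (keyname.strip("\\").lower() + "\\").startswith(POLICY_ROOTS)

def audit_adm(text):
    """Return (hive, key, value, policy, is_true_policy) for each VALUENAME."""
    found, cls, policy, scopes = [], "MACHINE", None, [""]
    for raw in text.splitlines():
        m = re.match(r"(?i)(END\s+)?(\w+)\s*(.*)", raw.strip())
        if not m:
            continue  # blank line, ';' comment or [section] header
        end, kw, arg = m.group(1), m.group(2).upper(), m.group(3).strip('" ')
        if end:
            if kw in BLOCKS and len(scopes) > 1:
                scopes.pop()  # leaving a block discards its KEYNAME
        elif kw == "CLASS":
            cls = arg.upper()
        elif kw in BLOCKS:
            scopes.append(scopes[-1])  # inherit KEYNAME from the enclosing block
            policy = arg if kw == "POLICY" else policy
        elif kw == "KEYNAME":
            scopes[-1] = arg
        elif kw == "VALUENAME":
            hive = "HKLM" if cls == "MACHINE" else "HKCU"
            found.append((hive, scopes[-1], arg, policy, is_true_policy(scopes[-1])))
    return found

# Constructed sample template (hypothetical vendor "Contoso"), not a real product's.
SAMPLE_ADM = r'''CLASS USER
CATEGORY !!ContosoApp
  KEYNAME "Software\Policies\Contoso\App"
  POLICY !!DisableUpdates
    VALUENAME "DisableUpdates"
  END POLICY
  POLICY !!Homepage
    KEYNAME "Software\Contoso\App\Settings"
    PART !!HomepageLabel EDITTEXT
      VALUENAME "Homepage"
    END PART
  END POLICY
END CATEGORY
'''
```

Rows whose last field is False are preferences: they will remain in the registry after the GPO is unlinked, and under HKCU they sit outside the keys that only a local administrator can modify.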

Managing ADM Files

Factors related to the management of ADM files are described in KB 816662. In addition, a script is available to support the "upgrade" of ADM files stored in GPOs (on a one-off basis or for all GPOs in the domain). This script is called UpdateADM.VBS.

 

Comments:

From rmavancini (mala.a@uol.com.br) [200.254.144.18] - 8/8/06 7:12 AM

great text!!!

From marklaw99 - 5/8/06 1:40 PM

need to add Windows Vista content/links to the Wiki. However, I cannot seem to edit the Administrative templates page due to some funky javascript issue which has been reported before.

From 137.91.114.239 - 12/1/05 10:02 AM

excellent opening page.  Providing a comparison of true policies and preferences is key.


Last Modified 11/15/06 11:46 AM
