Starting in Windows 2000, and still present in Windows Server 2008 R2 today, Group Policy Objects (known also as GPO’s) provide hundreds of useful settings which can be used to automatically configure computers in your domain. The configuration options are separated into several different sections which make it easy to find the configuration option you want to set for your computers. Using GPOs, you can specify practically any setting available for your users or computers, often making them either a preferred method, or a mandated requirement. Once you know how to create a group policy, it is easy to create a policy which performs settings such as:
Of course, these are just a few of the thousands of possibilities. Practically any setting or configuration item can be established, maintained, or controlled through the effective use of Group Policy Objects.
As you can see in this screenshot, all of the settings for a Group Policy will either apply to a computer or to a user.
Some of the key differences in the sections will change how the policy is applied. For example, using a Group Policy to assign software through the Computer Configuration will apply the software to any COMPUTER which the policy is applied. However, software applied through the User Configuration is installed on every computer that the user assigned that group policy object logs onto.
Another key difference in the Computer Configuration and the User Configuration is when scripts run. A script applied to a Computer runs at either startup or shutdown. A script applied to a User runs at logon or logoff.
In both the Computer Configuration and the User Configuration there is a section titled “Administrative Templates” (selected in the screenshot above).
Administrative templates are a collection of settings for many registry based changes. The policies supply indirect access into the settings stored in the registry of either the computers hives (usually HKEY_Local_Machine) or the user account hive (HKEY_Current_User).
There are many built in administrative templates. Some of the templates only apply to certain versions of Windows, Internet Explorer, Media Player, NetMeeting, or other software. And while some of the administrative templates are for specific versions of those software products, most administrative templates apply to a certain version of software or later.
Administrative Templates provide direct configuration settings for many different products and services. Examples of what the administrative templates allow you to control are: Desktop, EventLog, Power, Printing, and Windows Remote Management. These are just a few recognizable templates.
The administrative templates are actually defined by text files with an .ADM or .ADMX extension. In Windows Server 2003, there were only 5 Admin Templates available for GPOs: Conf.adm, Inetres.adm, System.adm, Wmplayer.adm, and Wuau.adm. However, there is now a huge growth in the number of Administrative Templates available by default in Windows Server 2008 R2. This table highlights the explosion in available Group Policy Administrative Templates in the last few Operating System releases.
|OS Version||Number of Default Administrative Templates|
|Windows XP, Server 2003||5|
|Windows Vista, Server 2008||142|
|Windows 7, Server 2008R2||156|
Whether you’ve gotten a piece of software or hardware from another vendor, or you’re actually working on an older server, you can import newer ADMX files into your group policies.
If, for example, you are on a Windows Server 2008 domain, with all 2008 Domain Controllers – you will be missing some of the administrative templates for your GPOs that would be available to you if you were running 2008 R2. In that case, you are able to import group policy administrative templates so you can implement configurations from them.
Outside of using the built-in administrative templates from a more recent server version, there are also useful administrative templates that you can install for helping to work with other products entirely. Examples of this include Office 2010, SharePoint 2010, Exchange 2010, and Lync 2010. Even vendors outside of Microsoft have leveraged the technology to help improve the manageability of their hardware and software services. HP, for instance, provides options for customizing items like the printer notification from the system tray and installation of HP’s Universal Print Driver by installing their custom ADMX file.
As you can see, Administrative Templates for Group Policy Objects can make it very easy to manage large numbers of computers or users on your AD domain. The templates allow you to set up default settings for virtually anything on the machine from remote user settings to system tray icons. For more information on the process of importing new administrative templates into your GPO, you can read Adding New Administrative Templates to a GPO. Also, you can create your own ADMX files as described in the Microsoft article How to create custom .adm or .admx files to add search providers.