What are Administrative Templates in Group Policy Objects?
Starting in Windows 2000, and still present in Windows Server 2008 R2 today, Group Policy Objects (known also as GPO’s) provide hundreds of useful settings which can be used to automatically configure computers in your domain. The configuration options are separated into several different sections which make it easy to find the configuration option you want to set for your computers. Using GPOs, you can specify practically any setting available for your users or computers, often making them either a preferred method, or a mandated requirement. Once you know how to create a group policy, it is easy to create a policy which performs settings such as:
- Manage services, defining whether or not they must be started automatically or disabled completely.
- Remove the ability to save data, certain parts of the hard drive or desktop.
- Enforce corporate policies that prohibit users from using Internet Explorer to run or install software.
- Manage and lock down desktop environments, including setting items on the desktop and disallowing changes to desktop items and toolbars.
- Manage all aspects of security: encryption, auditing, event logs, and the rights that users have to change these settings.
- Control the remote user profile settings, for either redirecting certain folders in the profile or making the entire profile be a roaming profile.
- Set administrative and scheduled tasks, and set scripts to run at startup, logon, logoff, and shutdown on systems.
Of course, these are just a few of the thousands of possibilities. Practically any setting or configuration item can be established, maintained, or controlled through the effective use of Group Policy Objects.
All Group Policy Settings are Configured for Either the Computer or the User
As you can see in this screenshot, all of the settings for a Group Policy will either apply to a computer or to a user.
Some of the key differences in the sections will change how the policy is applied. For example, using a Group Policy to assign software through the Computer Configuration will apply the software to any COMPUTER which the policy is applied. However, software applied through the User Configuration is installed on every computer that the user assigned that group policy object logs onto.
Another key difference in the Computer Configuration and the User Configuration is when scripts run. A script applied to a Computer runs at either startup or shutdown. A script applied to a User runs at logon or logoff.
In both the Computer Configuration and the User Configuration there is a section titled “Administrative Templates” (selected in the screenshot above).
What is an Administrative Template in a Group Policy Object?
Administrative templates are a collection of settings for many registry based changes. The policies supply indirect access into the settings stored in the registry of either the computers hives (usually HKEY_Local_Machine) or the user account hive (HKEY_Current_User).
There are many built in administrative templates. Some of the templates only apply to certain versions of Windows, Internet Explorer, Media Player, NetMeeting, or other software. And while some of the administrative templates are for specific versions of those software products, most administrative templates apply to a certain version of software or later.
Administrative Templates provide direct configuration settings for many different products and services. Examples of what the administrative templates allow you to control are: Desktop, EventLog, Power, Printing, and Windows Remote Management. These are just a few recognizable templates.
The administrative templates are actually defined by text files with an .ADM or .ADMX extension. In Windows Server 2003, there were only 5 Admin Templates available for GPOs: Conf.adm, Inetres.adm, System.adm, Wmplayer.adm, and Wuau.adm. However, there is now a huge growth in the number of Administrative Templates available by default in Windows Server 2008 R2. This table highlights the explosion in available Group Policy Administrative Templates in the last few Operating System releases.
|OS Version||Number of Default Administrative Templates|
|Windows XP, Server 2003||5|
|Windows Vista, Server 2008||142|
|Windows 7, Server 2008R2||156|
You Are Not Limited to the Default Administrative Templates
Whether you’ve gotten a piece of software or hardware from another vendor, or you’re actually working on an older server, you can import newer ADMX files into your group policies.
If, for example, you are on a Windows Server 2008 domain, with all 2008 Domain Controllers – you will be missing some of the administrative templates for your GPOs that would be available to you if you were running 2008 R2. In that case, you are able to import group policy administrative templates so you can implement configurations from them.
Outside of using the built-in administrative templates from a more recent server version, there are also useful administrative templates that you can install for helping to work with other products entirely. Examples of this include Office 2010, SharePoint 2010, Exchange 2010, and Lync 2010. Even vendors outside of Microsoft have leveraged the technology to help improve the manageability of their hardware and software services. HP, for instance, provides options for customizing items like the printer notification from the system tray and installation of HP’s Universal Print Driver by installing their custom ADMX file.
As you can see, Administrative Templates for Group Policy Objects can make it very easy to manage large numbers of computers or users on your AD domain. The templates allow you to set up default settings for virtually anything on the machine from remote user settings to system tray icons. For more information on the process of importing new administrative templates into your GPO, you can read Adding New Administrative Templates to a GPO. Also, you can create your own ADMX files as described in the Microsoft article How to create custom .adm or .admx files to add search providers.