    Understanding Administrative Templates in GPO

    Posted by Daniel Petri in Active Directory

    What are Administrative Templates in Group Policy Objects?

    In Windows 2000 and Windows Server 2003 Group Policy Objects (also known as GPOs) you will find hundreds of useful settings and configuration options, all divided into specific sections. With a GPO, you can create policies to centralize the management of user and computer settings. Among the various settings that can be applied via GPO, you can find the following options:

    • Manage desktop environments and lock them down to reduce support calls and TCO (Total Cost of Ownership)
    • Install, update, repair, and remove software
    • Manage security settings including account policies, auditing, EFS, and user rights
    • Control running state of services
    • Redirect My Documents folders
    • Configure Internet Explorer options and security settings
    • Automate administrative tasks using log-on, log-off, startup and shutdown scripts

    and many many more.

    These sections can be clearly seen in the following screenshot:

    Note that the GPO settings are divided between the Computer settings and the User settings. In both parts of the GPO you can clearly see a large section called Administrative Templates.

    Administrative Templates are a large repository of registry-based changes (in fact, over 1300 individual settings) that can be found in any GPO on Windows 2000, Windows XP, and Windows Server 2003.

    By using the Administrative Template sections of the GPO you can deploy modifications to machine (called HKEY_LOCAL_MACHINE in the registry) and user (called HKEY_CURRENT_USER in the registry) portions of the Registry of computers that are influenced by the GPO.

    The Administrative Templates are Unicode-formatted text files with the extension .ADM and are used to create the Administrative Templates portion of the user interface for the GPO Editor.

    Windows 2000/XP/2003 has some built-in default Administrative Templates:

    | Administrative Template Name | Can be found on these Operating Systems | Description |
    |---|---|---|
    | Conf.adm | Windows 2000/XP/2003 | Contains settings for configuring NetMeeting |
    | Inetres.adm | Windows 2000/XP/2003 | Contains settings for configuring Internet Explorer |
    | System.adm | Windows 2000/XP/2003 | Contains settings for configuring core OS functions and GUI settings |
    | Wmplayer.adm | Windows XP/2003 | Contains settings for configuring Windows Media Player |
    | Wuau.adm | Windows 2000 SP3 or higher/XP SP1 or higher/2003 | Contains settings for configuring Windows Update automatic updates |

    These .ADM files are located in the %SystemRoot%\inf folder, and are copied to the SYSVOL folder whenever you create a new GPO (unless you manually configure it not to do so; see the Links section for an explanation of how to do this).

    On top of these templates, Windows 2000/XP/2003 also has other .ADM files that can be used in several scenarios:

    | Administrative Template Name | Description |
    |---|---|
    | Common.adm | Contains settings that are in common with Windows 9x/NT (used with the NT-based System Policy Editor) |
    | Inetcorp.adm | Contains settings for configuring dial-up, language, and various Internet Explorer settings |
    | Inetset.adm | Contains additional policy settings for configuring Internet Explorer |
    | Windows.adm | Contains settings specific to Windows 9x (used with the NT-based System Policy Editor) |

    However, there may be times when an administrator will need to add more options to a new or existing GPO. Some examples of such additions are:

    • Settings to disable mobile storage devices (USB, MP3 players, cameras and so on)
    • Settings to control the functionality of specific Windows features
    • Settings to control behavior of specific Windows services or drivers
    • Settings that add or change registry keys
    • Changes to the Windows security model

    One method for an administrator to control such settings is the use of logon scripts and remote registry tweaks. This approach requires knowledge of scripting languages, but it is highly customizable and flexible, and it is not restricted by GPO limitations (i.e. not working on pre-W2K computers). However, we will not cover this method in this article.

    Another method for an administrator to add such extensions to the GPO is by adding new settings to the Administrative Templates sections. This can be done by adding .ADM files to the existing Administrative Templates section in GPO.

    In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the steps outlined in the Adding New Administrative Templates to a GPO article.
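
    What a custom template of this kind contains, and which registry values it would write, as an added example (not code from the article or from Microsoft). The sample .ADM is constructed: it covers the USB storage case from the list above plus a placeholder user setting, and the `ExampleCorp` key, the policy names and `parse_adm` are assumptions made for illustration. The parser maps each policy to its hive and key and flags whether the key sits under a Policies branch.

```python
import re

# Constructed sample template (not from the article); the USER-class key is a placeholder.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!Storage
  POLICY !!DisableUsbStor
    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
    VALUENAME "Start"
    VALUEON NUMERIC 4
    VALUEOFF NUMERIC 3
  END POLICY
END CATEGORY
CLASS USER
CATEGORY !!ExampleApp
  POLICY !!LockSettings
    KEYNAME "Software\Policies\ExampleCorp\ExampleApp"
    VALUENAME "LockSettings"
  END POLICY
END CATEGORY
[strings]
Storage="Removable storage"
DisableUsbStor="Disable the USB mass-storage driver"
ExampleApp="Example application"
LockSettings="Lock application settings"
'''

HIVE = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}
# Values under these keys are removed when the GPO stops applying; others persist.
POLICY_KEYS = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")

def parse_adm(text):
    """Return one row per VALUENAME: hive, key, value name, policy title, managed flag."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^(\w+)="(.*)"$', tail, re.M))
    hive = key = policy = None
    rows = []
    for line in body.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] + ["", ""]
        kw, arg = tok[0].upper(), tok[1]
        if kw == "CLASS":
            hive = HIVE[arg.upper()]
        elif kw == "POLICY":
            policy = strings.get(arg.lstrip("!"), arg)
        elif kw == "KEYNAME":
            key = arg    # last KEYNAME seen wins; category-level inheritance is simplified
        elif kw == "VALUENAME":
            rows.append({"hive": hive, "key": key, "value": arg, "policy": policy,
                         "managed": (key or "").lower().startswith(POLICY_KEYS)})
    return rows
```

    For the constructed template, `parse_adm(SAMPLE_ADM)` returns two rows: the USBSTOR `Start` value under HKEY_LOCAL_MACHINE, flagged as not managed because it lies outside the Policies branches, and the placeholder `LockSettings` value under HKEY_CURRENT_USER, flagged as managed.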

    A great example of new .ADM files that can and should be used on a network is the set of Administrative Templates extension files that is a part of the Office 2000/XP/2003 Resource Kit. When installing the Resource Kit for the respective Office version, new .ADM files are copied to the %SystemRoot%\inf folder of the machine on which the Resource Kit was installed. The moment you edit an Active Directory-based GPO on that machine (the machine can be either a Windows 2000/XP Pro machine, or a server-based machine) the used .ADM file(s) will be copied to the SYSVOL folder on the target DC (typically the PDC Emulator), and from there replicated throughout the domain.

    The following screenshot shows the new .ADM files while importing one of them to a GPO:

    Links

    Create Custom Administrative Templates in Windows 2000 – 323639

    Group Policy Template Behavior in Windows Server 2003 – 316977

    How to minimize SYSVOL size by removing administrative templates (.adm files) – 813338
