Understanding Administrative Templates in GPO

Posted on January 8, 2009 by Daniel Petri in Active Directory with 0 Comments

What are Administrative Template in Group Policy Objects?

In Windows 2000 and Windows Server 2003 Group Policy Objects (also known as GPO) you may find hundreds of useful settings and configuration options, all nicely divided in to specific sections. With GPO, you can create policies to centralize the management of user and computer settings. Amongst the various settings that can be accomplished via GPO, you can find the following options:

  • Manage desktop environments and lock them down to reduce support calls and TCO (Total Cost of Ownership)
  • Install, update, repair, and remove software
  • Manage security settings including account policies, auditing, EFS, and user rights
  • Control running state of services
  • Redirect My Documents folders
  • Configure Internet Explorer options and security settings
  • Automate administrative tasks using log-on, log-off, startup and shutdown scripts

and many many more.

These sections can be clearly seen in the following screenshot:

Note that the GPO settings is divided between the Computer settings and the User settings. In both parts of the GPO you can clearly see a large section called Administrative Templates.

Administrative Templates are a large repository of registry-based changes (in fact, over 1300 individual settings) that can be found in any GPO on Windows 2000, Windows XP, and Windows Server 2003.

By using the Administrative Template sections of the GPO you can deploy modifications to machine (called HKEY_LOCAL_MACHINE in the registry) and user (called HKEY_CURRENT_USER in the registry) portions of the Registry of computers that are influenced by the GPO.

The Administrative Templates are Unicode-formatted text files with the extension .ADM and are used to create the Administrative Templates portion of the user interface for the GPO Editor.

Windows 2000/XP/2003 has some built-in default Administrative Templates:

Administrative Template Name Can be found on these Operating Systems Description
Conf.adm Windows 2000/XP/2003 Contains settings for configuring NetMeeting
Inetres.adm Windows 2000/XP/2003 Contains settings for configuring Internet Explorer
System.adm Windows 2000/XP/2003 Contains settings for configuring core OS functions and GUI settings
Wmplayer.adm Windows XP/2003 Contains settings for configuring Windows Media Player
Wuau.adm Windows 2000 SP3 or higher/XP SP1 or higher/2003 Contains settings for configuring Windows Update automatic updates

These .ADM files are located in the %SystemRoot%\inf folder, and are copied to the SYSVOL folder whenever you create a new GPO (unless to manually configure it not to do so. See Links section on an explanation on how to do this).

On top of these templates, Windows 2000/XP/2003 also has other .ADM files that can be used in several scenarios:

Administrative Template Name Description
Common.adm Contains settings that are in common with Windows 9x/NT (used with the NT-based System Policy Editor)
Inetcorp.adm Contains settings for configuring dial-up, language, and various Internet Explorer settings
Inetset.adm Contains additional policy settings for configuring Internet Explorer
Windows.adm Contains settings specific to Windows 9x (used with the NT-based System Policy Editor)

However there may be times when an administrator will need to add more options to a new or existing GPO. Some examples of such additions are:

  • Settings to disable mobile storage devices (USB, MP3 players, cameras and so on)
  • Settings to control the functionality of specific Windows features
  • Settings to control behavior of specific Windows services or drivers
  • Settings that add or change registry keys
  • Changes to the Windows security model

One method for an administrator to control such settings is by use of logon scripts and remote registry tweaks. This process requires knowledge of scripting languages, but is highly customizable and flexible, and is not restricted to GPO limitations (i.e. not working on pre-W2K computers). However we will not cover this method in this article.

Sponsored

Sponsored
Another method for an administrator to add such extensions to the GPO is by adding new settings to the Administrative Templates sections. This can be done by adding .ADM files to the existing Administrative Templates section in GPO.

In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the steps outlined in the Adding New Administrative Templates to a GPO article.

A great example of new .ADM files that can and should be used on a network is the set of Administrative Templates extension files that is a part of the Office 2000/XP/2003 Resource Kit. When installing the Resource Kit for the respective Office version, new .ADM files are copied to the %SystemRoot%\inf folder of the machine on which the Resource Kit was installed. The moment you edit an Active Directory-based GPO on that machine (the machine can be either a Windows 2000/XP Pro machine, or a server-based machine) the used .ADM file(s) will be copied to the SYSVOL folder on the target DC (typically the PDC Emulator), and from there replicated throughout the domain.

The following screenshot shows the new .ADM files while importing one of them to a GPO:

Links

Create Custom Administrative Templates in Windows 2000 – 323639

Group Policy Template Behavior in Windows Server 2003 – 316977

How to minimize SYSVOL size by removing administrative templates (.adm files) – 813338

Sponsored