Understanding Administrative Templates in GPO
What are Administrative Templates in Group Policy Objects?
In Windows 2000 and Windows Server 2003 Group Policy Objects (also known as GPOs) you will find hundreds of useful settings and configuration options, all divided into specific sections. With GPOs, you can create policies to centralize the management of user and computer settings. Among the many things that can be accomplished via GPO, you can find the following options:
- Manage desktop environments and lock them down to reduce support calls and TCO (Total Cost of Ownership)
- Install, update, repair, and remove software
- Manage security settings including account policies, auditing, EFS, and user rights
- Control running state of services
- Redirect My Documents folders
- Configure Internet Explorer options and security settings
- Automate administrative tasks using log-on, log-off, startup and shutdown scripts
and many more.
These sections can be clearly seen in the following screenshot:
Note that the GPO settings are divided between the Computer settings and the User settings. In both parts of the GPO you can clearly see a large section called Administrative Templates.
Administrative Templates are a large repository of registry-based changes (in fact, over 1300 individual settings) that can be found in any GPO on Windows 2000, Windows XP, and Windows Server 2003.
By using the Administrative Template sections of the GPO you can deploy modifications to machine (called HKEY_LOCAL_MACHINE in the registry) and user (called HKEY_CURRENT_USER in the registry) portions of the Registry of computers that are influenced by the GPO.
The Administrative Templates are Unicode-formatted text files with the extension .ADM and are used to create the Administrative Templates portion of the user interface for the GPO Editor.
Windows 2000/XP/2003 has some built-in default Administrative Templates:
| Administrative Template Name | Can be found on these Operating Systems | Description |
|---|---|---|
| Conf.adm | Windows 2000/XP/2003 | Contains settings for configuring NetMeeting |
| Inetres.adm | Windows 2000/XP/2003 | Contains settings for configuring Internet Explorer |
| System.adm | Windows 2000/XP/2003 | Contains settings for configuring core OS functions and GUI settings |
| Wmplayer.adm | Windows XP/2003 | Contains settings for configuring Windows Media Player |
| Wuau.adm | Windows 2000 SP3 or higher/XP SP1 or higher/2003 | Contains settings for configuring Windows Update automatic updates |
These .ADM files are located in the %SystemRoot%\inf folder, and are copied to the SYSVOL folder whenever you create a new GPO (unless you manually configure it not to do so; see the Links section for an explanation of how to do this).
On top of these templates, Windows 2000/XP/2003 also has other .ADM files that can be used in several scenarios:
| Administrative Template Name | Description |
|---|---|
| Common.adm | Contains settings that are in common with Windows 9x/NT (used with the NT-based System Policy Editor) |
| Inetcorp.adm | Contains settings for configuring dial-up, language, and various Internet Explorer settings |
| Inetset.adm | Contains additional policy settings for configuring Internet Explorer |
| Windows.adm | Contains settings specific to Windows 9x (used with the NT-based System Policy Editor) |
However, there may be times when an administrator will need to add more options to a new or existing GPO. Some examples of such additions are:
- Settings to disable mobile storage devices (USB, MP3 players, cameras and so on)
- Settings to control the functionality of specific Windows features
- Settings to control behavior of specific Windows services or drivers
- Settings that add or change registry keys
- Changes to the Windows security model
One method for an administrator to control such settings is the use of logon scripts and remote registry tweaks. This process requires knowledge of scripting languages, but it is highly customizable and flexible, and it is not restricted by GPO limitations (i.e. not working on pre-W2K computers). However, we will not cover this method in this article.
Another method for an administrator to add such extensions to the GPO is by adding new settings to the Administrative Templates sections. This can be done by adding .ADM files to the existing Administrative Templates section in GPO.
In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the steps outlined in the Adding New Administrative Templates to a GPO article.
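Because an .ADM file is a plain-text description of which registry key and value each policy writes, a custom template can be reviewed before it is added to a GPO. The following Python code is an added example, not part of the original article: it parses a constructed sample template and lists the policies that write outside the registry's Policies keys. The names `parse_adm` and `outside_policy_keys` and the sample contents are assumptions made for illustration, and only the CLASS, CATEGORY, POLICY, KEYNAME and VALUENAME keywords are handled.

```python
import re

HIVE = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}
# Keys reserved for policy; values written elsewhere stay behind when the GPO stops applying.
POLICY_ROOTS = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY "Removable storage"
  POLICY !!DisableUsbStor
    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
    VALUENAME "Start"
    VALUEON NUMERIC 4
  END POLICY
END CATEGORY
CLASS USER
CATEGORY "Desktop"
  KEYNAME "Software\Policies\Example\Desktop"
  POLICY "Hide example item"
    VALUENAME "HideItem"
  END POLICY
END CATEGORY
[strings]
DisableUsbStor="Disable USB storage driver"
'''  # constructed sample template, not one of the built-in .ADM files

def parse_adm(text):
    """Return one dict per POLICY: display name, registry hive, key, value names."""
    parts = re.split(r'(?im)^\s*\[strings\]\s*$', text, maxsplit=1)
    strings = dict(re.findall(r'(?m)^\s*(\w+)\s*=\s*"(.*)"\s*$', "".join(parts[1:])))
    found, cls, pol, cat = [], None, None, {"key": None}
    for line in parts[0].splitlines():
        word, _, rest = line.strip().partition(" ")
        word, rest = word.upper(), rest.strip().strip('"')
        if word == "CLASS":
            cls = rest.upper()
        elif word == "POLICY":   # "!!name" refers to an entry in the [strings] section
            pol = {"name": strings.get(rest.lstrip("!"), rest), "hive": HIVE.get(cls),
                   "key": cat["key"], "values": []}
            found.append(pol)
        elif word == "KEYNAME":  # a category-level KEYNAME is inherited by its policies
            (pol or cat)["key"] = rest
        elif word == "VALUENAME" and pol:
            pol["values"].append(rest)
        elif word == "END" and rest.upper() == "POLICY":
            pol = None
        elif word == "END" and rest.upper() == "CATEGORY":
            cat["key"] = None
    return found

def outside_policy_keys(policies):
    return [p for p in policies if not (p["key"] or "").lower().startswith(POLICY_ROOTS)]
```

On the sample, the USB storage policy is reported because it writes under `SYSTEM\CurrentControlSet\Services`, while the desktop policy, which inherits its key from the category, is not.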
A great example of new .ADM files that can and should be used on a network is the set of Administrative Templates extension files that is part of the Office 2000/XP/2003 Resource Kit. When you install the Resource Kit for the respective Office version, new .ADM files are copied to the %SystemRoot%\inf folder of the machine on which the Resource Kit was installed. The moment you edit an Active Directory-based GPO on that machine (the machine can be either a Windows 2000/XP Pro machine, or a server-based machine), the .ADM file(s) in use will be copied to the SYSVOL folder on the target DC (typically the PDC Emulator), and from there replicated throughout the domain.
The following screenshot shows the new .ADM files while importing one of them to a GPO: