Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Windows Server 2008 R2 : Group Policy Administrative Templates Explained

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
3/9/2011 11:04:17 AM
Administrative templates are the core elements that make up a GPO. Most settings available within an administrative template are used to configure a corresponding Registry value for the computer or a user account, usually defined within the HKEY_Local_Machine or the HKEY_Current_User Registry hive. Other settings are provided to run computer- and user-based scripts and, in some instances, install or make software packages available to subsets of users or computers.

Administrative templates come in three basic types:

  • ADM files for Windows 2000 client and server, Windows XP, and Windows Server 2003

  • ADMX and ADML files for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2

  • Custom ADM, ADMX, and ADML files used to extend GPO functionality beyond what is already included in the Microsoft provided templates

Administrative Templates for Windows 2000, Windows XP, and Windows Server 2003

Administrative templates for Windows 2000, Windows XP, and Windows Server 2003 have a file extension of .adm. ADM file formats are unlike any other file format and are not the easiest to interpret and create. ADM files include not only the policy settings and their possible values, but they also include the friendly language used to represent the settings to the administrator viewing the policy settings using any of the GPO management tools.

For each GPO created by an administrator using the Windows XP or Windows Server 2003 GPO tools, a folder for that GPO is created in the connected domain controller’s sysvol folder. This unique GPO folder contains a common set of ADM files in the language used on the administrative client computer. As a result of this, in an Active Directory infrastructure that has multiple GPOs that use the common administrative templates, each GPO has copies of the same template files within each GPO folder. Each folder is commonly 3MB to 5MB in size and this is commonly referred to as sysvol bloat because the GPO folders are stored in the domain controller’s sysvol folder.

When new policies were created using the Windows XP and Windows Server 2003 GPO tools, a copy of each of the of the ADM template files from the client workstation was pushed up to the sysvol folder on the domain controller. When an existing GPO was edited or opened for viewing, the copy of the templates in the GPO folder was compared with the version of the template files on the administrative workstation. If the administrative workstation had a newer version, the workstation template was copied up to the GPO folder and the existing template in the folder was overwritten. This default behavior caused several problems when Microsoft released updated templates with service pack releases of Windows XP and Windows Server 2003.

A common issue related to this feature, as an example, is that if an administrator working on a Windows XP SP2 administrative workstation opened an existing GPO that was created with a Windows XP SP1 workstation, the template files would be updated to the new version, causing a replication of the updated templates across all domain controllers. Another implication of the template file is that the template files included the friendly language of the administrative workstation the GPO was created on and administrators across the globe would be unable to manage the same GPO in their local operating system language. This, of course, caused several administration issues and, in some cases, regional Active Directory domains were created to allow regional administrators to manage their client workstations and users with GPOs written and managed in their local language. To support global administration, Active Directory infrastructures have become unnecessarily complicated and moved away from the original reason GPOs were created, to simplify the management, standardize security, and centrally administer and configure companywide resources.

As a means of avoiding the administrative- and infrastructure-related issues associated with this GPO infrastructure, a common best practice for managing GPOs for XP or later operating systems is to only manage GPOs from workstations or servers that meet a single specification for operating system version, service pack level, and language. Another means of controlling this is to follow a common practice of configuring all GPOs to not automatically update GPO templates when a GPO is opened for editing. Automatic updates of ADM files, shown in Figure 1, is located in the User Configuration\Policies\Administrative Templates\System\Group Policy\ section and is named Turn off automatic updates of ADM Files. As a best practice, many administrators enable this setting to improve GPO reliability and to keep GPO replication traffic at a minimum.

Figure 1. Examining automatic updates of ADM files.

Group Policy Administrative Templates for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2

Group Policy for Windows Vista and Windows Server 2008 have been completely revised and rebuilt from the previous versions, but they still support Windows 2000 client and server, Windows XP, and Windows Server 2003. Windows 7 and Windows Server 2008 R2 build upon this new revision, adding new settings to support the features of the latest operating systems. The original ADM files have been replaced or split into two files:

  • ADMX administrative template settings file

  • ADML administrative template language file

The original GPO single administrative template ADM file format was replaced to overcome many of the original issues with this file format, including the unique ADM format as well as the inclusive local language of the particular ADM files contained on the administrative workstation.

With the separation of the ADM file into a settings and local language file, the new templates enable the administration of a single GPO using different local languages.

In previous versions, when an administrator viewed or edited a GPO, the local template files from the administrative workstation were pushed up to the server GPO folder. With the new Windows Vista/Windows Server 2008 R2 GPO infrastructure, when the GPO is opened for viewing or editing, the template files located on the local hard drive are loaded to view the GPO. The GPO folder created with the Windows Vista or Windows Server 2008 R2 GPO tools contains only the files and folders that provide the specifics of the GPO and not the general template files, as with the previous versions. This improves the GPO processing time as well as reduces the amount of data stored in the sysvol folder on each domain controller.

Custom Administrative Templates

Microsoft has provided, in previous versions as well as the current release, the ability for administrators and independent software vendors (ISVs) to create their own administrative templates. The current administrative templates released with Windows 7 and Windows Server 2008 R2 have all of the original ADM settings as well as many of the settings that administrators either had to create custom templates to support or purchase ISV-created templates. But even though the new templates provide many more settings, there will still be custom Registry keys and values, specific application services, and other functions that organizations want to manage with GPOs. These settings will still need to be provided with custom templates or by ISV GPO products. For example, when Microsoft releases a new version of Internet Explorer, they provide a custom administrative template Group Policy administrators can import to block domain computers from downloading, installing, or even presenting the new browser in Windows Updates.

Many ISVs now provide administrative templates for their own applications. Microsoft also provides administrative templates to further manage their own applications and suites; for example, Microsoft Office includes new templates that can be used with each new version of the Office suites.

Custom administrative templates can be created in both the ADM and ADMX/ADML file formats. To support the amount of time and effort administrators and ISVs have put into creating custom templates and to support legacy applications, new GPOs will continue to support administrative templates created in the original ADM file format as well as the new ADMX/ADML formats.

Although Microsoft has provided the steps to create custom ADMX and ADML files, the current GPO management tools only allow adding custom ADM templates to specific GPOs. To leverage the settings in a new custom ADM file, the file must be added to each GPO that will use it. ADM files that are added to a GPO are made available beneath the respective Administrative Templates\Classic Administrative Templates (ADM) section of the computer or user configuration Policies node.

Other -----------------
- Windows Server 2003 : Deploying DNS Servers (part 4) - Viewing and Clearing the DNS Server Cache
- Windows Server 2003 : Deploying DNS Servers (part 3) - Creating Resource Records
- Windows Server 2003 : Deploying DNS Servers (part 2) - Understanding Server Types
- Windows Server 2003 : Deploying DNS Servers (part 1) - Installing the DNS Server Service & Configuring a DNS Server
- Windows Server 2008 R2 : Elements of Group Policy (part 5)
- Windows Server 2008 R2 : Elements of Group Policy (part 4) - GPO Filtering
- Windows Server 2008 R2 : Elements of Group Policy (part 3)
- Windows Server 2008 R2 : Elements of Group Policy (part 2)
- Windows Server 2008 R2 : Elements of Group Policy (part 1) - Group Policy Object Storage and Replication
- Windows Server 2008 R2 : Group Policies and Policy Management - Security Templates
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server