Administrative templates are the core elements that make up a GPO. Most settings available within an administrative template are used to configure a corresponding Registry value for the computer or a user account, usually defined within the HKEY_LOCAL_MACHINE or the HKEY_CURRENT_USER Registry hive. Other settings are provided to run computer- and user-based scripts and, in some instances, to install or make software packages available to subsets of users or computers.
Administrative templates come in three basic types:
ADM files for Windows 2000 client and server, Windows XP, and Windows Server 2003
ADMX and ADML files for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2
Custom ADM, ADMX, and ADML files used to extend GPO functionality beyond what is already included in the Microsoft-provided templates
Administrative Templates for Windows 2000, Windows XP, and Windows Server 2003
Administrative templates for Windows 2000, Windows XP, and Windows Server 2003 have a file extension of .adm. The ADM file format is unlike any other file format and is not easy to interpret or create. ADM files include not only the policy settings and their possible values but also the friendly language used to represent the settings to the administrator viewing them with any of the GPO management tools.
For each GPO created by an administrator using the Windows XP or Windows Server 2003 GPO tools, a folder for that GPO is created in the connected domain controller’s sysvol folder. This unique GPO folder contains a common set of ADM files in the language used on the administrative client computer. As a result, in an Active Directory infrastructure with multiple GPOs that use the common administrative templates, each GPO folder holds its own copy of the same template files. Each folder is commonly 3MB to 5MB in size, and because the GPO folders are stored in the domain controller’s sysvol folder, this is commonly referred to as sysvol bloat.
When new policies were created using the Windows XP and Windows Server 2003 GPO tools, a copy of each of the ADM template files from the client workstation was pushed up to the sysvol folder on the domain controller. When an existing GPO was edited or opened for viewing, the copy of the templates in the GPO folder was compared with the version of the template files on the administrative workstation. If the administrative workstation had a newer version, the workstation template was copied up to the GPO folder and the existing template in the folder was overwritten. This default behavior caused several problems when Microsoft released updated templates with service pack releases of Windows XP and Windows Server 2003.
A common issue related to this feature, as an example, is that if an administrator working on a Windows XP SP2 administrative workstation opened an existing GPO that was created from a Windows XP SP1 workstation, the template files would be updated to the new version, causing replication of the updated templates across all domain controllers. Another implication is that the template files included the friendly language of the administrative workstation the GPO was created on, so administrators across the globe would be unable to manage the same GPO in their local operating system language. This, of course, caused several administration issues and, in some cases, regional Active Directory domains were created to allow regional administrators to manage their client workstations and users with GPOs written and managed in their local language. To support global administration, Active Directory infrastructures have become unnecessarily complicated and moved away from the original reason GPOs were created: to simplify management, standardize security, and centrally administer and configure companywide resources.
As a means of avoiding the administrative- and infrastructure-related issues associated with this GPO infrastructure, a common best practice for managing GPOs for XP or later operating systems is to manage GPOs only from workstations or servers that meet a single specification for operating system version, service pack level, and language. Another means of controlling this is to follow the common practice of configuring all GPOs not to automatically update GPO templates when a GPO is opened for editing. The setting that controls automatic updates of ADM files, shown in Figure 1, is located in the User Configuration\Policies\Administrative Templates\System\Group Policy\ section and is named Turn off automatic updates of ADM Files. As a best practice, many administrators enable this setting to improve GPO reliability and to keep GPO replication traffic at a minimum.
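The following PowerShell script is an added example (not from the original text or from Microsoft) that audits the two problems just described: it measures the per-GPO ADM copies in SYSVOL that cause sysvol bloat, and it checks whether the editing workstation has the Turn off automatic updates of ADM Files policy in effect by reading the DisableAutoADMUpdate value that policy writes under the Group Policy Editor key of the user hive. The domain name is a placeholder; the script assumes read access to SYSVOL.

```powershell
# Added example: audit SYSVOL for per-GPO ADM copies and check the local
# workstation for the "Turn off automatic updates of ADM Files" policy.
$Domain = 'corp.example'   # placeholder, replace with the domain FQDN
$PoliciesRoot = "\\$Domain\SYSVOL\$Domain\Policies"

# Each GPO is a folder named by its GUID; ADM copies live in <GUID>\Adm.
$report = @(Get-ChildItem -Path $PoliciesRoot -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $admDir = Join-Path $_.FullName 'Adm'
        $admFiles = @()
        if (Test-Path $admDir) {
            $admFiles = @(Get-ChildItem -Path $admDir -Filter '*.adm' -File -ErrorAction SilentlyContinue)
        }
        $bytes = 0
        foreach ($f in $admFiles) { $bytes += $f.Length }
        [pscustomobject]@{
            GpoGuid   = $_.Name
            AdmFiles  = $admFiles.Count
            AdmSizeMB = [math]::Round($bytes / 1MB, 2)
        }
    })

$report | Sort-Object AdmSizeMB -Descending | Format-Table -AutoSize
$totalMB = 0
foreach ($r in $report) { $totalMB += $r.AdmSizeMB }
"ADM copies across $($report.Count) GPOs: $totalMB MB, replicated to every domain controller"

# The policy writes DisableAutoADMUpdate = 1 (DWORD) in the user hive; when
# it is set, the editor no longer pushes newer local ADM files into a GPO.
$key = 'HKCU:\Software\Policies\Microsoft\Windows\Group Policy Editor'
$setting = Get-ItemProperty -Path $key -Name DisableAutoADMUpdate -ErrorAction SilentlyContinue
if ($setting -and $setting.DisableAutoADMUpdate -eq 1) {
    'Automatic ADM updates are turned off on this workstation.'
} else {
    'Automatic ADM updates are NOT turned off: opening an older GPO from here will overwrite its ADM copies.'
}
```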
Group Policy Administrative Templates for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2
Group Policy for Windows Vista and Windows Server 2008 has been completely revised and rebuilt from the previous versions, but it still supports Windows 2000 client and server, Windows XP, and Windows Server 2003. Windows 7 and Windows Server 2008 R2 build upon this new revision, adding new settings to support the features of the latest operating systems. The original ADM files have been replaced or split into two files: the ADMX settings file and the ADML language file.
The original single-file ADM administrative template format was replaced to overcome many of its original issues, including the unique ADM format itself as well as the embedding of the local language of the administrative workstation in each ADM file.
With the separation of the ADM file into a settings file and a local language file, the new templates enable the administration of a single GPO using different local languages.
In previous versions, when an administrator viewed or edited a GPO, the local template files from the administrative workstation were pushed up to the server GPO folder. With the new Windows Vista/Windows Server 2008 R2 GPO infrastructure, when the GPO is opened for viewing or editing, the template files located on the local hard drive are loaded to view the GPO. The GPO folder created with the Windows Vista or Windows Server 2008 R2 GPO tools contains only the files and folders that provide the specifics of the GPO, not the general template files as in previous versions. This improves GPO processing time and reduces the amount of data stored in the sysvol folder on each domain controller.
Custom Administrative Templates
Microsoft has provided, in previous versions as well as the current release, the ability for administrators and independent software vendors (ISVs) to create their own administrative templates. The current administrative templates released with Windows 7 and Windows Server 2008 R2 have all of the original ADM settings as well as many of the settings that administrators previously either had to create custom templates for or purchase ISV-created templates to support. But even though the new templates provide many more settings, there will still be custom Registry keys and values, specific application services, and other functions that organizations want to manage with GPOs. These settings will still need to be provided with custom templates or by ISV GPO products. For example, when Microsoft releases a new version of Internet Explorer, it provides a custom administrative template that Group Policy administrators can import to block domain computers from downloading, installing, or even presenting the new browser in Windows Updates.
Many ISVs now provide administrative templates for their own applications. Microsoft also provides administrative templates to further manage its own applications and suites; for example, Microsoft Office includes new templates that can be used with each new version of the Office suites.
Custom administrative templates can be created in both the ADM and ADMX/ADML file formats. To respect the amount of time and effort administrators and ISVs have put into creating custom templates and to support legacy applications, new GPOs will continue to support administrative templates created in the original ADM file format as well as the new ADMX/ADML formats.
Although Microsoft has provided the steps to create custom ADMX and ADML files, the current GPO management tools only allow adding custom ADM templates to specific GPOs. To leverage the settings in a new custom ADM file, the file must be added to each GPO that will use it. ADM files that are added to a GPO are made available beneath the respective Administrative Templates\Classic Administrative Templates (ADM) section of the Computer or User Configuration Policies node.
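As an added example of the settings/language split described above (this is not code from the original text or from Microsoft), the script below writes a minimal custom ADMX/ADML pair for a hypothetical application into the domain central store, where the Windows Vista and later GPO editors load templates from rather than from each GPO folder. The application name, its registry key under Software\Policies, the DisableTelemetry value and the domain name are all placeholders; it assumes write access to the SYSVOL PolicyDefinitions folder.

```powershell
# Added example: generate a custom ADMX (settings) and ADML (language) pair
# for a hypothetical application and place them in the central store.
$Domain = 'corp.example'   # placeholder, replace with the domain FQDN
$Store  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# Settings file, language-neutral: maps one policy to one DWORD value.
# $(string.X) references resolve against the matching ADML below.
$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="exampleapp" namespace="Example.Policies.ExampleApp" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ExampleApp" displayName="$(string.ExampleApp)" />
  </categories>
  <policies>
    <policy name="DisableTelemetry" class="Machine"
            displayName="$(string.DisableTelemetry)"
            explainText="$(string.DisableTelemetry_Help)"
            key="Software\Policies\ExampleApp" valueName="DisableTelemetry">
      <parentCategory ref="ExampleApp" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# Language file: display strings only, so each locale ships its own copy.
$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
  <displayName>ExampleApp policy strings</displayName>
  <description>Display text for the ExampleApp template</description>
  <resources>
    <stringTable>
      <string id="ExampleApp">Example Application</string>
      <string id="DisableTelemetry">Disable telemetry upload</string>
      <string id="DisableTelemetry_Help">Sets HKLM\Software\Policies\ExampleApp\DisableTelemetry to 1 when Enabled and 0 when Disabled.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

New-Item -Path "$Store\en-US" -ItemType Directory -Force | Out-Null
Set-Content -Path "$Store\ExampleApp.admx" -Value $admx -Encoding UTF8
Set-Content -Path "$Store\en-US\ExampleApp.adml" -Value $adml -Encoding UTF8
```

A French ADML with the same string ids under fr-FR would let a French administrator edit the same GPO in French, which is the problem the single-file ADM format could not solve.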