Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
Windows Vista

Managing Change through Group Policy (part 4) - Assigning PC-Related GPOs, Troubleshooting and monitoring Group Policy

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
7/18/2013 6:04:34 PM
9.1.4. Working with ADMX/ADML files

Despite the fact that Vista GPOs include up to 2450 settings, there is always one setting that you cannot find but want to control. This is done by using administrative templates. Administrative templates are structured text files which allow you to modify components in the system registry. These templates are imported into the GPO of your choice through GPEdit. In GPEdit, go to the settings you want to control: either computer or user, right-click on Administrative Templates in the Tree pane and select Add/Remove Templates. In the Add/Remove Templates dialog box, click the Add button. Navigate to the appropriate template, select it, and click Open. Close the Add/Remove Template dialog box when done.

Prior to Windows Vista, all GPO definition templates used an ADM file format — pure text files that were organized in a structured manner. With Vista, Microsoft introduces the ADMX format — a format based on the Extended Markup Language (XML), which provides much richer content for GPO templates. Note that ADMX templates no longer need to be imported into GPOs; they are automatically referenced when GPEdit is opened.

ADMX templates are now language independent, globalizing Group Policy settings. Each ADMX file is accompanied by one or more ADML files which include language-specific content. Global organizations will want to include an ADML file for each language their administrators work in. In addition, ADMX files can be centrally stored as opposed to the distributed approach used by ADM files — one on each domain controller in a particular AD domain. And, because of the increased number of policy settings in Vista, 132 ADMX files are included in the release version of Vista by default.

Because of the changes to Group Policy in Vista, the ADMX format is incompatible with the ADM format. Environments who manage a mix of Windows 2000 and/or XP with Vista need to either translate their existing templates to ADMX format or create new ones. Organizations that want to make sure critical settings are applied to all of their Windows clients need to put in place a strategy that supports the translation of ADM to ADMX and vice versa, but of course, only for the settings that apply to specific Windows versions. ADM and ADMX files can coexist together. End users and end machines will have no awareness as to whether the policy settings were configured from Vista or Windows 2000 or XP. However, it is a good idea to think about migrating your existing ADM files to ADMX format.

The location of administrative templates has also changed with Vista. In the earlier Windows versions, ADM files were located in the directory %WINDIR%\INF. Note that text-based ADM templates are still located in this folder. Now ADMX files are located in %WINDIR%\PolicyDefinitions and the corresponding ADML files are placed in %WINDIR\PolicyDefinitions\<LanguageFolder>.


Microsoft licensed an ADM to ADMX conversion tool from FullArmor Corporation. This free utility is available at www.fullarmor.com/ADMX-download-options.htm.

In previous versions of Windows, each time a new ADM template was created it would be copied from the local system to the SYSVOL share on a domain controller. It would then be copied to every DC in the domain. This method was cumbersome and could lead to errors. If a user had an outdated ADM template on their system, it could overwrite the proper one. It was difficult to have an authoritative store for ADM templates.

In Vista, ADMX template files are obtained by default from the PC they are generated from. If you have multiple technicians working on ADMX templates, then it is a good idea to create a central ADMX file store that will be referenced each time someone needs to edit a GPO no matter which machine they use. The central store is usually created by a server administrator because it involves changes in a domain controller, something PC technicians often don't have access to. Follow these steps to create the central store:

  1. Log on with domain administrative rights.

  2. Locate the PDC Emulator domain controller in your network. The easiest way to do this is to open the Active Directory Users and Computers console and right-click on the domain name to choose Operations Masters, click on the PDC tab to find the name of the DC. Then use Explorer to navigate to its SYSVOL shared folder. You use the PDC Emulator because it is the engine which drives GPO changes in the network.

  3. Navigate to the SYSVOL\domainname\Policies folder where domainname is the DNS name of your domain.

  4. Create a new folder called PolicyDefinitions.

  5. Copy the contents of the C:\Windows\PolicyDefinitions from any Windows Vista PC to the new folder created in Step 4.

  6. Include the appropriate ADML folders. For example, U.S. English systems would use the en-US folder.

  7. Launch the Group Policy Editor. From now on, it will automatically reference the new central store as will all editors on any Vista PC in your domain.

Make sure that you create this central store as soon as possible to help mitigate any potential versioning issues with your templates.

There is no Group Policy interface for loading ADMX files into a GPO. If you want to add new settings based on an ADMX file, create the ADMX file and copy it to your central store. It will appear in the Group Policy Object as soon as you reopen GPEdit. 

5. Assigning PC-Related GPOs

To create your own GPOs, you need to think through each one of the changes you want to apply to your systems. There are lots of different settings you can apply, but the most common are listed in Table 4. Remember that if you are using Windows Server 2008 domain controllers, you must use Policy in the path after either Computer Configuration or User Configuration.

Table 4. Recommended Computer Configuration Group Policy Object Settings
Software SettingsUse this setting to deploy software in your organization. Deploy software to PCs (Computer Configuration section) instead of users. This automatically makes the software available to all users on a PC and makes it easier to manage. Multiple packages can be deployed in the same GPO.
Windows SettingsThis section lets you control scripts, deploy printers, security settings, and Quality of Service (QoS) communications. Scripts are normally applied to users (User Configuration section). Printers are deployed to groups of users or groups of computers. Security settings are most often assigned in the Default Domain Policy so that they apply to all systems and user accounts. 
Administrative TemplatesAdministrative templates let you control most of the settings in a GPO. You can set regional and language options, control user account behavior, control network and printer behavior, and work with both system and Windows components.
Administrative Templates => Network => Offline FilesOffline files allow users to work on local copies of files that are normally stored on a server. Configure these settings to control the synchronization behavior between PCs and servers.
Administrative Templates => Network => Windows Connect NowThis section is useful for mobile workers because it controls the behavior of their system when a wireless connection is available.
Administrative Templates => PrintersControls how Vista PCs interact with printers.
Administrative Templates => SystemControls items such as logon or logoff messages, as well as the locations of service pack and Windows Installer installation files.
Administrative Templates => System => Device InstallationControls whether or not users can plug in USB storage devices. This is quite useful when you do not want users to walk away with confidential data. 
Administrative Templates => System => Driver InstallationControls whether non-administrators can install specified device drivers or not. This is useful for mobile workers who need to add devices while on the road.
Administrative Templates => System => Folder RedirectionControls the location (local versus remote) of user data folders such as Documents, Pictures, Videos, and more. Helps protect user data by moving it to centralized storage areas. 
Administrative Templates => System => Group PolicyControls the general behavior of Group Policy.
Administrative Templates => System => Internet CommunicationControls any Vista activity that requires either use of the HTTP protocol or an Internet connection to function.
Administrative Templates, System, Locale ServicesAllows you to automatically switch the PC's language to match a user's when they log in to Vista.
Administrative Templates => System => Logon or Net LogonControl the local or network logon behavior of the system.
Administrative Templates => System => Power ManagementHelps reduce the power consumption of PCs in your organization by putting them on stand-by when not in use.
Administrative Templates => System => Remote AssistanceControls the behavior of the Remote Assistance tool built into Vista. 
Administrative Templates => System => Removable Storage AccessControls whether or not users can rely on removable storage to access data. Use in environments that need to protect sensitive data. 
Administrative Templates => System => ScriptsControls general script behavior such as timeouts and display settings.
Administrative Templates => System => Trusted Platform Module ServicesControls the Trusted Platform Module (TPM) that can be used in conjunction with BitLocker Full drive Encryption. Used in environments that are sensitive to laptop theft. 
Administrative Templates => System => User ProfilesControls how user profiles are managed in Vista. Should be reviewed to set all defaults for your organization.
Administrative Templates => Windows ComponentsIncludes controls for over 50 Vista components from Movie Maker — something you probably don't need in your network — to the Task Scheduler and the Event Viewer. You should take the time to review each of the settings in this section and assign those you think are best for your organization.


Most settings have default configurations even if they are listed as Not configured. Make sure you read the details of the Explanation before you change behavior that might already be set by default.

As you can see, GPOs can be quite granular and can control almost any aspect of a PC's behavior. Take the time to review all of these settings and then determine which ones should be set to meet your organization's security and system usage policies.

6. Troubleshooting and monitoring Group Policy

GPO issues arise most often when too many technicians have access to the ability to create GPOs and they proliferate GPOs at all levels of the directory. It gets even worse when these technicians do not document the GPOs they create. The first step you should take to reduce GPO issues is to limit who has control of GPOs and make sure they always document their changes.


For organizations that want tighter control over their policies, Microsoft offers Advanced Group Policy Management (AGPM), a tool that is designed to provide change management on all GPOs. The AGPM is available through the Microsoft Desktop Optimization Pack for Software Assurance.

If you do run into issues anyway, you can rely on two tools to resolve them. Both are found in the GPMC. RSoP allows you to identify the resultant settings on an object that might have several GPOs applied to it. Modeling lets you perform "what if" scenarios to see how changes might affect objects.

Troubleshooting GPOS

If a computer or user account is behaving oddly, then perform an RSoP test on the object. Use the following procedure to do so:

  1. Go to Start Menu, Search and then type GMPC.MSC and press Enter. Accept the UAC prompt.

  2. After the GPMC is launched, expand the Forest to view all subitems in the Tree pane.

  3. Right-click on Group Policy Results and select Group Policy Results Wizard. Click Next.

  4. Select which computer you want to test the policy on. If you are troubleshooting a policy for a user, select the user's main computer. Click Another computer and click Browse. Type the computer name and click Check Names. Click OK.

  5. If you are testing for a user account only, select the Do not display policy settings for the selected computer in the results. Otherwise, click Next.

  6. Identify the user account for which you want to test settings. Click Next.

  7. If you only want computer settings, then select Do not display user policy settings in the results, otherwise, click Next.

  8. Review your selections. Click Back to change settings. Click Next when ready.

  9. Click Finish once the results are generated.

  10. Name the Report and review its contents. Repair any untoward setting assignment.

Reports include several items as shown in Figure 13. The Details pane includes three tabs. The first, Summary, provides a summary of all settings. The second, Settings, provides a list of the actual settings that are applied to the object. The third, Policy Events, lists all of the events that have occurred on the system in relation to Group Policy application. Each provides valuable information in the troubleshooting of GPO application.

Figure 13. Troubleshooting resultant set of policies


Be very careful when moving objects in the directory. Objects are located in specific containers because they are managed from that particular container. When you move an object, it will automatically change its management scope and will now receive the GPO settings that are applied to the new location. If a user or computer system is facing GPO issues, begin by identifying if the object was recently moved in the directory.

Performing what-if scenarios

What-if scenarios are also quite useful when troubleshooting GPOs. They let you identify what would happen if an object were moved or if a new GPO setting were applied. They are similar to RSoP but instead of detailing the actual results, they detail potential results.

Follow these steps to perform a what-if scenario:

  1. Choose Start Menu, => Search, type GMPC.MSC, and press Enter. Accept the UAC prompt.

  2. After the GPMC is launched, expand the Forest to view all subitems in the Tree pane.

  3. Right-click on Group Policy Modeling and select Group Policy Modeling Wizard. Click Next.

  4. Select the domain controller to perform the modeling and click Next. Note that you should not perform this first thing in the morning as users log on to the network because it affects the domain controller's performance.

  5. Select either the container or the object. To simulate for users in a container, select the OU by using the Browse button. Do the same for computers in a container. For individual simulations, select the actual object, computer, or user. Click Next.

  6. Identify that you want to test for Slow network connections or Loopback processing. Also identify the Site if you need to. Click Next when done.

  7. Select the security user group used to filter the policy. In most cases, this is the Authenticated Users group. Click Next when ready. Repeat for the security computer group.

  8. Select the applicable WMI filter for users if required. Click Next when ready. Repeat for computer WMI filters.

  9. Review your selections. Click Back to change settings. Click Next when ready. Click Finish once the results are generated.

  10. Name the Report and review its contents.

Note that the resulting report is very similar to the RSoP report. One significant difference is the last tab in the Details pane. It includes the contents of the query you generated instead of the events related to GPO processing. Use these two tools to troubleshoot and repair policy settings in your network.

Other -----------------
- Securing the Workstation : Applying the Castle Defense System (part 7) - Working with external access - Working with Public Key Infrastructures, Working with Virtual Private Network connections
- Securing the Workstation : Applying the Castle Defense System (part 6) - Working with external access - Working with the Windows Firewall with Advanced Security
- Securing the Workstation : Applying the Castle Defense System (part 5) - Managing information access
- Securing the Workstation : Applying the Castle Defense System (part 4) - Hardening the system - USB Device Control, Windows Defender
- Securing the Workstation : Applying the Castle Defense System (part 3) - Hardening the system - User Account Control
- Securing the Workstation : Applying the Castle Defense System (part 2) - Hardening the system - Local Security Policy and security configurations
- Securing the Workstation : Applying the Castle Defense System (part 1) - Protecting information, Working with protection
- Participating in Internet Newsgroups : Setting News Options - Options for Newsgroups and Messages, Options for Individual Newsgroups
- Participating in Internet Newsgroups : Filtering Newsgroup Messages, Rating Posts
- Participating in Internet Newsgroups : Notes on Working with Newsgroup Messages, Following Up a Message, Posting a New Message
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Windows Vista
Windows 7
Windows Azure
Windows Server