Administrative Template

Administrative Templates are a feature of Group Policy, a Microsoft technology for centralized management of machines and users in an Active Directory environment.

Administrative Templates facilitate the management of registry-based policy. An ADM file is a text file with a specific syntax that describes both the user interface presented to the Group Policy administrator and the registry keys and values that are updated on the target machines when the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).

Syntax

A simple ADM example follows:

 CLASS MACHINE
 CATEGORY "Wikipedia Apps"
     POLICY "Wikipedia"
         KEYNAME "Software\WikiSoft\Preferences"
         EXPLAIN "Configures WikiSoft Preferences"
         VALUENAME "SharingEnabled"
         VALUEON "Yes"
         VALUEOFF "No"
     END POLICY
 END CATEGORY

A valid ADM file must have the following keywords:

  • Class - either MACHINE or USER
  • Category - Defines organizational structure of ADM and where it will be displayed in the GPEdit window.
  • Policy - Groups definitions into one node and configuration screen of the GPEdit tree

Optional keywords used include:

  • Keyname - used to define what registry key will be affected

View Filtering must be turned off in order to see custom preference settings (such as this example) in the Group Policy Editor.
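When reviewing a custom ADM file before importing it, it helps to list exactly which registry values it writes and whether each one is a preference, like the example above. The following is an added example, not part of the original article: the names `audit` and `classify`, the second policy in the sample, and the list of managed policy subtrees (standard Group Policy behaviour, not stated on this page) are assumptions.

```python
import re

# Registry subtrees Group Policy treats as managed policy locations (background
# knowledge, not stated on the page); any other key holds a "preference".
POLICY_TREES = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# The page's example plus one constructed policy for contrast.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY "Wikipedia Apps"
    POLICY "Wikipedia"
        KEYNAME "Software\WikiSoft\Preferences"
        VALUENAME "SharingEnabled"
        VALUEON "Yes"
        VALUEOFF "No"
    END POLICY
    ; constructed, not from the page
    POLICY "Wikipedia (managed)"
        KEYNAME "Software\Policies\WikiSoft"
        VALUENAME "SharingEnabled"
    END POLICY
END CATEGORY
'''

def classify(key):
    """Return 'policy' if key lies under a managed tree, else 'preference'."""
    k = (key or "").lower().rstrip("\\") + "\\"
    return "policy" if k.startswith(POLICY_TREES) else "preference"

def audit(text):
    """Map 'HIVE\\key\\value' to its class for each POLICY (PART blocks ignored)."""
    out, hive, cat_key, cur = {}, "?", None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue
        toks = [q or w for q, w in TOKEN.findall(line)] + [""]
        kw, arg = toks[0].upper(), toks[1]
        if kw == "CLASS":
            hive = {"MACHINE": "HKLM", "USER": "HKCU"}.get(arg.upper(), "?")
        elif kw == "POLICY":
            cur = {"key": cat_key, "value": None}
        elif kw == "KEYNAME" and cur is None:
            cat_key = arg  # category-level key, inherited by later policies
        elif kw in ("KEYNAME", "VALUENAME") and cur is not None:
            cur["key" if kw == "KEYNAME" else "value"] = arg
        elif (kw, arg.upper()) == ("END", "POLICY") and cur is not None:
            out[f'{hive}\\{cur["key"]}\\{cur["value"]}'] = classify(cur["key"])
            cur = None
    return out
```

Values reported as `preference` stay in the registry after the GPO no longer applies, so they deserve a closer look during review.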

ADM files across different platforms

ADM files shipped with Microsoft operating systems include descriptions of policy settings not just for that platform but for all other platforms on which Group Policy is supported. For example, the Windows XP Service Pack 2 ADM files described policy settings not just for this platform but also for Windows 2000 and Windows Server 2003. This approach allows management of machines that are running an operating system other than the one on which GPEdit is used.

Managing ADM files

By default, ADM files are stored in each GPO, within Sysvol on domain controllers. This creates a simple and effective model for replicating ADM files across domain controllers (which is handled by the File Replication Service). However, in some instances this can cause operational issues. To this end, various policy settings are available to manage the manner in which ADM files are read and stored. These are described in Microsoft's KB article 816662.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.