Managing Group Policy ADMX Files Step-by-Step Guide

Microsoft Windows Vista® and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools—Group Policy Object Editor and Group Policy Management Console—remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.

Some situations require an understanding of how ADMX files are structured and the location where they are stored. This guide introduces you to ADMX files, showing you how ADMX files are incorporated when editing Administrative Template policy settings in a local or domain-based Group Policy object (GPO). ADMX files provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy tools. The Group Policy tools will recognize ADMX files only if you are using a Windows Vista–based or Windows Server 2008–based computer.

Unlike ADM files, ADMX files are not stored in individual GPOs. For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone with permission to create or edit GPOs. Group Policy tools will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that has been superseded by ADMX files: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. Therefore, if you have edited any of these files to modify existing policy settings or create new ones, the modified or new settings will not be read or displayed by the Windows Vista–based Group Policy tools.

The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from ADMX files that are stored either locally or in the optional ADMX central store. The Group Policy Object Editor will also automatically read and display Administrative Template policy settings from custom ADM files stored in the GPO. You can still add or remove custom ADM files with the Add/Remove template menu option. All Group Policy settings currently in ADM files delivered with Windows Server 2003, Windows XP, and Windows 2000 will also be available in Windows Vista and Windows Server 2008 ADMX files.

This guide covers two different scenarios to highlight the potential differences in the ADMX storage location and the Group Policy tools needed when working with local and domain-based GPOs.

Some Important Factors About the Implications of ADMX Files in Your Environment

  • New Windows Vista–based or Windows Server 2008–based policy settings can be managed only from Windows Vista–based or Windows Server 2008–based administrative machines running Group Policy Object Editor or Group Policy Management Console. Such policy settings are defined only in ADMX files and, as such, are not exposed on the Windows Server 2003, Windows® XP, or Windows 2000 versions of these tools. An administrator will need to use the Group Policy Object Editor from a Windows Vista–based or Windows Server 2008–based administrative machine to configure new Windows Vista–based Group Policy settings.
  • In Group Policy for versions of Windows earlier than Windows Vista, if you modify Administrative template policy settings on local computers, the Sysvol share on a domain controller within the domain is automatically updated with the new ADM files. In Group Policy for Windows Server 2008 and Windows Vista, if you modify Administrative template policy settings on local computers, Sysvol will not be automatically updated with the new ADMX or ADML files (ADML files are XML-based ADM files that contain language-specific settings). This change in behavior is implemented to reduce network load and disk storage requirements, and to prevent conflicts from occurring between ADMX files and ADML files when edits to Administrative template policy settings are made across different locales. To ensure that any local updates are reflected in Sysvol as well, you must manually copy the updated ADMX or ADML files from the PolicyDefinitions folder on the local computer to the Sysvol\PolicyDefinitions folder on the appropriate domain controller.
    Note
    Updates to Sysvol are replicated to all domain controllers in the domain, which results in increased network traffic and load placed on the domain controllers. Therefore, to minimize the impact of this operation in your domain, we recommend that you schedule the copying of Administrative templates to Sysvol outside core business hours.
    To download the Administrative template files for Windows Server 2008, see Administrative Templates (ADMX) for Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=116434).
  • Group Policy Object Editor on Windows Server 2003, Windows XP, or Windows 2000 machines will not display new Windows Vista Administrative Template policy settings that may be enabled or disabled within a GPO.
  • The reporting function of GPMC on Windows Server 2003 and Microsoft Windows XP will display new Windows Vista Administrative Template policy settings as extra registry settings.
  • The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor and Group Policy Management Console can be used to manage all operating systems that support Group Policy (Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000).
  • Administrative Template policy settings that currently exist in ADM files from Windows Server 2003, Windows XP, and Windows 2000 can be configured from all operating systems that support Group Policy (Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000).
  • The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor and Group Policy Management Console support interoperability with versions of these tools on Windows Server 2003 and Windows XP. For example, custom ADM files stored in GPOs will be consumed by Group Policy Object Editor and GPMC on Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP.
  • The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor support interoperability with versions of Group Policy Object Editor on Windows Server 2000. For example, custom ADM files stored in GPOs will be consumed by Group Policy Object Editor on Windows Vista, Windows Server 2008, and Windows 2000. (GPMC does not run on Windows 2000.)
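
Because Sysvol is no longer updated automatically, the local PolicyDefinitions folder and the central store can drift apart. The following PowerShell script is an added example, not part of the original guide: it is a read-only check that lists templates missing from or different in the central store, plus ADMX files that have no ADML file for the chosen language. The example.com UNC path is a placeholder, and the en-US language folder and the %SystemRoot%\PolicyDefinitions default are assumptions to adjust.

```powershell
# Added example: read-only comparison of local ADMX/ADML templates with the central store.
# Requires PowerShell 4.0 or later (Get-FileHash). Nothing is copied or modified.
param(
    [string]$LocalStore   = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
    # Placeholder path: replace example.com with your domain's DNS name.
    [string]$CentralStore = '\\example.com\SYSVOL\example.com\Policies\PolicyDefinitions',
    [string]$Locale       = 'en-US'   # language folder that holds the ADML files
)

function Get-TemplateIndex {
    param([string]$Root, [string]$Locale)
    # Map "name.admx" and "<locale>\name.adml" to the SHA-256 hash of each file.
    $index = @{}
    foreach ($f in (Get-ChildItem -LiteralPath $Root -Filter '*.admx' -File -ErrorAction Stop)) {
        $index[$f.Name] = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
    $langDir = Join-Path $Root $Locale
    if (Test-Path -LiteralPath $langDir) {
        foreach ($f in (Get-ChildItem -LiteralPath $langDir -Filter '*.adml' -File)) {
            $index["$Locale\$($f.Name)"] = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    return $index
}

if (-not (Test-Path -LiteralPath $CentralStore)) {
    Write-Warning "No central store at $CentralStore; the editor reads $LocalStore instead."
    return
}
$localIdx   = Get-TemplateIndex -Root $LocalStore   -Locale $Locale
$centralIdx = Get-TemplateIndex -Root $CentralStore -Locale $Locale

# Classify every template seen on either side.
$report = foreach ($name in (@($localIdx.Keys) + @($centralIdx.Keys) | Sort-Object -Unique)) {
    if     (-not $centralIdx.ContainsKey($name))     { $status = 'MissingFromCentralStore' }
    elseif (-not $localIdx.ContainsKey($name))       { $status = 'OnlyInCentralStore' }
    elseif ($localIdx[$name] -ne $centralIdx[$name]) { $status = 'ContentDiffers' }
    else                                             { $status = 'Match' }
    [pscustomobject]@{ File = $name; Status = $status }
}

# ADMX files in the central store that have no ADML resource file for $Locale.
$noAdml = @($centralIdx.Keys) | Where-Object {
    $_ -like '*.admx' -and
    -not $centralIdx.ContainsKey("$Locale\$([IO.Path]::GetFileNameWithoutExtension($_)).adml")
}

$report | Where-Object { $_.Status -ne 'Match' } | Sort-Object Status, File | Format-Table -AutoSize
if ($noAdml) { Write-Warning "No $Locale ADML for: $($noAdml -join ', ')" }
```

Run it from an administrative workstation that can read Sysvol. Files reported as MissingFromCentralStore are the ones that still have to be copied by hand.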


Community Content

QuocPhu123
Office ADMX files.
One thing I ran across when trying to use admx files was a lack of information on the requirements for the central store.

The main thing I wanted to accomplish was managing Office 2007 with group policy. After following instructions for creating the PolicyDefinitions folder, and copying all of my admx/adml files into the folder, I had lost all of the default policy settings under Administrative Templates like Control Panel and System.

If you create the central store, you have to copy Server 2008 administrative template files into the folder. You cannot simply copy the Office 2007/2010 admin templates, or the only thing that will be listed under Administrative Templates is your office settings. Once the central store is created, GPME will only display settings from that store.

You can get the Server 2008 R2 and Windows 7 Administrative Templates from the following location:

http://www.microsoft.com/downloads/en/details.aspx?familyid=16F69FFE-D51B-4E02-9D02-3E57F3CCD490&displaylang=en

By default this installs adml files for 54 additional languages you may want to remove to reduce replication traffic. These language files are close to 145MB.

Once you've copied both sets of Administrative templates into the central store, you will be able to manage both Windows and Office.

Daniel Bomgardner
Windows 7 Security and Standardization
@westbgk - I've had success using the following resource to create a standardized image of Windows 7
http://theitbros.com/sysprep-a-windows-7-machine-%E2%80%93-start-to-finish

They outline basic introductions on how to use the Windows Automated Installation Kit as well as a custom Win PE Bootloader.

As far as locking down the local policies of a Windows 7 machine your company should provide policies that state what settings should be configured to achieve compliance. Our company uses settings that comply with the DISA STIGs found at http://iase.disa.af.mil

Stretch606
RE: Pushing Admin Template from SBS2003 to Win7 client machines
As far as I know, you can't use Group Policy to push DNS settings; Group Policy needs DNS to be working first.
Use the SBS2003 box as a DHCP server and set the DNS settings in the Server Options.

KrzysztofS
Pushing Admin Template from SBS2003 to Win7 client machines
Good Afternoon all
I hope someone has come across a similar issue.
One of my cust. just recently got a brand new laptop with Win7 (Corporate).
They have SBS2003 SP2 on the server (single server environment)
Win 7 joined to the domain OK.
Except, when I try to push any settings via GPO from the server, those settings are not being applied to that Win 7 machine.
I have checked different forums and articles but there are a number of different approaches and some of them seem to contradict.
All suggestions welcome.
Regards
Kris
>>>>>>>>>>>>>>>>>
UPDATE
>>>>>>>>>>>>>>>>>
I am particularly looking for pushing DNS setting (address and suffix) from the server via GPO.
Those policies are not included in the OFFICE 2010 Admin Templates.

Esther Fan
The caveman said it best... "what???"
I graduated with top honors in computer networking; these previous posts that knock this site and the difficulty on not getting straight answers are ever so kind. To search through this site and actually understand this complex trash and not getting a simple answer to a simple question is just beyond comprehension. We need simple answers to simple questions.
Tags : contentbug wtf

Esther Fan
ADML files, not ADMX files
The download actually downloads ADML files and not ADMX files. If you use 2008 and the GPMC and try to add one of the downloaded templates, they don't show up.
Tags : contentbug

Professional Integations
Hopefully this will help get you started.
Maybe this will break it down to its simplest form:

Just download the Office 2010 Admin Templates

Extract the files to a new temp directory, this will create 3 directories and a spreadsheet file (ADM, Admin, ADMX, Office2010GroupPolicyAndOCTSettings.xls)

Now create the directory PolicyDefinitions under: your_domain_controller\SYSVOL\your_domain_name\Policies\

It's easy to do this from your domain controller or just UNC to your sysvol share off your domain controller

Copy all the files that were unzipped in the temp ADMX directory to the new PolicyDefinitions directory you created.

Restart GPMC and either edit or create a new group policy

When the Group Policy Management Editor window comes up, you should see new templates under Administrative Templates.

The folder should state: Administrative Templates: Policy Definitions (ADMX) Retrieved from the Central Store

That's it - so easy a Cave Man could do it.

- Professional Integrations LLC

westbgk
Windows 7
Can anyone point to a good article for Windows 7 security. This operating system has made my life miserable. What procedure would we look at for keeping our desktop settings in a common profile including the theme for our company logo. I'm not a programmer.
