Administrative templates overview for GPMC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Administrative Templates

Administrative templates (or .adm files) enable administrators to control registry settings using Group Policy. These settings appear under the Administrative Templates folder for both user configuration and computer configuration in the console tree of the Group Policy Object Editor, and in HTML reports produced by GPMC.

It is important to understand that .adm files are not the actual settings that are deployed to client operating systems. The .adm file is simply a template file (implemented as a text file with an .adm extension) that provides the friendly name for the setting and an explanation. This template file is used to populate the user interface. The settings that are deployed to clients are contained in the Registry.pol file inside the GPO. On Windows XP and Windows Server 2003, each registry setting contains a "Supported on" tag that indicates which operating system versions support that policy setting. If a setting is specified and deployed to a client operating system that does not support that setting, the setting is ignored. These .adm files are stored in two locations by default: inside GPOs, and in the %windir%\inf folder on the local computer.

Windows includes a predefined set of Administrative template files that define the registry settings that can be configured in a Group Policy object (GPO). The .adm files can be added or removed from the Group Policy Object Editor by right-clicking Administrative Templates and clicking Add/Remove Templates. Adding or removing .adm files does not affect which policies are processed by the Group Policy engine. It only affects whether a specific Administrative Template policy setting is displayed in the Group Policy Object Editor. For example, if you removed all the .adm files from the GPO via the Add/Remove Templates dialog box, no Administrative Template policy settings would be displayed under the Administrative Templates node. This will not affect the policies already stored in the Registry.pol file.

Contents of .adm files

An .adm file consists of a hierarchy of categories and subcategories that together define how the policy settings are to appear in the Group Policy Object Editor user interface (UI), and also contains information about which registry locations control the settings.

The following information is included in .adm files:

  • Registry locations that correspond to each setting in the Administrative Templates section of the Group Policy Object Editor.

  • Options or restrictions in values that are associated with each setting. These are only restrictions for the user interface. There is no checking of value ranges during the actual policy processing.

  • Check box, edit box, and other methods of parameter input.

  • For many settings, a default value to display.

  • Explanations of what each setting does, and of the settings that affect and are affected by it, are included in Help text embedded in the .adm file. This information is displayed on an Explain tab in Group Policy Object Editor.

  • The versions of Windows that support each setting are indicated by use of the Supported keyword.

  • Registry location for the setting, hive name, key name, and value name. Type of registry key, whether DWORD, REG_SZ, or other type. Binary data is not supported.

Standard .adm files included with Windows

The predefined set of Administrative template files that define the registry settings for controlling various aspects of the operating system are grouped into five .adm files listed below.

A description of each policy setting in Administrative Templates appears in searchable online Help.

Administrative Template    Description

System.adm                 System settings
Inetres.adm                Internet Explorer settings
Wmplayer.adm               Windows Media Player settings. This tool is not available on Windows XP 64-Bit Edition and the 64-bit versions of the Windows Server 2003 family.
Conf.adm                   NetMeeting settings. This tool is not available on Windows XP Professional, 64-Bit Edition and the 64-bit versions of the Windows Server family.
Wuau.adm                   Windows Update settings.

True Policies or Preferences

The standard Administrative Templates shipped with Windows only contain true policies, as distinct from preferences. The registry information for true policies is located under \Software\Policies or under \Software\Microsoft\Windows\CurrentVersion\Policies in the HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE hives.

Policy settings that are stored in these specific locations of the registry are known as true policies. Storing settings here has the following advantages:

  • These trees are secure and cannot be modified by a non-administrator.

  • When Group Policy changes, for any reason, these trees are cleaned, and the new policies are then rewritten.

This prevents the behavior that was often present in Windows NT 4.0, whereby System Policies resulted in persistent settings in the user and computer registry. The policy remained in effect until the value was reversed, either by a counteracting policy or by editing the registry. These settings are stored outside the approved registry locations above and are known as preferences.

All the policy settings in the standard Administrative Templates shipped with Windows use registry settings in the Policies trees of the registry. This means that they will not cause persistent settings in the registry when the GPO that applies to them is no longer in effect.

The Group Policy Object Editor does not show preferences. If you add an .adm file that contains preferences rather than policy settings, you will have to clear the Only show policy settings that can be fully managed check box on the Filtering dialog box under the View menu of Group Policy Object Editor, otherwise the settings will not be visible in the console.

If you plan to create entries for Administrative Templates, populate the namespace by using the following naming convention, which is also used in the registry: \CompanyName\product\version (or \CompanyName\product&version). For example, the operating system settings for Windows are in \Microsoft\Windows.

For information about creating custom policy settings in .adm files, see "Implementing Registry-based Policy" at the Microsoft Web site (https://msdn.microsoft.com/).

Registry.pol files

Group Policy Object Editor, when setting Administrative Templates policy settings, saves information in Registry.pol files. These Unicode files contain the customized registry settings that you specify (by using Group Policy) that are to be applied to the computer or user portion of the registry. The Registry.pol files contain the actual Group Policy settings used by the Group Policy engine during processing. They contain instructions to add or delete registry keys, corresponding to the settings specified by the administrator in the Group Policy Object Editor.

  • One of the Registry.pol files contains registry settings that are specific to the HKEY_LOCAL_MACHINE key. It is stored in the GPT\Machine folder.

  • The other Registry.pol file contains registry settings that are specific to the HKEY_CURRENT_USER key. It is stored in the GPT\User subdirectory.
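Because Registry.pol, not the .adm file, holds what is actually deployed, auditing a GPO means reading that file. The following added example (not part of the original documentation) parses Registry.pol bytes and labels each entry as a true policy or a preference using the two Policies trees named above. The record layout it assumes (a PReg signature, version 1, then bracketed key;value;type;size;data records in UTF-16LE) comes from Microsoft's Registry Policy File Format and is not spelled out on this page; the function names and the ExampleCorp key are hypothetical.

```python
import struct

# The two "true policy" trees named on this page, relative to HKLM or HKCU.
POLICY_TREES = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")

def u16(text):
    return text.encode("utf-16-le")

def read_string(blob, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while blob[end:end + 2] not in (b"\0\0", b""):
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def expect(blob, pos, char):  # require a UTF-16LE delimiter, return next offset
    if blob[pos:pos + 2] != u16(char):
        raise ValueError("expected %r at offset %d" % (char, pos))
    return pos + 2

def parse_registry_pol(blob):
    """Return [(key, value, type, data), ...] from Registry.pol bytes."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("missing PReg signature or unsupported version")
    pos, records = 8, []
    while pos < len(blob):
        key, pos = read_string(blob, expect(blob, pos, "["))
        value, pos = read_string(blob, expect(blob, pos, ";"))
        s0, reg_type, s1, size, s2 = struct.unpack_from("<2sI2sI2s", blob, pos)
        if not s0 == s1 == s2 == u16(";"):  # layout is ;type;size;
            raise ValueError("bad field separator at offset %d" % pos)
        records.append((key, value, reg_type, blob[pos + 14:pos + 14 + size]))
        pos = expect(blob, pos + 14 + size, "]")
    return records

def audit(blob):
    """Label each record 'policy' or 'preference' by its registry tree."""
    return [(key, value, "policy" if (key.lower() + "\\").startswith(POLICY_TREES)
             else "preference") for key, value, _, _ in parse_registry_pol(blob)]

def build_record(key, value, reg_type, data):  # used only to make the sample
    return (u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", reg_type)
            + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))

# Constructed sample: one Windows Update policy, one hypothetical vendor key.
SAMPLE = b"PReg" + struct.pack("<I", 1) + build_record(
    "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate",
    4, struct.pack("<I", 1)) + build_record(
    "Software\\ExampleCorp\\Viewer", "Theme", 1, u16("dark\0"))
```

To audit a real GPO, pass the bytes of its Registry.pol file to audit(). Entries labelled "preference" are the ones that persist in the registry after the GPO no longer applies.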

See Also

Concepts

Group Policy Object Editor Extensions
Deployment considerations for Group Policy