Administrative Templates Extension Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

• Administrative Templates Extension Tools

• Administrative Templates Extension Registry Locations

• Administrative Templates Extension Group Policy Settings

• Administrative Templates Extension WMI Classes

• Network Ports Used by Administrative Templates Extension

• Related Information

This section describes the tools and templates available for the Group Policy Administrative Templates extension.

Administrative Templates Extension Tools

The following tools are associated with the Group Policy Administrative Templates extension. For more information about Group Policy administrative tools, see the following topics in this collection:

• Group Policy Administrative Tools

• Group Policy Object Editor Tools and Settings

• Group Policy Management Console Technical Reference

• What Is Resultant Set of Policy?

For information about tools specific to other Group Policy extensions, see the appropriate Group Policy Components Tools topics in this collection. For more information about other Resource Kit tools, see the Windows Server 2003 Resource Kit Tools page.

AdmX.exe: ADM File Parser

Category

The ADM File Parser (AdmX) is a command-line tool that enables an administrator to export Group Policy settings to a tab-delimited text file. The administrator can then use the text produced by ADM File Parser (AdmX) to find changes for the policy settings between different versions of the operating systems. AdmX is for use only with policies based on administrative templates.

Version compatibility

The AdmX.exe tool runs on Windows 2000, Windows Server 2003, and Windows XP Professional. AdmX.exe also requires the Microsoft .NET Framework 1.0.

Administrators use AdmX.exe to perform the following two tasks:

• Extract policy setting information from .adm files.

• Compare two .adm files. This can be used to determine what has changed between two like files, such as the system.adm file from two different operating systems.

For more information about the ADM File Parser, type AdmX.exe /? at the command line.

GPUpdate.exe

This tool is used for refreshing local and Active Directory policy settings on the computer from which you run the GPUpdate command.

Category

This command-line tool is included in Windows XP and Windows Server 2003.

Version compatibility

You can use GPUpdate locally on computers running Windows XP and higher to refresh policy immediately. On computers running Windows 2000, this behavior is provided by the using the secedit.exe command line tool, with a specific parameter.

GPUpdate refreshes changed local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings, on the computer from which it is run. This command supersedes the now obsolete /refreshpolicy option for the secedit command line tool. Group Policy can be forced to reprocess all policy settings whether there has been a change or not by using the /force switch.

For more information about GPUpdate, see “Core Group Policy Tools and Settings” in this collection.

GPResult.exe: Group Policy Results

This command line tool displays Resultant Set of Policy (RSoP) for a user or computer. You can use GPResult.exe to see what policy is in effect and to troubleshoot problems on computers running Windows XP or later.

Category

There are two versions of GPResult: One shipped with the Windows 2000 Resource Kit; the other is included with Windows XP and Windows Server 2003. The Windows 2000 version of GPResult runs only locally on Windows 2000. The Windows Server 2003 version runs locally or remotely on Windows XP or Windows Server 2003.

The different versions are not compatible.

Version compatibility

The GPResult.exe that ships with Windows XP and Windows Server 2003 family is completely different than the original version of GPResult.exe that shipped in the Windows 2000 Resource Kit. The newer version cannot be used to view policy information for computers running Windows 2000.

For more information about GPResult, see “Core Group Policy Tools and Settings” in this collection.

Dcgpofix.exe: Dcgpofix

Category

Dcgpofix ships with Windows Server 2003.

Version compatibility

You can run Dcgpofix only on servers in a Windows Server 2003 domain. This tool can restore default domain policy and default domain controllers policy to their original state after installation. When you run Dcgpofix, you will lose any changes made to these Group Policy objects. This tool should be used as a last-resort disaster-recovery tool. A better solution is to use Group Policy Management Console (GPMC) to back up and restore these GPOs.

For more information about Dcgpofix, type Dcgpofix /? at the command line.

GPMonitor.exe: Group Policy Monitor Tool

Category

Group Policy Monitor tool is included in the Windows Server 2003 Deployment Kit.

Version compatibility

The Group Policy Monitor tool works on Windows XP and higher computers. Group Policy Monitor tool collects Group Policy information at every Group Policy refresh and sends the information to a centralized location that you specify. You can then use the Group Policy Monitor user interface (UI) to view the data. The Group Policy Monitor UI can provide a historical view of policy changes. The UI is also designed to make it easy to navigate through historical snapshots of data and trace changes. For more information about the Group Policy Monitor tool, type GPMonitor /? at the command line. You can find full documentation for the Group Policy Monitor tool in the Windows Server 2003 Resource Kit Tools.

GPOTool.exe: Group Policy Verification Tool

Category

Group Policy Verification Tool is included in the Windows Server 2003 Deployment Kit.

Version compatibility

The Group Policy Verification tool works on Windows 2000 and higher computers. You can use Group Policy Verification Tool to check the health of the Group Policy objects on domain controllers. The tool checks GPOs for consistency on each domain controller in your environment. The tool also determines whether the policies are valid and displays detailed information about replicated Group Policy objects (GPOs).

GPOTool.exe ships with the Microsoft Windows 2003 Server Resource Kit and is also available as a free download at the Gpotool.exe: Group Policy Verification Tool page.

For more information about the Group Policy Verification tool, type GPOTool /? at the command line. You can find full documentation for Group Policy Verification Tool in the Windows Server 2003 Resource Kit Tools.

Regview.exe: Registry.pol Viewer Tool

Category

Regview.exe is a Group Policy tool for viewing the contents of any registry.pol file, which is created by the Group Policy Object Editor for containing the administrative settings. It is included in the Windows Server 2003 Deployment Kit.

Version compatibility

The Group Policy Viewer tool works on Windows 2000 and higher computers. Because the registry.pol file is not an ASCII file, you cannot easily view the contents. If an administrator needs to troubleshoot or just wants to document the contents of the file, this tool supplies the contents in a delimited format.

Other Tools

For information about tools specific to Group Policy extensions, see the appropriate Group Policy Components Tools topics in this collection.

Administrative Templates Extension Registry Locations

The following registry locations are associated with the Administrative Templates extension. All default registry-based policy settings from Windows 2000 or later are stored in one of four specific registry keys:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies (preferred location)

• HKEY_CURRENT_USER\SOFTWARE\Policies (preferred location)

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

• HKEY_ CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Policy settings that are stored in these locations are known as true policies.

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. You should not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

Administrative Templates Extension Group Policy Settings

Administrative templates (.adm files) enable administrators to configure registry settings by using Group Policy. These settings appear under the Administrative Templates item for both User Configuration and Computer Configuration in the console tree of the Group Policy Object Editor (GPEdit.dll), and in HTML reports produced by the Group Policy Management Console (GPMC).

For a full list of Administrative Templates policy settings, see Group Policy Settings Reference for Windows Server 2003.

Group Policy Settings

For more information about Group Policy settings, see the Group Policy Settings Reference for Windows Server 2003.

Administrative Templates Extension WMI Classes

Like other Administrative Templates policy settings, RSoP data is updated whenever policies applied to a computer changes. The extension writes this data into WMI during processing so that the data maintained in WMI is consistent with what is applied to the computer. The administrative template files themselves used in editing the GPO are stored in the Windows/inf folder of the administrative computer. The extension writes to the following WMI namespaces:

• Root/RSoP/Computer

• Root/RSoP/User/<user SID>

For more information about these WMI classes, see the WMI SDK documentation on MSDN.

Network Ports Used by Administrative Templates Extension

The Group Policy Administrative Templates extension communicates with Active Directory using Lightweight Directory Access Protocol (LDAP) to complete the following tasks:

• GPO list retrieval

• Group Policy container retrieval

The Administrative Templates extension uses Server Message Block (SMB) to complete the following tasks:

• Request Distributed File System (DFS) referral for \\domainname\sysvol

• SysvolDFS replica location \\dcname.domainname\sysvol

• Open and read GPT.INI

• Return GPT.INI

• Open and read Group Policy template (GPT) settings files

• Return GPT file

The following table lists the network ports used by the Administrative Templates extension.

Port Assignments for Group Policy Administrative Templates

Related Information

The following resources contain additional information that is relevant to this section.

• The Group Policy Administrative Tools topic in this collection.

• The Group Policy Object Editor Tools and Settings topic in this collection.

• The What Is Group Policy Management Console? topic in this collection.

• The appropriate Group Policy Components Tools topics in this collection.

• The Implementing Registry-Based Group Policy page.

• The Group Policy Management Console page.

• The Group Policy Settings Reference for Windows Server 2003.

• The Microsoft Platform SDK page.

• The Windows Server 2003 Resource Kit Tools page.

• The Tools and Settings Collection