Pros and cons of using ADM templates to customize Active Directory group policies


By Derek Melber, Contributor
07.11.2005


One of the most powerful and flexible aspects of a Group Policy object (GPO) is the ability to customize almost any Registry setting. The power that this feature provides to Group Policy is the icing on the cake when it comes to implementing Group Policy in any Active Directory environment.

Using ADM templates
There are drawbacks to customizing Group Policy with ADM templates, but all of the pitfalls can be overcome, which is what we will show in this article.

ADM templates are the heart and soul of customizing Group Policy. ADM templates can touch many areas of the Registry, both for HKEY_LOCAL_MACHINE and HKEY_USERS. ADM templates do require a bit of coding, but nothing that any administrator can't handle. For more details on the syntax for an ADM template, refer to KB 225087.

Templates have shortcomings
There are some slight drawbacks to using ADM templates. The first drawback is all of the coding that must be done to get the template to function properly. The coding is not hard, as you can see from the example in Figure 1, but getting it just right is time-consuming.

Each policy added must perform two duties. First, it must alter the interface of the GPO in the Group Policy Editor. Second, it must correctly provide the path and format of the Registry value and data. If any part of it is incorrect, the policy won't work properly.

Figure 1

; CLASS MACHINE writes every KEYNAME below under HKEY_LOCAL_MACHINE
CLASS MACHINE

; !!name tokens are looked up in the template's [strings] section
CATEGORY !!AdministrativeServices

   POLICY !!NoSecurityMenu
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
      EXPLAIN !!NoSecurityMenu_Help
      VALUENAME "NoNTSecurity"
   END POLICY

   POLICY !!NoDisconnectMenu
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
      EXPLAIN !!NoDisconnectMenu_Help
      VALUENAME "NoDisconnect"
   END POLICY

   POLICY !!DisableStatusMessages
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"
      EXPLAIN !!DisableStatusMessages_Help
      VALUENAME "DisableStatusMessages"
   END POLICY

; closes the category so the excerpt is well-formed on its own
END CATEGORY
Figure 1. As shown in this sample of the system.adm file, coding isn't difficult but it can be time-consuming.
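Because a single wrong path or token stops a policy from working, it helps to check a template before importing it into a GPO. The following is an added example, not code from the article or from Microsoft: a small Python check whose function name `lint_adm` and sample template are constructed here. It assumes each POLICY carries its own KEYNAME and VALUENAME, as in Figure 1, and that display strings sit under a lowercase `[strings]` header.

```python
import re

# Constructed sample, not from the article. The second policy has three deliberate
# mistakes: a hive prefix in KEYNAME, a "!!!" reference, and no VALUENAME.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!AdministrativeServices
   POLICY !!NoSecurityMenu
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
      EXPLAIN !!NoSecurityMenu_Help
      VALUENAME "NoNTSecurity"
   END POLICY
   POLICY !!DisableStatusMessages
      KEYNAME "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
      EXPLAIN !!!DisableStatusMessages_Help
   END POLICY
END CATEGORY
[strings]
AdministrativeServices="Administrative Services"
NoSecurityMenu="Remove Security option from Start menu"
NoSecurityMenu_Help="Hides the Windows Security item."
DisableStatusMessages="Remove boot and logon status messages"
'''

def lint_adm(text):
    """Return (line_number, message) findings; assumes per-POLICY KEYNAME/VALUENAME."""
    body, _, strings = text.partition("[strings]")
    defined = {l.split("=", 1)[0].strip() for l in strings.splitlines() if "=" in l}
    findings, policy = [], None
    for n, line in enumerate(body.splitlines(), 1):
        s = line.strip()
        for bangs, name in re.findall(r"(!{2,})(\w+)", s):   # every !!token on the line
            if len(bangs) != 2:
                findings.append((n, f"malformed string reference {bangs}{name}"))
            elif name not in defined:
                findings.append((n, f"!!{name} is not defined in [strings]"))
        key = re.match(r'KEYNAME\s+"([^"]*)"', s, re.I)
        if key and re.match(r"\\|HK(EY_|LM|CU)", key.group(1), re.I):
            findings.append((n, "KEYNAME must be relative; CLASS selects the hive"))
        if re.match(r"POLICY\b", s, re.I):                   # open a new policy block
            policy = {"line": n, "KEYNAME": False, "VALUENAME": False}
        elif re.match(r"END\s+POLICY\b", s, re.I) and policy:
            findings += [(n, f"POLICY at line {policy['line']} has no {field}")
                         for field, seen in policy.items() if seen is False]
            policy = None
        elif policy and s.split(" ", 1)[0].upper() in policy:
            policy[s.split(" ", 1)[0].upper()] = True        # saw KEYNAME or VALUENAME
    return findings
```

Calling `lint_adm(SAMPLE_ADM)` reports the three planted mistakes with their line numbers; a template shaped like Figure 1 with a complete `[strings]` section returns an empty list.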

You are required to have the ADM template available within each GPO for editing, which is another drawback to ADM templates. Since the template alters the Group Policy Editor interface for that GPO, it must be available when performing an edit of the GPO. This is especially important when GPO edits are performed on a computer other than a domain controller or IT admin computer.

A final downside to ADM templates is the fact that they can't touch all areas of the Registry, nor can they include binary value types. This can be very frustrating when you know the Registry path and value, but you can't get it to work in your ADM template.

One free tool solves the ADM template issues
Sure, the templates can be cumbersome, difficult to manage in each GPO, and they can't handle all Registry values, but don't fret. I am here to make your Group Policy customizations more robust, easier and more efficient. A company named DesktopStandard Corp. developed a new Group Policy extension that provides a seamless view and configuration of all Registry values. The tool is free and can be downloaded at www.desktopstandard.com. This extension solves all of the pitfalls you will experience with native ADM templates.

Summary
ADM templates are extremely powerful, useful and efficient. Microsoft provides you with numerous default ADM templates that give you hundreds of policy settings in a default Group Policy. Nothing, however, is ever as good as you want it to be, and so it is with ADM templates. ADM templates can be cumbersome to manage, a headache to code and there are limits in the scope of the Registry they can touch. With an extension to Group Policy objects like the one DesktopStandard provides, you can solve the problems and even get an easy-to-use interface to configure any Registry value you need.

Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.

All Rights Reserved, Copyright 2004 - 2009, TechTarget | Read our Privacy Policy