One of the most powerful and flexible aspects of a Group Policy object (GPO) is the ability to customize almost...
any Registry setting. The power that this feature provides to Group Policy is the icing on the cake when it comes to implementing Group Policy in any Active Directory environment.
Using ADM templates
There are drawbacks to customizing Group Policy with ADM templates, but all of the pitfalls can be overcome, which is what we will show in this article.
ADM templates are the heart and soul of customizing Group Policy. ADM templates can touch many areas of the Registry, both for HKEY_Local_Machine and HKEY_Users. ADM templates do require a bit of coding, but nothing that any administrator can't handle. For more details on the syntax for an ADM template, refer to KB 225087.
Templates have shortcomings
There are some slight drawbacks to using ADM templates. The first drawback is all of the coding that must be done in order to get the template to function properly. The coding is not hard, as you can see from the example in Figure 1, but getting it just right is time consuming.
Each policy added must perform two duties. First, it must alter the interface of the GPO in the Group Policy Editor. Second, it must correctly provide the path and format of the Registry value and data. If any part of it is incorrect, the policy won't work properly.
CLASS MACHINE CATEGORY !!AdministrativeServices POLICY !!NoSecurityMenu KEYNAME "SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer" EXPLAIN !!NoSecurityMenu_Help VALUENAME "NoNTSecurity" END POLICY POLICY !!NoDisconnectMenu KEYNAME "SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer" EXPLAIN !!NoDisconnectMenu_Help VALUENAME "NoDisconnect" END POLICY POLICY !!DisableStatusMessages KEYNAME "SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem" EXPLAIN !!!DisableStatusMessages_Help VALUENAME "DisableStatusMessages" END POLICYFigure 1. As shown in this sample of the system.adm file, coding isn't difficult but it can be time consuming.
You are required to have the ADM template available within each GPO for editing, which is another drawback to ADM templates. Since the template alters the Group Policy Editor interface for that GPO, it must be available when performing an edit of the GPO. This is especially important when GPO edits are performed on a computer other than a domain controller or IT admin computer.
A final downside to ADM templates is the fact that they can't touch all areas of the Registry, nor can they include binary value types. This can be very frustrating when you know the Registry path and value, but you can't get it to work in your ADM template.
One free tool solves the ADM template issues
Sure, the templates can be cumbersome, difficult to manage in each GPO, and they can't handle all Registry values, but don't fret. I am here to make your Group Policy customizations more robust, easier and more efficient. A company named DesktopStandard Corp. developed a new Group Policy extension that provides a seamless view and configuration of all Registry values. The tool is free and can be downloaded at www.desktopstandard.com. This extension solves all of the pitfalls you will experience with native ADM templates.
ADM templates are extremely powerful, useful and efficient. Microsoft provides you with numerous default ADM templates that give you hundreds of policy settings in a default Group Policy. Nothing, however, is ever as good as you want it to be, and so it is with ADM templates. ADM templates can be cumbersome to manage, a headache to code and there are limits in the scope of the Registry they can touch. With an extension to Group Policy objects like the one DesktopStandard provides, you can solve the problems and even get an easy-to-use interface to configure any Registry value you need.
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.