Pros and cons of using ADM templates to customize Active Directory group policies

Expert Derek Melber explains how to customize Registry settings to ice the Active Directory cake with newfound power and flexibility.

One of the most powerful and flexible aspects of a Group Policy object (GPO) is the ability to customize almost any Registry setting. The power that this feature provides to Group Policy is the icing on the cake when it comes to implementing Group Policy in any Active Directory environment.

Using ADM templates
There are drawbacks to customizing Group Policy with ADM templates, but all of the pitfalls can be overcome, which is what we will show in this article.

ADM templates are the heart and soul of customizing Group Policy. ADM templates can touch many areas of the Registry, both for HKEY_LOCAL_MACHINE and HKEY_USERS. ADM templates do require a bit of coding, but nothing that any administrator can't handle. For more details on the syntax for an ADM template, refer to KB 225087.

Templates have shortcomings
There are some slight drawbacks to using ADM templates. The first drawback is all of the coding that must be done in order to get the template to function properly. The coding is not hard, as you can see from the example in Figure 1, but getting it just right is time-consuming.

Each policy added must perform two duties. First, it must alter the interface of the GPO in the Group Policy Editor. Second, it must correctly provide the path and format of the Registry value and data. If any part of it is incorrect, the policy won't work properly.

Figure 1

CLASS MACHINE

CATEGORY !!AdministrativeServices

   ; Each !!name is a reference resolved from the template's [strings] section.
   POLICY !!NoSecurityMenu
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
      EXPLAIN !!NoSecurityMenu_Help
      VALUENAME "NoNTSecurity"
   END POLICY

   POLICY !!NoDisconnectMenu
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
      EXPLAIN !!NoDisconnectMenu_Help
      VALUENAME "NoDisconnect"
   END POLICY

   POLICY !!DisableStatusMessages
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"
      EXPLAIN !!DisableStatusMessages_Help
      VALUENAME "DisableStatusMessages"
   END POLICY

END CATEGORY ; closes AdministrativeServices
Figure 1. As shown in this sample of the system.adm file, coding isn't difficult, but it can be time-consuming.
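
An added example, not part of the original article or of any Microsoft tooling: a small Python linter for the failure modes described above, where a policy with a wrong path, value name or string reference simply does not work. The sample template, its placeholder strings and the function name lint_adm are constructed for illustration, and the backslash check is a heuristic.

```python
import re

# Constructed sample: two of Figure 1's policies with deliberate defects (path
# separators lost, '!!!' reference, missing VALUENAME). String texts are placeholders.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY !!AdministrativeServices
   POLICY !!NoSecurityMenu
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
      EXPLAIN !!NoSecurityMenu_Help
      VALUENAME "NoNTSecurity"
   END POLICY
   POLICY !!DisableStatusMessages
      KEYNAME "SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem"
      EXPLAIN !!!DisableStatusMessages_Help
   END POLICY
END CATEGORY
[strings]
AdministrativeServices="placeholder"
NoSecurityMenu="placeholder"
NoSecurityMenu_Help="placeholder"
DisableStatusMessages="placeholder"
'''

def lint_adm(text):
    """Return (line_no, message) findings for the policy section of an ADM file."""
    parts = re.split(r"(?im)^\[strings\]\s*$", text, maxsplit=1)
    defined = set(re.findall(r"(?m)^\s*(\w+)\s*=", parts[1])) if len(parts) > 1 else set()
    findings, policy, seen, inherited = [], None, set(), set()
    for n, raw in enumerate(parts[0].splitlines(), 1):
        word = raw.strip().upper()
        for bangs, name in re.findall(r"(!{2,})(\w+)", raw):
            if len(bangs) != 2:
                findings.append((n, f"'{bangs}{name}': string reference needs exactly two '!'"))
            if name not in defined:
                findings.append((n, f"'{name}' has no entry in [strings]"))
        if word.startswith("POLICY "):
            policy, seen = n, set(inherited)  # a CATEGORY-level KEYNAME is inherited
        elif word.startswith(("KEYNAME ", "VALUENAME ")):
            (seen if policy else inherited).add(word.split()[0])
            if word.startswith("KEYNAME ") and "\\" not in raw:  # heuristic check
                findings.append((n, "KEYNAME has no backslash separators"))
        elif word == "END POLICY" and policy:
            findings += [(policy, f"POLICY has no {k}")
                         for k in ("KEYNAME", "VALUENAME") if k not in seen]
            policy = None
    if policy:
        findings.append((policy, "POLICY without END POLICY"))
    return findings
```

Calling lint_adm(SAMPLE_ADM) reports the damaged KEYNAME on line 9, the malformed and unresolved string reference on line 10, and the missing VALUENAME for the policy opened on line 8.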

You are required to have the ADM template available within each GPO for editing, which is another drawback to ADM templates. Since the template alters the Group Policy Editor interface for that GPO, it must be available when performing an edit of the GPO. This is especially important when GPO edits are performed on a computer other than a domain controller or IT admin computer.

A final downside to ADM templates is the fact that they can't touch all areas of the Registry, nor can they include binary value types. This can be very frustrating when you know the Registry path and value, but you can't get it to work in your ADM template.

One free tool solves the ADM template issues
Sure, the templates can be cumbersome, difficult to manage in each GPO, and they can't handle all Registry values, but don't fret. I am here to make your Group Policy customizations more robust, easier and more efficient. A company named DesktopStandard Corp. developed a new Group Policy extension that provides a seamless view and configuration of all Registry values. The tool is free and can be downloaded at www.desktopstandard.com. This extension solves all of the pitfalls you will experience with native ADM templates.

Summary
ADM templates are extremely powerful, useful and efficient. Microsoft provides you with numerous default ADM templates that give you hundreds of policy settings in a default Group Policy. Nothing, however, is ever as good as you want it to be, and so it is with ADM templates. ADM templates can be cumbersome to manage, a headache to code and there are limits in the scope of the Registry they can touch. With an extension to Group Policy objects like the one DesktopStandard provides, you can solve the problems and even get an easy-to-use interface to configure any Registry value you need.

Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.

This was first published in July 2005
