WindowServer 2003

Using Administrative Template Files with RegistryBased Group Policy
Microsoft Corporation Published: September 2004
Abstract This white paper explains the concepts, architecture, and implementation details or registry!ased Group Policy in "icroso t# $indows# operating systems% &t shows how to create custom Administrative Template '%adm( iles and includes a complete re erence or the %adm language% &n addition, it includes in ormation a!out changes in %adm iles or $indows )P with *ervice Pac+ , '*P,(%
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. M C!"#"$T M%&'# (" W%!!%(T '#, ')P!'##, MP* '+ "! #T%T,T"!-, %# T" T.' ($"!M%T "( ( T. # +"C,M'(T. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means /electronic, mechanical, photocopying, recording, or otherwise0, or for any purpose, without the e1press written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering sub2ect matter in this document. '1cept as e1pressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ,nless otherwise noted, the e1ample companies, organi3ations, products, domain names, e4mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organi3ation, product, domain name, e4mail address, logo, person, place or event is intended or should be inferred. 5 6778 Microsoft Corp. %ll rights reserved. Microsoft, %ctive +irectory, Windows, Windows (T, and Windows #erver are either registered trademarks or trademarks of Microsoft Corporation in the ,nited #tates and9or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Introduction............................................................................................ 4 Overview of Registry-Based Policy and Administrative Tem late !iles...4 "esign Considerations for Creating Policy #ettings ...............................$ %ow to &rite a #im le .Adm !ile for Registry-based 'rou Policy........() Testing Administrative Tem late !iles.................................................*+ ,aintaining and ,anaging .Adm !iles..................................................** &-at.s /ew for Administrative Tem late !iles in &indows 0P #P*......*$ 1anguage Reference for Administrative Tem late !iles.......................2( Related 1in3s........................................................................................ 45
Introduction
Introduction
Administrators can use Group Policy to deliver and apply one or more desired con igurations or policy settings to a set o targeted users and computers within an Active -irectory# directory service environment% The ma.ority o availa!le policy settings are provided through Administrative Template iles '%adm iles( and are designed to modi y speci ic +eys in the registry% This is +nown as registry-!ased policy% For many applications, the use o registry-!ased policy delivered !y %adm iles is the simplest and !est way to support centrali/ed management o policy settings% &ntended or &T administrators and developers, this document descri!es how to implement registry-!ased Group Policy !y using %adm iles% For detailed instructions a!out ena!ling applications or Group Policy, see 0Group Policy1 in the "icroso t Plat orm *o tware -evelopment 2it at http344go%microso t%com4 wlin+456in+&d7,8,9:%
Overview of Registry-Based Policy and Administrative Tem late !iles

By using registry-!ased policy, operating system components and applications can respond to registry +ey settings that administrators can manage centrally with Group Policy% These policy settings determine the !ehavior o the application or targeted computers or users% As long as a component or application has !een policy-ena!led 'that is, its !ehavior changes !ased on registry values indicated in the %adm ile(, you can manage its eatures and settings through registry-!ased policy% %Adm iles are U;&<=-> text iles that Group Policy uses to descri!e where registry-!ased policy settings are stored in the registry% All registry-!ased policy settings appear and are con igured in the Group Policy =!.ect >ditor under the Administrative Templates node% %Adm iles do not apply policy settings? they simply ena!le administrators to view the policy settings in the Group Policy =!.ect >ditor% Administrators can then create Group Policy o!.ects 'GP=s( containing the policy settings that they want to use% For example, you might have one GP= that contains various policy settings or managing the Active -es+top eature% $ith the release o "icroso t# $indows )P *ervice Pac+ , '*P,(, &T administrators have more than @,ABB Administrative Template policy settings availa!le or their use% &n addition, administrators and developers can add their own custom settings%
Language Reference for Administrative Template Files
/ote
&indows 0P #P* includes modifications to t-e 1I#TBO0 A""ITI67 be-avior in .adm files 8im lemented by a new version of g te9t.dll: t-e .dll used by t-e 'rou Policy Ob;ect 7ditor.< !or details about t-ese c-anges: see t-e: =&-at.s /ew for .Adm !iles in &indows 0P #P*> section later in t-is document
Registry-!ased Group Policy uses %adm iles in the ollowing manner3 The Group Policy =!.ect >ditor reads the %adm iles% By de ault, when an administrator opens a GP=, a comparison is made !etween the timestamps o the %adm iles stored in the GP= !eing edited and those on the local computer% & the local %adm iles have a more recent timestamp then they are uploaded to the domain controller and replicated throughout the domain% The Group Policy =!.ect >ditor console 'gpedit%msc( displays the settings, and, depending on the %adm ile, the policy settings can !e displayed in a locali/ed language% The Group Policy =!.ect >ditor uses %adm iles to con igure user inter ace settings such as dialog !oxes, radio !uttons, and drop-down lists, there!y ena!ling administrators to manage these settings centrally% The Group Policy "anagement <onsole 'GP"<( uses %adm iles to display policy settings when using Group Policy Results or Group Policy "odeling, also +nown as Resultant *et o Policy 'R*oP(%
For more in ormation a!out the architecture o Administrative Templates, see Administrative Templates >xtension Technical Re erence at http344go%microso t%com4 wlin+456in+&d7A9,C@%
"efault .adm !iles

The Group Policy =!.ect >ditor displays the policy settings within the %adm iles that are included with the operating system !y de ault% These %adm iles are3 System.adm. Provides policy settings to con igure the operating system% *ystem%adm is installed !y de ault in $indows *erverD ,BBA, $indows )P, and $indows ,BBB *erver operating systems% Inetres.adm. Provides policy settings to con igure &nternet >xplorer% &netres%adm is installed !y de ault in $indows *erver ,BBA, $indows )P, and $indows ,BBB *erver operating systems% Wuau.adm. Provides policy settings to con igure $indows Update% $uau%adm is installed !y de ault in $indows *erver ,BBA, $indows )P *ervice Pac+ @ '*P@(, and $indows ,BBB *erver *ervice Pac+ A '*PA( operating systems% Wmplayer.adm. Provides policy settings to con igure $indows "edia Player% $mplayer%adm is installed !y de ault in $indows *erver ,BBA and $indows )P operating systems% $mplayer%adm is not availa!le on 8E-!it versions o the $indows *erver ,BBA operating system and $indows )P 8E-Bit >dition%
Using Administrative Template Files with Registry- ased !roup "olicy
Conf.adm. Provides policy settings to con igure ;et"eeting% <on %adm is installed !y de ault in $indows *erver ,BBA, $indows )P, and $indows ,BBB *erver operating systems% <on %adm is not availa!le on 8E-!it versions o the $indows *erver ,BBA operating system and $indows )P 8E-Bit >dition%
"ost Group Policy settings are contained in the *ystem%adm ile% The %adm iles that ship with $indows *erver ,BBA, $indows )P Pro essional, and $indows ,BBB *erver operating systems are located in the FwindirFGin G older% ' or example, <3G$indowsGin (% For more in ormation a!out %adm ile maintenance, see the 0"aintaining and "anaging %Adm Files1 in this document%
&-en to ?se Registry-Based 'rou Policy

&n general, i a policy setting can !e con igured using a simple user inter ace, and any con iguration input can !e stored in the registry as plain text, you should consider using registry!ased policy% *peci ically, registry-!ased Group Policy is an appropriate solution or the ollowing scenarios3 Creating available and unavailable (on/off, or yes/no) functionality. Hou can use registry-!ased policy as i it were a switch, to turn unctionality on or o % For example, you can create a policy setting to allow administrators to control whether a certain item is displayed on the des+top% Defining a set of static modes. For example, you can set the language used on a computer% Hou can set up a static list o the possi!le language selections, and when the policy setting is ena!led, the administrator can select a language rom the precreated list% This action is typically shown in the user inter ace as a drop-down list% Creating a policy setting that re uires simple input that can be stored in the registry as plain te!t. For example, you can create a policy setting to de ine the screensaver or !itmap that is displayed on the userIs des+top% $ith this policy setting ena!led, Group Policy administrators are provided with a text dialog !ox into which they can enter the name and path o the !itmap ile to !e used% This in ormation is then stored in the registry as plain text%
True Policies vs. Preferences

Group Policy settings that administrators can ully manage are +nown as 0true policies%1 &n contrast, settings that users con igure or that re lect the de ault state o the operating system at installation time are +nown as 0pre erences%1 Both true policies and pre erences contain in ormation that modi ies the registry on usersI computers% True policy settings ta+e precedence over pre erence settings% Registry values or true policies are stored under the approved registry +eys as listed in Ta!le @% Users cannot change or disa!le these settings%
Table (
roved Registry @ey 1ocations for 'rou Policy #ettings

!or ?ser Policy #ettingsA %@C?B#oftwareBPolicies 8T-e referred location< %@C?B#oftwareB,icrosoftB&indowsBC urrent6ersionBPolicies
!or Com uter Policy #ettingsA %@1,B#oftwareBPolicies 8T-e referred location< %@1,B#oftwareB,icrosoftB&indowsBC urrent6ersionBPolicies
Pre erences are set !y the user or !y the operating system at installation time% The registry values that store pre erences are located outside the approved Group Policy +eys listed in Ta!le @% They are located in other areas o the registry% Users can typically change their pre erences at any time% For example, users can decide to change the location o their local dictionary to a di erent location, or set their wallpaper to a di erent !itmap% "ost users are amiliar with setting pre erences that are availa!le to them through the operating system or application user inter ace% &t is possi!le or an administrator to write an %adm ile that sets registry values outside o the approved Group Policy registry trees included in Ta!le @% &n this case, the administrator is only ensuring that a given registry +ey or value is set in a particular way% $ith this approach, the administrator con igures pre erence settings, instead o true policy settings, and mar+s the registry with these settings 'that is, the settings persist in the registry even i the pre erence setting is disa!led or deleted(% & you con igure pre erence settings !y using a GP= in this manner, the GP=s that you create do not have Access <ontrol 6ist 'A<6( restrictions% As a result, users might !e a!le to change these values in the registry% $hen the GP= goes out o scope 'that is, it is unlin+ed, disa!led, or deleted(, these values are not removed rom the registry% &n contrast to this, true registry policy settings do have A<6 restrictions to prevent users rom changing them, and the policy values are removed when the GP= that set them goes out o scope% For this reason, true policies are considered to !e policy settings that can !e ully managed% By de ault, the Group Policy =!.ect >ditor only shows policy settings that can !e ully managed% To view pre erences in the Group Policy =!.ect >ditor, you need to clic+ the "dministrative #emplates node, clic+ $ie%, then clic+ &iltering, and then clear 'nly sho% policy settings that can be fully managed% Although Group Policy settings ta+e priority over pre erences, they do not overwrite or modi y the registry +eys used !y the pre erences% & a policy setting is deployed that con licts with a pre erence, the policy setting ta+es precedence over the pre erence setting% & a con licting policy setting is removed, the original user pre erence setting is restored%
%ow to ?se Policy #ettings and Preferences

Applications commonly include a user pre erence and a policy setting that per orm similar or related unctions% For example, you might want to o er users the a!ility to con igure part o a component through a user pre erence setting, and also centrally control this setting !y using a registry-!ased policy setting% An example o where !oth a policy and pre erence can co-exist is the con iguration o the wallpaper on a $indows des+top% Users can set their des+top wallpaper to !e displayed 'or not displayed( !y using the Display icon in <ontrol Panel% Hou can also use a policy setting to
con igure des+top wallpaper% To speci y the des+top wallpaper that displays on usersI des+tops, administrators can use the "ctive Des(top Wallpaper policy setting ' ound in the Group Policy =!.ect >ditor, under the )ser Configuration*"dministrative #emplates*Des(top*"ctive Des(top% As a result, the user can choose to display or not display the wallpaper, !ut the administrator can choose which wallpaper is displayed when the display setting is =;% Ta!le , lists the resultant !ehavior or Group Policy settings and pre erences% Table * Results of 'rou Policy #ettings and Preferences
#cenario /o olicy or reference Preference Only Policy Present /o /o /o Ces Preference Present Resultant Be-avior "efault be-avior. Preference configures be-avior. Policy configures be-avior. Policy configures be-avior. Preference is ignored. In all cases: olicy overrides reference.
Policy only Bot- olicy and reference
Ces Ces
/o Ces
"esign Considerations for Creating Policy #ettings

This section addresses essential issues or creating and con iguring custom policy settings in %adm iles% Use the ollowing Juestions as a guide to help you design Group Policy settings% $hat is the de ault !ehavior 'that is, when the policy is set to +ot Configured(5 $hat is the !ehavior when the policy is ,nabled, Disabled, or +ot Configured5 The ,nabled !ehavior should always !e the opposite o the de ault !ehavior 'that is, +ot Configured(% -o administrators need to explicitly disa!le a eature5 -o the proposed policy settings a ect users or computers or !oth5
$hat are some potential uture rami ications o the new policy settings5 $hen new products are released, you must continue to maintain the previous %adm settings to manage computers running legacy so tware% ;ew products and settings must !e a!le to co-exist with earlier versions%
&-en to Create Policy #ettings

An administrator should consider creating a policy setting or the ollowing purposes3 To help administrators manage and increase security o their des+top computers% To hide or disa!le a user inter ace that can lead users into a situation in which they must call the helpdes+ or support% To hide or disa!le new !ehavior that might con use users% A policy setting created or this purpose allows administrators to manage the introduction o new eatures until a ter user training has ta+en place% To hide settings and options that might ta+e up too much o usersI time%
Controlling !eature Releases to ?sers

An administrator can use %adm iles to provide policy settings to manage new eatures o a new or updated application% By creating a single GP= or all new eatures, or !y creating a GP= or each logical grouping o new eatures, an administrator can reduce the need or support and potential user rustration% A GP= should also !e considered or speci ic eatures that administrators need to control a ter the new eatures have !een ena!led% By ena!ling policy settings in this area, the administrator can control how and when users get new product eatures% By grouping related eatures, the administrator can prevent users rom using a new eature set until they have !een trained%
Create Policy #ettings to Reduce /eed for #u
ort
To reduce the need or support, administrators can start !y determining the top issues that users have and considering ways in which they can use policy settings to prevent support calls% For example, you could use policy settings to control so tware settings in the ollowing scenarios3 $hen proper con iguration settings reJuire advanced +nowledge o the application% $hen there are complicated or advanced con iguration settings that the typical user does not need to use%
&n these scenarios, it would !e appropriate to use Group Policy to give an administrator the a!ility to control access to the con iguration settings%
&'
Control "ata
Hou can create policy settings to populate data or your application% *uch data usually exists in small sets in the orm o num!ers, text strings, and so on% For example, a phone dialer could use policy settings to ena!le administrators to mandate that certain items exist in the phone directory%
&-en /ot to Create a Policy

Although registry-!ased Group Policy provides an e ective way o managing components and applications, there are some circumstances where its use is not recommended% For example3 -o not create a policy or all o your application settings !ecause large applications typically contain hundreds or even thousands o settings, and only a su!set o these needs to !e managed through Group Policy% Be selective a!out the eatures you want to ena!le or disa!le% Because Group Policy provides centrali/ed management o the setting, you should evaluate whether administrators would want this +ind o management !e ore adding the policy setting% -o not create a policy i you do not intend to provide support or the policy setting% Treat each policy as a eature that needs to !e tested, validated, and supported%
?ser Interface "esign

> ective policy settings should !e clearly written and displayed% Hou must also ensure that the user inter ace is clear and easy to understand% For example, review these user inter ace design options or disa!ling -y +et%or( .laces3 Create an error message. For example, the user clic+s "y ;etwor+ Places and the ollowing error message appears3 0This option has !een disa!led !y your administrator%1 &n response, the user calls the administrator or support des+ to as+ why this eature has !een disa!led% Disable the user interface. For example, a user inter ace eature in "y ;etwor+ Places is disa!led 'grayed-out(% This implies to the user that there is a way to ena!le the user inter ace% &n response, the user might spend a lot o time trying to get this eature to wor+% &n the end, the user might either give up in rustration or call the support des+% /ide the user interface feature. For example, a user inter ace eature in "y ;etwor+ Places is hidden% &n response, the user does not recogni/e that anything is missing or unavaila!le% This is the pre erred choice in this scenario% Do nothing. For example, when a user clic+s "y ;etwor+ Places, and the screen does not change 'that is, nothing happens(% &n response, the user assumes that something is wrong and calls the support des+%
&&
/ote
"o notnames Policy try to su are limited lementto a 'rou *4) c-aracters. Policy setting %owever: title in t-e user de ending interface witon t-e ti te9t fontt-at used can on be t-e dis user.s layed wor3station: in t-e usera smaller number ofInclude interface. c-aracters any are ti s dis for using layed:t-e and olicy all ot-ers setting truncated. in t-e On most te9t. ()plain systems: you can assume t-at you -ave t-e ability to dis lay olicy names u to )4 c-aracters. 8?sing a Resolution of (+*4 D 5)$ wit- small fonts installed<. &-en 'rou Policy names are translated into additional languages: t-ey ty ically reEuire additional c-aracters. T-erefore: if you are using 7nglis- to name a 'rou Policy: limit t-e name to 4F c-aracters. T-is limitation allows your title to grow by 22 ercent during translation: wit-out causing any truncation issues.
Policy /ames
Hou set the name o the policy setting at the same time that you create it% The name o the policy setting is displayed in the Group Policy =!.ect >ditor% Use the ollowing guidelines or creating policy names3 Use a ver! that re lects the e ect o the policy setting% >xamples o ver!s commonly used in policy setting names include3 allow, permit, turn on, prohi!it, hide, and prevent% -o not use the terms 0ena!led1 or 0disa!led1 in your policy setting names% &nstead, consider using the terms 0turn on1 and 0turn o ,1 or 0allow1 and 0prevent%1 Avoid overly technical .argon that might not !e understood !y administrators who are not experts in a particular component% &nclude technical details o the policy setting in the >xplain text% Use short, descriptive names that accurately re lect the unction o the policy setting, or example, Turn o &nternet File Association service%
79 lain Te9t
>xplain text provides in ormation a!out the !ehavior o the policy setting, its interaction with other policy settings, and can include any other in ormation that you would li+e administrators to !e aware o % $hen an administrator selects a policy setting, and then clic+s the ,!plain ta!, the >xplain text appears in the policy settingIs .roperties dialog !ox % >xplain text is limited to a maximum o EBC8 characters, and <ategory >xplain text is limited to a maximum o ,98 characters% Use the ollowing guidelines when you create the ,!plain text3 -ra t the ,!plain text soon a ter creating the speci ication document or the policy setting% This serves as a high-level roadmap or developers, and assists testers in creating a test plan or the policy% "a+e sure your documentation team is availa!le to help create the >xplain text% Target the >xplain text to the Group Policy administrator, rather than the end user%
&*
Use the ollowing template or the >xplain text, and ma+e sure that you include the ollowing items3 $rite a one- or two-line description o the policy setting% $rite a one- or two-line description o the eature that the policy setting a ects% Use separate paragraphs within your >xplain text or each policy setting state, as ollows3 & you ena!le this policy settingKLdescri!e ena!led !ehaviorM% & you disa!le this policy settingKLdescri!e disa!led !ehaviorM% & you do not con igure this policy settingKLdescri!e de ault !ehaviorM% &nclude tips or using the policy setting% &nclude notes or interactions that this policy has with other settings% &tems that are not covered !y this policy setting% Any other policy settings that are reJuired or your policy setting to unction% Any other policy settings that are related to the same component that your policy setting a ects and which may have a higher or lower priority% For example, i you have a policy setting to restrict access to the 6A; settings or a computer% This policy setting ta+es priority over more speci ic policy settings regarding the actual items you can con igure within a 6A; connection% Any related policies that the administrator needs to !e aware o %
As a !est practice, you should also provide in ormation a!out the ollowing3
The ollowing >xplain text is rom the "ctive Des(top Wallpaper policy setting in the )ser Configuration*"dministrative #emplates*Des(top*"ctive Des(top% This policy setting controls the des+top !ac+ground 'wallpaper( that is displayed on usersN des+tops%
Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp), JPEG (*.jpg), or HTML (*.htm, *.html) file. To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
Language Reference for Administrative Template Files Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. Note: You need to enable the Active Desktop to use this setting. Note: This setting does not apply to Terminal Server sessions.
&+
Best Practices for "evelo ing Registry-Based Policy #ettings

&t is strongly recommended that you do not try to create a single policy setting to control all aspects o your component% Group Policy is easier to implement and use i you have several smaller policy settings% This approach gives you more lexi!ility in designing and modi ying your policy settings% All policy settings should have an associated !ehavior or each o the three possi!le states shown in Ta!le A3 Table 2 Policy #tates and Associated Be-aviors
7nabled Turns on t-e be-avior indicated by t-e olicy name "isabled Turns off t-e be-avior indicated by t-e olicy name /ot Configured %as no effect G default be-avior
<onsider the ollowing guidelines when you design your policy settings3 Policy settings are never removed rom the %adm iles supplied !y $indows operating systems% >ven i su!seJuent versions o $indows no longer support the policy setting, "icroso t will continue to include that policy setting in %adm iles or all uture $indows operating systems that support Group Policy% <omputer policy settings should override user policy settings% The ,nabled !ehavior should !e the opposite o the de ault !ehavior% For example, i a eature is on !y de ault, the policy setting should !e named using something li+e 0Turn o L eatureM1, or example, #urn off reminder balloons% By de ault, reminder !alloons are displayed when the = line Files eature is ena!led? they are used to noti y users when they have lost the connection to a networ+ed ile and are wor+ing on a local copy o the ile% & #urn off reminder balloons is set to ,nabled, the system hides the reminder !alloons, and prevents users rom displaying them% <onsider whether administrators need to explicitly disa!le a eature% Hou must understand the di erences !etween the +ot Configured state 'which implies that the administrator does not care( and the Disabled state 'which means that the administrator cares and wants to implement a very speci ic !ehavior(%
&,
"a+e sure that your documentation team is involved with creating the >xplain text% $ell-written >xplain text can help reduce support calls% >ach component should expose a user inter ace that always re lects the policy setting that is applied% For example, i a Group Policy setting removes the a!ility or the user to set a pre erence or a component, the user inter ace should clearly indicate this and access to that particular item in the component should !e removed ' or example, the item is disa!led and grayed-out, or it is not visi!le to users(%
Creating Custom .Adm !iles

Hou can create custom %adm iles to extend the use o registry-!ased policy settings to new applications and components% <reating and implementing custom %adm iles involves the ollowing tas+s3 The application or component must !e ena!led to use Group Policy-ena!led% "any o -the-shel applications or $indows are already Group Policy-ena!led% For example, "icroso t = ice is developed to wor+ with Group Policy settings, and applica!le %adm iles are included in the = ice Resource 2it% & a developerIs application is not already Group Policy-ena!led, the developer must write code that changes the application so that an administrator can apply the application-speci ic Group Policy settings% For more in ormation, see "icroso t Plat orm *o tware -evelopment 2it at http344go%microso t%com4 wlin+456in+&d7,B9EB% A ter the application or component is Group Policy-ena!led, a developer or administrator must write an %adm ile that includes the appropriate settings or that application% <ustom %adm iles are created as text iles that descri!e policy settings% A ramewor+ language is provided or %adm iles, as descri!ed in 06anguage Re erence or Administrative Template Files1 later in this document% $hen you create a new policy setting in a custom %adm ile, it is more e icient i you copy and modi y existing policy settings that are similar to the ones that you want to create, rather than write new policy settings rom scratch% To use an existing %adm ile as a template or a custom %adm ile, irst copy the original %adm ile into a new ile with a di erent ile name, and then edit the new ile% *imilar policy settings can provide3 A model to use as a !asis or your Group Policy settings% <onsistency with availa!le policy settings% &n ormation a!out possi!le interactions !etween policies%
Administrators use the Group Policy "anagement <onsole to view and manage GP=s and use the Group Policy =!.ect >ditor to view the "dministrative #emplates node under Computer Configuration or )ser Configuration%
&5
Caution
Treat t-e .adm files t-at s-i in t-e o erating system as readonly files. T-ese files are often u dated w-en you install service ac3s or future releases of t-e roduct. Policy settings s-ould never be removed from .adm files t-at are included in t-e o erating system by default.
2eep in mind that !y itsel , the %adm ile does not actually apply Group Policy to the client computer% Hou must have a corresponding component or application that responds to the registry +ey that is a ected !y the policy setting% The ollowing code example illustrates a simple %adm ile%
CLASS USER CATEGORY !!DesktopLockDown POLICY !!DisableTaskMgr EXPLAIN !!DisableTaskMgr_Explain VALUENAME "DisableTaskMgr" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 KEYNAME "Software\Policies\System" END POLICY END CATEGORY [strings] DisableTaskMgr="Disable Task Manager" DisableTaskMgr_Explain="Prevents users from starting Task Manager" DesktopLockDown="Desktop Settings"
This sample code exists in the *ystem%adm ile% &t allows you to con igure a policy called Disable #as( -anager, which appears in the Group Policy =!.ect >ditor namespace in )ser Configuration*"dministrative #emplates*Des(top Settings% This policy setting de ines the ollowing !ehavior3 & an administrator ena!les this policy setting, it creates a registry +ey called Disable#as(-gr and set its value to @% The $"0),'+ tag implements this !ehavior% &n this case, users cannot start Tas+ "anager% & an administrator disa!les this policy setting, it creates a registry +ey called Disable#as(-gr and set its value to B% The $"0),'&& tag implements this !ehavior% &n this case, users can start Tas+ "anager% &n !oth cases, the Disable#as(-gr registry +ey is created !elow /1C)*Soft%are*.olicies*System in the registry% ;ote that the +ey is created under C0"SS )S,2 and not under C0"SS -"C/I+, !ecause this is a user policy setting% & an administrator sets this policy setting to +ot Configured, it deletes the registry +ey called Disable#as(-gr. &n this case, users can start #as( -anager%
&6
Ta!le E lists where registry-!ased policy settings are stored in any o the our approved registry locations or Group Policy% Table 4 A roved Registry @ey 1ocations for 'rou Policy #ettings
?ser Policy #ettingA %@C?B#oftwareBPolicies 8T-e referred location< %@C?B#oftwareB,icrosoftB&indowsBC urrent6ersionBPolicies Com uter Policy #ettings %@1,B#oftwareBPolicies 8T-e referred location< %@1,B#oftwareB,icrosoftB&indowsBC urrent6ersionBPolicies
The registry +eys are created when a GP= containing an ena!led or disa!led registry-!ased policy setting is applied% & the GP= is later removed ' or example, unlin+ed rom an =U in which a user resides(, the registry +eys associated with it are also removed% *ecurity prohi!its a standard user rom changing the registry +eys% A local administrator can overwrite these registry +eys, and thus change or disa!le the !ehavior o the policy setting% For this reason, as a Group Policy administrator, you might want to ena!le the 2egistry policy processing policy setting 'located in Computer Configuration*"dministrative #emplates*System*3roup .olicy (and select the ollowing option3 .rocess even if the 3roup .olicy ob4ects have not changed. *electing this option updates and reapplies the policy settings even i you -- the Group Policy administrator -- have not changed the policy settings% This provides an additional sa eguard in the event that local administrators try to change policy settings through the registry% Policy settings are reapplied during the regular !ac+ground re resh o Group Policy, which occurs !y de ault every CB minutes with a randomi/ed delay o up to AB minutes%
%ow to &rite a #im le .Adm !ile for Registry-based 'rou Policy

This section shows you how to create a simple %adm ile or delivering registry-!ased Group Policy settings% The code samples provided are parts o a single %adm ile% Please re er to 06anguage Re erence or Administrative Template Files,1 later in this document or ull details a!out the %adm language% The sections o the sample %adm ile illustrate how to set a registry value to3 Turn a eature on or o % Allow the selection o one or more values rom a list% -isplay a list with add and remove !uttons% >nter >-&TT>)T and static text%
&#
-isplay a numeric list to the administrator% -isplay a numeric list to the administrator, using a spin control% -isplay an actiona!le list to an administrator%
To #et a Registry 6alue to Turn a !eature O/ or O!!

This sample code displays a chec+ !ox% The value is set in the registry with the R>GO-$=Rtype% By de ault, the chec+ !ox is clear% & the chec+ !ox is selected, it writes the value @ to the registry% & the chec+ !ox is clear, it writes the value B to the registry%
CLASS USER CATEGORY!!SampleCategory KEYNAME "SOFTWARE\Policies\Microsoft\ADM_Samples" POLICY!!Sample_ADM_FeatureOnOff #if version >= 4 SUPPORTED!!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_FeatureOnOff_Help VALUENAME "ADM_Sample_FeatureOnOff" VALUEON 1 VALUEOFF 0 END POLICY END CATEGORY
To #et a Registry 6alue to Allow t-e #election of One or ,ore 6alues from a 1ist
Hou can use D2'.D'W+0IS# to display a com!o !ox with a drop-down style list% Hou can pre-populate the list o items that are displayed in the list and the corresponding registry value to !e written or each item in the list%
POLICY!!Sample_ADM_DropDownList #if version >= 4 SUPPORTED!!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_DropDownList_Help PART!!Sample_ADM_DropDownList DROPDOWNLIST REQUIRED VALUENAME "Sample_ADM_DropDownList" ITEMLIST NAME !!Sample_ADM_DropDownList_Always VALUE NUMERIC 1 DEFAULT NAME !!Sample_ADM_DropDownList_WorkStationOnly VALUE NUMERIC 2 NAME !!Sample_ADM_DropDownList_ServerOnly VALUE NUMERIC 3 END ITEMLIST END PART END POLICY
&$
To #et a Registry 6alue to "is lay a 1ist wit- Add and Remove Buttons
Hou can use registry-!ased Group Policy to display a list !ox that contains Add and Remove !uttons% By de ault, only one column appears in the list !ox, and or each entry, a value is created where the name and value are the same% For example, a name entry in the list !ox creates a value called name that contains data la!eled name%
POLICY!!Sample_ADM_ListBox #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_ListBox_Help PART!!Sample_ADM_DropDownList LISTBOX KEYNAME "Sample_ADM_ListBox" END PART END POLICY
To #et a Registry 6alue for 7"ITT70T and #tatic Te9t

This setting allows the user to type alphanumeric text in an edit ield% The text is set in the registry with the R>GO*P type% The ollowing code is an example o how you can use the ,DI##,5# ."2# type%
POLICY!!Sample_ADM_EditText #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_EditText_Help PART!!Sample_ADM_EditText EDITTEXT VALUENAME "ADM_Sample_EditText" END PART END POLICY
&%
To #et a Registry 6alue for "is laying a /umeric 1ist to t-e Administrator
To display a list o num!ers rom which administrators can select one o the prede ined numeric values, you can use a ;U">R&< PART type%
POLICY!!Sample_ADM_Numeric #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_Numeric_Help PART!!Sample_ADM_Numeric NUMERIC VALUENAME "ADM_Sample_Numeric" END PART END POLICY
To #et a Registry 6alue for "is laying a /umeric 1ist to t-e Administrator: ?sing #PI/ Control
To display a list o num!ers rom which administrators can select one o the prede ined numeric values, you can use a *P&; control%
POLICY!!Sample_ADM_Spinner #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_Spinner_Help PART!!Sample_ADM_Spinner NUMERIC VALUENAME "ADM_Sample_Spinner" MIN 5 MAX 23 DEFAULT 14 SPIN 3 END PART END POLICY
*'
To #et a Registry 6alue to "is lay an Action1ist to an Administrator

To speci y a set o ar!itrary registry changes to ma+e in response to a control !eing set to a particular state, you can use the "C#I'+0IS# option%
POLICY!!Sample_ADM_ActionList #if version >= 4 SUPPORTED !!SUPPORTED_WindowsXPSP1 #endif EXPLAIN!!Sample_ADM_ActionList_Help ACTIONLISTON KEYNAME "SOFTWARE\Policies\Microsoft\ADM_Sample\ActionOnList" VALUENAME "Action1" VALUE NUMERIC 1 KEYNAME "SOFTWARE\Policies\Microsoft\ADM_Sample\ActionOnList" VALUENAME "Action2" VALUE NUMERIC 7 KEYNAME "SOFTWARE\Policies\Microsoft\ADM_Sample\ActionOnList" VALUENAME "Action1" VALUE NUMERIC 100 END ACTIONLISTON ACTIONLISTOFF KEYNAME "SOFTWARE\Policies\Microsoft\ADM_Sample\ActionOnList" VALUENAME "Action1" VALUE NUMERIC 0 KEYNAME "SOFTWARE\Policies\Microsoft\ADM_Sample\ActionOnList" VALUENAME "Action2" VALUE NUMERIC 0 KEYNAME "SOFTWARE\Policies\Microsoft\ADM_Sample\ActionOnList" VALUENAME "Action1" VALUE NUMERIC 0 END ACTIONLISTOFF END POLICY
Testing Administrative Tem late !iles

This section provides recommended procedures or testing %adm iles% Hou should always test policy settings !e ore deploying them in GP=s% Hour test plan should examine and document the ollowing or each policy setting3 The de ault !ehavior The !ehavior when the policy setting is ena!led, disa!led, or not con igured
*&
<hanges in the user inter ace when a policy setting is ena!led, disa!led, or not con igured The possi!le settings that the policy setting can !e con igured as The associated !ehavior% For example, does con iguring the policy setting a ect other policy settings, or is one policy setting dependent on another5 Any associated pre erences The !ehavior o the associated pre erences The !ehavior in the event o invalid input !y an administrator
First, test your new policy settings individually% ;ext, test how each policy setting interacts with other policy settings that are similar, or policy settings that are also designed to manage the a ected component% *uppose or example that you create a policy setting to con igure the wallpaper that is displayed on your clientsI des+tops% The list o policy settings that ship with $indows *erver ,BBA includes other wallpaper policy settings% &n this scenario, you should test how these policy settings interact% Any issues that arise should !e addressed or documented in the >xplain text% Testing should ensure that the user inter ace is policy-aware% & the user inter ace is not aware o the policy setting, the user experience might !e con using% For example, i your policy setting restricts access to a certain item in a component, then no access to this component and its con iguration should !e availa!le in the user inter ace% *ome ways to achieve this are3 Removing the item completely visually Gray-out the item and disa!le it
Creating an .Adm Test !ile

To simpli y testing, create a sample %adm ile or your policy setting% By doing this step, you can isolate testing o the new policy settings until they are ready to !e merged into a larger %adm ile, i appropriate% Hour test plan should include the ollowing validations3 Hour policy settings display and can !e con igured in Group Policy =!.ect >ditor, and can !e set to all pertinent com!inations o values% The settings are con igured properly on the client when con igured in a GP=, and the component responds appropriately to the policy setting% Hou can generate settings and Resultant *et o Policy 'R*oP( reports or your policy settings !y using Group Policy "anagement <onsole% The >xplain text or the policy setting is accurate and thoroughly explains how your policy setting wor+s% &t should descri!e the !ehavior or all states o the setting3 ,nabled, Disabled, and +ot Configured%
**
1oading an .Adm !ile into t-e 'rou Policy #na -in

A ter you create an %adm ile, you can load it into the Administrative Templates section o Group Policy =!.ect >ditor !y per orming the ollowing procedure%
To load your .adm file into 'rou Policy Ob;ect 7ditor

(. =pen Group Policy =!.ect >ditor% *. Under either Computer Configuration or )ser Configuration, right-clic+ "dministrative #emplates, and then clic+ "dd/2emove #emplates% 2. &n the "dd/2emove #emplates dialog !ox, clic+ "dd% 4. ;avigate to the older containing the %adm ile that you would li+e to add% *elect the ile, and then clic+ 'pen% 4. -o one o the ollowing3 (. & your %adm ile was success ully loaded, in the "dd/2emove #emplates dialog !ox, clic+ Close% Hour policy template has !een added success ully% *. & your %adm ile was not success ully loaded, a dialog !ox is displayed, showing the error and line num!er o the error% "a+e a note o the errors that were ound, and clic+ '1% Although your %adm ile was not success ully loaded, it still appears in the list o %adm iles loaded% *elect your %adm ile, clic+ 2emove, and then clic+ Close% >dit the %adm ile and correct any pro!lems%
,aintaining and ,anaging .Adm !iles

This section provides guidance to ensure that your %adm iles are properly con igured or your administrative wor+stations% >ach domain-!ased GP= maintains a single older in the *ysvol older o each domain controller% This older, +nown as the Group Policy template, contains all o the %adm iles that were used in the Group Policy =!.ect >ditor when the GP=s were last created or edited% >ach $indows *erver operating system includes a standard set o %adm iles that are loaded !y de ault into the Group Policy =!.ect >ditor% By de ault, the ollowing %adm iles are pre-loaded with a $indows ,BBB or later operating system3 *ystem%adm <on %adm &netres%adm $mplayer%adm
$indows *erver ,BBA and $indows )P include the ollowing additional %adm iles3
*+
/ote Caution
Because If you create of t-e a 'PO im ortance and do not of timestam edit it: you s on will .adm create file a 'rou Policy tem late management: it wit-out is recommended any associated t-at you .adm do files. not edit systemsu lied .adm files. If a new olicy setting is reEuired: it is -ig-ly recommended t-at you create a custom .adm file. T-is revents t-e override of system-su lied .adm files w-enever service ac3s are released.
$uau%adm
Im ortance of Timestam s for .Adm !iles

>ach administrative wor+station that is used to run the Group Policy =!.ect >ditor stores its %adm iles in the FwindirFG&n older% $hen GP=s are created and irst edited, the %adm iles rom this older are copied to the *ysvol and replicated to all the domain controllers% This includes the standard %adm iles and any custom %adm iles that are created !y the administrator% By de ault, when you edit GP=s, the Group Policy =!.ect >ditor compares the timestamps o the %adm iles in the wor+stationIs FwindirFG&n older 'local %adm iles( with those that are stored in the *ysvol 'these are the %adm iles used !y the GP= that is !eing edited(% & the local %adm iles are newer, the Group Policy =!.ect >ditor copies these iles to the *ysvol, overwriting any existing iles o the same name% This comparison occurs whenever the Administrative Templates node 'under <omputer or User <on iguration( is selected in the Group Policy =!.ect >ditor, regardless o whether the administrator actually edits the GP=%
"u licate -AT(!.R/ #ections

& the %adm ile that you add includes a duplicate C"#,3'26 to one that is used in an existing %adm ile, the policy settings are merged% An error can occur when the existing and the added %adm ile contain the same C"#,3'26, and !oth o them have a de ault 1,6+"-, speci ied 'regardless o whether it is the same name(% & these conditions are met, the ollowing error message appears%
Key name specified more than once. Likely causes are: 1) the KEYNAME tag is defined multiple times in this category, 2) this KEYNAME is already defined in another category with the same name, 3) this KEYNAME is already defined in another category with the same name in a different .adm file.
*,
.Adm !iles ?sed by t-e 'rou Policy Ob;ect 7ditor

By de ault, the irst time the Group Policy =!.ect >ditor is started or a speci ied GP=, it copies the *ystem%adm ile rom the current computerIs FwindirFGin G directory to the GP=% *u!seJuently, only those %adm iles speci ied in the list are displayed% >ach time you open Group Policy =!.ect >ditor, the Group Policy =!.ect >ditor also chec+s the listed %adm iles and copies any newer versions rom the local computerNs FwindirFGin G directory to the GP=%
.Adm !iles ?sed by 'P,C

By de ault, GP"< always uses local %adm iles, regardless o their time stamp, and it never copies %adm iles to *ysvol% & an %adm ile is not ound locally, GP"< loo+s or the %adm ile in the *ysvol% &n GP"<, you can speci y an alternative location or %adm iles% & an alternative location is speci ied, this alternative location ta+es precedence%
Controlling .Adm !ile Re lication

Because %adm iles are stored in the Group Policy template !y de ault, they increase the *ysvol older si/e% The File Replication *ervice 'FR*( replicates all o the %adm iles or GP=s throughout the domain% & you edit GP=s reJuently, you might experience a signi icant amount o replication tra ic% Hou can use a com!ination o the #urn off automatic updates of adm files and "l%ays use local adm files for 3roup .olicy 'b4ect ,ditor policy settings to reduce the si/e o the *ysvol older and policy-related replication tra ic%
Turn Off Automatic ? dates of .Adm !iles

The #urn off automatic updates of adm files policy setting is availa!le under )ser Configuration*"dministrative #emplates*System*3roup .olicy in $indows *erver ,BBA, $indows )P, and $indows ,BBB operating systems% $hen this policy setting is ena!led, the updating o an existing GP= remains local to the administrative wor+station, and %adm iles are not sent rom the local computer to the *ysvol%
*5
/ote
If t-is In &indows olicy*+++ setting o is erating enabled: systems: t-e Turn w-en off you automatic edit a 'PO for t-e first time updates of adm t-e local files.adm olicy files setting are u is loaded also imto lied. t-e #ysvol: wit-out regard to -ow t-is olicy setting is set. If t-is olicy setting is enabled in &indows 0P: .adm files are not u loaded w-en a 'PO is edited for t-e first time. T-e first time t-at t-e 'PO is edited mig-t or mig-t not be w-en t-e 'PO is created.
Always ?se 1ocal .Adm !iles for 'rou Policy Ob;ect 7ditor
The "l%ays use local "D- files for 3roup .olicy 'b4ect ,ditor policy setting is availa!le under Computer Configuration*"dministrative #emplates*System*3roup .olicy in $indows *erver ,BBA and $indows )P Pro essional% $hen a GP= is created, this policy setting has no immediate e ect, and the %adm iles on the local computer are still uploaded to the *ysvol% Qowever, when you edit an existing GP=, any %adm iles that are stored in the *ysvol are ignored, and Group Policy =!.ect >ditor uses the %adm iles rom the local computer only% & a policy setting has !een set in the GP=, !ut the corresponding %adm ile that descri!es the policy setting is not availa!le on the local computer, Group Policy =!.ect >ditor does not display that policy setting%
To clear t-e #ysvol folder of .adm files

(. >na!le the #urn off automatic update of adm files policy setting or all Group Policy administrators who will !e editing GP=s and veri y that this policy has !een applied% *. <opy any custom %adm templates to the FwindirFG&n older% 2. >dit existing GP=s, and right-clic+ "dministrative #emplates, and then clic+ "dd/2emove #emplate to remove all %adm iles rom the *ysvol% 4. >na!le the "l%ays use local adm files for 3roup .olicy 'b4ect ,ditor policy setting or administrative wor+stations%
,aintaining .Adm files on Administrative &or3stations

$hen you use the "l%ays use local adm files for 3roup .olicy 'b4ect ,ditor policy setting, ma+e sure that each wor+station has the latest version o the de ault and custom %adm iles% & all %adm iles are not availa!le locally, some policy settings that are contained in a GP= will not !e visi!le to the administrator% Avoid this !y implementing a standard operating system and service pac+ version or all administrators% & you cannot use a standard operating system and service pac+, implement a process to distri!ute the latest %adm iles to all administrative wor+stations%
*6
/ote
Because t-e wor3station adm files are stored in t-e Hwindir HBInf folder: any rocess t-at is used to distribute t-ese files must run in t-e conte9t of an account t-at -as administrative credentials on t-e wor3station.
,ultilanguage Administration Issues

&n some environments, policy settings must !e presented to the user inter ace in several languages% Because the GPT older can store only one set o %adm iles, you cannot use the GPT older to store %adm iles or multiple languages% For $indows ,BBB operating systems, the use o local %adm iles or the Group Policy =!.ect >ditor is not supported% & you are using $indows ,BBB, use the #urn off automatic updates of adm files policy setting% Because this policy setting has no e ect on the creation o new GP=s, the local %adm iles will !e uploaded to the GPT older in $indows ,BBB% <reating a GP= in $indows ,BBB e ectively de ines the language o the GP=% & the #urn off automatic updates of adm files policy setting is in e ect on all computers running $indows ,BBB, the language o the adm iles in the GPT older will !e de ined !y the language o the computer that is used to create the GP=% & you are using $indows ,BBB wor+stations, use the #urn off automatic updates of adm files policy setting or administrators, and consider the adm iles in the GPT older to !e the e ective language or all $indows ,BBB wor+stations% For administrators who are using $indows *erver ,BBA and $indows )P operating systems, the "l%ays use local adm files for 3roup .olicy 'b4ect ,ditor policy setting can !e used% For example, this policy setting allows a French administrator to view policy settings !y using the French %adm iles that are installed locally, regardless o the adm ile that is stored in the GPT older% ;ote that when you use this policy setting, it is implied that the #urn off automatic updates of adm files policy setting is also ena!led, to avoid unnecessary updates o the adm iles to the GPT older% <onsider standardi/ing on $indows *erver ,BBA or administrative wor+stations in a multilanguage administrative environment% <on igure !oth the "l%ays use local adm files for 3roup .olicy 'b4ect ,ditor and #urn off automatic updates of adm files policy settings%
O erating #ystem and #ervice Pac3 Release Issues

>ach operating system or service pac+ release includes a superset o the %adm iles provided !y earlier releases, including policy settings that are speci ic to operating systems that are di erent to those o the new release% For example, the %adm iles that are provided with $indows *erver ,BBA include all policy settings or all operating systems, including those that are only relevant to $indows ,BBB or $indows )P Pro essional% This means that only viewing a GP= rom a computer with the new release o an operating system or service pac+ e ectively upgrades the %adm iles% Because later releases are typically a superset o previous %adm iles this
*#
/ote
T-e Always use local adm files for !roup "olicy .01ect (ditor olicy is ty ically used wit- t-e Turn off automatic updates of adm files olicy setting: 8t-at is: w-en it is su orted by t-e o erating system from w-ic- you are running 'rou Policy Ob;ect 7ditor<.
will not typically create pro!lems, assuming that the %adm iles that are !eing used have not !een edited% &n some situations, an operating system or service pac+ release includes a su!set o the %adm iles that were provided with earlier releases% This has the potential to present an earlier su!set o the %adm iles, resulting in policy settings no longer !eing visi!le to administrators when they use Group Policy =!.ect >ditor% Qowever, the policy settings will remain active in the GP=--only the visi!ility o the policy settings in Group Policy =!.ect >ditor is a ected% Any active 'either ,nabled or Disabled( policy settings are not visi!le in Group Policy =!.ect >ditor, !ut remain active% Because the settings are not visi!le, it is not possi!le or the administrator to view or edit these policy settings% To wor+ around this issue, administrators must !ecome amiliar with the %adm iles that are included with each operating system or service pac+ release !e ore using the Group Policy =!.ect >ditor on that operating system, +eeping in mind that the act o viewing a GP= is enough to update the %adm iles in the GPT, when the timestamp comparison determines an update is appropriate% To plan or this in your environment, it is recommended that you either3 -e ine a standard operating system4service pac+ rom which all viewing and editing o GP=s occurs, ma+ing sure that the %adm iles !eing used include the policy settings or all plat orms% Use the #urn off automatic updates of adm files policy setting or all Group Policy administrators to ma+e sure that %adm iles are not overwritten in the *ysvol !y any Group Policy =!.ect >ditor session, and ma+e sure that you are using the latest %adm iles that are availa!le rom "icroso t%
@eyboard #-ortcuts for Administrative Tem lates /ode

Hou can use the ollowing +ey!oard shortcuts to navigate the Administrative Templates namespace3 *Q&FTRasteris+ 'S( 'on the +eypad only( automatically expands the current node and all o its child nodes% The plus sign 'R( on the +eypad expands one level% "inus '-( on the +eypad collapses one level% -ou!le-clic+ a policy in the results pane to !ring up the .roperties page%
*$
$hen the .roperties page appears, move it out rom in ront o the Group Policy =!.ect >ditor window% Then, clic+ !ac+ one o the .olicies in the results pane% Hou can now use the cursor +eys to navigate up and down the list% ;otice that the in ormation in the .roperties page changes% This method also wor+s or the text on the ,!plain ta!% Hou can also use the Ta! +ey to move !ac+ and orth !etween the tree pane and the results pane, while leaving the .roperties page open%
&-at.s /ew for Administrative Tem late !iles in &indows 0P #P*

$indows )P *P, includes modi ications to tools used to administer Group Policy% This includes changes to the 0IS#7'5 "DDI#I$, !ehavior, which is implemented through an update to gptext%dll% This section includes details o these changes% For in ormation a!out managing new eatures released in $indows )P *P,, see "anaging $indows )P *ervice Pac+ , Features Using Group Policy at http344go%microso t%com4 wlin+45 6in+&d7A@CTE%
C-anges to 1I#TBO0 A""ITI67

Policy settings de ined !y the 0IS#7'5 +eyword allow you to manage multiple values under one registry +ey% $hen 0IS#7'5 is used, the speci ied settings are written as a 2,38-)0#I registry value type, which allows or multiple values to !e stored within one registry +ey% An example o the use o 0IS#7'5 is the Windo%s &ire%all9 Define .ort ,!ceptions policy setting, located in Computer Configuration*"dministrative #emplates*+et%or(*+et%or( Connections*Windo%s &ire%all, under !oth the Domain .rofile and Standard .rofile nodes% By de ault, when 6&*TB=) policy settings are used in multiple GP=s, the list o the values written to the registry is de ined entirely !y the last GP= applied '0last writer wins1(% The additive +eyword changes the !ehavior so that the aggregate values rom multiple GP=s are applied% For example, suppose that you have two GP=s with the ollowing values or the Windo%s &ire%all9 Define .ort ,!ceptions policy setting3 GP= x% *ets values A, B, and <% GP= y% *ets values -, >, and F%
$ithout the additive +eyword, only the values -, >, and F in GP= y are applied to the registry o targeted computers% This is !ecause GP= y is the last GP= applied% $ith the additive +eyword, all o the values rom !oth GP=s are applied3 A, B, <, -, >, and F%
*%
The 6&*TB=) A--&T&U> !ehavior in $indows )P with *P, gives you more lexi!ility in determining the values that will !e applied to targets in a given Active -irectory container% For example, the a!ility to disa!le policy settings rom lower precedent GP=s is a +ey tenet o Group Policy management% Prior to $indows )P with *P,, the disa!led !ehavior had no e ect or policy settings that used 6&*TB=) A--&T&U>% Furthermore, prior to $indows )P with *P,, 6&*TB=) A--&T&U> was only ound in several, rarely used policy settings a ecting o line iles% &n $indows )P with *P,, 6&*TB=) A--&T&U> is used more prominently including policy settings that a ect $indows Firewall and &nternet >xplorer% There ore, in $indows )P with *P,, the disa!led !ehavior now unctions as expected3 removing any entries inherited rom other lower precedent GP=s% For example, suppose GP=s with values A, B, and < is normally applied to all computers in a domain% But, as an =U administrator, you wish to prevent these values rom ta+ing e ect on computers in your =U% Hou can create a new GP= to disa!le values A, B, and <% This is illustrated in the ollowing example3 GP= x% >na!les values A, B, and < or all computers in the domain% GP= /% -isa!les values A, B, and <% or all computers in your =U% GP= y% >na!les values -, >, and F or all computers in the domain%
&n this scenario, the values -, >, and F are applied to the computers in your =U% Because, the disa!led unctionality only wor+s when using the latest version o the gptext%dll, all policy settings that use 6&*TB=) A--&T&U> are enclosed !y the Vi version M 9 KVend i construct% This eliminates the possi!ility o having multiple administrators experiencing di erent disa!led !ehavior i they are using earlier versions o gptext%dll% <onseJuently, the policy settings that use 6&*TB=) A--&T&U> are not visi!le when editing a GP= rom a computer running $indows *erver ,BBA, $indows )P with *P@, or $indows ,BBB operating systems% & you have administrative wor+stations that are not using $indows )P with *P,, you will need to install a hot ix in order to manage these policy settings% For more in ormation, see the 0W*tring too longKI Qot ix or >arlier =perating *ystems or *ervice Pac+s1 section later in this document%
,anaging Policy #ettings on 7arlier O erating #ystems or #ervice Pac3s

The %adm iles that use the 6&*TB=) A--&T&U> syntax do not ully load on earlier versions o the Group Policy =!.ect >ditor 'gpedit(, which is present !y de ault in $indows *erver ,BBA, $indows )P with *P@, and $indows ,BBB% & attempted, multiple error messages will appear when the system%adm and inetres%adm iles are loaded in earlier versions o gpedit% The error message is XThe ollowing entry in the YstringsZ section is too long and has !een truncated%X This occurs !ecause earlier versions o gpedit cannot correctly handle the 0Vi
+'
version M7 9 4 Vendi 1 construct in the inetres%adm and system%adm iles% Although clic+ing '1 on all the pop-up error messages does result in the %adm iles loading correctly, the new $indows )P *P, policy settings that use the 6&*TB=) syntax will not !e displayed% 'This pro!lem does not occur on computers running $indows )P with *P, or computers that have !een updated with the latest version o gpedit%( This issue is o particular signi icance !ecause o the way %adm iles are distri!uted through a domain% By de ault, when a GP= is opened, a comparison is made !etween the timestamps o the %adm iles stored in the GP= !eing edited and those on the local computer% & the local %adm iles have a more recent timestamp then they are uploaded to the domain controller and replicated throughout the domain% From that point, all earlier versions o gpedit use the new %adm iles% This scenario is illustrated in the ollowing steps% (. &nstall $indows )P *P, on the administrative computer% *. =pen existing GP= in Group Policy =!.ect >ditor% The %adm ile stored on the administrative computer is uploaded to domain controller% GP= is XupgradedX to $indows )P *P,% 2. This %adm ile is replicated to all domain controllers in the domain% 4. & the GP= is opened !y other administrative wor+stations in the domain that are not running $indows )P with *P, or the latest version o gpedit, error messages appear%
=#tring Too 1ongI> %otfi9 for 7arlier O erating #ystems and #ervice Pac3s
& you or other administrators in your organi/ation are going to manage policy settings on computers running earlier operating systems or service pac+s ' or example, $indows *erver ,BBA or $indows )P with *P@(, you need to install a hot ix in order or policy settings to appear correctly in the Group Policy =!.ect >ditor% These hot ixes are availa!le or the ollowing3 $indows *erver ,BBA $indows )P with *P@ $indows ,BBB
To o!tain these hot ixes, see article :E,CAA, XXThe ollowing entry in the YstringsZ section is too long and has !een truncatedX error message when you try to modi y or to view GP=s in $indows *erver ,BBA, $indows )P Pro essional, or $indows ,BBB,X in the "icroso t 2nowledge Base at http344go%microso t%com4 wlin+456in+&d7EEE@% & you are going to manage policy settings rom wor+station computers running $indows )P with *P, only, you will !e a!le to manage policy settings without applying any hot ixes% For example, you will !e a!le to run the Group Policy =!.ect >ditor and view all the new policy settings delivered with $indows )P *P,%
+&
Im ortant
O ening a 'PO on a com uter running &indows 0P wit- #P* causes all ot-er administrative wor3stations to use t-e new .adm files 8note t-at no c-anges need be made to t-e 'PO for t-is to occur<. T-is will generate error messages w-en earlier versions of g edit are loaded. !or more information about t-is issue: see article $4*F22: JJT-e following entry in t-e KstringsL section is too long and -as been truncatedJ error message w-en you try to modify or to view 'POs in &indows #erver *++2: &indows 0P Professional: or &indows *+++:J in t-e ,icrosoft @nowledge Base at -tt ADDgo.microsoft.comDfwlin3DM1in3IdN444(.
By installing the hot ix or $indows *erver ,BBA, $indows )P with *ervice Pac+ @, and $indows ,BBB, you ensure that the $indows )P *P, %adm iles load correctly on these plat orms%
1anguage Reference for Administrative Tem late !iles

This section includes a complete re erence guide or using the %adm language to create policy settings% >ach %adm ile can contain /ero or more policy settings, and each policy setting in turn can contain /ero or more parts% The %adm language includes the ollowing components3 <omments *trings <6A** <AT>G=RH P=6&<H PART &T>"6&*T A<T&=;6&*T
+*
.Adm !ile 1anguage 6ersions

Hou can speci y that any part o your %adm ile !e evaluated only in speci ic versions o the Group Policy editing tools% Ta!le 9 lists the versions o the Group Policy editing tools% Table 4 6ersions of 'rou Policy 7diting Tools
O erating #ystem8s< &indows 0P #P* &indows #erver *++2 and &indows 0P &indows #erver *+++ &indows /TO 2.9 and 4.9 &indows F4 4.+ 4.+ 2.+ *.+ (.+ 6ersion Ty e 'rou Policy 'rou Policy 'rou Policy #ystem Policy #ystem Policy
Comments
Hou can use two methods to add comments to an %adm ile% Hou can precede the comment either with a semicolon '?( or with two orward slashes '44(% Hou can place comments at the end o any valid line%
#trings
To add strings to an %adm ile, precede the text with two exclamation points '[[(% At the end o the %adm ile, all strings must !e de ined in the YstringsZ section% The strings must !e enclosed in Juotation mar+s 'X(% =ptionally, you can enclose a varia!le name or hard-coded string in Juotation mar+s%
79am le
POLICY 34]!!LimitSize EXPLAIN!!LimitSize_Explain TIP1 Limit Profile Size to ; This string is stored in the strings section ; This string is hard coded
[strings] LimitSize="Limit profile size" LimitSize_Explain="Limits the size of user profiles"
Best Practice
Place all strings in the YstringsZ section o the %adm ile% This acilitates conversion o the %adm ile to other languages 'that is, or locali/ation(, as you only need to modi y the YstringsZ section o an %adm ile to port it to di erent languages%
++
/ote
Cou can create define multi c-ild nodes le -LA22 by nesting U2(R a or-AT(!.R/ -LA22 3A-4I5( wit-in sections -AT(!.R/ anot-er in an .adm file. . &-en t-e file is rocessed: all t-e -LA22 U2(R sections are merged: and all -LA22 3A-4I5( sections are merged. %owever: for ease of ongoing .adm file management: it is recommended t-at you define -LA22 U2(R or -LA22 3A-4I5( once.
C1A##
This component de ines where your policy setting is displayed in the Group Policy =!.ect >ditor% The irst entry in the %adm ile is the +eyword C0"SS% This speci ies whether the su!seJuent entries should !e displayed under the Computer Configuration or )ser Configuration node o Group Policy =!.ect >ditor%
#ynta9
The C0"SS syntax is as ollows3
CLASS name
Name
This de ines the name o the C0"SS, which must !e "A<Q&;> or U*>R% & the %adm ile contains a C0"SS other than the valid classes '"A<Q&;> or U*>R(, the errors are ignored when loaded in Group Policy =!.ect >ditor%
79am le
The ollowing examples illustrate the use o the <6A** component%
CLASS MACHINE CLASS USER
CAT7'ORC
A ter you de ine the C0"SS component, you can use the C"#,3'26 component to display a node name under which your policy setting is displayed in the Group Policy =!.ect >ditor%
#ynta9
To speci y a C"#,3'26, use the ollowing syntax%
CATEGORY!!name KEYNAME key name [policy definition statements]
+,
Using Administrative Template Files with Registry- ased !roup "olicy END CATEGORY
name
The C"#,3'26 name as it should appear in the Group Policy =!.ect >ditor list !ox% =ptionally, you can enclose the varia!le name in Juotation mar+s 'X(% ;ames with spaces must !e enclosed in Juotation mar+s%
key name
The +ey name is an optional path to the registry +ey to use or the C"#,3'26% -o not use /1,680'C"08-"C/I+, or /1,68C)22,+#8)S,2 in the registry path as the preceding C0"SS statement speci ies the +eys to use% & you speci y a +ey name, all child categories, policies, and parts will use this +ey name, unless they speci ically provide a +ey name o their own% ;ames with spaces must !e enclosed in dou!le Juotation mar+s% & a +ey name is not speci ied and i no higher level category speci ies a +ey name, each policy in this category must speci y its own +ey name3 otherwise, the +ey name or the next category that does speci y a +ey name will !e used%
policy definition statements

A C"#,3'26 can include /ero or more .'0IC6 statements% A .'0IC6 de inition statement cannot appear more than once within a single category, as shown in the ollowing sample code%
79am le
CLASS USER
; The following categories will be displayed ; under User Configuration
CATEGORY !!Desktop KEYNAME "Software\Policies\System"
; <INSERT POLICIES HERE>
CATEGORY !!InternalApps KEYNAME "Software\Policies\InternalApps"
; <INSERT POLICIES HERE>
END CATEGORY
Language Reference for Administrative Template Files END CATEGORY
+5
[strings] Desktop="Desktop Settings" InternalApps="Line of Business Apps settings"
#u
orted Tag
The Group Policy =!.ect >ditor uses the Supported tag to populate the 2e uirements ield% This tag in orms the Group Policy administrator a!out the plat orms or applications or which the policy setting is supported% For example, many o the policy settings included in the *ystem%adm ile use a Supported tag that speci ies a speci ic service pac+ release% = ten, the string used or the *upported tag will ma+e re erence to multiple operating system or service pac+s% $hile operating system components generally use an operating system or service pac+ re erence in this ield, applications \ which can !e updated outside the release o a service pac+ \ can re er to a speci ic version o an application% The Supported tag is an essential element in the data presented to Group Policy administrators to ensure they are eJuipped with the right in ormation to ma+e in ormed decisions a!out the use o the policy setting% Because your %adm ile may !e locali/ed, it is highly recommended that the Supported tag use the ::Stringname construct, which allows the re erenced string to !e locali/ed easily% &n addition, since the Supported tag is only supported in $indows )P and later operating systems, it should !e enclosed within a $ersion construct, as ollows 'this ensures that the $indows ,BBB version o Group Policy =!.ect >ditor does not attempt to interpret the Supported tag(3
#if version >= 4 SUPPORTED!!SUPPORTED_MyApplication #endif
CAT7'ORC @eywords
The valid +eywords or C"#,3'26 are3 1,6+"-, C"#,3'26 .'0IC6 ,+D S)..'2#,D
+6
/ote
If you -ave a -AT(!.R/ defined wit- a default 6(/5A3( in it: and t-e same category is found again later in t-e .adm file: t-at same default 6(/5A3( is still in effect. T-is means t-at you can get an error message about @7C/A,7 being defined twice: w-en it was actually ;ust defined in t-e same category earlier. To remove t-e error condition: remove t-e du licate category entry.
PO1ICC
To identi y a policy setting that the user can modi y, use the +eyword .'0IC6% The policy and its associated controls are displayed in a dialog !ox that administrators use to set the state o the policy% Hou can use multiple .'0IC6 +ey names under one 1,6+"-,% The ollowing examples illustrate the syntax o P=6&<H%
#ynta9
POLICY name [KEYNAME key name] [EXPLAIN help string] [VALUENAME value name] [CLIENTEXT guid] [part definition statements] END POLICY
name
The name o the policy as it should !e displayed in the Group Policy =!.ect >ditor namespace%
key name
This is an optional path to the registry +ey to use or the category% -o not include /1,680'C"08-"C/I+, or /1,68C)22,+#8)S,2 in the registry path as the preceding <6A** statement determines which o these +eys is used% & you speci y a +ey name, all ."2# de inition statements will use this +ey name unless they speci ically provide a +ey name o their own% & a +ey name is not speci ied and i no higher level category speci ies a +ey name, each policy in this category must speci y its own +ey name3 otherwise, the +ey name or the next category that does speci y a +ey name will !e used%
help string
The Qelp string is the text displayed in the ,!plain ta! o the dialog !ox or the policy setting%
+#
value name
Ualue name is the registry value to modi y% *electing this option sets the value as a R>GO-$=R- o @% <learing the option removes the registry value% To speci y values other than the de ault values, use the $"0),'+ and $"0),'&& statements directly ollowing the corresponding $"0),+"-, statement% These statements are speci ied as ollows3
VALUEON on value VALUEOFF off value
$hen you use these statements, the !ehavior is modi ied such that i the administrator selects the option, the value is set to on value% & the administrator clears the option, the value is set to off value%
guid
This is an optional value that speci ies the glo!ally uniJue identi ier 'GU&-( o the snap-in extension%
part definition statements

A policy can contain /ero or more ."2# statements to speci y various options, including dropdown list !oxes, text !oxes, and text in the lower pane o the Group Policy =!.ect >ditor%
PO1ICC 79am le
CLASS MACHINE
CATEGORY!!DiskQuota
KEYNAME "Software\Policies\MS\DiskQuota"
POLICY!!DQ_Enable EXPLAIN !!DQ_Enable_Help VALUENAME "Enable" VALUEON NUMERIC 1
VALUEOFF NUMERIC 0 CLIENTEXT {3610eda5-77ef-11d2-8dc}
PART!!DQ_EnableTip1 END PART END POLICY
TEXT
+$
Using Administrative Template Files with Registry- ased !roup "olicy END CATEGORY
[strings] DiskQuota="Disk Quotas" DQ_Enable="Enable disk quotas" DQ_Enable_Help="Enables and disables disk quota management" DQ_EnableTip1="Enable disk quotas for all NTFS volumes"
PO1ICC @eywords
The valid +eywords or P=6&<H are3 1,6+"-, ."2# $"0),+"-, $"0),'+ $"0),'&& "C#I'+0IS#'+ "C#I'+0IS#'&& ,+D /,0. C0I,+#,5# .'0IC6
PART
Use ."2# to speci y various options, such as drop-down list !oxes, text !oxes, and text in the lower pane o Group Policy =!.ect >ditor% For a simple policy where you only need to set a registry +ey to either @ or B, you do not need to use ."2#% PART allows a richer system administrator experience, and collects more in ormation rom the administrator through simple controls%
#ynta9
PART name part-type type-dependent data [KEYNAME key name] [VALUENAME value name]
Language Reference for Administrative Template Files END PART
+%
name
*peci ies the ."2# name as it should appear in Group Policy =!.ect >ditor% Hou can enclose it in Juotation mar+s 'X(% ;ames with spaces must !e enclosed in Juotation mar+s 'X(%
part-type
A policy ."2# type% Ta!le 8 lists the valid types or .'0IC6% Table ) Policy PART Ty es
Ty e C%7C@BO0 "escri tion "is lays a c-ec3 bo9. T-e value is set in t-e registry wit- t-e R(!789.R8 ty e. T-e value is ot-er t-an Pero if t-e c-ec3 bo9 is selected and Pero if it is not selected. "is lays a combo bo9. "is lays a combo bo9 wit- a dro -down list style. T-e user may c-oose only one of t-e entries su lied. "is lays a list bo9 wit- Add and Remove buttons. T-is is t-e only PART ty e t-at can be used to manage multi le values under one 3ey. "is lays a te9t bo9 t-at acce ts al -anumeric te9t. T-e te9t is set in t-e registry wit- eit-er t-e R7'Q#R or t-e R7'Q70PA/"Q#R ty e. "is lays a line of static te9t. T-ere is no associated registry value wit- t-is PART ty e. "is lays a te9t bo9 wit- an o tional s in control t-at acce ts a numeric value. T-e value is set in t-e registry wit- t-e R7'Q"&OR" ty e.
CO,BOBO0 "ROP"O&/1I#T
1I#TBO0
7"ITT70T
T70T /?,7RIC
type-dependent data
This is in ormation a!out the ."2#%
key name
This is an optional path to the registry +ey to use% -o not include /1,680'C"08-"C/I+, or /1,68C)22,+#8)S,2 in the registry path as the preceding C0"SS statement determines which o these +eys is used% & no +ey name is speci ied, the previous +ey name in the hierarchy is used%
value name
The value name indicates the registry value to modi y% *electing this option sets the value to a R>GO-$=R- o @, and clearing the option removes the registry value% & you want to speci y values other than the de ault values, use the $"0),'+ and $"0),'&& statements directly ollowing the corresponding $"0),+"-, statement% Hou speci y these statements as ollows3
,'
Using Administrative Template Files with Registry- ased !roup "olicy VALUEON on value VALUEOFF off value
@eywords
The valid +eywords or ."2# are3 C/,C17'5 #,5# ,DI##,5# +)-,2IC C'-7'7'5 D2'.D'W+0IS# 0IS#7'5 ,+D C0I,+#,5# ."2#
?sing PART Ty es to Add Controls to t-e ?ser Interface

Using the valid +eywords along with the ."2# component allows you to add text and various user inter ace controls to the properties page o the policy% Because much o the syntax is related, the next section presents a tas+-!ased approach to writing the syntax or these ."2# types used to create the user inter ace elements a!ove% Using the di erent ."2# types, you can add text and controls to enhance a policy setting% These types need to !e used with the ."2# component as previously de ined%
C%7C@BO0 PART Ty e
This ."2# type displays a chec+ !ox on the .roperty page o a policy setting% The value is set in the registry with the R>GO-$=R- type% The de ault !ehavior is as ollows3 By de ault the chec+ !ox is not selected% A chec+ !ox writes the value @ to the registry i it is selected and B i it is not selected%
#ynta9
PART text CHECKBOX VALUENAME value name END PART
,&
text
This represents the text to !e displayed on the right o the chec+ !ox that you are creating% Hou can hard code it and enclose it in Juotation mar+s 'X( or you can ma+e the string a varia!le !y putting :: in ront o the varia!le name%
value name
&ndicates the registry value to which the selected value will !e written% *electing the option sets the value as a R>GO-$=R- o @% <learing the option removes the registry value% To speci y values other than the de ault values, use the $"0),'+ and $"0),'&& statements directly ollowing the corresponding $"0),+"-, statement% These statements are speci ied as ollows3
VALUEON on value VALUEOFF off value
$hen you use these statements, the !ehavior is modi ied such that i the administrator selects the option, the value is set to on value% & the administrator clears the option, the value is set to off value% To override the de ault !ehavior3 To have the chec+ !ox selected !y de ault use D,&C/,C1,D% &n the preceding sample, the syntax would !e3
PART !!SampleChkBox_NotChked CHECKBOX DEFCHECKED VALUENAME "test1" END PART
Hou can use $"0),'+ and $"0),'&&% This example accomplishes the ollowing33 $rites the string 0>na!led1 to the registry when the chec+ !ox is selected% $rites a numeric value o @, when the chec+ !ox is not selected%
PART !!SampleChkBox_NotChked CHECKBOX VALUENAME "test1" VALUEON Enabled VALUEOFF NUMERIC 12 END PART
To modi y more than one registry +ey, use an A<T&=;6&*T% The valid +eywords or C/,C17'5 are3 2>H;A"> UA6U>;A"> UA6U>=; UA6U>=FF
,*
A<T&=;6&*T=; A<T&=;6&*T=FF ->F<Q><2><6&>;T>)T >;-
T70T PART Ty e
The ."2# type #,5# can !e used to display text on the .roperty page o a policy setting% Text uses the ollowing syntax%
PART text TEXT END PART
text
Text that is to !e displayed is entered here% Hou can hard code it and enclose it in Juotation mar+s 'X(, or you can ma+e the string a varia!le !y putting :: !e ore the varia!le name% The ollowing example illustrates the use o #,5#% The Disable "ctive Des(top policy deactivates Active -es+top and prevents users rom ena!ling or disa!ling Active -es+top, or rom modi ying the con iguration%
T70T 79am le
POLICY !!NoActiveDesktop KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" EXPLAIN!!NoActiveDesktop_Help VALUENAME "NoActiveDesktop"
PART !!NoActiveDesktop_Tip END PART
TEXT
END POLICY
The valid +eyword or #,5# is ,+D%
7"ITT70T PART Ty e
The ,DI##,5# option allows the user to input alphanumeric text into an edit ield% The text is set in the registry with the R>GO*P type%
#ynta9
PART !!text EDITTEXT
Language Reference for Administrative Template Files VALUENAME value name END PART
,+
text
Text to !e displayed is entered here% Hou can hard code it and enclose it in Juotation mar+s 'X( or you can ma+e the string a varia!le !y putting two explanation points '::( !e ore the varia!le name% This text is displayed on the le t side o the edit !ox%
value name
The value name indicates the registry value to which the users input entered in the >dit Text !ox will !e written% Ta!le T lists the options or ,DI##,5#. Table 5 O tions for 7"ITT70T
O tion "7!A?1T value ,A017/ value R7S?IR7" "escri tion # ecifies t-e initial string to lace in t-e edit field. If t-is o tion is not s ecified: t-e field is initially em ty. # ecifies t-e ma9imum lengt- of a string. T-e string in t-e edit field is limited to t-is lengt-. # ecifies t-at t-e 'rou Policy Ob;ect 7ditor does not allow a olicy containing t-is PART to be enabled: unless a value -as been entered for t-is PART. #ets t-e 7#QO7,CO/67RT style in t-e edit field so t-at ty ed te9t is ma ed from A#CII to O7, and bac3. 7#QO7,CO/67RT converts te9t entered in t-e edit control. T-e te9t is converted from t-e &indows c-aracter set 8A#CII< to t-e O7, c-aracter set and t-en bac3 to t-e &indows set. T-is ensures ro er c-aracter conversion w-en t-e a lication calls t-e C-arToOem TUava#cri tA--ob;Q(.Clic38<V function to convert an A#CII string in t-e edit control to O7, c-aracters. T-is style is most useful for edit controls t-at contain file names. # ecifies t-at t-e te9t is set in t-e registry wit- t-e R7'Q70PA/"Q#R ty e. By default: t-e te9t is set in t-e registry wit- t-e R7'Q#R ty e
O7,CO/67RT
70PA/"AB17T70T
The valid +eywords or ,DI##,5# are3 1,6+"-, $"0),+"-, D,&")0# 2,;)I2,D -"50,+3#/
,,
',-C'+$,2# ,+D ,5."+D"70,#,5# C0I,+#,5#
7"ITT70T 79am le
An example o use o the ."2# component with ,DI##,5# and #,5# ollows3
CLASS USER CATEGORY !!DesktopLockDown
KEYNAME "Software\Policies\System" POLICY !!Wallpaper EXPLAIN !!Wallpaper_Explain
PART !!Wallpaper_Tip1 END PART
TEXT
PART !!Wallpaper_Filename VALUENAME Wallpaper MAXLEN 60 END PART
EDITTEXT
END POLICY
END CATEGORY
[strings] DesktopLockDown="Desktop Settings" Wallpaper="Desktop Wallpaper" Wallpaper_Explain="Used to set the desktop wallpaper" Wallpaper_FileName="Filename" Wallpaper_Tip1="Specify UNC Path for selected wallpaper"
,5
&n the preceding example, the text entered into the edit ield is written to the registry +ey /1,68C)22,+#8)S,2*Soft%are*.olicies*System*Wallpaper% The text can !e a maximum o 8B characters% $hen this policy setting is +ot Configured or Disabled, this +ey is not written%
70PA/"AB17T70T 79am le
The ollowing example writes a value to registry with data type R>GO>)PA;-O*P% For example3
PART!!MyVariable EDITTEXT EXPANDABLETEXT
VALUENAME ValueToBeChanged END PART
R7S?IR7" 79am le
The ollowing example generates an error i the user does not enter a value when reJuired%
PART!!MyVariable EDITTEXT REQUIRED
VALUENAME ValueToBeChanged END PART
,A017/ 79am le
The ollowing example speci ies the maximum length o text%
PART!!MyVariable EDITTEXT
VALUENAME ValueToBeChanged MAXLEN 4 END PART
"7!A?1T 79am le
The ollowing example speci ies a de ault value% This can !e used or text or numeric data%
PART!!MyVariable EDITTEXT
DEFAULT !!MySampleText VALUENAME ValueToBeChanged END PART
,6
/?,7RIC PART Ty e
-isplays an edit ield with an optional spinner control 'an up-down control( that accepts a numeric value%
/?,7RIC #ynta9
PART text NUMERIC VALUENAME value name MIN value MAX value ...DEFAULT value ...SPIN value END PART
text
This represents the text to !e displayed on the right o the spin control that you are creating% Hou can hard code it and enclose it in Juotation mar+s 'X( or you can ma+e the string a varia!le !y putting [[ !e ore the varia!le name%
value name
&ndicates the registry value to which the selected value will !e written%
/?,7RIC "efault Be-avior

The de ault !ehavior or the +)-,2IC PART type is as ollows3 The value is set in the registry as a R>GO-$=R- type% Hou can optionally have the value written as a R>GO*P type !y using the #5#C'+$,2# +eyword%
Ta!le : shows the options or the +)-,2IC type% Table $ O tions for /?,7RIC
O tion "7!A?1T value "escri tion # ecifies t-e initial numeric value for t-e edit field. If t-is o tion is not s ecified: t-e field is initially em ty. # ecifies t-e ma9imum value for t-e number. T-e default value is FFFF. # ecifies t-e minimum value for t-e number. T-e default value is +. # ecifies t-at t-e 'rou Policy Ob;ect 7ditor does not allow a olicy containing t-is PART to be enabled unless a value -as been entered for t-is
,A0 value ,I/ value R7S?IR7"
,#
PART. #PI/ value # ecifies increments to use for t-e s inner control. T-e default is #PI/ (. #PI/ + removes t-e s inner control. &rites values as R7'Q#R strings 8=(>: =*>: or =(*$>< rat-er t-an as binary values.
T0TCO/67RT
The valid +eywords or +)-,2IC are3 2>H;A"> UA6U>;A"> "&; "A) *P&; ->FAU6T R>]U&R>T)T<=;U>RT >;<6&>;T>)T
79am les of /?,7RIC ?se

The ollowing example illustrates use o the +)-,2IC ."2# type using the D,&")0# option%
PART!!MyVariable NUMERIC DEFAULT 5 VALUENAME ValueToBeChanged END PART
The ollowing example illustrates use o the minimum and maximum valid values or a varia!le%
PART!!MyVariable NUMERIC MIN 100 MAX 999 DEFAULT 55 VALUENAME ValueToBeChanged END PART
The ollowing example illustrates use o the +)-,2IC ."2# type using S.I+% &n this case, increments o @BB are used or the spin control%
PART !!ProfileSize NUMERIC REQUIRED SPIN 100
,$
Using Administrative Template Files with Registry- ased !roup "olicy VALUENAME "MaxProfileSize" DEFAULT 30000 MAX 30000 MIN 300 END PART
The ollowing example illustrates use o the +)-,2IC ."2# type using the #5#C'+$,2# option, which writes values as 2,38S< strings 'such as 08B1( instead o !inary values%
PART !!ScreenSaverTimeOutFreqSpin NUMERIC DEFAULT 900 MIN 0 MAX 599940 SPIN 60 TXTCONVERT VALUENAME "ScreenSaveTimeOut" END PART
CO,BOBO0 PART Ty e
This ."2# type displays a com!o !ox% &t accepts the same options as ,DI##,5#, as well as the S)33,S#I'+S option, which !egins a list o suggestions to !e placed in the drop-down list% S)33,S#I'+S are separated with spaces and must !e enclosed in Juotation mar+s 'X( when a value includes spaces% & a suggestion name includes white space, it must !e enclosed in Juotation mar+s% The list ends with ,+D S)33,S#I'+S%
79am le
The ollowing example illustrates the use o the S)33,S#I'+S option%
SUGGESTIONS Alaska Alabama Mississippi New York END SUGGESTIONS
@eywords
The valid +eywords or C'-7'7'5 are3 1,6+"-, $"0),+"-, D,&")0# S)33,S#I'+S 2,;)I2,D -"50,+3#/ ',-C'+$,2#
,%
/ote
'P,C reEuires t-at you define t-e 3ey name and value name before you s ecify "ROP"O&/1I#T.
,+D +'S'2# ,5."+D"70,#,5# C0I,+#,5# ,+D
"ROP"O&/1I#T PART Ty e
-isplays a com!o !ox with a drop-down list style% The user may choose only one o the entries supplied%
"ROP"O&/1I#T #ynta9
D2'.D'W+0IS# uses the ollowing syntax%
PART !!text DROPDOWNLIST ITEMLIST NAME name VALUE value .. NAME name VALUE value END ITEMLIST END PART
text
This represents the text to !e displayed on the right o the spin control that you are creating% Hou can hard code it and enclose it in Juotation mar+s 'X( or you can ma+e the string a varia!le !y putting :: in ront o the varia!le name%
name
This is text that will !e displayed in the drop-down list or a particular item%
value
The value to !e written to the speci ied registry +ey i this item is selected% Ualues are assumed to !e strings, unless they are preceded !y +)-,2IC% The ollowing example shows !oth string and numeric values3
VALUE Some value VALUE NUMERIC 1
The valid +eywords or D2'.D'W+0IS# are3 2>H;A">
5'
UA6U>;A"> R>]U&R>&T>"6&*T >;;=*=RT <6&>;T>)T
1I#TBO0 PART Ty e
The 6&*TB=) ."2# component speci ies various options such as drop-down list !oxes, text !oxes, and text in the lower pane o the Group Policy =!.ect >ditor% 0IS#7'5 accepts the options shown in Ta!le C% Table F 1I#TBO0 O tions
1I#TBO0 O tion A""ITI67 "escri tion By default: t-e content of list bo9es overrides any values set in t-e target registry. T-is means t-at a control value is inserted in t-e olicy file t-at causes e9isting values to be deleted before t-e values set in t-e olicy file are merged. If t-is o tion is s ecified: e9isting values are not deleted: and t-e values set in t-e list bo9 is in addition to w-atever values e9ist in t-e target registry. T-is o tion ma3es t-e user s ecify t-e value data and t-e value name. T-e list bo9 s-ows two columns: one for t-e name and one for t-e data. T-is o tion cannot be used wit- t-e 6A1?7PR7!I0 o tion. T-e refi9 you s ecify is used in determining value names. If a refi9 is s ecified: t-e refi9 and an incremented integer are used: instead of t-e default value naming sc-eme described reviously. !or e9am le: a refi9 of =#am le/ame> generates t-e value names =#am le/ame(>: =#am le/ame*>: and so on. T-e refi9 can be em ty 8=><: w-ic- causes t-e value names to be =(>: =*>: and so on.
70P1ICIT6A1?7
6A1?7PR7!I0 refi9
By de ault, only one column appears in the list !ox, and or each entry a value is created whose name and value are the same% For instance, a 0name1 entry in the list !ox creates a value called 0name1 that contains data called 0name1% $hen using a 0IS#7'5, use the "DDI#I$, +eyword unless you have a speci ic reason not to do so%
5&
/ote
&indows 0P #P* fi9ed issues relating to t-e 1I#TBO0 A""ITI67 functionality. !or more information: see t-e =C-anges to 1I#TBO0 A""ITI67> section in t-is document.
The valid +eywords or 0IS#7'5 are3 1,6+"-, $"0),.2,&I5 "DDI#I$, +'S'2# ,5.0ICI#$"0), ,5."+D"70,#,5# ,+D C0I,+#,5#
ACTIO/1I#T
Hou can use an action list to speci y a set o ar!itrary registry changes to ma+e in response to a control !eing set to a particular state%
#ynta9
The "C#I'+0IS# syntax is as ollows3
ACTIONLIST [KEYNAME key name] VALUENAME value name VALUE value END ACTIONLIST
key name
This is an optional path to the registry +ey% -o not include Q2>HO6=<A6O"A<Q&;> or Q2>HO<URR>;TOU*>R in the registry path as the preceding <6A** statement determines which o these +eys is used% & no +ey name is speci ied, the previous +ey name in the hierarchy is used%
value name
&ndicates the registry value to modi y% *electing this option sets the value to a R>GO-$=R- o @, and clearing the option removes the registry value% & you want to speci y values other than the de ault values, use the UA6U>=; and UA6U>=FF statements directly ollowing the corresponding UA6U>;A"> statement% Hou speci y these statements as ollows3
5*
Using Administrative Template Files with Registry- ased !roup "olicy VALUEON on value VALUEOFF off value
value
Ualues are treated as strings unless they are preceded !y ;U">R&<, as in the ollowing examples3
VALUE "Some value" VALUE NUMERIC 1
& $"0), is ollowed !y D,0,#, ' or example, $"0), D,0,#,(, the registry entry is deleted% Ta!le @B lists the two variants or "C#I'+0IS# that can !e used with .'0IC6 and C/,C17'5% Table (+ 6ariants for ACTIO/1I#T
6ariant ACTIO/1I#TO/ ACTIO/1I#TO!! "escri tion # ecifies an o tional action list to be used if t-e c-ec3 bo9 is selected. # ecifies an o tional action list to be used if t-e c-ec3 bo9 is not selected.
ACTIO/1I#T 79am le
The ollowing example illustrates the use o "C#I'+0IS#'+ and "C#I'+0IS#'&&%
POLICY "Deny connections requests" EXPLAIN "If enabled, TS will stop accepting connections" ACTIONLISTON VALUENAME "fDenyTSConnections" VALUE NUMERIC 1 END ACTIONLISTON ACTIONLISTOFF VALUENAME "fDenyTSConnections" VALUE NUMERIC 0 END ACTIONLISTOFF END POLICY
Additional 7lements
The %adm language supports the ollowing elements3
@7C/A,7
The 1,6+"-, +eyword is used within a C"#,3'26 to de ine which +ey within the registry is modi ied as a result o an action here% 1,6+"-, should !e ollowed !y the registry path to the +ey that contains the value that you want to change% -o not include
5+
/1,680'C"08-"C/I+, or /1,68C)22,+#8)S,2 in the registry path as the preceding <6A** statement determines which o these +eys is used% & the 1,6+"-, contains a space, you must enclose the string in Juotation mar+s 'X(%
6A1?7/A,7
-e ines the options availa!le within a .'0IC6% First identi y the registry value that is to !e modi ied as a result o using the +eyword $"0),+"-,% For example, $"0),+"-, "yFirstUalue% The ollowing example illustrates the use o $"0),+"-,% The -isa!le Boot 4 *hutdown 4 6ogon 4 6ogo status messages policy prevents the display o system status messages%
POLICY!!DisableStatusMessages KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System" EXPLAIN!!DisableStatusMessages_Help VALUENAME "DisableStatusMessages" END POLICY
Unless you speci y otherwise, the value is written in the ollowing ormat when the user chec+s or clears the option3 <hec+ed% Uses a R>GO-$=R- type with a value o @% <leared% Removes the value%
Hou can speci y options other than these de aults !y using $"0),'&& and $"0),'+% & the option is to !e selected within the lower pane o the Group Policy =!.ect >ditor, the $"0),+"-, needs to !e within a ."2# scope%
C1I7/T70T
The C0I,+#,5# +eyword is used to speci y which client-side extension to the Group Policy =!.ect >ditor needs to process the particular settings on the client computer% By de ault, the registry extension processes all settings con igured under the Administrative Templates node% The C0I,+#,5# +eyword changes the de ault !ehavior and causes the speci ied extension to process these settings a ter the registry extension has placed them in the registry% C0I,+#,5# must !e used within either the .'0IC6 scope or the ."2# scope and should ollow the $"0),+"-, statement% The ollowing example illustrates use o C0I,+#,5#%
POLICY !!DQ_Enforce #if version >= 4 SUPPORTED !!SUPPORTED_Win2k #endif EXPLAIN !!DQ_Enforce_Help VALUENAME "Enforce" VALUEON NUMERIC 1
5,
Using Administrative Template Files with Registry- ased !roup "olicy VALUEOFF NUMERIC 0 CLIENTEXT {3610eda5-77ef-11d2-8dc5-00c04fa31a66} END POLICY
The GU&- that ollows the C0I,+#,5# +eyword is the GU&- o the client-side extension% The client-side extensions are listed in the registry under /1,680'C"08-"C/I+,*S'&#W"2,*-icrosoft*Windo%s+#*Current$ersion*Winlog on*3.,!tensions%
6A1?7O/ and 6A1?7O!!

Hou can use $"0),'+ and $"0),'&& to write speci ic values !ased on the state o the option% To ena!le this unctionality, you can write the %adm ile as descri!ed in the ollowing examples3
KEYNAME key name POLICY!!MyPolicy VALUENAME ValueToBeChanged VALUEON Turned On VALUEOFF Turned Off END POLICY
KEYNAME key name POLICY!!MyPolicy VALUENAME ValueToBeChanged VALUEON 5 VALUEOFF 10 END POLICY
?sing #im le Policies and Policies wit- t-e 6A1?7O!! and 6A1?7O/ #tatements
This section presents two examples that illustrate the di erence !etween using the de ault policy states and speci ying $"0),'+ and $"0),'&& statements% There is a signi icant di erence !etween the two example policies%
79am le (
&n this example, no explicit $"0),'+ or $"0),'&& statements are used% This means that the Administrative Templates use the de ault !ehavior when the user changes the state o this policy%
POLICY!!EnableSlowLinkDetect EXPLAIN !!EnableSlowLinkDetect_Help KEYNAME "Software\Policies\Microsoft\Windows\System" VALUENAME "SlowLinkDetectEnabled" END POLICY
Ta!le @@ lists the de ault !ehavior%
55
Table (( 79am le ( Policy "efaults

#tate Policy setting enabled Policy setting disabled Policy setting not configured Be-avior A "&OR" wit- t-e value ( is written to t-e registry. T-e registry value is deleted. /ot-ing is c-anged in t-e registry.
;ote the policy-disa!led state% The value is not written to the registry with the value o B^ instead it is explicitly deleted% This means that a component reading the policy will not ind the value in the registry, and will all !ac+ to using the de ault in the code%
79am le *
&n this example, the state values are explicitly de ined, so when the user changes the policy, the Administrative Templates use these values%
POLICY!!EnableSlowLinkDetect EXPLAIN!!EnableSlowLinkDetect_Help KEYNAME "Software\Policies\Microsoft\Windows\System" VALUENAME "SlowLinkDetectEnabled" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY
Ta!le @, lists the !ehaviors in >xample ,% Table (* 79am le * Policy "efaults

#tate Policy setting enabled Policy setting disabled Policy setting not configured Be-avior A "&OR" wit- t-e value ( is written to t-e registry. A "&OR" wit- t-e value + is written to t-e registry. /ot-ing is c-anged in t-e registry.
70P1AI/
The ,5.0"I+ +eyword is used to provide online Qelp text or a speci ic Group Policy% &n $indows ,BBB, the .roperties page or each policy setting includes an ,!plain ta!, which provides details a!out the policy settings% >ach Group Policy that you create should include one ,5.0"I+ +eyword, ollowed !y at least one space, and then the ,5.0"I+ string in Juotation mar+s 'X( or a re erence to the Qelp string% For example3
56
Using Administrative Template Files with Registry- ased !roup "olicy POLICY!!Pol_NoConfigCache #if VERSION >= 3 EXPLAIN!!Pol_NoConfigCache_Help #endif VALUENAME "NoConfigCache" PART!!Lbl_NoConfigCacheHelp1 END PART END POLICY .....
TEXT
[Strings] Pol_NoConfigCache_Help="Prevents users from changing the automatic synchronization behavior at logoff."
&n the preceding example, Qelp is o ered or one o the = line Files options% The ,5.0"I+ +eyword wrapped in the =if $,2SI'+ allows this %adm ile to !e used with the $indows ,BBB Group Policy =!.ect >ditor 'version A(%
1ine Brea3s
To start text on a new line or to create a line !rea+, use this syntax3
\n = Starts a new line \n\n = Creates a line break
WIf 6ersion for 6ersion Com arison

The I& $,2SI'+ conditional statement is used to control the display o certain policy settings and eatures in the Administrative Templates node, !ased on the version o the Group Policy =!.ect >ditor that you are using% I& $,2SI'+ allows or part o the %adm iles to !e conditionally parsed and ignored !y earlier versions o the Group Policy =!.ect >ditor tool% For example, the *UPP=RT>- tag is not supported on versions o the Group Policy =!.ect >ditor earlier than version E% For this reason any statement using the *UPP=RT>- tag should !e enclosed !y V& UersionKVendi % Hou can speci y that any part o your %adm ile !e evaluated only in speci ic versions o the Group Policy editing tools, as shown in Ta!le 9, in the 0%Adm File 6anguage Uersions1 section o this document% To compare versions, use the ollowing syntax3
#if Version (operator) x #endif
The valid operators are listed in Ta!le @A% Table (2 6alid O erators for t-e 6ersion #tatement /umber
O erator V 8'T< #ignifies 'reater t-an. !or e9am le: a V b means a is greater t-an b.
5#
T 81T< NN 87S< XN 8/7< VN 8'T7< TN 81T7<
1ess t-an. !or e9am le: a T b means a is less t-an b. 7Eual. !or e9am le: a NN b means a is eEual to b. /ot eEual. 'reater t-an or eEual to. !or e9am le: a VN b means a is greater t-an or eEual to b. 1ess t-an or eEual to. !or e9am le: a TN b means a is less t-an or eEual to b.
.Adm !ile #tringDTag 1imits

Uarious restrictions apply to %adm iles and settings% Ta!le @E provides a complete list o these restrictions% Table (4
!ile #tring ,a9imum string lengt- for 79 lain te9t ,a9imum string lengt- for Category 79 lain te9t ,a9imum string lengt- for 7"ITT70T string 4+F) *44 (+*2 Tag 1imits
Related 1in3s
To learn more a!out Group Policy, see the ollowing resources3 "icroso t Group Policy Qome Page at http344go%microso t%com4 wlin+45 6in+&d7@9B::% Group Policy A-" Files at http344go%microso t%com4 wlin+45lin+id7A@B9T% "anaging $indows )P *ervice Pac+ , Features Using Group Policy on the Tech;et $e! site at http344go%microso t%com4 wlin+456in+&d7A@CTE% Group Policy in the "icroso t Plat orm *-2 at http344go%microso t%com4 wlin+45 6in+&d7,8,9:% Group Policy "anagement <onsole on the "*-; $e! site at http344go%microso t%com4 wlin+456in+&d7@TC@,%
5$
Group Policy in $indows *erver ,BBA on the "icroso t $e! site at http344go%microso t%com4 wlin+45lin+id7,C,8C% Article :@888,, 0Recommendations or "anaging Group Policy Administrative Template '%adm( Files,1 in the "icroso t 2nowledge Base at http344go%microso t%com4 wlin+456in+&d7EEE@% The <ore Group Policy Technical Re erence collection o the 0$indows *erver ,BBA Technical Re erence1 at http344go%microso t%com4 wlin+456in+&d7A@T::% The 0-esigning a "anaged >nvironment1 !oo+ o the Microsoft Windows Server 2003 Deployment Kit on the "icroso t $e! site at http344go%microso t%com4 wlin+456in+&d7AB89B%

WindowServer 2003

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

WindowServer 2003

Uploaded by

Copyright:

Available Formats

Using Administrative Template Files with RegistryBased Group Policy

Microsoft Corporation Published: September 2004

Overview of Registry-Based Policy and Administrative Tem late !iles

Language Reference for Administrative Template Files

"efault .adm !iles

Using Administrative Template Files with Registry- ased !roup "olicy

&-en to ?se Registry-Based 'rou Policy

True Policies vs. Preferences

Language Reference for Administrative Template Files

roved Registry @ey 1ocations for 'rou Policy #ettings

%ow to ?se Policy #ettings and Preferences

Using Administrative Template Files with Registry- ased !roup "olicy

Policy only Bot- olicy and reference

"esign Considerations for Creating Policy #ettings

Language Reference for Administrative Template Files

&-en to Create Policy #ettings

Controlling !eature Releases to ?sers

Create Policy #ettings to Reduce /eed for #u

Using Administrative Template Files with Registry- ased !roup "olicy

&-en /ot to Create a Policy

?ser Interface "esign

Language Reference for Administrative Template Files

Using Administrative Template Files with Registry- ased !roup "olicy

Best Practices for "evelo ing Registry-Based Policy #ettings

Using Administrative Template Files with Registry- ased !roup "olicy

Creating Custom .Adm !iles

Language Reference for Administrative Template Files

Using Administrative Template Files with Registry- ased !roup "olicy

%ow to &rite a #im le .Adm !ile for Registry-based 'rou Policy

Language Reference for Administrative Template Files

To #et a Registry 6alue to Turn a !eature O/ or O!!

Using Administrative Template Files with Registry- ased !roup "olicy

To #et a Registry 6alue for 7"ITT70T and #tatic Te9t

Language Reference for Administrative Template Files

Using Administrative Template Files with Registry- ased !roup "olicy

To #et a Registry 6alue to "is lay an Action1ist to an Administrator

Testing Administrative Tem late !iles

Language Reference for Administrative Template Files

Creating an .Adm Test !ile

Using Administrative Template Files with Registry- ased !roup "olicy

1oading an .Adm !ile into t-e 'rou Policy #na -in

To load your .adm file into 'rou Policy Ob;ect 7ditor

,aintaining and ,anaging .Adm !iles

Language Reference for Administrative Template Files

Im ortance of Timestam s for .Adm !iles

"u licate -AT(!.R/ #ections

Using Administrative Template Files with Registry- ased !roup "olicy

.Adm !iles ?sed by t-e 'rou Policy Ob;ect 7ditor

.Adm !iles ?sed by 'P,C

Controlling .Adm !ile Re lication

Turn Off Automatic ? dates of .Adm !iles

Language Reference for Administrative Template Files

To clear t-e #ysvol folder of .adm files

,aintaining .Adm files on Administrative &or3stations

Using Administrative Template Files with Registry- ased !roup "olicy

,ultilanguage Administration Issues

O erating #ystem and #ervice Pac3 Release Issues

Language Reference for Administrative Template Files

@eyboard #-ortcuts for Administrative Tem lates /ode

Using Administrative Template Files with Registry- ased !roup "olicy

&-at.s /ew for Administrative Tem late !iles in &indows 0P #P*

C-anges to 1I#TBO0 A""ITI67

Language Reference for Administrative Template Files

,anaging Policy #ettings on 7arlier O erating #ystems or #ervice Pac3s

A<T&=;6&T=; A<T&=;6&T=FF ->F<Q><2><6&>;T>)T >;-

UA6U>;A"> R>]U&R>&T>"6&T >;;==RT <6&>;T>)T