You are on page 1of 12

Managing Group Policy ADMX Files Stepby-Step Guide

Microsoft Corporation Published: December 2005 Author: Judith Herman Editor: Craig iebendorfer

Abstract
!his step"b#"step guide demonstrates centrall# administering ADM$ files and incorporating ADM$ files %hen editing the administrati&e template polic# settings inside a local or domain"based 'roup Polic# ob(ect)

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including UR and other Internet !eb site references, is sub"ect to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organi#ations, products, domain names, e$mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organi#ation, product, domain name, e$mail address, logo, person, place, or event is intended or should be inferred. %omplying with all applicable copyright laws is the responsibility of the user. !ithout limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means &electronic, mechanical, photocopying, recording, or otherwise', or for any purpose, without the express written permission of Microsoft %orporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering sub"ect matter in this document. (xcept as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

) *++, Microsoft %orporation. -ll rights reserved.

Microsoft, ./ .erver, !indows 0ista, !indows, and !indows .erver are either registered trademarks or trademarks of Microsoft %orporation in the United .tates and1or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents
Managing 'roup Polic# ADM$ *iles +tep"b#"+tep 'uide)))))))))))))))))))))))))))))))))))))))))))))))))), Abstract))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))), Contents)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))Managing 'roup Polic# ADM$ *iles +tep"b#"+tep 'uide ))))))))))))))))))))))))))))))))))))). +ome /mportant *actors About the /mplications of ADM$ *iles in 0our En&ironment)))))5 ADM$ !echnolog# 1e&ie% ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))5 Comparison of ADM and ADM$ ocal *ile ocations)))))))))))))))))))))))))))))))))))))))))))))))))))))5 ADM$ Domain *ile ocations)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))2 1e3uirements for Editing 'roup Polic# 4b(ects %ith ADM$ *iles )))))))))))))))))))))))))5 ocal 'roup Polic# 4b(ect Editing 1e3uirements)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))5 Domain"6ased 'roup Polic# 4b(ect Editing 1e3uirements))))))))))))))))))))))))))))))))))))))))))))5 ADM$ +cenarios )))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))7 +cenario ,: Editing ocal 'roup Polic# 4b(ect Administrati&e !emplate +ettings)))))))))))7 +cenario 2: Editing Domain"6ased 'roup Polic# 4b(ect Administrati&e !emplate +ettings)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))7 +cenario ,: Editing the ocal 'P4 %ith ADM$ *iles ))))))))))))))))))))))))))))))))))))))))))))7 Editing the Administrati&e !emplate Polic# +ettings of the ocal 'P4 %ith ADM$ files))8 +cenario 2: Editing Domain"6ased 'P4s %ith ADM$ *iles ))))))))))))))))))))))))))))))))))8 Prere3uisites for Administering Domain"6ased 'P4s %ith ADM$ *iles)))))))))))))))))))))))))8 +teps for 9tili:ing the 4ptional ADM$ Central +tore %ith Domain"6ased 'P4s)))))))))),0 Create a Central +tore)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))),0 Populate the Central +tore %ith ADM$ *iles))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))),, Edit the Administrati&e !emplate Polic# +ettings in the Domain"6ased 'P4s)))))))))))))),, +ee Also)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))),2

Managing Group Policy ADMX Files Stepby-Step Guide


Microsoft ;indo%s <ista= and ;indo%s +er&er= Code >ame ? onghorn? introduce a ne% format for displa#ing registr#"based polic# settings) 1egistr#"based polic# settings @located under the Administrati&e !emplates categor# in the 'roup Polic# 4b(ect EditorA are defined using a standards"basedB $M file formatB Cno%n as ADM$ files) !hese ne% files replace ADM filesB %hich used their o%n marCup language) !he administrati&e tools #ou useDthe 'roup Polic# 4b(ect Editor and the 'roup Polic# Management ConsoleD remain largel# unchanged) /n the ma(orit# of situationsB #ou %ill not notice the presence of ADM$ files during #our da#"to"da# 'roup Polic# administration tasCs) !here are some situations that re3uire an understanding of ho% ADM$ files are structured and the location %here the# are stored) !his guide introduces #ou to ADM$ filesB sho%ing #ou ho% ADM$ files are incorporated %hen editing Administrati&e !emplate polic# settings in a local or domain"based 'roup Polic# ob(ect @'P4A) ADM$ files pro&ide an $M "based structure for defining the displa# of the Administrati&e !emplate polic# settings in the 'roup Polic# 4b(ect Editor) 0ou need to be using a ;indo%s <ista"based or ;indo%s +er&er ? onghorn?"based computer in order for the 'roup Polic# 4b(ect Editor to recogni:e the ADM$ files) 9nliCe ADM filesB ADM$ files are not stored in indi&idual 'P4s b# defaultE ho%e&erB this beha&ior is supported for less common scenarios) *or domain"based enterprisesB administrators can create a central store location of ADM$ files accessible b# an#one %ith permission to create or edit 'P4s) 'roup Polic# tools %ill continue to recogni:e other earlier ADM files #ou ha&e in #our eFisting en&ironment) +pecificall#B an# custom ADM files %ill be consumed b# 'roup Polic# tools) @!he tools %ill eFclude ADM files that %ere included b# default in the operating s#stemB such as +#stem)adm and /netres)admB because the ADM$ files supersede these filesA) !he 'roup Polic# 4b(ect Editor automaticall# reads and displa#s Administrati&e !emplate polic# settings from both the ADM$ and ADM files) !his guide co&ers t%o different scenarios to highlight the potential differences in the ADM$ storage location and 'roup Polic# tools needed %hen %orCing %ith local and domain"based 'P4s)

Some Important Factors About the Implications o ADMX Files in !our "n#ironment
>e% ;indo%s <ista"based or ;indo%s +er&er ? onghorn?"based polic# settings can onl# be managed from ;indo%s <ista"based or ;indo%s +er&er ? onghorn?" based administrati&e machines running 'roup Polic# 4b(ect Editor or 'roup Polic# Management Console) +uch polic# settings are defined onl# in ADM$ files andB as suchB are not eFposed on the ;indo%s +er&er 200-B Microsoft ;indo%sG $PB or ;indo%s 2000 &ersions of these tools) !he ;indo%s <ista or ;indo%s +er&er ? onghorn? &ersions of 'roup Polic# 4b(ect Editor and 'roup Polic# Management Console can be used to manage all operating s#stems that support 'roup Polic# @;indo%s <ista and ;indo%s +er&er ? onghorn?B ;indo%s +er&er 200-B ;indo%s $PB and ;indo%s 2000A) !he ;indo%s <ista or ;indo%s +er&er ? onghorn? &ersions of 'roup Polic# 4b(ect Editor and 'roup Polic# Management Console support interoperabilit# %ith &ersions of these tools on earl# operating s#stems) *or eFampleB custom ADM files stored in 'P4s %ill be consumed b# the ne% tools) /n the ma(orit# of situationsB #ou %ill not notice the presence of ADM$ files during #our da#"to"da# 'roup Polic# administration tasCs)

ADMX $echnology %e#ie&


/n ;indo%s <istaB ADM$ files are di&ided into language"neutral and language"specific resourcesB a&ailable to all 'roup Polic# administrators) !hese factors allo% 'roup Polic# tools to ad(ust their 9/ according to the administratorHs configured language) Adding a ne% language to a set of polic# definitions is achie&ed b# ensuring that the language" specific resource file is a&ailable)

Comparison o ADM and ADMX 'ocal File 'ocations


/n ;indo%s <ista beta 2B the operating s#stemIdefined Administrati&e !emplate polic# settings %ill onl# install on the local computer as an ADM$ file format)

* ADM$ files %ill be installed on each ;indo%s <ista computer in a different file location from ADM filesB as sho%n in the follo%ing table) @Custom ADM files can still be copied to the listed ADM director# to be consumed b# the 'roup Polic# 4b(ect Editor and 'roup Polic# Management Console)A *ile !#pe ADM ADM$ language neutral @)admFA ADM$ language specific @)admlA *ile ocation 2systemroot2)in 2systemroot2)policyDe initions 2systemroot2)policyDe initions)3MUIculture4 @for eFampleB the 9)+) English ADM$ language specific file %ill be stored in 2systemroot 2)policyDe initions)en-usA

ADMX Domain File 'ocations


4ne of the main benefits of using the ne% ADM$ files is the central store) !his option is a&ailable to #ou %hen #ou are administering domain"based 'P4sB although the central store is not used b# default) /n ;indo%s <ista and ;indo%s +er&er ? onghorn?B the 'roup Polic# 4b(ect Editor %ill not cop# ADM files to each edited 'P4Dthe case %ith earlier operating s#stems) /nstead the 'roup Polic# 4b(ect Editor %ill no longer cop# the ne% ADM$ filesB but %ill pro&ide the abilit# to read from either a single domain"le&el location on the domain controllerHs s#s&ol @not user configurableA or from the local administrati&e %orCstation %hen the central store is una&ailable) !his capabilit# reduces the amount of storage needed for files that should remain constant for all 'P4s) /n addition to storing the ADM$ files shipped in the operating s#stem in the central storeB #ou can share a custom ADM$ file b# cop#ing the file to the central storeB %hich maCes it a&ailable automaticall# to all 'roup Polic# administrators in a domain) *ile !#pe Domain Controller *ile ocation

ADM$ 2systemroot2)sys#ol)domain)policies)PolicyDe initions language neutral @)admFA

/ *ile !#pe Domain Controller *ile ocation

ADM$ 2systemroot2)sys#ol)domain)policies)PolicyDe initions)3MUIculture4 language @for eFampleB the 9)+) English ADM$ language"specific file %ill be specific @)admlA stored in 2systemroot 2)sys#ol)domain)policies)PolicyDe initions)en-usA

%e+uirements or "diting Group Policy ,b-ects &ith ADMX Files


!he follo%ing sections describe specific computer setups re3uired for editing either the local 'P4 or domain"based 'P4s %ith ADM$ files) !his step"b#"step guide assumes #ou understand the basic concepts of 'roup Polic# and using the 'roup Polic# Management Console)

'ocal Group Policy ,b-ect "diting %e+uirements


;hile editing the local 'P4B #ou must use a ;indo%s <ista"based computer to &ie% polic# settings from ADM$ files)

Domain-.ased Group Policy ,b-ect "diting %e+uirements


/n order to be able to create and edit domain"based 'P4s %ith the latest 'roup Polic# settings using ADM$ filesB #ou must ha&e this setup: A %orCing ;indo%s +er&er ? onghorn?B ;indo%s +er&er 200-B or ;indo%s 2000 domain using name resolution through a D>+ ser&er) A ;indo%s <ista computer to &ie% polic# settings from ADM$ files %hile editing the domain"based 'P4)

ADMX Scenarios
!he scenarios in this document are designed to introduce #ou to managing ADM$ files for 'roup Polic# editing) @'roup Polic# editing refers to the process in %hich #ou create a 'P4 or open an eFisting 'P4 and then change polic# settings using the 'roup Polic# 4b(ect EditorA) !he follo%ing t%o scenarios illustrate ho% the 'roup Polic# 4b(ect Editor %ill transparentl# incorporate ADM$ files into an editing session) !he domain"based scenario sho%s #ou ho% to centrall# manage ADM$ filesB a feature that %as not a&ailable %ith ADM files)

Scenario 01 "diting 'ocal Group Policy ,b-ect Administrati#e $emplate Settings


Editing a local 'P4 introduces #ou to ADM$ files that are transparentl# included %hen opening the 'roup Polic# 4b(ect Editor) !he %a# #ou edit Administrati&e !emplate polic# settings and the %a# the settings are displa#ed remains unchanged from pre&ious &ersions of ;indo%s)

Scenario 21 "diting Domain-.ased Group Policy ,b-ect Administrati#e $emplate Settings


Editing a domain"based 'P4 introduces #ou to optional central store for ADM$ files in a domain and ho% to edit 'P4s using this central store)

Scenario 01 "diting the 'ocal GP, &ith ADMX Files


!his scenario sho%s #ou ho% ADM$ files are transparentl# incorporated into editing the local 'roup Polic#)

"diting the Administrati#e $emplate Policy Settings o the 'ocal GP, &ith ADMX iles
0ou must use a ;indo%s <ista"based computer to edit local 'P4s using ADM$ files) $o edit administrati#e template policy settings using ADMX iles ,) !o open the local 'roup Polic# 4b(ect Editor on a ;indo%s <ista machineB clicC StartB clicC %unB then t#pe GP"DI$4msc) 2) !he 'roup Polic# 4b(ect Editor %ill automaticall# read all ADM$ files stored in the 2systemroot2)PolicyDe initions) folder) -) 5ote 0ou can still remo&e and add ADM files to the 'P4 using the Add6%emo#e $emplates menu option) !here is no user interface for adding or remo&ing ADM$ files in ;indo%s <ista) !o add ADM$ files to the 'roup Polic# editing sessionB cop# the ADM$ files to the 2systemroot2)PolicyDe initions) folder and restart the 'roup Polic# 4b(ect Editor) ocate the polic# setting #ou %ish to edit and open it)

Scenario 21 "diting Domain-.ased GP,s &ith ADMX Files


!his scenario sho%s #ou ho% to set up a central location of the updated ADM$ files %hen managing domain"based 'roup Polic# from ;indo%s <istaIbased computers)

Prere+uisites or Administering Domain.ased GP,s &ith ADMX Files


!o complete the tasCs in this sectionB #ou should ha&e at least: A ;indo%s +er&er ? onghorn?B ;indo%s +er&er 200-B or ;indo%s 2000 domain utili:ing a D>+ name ser&er) A ;indo%s <ista"based computer to use as an administrati&e %orCstation)

0:

Steps or 8tili9ing the ,ptional ADMX Central Store &ith Domain-.ased GP,s
/f #ou choose to not create an ADM$ central storeB editing 'P4s %ill %orC the same %a# as in scenario , @?Editing the ocal 'P4 %ith ADM$ *iles?A) !o edit 'P4s using centrall# stored ADM$ filesB complete these tasCs in order)

Create a Central Store


!he central store is a folder structure created in the +#s&ol director# on the domain controllers in each domain in #our organi:ation) 0ou %ill need to create the central store onl# once on a single domain controller for each domain in #our organi:ation) !he *ile 1eplication ser&ice then replicates the central store to all domain controllers) /t is recommended that #ou create the central store on the primar# domain controller because the 'roup Polic# Management Console and 'roup Polic# 4b(ect Editor connect to the primar# domain controller b# default) !he central store consists of a root"le&el folder containing all language"neutral ADM$ files and subfolders containing the language"specific ADM$ resource files) !o perform this procedureB #ou must be a member of the Domain Admininstrators group in Acti&e Director#) $o create the central store ,) Create the root folder for the central store 2systemroot2)sys#ol)domain)policies)PolicyDe initions on #our domain controller) 2) Create a subfolder of 2systemroot 2)sys#ol)domain)policies)PolicyDe initions for each language #our 'roup Polic# administrators %ill use) Each subfolder is named after the appropriate /+4" st#le anguageJCulture >ame) *or a list of /+4"st#le anguageJCulture >amesB see ocale /dentifiers) *or eFampleB to create a subfolder for 9)+) EnglishB create the subfolder: 2systemroot2)sys#ol)domain)policies)PolicyDe initions)"5-8S)

00

Populate the Central Store &ith ADMX Files


!here is no user interface for populating the central store in ;indo%s <ista) !he procedure sho%s ho% to populate the central store using command line s#ntaF from the Domain Controller) $o populate the central store ,) 4pen a command %indo%: clicC StartB clicC %un; then t#pe cmd4 2) !o cop# all the language"neutral ADM$ files from #our ;indo%s <ista administrati&e %orCstation to the central store on #our domain controller using the <copy commandB t#pe: <copy 2systemroot2)PolicyDe initions)= 2logonserver2)sys#ol) 2userdnsdomain2)policies)PolicyDe initions) -) !o cop# all ADM$ language resource files from #our ;indo%s <ista administrati&e %orCstation to the central store on #our domain controller using the <copy commandB t#pe: <copy 2systemroot2)PolicyDe initions)"5-8S)= 2logonserver2)sys#ol) 2userdnsdomain2)policies)PolicyDe initions)"5-8S)

"dit the Administrati#e $emplate Policy Settings in the Domain-.ased GP,s


0ou can edit 'P4s onl# using ADM$ files on a ;indo%s <ista"based computer) $o edit administrati#e template policy settings using ADMX iles ,) !o open the 'roup Polic# Management Console on a ;indo%s <ista machineB clicC StartB clicC %unB then t#pe GPMC4msc) 2) !o create a ne% 'P4 to editB right"clicC the Group Policy ob-ects node and select 5e&) -) !#pe a name for the 'P4 and clicC ,>) .) EFpand the Group Policy ob-ects node) 5) 1ight"clicC the name of the 'P4 #ou created and clicC "dit) 2) !he 'roup Polic# 4b(ect Editor automaticall# reads all ADM$ files stored in the central store) ;hen there is no central storeB the 'roup Polic# 4b(ect Editor reads the local &ersions of the ADM$ files used b# the local 'P4 on #our

02 ;indo%s <ista administrati&e machine) 5ote 0ou can still remo&e and add ADM files to the 'P4) !here is no user interface for adding or remo&ing ADM$ files in ;indo%s <ista) !o add local ADM$ files to the 'roup Polic# editing sessionB cop# the ADM$ files to the 2systemroot2)PolicyDe initions) folder and restart the 'roup Polic# 4b(ect Editor)

See Also
Enterprise Management %ith the 'roup Polic# Management Console 'roup Polic# +ettings 1eference for ;indo%s <ista 6eta 2 /+4"+t#le anguageJCulture >ames for ADM$ 1esource +ubfolders