Executive Summary:
If you use Microsoft Windows Vista or Microsoft Windows Server 2008 to administer your systems, recent Group Policy changes will affect you. ADMX/ADML is a new XML-based template format that is centrally storable and customizable and provides increased integrity for your admin files. The ADMX Editor feature lets you create your own customized .admx files—but this feature is slow and somewhat buggy.
Even if you’re not planning to upgrade to Windows Vista anytime soon, your IT department might use Vista for systems administration. If so, you can take advantage of the improvements Microsoft made to Vista’s Group Policy administrative templates. Vista’s .admx files (Microsoft’s new XML-based format for administrative templates) function differently from previous OSs’ administrative templates.
Group Policy administrative templates, or .adm files, define the registry-based settings that are displayed in the Group Policy Object Editor. The templates are divided into two sections that define computer settings and user settings. These settings appear under the Administrative Templates nodes in the Group Policy Object Editor. You can create your own administrative templates to control registry settings with Group Policy, and add them to a Group Policy Object (GPO) by right-clicking Administrative Templates in the Group Policy Object Editor and clicking Add/Remove Templates.
In Windows Server 2008, Group Policy Preferences eliminate the need to create custom administrative templates or scripts to manipulate the registry.
A New XML Format for Vista and Server 2008
The .adm file format hails from the days of Windows NT Server system policies. Vista’s and Server 2008’s .admx files are based (as are other XML-formatted files) on a documented schema—which makes it easier to modify the files and develop applications that can work with the new format. Files in .adm format contain a section where strings are defined for use by the Group Policy Object Editor. The .admx format places that strings section into a separate .adml file, so you don’t need to create a new .admx file for systems that use a different language.
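To make the split between the two files concrete, here is an added example (not code from the article or from Microsoft): a minimal .admx and its en-US .adml, built inline as constructed sample data, followed by PowerShell that resolves the `$(string.ID)` references the way the editor does and lists any reference the .adml does not satisfy. The namespace `Contoso.Policies.Example`, the registry key and the policy name are placeholders, and the `_Help` string is deliberately left out of the .adml so the check has something to report. Requires PowerShell 3.0 or later.

```powershell
# Added example, not from the article: a minimal .admx/.adml pair built inline as
# constructed sample data, plus a check that every $(string.ID) reference in the
# .admx resolves to a <string id="ID"> entry in the .adml. The namespace
# "Contoso.Policies.Example", the registry key and the policy name are placeholders.

$admxText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.Example" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <supportedOn>
    <definitions>
      <definition name="SUPPORTED_Vista" displayName="$(string.SUPPORTED_Vista)" />
    </definitions>
  </supportedOn>
  <categories>
    <category name="ContosoCat" displayName="$(string.ContosoCat)" />
  </categories>
  <policies>
    <!-- Registry-based policy: Enabled writes DWORD 1, Disabled writes DWORD 0.
         No display text lives here; every user-visible string is a reference into the .adml. -->
    <policy name="DisableExampleFeature" class="Machine"
        displayName="$(string.DisableExampleFeature)"
        explainText="$(string.DisableExampleFeature_Help)"
        key="Software\Policies\Contoso\Example" valueName="DisableExampleFeature">
      <parentCategory ref="ContosoCat" />
      <supportedOn ref="SUPPORTED_Vista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# The en-US .adml holds only the strings; a French deployment would ship a fr-FR
# .adml with the same ids against the same .admx. The _Help string is omitted
# on purpose so the check below has something to report.
$admlText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Contoso example templates</displayName>
  <description>Constructed sample for illustration</description>
  <resources>
    <stringTable>
      <string id="SUPPORTED_Vista">At least Windows Vista</string>
      <string id="ContosoCat">Contoso</string>
      <string id="DisableExampleFeature">Disable the example feature</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

function Get-AdmlStringTable {
    # Build an id -> text lookup from the .adml stringTable
    param([xml]$Adml)
    $table = @{}
    foreach ($s in $Adml.policyDefinitionResources.resources.stringTable.string) {
        $table[$s.id] = $s.InnerText
    }
    return $table
}

function Resolve-AdmxString {
    # Turn "$(string.ID)" into the .adml text; literal text passes through unchanged
    param([string]$Reference, [hashtable]$StringTable)
    if ($Reference -match '^\$\(string\.(\w+)\)$') {
        if ($StringTable.ContainsKey($Matches[1])) { return $StringTable[$Matches[1]] }
        return "<missing string '$($Matches[1])'>"
    }
    return $Reference
}

$admx    = [xml]$admxText
$strings = Get-AdmlStringTable -Adml ([xml]$admlText)

# What the Group Policy editor would show for each policy, and where it writes
foreach ($p in $admx.policyDefinitions.policies.policy) {
    $hive = if ($p.class -eq 'User') { 'HKCU' } elseif ($p.class -eq 'Both') { 'HKLM and HKCU' } else { 'HKLM' }
    [pscustomobject]@{
        Policy      = $p.name
        DisplayName = Resolve-AdmxString $p.displayName $strings
        Explain     = Resolve-AdmxString $p.explainText $strings
        Registry    = "$hive\$($p.key)\$($p.valueName)"
    }
}

# Integrity check: every string id the .admx references but the .adml lacks
$referenced = [regex]::Matches($admxText, '\$\(string\.(\w+)\)') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
$referenced | Where-Object { -not $strings.ContainsKey($_) } |
    ForEach-Object { Write-Warning "No .adml string for id '$_'" }
```

Run as a script, it prints one row for the sample policy (with the Explain column showing the missing-string marker) and a warning for `DisableExampleFeature_Help`. The same check run over a real central store, with the .admx and each language .adml loaded from disk instead of the here-strings, catches the mismatched or partially translated .adml files that otherwise surface only as errors when the editor opens the template.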
Centralize Storage for Improved Integrity
In Windows 2000 and Windows Server 2003 domains, .adm files are stored locally on domain-joined machines and in Group Policy Templates (GPTs), which are located in the Sysvol directory on domain controllers (DCs). Every GPO has its own GPT, and each GPT carries its own copy of the .adm files; thus multiple copies of .adm files are replicated to every DC. Versioning of .adm files is controlled by comparing the time and date stamps of the local and GPT copies of the file. If the local .adm file is newer than the GPT version, the local copy is uploaded to the Sysvol directory and replicated.
This behavior can lead to integrity problems if a local .adm file is corrupt, or to a security problem if someone maliciously modifies an .adm file. You can prevent local copies of .adm files from being uploaded to DCs—and force the use of local .adm files—by enabling the Always use local .adm files for Group Policy editor Group Policy setting under Computer Configuration\Administrative Templates\System\Group Policy. However, this means that .adm files across all administrative workstations need to be kept in sync.
Although .adm files can’t be stored centrally, .admx files can be stored centrally in a Win2K or Server 2003 domain and replicated between DCs. Once the store is created, you should use only Vista or Server 2008 to administer GPOs, so that .adm files are not automatically uploaded to the Sysvol directory. The process is optional; however, it’s necessary in Server 2008 domains if you want to use a central store. You should perform the following steps in a test environment only—they enable a preference setting in a GPO that can’t be rolled back by unlinking the GPO.
1. Open Windows Explorer, enter the Universal Naming Convention (UNC) path \\DomainName.com\sysvol\DomainName.com\policies in the address bar, then create a new folder called PolicyDefinitions, as Figure 1 shows.
2. Update Vista or Server 2008 with the latest service pack and patches.
3. Copy the contents of the PolicyDefinitions folder (located in the Windows directory), including the EN-US subfolder, to the new PolicyDefinitions folder on the server.
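The same three steps, scripted, as an added example that is not from the article or from Microsoft. It creates the PolicyDefinitions folder under the Sysvol policies share, copies the local templates and language subfolders into it, and then verifies the copy file by file with SHA-256 hashes, which is the check a central store deserves given that its whole purpose is template integrity. The function names are my own; the domain name defaults to the logged-on user’s domain via `$env:USERDNSDOMAIN`, and the script assumes write access to Sysvol and PowerShell 4.0 or later (for `Get-FileHash`). Step 2 (patching the admin workstation) is done beforehand by hand.

```powershell
# Added example, not from the article: scripts steps 1 and 3 (create the
# PolicyDefinitions folder under Sysvol and copy the local templates into it)
# and then verifies the copy file by file with SHA-256 hashes, so a truncated or
# altered template in the store is noticed before any GPO is edited against it.
# Requires PowerShell 4.0 or later (Get-FileHash) and write access to Sysvol.
# Step 2 of the article (service pack and patches) is assumed to be done already.

function New-AdmxCentralStore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DNS name of the domain (the article's DomainName.com); defaults to the
        # logged-on user's domain
        [string]$Domain = $env:USERDNSDOMAIN,
        # PolicyDefinitions folder in the Windows directory of the patched
        # Vista / Server 2008 admin workstation
        [string]$Source = (Join-Path $env:windir 'PolicyDefinitions')
    )
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

    # Step 1: create the folder in the Sysvol policies share if it is not there yet
    if (-not (Test-Path -LiteralPath $store)) {
        if ($PSCmdlet.ShouldProcess($store, 'Create PolicyDefinitions folder')) {
            New-Item -Path $store -ItemType Directory | Out-Null
        }
    }

    # Step 3: copy the .admx files and the language subfolders (en-US and any
    # others present) into the store; -Recurse carries the subfolders along
    if ($PSCmdlet.ShouldProcess($store, "Copy templates from $Source")) {
        Copy-Item -Path (Join-Path $Source '*') -Destination $store -Recurse -Force
    }
    return $store
}

function Test-AdmxCentralStore {
    # Compare every local template with its copy in the store; returns one
    # record per problem, or nothing when the store matches the source exactly
    param(
        [Parameter(Mandatory = $true)][string]$Store,
        [string]$Source = (Join-Path $env:windir 'PolicyDefinitions')
    )
    $problems = @()
    foreach ($file in Get-ChildItem -LiteralPath $Source -Recurse -File) {
        # Path relative to the source root, e.g. en-US\<name>.adml
        $relative = $file.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $copy = Join-Path $Store $relative
        if (-not (Test-Path -LiteralPath $copy)) {
            $problems += [pscustomobject]@{ File = $relative; Issue = 'missing from central store' }
            continue
        }
        $localHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $storeHash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($localHash -ne $storeHash) {
            $problems += [pscustomobject]@{ File = $relative; Issue = 'content differs from local copy' }
        }
    }
    return $problems
}

# Usage: rehearse with -WhatIf, then create the store and verify it.
# An empty result from Test-AdmxCentralStore means every file matched.
#   New-AdmxCentralStore -WhatIf
#   $store = New-AdmxCentralStore
#   Test-AdmxCentralStore -Store $store
```

Re-running `Test-AdmxCentralStore` later, after a service pack has refreshed the workstation’s PolicyDefinitions folder, shows exactly which templates in the store are stale and which are unchanged, which is also a convenient way to spot a template in Sysvol that no longer matches any known original.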
Vista and Server 2008’s Group Policy tools check for a PolicyDefinitions folder, so any new GPOs that are created and edited exclusively on Vista or Server 2008 and joined to a Win2K or Server 2003 domain where this folder is present will have a GPT without an ADM folder. Figure 2 shows the Administrative Templates node in the Group Policy Management Editor where a central store for .admx files has been detected. To add an .admx template to the central store, you must copy the file directly to the PolicyDefinitions folder on a DC.

Once the store has been created, you can secure the administrative templates in the store and the GPOs separately. You can still right-click the Administrative Templates node in the Group Policy Management Editor and add an .adm template, which will appear under the Classic Administrative Templates (ADM) node, but you should avoid this by converting .adm files to .admx format.
Migrating to the .admx Format
If you want to take full advantage of the central store, you can convert your .adm files to the new format, delete the old .adm templates from each GPT on the server, and upload the converted .admx files to the central store. To convert .adm files to .admx, you’ll need to download the free ADMX Migrator tool from www.microsoft.com/downloads/details.aspx?familyid=0f1eec3d-10c4-4b5f-9625-97c2f731090c. Install the tool on an admin workstation and follow these instructions to convert each .adm file to .admx:
1. Open ADMX Editor by selecting All Programs, FullArmor, FullArmor ADMX Migrator from the Start menu.
2. In the left-hand pane, right-click ADMX Editor and select Generate ADMX from ADM on the menu.
3. Select the .adm file you want to convert and click Open.
4. The conversion process will take a few seconds, and you’ll be presented with a summary of any errors that were encountered in the Conversion Results dialog box that Figure 3 shows. Click Close.
5. You’ll then be given the opportunity to load the new .admx file into the editor. Click Yes. The new template will now appear in the central pane in the Template box.
6. Double-click ADMX Templates under ADMX Editor in the left-hand pane, right-click the template, and select Save As from the menu to save a copy of the new template in a convenient temporary location.