Windows Tip Sheet

Making Everything Manageable

Get your house in order with ADM templates.

• By Don Jones
• 11/17/2004

Since Windows 95 introduced the registry to the masses, applications have been written to more or less comply with Microsoft's idea of having the registry as a central repository for configuration information. While that makes the registry a giant "eggs all in one basket" liability, it also enables technologies like Group Policy, which allow us to centrally manage a number of aspects of Windows and other applications.

Group Policy for You
First, a quick refresher: Group Policy can push out both policies and preferences. The former is what Group Policy prefers to do; these settings primarily go into HKEY_CURRENT_USER\SOFTWARE\Policies and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
\Policies, as well as the corresponding locations in HKEY_LOCAL_MACHINE. The nifty part about the registry keys in these locations is that they're not "sticky." In other words, if you unlink the GPO that applied those keys, the keys will disappear. Policies, then, are only enforced while there's a GPO actively doing so.

Preferences are like old-style WinNT and Win9x System Policies: They're any old registry key. You can push them out with a GPO, if you know how, but if you later unlink that GPO, the preferences stay put. The only way to turn them off centrally is to apply a GPO that does so. Obviously, policies are preferable to preferences (say that three times fast), so much so that Microsoft doesn't even display preferences in the GPO Editor by default. To see them, you have to select the Administrative Templates section (in User and/or Computer configuration), and deselect Show Policies Only from the View menu.

Most Microsoft apps—like Office—are written to look in the Policies section for configuration information, and come with ADM templates that allow you to configure those applications via Group Policy. Sadly, many other applications—I'll go so far as to say most, in fact—haven't twigged to the Policies section yet and still store user configurations in the other parts of the registry. Notable examples include Macromedia Shockwave, RealNetworks, and all the settings for my current Web browser. That doesn't mean these applications can't be centrally configured using GPOs, though. You can make your own ADM templates that push settings—preferences—to these applications' registry keys.

An ADM template is just a specially formatted text file that looks something like this:

CLASS USER
CATEGORY Sounds
POLICY "Sound to hear when exiting Windows"

KEYNAME "AppEvents\Schemes\Apps\.Default\SystemExit\.Current"
PART "What sound do you want?" EDITTEXT REQUIRED
VALUENAME ""
END PART
END POLICY
END CATEGORY

I've borrowed this example from Jeremy Moskowitz's book Windows 2000 Group Policy, Profiles, and IntelliMirror, an excellent source on the subject of Group Policy (it's now available in a new edition covering Win2003 and WinXP). Here's how this works:

• The CLASS statement sets this up as affecting HKEY_CURRENT_USER, which will be the base location for any included registry keys.
• The CATEGORY defines the folder name within the Administrative Templates folder of the GPO Editor.
• The POLICY statement is the policy—okay, preference—name as listed in the GPO Editor.
• KEYNAME is, of course, the name of the registry key that controls this preference.
• The PART section defines the user interface you'll use in the GPO Editor. This sets up a text box (EDITTEXT) that you must provide a value for (REQUIRED).
• There's no particular VALUENAME, meaning the registry key's default value will be modified.

Obviously this ADM stuff has capabilities beyond what I can cover in this short Tip Sheet, but it's worth checking out. Even those legacy corporate apps might be controllable via registry keys, allowing you to centrally push and maintain a desired configuration state, all via the convenience of Group Policy.

Micro Tips ADM files can be written to work both with modern Group Policy as well as older System Policies for Win9x and NT. This makes it possible to use a single template to configure both new and older clients. Planning complex Group Policy deployments can be … well, complex. Sometimes it helps to have them all laid out in front of you in a spreadsheet or something so that you can plan everything out on paper before deploying to your clients. Hop over to http://www.jsiinc.com/SUBP/tip7600/rh7682.htm to download a spreadsheet of all policy settings, including new policies in WinXP SP2.

More Resources:
• Jeremy's Group Policy-oriented Web site is at http://www.gpanswers.com
• Office Resource Kits include ADM templates for centrally managing Microsoft Office; the Office XP Resource Kit is at
http://www.microsoft.com/office/ork/xp/default.htm.
• Hate Notepad? Use a graphical tool like ADM Template Editor to create your ADM templates: http://www.tucows.com/preview/353049.html
or the Policy Template Editor:
http://www.tools4ever.com/products/utilities/policytemplateeditor/
release.asp.