What Is Administrative Templates Extension?
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section
Core Scenarios for Administrative Templates Extension
The Administrative Templates Extension is the largest of all available Group Policy extensions and includes more than 700 policy settings for applications and operating system components. These policy settings are applied by modifying the registry on target clients. Administrative Templates policy settings is also referred to as registry-based policy or simply registry policy.
Administrators need a simple way to configure policy settings and apply those changes to many users and computers throughout the network. You need to be able to modify policy settings quickly and be able to delete policy settings and remove them from all target computers without the risk of old policy settings remaining in the registry. In addition, developers need a way to integrate policy management into new applications. Administrative Templates provides dynamic management capabilities to administrators and an infrastructure for developers to policy-enable their applications.
The Administrative Templates Extension consists of a server-side snap-in that is loaded by default in Group Policy Object Editor and a client-side extension that writes policy settings that manipulate registry keys on target client computers. The server-side snap-in loads a predefined set of Administrative Template files, which are implemented as text files (with an .adm extension), that define the registry settings that can be configured in a Group Policy object (GPO).
.Adm files are Unicode files which consist of a hierarchy of categories and subcategories that define how the options are displayed through the Group Policy Object Editor and GPMC. They also indicate the registry locations where changes should be made if a particular selection is made, specify any options or restrictions (in values) that are associated with the selection, and in some cases, indicate a default value to use if a selection is activated. It’s important to note that the functionality of .adm files is limited. The only purpose of .adm files is to enable a user interface to configure policy settings. .Adm files do not contain actual policy settings; these are contained in registry.pol files located in the Sysvol on domain controllers.
Core Scenarios for Administrative Templates Extension
You use Administrative Templates Extension to modify and remove registry-based policy settings. Developers can create .adm files to integrate policy settings management into their applications.
Manipulating Administrative Template Extension Policy Settings
The Administrative Templates server-side snap-in provides an Administrative Templates node that appears twice in Group Policy Object Editor; once under the Computer Configuration node, and again under the User Configuration node. The settings under the computer node manipulate registry settings for the computer, while settings under the user node manipulate registry settings for users. Although some policy settings require simple UI elements, such as text boxes to enter values, most settings contain only the following options:
The default setting is not configured, so you only need to decide whether to turn the setting on or to turn it off.
Administrative Templates provide administrators with a Group Policy interface for the DSQ and QoS CSEs, among others.
Removing Policy Settings Implemented by Administrative Template Extension
In addition to being easy to set, administrators can also easily remove default registry-based policy settings implemented with Administrative Templates Extension. This is accomplished by having all default registry-based policy settings from Windows 2000 or later stored in one of four specific registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\policies (preferred location)
HKEY_CURRENT_USER\SOFTWARE\policies (preferred location)
Policy settings that are stored in these locations are known as true policies. Registry keys used for true policy are secured so they cannot be modified by a non-administrator. More importantly, when Group Policy changes, for any reason, all settings from these registry keys are removed, and new registry keys are written based on the policy settings in the GPO. This prevents the behavior that was often present in Windows NT 4.0, whereby System Policies resulted in persistent settings in the user and computer registry. The policy remained in effect until the value was reversed, either by a counteracting policy or by editing the registry. Persistent policy settings persist because they are stored outside the approved registry locations. These types of settings are known as preferences.
All the policy settings in the default administrative template files manipulate settings under the approved registry keys—resulting in true policy settings. This means that they will not cause persistent settings in the registry when the GPO that applies them is no longer in effect. By default, Group Policy Object Editor only displays true policy settings.
Default Administrative Template Files
Windows Server 2003 includes the following administrative template files: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm, which contain all the settings initially displayed in the Administrative Templates node. These administrative template files are stored in two locations by default: inside GPOs in the Sysvol folder and in the Windows\inf directory on the local computer.
As new versions of Windows are released, new policy settings are added. In addition to supporting these new settings, each successive version of Windows supports all registry policy settings that were available in earlier versions of Windows. For example, the Windows Server 2003 family supports all registry policy settings available in Windows 2000 and Windows XP.
On Windows XP and Windows Server 2003, each registry setting contains a “Supported on” tag that indicates which operating system versions support that policy setting. If a setting is specified and deployed to a client operating system that does not support that setting, the settings are ignored.
Because all successive iterations of administrative template files include settings from earlier versions, and because there is no harm if a new setting is applied inadvertently to a computer running an earlier operating system that does not support that setting, it is recommended to always create and edit GPOs from a computer that has the latest administrative template files available.
Extending Registry-Based Policy with Administrative Template Files
If a developer needs to provide policy settings specific to an application, they can extend registry-based policy by using administrative template files. The Administrative Templates Extension to Group Policy provides this capability.
Developers can specify that that Administrative Templates Extension writes settings under the secure registry keys to create true policy settings; these policy settings are designed to be manipulated by an administrator using Group Policy Object Editor. Developers can also specify that the application write policy settings outside the secure registry keys to create preferences; these settings are designed to be manipulated by end-users working from within the developer’s application. The Group Policy settings set by administrators take precedence over user preferences. Because Group Policy stores the policy settings set by administrators under the approved Group Policy keys, users cannot change or disable these policy settings.
The following contains additional information that is relevant to this section.
- Group Policy Settings Reference in the Tools and Settings Collection