Managing Windows Vista Group Policy (Part 1)

If you would like to read the other parts in this article series please go to:

Introduction

Windows Vista includes some important changes from earlier Windows operating systems with regard to Group Policy (GP). This article introduces you to how ADM files evolved into multi-lingual files through the use of XML (ADMX/ADML files), and to the Central Store with all its glory. Welcome to the constantly expanding Microsoft Group Policy universe.

ADM vs. ADMX/ADML files

ADM files were first introduced with Windows NT4 and they have stuck ever since. First of all, it’s important to understand that ADM files are nothing but templates (Administrative Templates): when Group Policy Object Editor (GPOE) or Group Policy Management Console (GPMC) loads, their content is presented to the users of the console and nothing else (the administrative experience, you could say). When the policy is changed or created, a Registry. Group Policy Object (GPO) container – this is the actual policy with all the corresponding and specific registry settings defined in the template file(s). So, the machine or user receiving the policy actually doesn’t need the ADM files at all.

ADM files had an obscure syntax from the very beginning, with their own special markup language, which is pretty difficult to master. With customized Administrative Templates there are lots of possibilities to create your own “registry policies”, making sure your clients are configured in a specific way.
The new ADMX/ADML files take over from where ADM files left off. They are still just templates and only there for the administrators creating and modifying group policies, local as well as domain based. The managed “end users” and “end machines” will have no awareness as to whether the policy settings were configured from Vista (using ADMX/ADML files) or Windows 2. ADM files) – we still just edit and populate the Registry. This is the reason why ADM and ADMX/ADML files can coexist. You will not notice the presence of ADMX files during your day-to-day policy administration tasks.

So you might ask why we now have both ADMX and ADML template files! Well, the reason for this is that ADM files only supported a single language – now we get true multi-lingual support. On a French Windows XP the French ADM files were included and on a Danish Windows XP the Danish ADM files were included – you could not have both. ADMX files are language-neutral and don’t include policy descriptions etc. Instead they reference ADML files, which are language-specific; one ADML file is required pr. Maybe it’s now easier to create Administrative Templates for developers or 3rd party group policy tools, but not for a normal human being. I actually don’t believe we have an easier job with XML in the good old Notepad.
Unfortunately you won’t find much information these days on how to create/customize your own ADMX templates. This seems to be a . You can also use other XML tools or programmatic XML libraries (e. You can see the ADMX Schema reference online.

Figure 1.

With Windows Vista RC 2 build 5. ADMX files (see Figure 1) and 1. ADML files, this gives us only 3. MB of ADMX and 1. MB of ADML files – not much compared to all the functionality and possibility these files bring into an administrator’s life! Windows XP had 7 default ADM files containing all Windows policy settings available from Microsoft. Windows Vista will use the built-in ADMX files to present all policy settings for Windows XP/2. Vista itself – no ADM files are included anymore. This is possible because the Vista ADMX files are a SUPERSET of the old ADM files and therefore supersede these files; they simply include all the “legacy” settings and a great deal of new ones (around 8. Vista/Longhorn alone.

However, if Vista finds a custom ADM file in the GPO being edited it will also display the policy settings defined in that ADM file (just without the multi-lingual benefits of ADMX/ADML files, of course). If you previously changed the contents of some of the default ADM files (even though it’s far from best practice) you have to repeat the same changes within a customized ADMX file (and create a corresponding ADML file). Microsoft has no plan to ship an ADM to ADMX conversion tool so far, in case you were wondering.

We can still use the “Add/Remove Templates” dialog for ADM files. This is not an option with ADMX files, as the new version of GPOE will read and load all ADMX files, from the Central Store (see below) or the local directory, into the GUI on startup, completely transparently to the user. If we need to add customized ADMX files, all we have to do is copy the file(s) to the Central Store or the local directory and restart GPOE.
The domain policy administration workstation needs to be running Windows Vista (or Longhorn) for best interoperability and administrative experience. Windows Vista can be used to manage all operating systems that support Group Policy (from Windows 2. GPOE on Windows 2. XP/2. 00. 3 machines will not display new Windows Vista Administrative Template policy settings that may be enabled or disabled within a GPO. The reporting feature of GPMC on Windows XP/2. GPMC doesn’t run on Windows 2. Windows Vista Administrative Template policy settings as .

Windows Vista has a “language fallback mechanism” which steps into action if no language file is available for the user’s OS language – English is the default fallback language and therefore a language file from the EN-US folder will be preferred (see below). If the English ADML file is missing too, the policy settings will show up under .

On earlier Windows versions, ADM files were located in the directory %WINDIR%\inf; ADMX files are placed within %WINDIR%\PolicyDefinitions and the corresponding ADML files are located in %WINDIR%\PolicyDefinitions\<LanguageFolder>. The <LanguageFolder> can be named \EN-US for U.S. English, \FR for French etc.

The Central Store (CS) is actually just a new directory replicated between Domain Controllers in the SYSVOL area (which is already used by Windows 2. XP/2. 00. 3 to store Group Policy Objects). There is nothing mysterious about this folder, but it helps to centrally administer the ADMX and ADML files used for policy creation and editing – and reduces the storage requirements for GPOs in the SYSVOL area. We either use one Central Store in the domain or the local directories on each admin client to hold ADMX/ADML files (the latter is the old approach). The two methods are mutually exclusive: either the “online” ADMX files are used or the local files.
Once the Central Store is created the local ADMX/ADML files are no longer used unless the Central Store is for some reason unavailable, in which case we fall back to the local files.

ADM templates could be pretty annoying in situations where domain-wide policies were administered from different administrative workstations. There could be language and version mismatches between the ADM files used, so when a French administrator edits the Default Domain Policy his/her language and operating system version (2. XP/2. 00. 3) will be reflected in the ADM files copied to the SYSVOL, as well as the Service Pack level of the computer.

There is no user interface to create and populate the Central Store in Windows Vista, but the process is very simple and has to be done only once per Domain. All you have to do is create the Central Store folder, preferably on the Primary Domain Controller (PDC Emulator) because both GPMC and GPOE connect to the PDC by default, copy all ADMX files to the directory, create a subfolder for each language, copy the ADML files to these directories and let the File Replication Service (FRS) do its job replicating the content to all DCs.

So, exactly where should I create this folder? Well, it’s pretty straightforward. Please note that locally on a DC the path should be %WINDIR%\SYSVOL\domain\Policies\PolicyDefinitions (default location of SYSVOL). You must be a member of the “Domain Administrators” group to create the Central Store folder, and the location is not user configurable or changeable. Custom ADMX policies (and their related language files) can be copied to the Central Store – all GPOEs on your group policy administrators’ computers will then consume and reflect these settings.

With the old policy structure ADM files were copied to each GPO in the SYSVOL directory structure (%SYSVOL%\Policies\<Unique GPO GUID>\ADM\). For each and every GPO this took a minimum of 4. MB, so with hundreds of policies, storage and replication could become an issue.
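The Central Store procedure described above, as a PowerShell script. This is an added example, not part of the original article or of any Microsoft tooling. The parameter names are hypothetical, and the script assumes the fallback language folder is named en-US and that it runs under an account allowed to write to SYSVOL. It also checks that every ADMX file has an ADML file in the fallback language folder.

```powershell
# Added example: populate a Group Policy Central Store and audit ADMX/ADML pairing.
# -CentralStore is supplied by the caller (the PolicyDefinitions folder in SYSVOL).
param(
    [Parameter(Mandatory)] [string] $CentralStore,
    [string] $Source = (Join-Path $env:WINDIR 'PolicyDefinitions'),
    [string] $FallbackLanguage = 'en-US'   # assumed fallback folder name
)

$ErrorActionPreference = 'Stop'

# 1. Create the Central Store folder (needed only once per domain).
New-Item -ItemType Directory -Path $CentralStore -Force | Out-Null

# 2. Copy the language-neutral ADMX files.
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $CentralStore -Force

# 3. Create one subfolder per language and copy its ADML files.
Get-ChildItem -Path $Source -Directory | ForEach-Object {
    $target = Join-Path $CentralStore $_.Name
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $target -Force
}

# 4. Audit: list ADMX files that have no ADML file in the fallback language
#    folder, so the language fallback described in the article would find nothing.
$fallbackDir = Join-Path $CentralStore $FallbackLanguage
$missing = Get-ChildItem -Path $CentralStore -Filter '*.admx' | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $fallbackDir ($_.BaseName + '.adml')))
}

if ($missing) {
    Write-Warning "ADMX files without a $FallbackLanguage ADML file:"
    $missing | ForEach-Object { Write-Warning "  $($_.Name)" }
} else {
    Write-Output "Every ADMX file has a matching $FallbackLanguage ADML file."
}
```

Run it on the PDC Emulator with -CentralStore pointing at the PolicyDefinitions path given above; step 4 is also worth re-running whenever custom ADMX files are added to the store.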
ADMX/ADML files will not be copied multiple times to the SYSVOL area – that “unfortunate” behavior is history. The CS reduces the amount of storage needed by minimizing redundant data files in SYSVOL. The CS functionality does NOT require “Longhorn” Server – it works fine in pure Windows 2. Windows 2. 00. 3 Active Directory domain environments. Remember that Group Policy is mostly a client-side architecture just using the AD structure (sites, domains, OU.

Related Links

Managing ADMX Files Step-by-Step Guide
Group Policy Changes in Vista by Derek Melber
Managing Group Policy ADMX Files Step-by-Step Guide by Judith Herman
Group Policy in Windows Vista (level 2. Michael Murphy
Getting Started with Group Policy in Windows Vista (Level 2. Kevin Remde