Here's an article with quite a bit of information...
Recommendations for Managing Group Policy Administrative Template (.adm)
WGID:493
ID: 816662.KB.EN-US CREATED: 2003-03-11 MODIFIED: 2003-06-06
Public |
============================================================================
===
----------------------------------------------------------------------------
---
The information in this article applies to:
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
----------------------------------------------------------------------------
---
IN THIS TASK
------------
- #2: SUMMARY
- #3: Introduction to ADM
Files
- #4: ADM File Storage and
Defaults
- #5: Custom ADM
Files
- #6: Update ADM Files and
Timestamps
- #7: GPO
Replication
- #8: Use Policy Settings to
Control ADM File Updates
- #9: Common Scenarios and
Recommendations
- #10: Multilanguage
Administration Issues
- #11: Operating System
and Service Pack Release Issues
- #12: Remove ADM Files
from the Sysvol Folder
- #13: Maintain ADM Files
on Administrative Workstations
- #16: REFERENCES
SUMMARY
=======
This article describes how ADM files work, the policy
settings that are available to manage their operation, and
recommendations
about how to handle common ADM file management scenarios.
#1: back to the top
Introduction to ADM Files
-------------------------
ADM files are template files that are used by Group Policies to
describe where registry-based policy settings are stored in the
registry. ADM
files also describe the user interface that administrators see in the
Group
Policy Object Editor snap-in (GPEdit). GPEdit is used by administrators
when
they create or modify Group Policy Objects (GPOs).
#1: back to the top
ADM File Storage and Defaults
------------------------------
In the Sysvol folder of each domain controller, each domain GPO
maintains a single folder, and this folder is named the Group Policy
Template
(GPT). The GPT stores all the ADM files that were used in GPEdit when
the GPOs
were last created or edited.
Each operating system includes a
standard set of ADM files. These standard files are the default files
that are
loaded by GPEdit. For example, Windows Server 2003 includes the
following ADM
files:
- System.adm
- Inetres.adm
- Conf.adm
- Wmplayer.adm
- Wuau.adm
#1: back to the top
Custom ADM Files
-----------------
Custom ADM files can be created by program developers or IT
professionals to extend the use of registry-based policy settings to new
programs and components.
Note Programs and components must be designed and coded to recognize
and respond to the policy settings that are described in the ADM file.
To load ADM files in GPEdit:
1. Start the Group Policy Object Editor.
2. Right-click "Administrative Templates", and then click "Add/Remove
Templates". Note Administrative Templates are available under either
"Computer" or "User Configuration". Select the configuration that is
correct for your custom template.
3. Click "Add".
4. Click an ADM file, and then click "Open".
5. Click "Close".
6. The custom ADM file policy settings are now available in GPEdit.
#1: back to the top
Update ADM Files and Timestamps
--------------------------------
Each administrative workstation that is used to run GPEdit stores
ADM files in the %windir%\Inf folder. When GPOs are created and first
edited,
the ADM files from this folder are copied to the Adm subfolder in the
GPT. This
includes the standard ADM files and any custom ADM files that are added
by the
administrator.
Note Creating a GPO without later editing that GPO creates a GPT
without any ADM files.
By default, when GPOs are edited, GPEdit
compares the timestamps of the ADM files in the workstation?s
%windir%\Inf
folder with those that are stored in the GPTs Adm folder. If the
workstation?s
files are newer, GPEdit copies these files to the GPT Adm folder,
overwriting
any existing files of the same name. This comparison occurs when the
Administrative Templates node (computer or user configuration) is
selected in
GPEdit, regardless of whether the administrator actually edits the GPO.
Note The ADM files stored in the GPT can be updated by viewing a GPO
in GPEdit.
Because of the importance of timestamps on ADM file
management, editing of system-supplied ADM files is not recommended. If
a new
policy setting is required, Microsoft recommends that you create a
custom ADM
file. This prevents the replacement of system-supplied ADM files when
service
packs are released.Group Policy Management ConsoleBy default, the Group
Policy Management Console (GPMC) always uses
local ADM files, regardless of their time stamp, and never copies the
ADM files
to the Sysvol. If an ADM file is not found, GPMC looks for the ADM file
in the
GPT. Also, the GPMC user can specify an alternative location for ADM
files. If
an alternative location is specified, this alternative location takes
precedence.
#1: back to the top
GPO Replication
---------------
The File Replication Service (FRS) replicates the GPTs for GPOs
throughout the domain. As part of the GPT, the Adm subfolder is
replicated to
all domain controllers in the domain. Because each GPO stores multiple
ADM
files, and some can be quite large, you must understand how ADM files
that are
added or updated when you use GPEdit can affect replication
traffic.
#1: back to the top
Use Policy Settings to Control ADM File Updates
------------------------------------------------
Two policy settings area available to help with management of ADM
files. These settings make it possible for the administrator to tune
the use of
ADM files for a specific environment. These are the "Turn off automatic
updates
of ADM files" and the "Always use local ADM files for Group Policy
Editor"
settings.
Turn Off Automatic Updates of ADM Files
This policy setting is available under User
Configuration\Administrative Templates\System\Group Policy on Windows
2003,
Windows 2000 and Windows XP.
When this policy is enabled, updating an
existing GPO does not result in ADM files from the local computer being
sent to
the GPT.
In Windows 2000, the first time a GPO is edited, the local
ADM files are uploaded to the GPT, without regard to how this policy
was set.
Note The first time the GPO is edited may or may not be when the GPO
is created.
In Windows XP, ADM files are not uploaded when a GPO is
first edited if this policy is enabled.
Always Use Local ADM Files for Group Policy Editor
This policy setting is available under Computer
Configuration\Administrative Templates\System\Group Policy on Windows
2003 and
Windows XP Professional.
When a GPO is created, this policy setting
has no immediate effect, and the ADM files on the local computer are
uploaded
to the GPT as you expect. However, when you edit an existing GPO, any
ADM files
that are stored in the GPT are ignored, and GPEdit will only use the
ADM files
from the local computer. If a policy setting has been set in the GPO
but the
corresponding ADM file that describes the policy setting is not
available on
the local computer, GPEdit will not display that policy setting.
Note If this policy setting is enabled, the "Turn off automatic
updates of ADM files" policy setting is implied.
#1: back to the top
Common Scenarios and Recommendations
------------------------------------
Multilanguage Administration Issues
In some environments, policy settings may have to be presented to
the user interface in different languages. For example, an
administrator in the
United States may want to view policy settings for a specific GPO in
English,
and an administrator in France may want to view the same GPO by using
French as
their preferred language. Because the GPT can store only one set of ADM
files,
you cannot use the GPT to store ADM files for both languages.
For
Windows 2000, the use of local ADM files for the Group Policy Editor is
not
supported. To work around this, use the "Turn off automatic updates of
ADM
files" policy setting. Because this policy setting has no affect on the
creation of new GPOs, the local ADM files will be uploaded to the GPT in
Windows 2000, and creating a GPO in Windows 2000 effectively defines
?the
language of the GPO?. If the "Turn off automatic updates of ADM files"
policy
setting is in effect at all Windows 2000 workstations, the language of
the ADM
files in the GPT will be defined by the language of the computer that
is used
to create the GPO.
For administrators that are using Windows XP and
Windows Server 2003, the "Always use local ADM files for Group Policy
Editor"
policy setting can be used. This makes it possible for the French
administrator
to view policy settings by using the ADM files that are installed
locally on
his or her workstation (French), regardless of the ADM file that is
stored in
the GPT. Note that when you use this policy setting, it is implied that
the
"Turn off automatic updates of ADM files" policy setting is enabled to
avoid
unnecessary updates of the ADM files to the GPT.
Also, consider
standardizing on the latest operating system from Microsoft for
administrative
workstations in a multi-language administrative environment. Then
configure
both the "Always use local ADM files for Group Policy Editor" and "Turn
off
automatic updates of ADM files" policy settings.
If Windows 2000
workstations are being used, use the "Turn off automatic updates of ADM
files"
policy setting for administrators and consider the ADM files in the GPT
to be
the effective language for all Windows 2000 workstations.
Note Windows XP workstations may still use their local, language
specific versions.
#1: back to the
top
Operating System and Service Pack Release Issues
Each operating system or service pack release includes a superset
of the ADM files provided by earlier releases, including policy
settings that
are specific to operating systems that are different to those of the new
release. For example, the ADM files that are provided with Windows
Server 2003
include all policy settings for all operating systems, including those
that are
only relevant to Windows 2000 or Windows XP Professional. This means
that only
viewing a GPO from a computer with the new release of an operating
system or
service pack effectively upgrades the ADM files. As later releases are
typically a superset of previous ADM files, this will not typically
create
problems, assuming that the ADM files that are being used have not been
edited.
In some situations, an operating system or service pack
release may include a subset of the ADM files that was provided with
earlier
releases. This has the potential to present an earlier subset of the
ADM files,
resulting in policy settings no longer being visible to administrators
when
they use GPEdit. However, the policy settings will remain active in the
GPO.
Only the visibility of the policy settings in GPEdit is affected. Any
active
(either Enabled or Disabled) policy settings are not visible in GPEdit,
but
remain active. Because the settings are not visible, it is not possible
for the
administrator to view or edit these policy settings. To work around
this issue,
administrators must become familiar with the ADM files that are
included with
each operating system or service pack release before using GPEdit on
that
operating system, keeping in mind that the act of viewing a GPO is
enough to
update the ADM files in the GPT, when the timestamp comparison
determines an
update is appropriate.
To plan for this in your environment, Microsoft
recommends that you either:
- Define a standard operating system/service pack from which all
viewing and editing of GPOs occurs, making sure that the ADM files that
are being used include the policy settings for all platforms.
- Use the "Turn off automatic updates of ADM files" policy setting for
all Group Policy administrators to make sure that ADM files are not
overwritten in the GPT by any GPEdit session, and make sure that you
are using the latest ADM files that are available from Microsoft.
Note The "Always use local ADM files for Group Policy Editor" policy
is typically used with this policy, when it is supported by the
operating
system from which GPEdit is run.
#1: back
to the top
Remove ADM Files from the Sysvol Folder
By default, ADM files are stored in the GPT, and this can
significantly increase the Sysvol folder size. Also, frequent editing
of GPOs
can result in a significant amount of replication traffic. Using a
combination
of the "Turn off automatic updates of ADM files" and "Always use local
ADM
files for Group Policy Editor" policy settings can greatly reduce the
size of
Sysvol folder and reduce policy-related replication traffic where a
significant
number of policy edits occur.
If the size of the Sysvol volume or
Group Policy-related replication traffic becomes problematic, consider
implementing an environment where the Sysvol does not store any ADM
files. Or
consider maintaining ADM files on administrative workstations. This
process is
described in the following section.
To clear the Sysvol folder of ADM
files:
1. Enable the "Turn off automatic update of ADM files" policy setting
for all Group Policy administrators who will be editing GPOs.
2. Make sure that this policy has been applied.
3. Copy any custom ADM templates to the %windir%\Inf folder.
4. Edit existing GPOs, and then remove all ADM files from the GPT. To
do this, right-click "Administrative Templates", and then click
"Add/Remove Template".
5. Enable the "Always use local ADM files for Group Policy Object Edit"
policy setting for administrative workstations.
#1: back to the top
Maintain ADM files on Administrative Workstations
When you use the "Always use local ADM files for Group Policy
Editor" policy setting, make sure that each workstation has the latest
version
of the default and custom ADM files. If all ADM files are not available
locally, some policy settings that are contained in a GPO will not be
visible
to the administrator. Avoid this by implementing a standard operating
system
and service pack version for all administrators. If you cannot use a
standard
operating system and service pack, implement a process to distribute
the latest
ADM files to all administrative workstations.
Note Because the workstation ADM files are stored in the %windir%\Inf
folder, any process that is used to distribute these files must run in
the
context of an account that has administrative credentials on the
workstation.
#1: back to the
top
REFERENCES
==========
For additional information about Group Policies
in Windows Server 2003, click the following article number to view the
article
in the Microsoft Knowledge Base:
KBLink:316977.KB.EN-US: Group Policy Template Behavior in Windows
Server 2003
#1: back to the
top
============================================================================
===
Publishing Keywords : kbWinServ2003Data kbWinServ2003Data64bit
kbWinServ2003Data64bitSearch kbWinServ2003DataSearch kbWinServ2003Ent
kbWinServ2003Ent64bit kbWinServ2003Ent64bitSearch kbWinServ2003EntSearch
kbWinServ2003Search kbWinServ2003St
Keywords : kbinfo
Revision Type : Major
Workgroup : Server - (EntireNet) Windows .NET Server [493]
Billing Product : Windows .NET Svr Std [4751]
Original Language : EN-US
Source Language : EN-US
============================================================================
===
Created By : davidgaz Published Date : 2003-06-06
Modified By : dawnb Archived Date :
