There are many reasons to create a custom ADM/ADMX template: managing settings for software that doesn’t include GPO support, a modification to an OS setting that isn’t part of the standard templates, disable or enable a specific component (e.g. IPv6) or to extend the features of existing policy settings (e.g. redirect user shell folders).
All of these have one thing in common: they complete their function by modifying registry keys, the core function of the custom ADM or ADMX template. This commonality results in the following typical high level process for creating or modifying custom ADM/ADMX files:
- Research the registry keys that control the required settings.
- Learn and understand the template file format.
- Create and test the custom template file.
- Repeat step 3 until everything works right (usually the longest step in the process).
- Deploy the templates to configure GPOs after training administrators about the differences between managed and unmanaged settings.
- Respond to questions and issues when the mechanism malfunctions, the specific requirements change or people forget the operation process for using the custom template.
There’s not much we can do about step 1 since we need to determine how to configure the required settings but past that step, this is a fairly long and sometimes painful road to implement the required change. As a result, many administrators choose to use scripts or .REG files to simplify the process and avoid having to dig into the ADM/ADMX file format.
With the introduction of group policy preferences with Windows 2008, we now have the registry extension that can accomplish the same task and much much more. The base functionality allows us to deploy registry keys as well as custom templates or scripts but this mechanism includes the following additional benefits:
- The ability to import keys from the local computer’s registry – once you configure the required settings on your admin computer, you can import them directly into the GPO.
- The ability to organize and manage keys by collection.
- The ability to manage all of the key types: strings, DWORD, QWORD, multi-string value, expandable-string value and binary values.
- The ability to update, replace or delete existing strings – the update action will only update the value data whereas the replace action will delete the existing key/value and create a new one with the desired value data.
In addition to the registry extension specific benefits, we also get the following benefits that are global to all preferences:
- The ability to run user settings using the system security context
- The ability to remove the item when the setting is no longer applied – this is an important option that allows the preference to behave similar to a managed policy setting (note that this will not re-instate an original value, just remove the setting).
- The ability to create a true preference and apply the setting only once allowing the user to change it.
- ..and most importantly, the ability to configure conditional expressions for each registry key or collection to further define its target. This capability, known as item-level targeting (or ILT) is a very granular and powerful engine that provides an administrator the tools to direct each setting to the computers or users who need it based on over 25 categories of properties including hardware levels, OS, networking configuration, group membership and any registry/file/LDAP/WMI query.
Given these benefits, the registry extension becomes the ‘Swiss army knife’ of custom registry modifications to Windows systems and user environments.
So while there is still a need for ADMX templates from Microsoft to manage the OS and there’s a strong need for templates from other software vendors, when those templates are not available, I reach for the registry extension and avoid any authoring of custom ADM/ADMX templates.
So are custom ADM/ADMX template a thing of the past? please share in the comments section. I’m interested in how many folks out there are still creating custom template files.