The death of custom ADM/ADMX templates?

Posted: April 22, 2011 in Group Policy

There are many reasons to create a custom ADM/ADMX template: managing settings for software that doesn’t include GPO support, modifying an OS setting that isn’t part of the standard templates, disabling or enabling a specific component (e.g. IPv6), or extending the features of existing policy settings (e.g. redirecting user shell folders).

All of these have one thing in common: they complete their function by modifying registry keys, the core function of the custom ADM or ADMX template. This commonality results in the following typical high-level process for creating or modifying custom ADM/ADMX files:

  1. Research the registry keys that control the required settings.
  2. Learn and understand the template file format.
  3. Create and test the custom template file.
  4. Repeat step 3 until everything works right (usually the longest step in the process).
  5. Deploy the templates to configure GPOs after training administrators about the differences between managed and unmanaged settings.
  6. Respond to questions and issues when the mechanism malfunctions, the specific requirements change or people forget the operation process for using the custom template.

There’s not much we can do about step 1, since we need to determine how to configure the required settings, but past that step this is a fairly long and sometimes painful road to implementing the required change. As a result, many administrators choose to use scripts or .REG files to simplify the process and avoid having to dig into the ADM/ADMX file format.

With the introduction of group policy preferences with Windows 2008, we now have the registry extension, which can accomplish the same task and much more. Its base functionality lets us deploy registry keys just as custom templates or scripts do, but the mechanism adds the following benefits:

  • The ability to import keys from the local computer’s registry – once you configure the required settings on your admin computer, you can import them directly into the GPO.
  • The ability to organize and manage keys by collection.
  • The ability to manage all of the registry value types: string, DWORD, QWORD, multi-string, expandable-string and binary values.
  • The ability to update, replace or delete existing values – the update action only updates the value data, whereas the replace action deletes the existing key/value and creates a new one with the desired value data.

In addition to the registry extension specific benefits, we also get the following benefits that are global to all preferences:

  • The ability to run user settings using the system security context.
  • The ability to remove the item when the setting is no longer applied – this is an important option that allows the preference to behave similarly to a managed policy setting (note that this will not reinstate an original value, just remove the setting).
  • The ability to create a true preference and apply the setting only once, allowing the user to change it.
  • And most importantly, the ability to configure conditional expressions for each registry key or collection to further define its target. This capability, known as item-level targeting (or ILT), is a very granular and powerful engine that gives an administrator the tools to direct each setting to the computers or users who need it, based on over 25 categories of properties including hardware levels, OS, networking configuration, group membership and any registry/file/LDAP/WMI query.

Given these benefits, the registry extension becomes the ‘Swiss army knife’ of custom registry modifications to Windows systems and user environments.
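Because a preference item can be enforced, applied once, removed when out of scope, or narrowed by targeting, it helps to be able to read those choices back out of a GPO. The following is an added example, not part of the original post: a small auditor over a constructed sample in the Registry.xml layout the registry extension stores in the GPO. The element and attribute names (`Registry`, `Collection`, `Properties`, `action`, `removePolicy`, `userContext`, `FilterRunOnce`, `FilterGroup`) and all sample values are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element and attribute names are assumptions about the
# Registry.xml layout written by the registry preference extension.
SAMPLE = r"""<RegistrySettings>
  <Collection name="Network hardening">
    <Registry name="DisabledComponents" removePolicy="1">
      <Properties action="R" hive="HKEY_LOCAL_MACHINE"
        key="SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
        name="DisabledComponents" type="REG_DWORD" value="000000FF"/>
    </Registry>
  </Collection>
  <Registry name="Wallpaper" userContext="1">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Control Panel\Desktop"
      name="Wallpaper" type="REG_SZ" value="C:\Windows\Web\corp.jpg"/>
    <Filters>
      <FilterRunOnce hidden="1" not="0" bool="AND"/>
      <FilterGroup bool="AND" not="0" name="CORP\Kiosk Users"/>
    </Filters>
  </Registry>
</RegistrySettings>"""

ACTIONS = {"C": "create", "R": "replace", "U": "update", "D": "delete"}

def audit(xml_text):
    """Return one dict per registry item, including items nested in collections."""
    report = []
    for item in ET.fromstring(xml_text).iter("Registry"):
        props = item.find("Properties")
        # Item-level filters only; filters set on an enclosing collection are not merged in.
        filters = [f.tag for f in item.findall("Filters/*")]
        report.append({
            "target": "\\".join([props.get("hive"), props.get("key"), props.get("name")]),
            "action": ACTIONS.get(props.get("action", "U"), "unknown"),
            # Without the apply-once marker the item is reapplied at each refresh.
            "enforced": "FilterRunOnce" not in filters,
            "removed_when_out_of_scope": item.get("removePolicy") == "1",
            "user_context": item.get("userContext") == "1",
            "targeting": [f for f in filters if f != "FilterRunOnce"],
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Items reported with `enforced` set to `False` are true preferences that a user can change after the first application, so they should not be counted as hardening controls.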

So while there is still a need for ADMX templates from Microsoft to manage the OS and there’s a strong need for templates from other software vendors, when those templates are not available, I reach for the registry extension and avoid any authoring of custom ADM/ADMX templates.

So are custom ADM/ADMX templates a thing of the past? Please share in the comments section. I’m interested in how many folks out there are still creating custom template files.

  1. StylusPilot says:

    They wouldn’t be if a decent GUI ADMX creation tool was available. The one from Full Armour is crap and causes more issues.

  2. Howard says:

    The news of the death of custom ADM/X is greatly exaggerated. Although very convenient and powerful (ILT etc), a preference is not a replacement for all things ADM/X. A preference is a preference, not enforced like a group policy is. Also, a preference is only applied upon startup or logon, while a group policy gets applied during every policy refresh interval.

  3. Guy Yardeni says:

    Thank you for your comment Howard. Actually both listed features are part of group policy preferences.

    First, there is a common option called “Apply once and do not reapply”. When this setting is unchecked, the preference is enforced and applied repeatedly regardless of the user changing it. True that it doesn’t lock the setting in the UI but that only applies for settings that support true policies and are rarely part of a custom ADMX.

    When combined with the common options to ‘Run in logged-on user’s security context (user policy option)’ and ‘Remove this item when it is no longer applied’, the result is almost identical to a policy.

    Even if the component supports a true policy (i.e. using a registry key in the Policies folder), you can always use registry key preferences to mimic the same behavior as a policy including locking the UI.

    Finally, group policy preferences do refresh in the background in the same manner as policies with a default refresh time of 90 minutes.

    For more information, check out this great white paper on preferences: Specifically pages 19-20.

  4. William Manser says:

    I find this almost believable. However, omitting the fact that client side extensions will generally create longer GP processing times may confuse you.

  5. clan8blogger says:

    ADMX files are not dead for a number of reasons. 1. If you want to add the same settings to another GPO then you have to re-enter all the reg keys again. 2. If you want to allow someone to apply a bunch of reg keys in a GPO with a single selection in the GPO. 3. The settings can be placed in a custom category making it easy to see that the settings have been applied. Yes you can enter a full description in the preference policy but what if the change was to 10 or more reg keys – as an example I set all of the desktop colours in my lab using a custom ADMX which means I can select my custom colour scheme from a drop down list. If I did this in a preference it would not be anywhere near as user friendly.

    I’ve spent the last few days deciphering ADMX files so I could write a blog entry on how to convert an ADM, almost done so hopefully it will be a useful post. The ADMX converter MS provide just never ever works for me and writes a really poorly written ADMX file with virtually unreadable string placeholders and categories.
