Typical ADM Templates
| | ||
| | ||
| | ||
Before we begin our proper ADM template journey, let's do a brief orientation. ADM templates come in three flavors, and each is used for a different purpose:
-
Default ADM Templates These are provided free, right out of the box to help you control your stuff. These templates give you access to the myriad of policy settings inside the Administrative Templates branch when you first open the Group Policy Object Editor.
-
Vendor-Supplied ADM Templates Another type of ADM template is provided by a vendor. Good examples of vendor-supplied ADM templates are those that come with the Microsoft Office suites. There is a set of ADM templates for almost every one of today's versions of the suite, including Office 2000, Office XP, and Office 2003, as we'll explore later. Vendor-supplied ADM templates let you control aspects of an application. Again, recall that the application needs to be smart enough to be controlled via the Registry and, optimally, controlled via the "proper" Policies keys.
-
Custom Templates Sometimes you want to do something "outside the box." That is, you want to scratch an itchy problem out there with your own policy settings. Creating these templates is not that difficult if you know the syntax rules. Custom templates are extremely important when you want to take the administration of your network to the next level, and they can truly add to the administrative power of almost any Microsoft network. On GPanswers.com , we have a repository of some custom templates that you might want to check out.
As you can see, ADM templates come in many styles and have many options. But keep in mind that all ADM templates, default and custom, do essentially the same thing: they simply spell out how to modify a portion of the Registry on the target computer system.
Default ADM Templates
Many settings are available in both the Computer and the User Administrative Template sections of the Group Policy Object Editor. How these settings are displayed depends on what is inside the default ADM templates. Therefore, when you create any new GPO, you start with baseline policy settings.
The default templates are stored in the %systemroot%\inf folder, which is usually C:\ windows \inf , and you'll find the following:
-
Three ADM templates that are installed by default on Windows 2000 machines:
-
Conf.adm
-
Inetres .adm
-
System.adm
-
-
One additional template, Wmplayer.adm , in Windows XP
-
One more additional template, Wuau.adm , on Windows 2003 and Windows 2000 + SP4 machines
These five ADM templates create both the computer and user portion of a default Group Policy. Table 5.1 provides information about what each default template is and what lives inside it.
| ADM Template | Features | Where To Find In Interface |
|---|---|---|
| Conf.adm | NetMeeting settings. | Computer Configuration/User Configuration ˜ Administrative Templates ˜ Windows Components ˜ NetMeeting |
| Inetres.adm | Internet Explorer settings, including connections, toolbars , and toolbar settings. It is equivalent to the options that are available when using the Internet Options menu inside Internet Explorer. | Computer Configuration/User Configuration ˜ Administrative Templates ˜ Windows Components ˜ Internet Explorer |
| System.adm | Operating system changes and settings. Most of the Computer and User Administrative Template settings are in this ADM template. | Everything else under Computer Configuration/User Configuration ˜ Administrative Templates |
| Wmplayer.adm | Windows Media Player 9 settings. | User Configuration ˜ Administrative Templates ˜ Windows Components ˜ Windows Media Player |
| Wuau.adm | Controls client's access to Software Update Services servers. | Computer Configuration ˜ Administrative Templates ˜ Windows Components ˜ Windows Update |
The default templates harness a lot of power, but sometimes you just want more control. Additional ADM templates can quickly give an administrator power over myriad settings on a Windows client system, as you'll see in the next section.
Vendor-Supplied ADM Templates
The templates Microsoft provides with Windows are just the beginning of possibilities when it comes to Administrative Templates. The idea behind ADM templates is that you or third-party software vendors can create them to restrict or enhance features of either the operating system or applications.
Microsoft Office ADM Templates
If you are also interested in deploying Office 2000, Office XP, or Office 2003, you'll be happy to know that they each comes with a slew of customized ADM templates for you to import and use to your advantage.
-
For Office 2000, download the Office 2000 Resource Kit tools at www.microsoft.com/office/ork/2000/appndx/toolbox.htm .
-
For Office XP, download the Office XP Resource Kit tools at www.microsoft.com/office/ork/xp/appndx/appa18.htm .
-
Office 2003 templates are located in the Office 2003 Resource Kit. Check www.microsoft.com/office . At last check, some even newer templates are available at http://tinyurl.com/3zlko .
| Tip | For information on how to automatically deploy Office 2000, XP, or 2003 (with patches and personalized customizations) to your users, see Chapter 10. |
The file you're looking for (with either Office 2000 or XP) is called Orktools.exe (for Office 2003, it's Ork.exe ), and it's about 9MB. After you install the corresponding Resource Kit on your machine, the following files are automatically placed in the \windows\inf folder for importation like the other ADM files.
| Warning | Sometimes this transfer to \windows\inf does not happen automatically. Feel free to copy the files directly to the Domain Controller's \windows\inf folder. |
| Tip | If you're zipping through these exercises in a test lab, feel free to load the Office Resource Kit on your test Domain Controller. Otherwise, don't to this now, and be sure to read the advice later in the "Create a Windows XP Management Workstation" section. |
Office 2000, Office XP, and Office 2003 Templates
Here is a list of the ADM templates available for Office 2000, Office XP, and Office 2003.
| Office 2000 Templates | Office XP Templates | Office 2003 Templates | Description |
|---|---|---|---|
| Access9.adm | Access10.adm | Access11.adm | Access settings |
| Clipga15.adm | Gal10.adm | GAal11.adm | Restrict access to media clips |
| Excel9.adm | Excel10.adm | Excel11.adm | Excel settings |
| Frontpg4.adm | Fp10.adm | Fp11.adm | FrontPagesettings |
| Instlr1.adm | Instalr11.adm | Instalr11.adm | Windows Installer settings |
| Office9.adm | Office10.adm | Office11.adm | Common Office settings |
| Outlk9.adm | Outlk10.adm | Outlk11.adm | Outlook 2000 settings |
| Ppoint9.adm | Ppt10.adm | Ppt11.adm | PowerPoint settings |
| Pub9.adm | Pub10.adm | Pub11.adm | Publisher settings |
| Word9.adm | Word10.adm | Word11.adm | Word settings |
| N/A | N/A | Aer.adm | Corporate Windows Error Reporting (see the "Microsoft Corporate Error Reporting" section later in this chapter) |
| N/A | N/A | Rm11.adm | Microsoft Relationship Manager File location |
| N/A | N/A | Scrib11.adm | Microsoft OneNote 2003 settings |
Implementing a Customized Office Policy
After the Office templates are on the server, you can simply load them alongside the currently loaded templates. You can load all, some, or noneit's up to you.
In this example, we'll make believe we need to set up a custom Word 2000 policy for a collection of users. Normally, as in this example, Office template settings are meant for users, not computers. However, Office does include computer-side settings that you can use to override user-side settings if you want.
| Tip | If you don't want to use the Office 2000 ADM templates in this example, you can substitute Office XP or Office 2003 templates. Just make sure you also have the corresponding Office suite installed on the target machine! |
Here, you'll see how to use an additional template. We'll load the WORD9.ADM template alongside our current default templates. Then, we'll change the default behavior of our Human Resources users for Word 2000 as follows :
-
The grammar checker is turned off while we type in Word.
-
The spell checker is turned off while we type in Word.
-
Word will ignore words in uppercase during spell check.
-
Word will ignore words with numbers during spell check.
To change Word's default behavior for the Human Resources Users OU , follow these steps:
-
Log on to the server as the Domain Administrator.
-
Download the Office 2000 Resource Kit tools and make sure the ADM templates are properly installed in the \windows\inf folder.
-
Fire up the GPMC.
-
Right-click Human Resources Users OU and select "Create and link a GPO here."
-
Create a new GPO called "Word 2000 Settings."
-
Edit the "Word 2000 Settings" GPO.
-
Choose either User Configuration ˜ Administrative Templates or Computer Configuration ˜ Administrative Templates, right-click over either instance of Administrative Templates, and choose Add/Remove Templates (see Figure 5.1) to open the Add/Remove Templates dialog box.
Note When adding an administrative template, the interface suggests that you can choose to add it from either the Computer Configuration or the User Configuration node. In actuality, you can add the ADM template from either section, and the appropriate policy settings appear under whichever node the ADM template was designed for.
-
Click the Add button to open up the file requester, and select to load the Word9.adm template from the \windows\inf folder. Click Close to close the Add/Remove Templates dialog box to return to the Group Policy Object Editor (see Figure 5.2).
Tip If you do not see the Office templates, it's almost certainly because you did not load the templates where the Group Policy Object Editor could find them. See the "Create a Windows XP Management Workstation" section a bit later in this chapter for the best practice.
-
To turn off the "Check Grammar As You Type" feature, drill down to User Configuration ˜ Administrative Templates ˜ Microsoft Word 2000 ˜ Tools ˜ Options ˜ Spelling & Grammar ˜ Check Grammar As You Type. Then, enable the setting, but do not select the check box. This forces the policy on the user, but clearing the check box forces it off.
-
Repeat step 9 for "Check Spelling As You Type," "Ignore Words in Upper case," and "Ignore Words with Numbers."
Figure 5.1: Choose Add/Remove Templates from the shortcut menu.
Figure 5.2: The Word9 ADM template is now loaded.
You can try this exercise with the other Office 2000-supplied templates listed earlier. These will affect Excel, PowerPoint, Access, and the like.
To test your new policy on the Human Resources Users OU, simply log on to any Windows 2000 or Windows XP machine loaded with Word 2000 as a user who would be affected by the new policy. For instance, log on to XPPro1 as Frank Rizzo, our old HR pal from Chapter 1 ( assuming you have Word 2000 loaded).
Then in Word, choose Tools ˜ Options to open the Options dialog box, as shown in Figure 5.3, and make sure the settings reflect the policy settings you dictated.
Figure 5.3: Word obeys your policy commands when you load the corresponding ADM template.
Other Microsoft ADM Templates
Microsoft has two additional applications outside the Office family of products that leverage the Group Policy infrastructure by using ADM templates.
Microsoft Software Update Services (SUS) and Windows Server Update Services (WSUS)
The job of Microsoft's Software Update Services (SUS) and the newer Windows Server Update Services (WSUS) is to ensure that patches are deployed to your Windows 2000, Windows XP, and Windows 2003 client systems. After a server is set up to deploy the patches, the client system learns about the server by way of a custom ADM template.
The template is built in to Windows 2003 and Windows 2000 + SP4 as Wuau.adm . However, the template is not built in to Windows 2000 + SP3, and the Wuau.adm template might be upgraded along with the next SUS service pack.
You can learn more about SUS, how to deploy it, and how to use the rather complex ADM templates from two articles I wrote for MCP Magazine, which you can find at http://tinyurl.com/86sbj and http://tinyurl.com/5gfuk . These articles form a two-part series about installation and troubleshooting. The latter's main focus is on understanding the ADM template. Lastly, Microsoft has an excellent guide to the policy settings with regard to WSUS available at http://tinyurl.com/8nalu .
Microsoft Corporate Error Reporting
Microsoft has a service that lets corporate IT administrators "trap" error messages to a central server, instead of being sent directly to Microsoft, which is called Corporate Error Reporting (CER). CER can help track systems that frequently crash and can provide an easier way to connect with Microsoft if a system does fail often. It can trap information for a lot of Microsoft's most popular applications including Office XP, Windows XP, Windows 2003, Project 2002, and Sharepoint Portal Server.
Microsoft CER uses the ADM file Cer2.adm. You can get more information on CER at www.microsoft.com/resources/satech/cer/ . You'll find the ADM file in the "toolbox" section of the web page.
Other Vendor ADM Templates
To be honest, finding non-Microsoft applications that have ADM templates that leverage the Group Policy infrastructure can be difficult. The vendors that have stepped up to the 21st century are still few and far between. In my humble opinion, it's a crying shame that everyday applications such as Norton's AntiVirus or Lotus Notes are still controlled from custom
EAN: 2147483647
Pages: 110