Managing Windows ADM Templates

Creation Behavior with ADM Templates

If you want to create new GPOs and take advantage of the latest ADM templates, you really have to understand how the ADM update mechanism works. Here's the trick about creating GPOs with regard to ADM template files:

The ADM template files used to make a GPO are always copied from the place where you are running your editor. Not to put too fine a point on it, here's precisely what I mean:

• If you create new GPOs while running Active Directory Users And Computers on a computer running Windows 2000 + SP4, the ADM files are from SP4. Consequence: You won't be able to see policy settings for Windows XP or Windows 2003.

• If you create new GPOs while running Active Directory Users And Computers or the GPMC on a computer running Windows 2003, the ADM files are from Windows 2003. Consequence: You won't be able to see policy settings for Windows XP/SP2 or Windows 2003/SP1.

• If you create new GPOs while running Active Directory Users And Computers or the GPMC on a computer running Windows XP, the ADM files are from Windows XP. Consequence: You won't be able to see policy settings for Windows XP/SP2 or Windows 2003/SP1.

• If you create new GPOs while running Active Directory Users And Computers or the GPMC on a computer running Windows XP + SP2, the ADM files are from SP2. Consequence: You won't be able to see policy settings for Windows 2003/SP1.

• If you create new GPOs while running Active Directory Users And Computers or the GPMC on a computer running Windows 2003/SP1, the ADM files are from Windows 2003/SP1. Consequence: Things are great! You can see policy settings for all current and previous ver sions of Windows as far back as Windows 2000 and as far forward as Windows 2003/SP1.

In all cases, the editor you use (either Active Directory Users And Computers or GPMC) really uses the GPEDIT function (really the GPEDIT.DLL) when actually poking around or creating new GPOs. GPEDIT pulls the ADM template files from the computer it is running on. And it pulls these ADM template files from \{systemroot}\infusually c:\windows\inf.

So, if you want the latest ADM templates to be used when creating new GPOs, you need to plop them into the \{systemroot}\inf folder that contains your Group Policy Object Editor. That way, the next time GPEDIT is used to create a new GPO, it pulls the latest ADM files you copied into the \{systemroot}\inf folder.

Modification and Update Behavior with ADM Templates

Now, let's imagine that you created 200 GPOs in this way. That is, you created 200 GPOs by using the machine named W2kDC3 (which has some old-and-crusty Windows 2000 version of the ADM files). Now, you learn about a policy in Windows XP that requires the corresponding Windows XP templates.

You want to update your existing GPOs with the Windows XP versions. Here's the trick about modifying GPOs with regard to ADM template files: the ADM template files used to modify and update a GPO are always copied from the place where your editor is running.

ADM templates are automatically updated when you re-edit a GPO on a machine where the editor (Active Directory Users And Computer or GPMC) has newer ADM templates than are already in the GPT. Recall that the GPT is the Group Policy Templatethe files-based portion of Group Policy.

For instance, if you walk up to the machine named W2kDC4 (running SP4) and manipulate any Windows 2000-level GPO by editing it and merely look at the policy settings in the Administrative Templates section, the editor will say: "Ah-ha! I've got Windows XP templates available to me! This specific GPO's ADM templates are only Windows 2000! I'll update the underlying ADM templates automatically to Windows XPwithout even saying a word."

And it then proceeds. And it proceeds because the time/date stamp for Windows XP ADM templates your editor has access to is more recent than the time/date stamp for Windows 2000 ADM templates. It's doing you a favor behind your back. You must repeat for every old GPO you want to update. That is, you must open each old GPO and look at the policy settings in the Administrative Templates section. Then they'll be updated.

Again, there's no universal master update location where you can just "drop in" your latest ADM templates and be done. However, with a script, you could update all your GPOs at one time (which is what we'll discuss in the next section).

Automatically Updating All Your GPOs at Once with the Latest ADM Templates

In Chapter 7, you'll get a grip on all the myriad of things you can do with scripting and Group Policy. However, one thing that we won't tackle there (but we do want to tackle here) is how to automatically update all your existing GPOs with the latest ADM templates. As of this writing, the latest ADM templates are Windows 2003/SP1, but you could use this same tip to update all your GPOs with the ADM templates from, say, Windows XP/SP2 or earlier (not that you would really want to.)

To update all your GPOs (or just some of them), Microsoft has a downloadable script that will do this for you. You can find it at http://www.microsoft.com/technet/scriptcenter/solutions/admupdate.mspx (or shortened to http://tinyurl.com/7v4s2 ). It runs as a command line (as opposed to a GUI-based script.) I had some trouble getting this script to work 100 percent of the time. I alerted Microsoft to this problem, and they sprung into action and rightly fixed the script. However, as with everything, be sure to try in a test lab first before trying this in production.

When ready to give the script a try, be sure to set the script to run at the command line by initially typing the following command:

 cscript //h:cscript 

Once performed, you'll be ready to run it. Here's what you need to tell the script:

• You need to tell it which GPOs to update. You can update using the /GUID switch, the /GPOfriendlyname switch, or the very powerful /ALL switch.

• You need to tell it where the latest ADM files reside. You do this with the /ADMSRC switch.

• You need to tell it what domain to update. You do this with the /DNSDOM:< domain > switch.

There are other switches available, but these are the ones I'll need for this example. In the following example, I'm specifying to update all GPOs with the latest ADM files living in c:\windows\inf and update the GPOs in the corp.com domain.

If you tell it just this much information, it performs a simulation of what it will do.

You can see the output of this command run here:

 C:\script>cscript //h:cscript Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved. The default script host is now set to "cscript.exe". C:\script>updateadm /ALL /ADMSRC:c:\windows\inf /DNSDOM:corp.com Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved. updateadm.vbs - Updates Group Policy ADM files Updating Deploy the GPMC Adm Files... File Copy Mode:Disabled Copying File C:\WINDOWS\inf\conf.adm to \corp.com\sysvol\corp.com\Policies\{05BD2375-C45A-4FOO-898D- OA8833B75114}\Adm\conf.adm Copying File C:\WINDOWS\inf\inetres.adm to \corp.com\sysvol\corp.com\Po1icies\{05BD2375-C45A-4F00-898D- OA8833B75114}\Adm\inetres.adm Copying File C:\WINDOWS\inf\system.adm to \corp.com\sysvol\corp.com\Policies\{05BD2375-C45A-4F00-898D- OA8833B75114}\Adm\system.adm Copying File C:\WINDOWS\inf\wmplayer.adm to \corp.com\sysvol\corp.com\Policies\{05BD2375-C45A-4F00-898D- OA8833B75114}\Adm\wmplayer.adm Copying File C:\WINDOWS\inf\wuau.adm to \corp.com\sysvol\corp.com\Policies\{05BD2375-C45A-4F00-898D- OA8833B75114}\Adm\wuau.adm Updating Remove Search Adm Files... File Copy Mode:Disabled Copying File C:\WINDOWS\inf\conf.adm to \corp.com\sysvol\corp.com\Policies\{1515134B-778C-45EB-8946- 08A2792DC96C}\Adm\conf.adm Copying File C:\WINDOWS\inf\inetres.adm to \corp.com\sysvol\corp.com\Policies\{1515134B-778C-45EB-8946- 08A2792DC96C}\Adm\inetres.adm Copying File C:\WINDOWS\inf\system.adm to \corp.com\sysvol\corp.com\Policies\{1515134B-778C-45EB-8946- O8A2792DC96C}\Adm\system.adm Copying File C:\WINDOWS\inf\wmplayer.adm to \corp.com\sysvol\corp.com\Policies\{1515134B-778C-45EB-8946- 08A2792DC96C}\Adm\wmplayer.adm Copying File C:\WINDOWS\inf\wuau.adm to \corp.com\sysvol\corp.com\Policies\{1515134B-778C-45EB-8946- 08A2792DC96C}\Adm\wuau.adm 

When you're actually ready for the script to do the deed and perform the upgrade, you need to add the /FILECOPY:ON switch (not shown in the preceding example). This actually performs the work. Note that this could take a long time and cause a lot of replication traffic. So, be sure to do it in the off-hours if possible.

Again, running this script isn't expressly necessary. This is because, as we've discussed, anytime you specifically touch an old GPO with an updated management station, the GPO will be automatically updated. Use this script to simply guarantee that the latest ADM files are pushed to every GPO. However, if you choose to update all GPOs with the latest ADM files and then intend to modify those GPOs using older systems (such as Windows 2000, Windows 2003 [pre-SP1], or Windows XP [pre-SP2]), be sure to read and apply the knowledge contained within the next section, "ADM Files Beyond XP/SP2: The Retroactive Bug That Ate New York."

ADM File Fine Print for Windows 2000 SP4 and Windows XP SP1

Hopefully, you're utilizing the Windows XP/Service Pack 2 templates, as previously described. However, it could still be common that you're using Windows 2000 SP3 and Windows XP SP1 still (and not yet using any Windows XP SP2 templates). As I just stated, ADM templates are automatically updated if your editor has access to newer ADM files than those stored on the server. However, things aren't always as they seem. You might be thinking to yourself: "This is great! I'll run out and update all my current GPOs that have Windows 2000 ADM templates so now they have the Windows XP or Windows 2003 templates." That way, all GPOsold and newcan be used to manage Windows 2000, Windows XP, and Windows 2003.

The plan is good; just make sure you don't fall into the following trap. That is, the time/date stamp on Windows 2000 SP4 ADM files is more recent than even the time/date stamp on Windows XP + SP1 ADM files. Here's what that means:

• You upgrade all your Windows 2000 domain controllers to SP4.

• You create a Windows XP machine with SP1 and load the GPMC on it.

• You attempt to modify an existing GPO that you created with Windows 2000 + SP4 to update it with the Windows XP ADM templates.

When you launch the GPMC on the Windows XP machine with SP1, you would expect that the ADM files from Windows XP's SP1 would overwrite the Windows 2000 ADM files. But the Windows 2000 + SP4's ADM files in the GPTwon't be updated. Windows XP + SP1 's ADM templates are dated 9/3/2002. Windows 2000 + SP4's ADM templates are dated 6/19/2003. Who's newer? Windows 2000 + SP4, actually, so the ADM templates won't automatically update.

The solution is simple: Change the date/time stamp on the Windows XP + SP1 ADM templates to today's date. It's easy: Just open each of them ( Conf.adm, Cntetres.adm , and System.adm ) in Notepad, and then resave them. The next time your Windows XP machine with the GPMC opens the GPOs created with Windows 2000 + SP4's ADM templates, the time stamp on the ADM templates will be newer and will, in fact, be updated.