View Blog

Jul 2007
17

Issue #24

edit

  • Let's get an understanding of ADMs and ADMXs, finally !
  • Did you miss the Fourth ? (Edition, that is...)
  • Some more goodies about PolicyPak Software
  • Public GP Training Schedule Update
    • Different course levels
    • XP and Vista coverage
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

GPanswers.com News and Updates

GPanswers.com is a free service, as you know. And we try try try to keep it as up-to-date as possible. But we're a limited full time staff (that's me!) so every once in a while, I ask for some part time helpers to help give us a "boost."

These just aren't "any ol' people" .. they need to be READY and WILLING to help the cause of GP everywhere ! (Okay.. maybe that's a little much, but you get the idea.) We've added three super helpful folks to our GPanswers.com staff.

Staff Changes

In the office, I've changed my office assistant to Margot Cullen. Margot is just awesome. So, if you need receipts, want to call in to sign up for a public class, or ask her personal and revealing questions about what I do on the weekends, she's your gal. She can be reached at[email protected]. Please do not send technical questions to Margot. Please use the Community Forum (GPanswers.com/community) for that. Thanks !

GPanswers.com Helper Additions

After a long search, I'm proud to announce two helpers to GPanswers.com: Jakob Heidelberg and Eric Johnson. Jakob is a Danish Windows Expert, and well known blogger. If you read my blog, you'll be sure to love his as well. Click here for information about Jakob !and Be sure to read his blog !

Eric Johnson who works at a private healthcare firm will also be helping out at GPanswers.com. No blog from Eric yet, but maybe soon!

These two guys are going to help answer questions in the forums, and help with the Tips and Tricks section at GPanswers.com. In fact, if you look at some (most!) of the Tips and FAQ questions, you'll see Eric already hard at work. Many tips and such at the bottom will say:

" Verified by: Eric Johnson
Edited by: Eric Johnson
Last Edit date: June 30th, 2007
This question originally posted on August 7th 2004. "

That way, you get a good idea that we double-checked the accuracy of our tips and also the last time we touched them for a checkup. Hope you like that new GPanswers.com feature. If you want to submit a Tip / Trick / FAQ question .. there's only one place!

That's at the GPanswers.com/community forum, specifically in the "Submit a Tip / Trick" section here. You will need to register for a community forum account before submitting.


This Month's Newsletter Sponsored by: NetIQ

Download our new white paper, "Best Practices for Managing AD & Group Policy", to understand how your organization can improve its control over changes to Active Directory and Group Policy. You'll get the answers you need to assure changes are identified, tracked, and safely made across Active Directory and Group Policy.  

Click the link to learn more: NetIQ


Inside ADM and ADMX Templates

ADM files. You either love 'em or your hate 'em. Maybe both.

And that's because they're both necessary, but also confusing. And to add to the mix, Microsoft now has ADMX files which can only seemingly add to the confusion.

In this issue we'll tackle ADM files. Next issue -- ADMX files.

So, let's begin with the "unconfusion."

Why do we need ADM files?

Group Policy is made up of multiple areas. If you dive down into the Group Policy Object Editor (GPOE), you'll find lots of "stuff" you can do with Group Policy. For instance, Software Restriction Policy, Group Policy Software Installation, Folder Redirection. And yes, the one we play with most: "Administrative Templates" as seen here. The Administrative Templates node is on both the User and Computers sides. As suspected users can only embrace User side policy settings and Computers can only embrace Computer side policy settings.

But how do these magical settings get "born?"

It all starts when the stork brings us a new application. Really!

Okay, not really. But when new applications are "born" there's potentially some settings we can manipulate. That's where ADM files come into play. They describe the areas of the application that's ready to accept settings. ADM files are limited, right away, unfortunately, because they can only address registry settings within an application. But, an application might save it's settings in various places: .ini files, .js files, .XML files and other areas. ADM files can only address registry-based settings.

In the box ADM files

So how do all those policy settings in the box for Computer Configuration | Administrative Templates and User Configuration | Administrative Templates get there in the first place? If you right-click over the words "Administrative Templates" and select "Add/Remove Templates" in either the User or Computer side, you'll see the default templates which make up the standard configuration.

The breakdown of these files is:

  • Conf.adm -- NetMeeting settings.
  • Inetres.adm -- Internet Explorer settings, including connections, toolbars, and toolbar settings. It is equivalent to the options that are available when using the Internet Options menu inside Internet Explorer.
  • System.adm -- Operating system changes and settings. Most of the Computer and User Administrative Template settings are in this ADM template.
  • Wmplayer.adm --Windows Media Player 9 settings.
  • Wuau.adm -- Controls client's access to Windows Software Update Services servers' clients.

Adding your own ADM Template Files

Well, that's easy. First, just get the ADM template you want to use. Maybe you've downloaded one from GPanswers.com. (We have about a dozen interesting ones.) Or maybe you want to utilize the ADM files for Office 2003 or Office 2007. That's great.

Just click Add as seen in Figure 1 and add in the template. By default, templates are looked for in the Windowsinf directory, but there's no reason you cannot store them anywhere else. Here's something you may not know: once the ADM template is added, that ADM template gets added to the GPO itself.

For instance, in this example, I've added "nopassport.adm" which will let us squelch the "Do you want to add your passport?" message the first time a user logs into an XP machine. And also Word11.ADM (from the Office 2003 ADM template download.) You can see these additions in the "Add/Remove Templates" window.

Then, inside the GPO itself, specifically, the GPT, in the ADM directory, you can see the nopassport.adm and Word11.ADM file added. Click for larger graphic...

Why is it added to the GPO? Because if you then try to edit this GPO on another management station, you'll be able to see the settings contained within the ADM files.

Why Can't I see the ADM file additions?

Well, maybe you can, or maybe you can't see your ADM file additions. And this is causing a lot of confusion for a lot of administrators. Indeed, this is a top 5 FAQ at GPanswers.com, so I hope to put it to rest right here.

You should at least be able to see the results of adding the two templates as seen here. Two new nodes will appear. Computer Configuration | Nuisances (because of nopassport.adm) and User Configuration | Microsoft Office Word 2003 (because of Word11.ADM). If you dive down into the Word 2003 settings, you'll see a huge array of configurables, as seen here. Click for larger graphic...

But, you cannot see the settings within the new Nuisances node. Why not? To understand that, you need to understand the idea of "proper" vs. "improper" policies keys that an ADM template might affect.

Proper vs. Improper Policies Keys

Microsoft documentation states that four Registry areas are considered the approved places to create policies out of Registry hacks:

  • HKLM|Software|Policies (computer settings, the preferred location)
  • HKLM|Software|Microsoft|Windows|CurrentVersion|Policies (computer settings, an alternative location)
  • HKCU|Software|Policies (user settings, the preferred location)
  • HKCU|Software|Microsoft|Windows|CurrentVersion|Policies (user settings, an alternative location)

The settings contained within Word 2003's ADM writes to these "proper" locations. But the nopassport.adm file doesn't. Indeed, nopassport.adm writes to HKLM | Software | Microsoft | MessengerService | PassportBalloon

So, Microsoft puts up a little safety gate before it allows you to see these settings. The idea is that any of the settings that don't write to the proper Policies keys (listed above) will tattoo the registry. So, even if you whack the GPO, there's no way the setting will "revert" back. For example, let's say you added the nopassport.adm file, and chose squelch the "Do you want to add a passport?" pop-up balloon to every machine in your domain. Then, later, the boss said he really liked that setting. You've got a long road ahead of you because all computers now will embrace the setting - basically forever - until you expressly put that setting back.

In contract, regular policy settings have a "default" value. And if you whack the GPO, those settings will revert back to something. For instance, if you choose to prohibit access to the Control Panel using the built-in ADM templates. Then later, change your mind, all you need to do is whack the GPO and voila! The Control Panel comes back.

Again - not so with the Passport message - because the policy setting isn't in a place that will ever revert. So Microsoft protects you by (initially) not showing the policy settings at all - so you don't shoot yourself in the foot !

Seeing ADM templates

So, seeing the ADM templates isn't all that hard. The editor, by default, doesn't show you the settings. But it's easy. Click on the word "Administrative Templates" (either User or Computer half). Then select View | Filtering. Finally, uncheck (yes, uncheck) "Only show policy settings that can be fully managed." When you do, you'll see "Passport Solicitation" as a policy setting show up under the Setting column as seen here.  Click for larger graphic...

XP vs. Vista in the editor

Did you notice a subtle difference in the policy setting that just popped up? Look at the icons of policy settings that ship in the box. Click for larger graphic...

Now, look at the icon for a policy setting from an ADM template where the settings don't write to the proper Policies registry keys.  Click for larger graphic...

This blue vs. red icon differential helps you know which settings will tattoo, and which won't. But again, it's all based upon where the setting actually targets its settings. In Vista, by the way, the situation changes a bit when you use ADM files in your management station. ADM files show up in their own node called the "Classic Administrative Templates (ADM)" node, as seen below. What was red-dot settings now show up as a scroll icon with a downarrow (but while editing the setting itself, it has a little "No Enter" sign) all seen below.    Click for larger graphic...

The settings that were blue-dot (those that write to the proper Policies keys) show up as little scroll icons, as seen here. Click for larger graphic...

Next time..

This newsletter is about to get to be "too long." So, what we'll do is cut it off here, and talk more about ADM vs. ADMX files a little more in the next issue.

How PolicyPak Software Changes Things

Before I even jump to the good parts, let me just say that PolicyPak software is now ready for you to download and check out today! So, if you decide halfway through reading this, "I just gotta start playing !" ... well, you can! Just go to PolicyPak.com, register for an account, validate the account, and download the software you put in your download cart! As we've just learned, ADM templates are great, but, they're not the best solution to settings management. You still need to:

  • Figure out all the ways the target application needs to be controlled
  • Create the ADM files by hand

Then, those ADM files ...

  • "Tattoo" the Registry (boo!)
  • Can't even get to some areas of the Registry with ADM files at all! (Think reg_binary values or HKEY_Classes_Root.)

And finally,

  • The ADM language doesn't let you "craft" a look and feel similar to the application you're actually trying to control.

Not to mention that ADM files only manipulate the Registry. If your application has tweaks in .ini files, or custom configuration files or databases, ADM files just won't be able to get in there to adjust the settings you need them to.

Enter PolicyPak.

PolicyPak Software is a new venture of mine that offers software that lets you naturally control your existing applications with Group Policy.

How do we do it?

We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy.

  • Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader.
  • Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger.
  • Wanna control WinZip using Group Policy? We're working on PolicyPak for WinZip (and lots of others...)
  • Wanna control something we don't support yet? Suggest an application at www.PolicyPak.com/suggest !

Click for larger graphic...

Our goal is to have lots of PolicyPaks to control the applications you already have.

You'll purchase them a la carte, so you'll get only the PolicyPaks you need.

Not only have we already "done the research for you", the interface looks almost exactly like the target application. No learning curve! You're gonna love them! In this example, we're changing the color of the Highlight Color in the Forms tab. Click for larger graphic...

Try doing THAT with an ADM template ! Or this trick.. Setting where files should be saved when users utilize Windows Live Messenger. Click for larger graphic...

So, how can you check them out?

We're ready for you to check us out and it for a test drive. Just mosey over to www.PolicyPak.com, register for an account and give our two PolicyPaks a whirl.


About GPanswers.com Training

Choosing the Right Course for You

Did you know that here at GPanswers.com, we have GP courses that fit what YOU need?

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses—2007 scheduled

So, here's the 2007 (first half) line-up:

  • August 8–9: Chicago, IL: Two-Day Group Policy Intensive Course (XP Focused)
  • August 10: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Oct 23, 24 and 25: Netherlands: Three-Day Group Policy Less-Intensive Course (XP Focused). Sign up here.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about the SECOND HALF of 2007?

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go for the first half!

Now tell me where you want me to go for the second half. The cities with the most "votes" get classes in their city.

Here's a deal you can't pass up!

Okay, let's assume I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee!

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, the Security Team and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

LIMITED TIME Private Course Special Offer

If you book three-days of private class training which completes before Sep 7, 2007, I'll include all travel expenses. So, maybe you'd like the Two-Day XP Training with the One-Day XP-To-Vista Catchup day. Or, maybe the Vista Two-Day and One-Day Advanced training.

Any three training days qualifies for this special offer.

I have some free time in the summer I want to fill, and want to give you an incentive to help me book that unused time. So, you pay no travel expenses if the class completes before Sep 7, 2007!


Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

  If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Securitydirectly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!
Note, that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
 http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • FullArmor corp, with their Endpoint Policy Manager
  • PolicyPak Software, with their PolicyPak family of tools

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

.For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected] Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Margot at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Comments (0)

No Comments!