
Aug 2007
09
  • Let's get an understanding of ADMs and ADMXs (PART TWO)
  • New Public Classes and upcoming events
  • Some more goodies about PolicyPak Software
  • Public GP Training Schedule Update
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

In our last issue, we tackled what ADM files are, where they live, and what they look like in the interface. Here, we

GPanswers.com News and Updates

Update #1:

Search We have SEARCH! That's right, it took us, like way too long .. but we have a new search capability right on the GPanswers.com home page. Just type in what you're looking for and.. whamo !

Update #2:

FAQs Our FAQs are now more FAQ'n organized than ever. (Did I really just go there!?) Anyway, they are. Thanks to Eric Johnson, who really went the extra mile to make this happen. Each FAQ now has its own unique URL, so, if someone in the forums asks "How do I enable GP for Windows 95" we can just say.. "Please read this: faq/5 " Okay, that one doesn't come up all that often, but you get the idea.

Update #3:

One more public class for the rest of 2007 and two new ones for 2008

I have new dates in Portland (Jan 15-18) Orlando (Jan 29- Feb 1), Washington DC (Feb 4 - 7) and Nashville (March 4-7). More on this topic later.  


This Month's Newsletter Sponsored by: NetIQ

Are you using Group Policy optimally? Ever wonder if you can do more with it? Get the best practices you need to leverage Group Policy on your servers in this new white paper, "Why Group Policy Matters for Servers," authored by Group Policy guru Jeremy Moskowitz & NetIQ. Download it now


 

This issue's big tech tip...

What’s All the Hubbub about ADMX? (Part II)

In the last issue, you learned all about ADM files. But what's this you keep hearing about ADMX files ?

Windows Vista ships with a built-in GPMC. And with that GPMC comes a new ability to shake off the use of old ADM files in lieu of newer ADMX files if you want to. Why would we want to shake off the ADM format?

Recall that the ADM file itself is placed up inside the GPT part of the GPO (the part that lives in SYSVOL). When that happens, you burn about 4MB on every Domain Controller—every time you create a GPO. Also recall that the ADM file itself is placed in the GPT of the GPO because it’s necessary when you want to re-edit the GPO on another management station. Without that ADM file, you can’t edit the custom setting contained within the GPO.

So, the ADMX format helps us break away from these issues. You no longer need to store anything inside the GPO, so you don’t get what’s known as “SYSVOL Bloat.” That is, a fat SYSVOL which has the heavy duty to store GPOs full of ADM files. To work around this, the new ADMX standard can take advantage of what’s known as the Central Store. The job of the Central Store is to have one place which can store the new ADMX files so they don’t need to get copied into each and every GPO. So, goodbye SYSVOL bloat. The other big deal about the Central Store is that if an ADMX file has an updated definition, then all Vista management stations will immediately use that updated ADMX file.

If you want to learn about the format of ADMX files, the creation and use of the Central Store in detail, I’ve got two resources for you. Darren Mar-Elia has an informative, yet succinct, article on ADMX file format internals and a brief explanation of the Central Store in his Technet Article here (http://tinyurl.com/2musnh). I also have an entire, downloadable chapter from my new book, Group Policy: Management, Troubleshooting, and Security on GPanswers.com available here.

As we’ve seen, ADM templates are still supported when you use a Vista management station; but ADM files are not supported within the Central Store. This can be a little confusing, so let’s walk through an example.

Let's assume the following:

  • I created a GPO from a Vista management station.
  • I tweaked some in-the-box settings (like Prohibiting Access to the Control Panel).
  • I wanted to add a custom ADM template.

After we do this final step, we’ll then peek into the GPO’s GPT and see what has happened to get some clarity.

To add the ADM template, we’ll repeat some steps we performed earlier. Just open up the Group Policy Object Editor, right-click “Administrative Templates” (which is contained within both the User and Computer nodes) and select “Add/Remove Template.” You can see the added template in Figure 1.

Figure 1

Note that in order to actually see the settings contained within this ADM template, click on View | Filtering. Finally, uncheck “Only show policy settings that can be fully managed”.

Then, close the Group Policy Object Editor and return to the GPMC. Figure 2 shows the Details tab of the GPO I just created from my Vista management station. (Note the catchy name of the GPO.) By looking in the “Details” tab, I can determine the GUID for the GPO, which will make it easier when I go fishing around in SYSVOL to sleuth around for that particular GPO.

Figure 2

Once I track down the GPT of the GPO (by using the GPO’s GUID), I can crack open that GPO’s ADM directory and see that there’s exactly one ADM template here—the one which I manually imported, seen in Figure 3. This is because Vista machines don’t rely on ADMs anymore. Since they don’t natively use them, they don’t natively push anything up into the GPO itself. However, if you manually import an ADM (as we just did), it will continue to honor the ADM in the same fashion it always did.

Figure 3

This is in contrast with, say, the GPO in Figure 4, which was created on an XP or Windows Server 2003 machine. When GPOs are created using pre-Vista management stations, the original ADM files are pushed up into the GPO as previously described. This GPO was created on a Windows XP management station. You can tell, because it’s jam packed with ADM files that Vista doesn’t need or use.

Figure 4

Converting ADM to ADMX Using the ADMX Migrator Tool

We just learned that Windows XP uses ADM files and Vista uses ADMX files. We also learned that Vista will continue to utilize ADM files if that’s what we have available. But, we cannot stick an ADM file into the Central Store and expect our Windows Vista management stations to all be able to utilize the file.

In order to utilize the settings contained within the ADM in the Central Store, you need to convert the ADM file to ADMX, or re-create the ADM files as ADMX files by hand. Luckily, there’s only one download that performs both of these functions. The ADMX Migrator tool (which is really composed of an ADM-to-ADMX converter tool and an ADMX creation tool) can be downloaded from Microsoft’s website here: http://tinyurl.com/yjnptj.

You can install the ADMX Migrator Tool .msi file on Windows Server 2003, Windows XP, or Windows Vista. Once installed, the applications go to C:\Program Files\FullArmor\ADMX Migrator. The command-line application we’ll be running is called “faAdmxConv.exe”. But since the directory isn’t in the path, you would need to be in that directory in order to run the app. Therefore, when I’m using the tool, I opt to add this directory to my Windows Path. Click here for more information on how to set the path in Windows (http://tinyurl.com/3n4zy).

I usually create a temp directory, like C:\ADMtemp, and copy my source ADM files into it. There are a lot of possible parameters for faAdmxConv.exe, but the simplest way to convert an ADM file is to specify the name of the ADM file and the output directory. If you’ve already put the source ADM file in ADMtemp and added faAdmxConv.exe to the path, you can just run “faAdmxConv nopassport.adm .” (with the dot to signify the current directory as output). If you don’t specify the dot (for this directory) or another explicit path, the output goes somewhere you likely don’t want it to: the installation directory of the ADMX Migrator tool. Doh! In Figure 5, you can see three commands:

  • A “dir” command to see the ADM file
  • The “faAdmxConv” command with the name of the ADM and the . (dot) to represent the current directory and
  • A “dir” to see the outputted files: nopassport.admx and nopassport.adml

Figure 5

Before you go plunking this into your Central Store, you might want to test this on a machine which isn’t leveraging the Central Store (like a Windows Vista machine that’s offline). After you take the machine offline, copy the ADMX file to the C:\Windows\PolicyDefinitions directory, and the ADML file to the language-specific directory. In the US, that directory is C:\Windows\PolicyDefinitions\en-us. An example of the copy procedure can be seen in Figure 6.

Figure 6

The ADM to ADMX converter tool doesn’t always generate ADMX files which are “ready to go” inside the Group Policy Object Editor. That is, the conversion process appears to be 100% successful. But then loading the resulting ADMX and ADML files into the Central Store and seeing the results using your Vista management station could demonstrate errors. This could manifest itself when the Group Policy Object Editor starts, with various error messages appearing about the resulting ADMX file. To remedy this, there will be another update of the ADMX Migrator tool that should produce more useful output at conversion time to help you adjust your ADM file before it makes its way through the conversion process.

This is a known issue, and one that the FullArmor and Microsoft teams are aware of and are working hard to fix. The updated tools will likely be available by the time this article goes to press. Be sure to check in at www.GPanswers.com/blog for the latest info. The official timetable for this updated tool is “soon,” but stay tuned to GPanswers.com and the ADMX Migrator tool download page for more details.

Finally, the now-converted ADM file is really now two files: an ADMX (language-neutral file) and an ADML (language-specific file). At this point, you can put them inside the Central Store or test on a local machine. However, once again, in order to actually see the policy settings contained within this ADMX template, you’re still going to need to do what we did earlier as seen in Figure 4. That is, you’ll still need to click on View | Filtering, then uncheck the “Only show policy settings that can be fully managed” safety. That’s because the settings contained within this ADMX file do not write to one of the “proper” Policies keys, as previously discussed.

Cleaning Up Shop

The ideal state is clearly to use only ADMX files, and to utilize the Central Store. But in order to do that you need to:  

  • Convert all your current ADM files to ADMX
  • Convert all management stations to Vista (or Windows Server 2008)
  • Commit to stop editing GPOs on pre-Vista machines

If you’ve done these three steps, you have ostensibly banished ADM files from your world. At this point, the ADM files within your GPOs are just taking up space within your Domain Controller’s SYSVOL. Once you’ve achieved ADMX nirvana, you could, if you wanted, simply delete the ADMs contained within the GPO’s GPT within SYSVOL. That’s right: like your body’s appendix, they’re vestigial. They did serve a purpose at one point; but their purpose is done. You can do this manually, or do it with a script. Before you do, though, note that this would be a serious mistake if the above steps haven’t been completed. So be sure to do this only if you’re sure you can leave ADM files behind.
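
One way to script that inventory and cleanup, as an added example that is not part of the original newsletter. It assumes the standard SYSVOL layout (Policies\{GUID}\Adm); the domain name contoso.example and the function names Get-GpoAdmFile and Remove-GpoAdmFile are placeholders made up for this sketch.

```powershell
# Added example: list the legacy ADM files stored in each GPO's GPT, then
# optionally delete them. Nothing is deleted unless Remove-GpoAdmFile is called.
# Assumption: standard SYSVOL layout; 'contoso.example' is a placeholder domain.

function Get-GpoAdmFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$PoliciesPath)

    # Each GPT is a folder named after the GPO's GUID (the one shown on the
    # GPMC "Details" tab), so only brace-wrapped GUID folder names are walked.
    Get-ChildItem -LiteralPath $PoliciesPath -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $gpoGuid = $_.Name
            $admDir  = Join-Path $_.FullName 'Adm'
            if (Test-Path -LiteralPath $admDir) {
                Get-ChildItem -LiteralPath $admDir -Filter '*.adm' -File |
                    ForEach-Object {
                        [pscustomobject]@{
                            GpoGuid = $gpoGuid
                            File    = $_.Name
                            SizeKB  = [math]::Round($_.Length / 1KB, 1)
                            Path    = $_.FullName
                        }
                    }
            }
        }
}

function Remove-GpoAdmFile {
    # ConfirmImpact 'High' makes PowerShell prompt per file unless -WhatIf
    # (dry run) or -Confirm:$false is given.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Path)
    process {
        if ($PSCmdlet.ShouldProcess($Path, 'Delete legacy ADM file')) {
            Remove-Item -LiteralPath $Path -Force
        }
    }
}

$policies = '\\contoso.example\SYSVOL\contoso.example\Policies'   # placeholder
$adm = Get-GpoAdmFile -PoliciesPath $policies

# Per-GPO summary: how many ADM files each GPT carries and how much space they use.
# Manually imported custom ADMs appear here too; they must already have been
# converted to ADMX before they are removed.
$adm | Group-Object GpoGuid |
    Select-Object Name, Count,
        @{ Name = 'TotalKB'; Expression = { ($_.Group | Measure-Object SizeKB -Sum).Sum } } |
    Sort-Object TotalKB -Descending | Format-Table -AutoSize

# Dry run: prints what would be deleted without touching SYSVOL.
# SYSVOL replicates, so a real deletion on one DC propagates to all of them.
$adm | Remove-GpoAdmFile -WhatIf
```

Drop -WhatIf only after the three prerequisites above are met and the report has been reviewed.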

For more about ADM, ADMX, and ADML files be sure to sign up for the GPanswers.com newsletter (the thing you're reading right now) at www.GPanswers.com/newsletter and intermediary notices via blog at www.GPanswers.com/blog.

Test some PolicyPaks for a test drive

Some of you have downloaded the software at PolicyPak to start making your admin life a little easier. We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy.

  • Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader.
  • Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger.
  • Wanna control WinZip using Group Policy? We're working on PolicyPak for WinZip (and lots of others...)
  • Wanna control something we don't support yet? Suggest an application at www.PolicyPak.com/suggest !


So, how can you check them out? We're ready for you to check us out and take it for a test drive. Just mosey over to www.PolicyPak.com, register for an account and give our two PolicyPaks a whirl. We've made the download process even easier. So, if you "gave up" before because we asked for too much information, I think you'll be a lot happier now.


About GPanswers.com Training

Choosing the Right Course for You

Of course you want GP training. And we know you'd prefer to use GPanswers.com as your GO TO source for GP training. We try to make it as easy as possible for you. We have GP courses that fit what you need.

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private (on site) and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses—2007 scheduled

I have limited classes for the rest of 2007 and beginning of 2008:

  • Oct 23, 24 and 25: Netherlands: Three-Day Group Policy Essentials Course (XP Focused). Sign up here.
  • Jan 15, 16, 17, 18: Portland OR: Group Policy Essentials Course, Advanced One Day Course and XP to Vista Catchup Course.
  • Jan 29, 30, Feb 1, 2: Orlando, FL: (Yes, I spun up this course so that you, yes you, can get approval to go to Orlando in the dead of winter time.) Group Policy Essentials course, Advanced One Day Course and XP to Vista Catchup course
  • Feb 4, 5, 6, 7: Wash, DC: Group Policy Essentials course, Advanced One Day Course and XP to Vista Catchup course
  • March 4, 5, 6, 7: Nashville: Group Essentials course, Advanced One Day Course and XP to Vista Catchup Course.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about OTHER CITIES in 2008?

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go for 2007.

Now tell me where you want me to go for 2008. The cities with the most "votes" get classes in their city. Bigger cities are a better bet, so you might want to vote for your closest "major airport" city.

Here's a deal you can't pass up!

Okay, let's assume I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two, three or four days, and you get a free student attendee !

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, the Security Team and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.


Places I'll be...

  • WinConnections 2007 Fall in Vegas: www.WinConnections.com
    • I'll be speaking on Group Policy Essentials
    • Group Policy Troubleshooting
    • Microsoft Softgrid and other Application Virtualization technologies
    • Maybe more !

Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

  If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Security directly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!

Note, that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
 http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • AdventNet with their ADManager Plus

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Margot at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!
