What
are Administrative Templates in Group Policy Objects?
Starting in Windows 2000, and still
present in Windows Server 2008 R2 today,
Group Policy Objects (known also as GPO's) provide hundreds of useful
settings which can be used to automatically configure computers in your domain.
The configuration options are separated into several different sections which
make it easy to find the configuration option you want to set for your
computers. Using GPOs, you can specify practically any setting
available for your users or computers, often making them either a preferred
method, or a mandated requirement. Once you know how to create a group policy,
it is easy to create a policy which performs settings such as:
- Manage services, defining whether or not they must be started automatically or disabled completely.
- Remove the ability to save data, certain parts of the hard drive or desktop.
- Enforce corporate policies that prohibit users from using Internet Explorer to run or install software.
- Manage and lock down desktop environments, including setting items on the desktop and disallowing changes to desktop items and toolbars.
- Manage all aspects of security: encryption, auditing, event logs, and the rights that users have to change these settings.
- Control the remote user profile settings, for either redirecting certain folders in the profile or making the entire profile be a roaming profile.
- Set administrative and scheduled tasks, and set scripts to run at startup, logon, logoff, and shutdown on systems.
Of course, these are just a few of
the thousands of possibilities. Practically any setting or configuration item
can be established, maintained, or controlled through the effective use of
Group Policy Objects.
All
Group Policy Settings are Configured for Either the Computer or the User
As you can see in this screenshot,
all of the settings for a Group Policy will either apply to a computer or to a
user.
Some of the key differences in the
sections will change how the policy is applied. For example, using a Group
Policy to assign software through the Computer Configuration will apply the
software to any COMPUTER which the policy is applied. However, software applied
through the User Configuration is installed on every computer that the user
assigned that group policy object logs onto.
Another key difference in the
Computer Configuration and the User Configuration is when scripts run. A script
applied to a Computer runs at either startup or shutdown. A script applied to a
User runs at logon or logoff.
In both the Computer Configuration
and the User Configuration there is a section titled “Administrative Templates”
(selected in the screenshot above).
What
is an Administrative Template in a Group Policy Object?
Administrative templates are a
collection of settings for many registry based changes. The policies
supply indirect access into the settings stored in the registry of either the
computers hives (usually HKEY_Local_Machine) or the user account hive (HKEY_Current_User).
There are many built in
administrative templates. Some of the templates only apply to certain
versions of Windows, Internet Explorer, Media Player, NetMeeting, or other
software. And while some of the administrative templates are for specific
versions of those software products, most administrative templates apply to
a certain version of software or later.
Administrative Templates provide
direct configuration settings for many different products and services.
Examples of what the administrative templates allow you to control are: Desktop,
EventLog, Power, Printing, and Windows Remote Management. These
are just a few recognizable templates.
The administrative templates are
actually defined by text files with an .ADM or .ADMX extension. In Windows
Server 2003, there were only 5 Admin Templates available for GPOs: Conf.adm,
Inetres.adm, System.adm, Wmplayer.adm, and Wuau.adm. However,
there is now a huge growth in the number of Administrative Templates available
by default in Windows Server 2008 R2. This table highlights the explosion
in available Group Policy Administrative Templates in the last few Operating
System releases.
|
OS Version
|
Number of Default Administrative
Templates
|
|
Windows 2000
|
5
|
|
Windows XP, Server 2003
|
5
|
|
Windows Vista, Server 2008
|
142
|
|
Windows 7, Server 2008R2
|
156
|
You
Are Not Limited to the Default Administrative Templates
Whether you’ve gotten a piece of
software or hardware from another vendor, or you’re actually working on an
older server, you can import newer ADMX files into your group policies.
If, for example, you are on a
Windows Server 2008 domain, with all 2008 Domain Controllers – you will be
missing some of the administrative templates for your GPOs that would be
available to you if you were running 2008 R2. In that case, you are able
to import group policy administrative templates so you can implement
configurations from them.
Outside of using the built-in
administrative templates from a more recent server version, there are also
useful administrative templates that you can install for helping to work with
other products entirely. Examples of this include Office 2010, SharePoint
2010, Exchange 2010, and Lync 2010. Even vendors outside of Microsoft have
leveraged the technology to help improve the manageability of their hardware
and software services. HP, for instance, provides options for customizing
items like the printer notification from the system tray and installation of
HP’s Universal Print Driver by installing their custom ADMX file.
No comments:
Post a Comment