1. Group Policy Policies Node
The Policies node contained in both the computer and user configuration of a group policy contains settings that, in most cases, are enforced and no longer configurable by the client. For settings that can have multiple values, the settings within the Policies node are enforced on the client, but administrators can still add to or modify a portion of the setting. For example, if a user right assignment is configured within a domain-based policy, an administrator cannot remove the entries applied to that user right from the policy, but additional entries can still be added. The Policies node contains security settings, including firewall and networking settings, but the bulk of the settings are contained within the Administrative Templates section of the Policies node.
Group Policy Administrative Templates
Administrative templates are the core elements that make up a GPO. Most settings available within an administrative template are used to configure a corresponding Registry value for the computer or for a user account, usually defined within the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER Registry hive. Other settings are provided to run computer-based and user-based scripts and, in some instances, to install or make software packages available to subsets of users or computers.
Administrative templates come in three basic types:
• ADM files for Windows 2000 Client and Server, Windows XP, and Windows Server 2003
• ADMX and ADML files for Windows Vista, Windows Server 2008 and later OSs
• Custom ADM, ADMX, and ADML files used to extend GPO functionality beyond what is already included in the Microsoft-provided templates
Administrative Templates for Windows 2000, Windows XP, and Windows Server 2003
Administrative templates for Windows 2000, Windows XP, and Windows Server 2003 have a file extension of .adm. The ADM file format is unlike any other file format and is not the easiest to interpret or create. ADM files include not only the policy settings and their possible values but also the friendly language used to present the settings to the administrator viewing them in any of the GPO management tools.
For each GPO created by an administrator using the Windows XP or Windows Server 2003 GPO tools, a folder for that GPO is created in the connected domain controller's SYSVOL folder. This unique GPO folder contains a common set of ADM files in the language used on the administrative client computer. As a result, in an Active Directory infrastructure that has multiple GPOs using the common administrative templates, each GPO folder holds its own copy of the same template files. Each folder is commonly 3MB to 5MB in size, and because the GPO folders are stored in the domain controller's SYSVOL folder, this duplication is commonly referred to as SYSVOL bloat.
When new policies were created using the Windows XP and Windows Server 2003 GPO tools, a copy of each of the ADM template files from the client workstation was pushed up to the SYSVOL folder on the domain controller. When an existing GPO was edited or opened for viewing, the copy of the templates in the GPO folder was compared with the version of the template files on the administrative workstation. If the administrative workstation had a newer version, the workstation template was copied up to the GPO folder and the existing template in the folder was overwritten. This default behavior caused several problems when Microsoft released updated templates with service pack releases of Windows XP and Windows Server 2003.
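The duplication and overwriting described above can be measured directly in SYSVOL. The following script is an added example, not part of the original text: it sizes the ADM copies in every GPO folder and counts how many distinct versions of each template file exist, which is the symptom of different workstations (service pack or language) having overwritten the copies. It assumes a placeholder domain name, contoso.com, read access to SYSVOL from a domain-joined administrative workstation, and that the ADM copies sit in an Adm subfolder under each GPO's GUID-named folder, as the XP/2003 tools create them.

```powershell
# Added example (not from the original text): report SYSVOL bloat caused by
# per-GPO ADM template copies. Domain name is a placeholder; adjust to your own.
$Domain       = 'contoso.com'
$PoliciesRoot = "\\$Domain\SYSVOL\$Domain\Policies"

function Get-SysvolAdmReport {
    param([string]$Root)
    # GPO folders are named by GUID, e.g. {31B2F340-...}; skip anything else.
    $gpoFolders = Get-ChildItem -Path $Root -Directory | Where-Object { $_.Name -like '{*}' }
    foreach ($gpo in $gpoFolders) {
        $admDir = Join-Path $gpo.FullName 'Adm'
        if (-not (Test-Path $admDir)) { continue }   # ADMX-era GPOs have no Adm folder
        $admFiles = Get-ChildItem -Path $admDir -File -Filter '*.adm'
        [pscustomobject]@{
            GpoGuid  = $gpo.Name
            AdmFiles = $admFiles.Count
            AdmBytes = ($admFiles | Measure-Object -Property Length -Sum).Sum
            # Hash each ADM so identical copies across GPO folders can be compared.
            Hashes   = $admFiles | Get-FileHash -Algorithm SHA256 |
                           ForEach-Object { "$($_.Hash)|$(Split-Path $_.Path -Leaf)" }
        }
    }
}

$report = Get-SysvolAdmReport -Root $PoliciesRoot
$report | Select-Object GpoGuid, AdmFiles, @{n='AdmMB'; e={ [math]::Round($_.AdmBytes / 1MB, 2) }} |
    Format-Table -AutoSize

$totalMB = [math]::Round(($report | Measure-Object -Property AdmBytes -Sum).Sum / 1MB, 2)
"Total ADM data duplicated across $($report.Count) GPO folder(s): $totalMB MB"

# More than one distinct hash for the same file name means the copies in SYSVOL
# were written from workstations at different service pack levels or languages.
$report.Hashes | Group-Object { ($_ -split '\|')[1] } | ForEach-Object {
    $distinct = ($_.Group | ForEach-Object { ($_ -split '\|')[0] } | Sort-Object -Unique).Count
    '{0}: {1} copies, {2} distinct version(s)' -f $_.Name, $_.Count, $distinct
}
```

Run it before and after turning off automatic ADM updates to confirm that the number of distinct template versions stops growing; the per-GPO sizes will only shrink if the Adm folders are cleaned up deliberately.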
A common issue related to this feature, as an example, is that if an administrator working on a Windows XP SP2 administrative workstation opened an existing GPO that was created with a Windows XP SP1 workstation, the template files would be updated to the new version, causing replication of the updated templates across all domain controllers. Another implication is that the template files included the friendly language of the administrative workstation the GPO was created on, so administrators across the globe would be unable to manage the same GPO in their local OS language. This, of course, caused several administration issues and, in some cases, regional Active Directory domains were created to allow regional administrators to manage their client workstations and users with GPOs written and managed in their local language. To support global administration, Active Directory infrastructures became unnecessarily complicated and moved away from the original reason GPOs were created: to simplify management, standardize security, and centrally administer and configure companywide resources.
As a means of avoiding the administrative-related and infrastructure-related issues associated with this GPO infrastructure, a common best practice for managing GPOs for XP or later OSs is to manage GPOs only from workstations or servers that meet a single specification for OS version, service pack level, and language. Another means of controlling this is to follow the common practice of configuring all GPOs not to automatically update GPO templates when a GPO is opened for editing. The setting that controls automatic updates of ADM files is located in the User Configuration\Policies\Administrative Templates\System\Group Policy\ section and is named Turn Off Automatic Updates of ADM Files. As a best practice, many administrators enable this setting to improve GPO reliability and to keep GPO replication traffic at a minimum.
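Because an Administrative Template setting is, as described earlier, just a Registry value written under a Policies key, the setting above can be configured and checked from PowerShell instead of the GPO editor. The following is an added example, not from the original text, using the GroupPolicy module's Set-GPRegistryValue and Get-GPRegistryValue cmdlets. It assumes a GPO named 'Admin Workstations' already exists, and the registry key and value name in the script are this editor's understanding of where the setting is stored rather than something the text states; confirm them against GroupPolicy.admx on your own system before relying on them.

```powershell
# Added example, not from the original text. Assumptions: the GroupPolicy module
# is available (RSAT or a domain controller), a GPO named 'Admin Workstations'
# already exists, and the registry location/value name below are where the
# "Turn Off Automatic Updates of ADM Files" setting is stored (assumed; verify).
Import-Module GroupPolicy

$GpoName   = 'Admin Workstations'                                    # assumed GPO name
$PolicyKey = 'HKCU\Software\Policies\Microsoft\Windows\Group Policy'  # assumed key
$ValueName = 'DisableAutoADMUpdate'                                   # assumed value, 1 = on

function Set-AdmAutoUpdateOff {
    param([string]$Name)
    # Administrative Template settings are registry-based, so the cmdlet writes the
    # value into the GPO's registry.pol in SYSVOL; no live hive is touched here.
    Set-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName $ValueName -Type DWord -Value 1 | Out-Null
}

function Get-AdmAutoUpdateState {
    param([string]$Name)
    # Returns the DWORD stored in the GPO, or $null when the setting is Not Configured.
    try {
        (Get-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName $ValueName -ErrorAction Stop).Value
    } catch {
        $null
    }
}

Set-AdmAutoUpdateOff -Name $GpoName
$state = Get-AdmAutoUpdateState -Name $GpoName
"GPO '$GpoName': $ValueName = $state (1 means automatic ADM updates are turned off)"

# Client-side check on an administrative workstation that has applied the GPO:
# the same value appears under the user's Policies key after the next refresh.
$clientKey = 'HKCU:\Software\Policies\Microsoft\Windows\Group Policy'
if (Test-Path $clientKey) {
    Get-ItemProperty -Path $clientKey -Name $ValueName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty $ValueName
}
```

The setting lives in the user configuration, so it only takes effect for the administrators to whom the GPO applies; scope it to the accounts that actually edit GPOs rather than to every user.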
Group Policy Administrative Templates for Windows Vista and Windows Server 2008 and Later
Group Policy for Windows Vista and Windows Server 2008 has been completely revised and rebuilt from the XP/2003 version, but it still supports Windows XP and Windows Server 2003. Windows 7, Windows Server 2008 R2, and later build on this new revision, adding new settings to support the features of the latest OSs. The original ADM files have been replaced or split into two files:
• ADMX administrative template settings file
• ADML administrative template language file
The original single administrative template ADM file format was replaced to overcome many of the issues with that format, including its unique syntax as well as the embedding of the local language of the particular ADM files contained on the administrative workstation.
With the separation of the ADM file into a settings file and a local language file, the new templates enable the administration of a single GPO using different local languages.
In earlier versions, when an administrator viewed or edited a GPO, the local template files from the administrative workstation were pushed up to the server GPO folder. With the new Windows 8/Windows Server 2012 GPO infrastructure, when the GPO is opened for viewing or editing, the template files located on the local hard drive are loaded to view the GPO. The GPO folder created with the Windows 8 or Windows Server 2012 GPO tools contains only the files and folders that hold the configured settings of the GPO, not the general template files, as in earlier versions. This improves GPO processing time and reduces the amount of data stored in the SYSVOL folder on each domain controller.
Custom Administrative Templates
Microsoft has provided, in earlier versions as well as the current release, the ability for administrators and independent software vendors (ISVs) to create their own administrative templates. The current administrative templates released with Windows 8 and Windows Server 2012 have all the original ADM settings as well as many settings that administrators previously had to support with custom templates or purchase in ISV-created templates. But even though the new templates provide many more settings, there will still be custom Registry keys and values, specific application services, and other functions that organizations want to manage with GPOs. These settings will still need to be provided through custom templates or ISV GPO products. For example, when Microsoft releases a new version of Internet Explorer, it provides a custom administrative template that Group Policy administrators can import to block domain computers from downloading, installing, or even presenting the new browser in Windows Updates.
Many ISVs now provide administrative templates for their own applications. Microsoft also provides administrative templates to further manage its own applications and suites; Microsoft Office, for example, includes new templates that can be used with each new version of the suite.
Custom administrative templates can be created in both the ADM and ADMX/ADML file formats. To preserve the time and effort administrators and ISVs have put into creating custom templates, and to support legacy applications, new GPOs will continue to support administrative templates created in the original ADM file format as well as the new ADMX/ADML formats.
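The ADMX/ADML split described in the previous section, and the custom templates discussed here, are easiest to understand from a concrete pair of files. The following is an added example, not from the original text or from any vendor: a minimal custom ADMX for a hypothetical "ExampleApp" from a placeholder vendor "Contoso", two ADML language files for it, and a small parser that joins them the way the GPO editor does. All the XML is constructed for illustration; only the PolicyDefinitions schema namespace and the reference to Windows.admx are real.

```powershell
# Added example, not from the original text: a minimal custom ADMX/ADML pair for a
# hypothetical "ExampleApp" (vendor "Contoso" is a placeholder), parsed to show how
# the settings file (ADMX) and the language file (ADML) fit together.
$admxText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="exampleapp" namespace="Contoso.Policies.ExampleApp" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ExampleApp" displayName="$(string.ExampleApp)" />
  </categories>
  <policies>
    <!-- Settings only: displayName/explainText are string ids resolved from an ADML -->
    <policy name="DisableTelemetry" class="Machine" displayName="$(string.DisableTelemetry)"
            explainText="$(string.DisableTelemetry_Help)"
            key="Software\Policies\Contoso\ExampleApp" valueName="DisableTelemetry">
      <parentCategory ref="ExampleApp" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# One ADML per culture: the same string ids with different text. In a real deployment
# they sit at PolicyDefinitions\ExampleApp.admx and PolicyDefinitions\<culture>\ExampleApp.adml.
function New-AdmlText {
    param([hashtable]$Strings)
    $rows = ($Strings.GetEnumerator() |
        ForEach-Object { "      <string id=`"$($_.Key)`">$($_.Value)</string>" }) -join "`n"
    @"
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>ExampleApp</displayName>
  <description>ExampleApp policy strings</description>
  <resources>
    <stringTable>
$rows
    </stringTable>
  </resources>
</policyDefinitionResources>
"@
}
$admlEnUS = New-AdmlText @{ ExampleApp = 'Contoso ExampleApp'
    DisableTelemetry      = 'Turn off ExampleApp telemetry'
    DisableTelemetry_Help = 'Prevents ExampleApp from sending usage data.' }
$admlDeDE = New-AdmlText @{ ExampleApp = 'Contoso ExampleApp'
    DisableTelemetry      = 'ExampleApp-Telemetrie deaktivieren'
    DisableTelemetry_Help = 'Verhindert, dass ExampleApp Nutzungsdaten sendet.' }

function Get-AdmxPolicySummary {
    param([xml]$Admx, [xml]$Adml)
    # String table from the ADML: id -> localized text.
    $strings = @{}
    foreach ($s in $Adml.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.id] = $s.'#text'
    }
    # Resolve the "$(string.<id>)" references used by the ADMX against this ADML.
    function Resolve-Ref([string]$ref) {
        if ($ref -match '^\$\(string\.(.+)\)$') { $strings[$Matches[1]] } else { $ref }
    }
    foreach ($p in $Admx.policyDefinitions.policies.policy) {
        [pscustomobject]@{
            Policy      = $p.GetAttribute('name')   # GetAttribute: 'name' collides with XmlNode.Name
            Class       = $p.class
            DisplayName = Resolve-Ref $p.displayName
            Explain     = Resolve-Ref $p.explainText
            RegistryKey = $p.key
            ValueName   = $p.valueName
            EnabledVal  = $p.enabledValue.decimal.value
            DisabledVal = $p.disabledValue.decimal.value
        }
    }
}

$admx = [xml]$admxText
foreach ($culture in @{ 'en-US' = $admlEnUS; 'de-DE' = $admlDeDE }.GetEnumerator()) {
    Write-Host "--- $($culture.Key) ---"
    Get-AdmxPolicySummary -Admx $admx -Adml ([xml]$culture.Value) | Format-List
}
```

The registry key, value name, and enabled/disabled values come only from the ADMX, so the same policy produces the same registry.pol entry regardless of which ADML the editing administrator's OS picks; the ADML changes nothing but the text shown in the editor, which is what lets administrators in different regions manage one GPO.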
Although Microsoft has provided the steps to create custom ADMX and ADML files, the current GPO management tools only allow adding custom ADM templates to specific GPOs. To leverage the settings in a new custom ADM file, the file must be added to each GPO that will use it. ADM files that are added to a GPO are made available beneath the respective Administrative Templates\Classic Administrative Templates (ADM) section of the computer or user configuration Policies node.
2. Group Policy Preferences Node
The Preferences node contained in both the computer and user configuration of a group policy contains settings that in most cases are new settings that were previously not included in Group Policy and had to be managed with custom scripts and administrative templates. Preference settings are set initially, but in most cases the end user can change those settings after Group Policy processing. Preferences are unique in that within a preference setting there is a function named Item Level Targeting that allows very granular application of the preference setting based on many different types of criteria. In essence, even though a group policy is applied to a set of users or computers, the preference settings within it may apply only to a subset of that group.
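Item Level Targeting is stored alongside each preference item in the XML files that make up the GPO's Preferences folder in SYSVOL, which makes it possible to audit which items are narrowed to a subset of the GPO's scope. The following is an added example, not from the original text: a constructed Registry.xml with two preference items, one carrying a group filter and one without, and a parser that reports each item's target and its filters. The CLSID and UID values are placeholders, and the group name and SID are made up.

```powershell
# Added example (not from the original text): parse a Group Policy Preferences
# XML file and report which preference items carry Item Level Targeting filters.
# The Registry.xml below is constructed: CLSID/UID values are placeholders and the
# group name and SID are invented.
$sampleRegistryXml = @'
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{PLACEHOLDER-CLSID}">
  <Registry clsid="{PLACEHOLDER-CLSID}" name="HelpdeskToolPath" status="HelpdeskToolPath" uid="{PLACEHOLDER-UID-1}">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Contoso\ExampleApp" name="ToolPath" type="REG_SZ" value="C:\Tools\Helpdesk"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\Helpdesk" sid="S-1-5-21-0-0-0-1001" userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Registry>
  <Registry clsid="{PLACEHOLDER-CLSID}" name="HomePage" status="HomePage" uid="{PLACEHOLDER-UID-2}">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Contoso\ExampleApp" name="HomePage" type="REG_SZ" value="https://intranet.contoso.example"/>
  </Registry>
</RegistrySettings>
'@

function Get-GppTargetingReport {
    param([xml]$Document)
    # Each element child of the root is one preference item.
    foreach ($item in $Document.DocumentElement.ChildNodes) {
        if ($item.NodeType -ne 'Element') { continue }
        $props   = $item.Properties
        $filters = @()
        # Item Level Targeting is stored as a <Filters> block; each child element
        # (FilterGroup, FilterOs, ...) is one criterion, joined by its "bool" attribute.
        if ($item.Filters) {
            foreach ($f in $item.Filters.ChildNodes) {
                if ($f.NodeType -ne 'Element') { continue }
                $attrs = ($f.Attributes | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
                $filters += "$($f.LocalName) [$attrs]"
            }
        }
        # GetAttribute is used because 'name' and 'value' collide with XmlNode properties.
        [pscustomobject]@{
            Item     = $item.GetAttribute('name')
            Action   = $props.GetAttribute('action')
            Target   = '{0}\{1}\{2}' -f $props.GetAttribute('hive'), $props.GetAttribute('key'), $props.GetAttribute('name')
            Targeted = ($filters.Count -gt 0)
            Filters  = $filters
        }
    }
}

Get-GppTargetingReport -Document ([xml]$sampleRegistryXml) | Format-List
```

Against a live domain, point the same function at the Registry.xml (or Drives.xml, Printers.xml, and so on) under a GPO's User\Preferences or Machine\Preferences folder in SYSVOL; an item reported with Targeted = False applies to everyone the GPO reaches, which is worth a second look when the preference was meant for a subset.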