Home > Guides > Operating Systems, Server

Administrative Templates for Registry Policy

Last updated Jan 11, 2008.

An administrative template is a kind of database used to represent settings that can be made to a local client's System Registry, by way of group policy. It explains what Registry settings are available to be customized by the administrator, and through the Group Policy Management Editor (the replacement for GPOE) in Windows Server 2008, it offers this explanation in the common language of the administrator's choice.

Why Templates Exist

If you think about it, perhaps the single least self-explanatory construct ever devised by the minds of human beings, is the Windows System Registry. It was designed exclusively for Windows' own convenience, which is why using the Registry Editor for most people is a process akin to home brain surgery. So on the surface, the idea of an administrative template makes good sense, because at least it tells someone the meaning of the various switches that affect the behavior of software and the operating system.

Of course, if it could explain those switches to everyone in his or her respective native language, then everyone might be tempted to try out those switches for herself. One of Microsoft's greatest fears is that people might become too tempted to use its software in-depth. So policy-related software switches in the Registry are typically restricted from everyday users' access by way of access control lists, and thus administrative templates are for the admins' own personal edification.

Because an application makes new settings possible in its client's Registry, new administrative templates can explain how those settings can be customized. This is why Microsoft makes available a separate set of templates for Office applications.

In a client system that's managed by group policy, the Registry switches that designate software behavior are delegated to either the computer (HKEY_LOCAL_MACHINE) or its authenticated user (HKEY_CURRENT_USER). Under either of those hives in the Registry, you'll find the specific switches under the \Software\Policies\ and \Software\Microsoft\Windows\CurrentVersion\policies tiers.

Managing Registry Settings Remotely

An administrative template pertains to a particular category of the Registry, usually a single tier. Under Group Policy Management Editor, you no longer have to manage multitudes of templates individually; instead, each template category appears as a subfolder of the Administrative Templates tier that applies to the GPO you're editing.

Up until Windows Server 2003, the physical form of templates were .ADM files that were specific to Windows. With WS2K8, this has changed entirely, although Microsoft has done its best to keep the impact of those changes under the hood. Templates now use the XML-based .ADMX format, which is particularly beneficial because now the descriptions of settings that were once embedded in the database, can now be applied separately and independently of the admin's language. This is why templates can now make sense to admins who speak Spanish or Dutch or German or Polish or Portugese.

Editing a template's settings are at last, thankfully, simpler than the process has ever been, though there is one catch: Because templates are now language-independent, you may find yourself fishing through the tiers of templates and settings—which are only described, not enumerated—to locate the one you need to set. The categorical breakdown will help you somewhat, though "browsing" may become the order of the day in some events.

Here's how the editing process works now in WS2K8:

  1. From Server Manager or Group Policy Management Console, open the default policy for the domain or domain controller.
  2. From the left pane, navigate to Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine. (Like I said, Microsoft likes to use language liberally now.)
  3. Under that long-winded tier, look for the category and related setting that best describes the policy you wish to set. For example, suppose you need to enforce a policy whereby neither users nor applications can change the active color profile being used by the system. This is so you can ensure that color documents being sent to a network printer look the same when printed from one system as they would from another. You'll find it under Windows Components, Windows Color System.
    Figure 1

    Figure 1 Setting a Registry-based policy for an administrative template under Group Policy Management Editor in Windows Server 2008.

  4. In the Setting pane in the middle, look for the entry that best describes the policy you're trying to set. In our example, there's only one: Prohibit installing or uninstalling color profiles. Double-click on this item.
  5. For a surprisingly complete explanation of what the setting actually accomplishes, click on the Explain tab. This explanation comes from the new .ADMX system, which should now use your native language.
  6. To make the policy setting, first click on the Setting tab. The default state is Not Configured, which means there is no Registry entry generated that applies to this setting. Your other choices—Enabled and Disabled—create Registry entries that turn the feature on or off, respectively. Most Registry settings managed through administrative templates work this same way, though others may have multiple options. In such cases, both the Explain tab and the labels beside your entries on the Setting tab will help you sort out the choice that best corresponds with your intent.
  7. To finalize your choices, click OK.

Books and E-books

Online Resources

Discussions

Root Domain Redundancy
Posted Jun 12, 2008 05:16 PM by tommy58673
0 Replies
NAT
Posted Apr 22, 2008 04:39 PM by v-rathim
0 Replies
the topic is very useful
Posted Mar 10, 2008 02:27 AM by wghanem57957
0 Replies

Make a New Comment

You must log in in order to post a comment.

Related Resources

Dustin SullivanIf You Are New to Mac/Objective-C Programming...
By Dustin SullivanJune 5, 2009 No Comments

We recently sat down with several top Objective-C and Cocoa developers to talk about that state of the iPhone and OS X markets as we approach this year's WWDC.  As we were wrapping up, we threw one last question at them out of curiosity, and we thought you'd like to see what some of them said.

It's Here; Put Away Your Pre-Conceptions on What an OS Must Be: Part IV
By John TraenkenschuhMay 27, 20095 Comments

Graphical User Interfaces were important.  So was cost control.  Just what must an OS be?

It's Here; Put Away Your Pre-Conceptions on What an OS Must Be: Part III
By John TraenkenschuhMay 27, 2009 No Comments

Having witnessed the PC revolution, Traenk pauses to reflect on the GUI world...

See More Blogs

Informit Network