- Table of Contents
- Introduction to the Reference Guide
- The New Itinerary for Windows Server 2008
- The Registry
- Domain Organization
- Putting Our Terms on the Table
- One World, One Domain Model
- The World of Difference in Active Directory
- Why Windows Has Forests
- The Domain Functional Level
- Birth of a Domain
- The Types and Levels of Trusts
- The Benefits of an Empty Forest
- Configuring a Domain Controller
- User and Group Accounts in Active Directory
- iNetOrgPerson: More Than Your Ordinary Person
- Dueling Documentation: Can a User Become an iNetOrgPerson?
- Groups of Groups and Their Associated Groups
- The DNS Namespace
- The United Federation of Forests
- Walking the Path of Trust
- Organizational Units
- Maximizing Security with Group Policy
- Federating Active Directory to Non-Windows Platforms
- The Power of Policy
- Utilizing Group Policy Management Console
- There Are Computers and There Are Users
- Inheriting a Meager Comprehension of Policy Inheritance
- Using Folder Redirection to Mould the Client Desktop
- Administrative Templates for Registry Policy
- Group Policies Make Way for Group Preferences
- Knowing When to Delegate, and to Whom
- Using Resultant Set of Policies in GPMC
- Using Group Policy to Restrict Group Membership
- Introducing System Center Operations Manager
- Why Operations Manager is a Commercial Package
- Executing the Migration Plan
- Resource Management
- Security
- Networking at the Link Level
- Network Applications
- Windows Management Instrumentation
- The Dawn of Windows Server 2008
- Windows Server By Command
Administrative Templates for Registry Policy
Last updated Jan 11, 2008.
An administrative template is a kind of database used to represent settings that can be made to a local client's System Registry, by way of group policy. It explains what Registry settings are available to be customized by the administrator, and through the Group Policy Management Editor (the replacement for GPOE) in Windows Server 2008, it offers this explanation in the common language of the administrator's choice.
Why Templates Exist
If you think about it, perhaps the single least self-explanatory construct ever devised by the minds of human beings, is the Windows System Registry. It was designed exclusively for Windows' own convenience, which is why using the Registry Editor for most people is a process akin to home brain surgery. So on the surface, the idea of an administrative template makes good sense, because at least it tells someone the meaning of the various switches that affect the behavior of software and the operating system.
Of course, if it could explain those switches to everyone in his or her respective native language, then everyone might be tempted to try out those switches for herself. One of Microsoft's greatest fears is that people might become too tempted to use its software in-depth. So policy-related software switches in the Registry are typically restricted from everyday users' access by way of access control lists, and thus administrative templates are for the admins' own personal edification.
Because an application makes new settings possible in its client's Registry, new administrative templates can explain how those settings can be customized. This is why Microsoft makes available a separate set of templates for Office applications.
In a client system that's managed by group policy, the Registry switches that designate software behavior are delegated to either the computer (HKEY_LOCAL_MACHINE) or its authenticated user (HKEY_CURRENT_USER). Under either of those hives in the Registry, you'll find the specific switches under the \Software\Policies\ and \Software\Microsoft\Windows\CurrentVersion\policies tiers.
Managing Registry Settings Remotely
An administrative template pertains to a particular category of the Registry, usually a single tier. Under Group Policy Management Editor, you no longer have to manage multitudes of templates individually; instead, each template category appears as a subfolder of the Administrative Templates tier that applies to the GPO you're editing.
Up until Windows Server 2003, the physical form of templates were .ADM files that were specific to Windows. With WS2K8, this has changed entirely, although Microsoft has done its best to keep the impact of those changes under the hood. Templates now use the XML-based .ADMX format, which is particularly beneficial because now the descriptions of settings that were once embedded in the database, can now be applied separately and independently of the admin's language. This is why templates can now make sense to admins who speak Spanish or Dutch or German or Polish or Portugese.
Editing a template's settings are at last, thankfully, simpler than the process has ever been, though there is one catch: Because templates are now language-independent, you may find yourself fishing through the tiers of templates and settings—which are only described, not enumerated—to locate the one you need to set. The categorical breakdown will help you somewhat, though "browsing" may become the order of the day in some events.
Here's how the editing process works now in WS2K8:
- From Server Manager or Group Policy Management Console, open the default policy for the domain or domain controller.
- From the left pane, navigate to Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine. (Like I said, Microsoft likes to use language liberally now.)
- Under that long-winded tier, look for the category and related setting that
best describes the policy you wish to set. For example, suppose you need to
enforce a policy whereby neither users nor applications can change the active
color profile being used by the system. This is so you can ensure that color
documents being sent to a network printer look the same when printed from one
system as they would from another. You'll find it under Windows
Components, Windows Color System.
Figure 1 Setting a Registry-based policy for an administrative template under Group Policy Management Editor in Windows Server 2008.
- In the Setting pane in the middle, look for the entry that best describes the policy you're trying to set. In our example, there's only one: Prohibit installing or uninstalling color profiles. Double-click on this item.
- For a surprisingly complete explanation of what the setting actually accomplishes, click on the Explain tab. This explanation comes from the new .ADMX system, which should now use your native language.
- To make the policy setting, first click on the Setting tab. The default state is Not Configured, which means there is no Registry entry generated that applies to this setting. Your other choices—Enabled and Disabled—create Registry entries that turn the feature on or off, respectively. Most Registry settings managed through administrative templates work this same way, though others may have multiple options. In such cases, both the Explain tab and the labels beside your entries on the Setting tab will help you sort out the choice that best corresponds with your intent.
- To finalize your choices, click OK.
)
Books and E-books
- Willis, Will. MCSE 70-294 Exam Cram: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure. Exam Cram, 2006. Preview "Controlling User Environments with Administrative Templates" from Chapter 5, "Planning a Group Policy Implementation," on Safari.
Online Resources
- "Group Policy." Overview document from Microsoft TechNet.
- "Windows Server 2008 Group Policy." Blog entry on PointBridge dated November, 2007, by Derek Seaman.
Digg
Del.icio.us
Your Account
Account Sign In
View your cart