Managing Windows Vista Group Policy (Part 1)
If you would like to read the other parts in this article series please go to:
Windows Vista includes some important changes from earlier Windows operating systems with regard to Group Policy (GP). This article introduces you to how ADM files evolved, by way of XML, into multi-lingual templates (ADMX/ADML files), and to the Central Store with all its glory.
Welcome to the constantly expanding Microsoft Group Policy universe.
ADM vs. ADMX/ADML files
ADM files were first introduced with Windows NT4 and they have stuck ever since. First of all, it's important to understand that ADM files are nothing but templates (Administrative Templates). This means that when the Group Policy Object Editor (GPOE) or Group Policy Management Console (GPMC) loads, the template content is presented to the users of the console - nothing else (the administrative experience, you could say). When a policy is created or changed, a Registry.pol file is written to the Group Policy Object (GPO) container; this is the actual policy, holding the specific registry settings defined in the template file(s). So the machine or user receiving the policy doesn't actually need the ADM files at all.
ADM files have had an obscure syntax from the very beginning, with their own special markup language that is pretty difficult to master. With customized Administrative Templates there are lots of possibilities for creating your own "registry policies", making sure your clients are configured in a specific way.
The new ADMX/ADML files take over where ADM files left off. They are still just templates and are only there for the administrators creating and modifying group policies, local as well as domain based. The managed "end users" and "end machines" have no awareness of whether the policy settings were configured from Vista (using ADMX/ADML files) or from Windows 2000/2003 (using ADM files) - we still just edit and populate the Registry.pol file. This is the reason why ADM and ADMX/ADML files can coexist. You will not notice the presence of ADMX files during your day-to-day policy administration tasks.
So you might ask why we now have both ADMX and ADML template files! Well, the reason is that ADM files only supported a single language - now we get true multi-lingual support. On a French Windows XP the French ADM files were included and on a Danish Windows XP the Danish ADM files were included - you could not have both. ADMX files are language-neutral and don't include policy descriptions etc. like ADM files did. Instead they reference ADML files, which are language-specific; one ADML file is required per language, making the ADMX files multi-lingual without much effort.
ADMX and ADML files use an XML-based format - this should make them easier to read, write and understand (however, I still think it's hard to make your own files by hand). Maybe it's now easier for developers or 3rd-party group policy tools to create Administrative Templates, but not for a normal human being. I actually don't believe we have an easier job with XML in good old Notepad. Unfortunately you won't find much information these days on how to create or customize your own ADMX templates. This seems to be a 'secret' for now, but you can use a utility such as XML Notepad 2006 v1.0 to view and edit the content; Visual Studio also supports and "understands" the XML format through IntelliSense (the technology that helps the developer while programming, showing the available classes, methods, properties, syntax etc.). You can also use other XML tools or programmatic XML libraries (e.g. the .NET Framework) to create or modify ADMX files - just remember that 'best practice' is still to leave the default ADMX files untouched and create your own customized versions. You can see the ADMX Schema reference online.
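To make the ADMX/ADML split concrete, here is an added PowerShell example (not from the article or from Microsoft) that writes a minimal custom ADMX file and its matching EN-US ADML file to a scratch folder, then checks that every `$(string.X)` reference in the ADMX resolves to a `<string id="X">` in the ADML. A reference with no matching string is exactly the case where a policy appears in GPOE without any text. The vendor name Contoso, the registry key `Software\Policies\Contoso\Example`, the value name `FeatureDisabled` and the scratch folder are all hypothetical placeholders; the `SUPPORTED_WindowsVista` definition is assumed to come from the built-in windows.admx.

```powershell
# Added example, not part of the article. Writes a hypothetical Contoso ADMX/ADML
# pair to %TEMP%\ContosoAdmx and validates the string cross-references.
# Single-quoted here-strings keep the $(string.X) tokens literal.
$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.Example" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ContosoSettings" displayName="$(string.ContosoSettings)" />
  </categories>
  <policies>
    <!-- Hypothetical machine policy: Enabled writes FeatureDisabled=1, Disabled writes 0 -->
    <policy name="DisableExampleFeature" class="Machine"
            displayName="$(string.DisableExampleFeature)"
            explainText="$(string.DisableExampleFeature_Help)"
            key="Software\Policies\Contoso\Example" valueName="FeatureDisabled">
      <parentCategory ref="ContosoSettings" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# The language-specific half: only display strings live here.
$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Contoso example template</displayName>
  <description>EN-US strings for Contoso.admx (hypothetical)</description>
  <resources>
    <stringTable>
      <string id="ContosoSettings">Contoso Settings</string>
      <string id="DisableExampleFeature">Disable the example feature</string>
      <string id="DisableExampleFeature_Help">Enabling this policy sets HKLM\Software\Policies\Contoso\Example\FeatureDisabled to 1; disabling it sets the value to 0.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

# Lay the files out the same way %WINDIR%\PolicyDefinitions does: ADMX at the root, ADML in a language folder.
$root = Join-Path $env:TEMP 'ContosoAdmx'
New-Item -ItemType Directory -Path (Join-Path $root 'en-US') -Force | Out-Null
Set-Content -Path (Join-Path $root 'Contoso.admx')       -Value $admx -Encoding UTF8
Set-Content -Path (Join-Path $root 'en-US\Contoso.adml') -Value $adml -Encoding UTF8

function Test-AdmxStrings {
    param([string]$AdmxPath, [string]$AdmlPath)
    # Casting to [xml] parses the files; a malformed template throws here, which is the first defect to catch.
    [xml]$policy = Get-Content -Path $AdmxPath -Raw
    [xml]$lang   = Get-Content -Path $AdmlPath -Raw

    # String ids the ADML actually defines.
    $defined = @{}
    foreach ($s in $lang.policyDefinitionResources.resources.stringTable.string) { $defined[$s.id] = $true }

    # Every $(string.X) token anywhere in the ADMX (displayName, explainText, presentations ...).
    $refs = [regex]::Matches($policy.OuterXml, '\$\(string\.([A-Za-z0-9_]+)\)') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    $missing = @($refs | Where-Object { -not $defined.ContainsKey($_) })

    [pscustomobject]@{ References = @($refs).Count; Missing = $missing }
}

$result = Test-AdmxStrings -AdmxPath (Join-Path $root 'Contoso.admx') -AdmlPath (Join-Path $root 'en-US\Contoso.adml')
if ($result.Missing.Count -eq 0) { "All $($result.References) string references resolve." }
else { "Unresolved string ids: $($result.Missing -join ', ')" }
```

Copy the resulting Contoso.admx and en-US\Contoso.adml into %WINDIR%\PolicyDefinitions (or the Central Store) and restart GPOE to see the category appear under Administrative Templates. The same check is worth running against every language folder you ship, because a French ADML that lags behind the ADMX will silently fall back to the English strings or, if those are missing too, to 'Extra Registry Settings'.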
With Windows Vista RC 2 build 5744 we got 132 ADMX files (see Figure 1) and 132 corresponding ADML files; this gives us only 3.74 MB of ADMX and 1.86 MB of ADML files - not much compared to all the functionality and possibilities these files bring into an administrator's life! Windows XP had 7 default ADM files containing all Windows policy settings available from Microsoft. Windows Vista uses the built-in ADMX files to present all policy settings for Windows XP/2000/2003 and Vista itself - no ADM files are included anymore. This is possible because the Vista ADMX files are a SUPERSET of the old ADM files and therefore supersede them; they simply include all the "legacy" settings plus a great deal of new ones (around 800) for Vista/Longhorn alone.
However, if Vista finds a custom ADM file in the GPO being edited it will also display the policy settings defined in that ADM file (just without the multi-lingual benefits of ADMX/ADML files, of course). If you previously changed the contents of some of the default ADM files (even though that is far from best practice) you have to repeat the same changes in a customized ADMX file (and create a corresponding ADML file).
Microsoft has no plan to ship an ADM to ADMX conversion tool so far, in case you were wondering.
We can still use the "Add/Remove Templates" dialog for ADM files - this is not an option with ADMX files, as the new version of GPOE reads and loads all ADMX files, from the Central Store (see below) or the local directory, into the GUI on startup, completely transparently to the user. If we need to add customized ADMX files, all we have to do is copy the file(s) to the Central Store or the local directory and restart GPOE.
The domain policy administration workstation needs to be running Windows Vista (or Longhorn) for best interoperability and administrative experience. Windows Vista can be used to manage all operating systems that support Group Policy (from Windows 2000 and up).
GPOE on Windows 2000/XP/2003 machines will not display new Windows Vista Administrative Template policy settings that may be enabled or disabled within a GPO. The reporting feature of GPMC on Windows XP/2003 (GPMC doesn't run on Windows 2000 at all) will display new Windows Vista Administrative Template policy settings as 'Extra Registry Settings'.
Group Policy tools like GPOE/GPMC adjust their display language according to the administrator's configured operating system (OS) language. Windows Vista has a "language fallback mechanism" which steps into action if no language file is available for the user's OS language - English is the default fallback language and therefore a language file from the EN-US folder will be preferred (see below). If the English ADML file is missing too, the policy settings will show up under 'Extra Registry Settings' without any text or explanation.
Please be aware that the file location of Administrative Templates changed with Windows Vista. On earlier Windows versions, ADM files were located in the directory %WINDIR%\inf; ADMX files are placed in %WINDIR%\PolicyDefinitions and the corresponding ADML files are located in %WINDIR%\PolicyDefinitions\<LanguageFolder>. The <LanguageFolder> can be named \EN-US for U.S. English, \FR for French etc., following the ISO-style language or 'Culture Name' (see Locale Identifiers).
The Central Store
The Central Store (also called Central Repository or Domain-Wide Repository) only makes sense in a domain environment, and it's not used or "activated" by default. The Central Store (CS) is actually just a new directory replicated between Domain Controllers in the SYSVOL area (which is already used by Windows 2000/XP/2003 to store Group Policy Objects). There is nothing mysterious about this folder, but it helps to centrally administer the ADMX and ADML files used for policy creation and editing - and reduces the storage requirements for GPOs in the SYSVOL area.
We either use one Central Store in the domain or the local directories on each admin client to hold ADMX/ADML files (the latter is the old approach). The two methods are mutually exclusive: either the "online" ADMX files are used or the local files. Once the Central Store is created, the local ADMX/ADML files are no longer used unless the Central Store is for some reason unavailable, in which case we fall back to the local files.
ADM templates could be pretty annoying in situations where domain wide policies were administered from different administrative workstations. There could be language and version mismatches between the ADM files used, so when a French administrator edits the Default Domain Policy his/her language and operating system version (2000/XP/2003) will be reflected in the ADM files copied to the SYSVOL, as well as the Service Pack level of the computer.
There is no user interface to create and populate the Central Store in Windows Vista, but the process is very simple and has to be done only once per Domain. All you have to do is create the Central Store folder, preferably on the Primary Domain Controller (PDC Emulator) because both GPMC and GPOE connect to the PDC by default, copy all ADMX files to the directory, create a subfolder for each language, copy the ADML files to these directories and let the File Replication Service (FRS) do its job replicating the content to all DCs.
So, exactly where should I create this folder? Well, it's pretty straightforward... You need the following "domain-root-level" directory structure in SYSVOL: %logonserver%\SYSVOL\%userdnsdomain%\Policies\PolicyDefinitions\ with subfolders for all languages needed - see above for information about the language folder names. Please note that locally on a DC the path should be %WINDIR%\SYSVOL\domain\Policies\PolicyDefinitions (the default location of SYSVOL). You must be a member of the "Domain Administrators" group to create the Central Store folder, and the location is not user configurable or changeable. Custom ADMX policies (and their related language files) can be copied to the Central Store - all GPOEs on your group policy administrators' computers will then consume and reflect these settings... This is all you have to do to "share" your ADMX templates!
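The whole procedure above (locate the PDC emulator, create PolicyDefinitions under the domain's Policies folder, copy the ADMX files, create one subfolder per language and copy the ADML files) fits in one script. The following is an added PowerShell example, not from the article and not a Microsoft tool; it assumes you run it on a Vista administration workstation as a member of Domain Admins, that the workstation's local %WINDIR%\PolicyDefinitions holds the templates you want to publish, that the `.NET` `System.DirectoryServices.ActiveDirectory.Domain` class can reach the domain, and PowerShell 3 or later for the `-File`/`-Directory` switches. The verification function afterwards checks the one thing the language fallback depends on: every ADMX has an ADML of the same base name in every language folder, and an EN-US folder exists.

```powershell
# Added example, not part of the article. Creates and populates the Central Store
# on the PDC emulator, then verifies ADMX/ADML consistency.
function New-GpCentralStore {
    param(
        # Source templates: the local PolicyDefinitions folder of this admin workstation.
        [string]$Source = (Join-Path $env:WINDIR 'PolicyDefinitions'),
        # Language folders to publish; en-US is the fallback language, so keep it in the list.
        [string[]]$Languages = @('en-US')
    )
    # GPMC and GPOE connect to the PDC emulator by default, so create the folder there
    # and let FRS replicate it to the other DCs.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc    = $domain.PdcRoleOwner.Name
    $store  = "\\$pdc\SYSVOL\$($domain.Name)\Policies\PolicyDefinitions"

    # Root of the store holds the language-neutral ADMX files.
    New-Item -ItemType Directory -Path $store -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force

    # One subfolder per language with the matching ADML files.
    foreach ($lang in $Languages) {
        $srcLang = Join-Path $Source $lang
        if (-not (Test-Path $srcLang)) {
            Write-Warning "No local '$lang' folder under $Source; skipping that language"
            continue
        }
        $dstLang = Join-Path $store $lang
        New-Item -ItemType Directory -Path $dstLang -Force | Out-Null
        Copy-Item -Path (Join-Path $srcLang '*.adml') -Destination $dstLang -Force
    }
    return $store
}

function Test-GpCentralStore {
    param([string]$Store)
    # An ADMX without its ADML shows up in GPOE under 'Extra Registry Settings' with no text,
    # and without an en-US folder there is nothing left to fall back to.
    $admx     = @(Get-ChildItem -Path $Store -Filter '*.admx' -File)
    $langDirs = @(Get-ChildItem -Path $Store -Directory)
    $problems = foreach ($dir in $langDirs) {
        foreach ($a in $admx) {
            $adml = Join-Path $dir.FullName ($a.BaseName + '.adml')
            if (-not (Test-Path $adml)) { "$($dir.Name): missing $($a.BaseName).adml" }
        }
    }
    [pscustomobject]@{
        Store     = $Store
        AdmxCount = $admx.Count
        Languages = @($langDirs | ForEach-Object { $_.Name })
        HasEnUs   = [bool]($langDirs | Where-Object { $_.Name -ieq 'en-US' })
        Problems  = @($problems)
    }
}

# Publish English and French templates, then check the result.
$store = New-GpCentralStore -Languages @('en-US', 'fr-FR')
Test-GpCentralStore -Store $store | Format-List
```

After the copy, GPOE on any Vista administration workstation in the domain will load templates from the store instead of its local folder. Re-run `Test-GpCentralStore` whenever you add a custom ADMX, since a template dropped in the root without its language file is the most common way to end up with untitled settings.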
"SYSVOL bloat" is an existing phenomenon affecting the SYSVOL area in larger organizations. With the old policy structure, ADM files were copied into each GPO in the SYSVOL directory structure (%SYSVOL%\Policies\<Unique GPO GUID>\ADM\). For each and every GPO this took a minimum of 4 MB, so with hundreds of policies, storage and replication could become an issue. ADMX/ADML files will not be copied multiple times to the SYSVOL area - that "unfortunate" behavior is history.
The CS reduces the amount of storage needed by eliminating unnecessary redundant data files in SYSVOL. The CS functionality does NOT require "Longhorn" Server - it works fine in pure Windows 2000 or Windows 2003 Active Directory domain environments. Remember that Group Policy is mostly a client-side architecture that just uses the AD structure (sites, domains, OUs etc.) to deploy settings and SYSVOL to store data.
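To see how much of the bloat described above a given domain actually carries, here is an added PowerShell example (not from the article) that walks every GPO folder under SYSVOL\Policies, sums the size of each per-GPO ADM folder, and hashes the ADM files to count how many of the copies are byte-identical. It assumes read access to SYSVOL from a domain member and PowerShell 4 or later for `Get-FileHash`; the default path is built from the `USERDNSDOMAIN` environment variable.

```powershell
# Added example, not part of the article. Measures per-GPO ADM copies in SYSVOL and
# how much of that data is duplicated across GPOs.
function Get-SysvolAdmBloat {
    param(
        # Domain-root Policies folder; each GPO is a subfolder named by its GUID.
        [string]$PoliciesRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    # Collect every *.adm under <GPO GUID>\Adm. GPOs created from Vista have no Adm folder.
    $admFiles = @(
        Get-ChildItem -Path $PoliciesRoot -Directory |
            Where-Object { Test-Path (Join-Path $_.FullName 'Adm') } |
            ForEach-Object { Get-ChildItem -Path (Join-Path $_.FullName 'Adm') -Filter '*.adm' -File }
    )
    if ($admFiles.Count -eq 0) {
        return [pscustomobject]@{ GpoCount = 0; TotalMB = 0; Copies = 0; UniqueFiles = 0; PerGpo = @() }
    }

    # Size per GPO: the Adm folder's parent is the GPO GUID folder.
    $perGpo = @(
        $admFiles | Group-Object { $_.Directory.Parent.Name } | ForEach-Object {
            [pscustomobject]@{
                Gpo = $_.Name
                MB  = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 2)
            }
        } | Sort-Object MB -Descending
    )

    # Identical content stored many times is exactly the redundancy the Central Store removes.
    $hashGroups = @($admFiles | Get-FileHash -Algorithm SHA256 | Group-Object Hash)

    [pscustomobject]@{
        GpoCount    = $perGpo.Count
        TotalMB     = [math]::Round(($admFiles | Measure-Object Length -Sum).Sum / 1MB, 2)
        Copies      = $admFiles.Count
        UniqueFiles = $hashGroups.Count
        PerGpo      = $perGpo
    }
}

$report = Get-SysvolAdmBloat
$report | Select-Object GpoCount, TotalMB, Copies, UniqueFiles | Format-List
$report.PerGpo | Select-Object -First 10 | Format-Table -AutoSize
```

A large gap between `Copies` and `UniqueFiles` is the signature of the problem: the same system.adm being replicated once per GPO. Note that the Central Store stops new copies from being created for Vista-edited GPOs, but does not remove ADM folders that already exist; those are cleaned up separately, and every file you delete from SYSVOL is itself replicated by FRS, so do that deliberately.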
In this part one of three articles we covered the difference between ADM and ADMX/ADML files and what the Central Store is all about.
In part two of this article series, "Managing Windows Vista Group Policy", which will be published here on www.windowssecurity.com in the near future, having multiple local group policy objects will be covered.
In part three (the last) of this article series, "Managing Windows Vista Group Policy", which will also be published here on www.windowssecurity.com in the near future, basic troubleshooting, improved stability and Network Location Awareness will be covered.