[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 9054
  • Last Modified:

GPO's, adm, adml, admx - terminology & best practice implementation


I’m somewhat confused on terminology and best practises adm, adml admx, GPO’s on Windows 2008 R2.
I wanted to and implement default search provider GPO and found this link  http://blog.concurrency.com/infrastructure/customize-ie8-through-group-policy  and this http://www.bibble-it.com/2010/05/18/vista-windows-7-custom-google-search-engine-policy-ie7-ie8 

Now my questions on GPO/policies:
•      When would you use “Restore from Backup” or “Import Settings” on policy?
•      When you edit the policy, you have the “add/remove templates” section, what  is the idea behind this compared to the “Restore from Backup” or “Import Settings”?
•      I have downloaded adm-files (f.e. Office 2010), but I see at c:\windows\policydefinitions contains a lot of admx-files, what is the story here & how should I import them?
•      Why is there a registry section in GPO (GPO preferences) whereas GPO’s are actually setting registry settings?
•      What about the “Central Store” policy definitions, is this a best practice in companies, what if you don’t use it (I haven’t set it up in my lab)
•      What about tools to convert registry files to GPO

I googled around and found this but I’m not fully able to put the pieces together of  http://www.experts-exchange.com/Database/Software/Microsoft_Enterprise/Q_27864871.html ; http://technet.microsoft.com/en-us/library/cc749513%28v=ws.10%29.aspx 

Please advise.
1 Solution
James HaywoodCommented:
Thats a lot of questions!

1. Restore from backup: Allows you to replace a GPO with a backup (if you changed settings and caused errors)
2. Import settings: Allows you to transfer GPO settings from one environment to another (e.g. Development system to Production)
3. This lets you add software specific settings to your GPO (e.g. options for Office 2010, IE9)
4. .adm files are for any version of Windows, .admx are Vista upwards, amdl files are the language files to support .admx.
5. To allow you to set/import registry settings via GPO (rather than via logon script)
6. If you have more than one DC then a Central Store is recommended as new .adml and .admx files you have uploaded are not replicated unless you create one.
7. Not sure, never used one. I would export the key/s and deploy using a GPO

Hope this helps
janhoedtAuthor Commented:
-“Central Store” is this a best practice in companies?
-so admx can t be used on xp? don t understand since these are files on the dc, not on client side
-admx, adml: can t figure out what advantage they have to adml and howto implement them correctly (don t see them when importing)
David Johnson, CD, MVPOwnerCommented:
Change XP and Vista to XP based (WS2k3)and Vista Based (WS2K8)
or os major version 5 and major version 6

adm files are located in the %systemroot%\inf folder
admx files are located in the %systemroot%\PolicyDefinitions Folder

don't forget that gpedit.msc is available on the non-domain joined machine, same with the local policy editor they will use the appropriate ADM/ADMX depending upon the O/S Version

the adml files are localized versions of the admx files i.e. if you had German in your regional and languages, the TEXT shown by the Group Policy Editor will be in your language rather than just in EN-US.

When you add the files to your Central store NO settings get changed, you are just given more things that have templates for you to then change things.

ADMX files are xml versions of the ADM files but with the added feature of localization.

You don't import them you copy them to your central store i.e. (C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions)
btanExec ConsultantCommented:
vista and 7 shd be same category...as mentioned below

4. The Group Policy tools will recognize ADMX files only if you are using a Windows Vista–based or Windows Server 2008–based computer.

> Group Policy Object Editor on Windows Server 2003, Windows XP, or Windows 2000 machines will not display new Windows Vista Administrative Template policy settings that may be enabled or disabled within a GPO.

> The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor and Group Policy Management Console support interoperability with versions of these tools on Windows Server 2003, and Windows XP. For example, custom ADM files stored in GPOs will be consumed by Group Policy Object Editor and GPMC on Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP.


6. The design of the central store and the new way that GPOs store files greatly reduces the amount of storage space required to maintain GPOs. In Windows Vista and Windows Server 2008, Group Policy Object Editor will not copy ADM files to each edited GPO, which was the case with earlier operating systems. Nor will Group Policy Object Editor copy the new ADMX files. Instead, it will provide the ability to read from a single domain-level location on the domain controller's sysvol (not user configurable). If the central store is unavailable, Group Policy Object Editor will read from the local administrative workstation.

In addition to storing the ADMX files shipped in the operating system in the central store, you can share a custom ADMX file by copying the file to the central store. This makes it available automatically to all Group Policy administrators in a domain

Also see this @ http://technet.microsoft.com/en-us/library/cc749513(v=ws.10).aspx

ADML files are language files and are responsible for creating the folder and policy structure in the GPO editor. This allows for many languages to be supported, where ADM templates only supported English.

7. script to convert .reg into admx or using reg2xml tool. the admx files is then used for gpo
free - http://gallery.technet.microsoft.com/scriptcenter/8c703a2e-4685-4093-a1fc-dec107c53d13
trial - http://reg2xml.com/

Excerpt: http://www.windowsnetworking.com/articles_tutorials/Using-Custom-ADM-Templates-Windows-Server-2008-Vista-7.html

There has been a change from ADM templates to ADMX/ADML files in Windows Server 2008/Vista/7. This change could have an impact on your custom ADM templates, if you are not aware of the overall big picture of the changes. Keep in mind that ADM templates are no longer used, but are instead replaced by ADMX/ADML files in the creation of the Administrative Templates nodes in the GPO editor, as well as the definition of the Registry entry that will be altered. Custom ADM templates are stored in the GUID folder of the GPO that they are associated with, regardless of the version of the OS that is performing the administration of the GPO. It is this structure and the ability of the newer OSs that provide the cohabitation of the newer files along with the custom ADM templates. Just keep in mind that the custom ADM template settings will show up under the Classic Administrative Templates (ADM) folder.

The Central Store (also called Central Repository or Domain-Wide Repository) only makes sense in a domain environment, but it’s not used or “activated” by default. The Central Store (CS) is actually just a new directory replicated between Domain Controllers in the SYSVOL area (which is already used by Windows 2000/XP/2003 to store Group Policy Objects). There is nothing mysterious about this folder, but it helps to centrally administer the ADMX and ADML files used for policy creation and editing - and reduces the storage requirements for GPO's in the SYSVOL area.

We either use one Central Store in the domain or the local directories on each admin client to hold ADMX/ADML files (the latter is the old approach). The two methods are mutually exclusive, either the "online" ADMX files are used or the local files. Once the Central Store is created the local ADMX/ADML files are no longer used, unless the central store for some reason is unavailable, then we fall back to the local files.

ADM templates could be pretty annoying in situations where domain wide policies were administered from different administrative workstations. There could be language and version mismatches between the ADM files used, so when a French administrator edits the Default Domain Policy his/her language and operating system version (2000/XP/2003) will be reflected in the ADM files copied to the SYSVOL, as well as the Service Pack level of the computer.

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now