UGTS Document #17 - Last Modified: 8/29/2015 3:23 PM
Custom Group Policies

Group policy template (.ADM) files in Windows Server 2003 are text files that define a list of registry settings and the user interface to set them through GPMC (Group Policy Management Console).

It is not too difficult to create a custom ADM file - just take any existing ADM file in the WINDOWS\inf directory, and cut out everything that you don't need from it.  For example, this ADM file defines the Point and Print settings for Windows 7 which are not otherwise defined by the built-in ADM templates.

In this ADM file, a single policy item (Point and Print Restrictions) is defined under Computer Settings (CLASS MACHINE), Administrative Templates (all custom templates will appear under this folder), Control Panel, Printers.  The policy points to a registry key and the values to set under it, depending on the user's choices in the GPMC.  These registry settings are then applied to the computers that get the group policy.

From there, the software on the client machine (Windows or Office) looks for these settings in hard-coded places in the registry to determine what kind of policy to apply.  For example, Windows 7 will look at the registry keys HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint and HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint to determine how printer driver installation should be handled.  The default behavior is to require admin privileges to install new printer drivers on the machine, but with a certain setting under these two keys, any user can install a printer driver, so long as the driver comes from a printer that is listed in Active Directory (and therefore is trusted).

To import a custom ADM file, just open GPMC, edit a GPO, select the Administrative Templates folder under Computer Settings or User Settings, and do Add/Remove Templates, then Add..., and browse for the ADM file.  Adding the file here copies it to the GPO folder under sysvol\[domain]\policies\[gpo-guid]\adm.  Since it can be difficult to find which folder belongs to the GPO you're looking for, just use Agent Ransack on the policies folder to find the ADM file by the filename, to verify that it's in there.

Custom ADM files created by UGTS that you might find useful:
  • Windows 7 - Contains policy definitions for Windows 7 machines if all you've got is Windows 2003 servers, including Point and Print settings.