Powering Up Administrative Templates
by Mitch Tulloch, author of Windows Server Hacks
I was tempted to call this article "Fun with Administrative Templates," but, well, as you'll see in a moment, administrative templates are really not much fun to work with. Now that we understand the basics of what they are, however, let's move on and see what we can do with them.
Adding a Template
First, you can add a new template to give you more control over some OS or application feature in a managed Windows environment--that is, an environment where Group Policy is used to manage users and computers. For example, say we want to control how the Internet Explorer Enhanced Security Configuration behaves on Windows Server 2003 machines. (This is the annoying feature that displays a prompt each time you try to use Internet Explorer to browse a web site that hasn't yet been added to the Trusted Sites zone.) To control this feature, we need the Inetesc.adm template, which can be downloaded as part of the Windows Server 2003 Resource Kit Tools that is available from the Microsoft Download Center.
First download the Tools and install them to a directory, then copy the Inetesc.adm template either to the default %windir%\inf folder where the standard templates are stored or to some other folder you create for storing nonstandard and custom templates. Now open your Group Policy object (GPO) using the Group Policy Object Editor, right-click on the Administrative Templates node under either Computer Configuration or User Configuration, and select Add/Remove Templates to display the list of installed templates (Figure 1).
Figure 1. Default templates installed
Now click on the Add button and browse to the folder where the Inetesc.adm template is stored (Figure 2).
Figure 2. Selecting the Inetesc.adm template
Click on Open, and the Inetesc.adm template is immediately installed (Figure 3).
Figure 3. Inetesc.adm is now installed
Click on Close and you can see the new user interface element added to the Group Policy Object Editor for managing the Internet Explorer Enhanced Security Configuration on Windows Server 2003 (Figure 4).
Figure 4. New user interface element for the Internet Explorer Enhanced Security Configuration added by installing Inetesc.adm
Something to note concerning what we've done here is that administrative templates are added on a GPO basis. That is, you can add administrative templates to those GPOs that need them so you can manage users and computers in the domain, site, or organizational unit to which each GPO is linked.
Something else to note is that installing an administrative template in a GPO also creates a copy of the template in the SYSVOL share on your domain controllers. This can be a problem if you install too many templates, because they increase the size of SYSVOL significantly. If you have an enterprise in which your domain spans many sites and the sites are connected with slow WAN links, that can spell replication trouble and can eat up WAN bandwidth. If you get yourself in this situation, here's how to get out of it.
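Before removing anything, it helps to measure how much space the template copies actually occupy. The following PowerShell function is an added example, not part of the original article; it assumes the standard SYSVOL layout in which each GPO folder holds its templates in an Adm subfolder, that the current user's DNS domain is the one to inspect, and the function name Get-GpoAdmFootprint is hypothetical.

```powershell
# Added example: inventory the .adm copies stored with each GPO in SYSVOL.
# Assumes the layout \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Adm\*.adm
# and read access to SYSVOL. Get-GpoAdmFootprint is a hypothetical name.
function Get-GpoAdmFootprint {
    param(
        # DNS name of the domain whose SYSVOL is inspected (assumption: current user's domain)
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    if (-not (Test-Path -LiteralPath $policies)) {
        throw "Cannot reach $policies"
    }

    # One folder per GPO, named after the GPO's GUID
    Get-ChildItem -LiteralPath $policies -Directory | ForEach-Object {
        $admDir = Join-Path $_.FullName 'Adm'
        if (Test-Path -LiteralPath $admDir) {
            $files = @(Get-ChildItem -LiteralPath $admDir -Filter '*.adm' -File)
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                GpoGuid   = $_.Name
                Templates = $files.Count
                SizeKB    = [math]::Round(($bytes / 1KB), 1)
                Names     = ($files.Name | Sort-Object) -join ', '
            }
        }
    }
}

# Largest GPOs first, then a domain-wide total
$report = Get-GpoAdmFootprint
$report | Sort-Object SizeKB -Descending | Format-Table -AutoSize
'{0} GPOs hold {1:N0} KB of .adm copies' -f @($report).Count,
    ($report | Measure-Object -Property SizeKB -Sum).Sum
```

The Names column shows which templates each GPO carries, so GPOs holding templates whose settings they never configure stand out as candidates for cleanup.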
Removing a Template
You can also remove a template; when you do so, it removes the corresponding GUI features in the Object Editor. For example, if you're not going to be using Windows Media Player in your enterprise--maybe you live in Europe, where Microsoft has run into legal problems with Media Player--you can remove the Wmplayer.adm standard template, since you don't need it. Just right-click on Administrative Templates in your GPO and select Add/Remove Templates, select Wmplayer.adm, click on Remove, and click on Close. Figure 5 shows the result of doing this on the same test GPO shown in Figure 4 above.
Figure 5. Test GPO after removing the Wmplayer.adm template
If you compare the two figures, you'll see that the Windows Media Player node under Administrative Templates in Computer Configuration is present in Figure 4 but missing in Figure 5.
Note that removing an administrative template that was previously installed does not change or remove any Registry settings that the GPO deployed when Group Policy was last processed. So before you remove a template, first make sure you modify its policy settings and wait for Group Policy to refresh.
You can also customize administrative templates to meet your needs. This is useful if you want to control features of applications like Office that are not managed by the default templates available from Microsoft. Here's an outline of a procedure you can follow for creating custom administrative templates--but before you start doing so, consider the following:
- Never modify the standard templates (or other templates you download from Microsoft). Instead, copy them and modify the copies as needed.
- Slog through this white paper to learn the syntax for creating administrative templates, and adhere to this syntax rigorously--administrative templates modify the Registry on target machines!
- Find an easier way of deploying Registry settings if you have only a few to deploy to target machines. For example, instead of creating custom administrative templates, check out this free tool from DesktopStandard (formerly AutoProf).