The easiest way to create an ADMX template is to build an ADM template first and then convert the latter with the help of Microsoft's free ADMX Migrator tool.

Administrative templates let us create custom Group Policy settings. Administrative template files have two different versions. Windows Vista introduced templates with the .ADMX extension. These templates use an XML syntax and can be a lot more difficult to decipher and create by hand. On the other hand, templates with the .ADM extension are straightforward and have a simple syntax that allows you to create new Group Policy templates quickly.

With that in mind, I will show you how to create an ADM template and how to convert it to an ADMX file with Microsoft's utility.

Below is an example of a simple ADM template:

CLASS USER
CATEGORY "Weird File Explorer Settings I hate"
    POLICY "Show Hidden Files"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        EXPLAIN !!ShowHiddenFilesExplanation
        VALUENAME "Hidden"
        VALUEON NUMERIC "1"
        VALUEOFF NUMERIC "2"
    END POLICY

    POLICY "Show File Extensions"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        EXPLAIN !!ShowFileExtensionsExplanation
        VALUENAME "HideFileExt"
        VALUEON NUMERIC "0"
        VALUEOFF NUMERIC "1"
    END POLICY

    POLICY "Show Super Hidden Files"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        EXPLAIN !!ShowSuperHiddenFilesExplanation
        VALUENAME "ShowSuperHidden"
        VALUEON NUMERIC "1"
        VALUEOFF NUMERIC "0"
    END POLICY
END CATEGORY

[strings]
ShowHiddenFilesExplanation="When this setting is enabled, File Explorer will show all hidden files."
ShowSuperHiddenFilesExplanation="When this setting is enabled, File Explorer will show all SuperHidden files."
ShowFileExtensionsExplanation="When this setting is enabled, File Explorer will show file extensions."

As for any Group Policy object, we can specify settings for a User and Computer object. Within an ADM template, we specify this with the keyword CLASS followed by the object we want to configure the settings for. These keywords are USER or MACHINE, which correspond to a registry hives. For example:

CLASS USER          # USER correlates to HKEY_CURRENT_USER
CLASS MACHINE  # MACHINE correlates to HKEY_LOCAL_MACHINE

The next tag in our ADM template is CATEGORY. The CATEGORY can have a string value and corresponds to the name of the Group Policy.

CATEGORY "Weird File Explorer Settings I hate"

The POLICY section is where we start to specify the settings for our policy. With the example above, we will have three separate policies or configuration options within our custom USER ADM template. Each of these policies has a name attribute:

POLICY "Show Hidden Files"
POLICY "Show File Extensions"
POLICY "Show Super Hidden Files"

The screenshot below gives you an idea how the ADM template looks in the Group Policy editor:

An ADM template displayed in the Group Policy editor

An ADM template displayed in the Group Policy editor

Within the POLICY blocks we define more attributes or the acceptable usage of these settings. Here is an example for our Show File Extensions setting:

Our Show File Extensions policy in the Group Policy editor

Our Show File Extensions policy in the Group Policy editor

As you can see in the above example, we have a few keywords to define the policy. Note that these are not the only ones available.

Policy OptionDescription
KEYNAMEThis takes a string value that presents the Registry key location. Please remember since we are under the CLASS USER section, we already know the base hive is HKEY_CURRENT_USER.
EXPLAINThis is the Help string you see to the right in Figure 2. It can also take in a [string] variable. String variables must start with !! and should be located at the bottom of your ADM template within the [strings] section, but without the double exclamation marks.
VALUENAMEThis is the name of our registry value under our KEYNAME.
VALUEONWhen this policy is set to enabled, we should store this value in the registry.
VALUEOFFWhen this policy is set to disabled, we should use this value in the registry.

There are many options available such as display options, input option types, input restrictions, and conversion options to registry keys. Here is a quick list of the available options:

  • EDITTEXT: Adds information or input fields under the Options section within a policy
  • NUMERIC: Adds a field where you can select a numeric value or configure it within a policy
  • CHECKBOX: Add a checkbox you can select or deselect within a policy
  • COMBOBOX: Adds a combo box that can contain a predefined list of options/values in a policy
  • DROPDOWNLIST: Similar to a COMBOBOX but has slightly different options available
  • LISTBOX: Adds text that can have both a comma- or semicolon-separated list of values to add to the registry
  • CLIENTTEXT: This option is advanced, and you will probably never use it; it allows you to specify a DLL or Group Policy object processor used on the client system

Now that we have a basic understanding of an ADM template structure, we can covert it to an ADMX template. Luckily Microsoft has provided us with the free ADMX Migrator tool to get the job done.

Once you've downloaded and installed the tool, you have to open up a command prompt and navigate to "C:\Program Files (x86)\FullArmor\ADMX Migrator." If you installed the ADMX Migrator tool in a different location, you must navigate to the corresponding folder.

Running faAdmxConv.exe

Running faAdmxConv.exe

After running faAdmxConv.exe with the path of your ADM template and the output directory, you will have a brand-new ADMX template that corresponds to our ADM template. If you open up the ADMX template, you will start to understand that ADMX templates are a bit more complicated to create by hand.

Subscribe to 4sysops newsletter!

<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="fullarmor" namespace="FullArmor.845938f7-a3f6-4ebb-a5c6-9941f0d90706" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <supersededAdm fileName="C:\Users\Josh\Desktop\FileExplorerSettings.ADM" />
  <resources minRequiredRevision="1.0" />
  <supportedOn>
    <definitions>
      <definition name="SUPPORTED_NotSpecified" displayName="$(string.ADMXMigrator_NoSupportedOn)" />
    </definitions>
  </supportedOn>
  <categories>
    <category name="WeirdFileExplorerSettingsIhate" displayName="$(string.unknown_0)" />
  </categories>
  <policies>
    <policy name="ShowHiddenFiles" class="User" displayName="$(string.unknown_1)" explainText="$(string.ShowHiddenFilesExplanation)" presentation="$(presentation.ShowHiddenFiles)" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="Hidden">
      <parentCategory ref="WeirdFileExplorerSettingsIhate" />
      <supportedOn ref="SUPPORTED_NotSpecified" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="2" />
      </disabledValue>
    </policy>
    <policy name="ShowFileExtensions" class="User" displayName="$(string.unknown_2)" explainText="$(string.ShowFileExtensionsExplanation)" presentation="$(presentation.ShowFileExtensions)" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="HideFileExt">
      <parentCategory ref="WeirdFileExplorerSettingsIhate" />
      <supportedOn ref="SUPPORTED_NotSpecified" />
      <enabledValue>
        <decimal value="0" />
      </enabledValue>
      <disabledValue>
        <decimal value="1" />
      </disabledValue>
    </policy>
    <policy name="ShowSuperHiddenFiles" class="User" displayName="$(string.unknown_3)" explainText="$(string.ShowSuperHiddenFilesExplanation)" presentation="$(presentation.ShowSuperHiddenFiles)" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="ShowSuperHidden">
      <parentCategory ref="WeirdFileExplorerSettingsIhate" />
      <supportedOn ref="SUPPORTED_NotSpecified" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>

Group Policy is, in my opinion, the best tool for managing endpoints and software configurations in an Active Directory domain. Having the ability to create our own custom ADM and ADMX templates allows us to provide specific configuration settings for Windows and third-party applications.

avataravatar
3 Comments
  1. Graham Brown 3 years ago

    Josh, that is a great tutorial you did on customising adm files. This is the first tutorial that gave me some insite into customising   your own GP settings.

    Can you help me solve the following with a custom admx for my domain.

    I need to allow members of a group to be able to use specified usb memory sticks on their machines. The usb devices are recognised by their hardware ids.

    I know there are GP machine settings you can use to disable the use of all usb storage devics, and you can add policy that enables specific hardware ids, but these are associated with all machines.

    Can you help me create a GP with a custom admx that users can be added to, that allows them to use the usb memory sticks the administrator has approved, by adding there hardware ids to the GP setting created by the admx file?

    It would be appreciated if you could advance my knowledge in this area. Many thanks.

  2. Graham Brown 3 years ago

    These comments I made were for a Windows 10 client with Windows 2016 da servers.

  3. Anders 3 years ago

    Have you ever tried to do this with automation? I would very much like to add my custom adm into an existing GPO, or much better, import the adm together with `Import-GPO`. Not found anything close to this when googling. Any tips?

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account