Administrative templates let us create custom Group Policy settings. Administrative template files have two different versions. Windows Vista introduced templates with the .ADMX extension. These templates use an XML syntax and can be a lot more difficult to decipher and create by hand. On the other hand, templates with the .ADM extension are straightforward and have a simple syntax that allows you to create new Group Policy templates quickly.
With that in mind, I will show you how to create an ADM template and how to convert it to an ADMX file with Microsoft's utility.
Below is an example of a simple ADM template:
CLASS USER
CATEGORY "Weird File Explorer Settings I hate"
    POLICY "Show Hidden Files"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        EXPLAIN !!ShowHiddenFilesExplanation
        VALUENAME "Hidden"
        VALUEON NUMERIC "1"
        VALUEOFF NUMERIC "2"
    END POLICY
    POLICY "Show File Extensions"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        EXPLAIN !!ShowFileExtensionsExplanation
        VALUENAME "HideFileExt"
        VALUEON NUMERIC "0"
        VALUEOFF NUMERIC "1"
    END POLICY
    POLICY "Show Super Hidden Files"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        EXPLAIN !!ShowSuperHiddenFilesExplanation
        VALUENAME "ShowSuperHidden"
        VALUEON NUMERIC "1"
        VALUEOFF NUMERIC "0"
    END POLICY
END CATEGORY

[strings]
ShowHiddenFilesExplanation="When this setting is enabled, File Explorer will show all hidden files."
ShowSuperHiddenFilesExplanation="When this setting is enabled, File Explorer will show all SuperHidden files."
ShowFileExtensionsExplanation="When this setting is enabled, File Explorer will show file extensions."
As with any Group Policy object, we can specify settings for a User and a Computer object. Within an ADM template, we specify this with the keyword CLASS followed by the object we want to configure the settings for. These keywords are USER or MACHINE, which correspond to registry hives. For example:
CLASS USER ; USER correlates to HKEY_CURRENT_USER
CLASS MACHINE ; MACHINE correlates to HKEY_LOCAL_MACHINE
The next tag in our ADM template is CATEGORY. The CATEGORY can have a string value and corresponds to the name of the Group Policy.
CATEGORY "Weird File Explorer Settings I hate"
The POLICY section is where we start to specify the settings for our policy. With the example above, we will have three separate policies or configuration options within our custom USER ADM template. Each of these policies has a name attribute:
POLICY "Show Hidden Files"
POLICY "Show File Extensions"
POLICY "Show Super Hidden Files"
The screenshot below gives you an idea how the ADM template looks in the Group Policy editor:
Within the POLICY blocks we define more attributes or the acceptable usage of these settings. Here is an example for our Show File Extensions setting:
As you can see in the above example, we have a few keywords to define the policy. Note that these are not the only ones available.
| Policy Option | Description |
| --- | --- |
| KEYNAME | This takes a string value that represents the registry key location. Remember that since we are under the CLASS USER section, the base hive is already HKEY_CURRENT_USER. |
| EXPLAIN | This is the Help string you see to the right in Figure 2. It can also take a [strings] variable. String variables must start with !! and should be defined at the bottom of your ADM template within the [strings] section, but without the double exclamation marks. |
| VALUENAME | This is the name of our registry value under our KEYNAME. |
| VALUEON | When this policy is set to enabled, this value is stored in the registry. |
| VALUEOFF | When this policy is set to disabled, this value is stored in the registry. |
There are many options available such as display options, input option types, input restrictions, and conversion options to registry keys. Here is a quick list of the available options:
- EDITTEXT: Adds information or input fields under the Options section within a policy
- NUMERIC: Adds a field where you can select a numeric value or configure it within a policy
- CHECKBOX: Adds a checkbox you can select or deselect within a policy
- COMBOBOX: Adds a combo box that can contain a predefined list of options/values in a policy
- DROPDOWNLIST: Similar to a COMBOBOX but has slightly different options available
- LISTBOX: Adds text that can hold either a comma- or semicolon-separated list of values to add to the registry
- CLIENTTEXT: This option is advanced, and you will probably never use it; it allows you to specify a DLL or Group Policy object processor used on the client system
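To review what a template actually writes before importing it, the following added example (not from the original article) parses the ADM keywords described above and reports hive, key, value name, and on/off data per policy. It also flags keys outside the two Policies branches, where a value stays in the registry after the GPO stops applying. The function name, the second policy, and its ExampleVendor key are hypothetical.

```python
import re

# Constructed input: one policy from the page's template plus a hypothetical
# one under Software\Policies (the "ExampleVendor" key and value are made up).
SAMPLE_ADM = r'''
CLASS USER
CATEGORY "Weird File Explorer Settings I hate"
  POLICY "Show File Extensions"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    EXPLAIN !!ShowFileExtensionsExplanation
    VALUENAME "HideFileExt"
    VALUEON NUMERIC "0"
    VALUEOFF NUMERIC "1"
  END POLICY
  POLICY "Hypothetical managed setting"
    KEYNAME "Software\Policies\ExampleVendor\App"
    VALUENAME "Feature"
  END POLICY
END CATEGORY
[strings]
ShowFileExtensionsExplanation="When this setting is enabled, File Explorer will show file extensions."
'''

HIVES = {"USER": "HKEY_CURRENT_USER", "MACHINE": "HKEY_LOCAL_MACHINE"}
# Values under these roots are removed when the GPO stops applying; values
# written anywhere else stay in the registry afterwards ("tattooing").
MANAGED = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")

def registry_writes(adm_text):
    """Return one dict per POLICY block (assumes each carries its own KEYNAME)."""
    policies, hive, cur = [], None, None
    for line in adm_text.partition("[strings]")[0].splitlines():
        tok = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', line)]
        kw = tok[0].upper() if tok else ""
        if kw == "CLASS":
            hive = HIVES[tok[1].upper()]
        elif kw == "POLICY":
            cur = {"policy": tok[1], "hive": hive, "on": None, "off": None}
        elif cur is None:
            continue  # CATEGORY lines and blanks carry no registry data
        elif kw in ("KEYNAME", "VALUENAME"):
            cur[kw.lower()] = tok[1]
        elif kw in ("VALUEON", "VALUEOFF"):  # NUMERIC data becomes an int
            cur[kw[5:].lower()] = int(tok[-1]) if tok[1].upper() == "NUMERIC" else tok[-1]
        elif tok[:2] == ["END", "POLICY"]:
            cur["managed"] = (cur["keyname"].lower() + "\\").startswith(MANAGED)
            policies.append(cur)
            cur = None
    return policies
```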
Now that we have a basic understanding of an ADM template structure, we can convert it to an ADMX template. Luckily, Microsoft has provided us with the free ADMX Migrator tool to get the job done.
Once you've downloaded and installed the tool, you have to open up a command prompt and navigate to "C:\Program Files (x86)\FullArmor\ADMX Migrator". If you installed the ADMX Migrator tool in a different location, you must navigate to the corresponding folder.
After running faAdmxConv.exe with the path of your ADM template and the output directory, you will have a brand-new ADMX template that corresponds to our ADM template. If you open up the ADMX template, you will start to understand that ADMX templates are a bit more complicated to create by hand.
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="fullarmor" namespace="FullArmor.845938f7-a3f6-4ebb-a5c6-9941f0d90706" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <supersededAdm fileName="C:\Users\Josh\Desktop\FileExplorerSettings.ADM" />
  <resources minRequiredRevision="1.0" />
  <supportedOn>
    <definitions>
      <definition name="SUPPORTED_NotSpecified" displayName="$(string.ADMXMigrator_NoSupportedOn)" />
    </definitions>
  </supportedOn>
  <categories>
    <category name="WeirdFileExplorerSettingsIhate" displayName="$(string.unknown_0)" />
  </categories>
  <policies>
    <policy name="ShowHiddenFiles" class="User" displayName="$(string.unknown_1)" explainText="$(string.ShowHiddenFilesExplanation)" presentation="$(presentation.ShowHiddenFiles)" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="Hidden">
      <parentCategory ref="WeirdFileExplorerSettingsIhate" />
      <supportedOn ref="SUPPORTED_NotSpecified" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="2" />
      </disabledValue>
    </policy>
    <policy name="ShowFileExtensions" class="User" displayName="$(string.unknown_2)" explainText="$(string.ShowFileExtensionsExplanation)" presentation="$(presentation.ShowFileExtensions)" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="HideFileExt">
      <parentCategory ref="WeirdFileExplorerSettingsIhate" />
      <supportedOn ref="SUPPORTED_NotSpecified" />
      <enabledValue>
        <decimal value="0" />
      </enabledValue>
      <disabledValue>
        <decimal value="1" />
      </disabledValue>
    </policy>
    <policy name="ShowSuperHiddenFiles" class="User" displayName="$(string.unknown_3)" explainText="$(string.ShowSuperHiddenFilesExplanation)" presentation="$(presentation.ShowSuperHiddenFiles)" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="ShowSuperHidden">
      <parentCategory ref="WeirdFileExplorerSettingsIhate" />
      <supportedOn ref="SUPPORTED_NotSpecified" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>
Group Policy is, in my opinion, the best tool for managing endpoints and software configurations in an Active Directory domain. Having the ability to create our own custom ADM and ADMX templates allows us to provide specific configuration settings for Windows and third-party applications.
Josh, that is a great tutorial you did on customising adm files. This is the first tutorial that gave me some insight into customising your own GP settings.
Can you help me solve the following with a custom admx for my domain?
I need to allow members of a group to be able to use specified usb memory sticks on their machines. The usb devices are recognised by their hardware ids.
I know there are GP machine settings you can use to disable the use of all usb storage devices, and you can add policy that enables specific hardware ids, but these are associated with all machines.
Can you help me create a GP with a custom admx that users can be added to, that allows them to use the usb memory sticks the administrator has approved, by adding their hardware ids to the GP setting created by the admx file?
It would be appreciated if you could advance my knowledge in this area. Many thanks.
These comments I made were for a Windows 10 client with Windows 2016 da servers.
Have you ever tried to do this with automation? I would very much like to add my custom adm into an existing GPO, or much better, import the adm together with `Import-GPO`. Not found anything close to this when googling. Any tips?
Hi,
I need a template for Gmail.
Can you clarify your question? Maybe you need to set Gmail as the default mail?