
Securing Windows XP on K-12 networks with custom ADM files

Group Policy in Active Directory gives administrators granular control over local and network resources, applied according to where user and computer accounts sit in the directory and which security groups they belong to. However, the Administrative Templates that ship with Windows do not cover everything. In those cases, you can write custom ADM files.

By William T. Evans

In a previous article, "Securing Windows XP on K12 Computer Networks," I discussed four phases of the process to secure Windows XP. That article focused on using local operating system controls to secure the operating system. This article focuses on the Process phase as it applies to custom ADM files in Active Directory Group Policy.

Group Policy covers a great deal out of the box, but the settings exposed by the built-in Administrative Templates have gaps. For example, on a K-12 workstation the network administrator may want to:

  • Hide specific drives (by letter)
  • Prevent access to specific drives (by letter)
  • Redirect Internet Explorer Favorites
  • Apply a specific desktop wallpaper
  • Disable access to the Internet
  • Configure applications such as VNC, Audacity and Windows Movie Maker

You can accomplish all of these tasks with custom ADM files. Any setting that Windows or an application reads from the registry, whether it is stored per user or per computer, can be pushed out centrally through a GPO.

What are ADM files?

ADM files (also known as Administrative Templates) are plain text files that describe registry-based settings so that the Group Policy Object Editor can display them and write them to the registry. Every setting that appears under Administrative Templates in a GPO comes from an ADM file; Microsoft's Office XP/2003 ADM files, for example, let you customize the end-user experience of those suites. Simply put, an ADM file contains a description, a registry location, and the values to write there.

You add or delete ADM files from the Add/Remove Templates dialog (right-click Administrative Templates in the Group Policy Object Editor). An ADM file declares one of two classes: CLASS USER modifies per-user registry settings under HKEY_CURRENT_USER, while CLASS MACHINE modifies computer-specific settings under HKEY_LOCAL_MACHINE that apply to every user of the workstation. Now that you know how to add them, what about creating one?

Creating custom ADM Files

If the syntax of the ADM file is incorrect, it may fail to import into your Group Policy object. The link below points to a sample ADM file you can download (it must be renamed to CustomUser.adm to work properly):

http://cn.cbsimg.net/cnwk.1d/i/tr/ADMFile.doc

1. Documentation and Notes

At the beginning of the file, record anything a future administrator will need to know. A semicolon starts a comment that runs to the end of the line; writing two semicolons is a common convention:

;; Creator: Network Administrator
;; Date: 02/12/07
;; CustomUser.adm file for XYZ School (user settings)

2. Set Class

The class must be USER or MACHINE, depending on whether the registry settings to be changed live under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE:

CLASS USER

3. Set Category

This groups the settings to provide easier viewing and administration:

CATEGORY "Custom Options"

4. Create a Policy

A "policy" is a single setting that the administrator sets to Enabled, Disabled or Not Configured. Enabled and Disabled each write a defined value to the registry; Not Configured leaves the registry alone.

An example policy with on/off settings:

POLICY "Re-Direct Favorites to Home Directory"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
EXPLAIN "Re-Direct the Favorites Folder to the H:\Favorites directory"
VALUENAME "Favorites"
VALUEON "H:\Favorites"
VALUEOFF "%USERPROFILE%\Favorites"
END POLICY

The above policy points the user's Internet Explorer Favorites folder at H:\Favorites on the home drive when Enabled, and back to the profile default when Disabled. Note that redirecting the shell folder only changes where Explorer looks; it does not move favorites that already exist in the old location.

POLICY: Display name of the policy
KEYNAME: Registry key (relative to the hive selected by CLASS) that holds the setting
EXPLAIN: Help text shown in the editor (for reference)
VALUENAME: Name of the registry value that will be modified
VALUEON: Value written when the policy is Enabled
VALUEOFF: Value written when the policy is Disabled
END POLICY: Closes the policy block; every POLICY needs one

In the registry, the User Shell Folders values are stored as REG_EXPAND_SZ. Be aware, though, that a quoted VALUEON or VALUEOFF string is always written as REG_SZ; to write a REG_EXPAND_SZ value you need a PART of type EDITTEXT with the EXPANDABLETEXT keyword (the PART form is shown in the next example). That makes no difference for a literal path such as H:\Favorites, but a value containing an environment variable such as %USERPROFILE% should be stored as REG_EXPAND_SZ so that it is expanded reliably. It is important to know what type of registry entry is being modified because the ADM syntax is different for each. Other registry entry types:

REG_SZ:

POLICY "Media Player Recording Path Redirect"
KEYNAME "Software\Microsoft\MediaPlayer\Preferences"
EXPLAIN "Media Player Recording Path Redirect"
PART "CDRecordPath" EDITTEXT
VALUENAME "CDRecordPath"
DEFAULT "H:\My Music"
END PART
END POLICY

REG_DWORD:

POLICY "Disable Proxy Settings"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
EXPLAIN "Disable Proxy Settings"
VALUENAME "ProxyEnable"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY

In the above examples, the EDITTEXT part type writes a REG_SZ string (REG_EXPAND_SZ if you add EXPANDABLETEXT) and the NUMERIC keyword writes a REG_DWORD. Two cautions apply to these particular policies. First, setting "Disable Proxy Settings" to Disabled does not stop managing the value: it writes ProxyEnable = 1 and turns the proxy on for every user in scope, so choose Not Configured if you only want to stop enforcing it. Second, none of the keys used so far lives under a Policies branch (HKCU\Software\Policies or HKCU\Software\Microsoft\Windows\CurrentVersion\Policies). Group Policy treats values outside those branches as preferences: it writes them but never removes them when the GPO is unlinked or the user moves to another OU, so they persist in the profile (this is known as "tattooing" the registry). The Group Policy Object Editor also hides preferences by default, which is why a freshly imported custom ADM can appear to contain nothing; see the View > Filtering option discussed in the comments below.

5. Close Category

This closes the category created earlier. A single ADM file may contain several categories, nest categories inside one another, or have none at all:

END CATEGORY

6. End and Strings

Two entries complete the file. If the file opened with a version guard such as #if version >= 3 (which hides newer syntax from older policy editors), #endif must close it. The [strings] section holds any text referenced in the body with the !!name notation; it may be empty, but the header is normally present:

#endif
[strings]
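The six steps above, assembled into one complete file and run through a small ADM checker. This is an added example written for this page in Python; it is not code from the article, from the downloadable CustomUser.adm, or from Microsoft. It handles only the keywords used above plus EXPANDABLETEXT, skips #if/#endif lines without checking that they pair, and reports for each POLICY the hive and key, the value type the ADM syntax implies (a quoted VALUEON/VALUEOFF gives REG_SZ, NUMERIC gives REG_DWORD, EDITTEXT gives REG_SZ or, with EXPANDABLETEXT, REG_EXPAND_SZ), and whether the key sits under one of the two Policies branches that Group Policy cleans up; anything else is a preference that tattoos the registry and is hidden by the editor's "fully managed" filter. The sample file is constructed: it completes the article's own Favorites policy, adds a drive-hiding policy on the real NoDrives bitmask under Policies\Explorer, and restates the Favorites redirect as an EXPANDABLETEXT part. The names parse_adm, adm_error and SAMPLE_ADM belong to this example, not to any tool.

```python
"""ADM (Administrative Template) checker: an added example, not code from the article or Microsoft."""
import re

TOKEN = re.compile(r'"([^"]*)"|[;#].*|(\S+)')  # "quoted" | ; comment or #if/#endif line | bare word
VALID_CLASSES = {"USER", "MACHINE"}             # the only legal CLASS keywords
MANAGED_PREFIXES = ("software\\policies\\",     # branches Group Policy cleans up on removal;
                    "software\\microsoft\\windows\\currentversion\\policies\\")  # others tattoo

def tokenize(text):                             # ('str', text) for quoted, ('kw', word) for bare
    return [("str", m.group(1)) if m.group(1) is not None else ("kw", m.group(2))
            for m in TOKEN.finditer(text) if m.group(0)[0] not in ";#"]

def is_managed(keyname):
    return keyname.lower().lstrip("\\").startswith(MANAGED_PREFIXES)

def describe(policy, cls):
    """One POLICY's registry effect as (value, type, Enabled writes, Disabled writes) rows."""
    if "keyname" not in policy:
        raise SyntaxError(f"POLICY {policy['name']!r} has no KEYNAME")
    rows = []
    if "valuename" in policy:                   # without VALUEON, Enabled writes DWORD 1
        rows.append((policy["valuename"], policy["type"] or "REG_DWORD",
                     policy.get("valueon", 1), policy.get("valueoff", "<delete>")))
    for part in policy["parts"]:                # Disabled deletes every PART value
        rows.append((part.get("valuename"), part["type"],
                     part.get("default", "<input>"), "<delete>"))
    return {"policy": policy["name"], "managed": is_managed(policy["keyname"]), "rows": rows,
            "key": ("HKCU" if cls == "USER" else "HKLM") + "\\" + policy["keyname"]}

def parse_adm(text):
    """Check CLASS and block nesting; return one report dict per POLICY (see describe)."""
    toks, pos, stack, reports, cls = tokenize(text), 0, [], [], None
    def take(kind=None):                        # next token, optionally of a required kind
        nonlocal pos
        if pos >= len(toks) or (kind and toks[pos][0] != kind):
            raise SyntaxError(f"expected {kind or 'token'} after {toks[pos - 1][1]!r}")
        pos += 1
        return toks[pos - 1][1]
    while pos < len(toks):
        kind, tok = toks[pos]
        pos += 1
        kw = tok.upper() if kind == "kw" else None
        if kw == "[STRINGS]":                   # !!name string table ends the policy body
            break
        if kw == "CLASS":
            cls = take("kw").upper()
            if cls not in VALID_CLASSES:
                raise SyntaxError(f"CLASS must be USER or MACHINE, not {cls}")
        elif kw in ("CATEGORY", "POLICY"):
            stack.append((kw, {"name": take("str"), "type": None, "parts": []}))
        elif kw == "PART":
            if not stack or stack[-1][0] != "POLICY":
                raise SyntaxError("PART outside of a POLICY")
            name, ptype = take("str"), take("kw").upper()
            if ptype != "EDITTEXT":
                raise SyntaxError(f"PART type {ptype} is not handled by this checker")
            stack.append(("PART", {"name": name, "type": "REG_SZ"}))
        elif not stack:
            raise SyntaxError(f"{tok!r} outside of any CATEGORY/POLICY/PART")
        elif kw == "END":
            what, (frame, data) = take("kw").upper(), stack.pop()
            if frame != what:
                raise SyntaxError(f"END {what} does not close the open {frame}")
            if what == "PART":
                stack[-1][1]["parts"].append(data)
            elif what == "POLICY":
                reports.append(describe(data, cls))
        elif kw in ("KEYNAME", "EXPLAIN", "VALUENAME"):
            stack[-1][1][kw.lower()] = take("str")
        elif kw in ("VALUEON", "VALUEOFF"):     # "text" -> REG_SZ, NUMERIC n -> REG_DWORD
            numeric = pos < len(toks) and toks[pos][1].upper() == "NUMERIC"
            pos += 1 if numeric else 0
            stack[-1][1]["type"] = "REG_DWORD" if numeric else "REG_SZ"
            stack[-1][1][kw.lower()] = int(take()) if numeric else take("str")
        elif kw == "EXPANDABLETEXT":            # EDITTEXT value written as REG_EXPAND_SZ
            stack[-1][1]["type"] = "REG_EXPAND_SZ"
        elif kw == "DEFAULT":
            stack[-1][1]["default"] = take()
        else:
            raise SyntaxError(f"unexpected token {tok!r}")
    if cls is None or stack:
        raise SyntaxError(f"missing CLASS or unclosed {stack[-1][0] if stack else 'block'}")
    return reports

def adm_error(text):                            # lint entry point: None when the file parses
    try:
        parse_adm(text)
    except SyntaxError as exc:
        return str(exc)

# Constructed sample: the article's fragments completed (END POLICY added), plus a NoDrives
# policy (a real Policies-branch key) and a REG_EXPAND_SZ variant of the Favorites redirect.
SAMPLE_ADM = r'''#if version >= 3
;; CustomUser.adm file for XYZ School (user settings)
CLASS USER
CATEGORY "Custom Options"
  POLICY "Re-Direct Favorites to Home Directory"
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
  VALUENAME "Favorites"
  VALUEON "H:\Favorites"
  VALUEOFF "%USERPROFILE%\Favorites"
  END POLICY
  POLICY "Hide drive D:"    ; NoDrives bitmask: A=1, B=2, C=4, D=8, ...
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
  VALUENAME "NoDrives"
  VALUEON NUMERIC 8
  VALUEOFF NUMERIC 0
  END POLICY
  POLICY "Re-Direct Favorites (REG_EXPAND_SZ form)"
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
  PART "Favorites path" EDITTEXT EXPANDABLETEXT
  VALUENAME "Favorites"
  DEFAULT "%HOMEDRIVE%%HOMEPATH%\Favorites"
  END PART
  END POLICY
END CATEGORY
#endif
[strings]
'''
```

Running parse_adm(SAMPLE_ADM) reports the article's original Favorites policy as REG_SZ and unmanaged, NoDrives as REG_DWORD and managed, and the EXPANDABLETEXT form as REG_EXPAND_SZ. adm_error returns "CLASS must be USER or MACHINE, not SYSTEM" for a file that uses the wrong class keyword and "END CATEGORY does not close the open POLICY" for a policy missing its END POLICY, the two mistakes most likely to make an import fail or come up empty. The checker validates structure only: it cannot tell you whether a value name exists or what an application does with it.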

Bringing it all together

With an understanding of the format and syntax of ADM files, a sample file, and a general knowledge of the Windows registry, the K-12 network administrator is ready to create custom ADM files. Virtually any registry-based user or computer setting can be applied to hundreds or thousands of users with a few minutes' work. From controlling applications and the Windows user environment to forcing automatic logoff, custom ADM files are a necessary part of properly securing a Windows XP workstation on a K-12 computer network.

2 comments
mikew

I downloaded and saved the ADM file. When I try to Add the ADM to Group Policy, it adds but only shows the first two items (Hide Drives and Prevent Access to Drives). So I removed those two items and now it adds fine, but nothing shows under Custom Options? Any ideas what I did wrong? Thanks, Mike

slaky

Mike, I am sorry you are having trouble, and that my reply is one month late. You need to change your view settings in the Group Policy tool: highlight the policy/item and choose View > Filtering, then uncheck "Only show policy settings that can be fully managed." That is it! Let me know if you need anything else. - Bill
