By William T. Evans
In a previous article, "Securing Windows XP on K12 Computer Networks", I discussed four phases of the process to secure Windows XP. That article focused on using local operating system controls to secure the operating system. This article focuses on the Process phase, specifically on using custom ADM files in Active Directory Group Policy.
Group Policy in Active Directory provides a granular way to control local and network resources, scoped by user account, group membership, computer name, and so on. Some settings, however, are not exposed by the templates that ship with Windows. For example, on a K-12 workstation the network administrator may want to:
- Hide specific drives (by letter)
- Prevent access to specific drives (by letter)
- Redirect Internet Explorer Favorites
- Apply a specific desktop wallpaper
- Disable access to the Internet
- Modify applications such as VNC, Audacity, Windows Moviemaker
You can accomplish all these tasks with custom ADM files. Virtually any setting that lives in the registry, whether per-user or per-computer, can be managed centrally.
What are ADM files?
ADM files (also known as Administrative Templates) are plain text files that the Group Policy Object Editor loads into a Group Policy object. They define the registry-based settings shown under Administrative Templates in the editor; the built-in templates supply the standard settings, and you can add more. For example, Microsoft publishes Office XP/2003 ADM files to customize the end-user experience. Simply put, an ADM file contains a description, a registry location, and the values to write.
You add or delete ADM files by right-clicking Administrative Templates in the Group Policy Object Editor and choosing Add/Remove Templates. Every setting in an ADM file belongs to one of two classes: USER settings modify the current user's registry (HKEY_CURRENT_USER), while MACHINE settings modify computer-specific registry keys (HKEY_LOCAL_MACHINE) that apply to all users of the computer. A single file may contain a section for each class. Now that you know how to add them, what about creating one?
Creating custom ADM Files
If the syntax of the ADM file is incorrect, the editor reports a parse error with the offending line number and the template fails to import into your Group Policy object. The link below is a sample ADM file that can be downloaded (it must be renamed to CustomUser.adm to work properly):
1. Documentation and Notes
At the beginning of the file, add any important information you can think of. A semicolon starts a comment; the sample uses two per line:
;; Creator: Network Administrator
;; Date: 02/12/07
;;CustomUser.adm file for XYZ School (user settings)
2. Set Class
The CLASS keyword must be USER or MACHINE, depending on whether the registry settings to be changed reside under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE. (MACHINE, not SYSTEM, is the keyword the ADM syntax uses for computer settings.)
3. Set Category
This groups the settings into a folder in the editor for easier viewing and administration. Categories can be nested, and the name can be given inline, as below, or as a !!name reference to the [strings] section at the end of the file.
CATEGORY "Custom Options"
4. Create a Policy
A "policy" is a single setting that the administrator can set to Enabled, Disabled, or Not Configured. Enabled writes the VALUEON value to the registry, Disabled writes the VALUEOFF value, and Not Configured leaves the registry alone.
An example policy with on/off settings:
POLICY "Re-Direct Favorites to Home Directory"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
EXPLAIN "Re-Direct the Favorites Folder to the H:\Favorites directory"
VALUENAME "Favorites"
VALUEON "H:\Favorites"
END POLICY
When Enabled, the above policy points the user's Internet Explorer Favorites folder at H:\Favorites on their home drive. Only the registry pointer changes: existing favorites are not moved, so copy them (for example with a logon script) before enabling the policy. Add a VALUEOFF line (the Windows XP default is %USERPROFILE%\Favorites) if Disabled should restore the original location.
POLICY: Display name of the policy
KEYNAME: Registry key that holds the setting, written relative to HKEY_CURRENT_USER (CLASS USER) or HKEY_LOCAL_MACHINE (CLASS MACHINE), without the hive name and without a leading backslash
EXPLAIN: Simple explanation of what the setting does (shown on the policy's Explain tab)
VALUENAME: Name of the registry value that will be modified
VALUEON: Value written when the policy is Enabled
VALUEOFF: Value written when the policy is Disabled
In the above example the target is a REG_EXPAND_SZ entry (a string that may contain environment variables). A quoted VALUEON writes a plain REG_SZ, which works for a literal path such as H:\Favorites; to write an expandable string such as %HOMEDRIVE%\Favorites, use an EDITTEXT part with the EXPANDABLETEXT keyword. It is important to know what type of registry entry is being modified because the ADM syntax is different for each. Other registry entry types:
POLICY "Media Player Recording Path Redirect"
; KEYNAME "..." goes here; the registry key is not shown in this excerpt
EXPLAIN "Media Player Recording Path Redirect"
PART "CDRecordPath" EDITTEXT
VALUENAME "CDRecordPath" ; value name assumed from the PART label
DEFAULT "H:\\My Music"
END PART
END POLICY
POLICY "Disable Proxy Settings"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
EXPLAIN "Disable Proxy Settings"
VALUENAME "ProxyEnable" ; assumed target value
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY
In the above examples it is the PART type and the NUMERIC keyword that determine the registry data type: an EDITTEXT part or a quoted VALUEON/VALUEOFF writes REG_SZ (add EXPANDABLETEXT to an EDITTEXT part for REG_EXPAND_SZ), and NUMERIC writes a REG_DWORD. A PART gives the administrator an input field in the editor, so the DEFAULT text can be changed per GPO without editing the template. The value name ProxyEnable in the proxy example is assumed; confirm the exact key and value in regedit before deploying. Note also that all three examples write outside the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies keys. Group Policy treats such values as preferences rather than true policies: the Windows XP/2003 Group Policy Object Editor hides them until you clear View > Filtering > "Only show policy settings that can be fully managed", and they stay in the registry ("tattoo") after the GPO is unlinked, so give each one a VALUEOFF and set the policy to Disabled if you ever need to undo it.
5. Close Category
END CATEGORY closes the category opened earlier; a single ADM file may contain several categories, which may also be nested:
6. End and Strings
These are the required closing entries: END CATEGORY for each open category, END POLICY for each policy, and finally a [strings] section holding the text for any !!name references used above it, one name="text" line each:
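To tie steps 1 to 6 together, here is an added example of my own, not code from the article or its downloadable file. The SAMPLE_ADM string is a complete CustomUser.adm built from the three policies above plus a NoDrives policy for the "hide specific drives" item on the wish list, and the rest of the script is a small parser that lists every registry value a template writes and flags the ones Group Policy treats as preferences rather than true policies. The Media Player KEYNAME and the value names CDRecordPath and ProxyEnable are assumptions the article does not state; confirm them in regedit before deploying.

```python
"""ADM template parser (added example, not the article's code); SAMPLE_ADM is constructed."""
import re

# Assumptions the article does not state: the Media Player KEYNAME and the
# VALUENAMEs "CDRecordPath" and "ProxyEnable" (confirm both in regedit first).
SAMPLE_ADM = r'''
;; CustomUser.adm file for XYZ School (user settings)
CLASS USER
CATEGORY !!CustomOptions
  POLICY "Re-Direct Favorites to Home Directory"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    EXPLAIN "Re-Direct the Favorites Folder to the H:\Favorites directory"
    VALUENAME "Favorites"
    VALUEON "H:\Favorites"
    VALUEOFF "%USERPROFILE%\Favorites"
  END POLICY
  POLICY "Media Player Recording Path Redirect"
    KEYNAME "Software\Microsoft\MediaPlayer\Preferences"   ; assumed key
    PART "CDRecordPath" EDITTEXT
      VALUENAME "CDRecordPath"                            ; assumed value name
      DEFAULT "H:\My Music"
    END PART
  END POLICY
  POLICY "Disable Proxy Settings"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    VALUENAME "ProxyEnable"                               ; assumed value name
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 1
  END POLICY
  POLICY "Hide drives D: and E:"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    VALUENAME "NoDrives"
    VALUEON NUMERIC 24    ; bitmask A=1 B=2 C=4 D=8 E=16, so D:+E: = 24
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
[strings]
CustomOptions="Custom Options"
'''
PART_TYPES = {'EDITTEXT': 'REG_SZ', 'COMBOBOX': 'REG_SZ', 'NUMERIC': 'REG_DWORD', 'CHECKBOX': 'REG_DWORD'}
# Group Policy removes values under these roots when the GPO stops applying; a
# KEYNAME anywhere else is a "preference" that tattoos the registry.
POLICY_ROOTS = ('SOFTWARE\\POLICIES\\', 'SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\')

def _split_strings(text):  # split off the [strings] section (name="text" lines) used by !!name
    m = re.search(r'^\s*\[strings\]\s*$', text, re.I | re.M)
    body, tail = (text[:m.start()], text[m.end():]) if m else (text, '')
    pairs = (line.split('=', 1) for line in tail.splitlines() if '=' in line)
    return body, {k.strip(): v.strip().strip('"') for k, v in pairs}

def parse_adm(text):
    """One dict (class, category, policy, part, keyname, valuename, type, on, off) per value."""
    body, strings = _split_strings(text)
    # Quoted strings -> ('str', text), bare words -> ('kw', word); ';' comments are dropped.
    toks = [('str', m.group(1)) if m.group(1) is not None else ('kw', m.group(2))
            for m in re.finditer(r'"([^"]*)"|;[^\n]*|(\S+)', body) if m.group(1) is not None or m.group(2)]
    res = lambda s: strings.get(s[2:], s) if s.startswith('!!') else s  # resolve !!name
    settings, cats, cls, pol, cur, i = [], [], None, None, None, 0
    while i < len(toks):
        kind, tok = toks[i]
        kw = tok.upper() if kind == 'kw' else ''
        if kw == 'CLASS':
            cls = toks[i + 1][1].upper(); i += 2
        elif kw == 'CATEGORY':
            cats.append(res(toks[i + 1][1])); i += 2
        elif kw == 'POLICY':  # policy-level VALUEON/VALUEOFF default to a REG_DWORD
            cur = pol = {'class': cls, 'category': '/'.join(cats), 'policy': res(toks[i + 1][1]), 'keyname': '',
                         'part': None, 'valuename': None, 'on': None, 'off': None, 'type': 'REG_DWORD'}; i += 2
        elif kw == 'PART':  # PART "label" TYPE ... END PART; inherits the policy's KEYNAME
            cur = dict(pol, part=res(toks[i + 1][1]), valuename=None, on=None, off=None,
                       type=PART_TYPES.get(toks[i + 2][1].upper(), 'REG_SZ')); i += 3
        elif kw == 'KEYNAME':
            cur['keyname'] = toks[i + 1][1]; i += 2
        elif kw == 'VALUENAME':
            cur['valuename'] = toks[i + 1][1]; i += 2
        elif kw in ('VALUEON', 'VALUEOFF'):  # NUMERIC n -> REG_DWORD, "text" -> REG_SZ
            numeric = toks[i + 1][0] == 'kw' and toks[i + 1][1].upper() == 'NUMERIC'
            cur['on' if kw == 'VALUEON' else 'off'] = int(toks[i + 2][1]) if numeric else res(toks[i + 1][1])
            cur['type'] = 'REG_DWORD' if numeric else 'REG_SZ'; i += 3 if numeric else 2
        elif kw == 'EXPANDABLETEXT':  # EDITTEXT ... EXPANDABLETEXT writes REG_EXPAND_SZ
            cur['type'] = 'REG_EXPAND_SZ'; i += 1
        elif kw == 'END':
            what = toks[i + 1][1].upper(); i += 2
            if what == 'CATEGORY':
                cats.pop()
            elif what in ('PART', 'POLICY'):
                if cur['valuename']:
                    settings.append(cur)
                cur = pol if what == 'PART' else None
        else:
            i += 1  # EXPLAIN/DEFAULT text, MIN/MAX and any other keyword are skipped
    return settings

def is_true_policy(keyname):  # True when KEYNAME sits under a root Group Policy manages
    return any((keyname.strip('\\').upper() + '\\').startswith(r) for r in POLICY_ROOTS)

def tattooing_settings(text):
    """Values the XP editor hides behind 'Only show policy settings that can be fully
    managed' and that stay in the registry after the GPO is unlinked."""
    return [s for s in parse_adm(text) if not is_true_policy(s['keyname'])]
```

Copy the SAMPLE_ADM text into CustomUser.adm to import it. To audit a template you did not write (a vendor's, or one from a forum), call parse_adm(open('their.adm').read()) before importing it: you get the exact key, value name and data type it will push to every machine or user in scope, and tattooing_settings() returns the ones that survive unlinking the GPO. On the sample, the three article policies come back from tattooing_settings() and NoDrives does not, because it lives under a Policies key.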
Bringing it all together
With an understanding of the format and syntax of ADM files, a sample file, and a general knowledge of the Windows registry, the K-12 network administrator is ready to create custom ADM files. Virtually any user or computer setting can be applied to hundreds or thousands of users with a few moments' work. From controlling applications and the Windows user environment to enforcing automatic log-off, custom ADM files are a necessary part of properly securing a Windows XP workstation on a K-12 computer network.