Managing Group Policy ADMX Files Step-by-Step Guide
Updated June 2007
Windows Server 2008
Summary: Learn how to centrally administer and incorporate ADMX files when editing the administrative template policy settings inside a local or domain-based Group Policy object. (7 printed pages.)
ADMX Technology Review
Requirements for Editing Group Policy Objects with ADMX Files
Scenario 1: Editing the Local GPO with ADMX Files
Scenario 2: Editing Domain-Based GPOs with ADMX Files
Windows Vista and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format, known as ADMX files. These new files replace ADM files, which used their own markup language. The administrative tools you use—the Group Policy Object Editor and the Group Policy Management Console—remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
There are some situations that require an understanding of how ADMX files are structured and the location where they are stored. This guide introduces you to ADMX files, showing you how ADMX files are incorporated when editing Administrative Template policy settings in a local or domain-based Group Policy object (GPO). ADMX files provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. You need to be using a Windows Vista-based or Windows Server 2008-based computer in order for the Group Policy Object Editor to recognize the ADMX files.
Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior is supported for less common scenarios. For domain-based enterprises, administrators can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools will continue to recognize other earlier ADM files you have in your existing environment. Specifically, any custom ADM files will be consumed by Group Policy tools. (The tools will exclude ADM files that were included by default in the operating system, such as System.adm and Inetres.adm, because the ADMX files supersede these files.) The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files.
This guide covers two different scenarios to highlight the potential differences in the ADMX storage location and Group Policy tools needed when working with local and domain-based GPOs.
Some Important Factors about the Implications of ADMX Files in Your Environment
- New Windows Vista-based or Windows Server 2008-based policy settings can only be managed from Windows Vista-based or Windows Server 2008-based administrative machines running Group Policy Object Editor or Group Policy Management Console. Such policy settings are defined only in ADMX files and, as such, are not exposed on the Windows Server 2003, Microsoft Windows XP, or Windows 2000 versions of these tools.
- The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor and Group Policy Management Console can be used to manage all operating systems that support Group Policy (Windows Vista and Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000).
- The Windows Vista or Windows Server 2008 versions of Group Policy Object Editor and Group Policy Management Console support interoperability with versions of these tools on early operating systems. For example, custom ADM files stored in GPOs will be consumed by the new tools.
- In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
In Windows Vista, ADMX files are divided into language-neutral and language-specific resources, available to all Group Policy administrators. These factors allow Group Policy tools to adjust their UI according to the administrator's configured language. Adding a new language to a set of policy definitions is achieved by ensuring that the language-specific resource file is available.
Comparison of ADM and ADMX Local File Locations
In Windows Vista beta 2, the operating system–defined Administrative Template policy settings will only install on the local computer as an ADMX file format.
ADMX files will be installed on each Windows Vista computer in a different file location from ADM files, as shown in the following table.
(Custom ADM files can still be copied to the listed ADM directory to be consumed by the Group Policy Object Editor and Group Policy Management Console.)
|File Type||File Location|
|ADMX language neutral (.admx)||%systemroot%\policyDefinitions|
|ADMX language specific (.adml)||%systemroot%\policyDefinitions\[MUIculture] (for example, the U.S. English ADMX language specific file will be stored in %systemroot%\policyDefinitions\en-us)|
ADMX Domain File Locations
One of the main benefits of using the new ADMX files is the central store. This option is available to you when you are administering domain-based GPOs, although the central store is not used by default. In Windows Vista and Windows Server 2008, the Group Policy Object Editor will not copy ADM files to each edited GPO—the case with earlier operating systems. Instead the Group Policy Object Editor will no longer copy the new ADMX files, but will provide the ability to read from either a single domain-level location on the domain controller sysvol (not user configurable) or from the local administrative workstation when the central store is unavailable. This capability reduces the amount of storage needed for files that should remain constant for all GPOs. In addition to storing the ADMX files shipped in the operating system in the central store, you can share a custom ADMX file by copying the file to the central store, which makes it available automatically to all Group Policy administrators in a domain.
|File Type||Domain Controller File Location|
|ADMX language neutral (.admx)||%systemroot%\sysvol\domain\policies\PolicyDefinitions|
|ADMX language specific (.adml)||%systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] (for example, the U.S. English ADMX language-specific file will be stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us)|
The following sections describe specific computer setups required for editing either the local GPO or domain-based GPOs with ADMX files. This step-by-step guide assumes you understand the basic concepts of Group Policy and using the Group Policy Management Console.
Local Group Policy Object Editing Requirements
While editing the local GPO, you must use a Windows Vista-based computer to view policy settings from ADMX files.
Domain-Based Group Policy Object Editing Requirements
In order to be able to create and edit domain-based GPOs with the latest Group Policy settings using ADMX files, you must have this setup:
- A working Windows Server 2008, Windows Server 2003, or Windows 2000 domain using name resolution through a DNS server.
- A Windows Vista computer to view policy settings from ADMX files while editing the domain-based GPO.
The scenarios in this document are designed to introduce you to managing ADMX files for Group Policy editing. (Group Policy editing refers to the process in which you create a GPO or open an existing GPO and then change policy settings using the Group Policy Object Editor). The following two scenarios illustrate how the Group Policy Object Editor will transparently incorporate ADMX files into an editing session. The domain-based scenario shows you how to centrally manage ADMX files, a feature that was not available with ADM files.
Scenario 1: Editing Local Group Policy Object Administrative Template Settings
Editing a local GPO introduces you to ADMX files that are transparently included when opening the Group Policy Object Editor. The way you edit Administrative Template policy settings and the way the settings are displayed remains unchanged from previous versions of Windows.
Scenario 2: Editing Domain-Based Group Policy Object Administrative Template Settings
Editing a domain-based GPO introduces you to optional central store for ADMX files in a domain and how to edit GPOs using this central store.
This scenario shows you how ADMX files are transparently incorporated into editing the local Group Policy.
Editing the Administrative Template Policy Settings of the Local GPO with ADMX files
You must use a Windows Vista-based computer to edit local GPOs using ADMX files.
To edit administrative template policy settings using ADMX files
- To open the local Group Policy Object Editor on a Windows Vista machine, click Start, click Run, then type GPEDIT.msc.
- The Group Policy Object Editor will automatically read all ADMX files stored in the %systemroot%\PolicyDefinitions\ folder.
- Locate the policy setting you wish to edit and open it.
Note You can still remove and add ADM files to the GPO using the Add/Remove Templates menu option. There is no user interface for adding or removing ADMX files in Windows Vista.
To add ADMX files to the Group Policy editing session, copy the ADMX files to the %systemroot%\PolicyDefinitions\ folder and restart the Group Policy Object Editor.
This scenario shows you how to set up a central location of the updated ADMX files when managing domain-based Group Policy from Windows Vista–based computers.
Prerequisites for Administering Domain-Based GPOs with ADMX Files
To complete the tasks in this section, you should have at least:
- A Windows Server 2008, Windows Server 2003, or Windows 2000 domain utilizing a DNS name server.
- A Windows Vista-based computer to use as an administrative workstation.
Steps for Utilizing the Optional ADMX Central Store with Domain-Based GPOs
If you choose to not create an ADMX central store, editing GPOs will work the same way as in Scenario 1: Editing the Local GPO with ADMX Files. To edit GPOs using centrally stored ADMX files, complete these tasks in order.
Create a Central Store
The central store is a folder structure created in the sysvol directory on the domain controllers in each domain in your organization. You will need to create the central store only once on a single domain controller for each domain in your organization. The File Replication service then replicates the central store to all domain controllers. It is recommended that you create the central store on the primary domain controller because the Group Policy Management Console and Group Policy Object Editor connect to the primary domain controller by default.
The central store consists of a root-level folder containing all language-neutral ADMX files and subfolders containing the language-specific ADMX resource files.
To perform this procedure, you must be a member of the Domain Admininstrators group in Active Directory.
To create the central store
- Create the root folder for the central store %systemroot%\sysvol\domain\policies\PolicyDefinitions on your domain controller.
- Create a subfolder of %systemroot%\sysvol\domain\policies\PolicyDefinitions for each language your Group Policy administrators will use.
Note Each subfolder is named after the appropriate ISO-style Language/Culture Name. For a list of ISO-style Language/Culture Names, see Valid Locale Identifiers. For example, to create a subfolder for U.S. English, create the subfolder: %systemroot%\sysvol\domain\policies\PolicyDefinitions\EN-US
Populate the Central Store with ADMX Files
There is no user interface for populating the central store in Windows Vista. The procedure shows how to populate the central store using command line syntax from the Domain Controller.
To populate the central store
- Open a command window: click Start, click Run, then type cmd.
- To copy all the language-neutral ADMX files from your Windows Vista administrative workstation to the central store on your domain controller using the xcopy command, type:
xcopy %systemroot%\PolicyDefinitions\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\
- To copy all ADMX language resource files from your Windows Vista administrative workstation to the central store on your domain controller using the xcopy command, type:
xcopy %systemroot%\PolicyDefinitions\EN-US\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\EN-US\
Edit the Administrative Template Policy Settings in the Domain-Based GPOs
You can edit GPOs only using ADMX files on a Windows Vista-based computer.
To edit administrative template policy settings using ADMX files
- To open the Group Policy Management Console on a Windows Vista machine, click Start, click Run, then type GPMC.msc.
- To create a new GPO to edit, right-click the Group Policy objects node and select New.
- Type a name for the GPO and click OK.
- Expand the Group Policy objects node.
- Right-click the name of the GPO you created and click Edit.
- The Group Policy Object Editor automatically reads all ADMX files stored in the central store. When there is no central store, the Group Policy Object Editor reads the local versions of the ADMX files used by the local GPO on your Windows Vista administrative machine.
Note You can still remove and add ADM files to the GPO. There is no user interface for adding or removing ADMX files in Windows Vista.
To add local ADMX files to the Group Policy editing session, copy the ADMX files to the %systemroot%\PolicyDefinitions\ folder and restart the Group Policy Object Editor.