HowTo: Create group policies yourself (ADMX)

Group policies make an admin's life easier and can be created with little effort. The advantage is obvious: registry settings can be easily distributed to many computers using group policies. The following article contains a short how-to on how to create group policies yourself using the free "old-school" tool "ADMX-Migrator".

Foreword

I have also created a few separate group policies for Exchange Server and Domain Controller, as a few settings are also made here via the registry. Here are a few examples of settings in the registry that can be easily configured via GPO:

• Exchange 2010 Quota Cache
• Exchange 2010 Static RPC Ports
• Domain Controller NTP time synchronization

 

The advantage of a group policy for such settings? Once an appropriate template has been created for the settings in the registry, a group policy can be applied in different environments on several servers. New domain controllers or new Exchange servers automatically receive the same settings as the existing ones.

The classic ADM templates from Windows Server 2003 times (and earlier) could be created with little effort. Here is a small example:

ADM was still pretty self-explanatory. The current format (ADMX) is based on an XML structure. ADMX templates are a lot more flexible, but also a bit more complicated if you want to create them with a simple editor. Here is an example of an ADMX template with a language:

Admittedly, the example for the ADMX template comes from a GUI and is not a manually created template, but you can see at first glance that the XML structure is more complex to create manually.

This can be remedied by a small tool that can be downloaded free of charge:

• ADMX-Migrator Download

 

ADMX Migrator is an old tool that is no longer being developed. But I still like to use it, simply out of habit:

If anyone has a good tip for a current tool, I'd be happy to hear about it in the comments.

Installation

The installation of ADMX-Migrator is self-explanatory and can be completed in just a few clicks, so here are a few screenshots for the sake of completeness:

Enter user information:

Select storage location:

The option "Register after installation is complete" can be deselected, the corresponding website no longer exists:

Installation completed.

Create your own group policies (ADMX templates)

To create a group policy for a specific program, you must first find out where the program saves its settings in the registry, which settings are valid and what they do. To do this, the program must be installed on a test computer and the corresponding settings must be searched for in the registry. This part usually takes the longest, as trial and error is often the order of the day here. It is helpful to export the corresponding keys so that you can quickly revert to the default settings. This allows you to restore the default settings quickly.

As an example, I have taken a fictitious program that stores settings under HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE:

As soon as it has been determined which settings are relevant, a group policy can be created using ADMX Migrator:

The new template is now given a name:

Now the first category can be specified, the first category below the name creates a "folder" under "Administrative templates". The name of the category can also be freely chosen, in this case I use "FW Program" so that it is clear which settings are involved:

Further categories can be created below the first category. I create a category for users and computer settings:

In the Group Policy Editor, the categories will later be displayed like this:

So the rough structure is already in place, now it's time for the settings. In this case, we want to control the value for "UseWindowsDefault", so the key name and the name of the corresponding value are also copied here:

The information is now required for the first "Policy Setting". As this is a setting under HKEY_CURRENT_USER, it is placed in the "User" category. The corresponding values are now entered in the policy setting:

Registry Key: Key name

Registry Value Name: UseWindowsDefault

Class: User (because HKEY_CURRENT_USER)

The values are now defined under the Values setting:

Enabled Value = Enabled = 1

Disabled Value = Disabled = 0

Under Explain, a meaningful description can now be added to the setting:

It now looks like this in the Group Policy Editor:

ADMX-Migrator can be used not only to switch DWORDs, but also to create text fields or drop-down lists. In principle, the procedure here is very similar to that for DWORDS. In the next example there are two REG_SZ values:

As these are located under HKEY_CURRENT_USER, the policy settings are also placed under the User category:

Enabled and disabled values are also specified again:

A drop-down list can now be created under Presentation:

Corresponding key names and key values are again specified for the drop-down list, and the settings for the drop-down list can then be added under ItemList:

All values from the drop-down list and the corresponding values are now entered in the item list:

A description is given again under Explain:

Here is the result in the Group Policy Editor:

As soon as the group policy has been configured, it is saved:

The memory path now contains the ADMX file (contains the settings) and a folder with the respective language file:

 

To use your own group policy, the ADMX file and the folder on a domain controller must be copied to the directory c:\Windows\PolicyDefinitions:

Converting ADM to ADMX templates

ADMX-Migrator can also convert old ADM templates into ADMX templates by loading an ADM template via "Generate ADMX from ADM":

ADMX Migrator then converts the old ADM structure into the ADMX XML structure:

After conversion to ADMX format, options can be adapted or changed:

As soon as editing is complete, the ADMX template can be saved:

When saving, ADMX-Migrator creates the structure that is also required by the Windows Central Store:

In this way, old ADM templates can be easily converted to ADMX templates.

Note: ADMX-Migrator cannot cope with umlauts in the ADM templates, so the easiest way is to get rid of the umlauts in the ADM templates using "Search/Replace" before the conversion.

Example ADMX files

As already mentioned at the beginning, ADMX-Migrator is a fairly old tool and has some weaknesses; it sometimes crashes.

However, a group policy only consists of the ADMX file which contains the settings (categories, policy settings) and a language file (ADML), in which corresponding translations can be defined. Both files are available in XML format and can also be created with an editor.

Microsoft offers a group policy as an example that illustrates the possibilities. With a little copy/paste and some "try and error", the structure can be learned quickly.

The sample files can be downloaded here:

Group Policy Sample ADMX Files

A test environment with a domain controller and a member is quickly installed, so the sample policy is great for practicing.

Disadvantage

Custom group policies "tattoo" the registry. This means that the registry values that have been changed or created using your own group policy remain in the registry of the computer that applied the policy. If a group policy is deleted, the settings are therefore retained. The use of custom group policies should therefore be treated with caution.

Always remember: Deleting your own group policy does not reset any settings to default values, only defining the default values in the GPO sets the corresponding values. If you still know the default values. Own group policies should therefore be well documented and the default values of the registry should be exported in a .REG file.