[gptalk] Re: ADMX confusion...

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jul 2007 16:05:17 -0700



Alan has covered most of your questions-and you are correct that downlevel
clients that edit GPOs that were created with Vista will copy up ADMs into
the SYSVOL part of that GPO unless you disable this auto-update behavior via
policy (which I recommend if you expect that downlevel clients will continue
to edit Vista GPOs). 


Bottom line is that if you want to add a custom ADMX/L file into a GPO, you
either copy it into the local machine's c:\windows\policydefinitions folder
where you're editing the policy, or, if the Central Store exists, you copy
it into that, and everyone in the domain that edits policy will see those
new setting options.




P.S. Alan-we've complained about the "show only managed settings" thing
forever. I think they are finally going to fix this in Vista SP1, but I
could be wrong!




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Wednesday, July 11, 2007 3:54 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: ADMX confusion...


Hi Jason,


I preface my remarks with the fact that I have done little testing of this,
but my understanding is as follows:-


.         On a Vista Client, the Add/Remove Templates works exactly as it
used to. That is it copies an ADM template into the group policy that you
are editing. That copy then remains with that policy. As such, it will not
see or copy ADMX files since they are not valid ADM files.

.         ADMX files are a totally different format. Renaming it to an ADM
file will definitely make it unreadable

.         If a non vista client opens a policy it will have no knowledge of
the ADMX files, therefore it cannot copy the ADMX files from the ADMX store
to the ADM store in the policy


Note: Since the non-vista client cannot see the ADMX files, it cannot
display any of the Administrative Template policy settings set via ADMX
templates, unless of course there is also an ADM file present that can
interpret it.


I must admit I am not really sold on the ADMX file concept. They are harder
to edit, they are visible in all Policies (which can be annoying) and can be
difficult to manage when you enhance them. For instance if you have a policy
setting that sets 3 values, then want to change it in a new policy to set 4
values, both the old and the new policy see the template that sets 4 values.
The two advantages of ADMX files are that they save space (you don't have a
copy per Policy) and they support multiple languages (which is normally not
important for most sites). One thing which would make a BIG difference would
be if Microsoft allowed you to Hide certain ADMX files in each policy. This
would allow each policy to have a different set if required. And while it
complaining mood, it would also be a real bonus if by default it did not
"Only show policy settings that can be fully managed". i.e the default
should be to show all policies.  


Alan Cuthbertson



 Policy Management Software:-



ADM Template Editor:-



Policy Log Reporter(Free)






-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason B. Halladay
Sent: Thursday, 12 July 2007 7:56 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] ADMX confusion...


As I've posted recently, I'm doing some research/testing with the Vista 

central store....  In my testing I've come up with a couple of questions 

that I hope someone can answer...


Without the central store created, I opened the GPOE on a Vista client 

and tried to use the Add/Remove Templates... to add a custom ADMX 

template (converted an older ADM to ADMX using the FullArmor ADMX 

migrator) but while browsing for the ADMX file, it does not show up in 

the browse window. The window will only show Policy Templates files but 

I expected the Vista GPOE to see .admx as a valid policy template file.  

If I rename my admx file to an adm, it shows up but errors when I try to 

open it.  I must be missing something....


I'm not convinced the central store will be a big benefit initially here 

because we have upwards of 100 OU administrators creating and editing 

GPOs from many different clients. If I understand it correctly if 

someone with an XP client so much as opens a GPO for editing that was 

originally created on a Vista client (that had used the central store) 

the ADMs from that XP client will be copied to sysvol.  Do I understand 

that right?  I realize that's an administrative "issue" on our 

part--just want to make sure my thinking is correct. 








You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/


Other related posts: