
Sunday, April 15, 2012

Custom ADM template for GPO Windows Server 2003

Hi all. Today we will look at how to write a custom ADM template to use with GPO and manage finer configuration of software or Windows Server. We will use a sample ADM template to understand how one is written. Quick and fast, here is the sample:

*****************************************
;
CLASS MACHINE

CATEGORY "SYSTEM"
  CATEGORY "McafeeEP"

    POLICY "Configure ExemptNetwork Registry key"
      KEYNAME "System\CurrentControlSet\Services\Sbce"
      EXPLAIN !!Explain_1
      VALUENAME "ExemptNetwork"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

    POLICY "Allow Relaxed Removable Media Definition"
      KEYNAME "System\CurrentControlSet\Services\Sbce"
      EXPLAIN !!Explain_2
      VALUENAME RelaxedRemovableMediaDefinition
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY

    POLICY "Define AutoDomain"
      KEYNAME "Software\Safeboot International\Safe Boot Device Encryption\AutoDomain"
      EXPLAIN !!Explain_3
      VALUENAME InstallPath
      VALUEON "C:\Program files\McAfee\Endpoint Encryption\Autodomain"
      VALUEOFF "Null"
    END POLICY

    POLICY "Define SBTools"
      KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
      EXPLAIN !!Explain_4
      VALUENAME SBTools
      VALUEON "C:\Program files\McAfee\Endpoint Encryption\Autodomain"
      VALUEOFF "Null"
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
Explain_1="Allows you to set ExemptNetwork Dword value to 1 or 0 when set to Enable or Disable. ExemptNetwork key is modified under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sbce. If the key doesn't exist a new key will be written to the registry"
Explain_2="Allows you to set RelaxedRemovableMediaDefinition Dword value to 1 or 0 when set to Enable or Disable. RelaxedRemovableMediaDefinition key is modified under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sbce. If the key doesn't exist a new key will be written to the registry"
Explain_3="Set InstallPath to REG_SZ value of C:\Program files\McAfee\Endpoint Encryption\Autodomain when configured to Enable and NULL on disable. InstallPath is modified under HKEY_LOCAL_MACHINE\Software\Safeboot International\Safe Boot Device Encryption\AutoDomain. If the key doesn't exist a new key will be written to the registry"
Explain_4="Set SBTools to REG_SZ value of C:\Program files\McAfee\Endpoint Encryption\Autodomain when configured to Enable and NULL on disable. SBTools is modified under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If the key doesn't exist a new key will be written to the registry"
*****************************************

The quotes in the template must be plain straight double quotes.

; is for comments.

The CLASS keyword defines which registry hive will be read/modified (MACHINE here, which is the HKEY_LOCAL_MACHINE hive named in the explain strings).

CATEGORY defines a subsection under Administrative Templates. If the category doesn't exist, a new category will be created when the template is imported into the GPO MMC.

A single policy, line by line:

POLICY "Configure ExemptNetwork Registry key"     ; the name of the entry under GP
KEYNAME "System\CurrentControlSet\Services\Sbce"  ; registry key to query; if the key doesn't exist, a new key will be created
EXPLAIN !!Explain_1                               ; description of the GP; it uses a variable that is defined in the [strings] section
VALUENAME "ExemptNetwork"                         ; the registry value that is set under the key
VALUEON NUMERIC 1                                 ; value when the GP is enabled
VALUEOFF NUMERIC 0                                ; value when the GP is disabled
END POLICY                                        ; policy closed

You can do much more than these basics with a custom GP template. More details can be found on TechNet:
http://technet.microsoft.com/en-us/library/cc779567%28v=ws.10%29.aspx

I hope this is helpful.
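A pre-import check for a template like the one above, added here as an example and not part of the original post: it lists the key and value each POLICY writes and flags curly quotes picked up from a web page, EXPLAIN references with no [strings] entry, keys outside the Policies branches (these behave as preferences and stay in the registry after the GPO is removed), and writes to a Run key. The function names, finding labels and sample template are constructed for illustration.

```python
import re
# Constructed sample: policy 1 has curly quotes and no string entry; policy 2 writes to Run.
SAMPLE_ADM = '''CLASS MACHINE
POLICY \u201cConfigure ExemptNetwork\u201d
KEYNAME "System\\CurrentControlSet\\Services\\Sbce"
EXPLAIN !!Explain_9
VALUENAME "ExemptNetwork"
END POLICY
POLICY "Define SBTools"
KEYNAME "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
EXPLAIN !!Explain_4
VALUENAME SBTools
END POLICY
[strings]
Explain_4="Sets SBTools under the Run key"
'''
# Keys under these roots are true policies; anything else is a preference.
ROOTS = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")

def _arg(line):
    """Argument after the keyword, without straight or curly quotes."""
    return line.split(None, 1)[1].strip().strip('"\u201c\u201d')

def lint_adm(text):
    """Return (policies, findings); hypothetical line-based checker."""
    parts = re.split(r"(?im)^\s*\[strings\]\s*$", text, maxsplit=1)
    defined = set(re.findall(r"(?m)^\s*(\w+)\s*=", parts[1])) if len(parts) > 1 else set()
    policies, findings, cur = [], [], None
    for n, line in enumerate(parts[0].splitlines(), 1):
        words = line.split()
        if len(words) < 2 or words[0].startswith(";"):
            continue  # blank line, bare keyword or comment
        if "\u201c" in line or "\u201d" in line:
            findings.append((n, "curly quote"))
        kw = words[0].upper()
        if kw == "POLICY":
            cur = {"name": _arg(line), "key": "", "value": ""}
            policies.append(cur)
        elif kw == "KEYNAME" and cur:
            cur["key"] = _arg(line)
            if not (cur["key"].lower() + "\\").startswith(ROOTS):
                findings.append((n, "preference key"))
            if cur["key"].lower().endswith("\\currentversion\\run"):
                findings.append((n, "autorun key"))
        elif kw == "VALUENAME" and cur:
            cur["value"] = _arg(line)
        elif kw == "EXPLAIN" and words[1].startswith("!!") and words[1][2:] not in defined:
            findings.append((n, "undefined string"))
    return policies, findings
```

Each finding is a (line number, label) pair, so `lint_adm(open(path).read())` can be run over a template before it is imported into the GPO editor.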
