Hack 10 Extend Group Policy

figs/moderate.gif figs/hack10.gif

Group Policy is a powerful tool for managing Windows systems, but by configuring ADM files you can extend its capabilities even further.

One day, one of my customers gave me a phone call to say that "the Group Policy Plan we made was pretty nice, but there's something missing, and if we had this we could really impress our boss." From that day on, my life wasn't the same, because this comment led to me discover the true power of Group Policy through customizing ADM files.

But first you need to understand the basics of ADM files.

ADM Files

An ADM file is an ASCII file that defines the Group Policy settings; every checkbox, drop-down menu, and folder in the Group Policy window is defined in this file. The ADM file can also be hacked with any text editor to extend the built-in settings of Group Policy, or you could even build a custom ADM to import to your own Group Policies files. This customization feature makes Group Policy a more powerful tool to manage computers.

The default Group Policy Object (GPO) created in Active Directory is composed of three ADM files: conf.adm, inetres.adm, and system.adm. The conf.adm file holds all the policy settings for Microsoft NetMeeting. The inetres.adm file holds some of the settings for the Windows Components section under both Computer and User Configuration portions of Group Policy. Finally, the system.adm file has additional settings for the Windows Components and System sections under Administrative Template in both the Computer and User Configuration portions of the Group Policy.

These ADM files are located in the %winnt%\inf folder, and every other ADM file that is installed on your machine will be put into that location as well. Also, many products that Microsoft has released for Windows 2000/XP have their own ADM files. For example, the Microsoft Office XP Resource Kit has a corresponding ADM file for each product of the Office suite. For instance, an ADM file called word10.adm adds policy settings that affect Word XP on clients computers.

Hacking ADM Files

How do you to find the policy you want to edit? And how do you change it? In the following example, I want to find and edit the "Save Word files as" policy in the word10.adm file. This policy defines the way a file is saved by default in Word XP. I usually add the option to save the Word file in a format that appears in a local version of Word but doesn't appear in the ADM.

Figure 1-11 shows what the policy looks like.

Figure 1-11. Editing a policy setting

As you can see, the policy setting is found in the Save folder and its name is "Save Word files as." Now, if I want to find this policy in the appropriate ADM file, I simply need to look for "Save Word files as." To do this, just open the correct ADM file (which in this case is word10.adm) and do a text search for the string "Save Word files as". You'll find the following section of the ADM file:

POLICY "Save Word files as"

KEYNAME Software\Policies\Microsoft\Office\10.0\Word\Options

PART "Save Word files as" DROPDOWNLIST

VALUENAME DefaultFormat


NAME "Word document (*.doc)" VALUE "DEFAULT"

NAME "Web Page (*.htm; *.html)" VALUE "HTML"

NAME "Word 6.0/95 (*.doc)" VALUE "MSWord6Exp"

NAME "Word 6.0/95 - Japanese (*.doc)" VALUE"MSWord6JExp"

NAME "Word 6.0/95 - Korean (*.doc)" VALUE "MSWord95KExp"

NAME "Word 97-2002 & 6.0/95 - RTF" VALUE "MSWord6RTFExp"

NAME "Works 4.0 for Windows (*.wps)" VALUE "MSWorksWin4"

NAME "Works 3.0 for Windows (*.wps)" VALUE "MSWorksWin3"





As you can see, the first line, Policy "Save Word files as", defines the name of the policy as it appears in Figure 1-11, while everything under that line defines the policy settings until the last line, END POLICY, closes the policy. Looking at this further, KEYNAME defines the path to the affected key in the Registry, PART defines the way the policy box will appear in the GUI (in this case, a drop-down menu list), VALUENAME defines the name of the affected value in the Registry, NAME defines the name of each option as it appears in the drop-down list, and VALUE specifies the actual data that will be inserted into the affected value that is defined by VALUENAME.

So, if I want to add another option to be displayed in the drop-down list of this policy, all I need to do is add the following line wherever I want (within the section bounded by ITEMLIST and END ITEMLIST):

NAME "Word 97-2002 & 6.0/95 Hebrew Converter\doc" VALUE "MSWord6HBRExp"

Figure 1-12 shows the result of what will be added to the policy drop-down list in the GUI.

Figure 1-12. Adding an option to a drop-down list

Easy, isn't it? With this method, you can manipulate virtually any Registry key that is in the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives to extend Group Policy.

If you'd like to learn more about hacking ADM files, see http://www.microsoft.com/windows2000/en/server/help/sag_spconcepts_34.htm from the Windows 2000 Server online documentation. Note that occasionally you might not see the results of your hack; see article 228723 in the Knowledge Base on TechNet for more information (http://support.microsoft.com/default.aspx?scid=kb;en-us;228723).

?Oren Zippori