Recently I’ve been answering a few questions about the role of ADMX files (Administrative Templates) in Group Policy. For those who are new to Group Policy or haven’t spent a lot of time with it, I have seen some misunderstanding around what these template files actually do, and their role in GP processing. So I thought I would take the time to discuss that a bit more.
What Are ADMX Files?
ADMX files (and their predecessor, .ADM files) have been around as long as Group Policy (and System Policy) has. ADMX files are XML text files that describe what you see under Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates in Group Policy Editor. They are literally used by GP Editor to populate the hierarchical folder structure of settings you see when you edit a GPO and drill in under “Administrative Templates”. It is important to note that no other policy area (e.g. Security Settings, Folder Redirection, etc.) uses ADMX (or ADM) files to populate the options you see in GP Editor. ADMX files are provided by Microsoft in all Windows versions. You can also create your own custom ADMX files; Microsoft provides a free tool to help you do that. You can find the default ones that Microsoft provides in the c:\windows\policydefinitions folder on any Windows system (server or desktop), as shown here:
You will also notice a sub-folder in that c:\windows\policydefinitions folder. On my machine, that sub-folder is called en-us. It will vary based on the language of your Windows installation (e.g. en-us stands for US English). That folder holds .ADML files. These files contain the language-specific strings that correspond to each ADMX file. So every .ADMX file in the root of c:\windows\policydefinitions should have a corresponding .ADML file in the language-specific folder. If you have an ADMX file that is missing a corresponding ADML, you will likely get an error when you launch GP Editor.
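A check for the pairing rule described above, as an added example that is not part of the original article: it reports, per language folder, which ADMX files have no matching ADML. The sample tree is constructed in a temporary directory and ExampleApp.admx is a made-up name; point `missing_adml` at a real PolicyDefinitions folder to audit it.

```python
import tempfile
from pathlib import Path


def missing_adml(policy_definitions: Path) -> dict[str, list[str]]:
    """Map each language sub-folder to the ADMX base names lacking an ADML there.

    Names are compared case-insensitively, as Windows file names are.
    """
    admx = {p.stem.lower() for p in policy_definitions.iterdir()
            if p.is_file() and p.suffix.lower() == ".admx"}
    report = {}
    for lang_dir in sorted(p for p in policy_definitions.iterdir() if p.is_dir()):
        adml = {p.stem.lower() for p in lang_dir.iterdir()
                if p.is_file() and p.suffix.lower() == ".adml"}
        report[lang_dir.name] = sorted(admx - adml)
    return report


def build_sample(root: Path) -> Path:
    """Constructed sample tree: two templates, with nl-NL missing one ADML."""
    pd = root / "PolicyDefinitions"
    (pd / "en-US").mkdir(parents=True)
    (pd / "nl-NL").mkdir()
    for name in ("inetres.admx", "ExampleApp.admx"):
        (pd / name).write_text("<policyDefinitions/>")
    for name in ("inetres.adml", "exampleapp.adml"):
        (pd / "en-US" / name).write_text("<policyDefinitionResources/>")
    (pd / "nl-NL" / "inetres.adml").write_text("<policyDefinitionResources/>")
    return pd


def demo() -> dict[str, list[str]]:
    """Run the check against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return missing_adml(build_sample(Path(tmp)))


if __name__ == "__main__":
    for lang, missing in demo().items():
        print(lang, "OK" if not missing else f"missing ADML for: {missing}")
```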
Where Are ADMX (and ADM) Files Stored?
In the “old days”, when we only had ADM files, these files were stored in c:\windows\inf. When you created a GPO, these ADM files would get copied up to the SYSVOL portion of the GPO, under a folder named ADM (this is actually still how it works if you have GPOs that contain custom ADM templates). When Microsoft introduced ADMX/ADML files, they changed the model. ADMX files are not stored in each GPO. They are either found, as I’ve mentioned, in the c:\windows\policydefinitions folder, or in something called the Central Store. The Central Store is simply a folder that gets created on the SYSVOL share, at the same level that GPOs are stored in SYSVOL, namely under \\<domainName>\SYSVOL\<domainName>\Policies\PolicyDefinitions. Creating the Central Store is a simple matter of creating that “PolicyDefinitions” folder in SYSVOL and then copying the contents of your c:\windows\policyDefinitions folder (including the folder for the language-specific ADML files) into that SYSVOL folder. I have a small utility that you can use to automate this process if you’re unsure. Once the Central Store is created, all users in that domain who edit Group Policy will reference ADMX files from the Central Store. If you wonder whether you are using the Central Store or not, just look at the Administrative Templates node in GP Editor. After the words “Administrative Templates”, you will see, in parentheses, whether the Central Store is in use or you are still getting your ADMX files from c:\windows\policydefinitions (as below):
Note that once the Central Store is created in a domain, all users who edit Group Policy will reference the ADMX/ADML files found in the Central Store, and only those. If you need to add or update ADMX files, those changes must be made in the Central Store, and will affect everyone who edits Group Policy.
A quick note on ADM files. These are still supported in GP Editor. If you right-click the Administrative Templates node under either Computer or User Configuration, you will see an option to “Add/Remove Templates”. This pertains strictly to ADM files, and allows you to associate ADM files to GPOs that are likely also using ADMX files. When you add an ADM file to a GPO, that file is copied up to the ADM folder in SYSVOL, for that GPO, just like it used to be in the pre-ADMX days.
How Are ADMX Files Used by Group Policy?
So now that we know where ADMX files are stored, let’s talk about how they’re used. As I mentioned earlier, ADMX files, like ADM files before them, have no role at all in the *processing* of Group Policy by client computers or users. They don’t even need to be present when GP processing occurs. In fact, the only time ADMX or ADM files are ever read or considered is when you are editing GPOs in GP Editor. When you expand the Administrative Templates node and you see all of those folders, sub-folders and policy items, those correspond to GP Editor reading each ADMX file it finds and building that tree of nodes dynamically. To illustrate this, if I open GP Editor and drill into Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer, the editor is reaching out to where my ADMX files are found, cracking open the inetres.admx file, and populating all the settings I end up seeing in GP Editor, as shown here:
Once you are finished editing that GPO, those ADMX files are not in use at all. They are not stored in the GPO, they are not downloaded by the client that is processing that GPO, and they are never referenced during GP processing. The only things that are referenced are the registry keys and values that you’ve instructed the GPO to set, which are stored in the registry.pol file in the SYSVOL part of the GPO. But that’s a story for another day.
Hopefully this has cleared up the role of ADMX files and helps you understand where they’re stored and when they’re used!
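To make the split between editing and processing concrete, here is an added example (not from the original article) that reads an ADMX file the way an editor would: it pairs each policy with its display string from the ADML and with the registry key and value name the policy describes. The template, the ExampleVendor\ExampleApp key and the policy names are constructed for illustration and trimmed to the attributes the code reads.

```python
import re
import xml.etree.ElementTree as ET

NS = {"pd": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}
HIVES = {"Machine": "HKLM", "User": "HKCU", "Both": "HKLM and HKCU"}

# Constructed sample files for a made-up application. The ADML deliberately
# lacks the string for HideSettingsPage to show an unresolved label.
ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="DisableUpdateCheck" class="Machine"
            displayName="$(string.DisableUpdateCheck)" valueName="DisableUpdateCheck"
            key="Software\Policies\ExampleVendor\ExampleApp"/>
    <policy name="HideSettingsPage" class="User"
            displayName="$(string.HideSettingsPage)" valueName="HideSettingsPage"
            key="Software\Policies\ExampleVendor\ExampleApp"/>
  </policies>
</policyDefinitions>"""

ADML = r"""<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <resources><stringTable>
    <string id="DisableUpdateCheck">Turn off update checks</string>
  </stringTable></resources>
</policyDefinitionResources>"""


def load_strings(adml_xml):
    """Return {string id: display text} from an ADML string table."""
    found = ET.fromstring(adml_xml).iterfind(".//pd:stringTable/pd:string", NS)
    return {s.get("id"): s.text or "" for s in found}


def policy_map(admx_xml, strings):
    """List each policy's editor label (None if the ADML lacks it) and registry target."""
    rows = []
    for pol in ET.fromstring(admx_xml).iterfind(".//pd:policies/pd:policy", NS):
        ref = re.fullmatch(r"\$\(string\.(.+)\)", pol.get("displayName", ""))
        rows.append({
            "policy": pol.get("name"),
            "label": strings.get(ref.group(1)) if ref else None,
            "registry": HIVES.get(pol.get("class"), "?") + "\\" + pol.get("key"),
            "valueName": pol.get("valueName"),
        })
    return rows


if __name__ == "__main__":
    print(*policy_map(ADMX, load_strings(ADML)), sep="\n")
```

Only the `registry` and `valueName` columns correspond to anything a client ever sees; the labels exist solely for whoever is editing the GPO.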
Darren
Has anyone ever been successful with this FullArmor ADMX Migrator?
Wolfgang-
It’s admittedly been a while since I’ve used it, and I do recall it had some quirks, but I was able to successfully create ADMX files with it.
Darren
Hello,
Small question from my end.
With the latest administrative templates (1607) the Language nl-NL is not delivered with it.
Can I copy the adml files from the en-US into the nl-NL folder? I know that will change the language but I can’t open the gpmc anymore from my local PC because it is in Dutch (NL) – and I can read English.
The Domain Controller is working fine because it is in English.
I haven’t tested this Kurt but it *should* work fine. The tags that tie a particular string to the underlying ADML text should be consistent between languages.
So why exactly would I import ADMX files into my organization’s central store? As in, what do I as an administrator gain from doing so?
I ask because there are obviously a whole bunch of settings already under Computer Configuration > Administrative Templates and User Configuration > Administrative Templates.
Would adding ADMX files (say for Windows 10) to the central store simply provide additional settings that could be configured by a GPO?
Thanks for your question. If you are using the Central Store, then everything you see in GP Editor under “Administrative Templates” appears there by virtue of the ADMX files (and ADML files) that are stored in the Central Store. So, if you update those files with, say, the Windows 10 ADMX files, then you will see those previous Windows version settings as well as those that were introduced in Win10.
Hello Darren
Thanks very much for posting this article, it explained a lot of concepts I have never seen in another post especially the fact the .admx files are not downloaded by the client or processed when the client is processing GPOs (I never understood that before).
There is one thing I still do not understand though.
Why is there a ‘Software Settings’ and ‘Windows Settings’ section under GPO, why not just have an ‘Administrator Templates’ section if everything can be configured from there for the client (or perhaps it cannot)?
Also if amendments are made outside of the Administrative Template e.g. under Software or Windows settings, do these settings also affect the Registry or do these areas deal with other aspects of Windows outside the Registry?
I realise the above may be basic (possibly dumb) questions but if you could answer it would really help me understand.
Thanks very much in advance
Sorry for the delayed response. Registry edits via Admin Templates are not the only things that GP can do. Or more specifically other “Client Side Extensions” like Software Installation (under Software Settings) or the various Security Settings (under Windows Settings) require additional logic or make changes to other parts of the OS (e.g. Software Installation runs MSI package installations). So while many, many areas of configuration in Windows do impact the registry, they don’t all, and even some that do require additional logic to make their values set. That’s why you see more than just Admin Templates (which actually grew out of NT 4 System Policy, if you wanted some history :-))
Great article!
Quick question, what will happen if one does “import settings” (e.g. GPO backup restore) in GPM Management Console and some specific ADMX/L (referenced in GPO backup) is missing at the time of the import? Will it all import fine or report some error? Or will it selectively fail?
Here is a practical example – CIS security hardening policy refers to Search > Cortana hardening, but it is not available in standard Windows 2008 DC.
Best regards,
Serg
Serg-The import would work just fine but the settings would appear as “Extra Registry Settings” in a GPMC settings report and would not be manageable via GP Editor.
Privileges such as SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, and SeLoadDriverPrivilege, are they stored in the registry? And is using GPO the only way to set or remove those privileges?
David-
User rights are stored in the Security hive of the registry, which is not accessible to regular (i.e. non-system level) users. They are modified either via GP, secedit.exe, ntrights.exe (old utility) or via Win32 API.
Thanks, this explained a lot that’s not super clear when you read stuff from Microsoft
Hi David,
This was quite an informative article and it explained the GPO templates and admx files to me very well. However I have a problem to solve, can you please help me out?
In one of our Windows applications (say “APP” version 1), we already have a GPO editable template, where we can enable and define a policy for our application.
I recently observed that if you enable a group policy (with some configuration say “x=y”) using the administrative template, the configuration “x=y” gets stored in the registry (under HKLM\Software\Policies\Foo\APP\… and also under WOW6432Node path).
However, the problem is that on installing a new version of application (say “APP” version 2), the GPO editor settings are wiped away. One important note is that the new version “APP” version 2 is having modification in the registry path for the Application i.e. “HKLM\Software\Foo\APP\…” now becomes “HKLM\Software\Bar\APP\…” and similar to under HKCU and WOW6432Node.
Just for the experimental purpose (my first guess too) I tried to modify the value “x=y” to “x=z” in the registry path i.e. “HKLM\Software\Policies\Foo\APP\…”, the same modification doesn’t reflect back to the GPO editor.
I have now ended up with these 2 questions:
1. Where do the custom configurations get stored (“x=y” in above case) when we configure a policy using GPO editor? I have observed it is being stored in registry (i.e. HKLM\Software\Policies\Foo\APP\…), but is that the only place?
2. How to retain the GPO custom settings already added over an upgrade to a newer version of software (but with modifications in the registry path)?
Thanks for the article. It was very clear and very specific to points. It helped me to understand ADMX