Custom ADM template for GPO Windows Server 2003

April 15, 2012

Hi All,

Today we will look at how to write a custom ADM template to use with GPO, so that we can manage finer configuration
of software or Windows Server. We will use a sample ADM template to understand how one is written.
Quick and fast, here is the sample:

*****************************************
;
CLASS MACHINE
CATEGORY "SYSTEM"
CATEGORY "McafeeEP"

POLICY "Configure ExemptNetwork Registry key"
KEYNAME "System\CurrentControlSet\Services\Sbce"
EXPLAIN !!Explain_1

VALUENAME "ExemptNetwork"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "Allow Relaxed Removable Media Definition"
KEYNAME "System\CurrentControlSet\Services\Sbce"
EXPLAIN !!Explain_2
VALUENAME RelaxedRemovableMediaDefinition
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "Define AutoDomain"
KEYNAME "Software\Safeboot International\Safe Boot Device Encryption\AutoDomain"
EXPLAIN !!Explain_3
VALUENAME InstallPath
VALUEON "C:\Program files\McAfee\Endpoint Encryption\Autodomain"
VALUEOFF "Null"
END POLICY

POLICY "Define SBTools"
KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPLAIN !!Explain_4
VALUENAME SBTools
VALUEON "C:\Program files\McAfee\Endpoint Encryption\Autodomain"
VALUEOFF "Null"
END POLICY

END CATEGORY
END CATEGORY

[strings]

Explain_1="Allows you to set ExemptNetwork Dword value to 1 or 0 when set to Enable or Disable. ExemptNetwork key is modified under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sbce. If the key doesn't exist a new key will be written to the registry"
Explain_2="Allows you to set RelaxedRemovableMediaDefinition Dword value to 1 or 0 when set to Enable or Disable. RelaxedRemovableMediaDefinition key is modified under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sbce. If the key doesn't exist a new key will be written to the registry"
Explain_3="Set InstallPath to REG_SZ value of C:\Program files\McAfee\Endpoint Encryption\Autodomain when configured to Enable and NULL on disable. InstallPath is modified under HKEY_LOCAL_MACHINE\Software\Safeboot International\Safe Boot Device Encryption\AutoDomain. If the key doesn't exist a new key will be written to the registry"
Explain_4="Set SBTools to REG_SZ value of C:\Program files\McAfee\Endpoint Encryption\Autodomain when configured to Enable and NULL on disable. SBTools is modified under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If the key doesn't exist a new key will be written to the registry"

*****************************************

; is for comments
CLASS keyword defines which registry hive will be read/modified
CATEGORY defines a subsection under Administrative Templates;
if the category doesn't exist, a new category will be created when the template is imported into the GPO MMC
POLICY "Configure ExemptNetwork Registry key" ; the name of the entry under GP
KEYNAME "System\CurrentControlSet\Services\Sbce" ; registry key to query; if the key doesn't exist, a new key will be created
EXPLAIN !!Explain_1 ; description of the GP; it uses a variable which is defined in
; the strings section

VALUENAME "ExemptNetwork" ; the registry value name
VALUEON NUMERIC 1 ; value when GP is enabled
VALUEOFF NUMERIC 0 ; value when GP is disabled
END POLICY ; policy closed
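
An added example, not part of the original post: a small Python audit of an ADM template that lists each policy's registry target and flags two things worth knowing before importing it. Settings written outside the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies keys are not removed when the GPO stops applying, and a value under CurrentVersion\Run is an autostart entry. The names audit_adm and SAMPLE_ADM and the flag labels are hypothetical, and only KEYNAME lines inside a POLICY block are handled.

```python
import re

# Constructed sample: two of the policies from the template on this page.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "SYSTEM"
POLICY "Configure ExemptNetwork Registry key"
KEYNAME "System\CurrentControlSet\Services\Sbce"
VALUENAME "ExemptNetwork"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
POLICY "Define SBTools"
KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUENAME SBTools
VALUEON "C:\Program files\McAfee\Endpoint Encryption\Autodomain"
VALUEOFF "Null"
END POLICY
END CATEGORY
'''

HIVES = {"MACHINE": "HKLM", "USER": "HKCU"}
MANAGED = ("software\\policies\\",
           "software\\microsoft\\windows\\currentversion\\policies\\")
AUTORUN = re.compile(r"\\currentversion\\run(once)?$")

def audit_adm(text):
    """Return one dict per POLICY: hive, key, value name and review flags."""
    hive, cur, found = None, None, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):      # blank or comment line
            continue
        word, _, rest = line.partition(" ")
        word, rest = word.upper(), rest.strip().strip('"')
        if word == "CLASS":
            hive = HIVES.get(rest.upper(), rest)
        elif word == "POLICY":
            cur = {"policy": rest, "hive": hive, "flags": []}
        elif word in ("KEYNAME", "VALUENAME") and cur is not None:
            cur[word.lower()] = rest              # only POLICY-level keys handled
        elif word == "END" and rest.upper() == "POLICY" and cur is not None:
            key = cur.get("keyname", "").lower()
            if not (key + "\\").startswith(MANAGED):
                cur["flags"].append("unmanaged")  # value stays after GPO removal
            if AUTORUN.search(key):
                cur["flags"].append("autorun")    # autostart key, review the command
            found.append(cur)
            cur = None
    return found
```

Run over the full template from this post, every policy comes back flagged as unmanaged, and "Define SBTools" is also flagged as autorun.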

You can do much more than these basics with a custom template. More details can be found on TechNet:

http://technet.microsoft.com/en-us/library/cc779567%28v=ws.10%29.aspx

I hope this is helpful.
