Administrative Templates (ADM) files contain the settings that are applied by a group policy. They are simple text files that can be edited or created with a text editor, like Notepad, and they let you manage options that are not normally covered in the default group policies.
An ADM file is nothing more than a description, a registry setting (or settings), and the related values. An ADM file follows a simple structure.
- CLASS MACHINE or USER (defines whether the policy affects HKEY_USER or HKEY_LOCAL_MACHINE)
- CATEGORY (the name of the policy category)
- SUB-CATEGORY (the name of the policy sub-category; this is optional)
- POLICY (defines the name of the policy)
- KEYNAME (defines the registry keyname; do not include the first level, i.e. HKEY_USER)
- VALUENAME (defines the name of the registry value)
- VALUEON "1" VALUEOFF "0"
- END POLICY
- END CATEGORY;
You can create the file with a text editor, Notepad for example, and save it with the ADM extension. A while back I wrote an article on disabling write access to removable storage devices like USB keys and CD burners. Next I will show you how to create an ADM file to manage this through group policy.
CLASS MACHINE
CATEGORY "Removeable Storage Write Access"
POLICY "USB Write Access"
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
VALUENAME "WriteProtect"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY;
You can copy and paste that into a text editor and save it as Removable Devices.adm. Next copy it to %SystemRoot%\Inf. Now open up Active Directory Users and Computers MMC and expand either User or Computer Settings. Right-click Administrative Templates and select Add/Remove Templates. You will see a list of currently installed policy templates. Click Add.
Select the Removable Devices policy template and click Open. The template will be added and appear in the list.
Before we can proceed we need to change one setting in the MMC itself. Click on View and select Filtering. Remove the checkmark next to Only show policy settings that can be fully managed and then click OK to save and exit.
We are now ready to proceed. Expand Administrative Templates and you will see a folder called Removeable Storage Write Access. This was defined with the CATEGORY line in the ADM file.
Expand this folder and we will see the USB Write Access policy. This was defined with the POLICY line in the ADM file.
Open up the USB Write Access policy and we can enable it (VALUEON) or disable it (VALUEOFF).
With it enabled, open up the registry with regedit and drill down to HKLM\SYSTEM\CurrentControlSet\Control\. You will see that the StorageDevicePolicies key was created as well as the WriteProtect value, and it was given a value of 1 (on).
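As an added example (not from the original article), here is a small Python parser for the ADM structure described above. It also flags policies whose KEYNAME lies outside the registry subtrees Group Policy fully manages, which is why the filter had to be cleared in the MMC before the policy appeared. The names parse_adm and the "managed" field are assumptions of this example, and only the keywords used in this article are handled.

```python
import re

# Constructed sample: the ADM text from the article above.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY "Removeable Storage Write Access"
POLICY "USB Write Access"
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
VALUENAME "WriteProtect"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY;
'''

# Subtrees Group Policy fully manages; keys elsewhere are unmanaged preferences.
MANAGED_PREFIXES = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)
HIVES = {"MACHINE": "HKLM", "USER": "HKCU"}
TOKEN = re.compile(r'"[^"]*"|;.*|[^\s;]+')  # quoted string, comment, bare word


def parse_adm(text):
    """Return one dict per POLICY block (nested categories are flattened)."""
    policies, hive, category, cat_key, cur = [], None, None, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in TOKEN.findall(line) if not t.startswith(";")]
        if not tok:
            continue
        kw, args = tok[0].upper(), tok[1:]
        if kw == "CLASS" and args:
            hive = HIVES.get(args[0].upper())
        elif kw == "CATEGORY" and args:
            category, cat_key = args[0], None
        elif kw == "POLICY" and args:
            cur = {"hive": hive, "category": category,
                   "policy": args[0], "keyname": cat_key}
        elif kw == "KEYNAME" and args and cur is None:
            cat_key = args[0]  # category-level key, inherited by its policies
        elif kw == "END" and args and args[0].upper() == "POLICY" and cur:
            key = (cur["keyname"] or "").lower().rstrip("\\") + "\\"
            cur["managed"] = key.startswith(MANAGED_PREFIXES)
            policies.append(cur)
            cur = None
        elif cur is not None and args and kw in ("KEYNAME", "VALUENAME", "VALUEON", "VALUEOFF"):
            cur[kw.lower()] = args[-1]  # "NUMERIC 1" and "1" both yield "1"
    return policies
```

A policy reported with "managed" set to False writes a value that stays in the registry after the GPO no longer applies, so set it to Disabled (VALUEOFF) before unlinking the policy.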