August 27, 2008 12:00 AM

Secure Active Directory With XML-Based Templates

Changes to Group Policy admin templates boost security
Windows IT Pro
InstantDoc ID #99709
Executive Summary: If you use Microsoft Windows Vista or Microsoft Windows Server 2008 to administer your systems, recent Group Policy changes will affect you. ADMX/ADML is a new XML-based template format that can be stored centrally and customized, and that gives you better integrity guarantees for your administrative template files than the old .adm mechanism. The ADMX Editor feature of the ADMX Migrator tool lets you create your own customized .admx files, but this feature is slow and somewhat buggy.

Even if you’re not planning to upgrade to Windows Vista anytime soon, your IT department might use Vista for systems administration. If so, you can take advantage of the improvements Microsoft made to Vista’s Group Policy administrative templates. Vista’s .admx files (Microsoft’s new XML-based format for administrative templates) function differently than previous OSs’ administrative templates.

Group Policy administrative templates, or .adm files, define the registry-based settings that are displayed in the Group Policy Object Editor. The templates are divided into two sections that define computer settings and user settings. These settings appear under the Administrative Templates nodes in the Group Policy Object Editor. You can create your own administrative templates to control registry settings with Group Policy, and add them to a Group Policy Object (GPO) by right-clicking Administrative Templates in the Group Policy Object Editor and clicking Add/Remove Templates. In Windows Server 2008, Group Policy Preferences (the Registry preference extension) largely eliminate the need to write custom administrative templates or scripts just to set registry values. Keep the difference in mind, though: a preference writes to the ordinary part of the registry, so the value can be changed locally between refreshes and stays behind if the GPO is removed, whereas a policy delivered through an administrative template writes to the locked-down Policies keys and is cleaned up when the policy no longer applies.

A New XML Format for Vista and Server 2008
The .adm file format dates from the system policies of Windows NT Server. Vista's and Server 2008's .admx files are instead based on a documented XML schema, which makes it easier both to modify the files and to develop applications that work with the new format. An .adm file contains a strings section holding the text that the Group Policy Object Editor displays. The .admx format moves those strings into a separate .adml file, stored in a language-named subfolder such as en-US, so a single .admx file serves systems that use different languages; you add one .adml file per language rather than a new .admx file.

Centralize Storage for Improved Integrity
In Windows 2000 and Windows Server 2003 domains, .adm files are stored locally on the machines used to edit GPOs and in the Group Policy Templates (GPTs), which are located in the Sysvol directory on domain controllers (DCs). Every GPO has a GPT (alongside its Group Policy Container in AD), and each GPT carries its own Adm folder; thus multiple copies of the same .adm files are replicated to every DC. Versioning of .adm files is crude: the editor compares the time and date stamps of the local and GPT copies of the file, and if the local .adm file is newer than the GPT version, the local copy is uploaded to the Sysvol directory and replicated.

This behavior leads to an integrity problem if a local .adm file is corrupt, and to a security problem if someone maliciously modifies an .adm file: a newer timestamp is all it takes for that copy to win and be replicated to every DC. You can prevent local copies of .adm files from being uploaded to DCs, and force the editor to use the local .adm files instead, by enabling the Always use local .adm files for Group Policy editor setting under Computer Configuration\Administrative Templates\System\Group Policy.
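The timestamp rule above is what makes stray .adm copies dangerous, so here is a check for it. This is an added example, not code from the article: it enumerates every Adm folder under Sysvol, flags any .adm name that exists with different contents in different GPTs, and flags local copies that are newer than (and different from) a GPT copy, which are exactly the ones the editor would upload on the next edit. The domain name contoso.com and the local template folder %SystemRoot%\inf are assumptions, and Get-FileHash needs Windows PowerShell 4.0 or later.

```powershell
# Added example, not the article's own code. Assumptions: domain contoso.com,
# local .adm templates in %SystemRoot%\inf (pre-Vista default), PowerShell 4.0+ for Get-FileHash.
function Get-AdmCopies {
    param([Parameter(Mandatory)][string]$Domain)
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    # Each GPT keeps its own copy under <GPO GUID>\Adm; collect all of them with a content hash.
    Get-ChildItem -Path "$policies\*\Adm\*.adm" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Gpo       = $_.Directory.Parent.Name        # the {GUID} folder of the GPO
            Name      = $_.Name
            Hash      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            LastWrite = $_.LastWriteTimeUtc
            Path      = $_.FullName
        }
    }
}

function Find-DivergentAdm {
    param([object[]]$Copies)
    # Same file name in several GPTs but different hashes: one copy was edited, corrupted or replaced.
    $Copies | Group-Object -Property Name | Where-Object {
        @($_.Group | Select-Object -ExpandProperty Hash -Unique).Count -gt 1
    } | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Copies = ($_.Group | Select-Object Gpo, Hash, LastWrite) }
    }
}

function Find-PendingAdmUpload {
    param([object[]]$Copies, [string]$LocalAdmDir = "$env:SystemRoot\inf")
    # A local .adm that is newer than the GPT copy is what the editor uploads on the next edit,
    # so "newer and different" is the condition to review before anyone opens that GPO.
    foreach ($copy in $Copies) {
        $local = Join-Path $LocalAdmDir $copy.Name
        if (-not (Test-Path -Path $local)) { continue }
        $localItem = Get-Item -Path $local
        $localHash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
        if ($localItem.LastWriteTimeUtc -gt $copy.LastWrite -and $localHash -ne $copy.Hash) {
            [pscustomobject]@{
                Name      = $copy.Name
                Gpo       = $copy.Gpo
                LocalHash = $localHash
                GptHash   = $copy.Hash
            }
        }
    }
}

$copies = Get-AdmCopies -Domain 'contoso.com'
Find-DivergentAdm -Copies $copies | Format-List
Find-PendingAdmUpload -Copies $copies | Format-Table -AutoSize
```

Run it from the workstation whose local .adm files you are about to trust. An empty result from both functions means every GPT holds identical copies and nothing on this machine would overwrite them; anything else deserves a look before you open a GPO in the editor.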

However, this means that the .adm files on all administrative workstations must be kept in sync by hand. Although .adm files can't be stored centrally, .admx files can: a central store in Sysvol works even in a Win2K or Server 2003 domain and is replicated between DCs like the rest of Sysvol. The central store is optional, and Server 2008 does not create it for you; if you want one, you create it yourself with the steps below. Once the store exists, administer GPOs only from Vista or Server 2008 so that no .adm files are uploaded automatically to the Sysvol directory. Test the steps in a lab environment first: the change lives in Sysvol rather than in any one GPO, so it can't be rolled back by unlinking a GPO.

1. Open Windows Explorer and enter the Universal Naming Convention (UNC) path \\DomainName.com\sysvol\DomainName.com\Policies in the address bar, then create a new folder called PolicyDefinitions, as Figure 1 shows.

2. Update the Vista or Server 2008 machine you will copy the templates from with the latest service pack and patches, so the store starts from the newest templates.

3. Copy the contents of that machine's PolicyDefinitions folder (%SystemRoot%\PolicyDefinitions), including the en-US subfolder and any other language subfolders with their .adml files, to the new PolicyDefinitions folder on the server.
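The three steps above as one script, added here as an example rather than taken from the article: it creates the PolicyDefinitions folder in Sysvol only if it doesn't already exist, copies the .admx files and every language subfolder from the reference machine, and then checks that each copied file in the store is byte-identical to its source. The domain contoso.com and the source path are assumptions; run it from the patched Vista or Server 2008 machine (or a later Windows with PowerShell 4.0 or newer for Get-FileHash) with an account that can write to Sysvol.

```powershell
# Added example, not the article's own code. Assumptions: domain contoso.com,
# reference templates in $env:SystemRoot\PolicyDefinitions, PowerShell 4.0+ for Get-FileHash.
function New-CentralStore {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$SourceDir = "$env:SystemRoot\PolicyDefinitions"
    )
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

    # Step 1: create the folder; an existing store is reused, never wiped.
    if (-not (Test-Path -Path $store)) {
        New-Item -ItemType Directory -Path $store | Out-Null
    }

    # Step 3: .admx files go in the root of the store; each language folder
    # (en-US, de-DE, ...) goes under it with its .adml files. Nothing else is copied.
    Copy-Item -Path (Join-Path $SourceDir '*.admx') -Destination $store -Force
    foreach ($lang in Get-ChildItem -Path $SourceDir -Directory) {
        $langDir = Join-Path $store $lang.Name
        if (-not (Test-Path -Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
        Copy-Item -Path (Join-Path $lang.FullName '*.adml') -Destination $langDir -Force
    }
    return $store
}

function Compare-CentralStore {
    param([Parameter(Mandatory)][string]$SourceDir, [Parameter(Mandatory)][string]$Store)
    # Every template in the source must exist in the store with the same SHA-256; a differing
    # hash means a stale or tampered copy is what every admin will be editing against.
    $sourceRoot = (Get-Item -Path $SourceDir).FullName.TrimEnd('\')
    foreach ($file in Get-ChildItem -Path $SourceDir -Recurse -Include *.admx, *.adml) {
        $relative = $file.FullName.Substring($sourceRoot.Length + 1)
        $target   = Join-Path $Store $relative
        if (-not (Test-Path -Path $target)) {
            [pscustomobject]@{ File = $relative; Status = 'missing in store' }
            continue
        }
        $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            [pscustomobject]@{ File = $relative; Status = 'differs from source' }
        }
    }
}

$store    = New-CentralStore -Domain 'contoso.com'
$problems = @(Compare-CentralStore -SourceDir "$env:SystemRoot\PolicyDefinitions" -Store $store)
if ($problems.Count -eq 0) {
    Write-Output "Central store $store matches the source templates."
} else {
    $problems | Format-Table -AutoSize
}
```

The store inherits Sysvol's permissions, so the same accounts that can write to Sysvol can swap a template in it; keeping a known-good copy of PolicyDefinitions and re-running Compare-CentralStore against it periodically is a cheap way to notice that.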

Vista's and Server 2008's Group Policy tools look for this PolicyDefinitions folder, so any new GPO that is created and edited exclusively from Vista or Server 2008 in a Win2K or Server 2003 domain where the folder is present will have a GPT without an ADM folder. Figure 2 shows the Administrative Templates node in the Group Policy Management Editor where a central store for .admx files has been detected. To add an .admx template to the central store, you copy the file directly to the PolicyDefinitions folder on a DC, together with its .adml file in the matching language subfolder; the editor reports an error for an .admx file whose .adml it can't find. Once the store exists, you can secure the administrative templates in the store and the GPOs separately. You can still right-click the Administrative Templates node in the Group Policy Management Editor and add an .adm template, which appears under the Classic Administrative Templates (ADM) node, but you should avoid this and convert .adm files to .admx format instead.

Migrating to the .admx Format
If you want to take full advantage of the central store, you can convert your .adm files to the new format, delete the old .adm templates from each GPT on the server, and upload the converted .admx files to the central store. To convert .adm files to .admx, you’ll need to download the free ADMX Migrator tool from www.microsoft.com/downloads/details.aspx?familyid=0f1eec3d-10c4-4b5f-9625-97c2f731090c. Install the tool on an admin workstation and follow these instructions to convert each .adm file to .admx:

1. Open ADMX Editor by selecting All Programs, FullArmor, FullArmor ADMX Migrator from the Start menu.

2. In the left-hand pane, right-click ADMX Editor and select Generate ADMX from ADM on the menu.

3. Select the .adm file you want to convert and click Open.

4. The conversion process takes a few seconds, after which you're presented with a summary of any errors that were encountered in the Conversion Results dialog box that Figure 3 shows. Click Close.

5. You’ll then be given the opportunity to load the new .admx file into the editor. Click Yes. The new template will now appear in the central pane in the Template box.

6. Double-click ADMX Templates under ADMX Editor in the left-hand pane, right-click the template, and select Save As from the menu to save a copy of the new template in a convenient temporary location.
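Before a converted template goes into the central store, it's worth checking the things the Group Policy Management Editor will reject, which the migration steps above don't do for you. The following is an added example, not code from the article or from ADMX Migrator: it parses the .admx as XML, confirms the root element, checks that every policy carries the class and key attributes, resolves every $(string.id) reference against the matching .adml, and only then copies both files into the store in the right places. The paths C:\Temp\MyApp.admx and C:\Temp\en-US\MyApp.adml and the domain contoso.com are hypothetical.

```powershell
# Added example, not from the article or from ADMX Migrator. Assumptions: converted files saved as
# C:\Temp\MyApp.admx and C:\Temp\en-US\MyApp.adml (hypothetical names); domain contoso.com.
function Test-AdmxTemplate {
    param([Parameter(Mandatory)][string]$AdmxPath, [string]$Language = 'en-US')
    $reasons = New-Object System.Collections.Generic.List[string]

    try { [xml]$admx = Get-Content -Path $AdmxPath -Raw -ErrorAction Stop } catch {
        return [pscustomobject]@{ Admx = $AdmxPath; Adml = $null; Valid = $false
                                  Reasons = @("not well-formed XML: $($_.Exception.Message)") }
    }
    if ($admx.DocumentElement.LocalName -ne 'policyDefinitions') {
        $reasons.Add("root element is <$($admx.DocumentElement.LocalName)>, expected <policyDefinitions>")
    }

    # Each <policy> needs a class (Machine, User or Both) and a registry key; the editor rejects the file otherwise.
    foreach ($policy in @($admx.policyDefinitions.policies.policy)) {
        if ($null -eq $policy) { continue }
        if (-not $policy.class) { $reasons.Add("policy '$($policy.name)' has no class attribute") }
        if (-not $policy.key)   { $reasons.Add("policy '$($policy.name)' has no key attribute") }
    }

    # The .adml must sit in the language subfolder with the same base name and must define
    # every $(string.id) the .admx references; a missing string is the classic load-time error.
    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($AdmxPath)
    $admlPath = Join-Path (Join-Path (Split-Path -Path $AdmxPath -Parent) $Language) "$baseName.adml"
    if (-not (Test-Path -Path $admlPath)) {
        $reasons.Add("missing language file $admlPath")
    } else {
        [xml]$adml = Get-Content -Path $admlPath -Raw
        $defined = @($adml.SelectNodes("//*[local-name()='string']") | ForEach-Object { $_.GetAttribute('id') })
        $referenced = [regex]::Matches((Get-Content -Path $AdmxPath -Raw), '\$\(string\.([^)]+)\)') |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
        foreach ($id in $referenced) {
            if ($defined -notcontains $id) { $reasons.Add("string '$id' referenced but not defined in $admlPath") }
        }
    }

    [pscustomobject]@{ Admx = $AdmxPath; Adml = $admlPath; Valid = ($reasons.Count -eq 0); Reasons = $reasons.ToArray() }
}

function Publish-AdmxTemplate {
    param([Parameter(Mandatory)][string]$AdmxPath, [Parameter(Mandatory)][string]$Domain, [string]$Language = 'en-US')
    $check = Test-AdmxTemplate -AdmxPath $AdmxPath -Language $Language
    if (-not $check.Valid) { throw ("Refusing to publish ${AdmxPath}: " + ($check.Reasons -join '; ')) }

    # Central store layout: .admx in the root, .adml under the language folder.
    $store   = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $langDir = Join-Path $store $Language
    if (-not (Test-Path -Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
    Copy-Item -Path $AdmxPath -Destination $store -Force
    Copy-Item -Path $check.Adml -Destination $langDir -Force
    Write-Output "Published $($check.Admx) and $($check.Adml) to $store"
}

Publish-AdmxTemplate -AdmxPath 'C:\Temp\MyApp.admx' -Domain 'contoso.com'
```

Test-AdmxTemplate on its own is also a reasonable gate for templates you download from vendors: the string-reference check catches the common case of an .admx shipped with a stale .adml, and a template that fails it will fail in the editor on every administrator's workstation once it is in the central store.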

