
how do i create custom .adm / group policy files?

Update: With thanks to some great help and troubleshooting from Steven, we have resolved the line 46 “Categor” error. For the ADM parser to read the final “Y” in this file, two additional blank lines or “carriage returns” are necessary at the end of the ADM file. The download file has been updated. Thanks again, Steven.

A .adm file is a group policy file that specifies policies outside of Microsoft’s default options. Basically, they are policies you can put in place that Microsoft, in their infinite wisdom, forgot to put in before launch.

I had a situation recently where we had external users coming into our network and using our CAGs to access the Citrix environment. Once in there, they needed access to an internal webpage that we published with Internet Explorer. The problem was that these users could browse the local LAN for resources with the address bar and many other wonderful utilities Microsoft put into Internet Explorer but failed to lock down efficiently.

All I really cared about (and for the interest of this post) was locking down the address bar in Internet Explorer 6.1. Nowhere could I find an option to do this, and I was getting nowhere fast. Searching for Internet Explorer did bring back a few “helpful” articles on TechNet that I just couldn’t understand, and I did find a piece of software that used to do it for free, until Microsoft bought the company, stole its code for Server 2008 and stopped people using or downloading the application. Nice one, Microsoft…

I have attached the policy settings and ADM files for reference on how to lock down Internet Explorer 6 completely; hopefully I will save somebody else 7 hours of their time.

Long story short: no policy existed, there was no helpful application, and because I needed this policy to only affect the users (and not the servers where internal staff use Internet Explorer too) I had to create the ADM file myself.

I opened the Word 2003 ADM file you get with ORK 2003 and set about bodging the code to suit myself. The entries below disable the address and link bars by using registry entries. Remember you must still lock the toolbar in Group Policy to restrict these users from changing the toolbars.

CLASS USER

CATEGORY "Internet Explorer Lockdown"
    ; CLASS USER: the values below are written under HKEY_CURRENT_USER in this key
    KEYNAME "Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions"
    POLICY "Disable internet explorer address bar"
        PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
            VALUENAME NoAddressBar
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
    POLICY "Disables internet explorer links bar"
        PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
            VALUENAME NoLinksBar
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
END CATEGORY

The other lockdowns I required (not covered in Group Policy… /sigh), disabling the search function, disabling the help bar and disabling mail/news, are listed below.

CATEGORY "Internet Explorer Lockdown"
    ; Help menu and Mail & News restrictions
    KEYNAME "Software\Policies\Microsoft\Internet Explorer\Restrictions"
    POLICY "Disable internet explorer help bar"
        PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
            VALUENAME NoHelpMenu
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
    POLICY "Disable Mail&News option"
        PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
            VALUENAME RestGoMenu
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
END CATEGORY
CATEGORY "Internet Explorer Lockdown"
    ; Search restriction, stored under the Windows Explorer policies key
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\explorer"
    POLICY "Disable Search Access"
        PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
            VALUENAME NoFind
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
END CATEGORY

Once I had the above all in one text document, I saved it as a .adm file and imported it into Group Policy. I checked the options and, hey presto, users were locked down. It took me over 8 hours to achieve the above (and the other default policy settings); realistically it shouldn’t have taken more than 2.
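A pre-import check for the failure modes this template can hit when it is copied around: typographic quotes picked up from a web page, unbalanced CATEGORY/POLICY/PART blocks, and the missing line breaks at the end of the file described in the update above. This is an added example, not the author's code; the function name `lint_adm` and the sample text are constructed here, and only the three block keywords used on this page are tracked.

```python
import re

BLOCKS = ("CATEGORY", "POLICY", "PART")   # block keywords used in this page's template
CURLY = "\u201c\u201d\u2018\u2019"          # typographic quotes picked up from web pages

def lint_adm(text):
    """Return (line_number, message) findings for an ADM template."""
    findings, stack = [], []              # stack holds (keyword, line) of open blocks
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        if any(q in raw for q in CURLY):
            findings.append((no, "typographic quote; use plain double quotes"))
        # Blank out quoted strings first: the PART captions contain ';',
        # which otherwise starts a comment in ADM.
        code = re.sub(r'"[^"]*"', '""', raw).split(";", 1)[0]
        words = code.upper().split()
        if len(words) > 1 and words[0] == "END":
            if stack and stack[-1][0] == words[1]:
                stack.pop()
            else:
                opened = stack[-1][0] if stack else "nothing"
                findings.append((no, f"END {words[1]} does not close {opened}"))
        elif words and words[0] in BLOCKS:
            stack.append((words[0], no))
    for kw, no in stack:
        findings.append((no, f"{kw} opened here is never closed"))
    # Per the update on this page: the last keyword was read truncated
    # until two line breaks followed it.
    tail = text[len(text.rstrip("\r\n")):]
    if tail.count("\n") < 2:
        findings.append((len(lines), "fewer than two line breaks after the last line"))
    return findings

# Constructed sample: the page's first policy, pasted with curly quotes on
# line 2 and saved with no line break after the final END CATEGORY.
SAMPLE = (
    'CLASS USER\n'
    'CATEGORY \u201cInternet Explorer Lockdown\u201d\n'
    'KEYNAME "Software\\Policies\\Microsoft\\Internet Explorer\\Toolbars\\Restrictions"\n'
    'POLICY "Disable internet explorer address bar"\n'
    'PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX\n'
    'VALUENAME NoAddressBar\nVALUEON NUMERIC 1\nVALUEOFF NUMERIC 0\n'
    'END PART\nEND POLICY\nEND CATEGORY'
)

if __name__ == "__main__":
    for no, msg in lint_adm(SAMPLE):
        print(f"line {no}: {msg}")
```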

Files are here:

  1. Todd Plunkett
    May 2, 2008 at 7:52 pm

    This .adm is exactly what I’ve been looking for but I downloaded it and the 02bpp.adm was only 2k. is there another .adm that includes all of the settings found in the IE lockdown.htm file?

    Thanks for your help,

    Todd

  2. andy
    May 22, 2008 at 5:46 pm

    The o2bpp.adm is only for specific features, namely removing the address bar. All other options not covered in the .adm are Active Directory defaults.

  3. Kevin the Mighty
    May 29, 2008 at 12:56 am

    Thanks for putting this together for the rest of us! The download is broken, but cut/paste works just as well.

    Thanks,
    Kevin

  4. Andrew Morgan
    May 29, 2008 at 9:11 am

    Thanks Kevin, my host seems to not be paying his bills 🙂

    http://www.4shared.com/file/49478948/c94b090c/Internet_explorer_Lockdown.html

    re shared here:

  5. Steven
    September 29, 2008 at 2:09 pm

    Hey Kevin – I tried to use that .adm file you have available to import it in as a new template and am getting an error: “The following error occurred in [policy path] on line 46: Error 51 Unexpected keyword Found: CATEGOR Expected: CATEGORY The file can not be loaded” – We have IE 7 in our environment, as well as IE6 – does that make a difference? In looking at the file, I do see the complete word “CATEGORY” so not sure why it is throwing that error. Any help appreciated – I really like the idea you have posted here and would love to use it to lock down Inet for some clients. Thanks,- Steven

  6. September 29, 2008 at 8:18 pm

    Hi steven,

    Internet Explorer 7 shouldn’t make any difference to the ADM file; there are custom Internet Explorer 7 ADM files available from Microsoft here: http://www.microsoft.com/downloads/details.aspx?familyid=11ab3e81-6462-4fda-8ee5-fcb8264c44b1&displaylang=en

    Why you are getting this error I do not know. I will import my template back into Group Policy tomorrow and test it still works.

    Andy

  7. Steven
    October 15, 2008 at 1:47 pm

    Thanks for the feedback Andy – I’ll take a look at the link – yeah – it’s kinda puzzling why it won’t work in my environment – thanks for your help-

    SB

  8. Steven
    October 20, 2008 at 9:07 pm

    Looks like I fixed it by adding an additional “Y” to the word “CATEGORY” on line 46…. Now, I get no errors when I load the .adm file, and I’m able to configure the options for the OU – thanks for putting this together – it is EXTREMELY handy!!!!

    SB

  9. October 20, 2008 at 9:37 pm

    Hey Steven!

    I’m delighted you got it working man and I’m very sorry for the missing y, this is due to the script missing a blank line or “carriage return”.

    It’s been so long since I wrote this script that I have forgotten most of it 🙂

    I have updated the entry to reflect the needed changes.

    Keep up the good work,

    Andy

  10. Ilene
    October 23, 2009 at 3:38 pm

    I’m looking to create a GPO for IE6 to uncheck the Reuse windows for launching shortcuts. Can anyone help?

    • October 23, 2009 at 11:32 pm

      Hi Ilene,

      To do this you need two things: an ADM file and the registry key necessary to make the change.

      If you provide me with the registry file, I’ll gladly show you how to create your ADM file.

      To get the registry key, simply download regshot (http://sourceforge.net/projects/regshot/) and launch it:

      take the first capture
      make the change to IE
      take the second capture.

      the review should give you the registry key, if not send me an email andrew.morgan@o2.ie and I’ll gladly help 🙂

      Kindest regards,

      A
