How do I create custom .adm / Group Policy files?

 

Update: With thanks to some great help and troubleshooting from Steven, we have resolved the line 46 “Categor” error. For the ADM parser to read the final “y” of the last CATEGORY keyword in this file, an additional two blank lines or “carriage returns” are necessary at the bottom of the .adm file. The download file has been updated. Thanks again, Steven.

An .adm file is a Group Policy administrative template file that specifies policies outside of Microsoft’s default options. Basically, they are policies you can put in place that Microsoft in their infinite wisdom forgot to put in before launch.

I had a situation recently where we had external users coming into our network and using our CAGs to access the Citrix environment. Once in there, they needed access to an internal webpage that we published with Internet Explorer. Therein lay the problem: these users could browse the local LAN for resources with the address bar and the many other wonderful utilities Microsoft put into Internet Explorer but failed to lock down efficiently.

All I really cared about (and for the interest of this post) was locking down the address bar in Internet Explorer 6.1. Nowhere could I find an option to do this, and I was getting nowhere fast. Searching for Internet Explorer did bring back a few “helpful” articles on TechNet that I just couldn’t understand, and I did find a piece of software that used to do it for free, until Microsoft bought the company, stole its code for Server 2008 and stopped people using or downloading the application. Nice one, Microsoft…

I have attached the policy settings and ADM files for reference on how to lock down Internet Explorer 6 completely; hopefully I will save somebody else 7 hours of their time.

Long story short: no policy existed, there was no helpful application, and because I needed this policy to affect only the users (and not the servers, where internal staff use Internet Explorer too), I had to create the .adm file myself.

I opened the Word 2003 .adm file you get with the ORK 2003 and set about bodging the code to suit myself. The entries below disable the address and links bars by using registry entries. Remember you must still lock the toolbar in Group Policy to restrict these users from changing the toolbars.

CLASS USER

CATEGORY "Internet Explorer Lockdown"
  ; CLASS USER means these values are written under HKEY_CURRENT_USER
  KEYNAME "Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions"
  POLICY "Disable internet explorer address bar"
    PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
      VALUENAME NoAddressBar
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END PART
  END POLICY
  POLICY "Disables internet explorer links bar"
    PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
      VALUENAME NoLinksBar
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END PART
  END POLICY
END CATEGORY

The entries for the other lockdowns I required (not covered in Group Policy…./sigh), disabling the search function, disabling the help bar and disabling mail/news, are listed below.

; Continues the same file, still under CLASS USER
CATEGORY "Internet Explorer Lockdown"
  KEYNAME "Software\Policies\Microsoft\Internet Explorer\Restrictions"
  POLICY "Disable internet explorer help bar"
    PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
      VALUENAME NoHelpMenu
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END PART
  END POLICY
  POLICY "Disable Mail&News option"
    PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
      VALUENAME RestGoMenu
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END PART
  END POLICY
END CATEGORY
CATEGORY "Internet Explorer Lockdown"
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
  POLICY "Disable Search Access"
    PART "Check to enforce setting on; uncheck to enforce setting off" CHECKBOX
      VALUENAME NoFind
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END PART
  END POLICY
END CATEGORY

Once I had all of the above in one text document, I saved it as a .adm file and imported it into Group Policy. I checked the options and, hey presto, users were locked down. It took me over 8 hours to achieve the above (and the other default policy settings); realistically it shouldn’t have taken more than 2.
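A pre-import check for the template problems that come up on this page: typographic quotes and lost backslashes after copy/paste, unbalanced CATEGORY/POLICY/PART blocks, and the missing trailing blank lines behind the line 46 “CATEGOR” error. This is an added example, not the author's code; the function name `Test-AdmTemplate`, the sample path, and the reading of “two blank lines” as two empty lines after the last line are assumptions.

```powershell
# Added example: lint an .adm template before importing it into Group Policy.
# Test-AdmTemplate is a hypothetical helper name, not a built-in cmdlet.
function Test-AdmTemplate {
    param([Parameter(Mandatory)][string]$Path)
    $raw      = Get-Content -LiteralPath $Path -Raw
    $lines    = $raw -split "\r?\n"
    $findings = New-Object System.Collections.Generic.List[string]
    $stack    = New-Object System.Collections.Generic.Stack[string]

    for ($i = 0; $i -lt $lines.Count; $i++) {
        $n    = $i + 1
        $line = $lines[$i].Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment

        # Typographic quotes (U+201C / U+201D) come from copying a web page.
        if ($line -match '[\u201C\u201D]') {
            $findings.Add("line ${n}: typographic quote, use a plain double quote")
        }
        # A KEYNAME is a registry path, so it should contain backslashes.
        if ($line -match '^KEYNAME\s+(.+)$' -and $Matches[1] -notmatch '\\') {
            $findings.Add("line ${n}: KEYNAME has no backslash, separators may be lost")
        }
        # Track CATEGORY / POLICY / PART nesting.
        if ($line -match '^END\s+(CATEGORY|POLICY|PART)\b') {
            $closing = $Matches[1].ToUpper()
            if ($stack.Count -eq 0 -or $stack.Peek() -ne $closing) {
                $findings.Add("line ${n}: END $closing does not match an open block")
            } else { [void]$stack.Pop() }
        } elseif ($line -match '^(CATEGORY|POLICY|PART)\b') {
            $stack.Push($Matches[1].ToUpper())
        }
    }
    foreach ($open in $stack) { $findings.Add("unclosed $open block at end of file") }

    # Assumption: "two blank lines" means two empty lines after the last line,
    # i.e. the file ends with three line breaks in a row.
    if ($raw -notmatch '(\r?\n){3}\z') {
        $findings.Add('file does not end with two blank lines after the last line')
    }
    return $findings
}

Test-AdmTemplate -Path '.\ie-lockdown.adm'   # placeholder path; no output means no findings
```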

Files are here:


11 Comments About “How do I create custom .adm / Group Policy files?”

  1. Todd Plunkett

    This .adm is exactly what I’ve been looking for but I downloaded it and the 02bpp.adm was only 2k. is there another .adm that includes all of the settings found in the IE lockdown.htm file?

    Thanks for your help,

    Todd

  2. andy

    The o2bpp.adm is only for specific features, namely removing the address bar. All other options not covered in the .adm are Active Directory defaults.

  3. Kevin the Mighty

    Thanks for putting this together for the rest of us! The download is broken, but cut/paste works just as well.

    Thanks,
    Kevin

  4. Steven

    Hey Kevin – I tried to use that .adm file you have available to import it in as a new template and am getting an error: “The following error occurred in [policy path] on line 46: Error 51 Unexpected keyword Found: CATEGOR Expected: CATEGORY The file can not be loaded” – We have IE 7 in our environment, as well as IE6 – does that make a difference? In looking at the file, I do see the complete word “CATEGORY” so not sure why it is throwing that error. Any help appreciated – I really like the idea you have posted here and would love to use it to lock down Inet for some clients. Thanks,- Steven

  5. Steven

    Thanks for the feedback Andy – I’ll take a look at the link – yeah – it’s kinda puzzling why it won’t work in my environment – thanks for your help-

    SB

  6. Steven

    Looks like I fixed it by adding an additional “Y” to the word “CATEGORY” on line 46…. Now, I get no errors when I load the .adm file, and I’m able to configure the options for the OU – thanks for putting this together – it is EXTREMELY handy!!!!

    SB

  7. Andrew Morgan

    Hey Steven!

    I’m delighted you got it working man and I’m very sorry for the missing y, this is due to the script missing a blank line or “carriage return”.

    It’s been so long since I wrote this script that I have forgotten most of it :)

    I have updated the entry to reflect the needed changes.

    Keep up the good work,

    Andy

    1. Andrew Morgan

      Hi Ilene,

      To do this you need two things: an ADM file and the registry key necessary to make the change.

      If you provide me with the registry file, I’ll gladly show you how to create your ADM file.

      To get the registry key, simply download regshot (http://sourceforge.net/projects/regshot/) and launch it:

      Take the first capture.
      Make the change to IE.
      Take the second capture.

      The review should give you the registry key; if not, send me an email at andrew.morgan@o2.ie and I’ll gladly help :)

      Kindest regards,

      A

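The capture, change, capture procedure from Andrew Morgan's last reply can also be done without a separate tool. The following is an added example, not part of the original thread; the helper names `Get-RegSnapshot` and `Compare-RegSnapshot` and the starting registry key are assumptions.

```powershell
# Added example: before/after capture of a registry subtree, the same idea as
# the Regshot steps in the comment. Helper names are hypothetical.
function Get-RegSnapshot {
    param([Parameter(Mandatory)][string]$Root)
    $snap = @{}
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # "key\value" -> data rendered as text so it can be compared
            $snap["$($key.Name)\$name"] = ($key.GetValue($name) | Out-String).Trim()
        }
    }
    return $snap
}

function Compare-RegSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($k in ($After.Keys | Sort-Object)) {
        if (-not $Before.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';   Value = $k; Old = $null;       New = $After[$k] }
        } elseif ($Before[$k] -ne $After[$k]) {
            [pscustomobject]@{ Change = 'Changed'; Value = $k; Old = $Before[$k]; New = $After[$k] }
        }
    }
    foreach ($k in ($Before.Keys | Sort-Object)) {
        if (-not $After.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Value = $k; Old = $Before[$k]; New = $null }
        }
    }
}

# Assumed starting point for an IE setting; widen the root if nothing shows up.
$root   = 'HKCU:\Software\Microsoft\Internet Explorer'
$before = Get-RegSnapshot -Root $root
$null   = Read-Host 'Make the change in Internet Explorer, then press Enter'
$after  = Get-RegSnapshot -Root $root
Compare-RegSnapshot -Before $before -After $after | Format-Table -AutoSize
```

The `Value` column gives the key path and value name that go into the KEYNAME and VALUENAME lines of the template.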