Administrative templates in Group Policy allow you to manage registry-based settings across computers in an Active Directory domain. While Windows includes hundreds of built-in templates, you may need custom templates to manage settings for third-party applications or your own internal software. This guide covers both the legacy ADM format and the modern ADMX/ADML format.
Understanding Administrative Templates
Administrative templates define registry-based policy settings that the Group Policy Editor displays in a structured, user-friendly interface. When an administrator enables a policy setting, Group Policy writes the corresponding registry value to the target computer or user profile during the next policy refresh cycle.
Key Concepts
- ADMX files: XML-based template files that define the policy settings, registry keys, and UI elements. These are language-neutral.
- ADML files: Language-specific resource files that provide the display strings (names, descriptions, help text) for the settings defined in ADMX files.
- Policies key: Settings written under HKLM\SOFTWARE\Policies or HKCU\SOFTWARE\Policies are true Group Policy settings that are enforced and removed when the policy no longer applies.
- Preferences (tattoo settings): Settings written outside the Policies key persist in the registry even after the GPO is removed.
The Central Store
Before creating custom templates, set up the Central Store so that all administrators use the same template files.
Creating the Central Store
- On a domain controller, navigate to \\<domain>\SYSVOL\<domain>\Policies\.
- Create a folder named PolicyDefinitions.
- Copy all ADMX files from C:\Windows\PolicyDefinitions\ on a Windows machine into this folder.
- Copy the language subfolders (for example, en-US) with their ADML files as well.
# Create Central Store and copy templates
$sysvolPath = "\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions"
New-Item -Path $sysvolPath -ItemType Directory -Force
# Copy ADMX files
Copy-Item "C:\Windows\PolicyDefinitions\*.admx" -Destination $sysvolPath
# Copy language files
$langPath = Join-Path $sysvolPath "en-US"
New-Item -Path $langPath -ItemType Directory -Force
Copy-Item "C:\Windows\PolicyDefinitions\en-US\*.adml" -Destination $langPath
Once the Central Store exists, the Group Policy Editor automatically loads templates from it instead of the local machine.
Creating a Custom ADMX Template
Here is a complete example of a custom ADMX file that manages application settings.
ADMX File (MyAppPolicy.admx)
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    revision="1.0"
    schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="myapp" namespace="MyCompany.Policies.MyApp" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="MyApp" displayName="$(string.MyApp_Category)">
      <parentCategory ref="windows:System" />
    </category>
    <category name="MyApp_Security" displayName="$(string.MyApp_Security_Category)">
      <parentCategory ref="MyApp" />
    </category>
  </categories>
  <policies>
    <!-- Enable or disable automatic updates -->
    <policy name="AutoUpdate"
            class="Machine"
            displayName="$(string.AutoUpdate_Name)"
            explainText="$(string.AutoUpdate_Help)"
            key="SOFTWARE\Policies\MyCompany\MyApp"
            valueName="EnableAutoUpdate">
      <parentCategory ref="MyApp" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <!-- Configure update server URL -->
    <policy name="UpdateServer"
            class="Machine"
            displayName="$(string.UpdateServer_Name)"
            explainText="$(string.UpdateServer_Help)"
            presentation="$(presentation.UpdateServer_Presentation)"
            key="SOFTWARE\Policies\MyCompany\MyApp">
      <parentCategory ref="MyApp" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <text id="UpdateServerURL" valueName="UpdateServerURL" required="true" />
      </elements>
    </policy>
    <!-- Configure session timeout -->
    <policy name="SessionTimeout"
            class="User"
            displayName="$(string.SessionTimeout_Name)"
            explainText="$(string.SessionTimeout_Help)"
            presentation="$(presentation.SessionTimeout_Presentation)"
            key="SOFTWARE\Policies\MyCompany\MyApp">
      <parentCategory ref="MyApp_Security" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <decimal id="TimeoutMinutes" valueName="SessionTimeoutMinutes"
                 minValue="5" maxValue="480" />
      </elements>
    </policy>
    <!-- Configure logging level dropdown -->
    <policy name="LogLevel"
            class="Machine"
            displayName="$(string.LogLevel_Name)"
            explainText="$(string.LogLevel_Help)"
            presentation="$(presentation.LogLevel_Presentation)"
            key="SOFTWARE\Policies\MyCompany\MyApp">
      <parentCategory ref="MyApp" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <enum id="LogLevelDropdown" valueName="LogLevel">
          <item displayName="$(string.LogLevel_Error)">
            <value><decimal value="1" /></value>
          </item>
          <item displayName="$(string.LogLevel_Warning)">
            <value><decimal value="2" /></value>
          </item>
          <item displayName="$(string.LogLevel_Info)">
            <value><decimal value="3" /></value>
          </item>
          <item displayName="$(string.LogLevel_Debug)">
            <value><decimal value="4" /></value>
          </item>
        </enum>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
ADML File (en-US/MyAppPolicy.adml)
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    revision="1.0"
    schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>My Application Policy</displayName>
  <description>Administrative template for managing My Application settings.</description>
  <resources>
    <stringTable>
      <string id="MyApp_Category">My Application</string>
      <string id="MyApp_Security_Category">Security Settings</string>
      <string id="AutoUpdate_Name">Enable automatic updates</string>
      <string id="AutoUpdate_Help">Controls whether the application checks for and installs updates automatically.
If you enable this setting, the application will check for updates on startup.
If you disable this setting, automatic updates are turned off.
If you do not configure this setting, the user can choose.</string>
      <string id="UpdateServer_Name">Configure update server URL</string>
      <string id="UpdateServer_Help">Specifies the URL of the internal update server.
If you enable this setting, the application will check the specified server for updates instead of the default public server.</string>
      <string id="SessionTimeout_Name">Configure session timeout</string>
      <string id="SessionTimeout_Help">Sets the session timeout in minutes. The user will be logged out after this period of inactivity.
Valid range: 5 to 480 minutes.</string>
      <string id="LogLevel_Name">Configure logging level</string>
      <string id="LogLevel_Help">Sets the verbosity of application logging.
Error: Only errors are logged.
Warning: Errors and warnings are logged.
Info: General information, warnings, and errors are logged.
Debug: All messages including debug details are logged.</string>
      <string id="LogLevel_Error">Error</string>
      <string id="LogLevel_Warning">Warning</string>
      <string id="LogLevel_Info">Information</string>
      <string id="LogLevel_Debug">Debug</string>
    </stringTable>
    <presentationTable>
      <presentation id="UpdateServer_Presentation">
        <textBox refId="UpdateServerURL">
          <label>Update Server URL:</label>
        </textBox>
      </presentation>
      <presentation id="SessionTimeout_Presentation">
        <decimalTextBox refId="TimeoutMinutes" defaultValue="30">Timeout (minutes):</decimalTextBox>
      </presentation>
      <presentation id="LogLevel_Presentation">
        <dropdownList refId="LogLevelDropdown" defaultItem="0">Logging Level:</dropdownList>
      </presentation>
    </presentationTable>
  </resources>
</policyDefinitionResources>
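Added example (not part of the original guide): a pre-deployment lint for an ADMX/ADML pair. It flags policies whose key lies outside SOFTWARE\Policies, which would tattoo the registry as described under Key Concepts, and $(string.*) or $(presentation.*) references with no matching ADML entry. The Test-AdmxTemplate function, the BadPolicy entry and the trimmed sample XML are constructed for illustration.

```powershell
# Sample input constructed for this example: a trimmed ADMX/ADML pair.
# "BadPolicy" is hypothetical and carries both defects the lint looks for.
[xml]$sampleAdmx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="AutoUpdate" class="Machine" displayName="$(string.AutoUpdate_Name)"
            explainText="$(string.AutoUpdate_Help)"
            key="SOFTWARE\Policies\MyCompany\MyApp" valueName="EnableAutoUpdate" />
    <policy name="BadPolicy" class="Machine" displayName="$(string.BadPolicy_Name)"
            explainText="$(string.AutoUpdate_Help)"
            key="SOFTWARE\MyCompany\MyApp" valueName="LegacyFlag" />
  </policies>
</policyDefinitions>
'@
[xml]$sampleAdml = @'
<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <resources>
    <stringTable>
      <string id="AutoUpdate_Name">Enable automatic updates</string>
      <string id="AutoUpdate_Help">Controls automatic updates.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

function Test-AdmxTemplate {
    param([xml]$Admx, [xml]$Adml)
    # local-name() keeps the XPath independent of the default XML namespace
    $ids = @{
        'string'       = @($Adml.SelectNodes("//*[local-name()='stringTable']/*") | ForEach-Object { $_.GetAttribute('id') })
        'presentation' = @($Adml.SelectNodes("//*[local-name()='presentationTable']/*") | ForEach-Object { $_.GetAttribute('id') })
    }
    foreach ($policy in $Admx.SelectNodes("//*[local-name()='policy']")) {
        # A key outside SOFTWARE\Policies is not cleaned up when the GPO stops applying
        $key = $policy.GetAttribute('key')
        if ($key -notmatch '^SOFTWARE\\Policies(\\|$)') {
            [pscustomobject]@{ Policy = $policy.GetAttribute('name'); Issue = "tattooing key: $key" }
        }
        # Each $(string.X) / $(presentation.X) on the policy or its children must resolve in the ADML
        foreach ($attr in $policy.SelectNodes('descendant-or-self::*/@*')) {
            if ($attr.Value -match '^\$\((string|presentation)\.(.+)\)$' -and
                $Matches[2] -notin $ids[$Matches[1]]) {
                [pscustomobject]@{ Policy = $policy.GetAttribute('name'); Issue = "unresolved $($attr.Value)" }
            }
        }
    }
}

Test-AdmxTemplate -Admx $sampleAdmx -Adml $sampleAdml | Format-Table -AutoSize
```

To lint real files, load each one with [xml](Get-Content -Raw <path>) and pass the two documents to the function.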
Deploying the Custom Template
To the Central Store
- Copy MyAppPolicy.admx to \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\.
- Copy MyAppPolicy.adml to \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\en-US\.
To a Local Machine (for Testing)
- Copy MyAppPolicy.admx to C:\Windows\PolicyDefinitions\.
- Copy MyAppPolicy.adml to C:\Windows\PolicyDefinitions\en-US\.
Testing the Custom Template
- Open the Group Policy Editor (gpedit.msc for local or through GPMC for domain policies).
- Navigate to Computer Configuration > Administrative Templates (or User Configuration for user-scoped policies).
- Find your custom category (“My Application” in the example above).
- Open a policy setting and verify that the description, options, and help text display correctly.
- Enable the setting and verify that the registry value is created:
# Verify the registry value was set
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\MyCompany\MyApp" -Name "EnableAutoUpdate"
Legacy ADM Format
For environments still using Windows Server 2003 or managing legacy templates, here is a simple ADM example:
CLASS USER
CATEGORY "Desktop Settings"
  KEYNAME "SOFTWARE\Policies\System"
  POLICY "Disable Autoplay Feature"
    EXPLAIN "This policy disables the autoplay feature on selected drives."
    PART "Disable autoplay on" DROPDOWNLIST REQUIRED
      VALUENAME "NoDriveTypeAutoRun"
      ITEMLIST
        NAME "CD-ROM drives" VALUE NUMERIC 181 DEFAULT
        NAME "All drives" VALUE NUMERIC 255
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY
Save as a .adm file and add it through the Group Policy Editor by right-clicking Administrative Templates and selecting Add/Remove Templates.
Best Practices
- Always use the Policies key path (SOFTWARE\Policies\...) so settings are removed when the GPO is unlinked.
- Use ADMX/ADML format for new templates. The legacy ADM format is deprecated.
- Use the Central Store for consistency across all administrators.
- Include thorough explain text so other administrators understand what each setting does.
- Version your templates by incrementing the revision attribute when making changes.
- Test in a lab before deploying to production OUs.
Summary
Custom administrative templates extend Group Policy to manage registry-based settings for any application. The modern ADMX/ADML format uses XML to define policy settings (ADMX) and localized display strings (ADML). Deploy templates to the Central Store in SYSVOL for domain-wide availability, or to the local PolicyDefinitions folder for testing. Always write settings under the Policies registry key so they are properly enforced and removed by Group Policy, and test templates thoroughly before deploying them to production environments.