Using GPO and Office 2003/7/10/13/16 adm templates in win2003 AD domain to avoid Ransomware malware

    Question

  • I am seeking help for Windows 2003, a product not supported. But please see if you can help.

    We have a Domain whose forest and domain functionality is still at Windows 2003 Native.
    There are 2 servers acting as Domain Controllers, both Windows 2003.
    The reason we have not upgraded is because of many legacy applications in the network, which work only on Windows 2003 servers and there is no way to upgrade them.

    Most of our users use Windows 7, 8.1, and some Windows 10. All these machines have Office 2007, 2010 or 2013.
    There are a few Windows XP and Windows 2003 Terminal Servers where we have Office 2003 deployed.

    With the new CryptoLocker, Locky and Petya threats, we want to secure our domain by deploying Office administrative templates.
    Our intention is to force applications like Word/Excel to never auto-run macros etc.

    With the mixed versions of Office and the fact that our domain is Windows 2003 based, how can we install all the templates for all Office versions for every OU?

    Some articles told me that, if I have a Windows 2003 DC, then I have to go to EACH individual Group Policy's ADM folder and copy the ADM files there... But where do I copy the ADMX files? When I copied ADMX files, the Group Policy Object Editor complains saying:

    ---------------------------
    Administrative Templates
    ---------------------------
    The following error occurred in \\domain.local\sysvol\domain.local\Policies\{31B6F340-016D-16D2-945F-00C04FB984F9}\Adm\access12.admx on line 1:
    Error 51  Unexpected keyword
    Found: <?xml
    Expected: CLASS, CATEGORY, [strings]
    The file can not be loaded.
    ---------------------------
    OK   
    ---------------------------

    Am I doing something wrong?

    Should I be creating the PolicyDefinitions folder instead and putting ADMX files there? Or is that valid only for Domain 2008 or above?


    konkani

    Monday, April 04, 2016 7:13 PM

Answers

  • Thank you for your reply. 

    Based on those and other articles that I read, this is what I plan to do.

    On the Domain controllers themselves, for a specific OU, I will create a new group policy.
    I can then find out the unique name for it for example...it could be {31B6F340-016D-16D2-945F-00C04FB984F9}.
    And then in that I will copy the Word 2003 or Word 2007 ADM file.
    The group policy will then show those administrative templates and I can make the necessary security changes.

    I do see that MS continued to provide ADM and also ADMX versions for 2007 and 2010 versions.
    So I could continue using ADM files through the windows 2003 AD DC servers.

    Now since our users are also using office 2013 and since MS supplies only ADMX versions for it, I will create a directory called PolicyDefinitions at this location.
    \\domain.local\sysvol\domain.local\Policies\PolicyDefinitions\
    And I will copy all the required ADMX files in that folder. This folder will act as a Central repository.
    Using the Windows 2003 AD DC based Group Policy management software, I won't be able to see these files.

    So I will use a minimum of Vista, or in my case I will use a Windows 7 machine, and install RSAT (Remote Server Administration Tools) on it. That will provide me programs like AD Users and Computers, Group Policy Management, etc.
    On that PC I will log in as a domain administrator and then run GPM.
    GPM will then connect to the domain automatically and when I select an OU and create a new GP, in a section called Policies it will show me all the policies which it pulls from the central repository. So it will show me anything related to the Office 2013 ADMX files I put in the repository.
    I will then make a change to security settings etc.
    And this software will copy the necessary registry settings into the specific new GP I just created, instead of copying the ADMX file.

    In essence only 1 instance of the ADMX will be kept on the network, which will be in that PolicyDefinitions folder.... and the specific policy changes will be stored in each policy. Kinda saving me space, unlike ADM files which are to be copied into each policy folder.

    Basically I will keep using the Windows 2003 AD DC servers to manage ADM related policies, and the Windows 7 machine to manage any ADMX related policies.

    Hope I am correct and you agree?




    konkani

    Tuesday, April 05, 2016 7:03 PM
  • Hi,

    You are correct. We should use RSAT to manage group policy on a Windows 7 computer. To do so:
    a. Install Remote Server Administration Tools (RSAT) below on Windows 7
    Remote Server Administration Tools for Windows 7
    Download details: Remote Server Administration Tools for Windows 7
    b. Go to Control Panel -> Programs -> Turn Windows Feature on or off.
    c. Expand Remote Server Administration Tools -> Feature Administration Tools, check Group Policy Management Tools.
    d. Log on as domain administrator on Windows 7, search for Group Policy Management and open it. Now you can manage all group policies.

    Also, you don't need to do anything on the Windows 2003 DC. Although those settings cannot be read from its Group Policy Management Console, they exist (in the SYSVOL folder). When a Windows 7 computer applies group policy, it will read the appropriate information and apply the group policy without problem.

    Managing Group Policy ADMX Files Step-by-Step Guide

    https://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by konkani Wednesday, April 06, 2016 1:24 PM
    • Unmarked as answer by konkani Wednesday, April 06, 2016 1:26 PM
    • Marked as answer by konkani Thursday, April 07, 2016 1:07 PM
    Wednesday, April 06, 2016 7:36 AM
    Moderator
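The procedure agreed on above (a Central Store for ADMX in SYSVOL, the legacy ADM copied into a GPO's own Adm folder, and the GPO edited from a Windows 7 RSAT machine) as one PowerShell script. This is an added example, not code from the thread or from Microsoft. It is meant to run as a domain administrator on the Windows 7 management PC with the RSAT Group Policy Management Tools installed (the GroupPolicy module ships with that feature). The domain name domain.local is taken from the thread; the GPO name, the target OU, the folders where the Office templates were extracted and the choice of Word/Excel/PowerPoint are assumptions. The macro setting written is the Office "VBA Macro Notification Settings" policy (registry value VBAWarnings under HKCU\Software\Policies\Microsoft\Office\<ver>\<app>\Security, where 12.0 = 2007, 14.0 = 2010, 15.0 = 2013); Office 2003's ADM uses a different value and is not covered here.

```powershell
# Added example (not from the thread): Central Store + legacy ADM + Office macro
# policy via the GroupPolicy module from Windows 7 RSAT. Run as a domain admin.
$Domain       = 'domain.local'                                   # from the thread
$GpoName      = 'Office Macro Hardening'                         # assumed GPO name
$TargetOu     = 'OU=Workstations,DC=domain,DC=local'             # assumed OU
$OfficeAdmx   = 'C:\Office2013AdminTemplates\admx'               # assumed: extracted Office 2013 templates
$LegacyAdm    = 'C:\Office2007AdminTemplates\ADM\en-us\word12.adm'   # assumed: Office 2007 ADM
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# 1. Central Store: *.admx at the root, *.adml in a language subfolder.
#    Only Vista+ editors read this folder; the Windows 2003 GPO editor ignores it.
foreach ($dir in @($CentralStore, "$CentralStore\en-US")) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}
# Seed with this machine's Windows ADMX set so GPMC does not lose the OS settings,
# then add the Office templates.
Copy-Item "$env:SystemRoot\PolicyDefinitions\*.admx"       $CentralStore
Copy-Item "$env:SystemRoot\PolicyDefinitions\en-US\*.adml" "$CentralStore\en-US"
Copy-Item "$OfficeAdmx\*.admx"        $CentralStore
Copy-Item "$OfficeAdmx\en-us\*.adml"  "$CentralStore\en-US"

# 2. Create (or reuse) the GPO and link it to the OU. The settings land in the
#    GPO's registry.pol; no ADMX file is copied into the GPO folder.
Import-Module GroupPolicy
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $TargetOu -ErrorAction SilentlyContinue | Out-Null

# VBAWarnings: 2 = disable with notification (the Office default),
#              3 = disable all except digitally signed macros,
#              4 = disable all without notification.
# 3 keeps signed line-of-business macros working; use 4 to block everything.
$MacroSetting = 3
$Versions = '12.0', '14.0', '15.0'          # Office 2007, 2010, 2013
$Apps     = 'Word', 'Excel', 'PowerPoint'
foreach ($v in $Versions) {
    foreach ($app in $Apps) {
        $key = "HKCU\Software\Policies\Microsoft\Office\$v\$app\Security"
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'VBAWarnings' `
                            -Type DWord -Value $MacroSetting | Out-Null
    }
}

# 3. Legacy ADM, so the same GPO can also be opened in the Windows 2003 editor:
#    ADM files go into that GPO's own Adm folder, named by the GPO GUID.
$AdmDir = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\Adm"
if (-not (Test-Path $AdmDir)) { New-Item -ItemType Directory -Path $AdmDir | Out-Null }
Copy-Item $LegacyAdm $AdmDir

# 4. Check what was written to the GPO (registry.pol) from the editor PC.
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security' |
    Format-Table ValueName, Type, Value -AutoSize
```

The templates only matter to the editor: the clients never read the Central Store or the Adm folder, they read registry.pol, which is why the accepted answer says nothing has to change on the Windows 2003 DCs. After `gpupdate /force` on a Windows 7 client, `Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\15.0\Word\Security' -Name VBAWarnings` should show the value chosen above; because it lives under the Policies key, a user cannot change it back from the Trust Center.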

All replies

  • Hi,

    Thanks for your post.

    Basically, Windows 2003 servers store the ADM files under:
    C:\WINDOWS\SYSVOL\sysvol\DOMAIN.LOCAL\Policies

    While Vista and 2008 stores the policy files under:
    C:\windows\PolicyDefinitions

    Windows 2003 machines cannot be used to manage ADMX files and related settings. In order for us to do that, we have to use a 2008 or Vista machine in order to manage domain-wide settings.

    Please refer to the following articles to get more information:

    Maintaining and Managing .Adm Files

    https://technet.microsoft.com/en-us/library/cc759535(v=ws.10).aspx

    Questions on ADMX in Windows XP and Windows 2003 environments

    https://blogs.technet.microsoft.com/grouppolicy/2008/12/17/questions-on-admx-in-windows-xp-and-windows-2003-environments/

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by konkani Wednesday, April 06, 2016 1:25 PM
    • Unmarked as answer by konkani Wednesday, April 06, 2016 1:26 PM
    Tuesday, April 05, 2016 3:30 AM
    Moderator
  • Thank you for your help. Really appreciate it!
    I will now mark this as resolved.

    konkani

    Wednesday, April 06, 2016 1:26 PM