Adding Administrator Approved Controls to Group Policy
Step by step directions on how to add ActiveX controls to be available
as Administrator Approved Controls.
Joshua Cantara
Last Revised: September 9th, 2004
Summary
This document will cover in a step by step fashion how to add all the ActiveX controls
of your choosing to be available in Group Policy as "Administrator Approved Controls". The
Group Policy templates that ship with Windows 2000, XP and 2003 have a limited number of built-in
controls available for use with this great feature and documentation from Microsoft on how to
add more is shoddy at best. With these instructions you can quickly and easily add new controls
in less time than it would take to download and install the IEAK, which is the supported but more
difficult method.
Armed with your own list of approved controls you can use complementary security zone policies to
lock down the Internet zone and deny all ActiveX controls except for those you specify. This way your
users will be able to load the Flash and Adobe Reader plugins while not allowing media playing or worse,
spyware/toolbar installing controls to load.
Index
- Getting the details for the controls you wish to add
- Creating a new Group Policy template
- Using your new template
Getting the details for the controls you wish to add
Every ActiveX control has a unique ClassID assigned to it. It's this ClassID that Internet Explorer uses to load it and is also what
allows Group Policy to control which ones are allowed. A list of approved ClassIDs is kept in the registry and IE is only allowed to
load ones that match an entry in the approved list. The first step in approving a control is therefore to determine what its ClassID is.
- The ActiveX control you wish to approve must be installed on your system, so visit a website that will load it or download the setup program to
get it installed.
- Browse to the location of your "Downloaded Program Files" folder. It's usually
C:\Windows\Downloaded Program Files.
- Inside the folder is a list of all the ActiveX controls installed on your system, so find the one you're interested in, right click it and go to
Properties.
- The ClassID is already highlighted, so you just need to copy it!
- Repeat this process for as many ClassIDs as you need. Keep a document of each ID and what control it represents.
Creating a new Group Policy template
Now that we have the ClassID(s) we need to use them in conjunction with a Group Policy Template in order to turn them into available Administrator
Approved Controls. Fortunately, Group Policy Templates are nothing more than text files that spell out what registry keys should be created and what
values they should be set to, so creating one is not difficult.
- Download the starter template that I have made. It contains all the basic framework of an add-on Group Policy Template.
- Open it in your preferred text editor and give it a good looking over. The format is not XML but it is structured clearly enough for you to make out the flow.
- In the center is an example control. If you're familiar with text config files of any kind the next steps will probably become all too clear and you can skip
directly to the next section. Otherwise follow along with the next steps.
- Copy everything inside the rows of hash marks and paste it below the bottom line of hash marks, but above the
END CATEGORY lines.
- Remove the semicolons from the start of the lines.
- Each policy block (denoted by
POLICY and END POLICY lines) allows you to list many controls, however it's best to keep them organized. If
you have two similar controls (such as flash and shockwave controls, or multiple controls for the same media player) you may wish to make them all under a single
heading, but otherwise make a single policy item for each control. This sample block has one PART block in it, which is fine for adding multiple
unrelated controls. You would simply add more PART blocks to group multiple controls under a single Group Policy list item.
- You may copy the block with the semicolons removed and paste it many times, once for each Group Policy list item you wish to create. The following steps will
cover editing a single block but you can simply repeat them for as many as you need.
- There are several things inside each
POLICY block that need changing. The first is right after the word POLICY. This is the short
name that the policy will show up as in the list of all available Administrator Approved Controls. Replace Test Control with the name of whatever
control you are adding. In my case it is Adobe Reader 5 and 6. Ensure that it stays inside the double quotes.
- Next is the
EXPLAIN definition which is on the following line. This is where you would put a lengthy description of what this control really is. In
my case I would say something along the lines of "The Adobe Reader ActiveX Control allows PDFs to be viewed inside of Internet Explorer."
- The final descriptor we need to change is between the words
PART and CHECKBOX. This is the name that will appear next to the checkbox
inside the Group Policy Properties dialog that comes up when you go to change a Group Policy item. This is less important when you only have a single control per
Group Policy Item, but if you had multiple controls inside an item this is how you distinguish between them. In my case I'm just going to put Adobe Reader
to keep it short and to the point.
- Finally, the last thing to change is the long string of 0s which represent the ClassID. Remove the fake ClassID and replace it with the one that corresponds to
the control you are creating. Ensure that the braces ({ and }) remain around the ClassID. My line looks like
VALUENAME {CA8A9780-280D-11CF-A24D-444553540000}
- Save the file, renaming it as you wish. I recommend storing it somewhere on one of your Domain Controllers for safe keeping.
Using your new template
- Pop open the Group Policy Management Console (or Active Directory Users and Computers) and create a new Group Policy Object. Open it for editing.
- Right click
Administrative Templates and click Add/Remove Templates.
- Select all the templates and click
Remove. Click Add and navigate to the saved template you just worked on. Add it to the list. Return
to the Group Policy main screen when done.
- Note: You can also add this control into an existing GPO; it will play nicely with all the standard GPOs, such as conf.adm, inetres.adm and so forth.
- Navigate as follows: Config -> Windows Components -> Internet Explorer -> Administrator Approved Controls
- Your newly added controls will appear in the list, alongside the Microsoft provided controls.
- Note: If you received an error adding the .adm template into the group policy, you introduced a syntax error into the file. Re-read the second section
of this document to make sure you followed the directions exactly. The slightest typo or a missing character and the template will not load correctly.
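Because a single typo stops the template from loading, it helps to check the file before adding it to a GPO. The following is an added example, not part of the original article or the author's starter template: a small Python check for the mistakes the editing steps above can introduce (a lost double quote, a block without its END line, a ClassID without braces, a placeholder of zeros left in place). The sample template is constructed, and its exact layout, including the END PART lines and the all-zero placeholder form, is an assumption.

```python
import re

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

def lint_adm(text):
    """Return sorted (line_number, message) problems found in an .adm template."""
    problems, stack = [], []          # stack holds (block keyword, opening line)
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):   # blank, or still commented out
            continue
        words = line.upper().split()
        if line.count('"') % 2:
            problems.append((num, "unbalanced double quote"))
        if words[0] == "END" and len(words) > 1:
            if words[1] not in [k for k, _ in stack]:
                problems.append((num, f"END {words[1]} has no matching {words[1]}"))
                continue
            while stack[-1][0] != words[1]:    # inner blocks were left open
                inner, opened = stack.pop()
                problems.append((opened, f"{inner} is missing its END {inner}"))
            stack.pop()
        elif words[0] in ("CATEGORY", "POLICY", "PART"):
            stack.append((words[0], num))
        elif words[0] == "VALUENAME":
            clsid = line[len("VALUENAME"):].strip().strip('"')
            if not CLSID_RE.match(clsid):
                problems.append((num, "ClassID is not a braced GUID"))
            elif set(clsid) <= set("{}-0"):
                problems.append((num, "placeholder ClassID of zeros not replaced"))
    return sorted(problems + [(n, f"{k} is missing its END {k}") for k, n in stack])

# Constructed sample (assumed layout); the second POLICY block has three mistakes.
SAMPLE = """\
CATEGORY "Custom Approved Controls"
; POLICY "Test Control"
  POLICY "Adobe Reader 5 and 6"
    PART "Adobe Reader" CHECKBOX
      VALUENAME {CA8A9780-280D-11CF-A24D-444553540000}
    END PART
  END POLICY
  POLICY "Second Control
    PART "Second Control" CHECKBOX
      VALUENAME {00000000-0000-0000-0000-000000000000}
  END POLICY
END CATEGORY
"""
for num, msg in lint_adm(SAMPLE):
    print(f"line {num}: {msg}")
```

The check is structural only; a template that passes can still be rejected by the Group Policy editor for reasons it does not look at.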
Conclusion
Now that your work is complete, you can create another template to add more, re-edit the existing template and then remove
and re-add it to this group policy; whatever you desire. By preparing this list of approved controls you can gain a tighter control of your company's web
surfing and protect your users from browser-based ActiveX attacks.