Creating the Group Policy Central Store

Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available.

Let’s explore our Sysvol for a second. Open an Explorer window and navigate to \\DOMAINNAME\sysvol\. Open up any subfolders until you are inside the Policies folder. We are now looking at the GUID of every Group Policy Object (GPO) in our domain. The picture below is from our domain.
 
 1
Open up any policy and you should see a few subfolders. The most common are: ADM, Machine, and User.
 
2
By default, your ADM folder will have five ADM files. Each client will also have a copy of these files. Each policy you create will automatically include this ADM folder. Our domain has four domain controllers and 767 group policy objects. Each policy would have a 3.46 MB ADM folder in it. That means that our domain uses 10.4 GB of space to store ADM files! That is a lot of files to replicate!

You have probably already asked – why does every policy need a copy of the ADM files? The clients do not need them because they are located on each client machine. Microsoft gave us a better solution with the Group Policy Central Store.

The Group Policy Central Store allows you to store one copy of ADMX files in your Sysvol and have any Group Policy Management Console automatically pull its settings from that location. The best thing is – you only need a Vista or later client computer to set up the central store! Your server environment can be 2003 or 2008!

To create your central store, follow these steps:

1. Browse back to your Policies folder within Sysvol and create a folder named “PolicyDefinitions”.

2. On a Vista/7 or Server 2008/R2 machine, browse to “C:\Windows\PolicyDefinitions\” and copy the entire contents to your Sysvol PolicyDefinitions folder.

3. Close any opened GPMC windows on your Vista+ management machine. Open GPMC again and create a new policy. Navigate to Computer Configuration\Policies\Administrative Templates. Left click on Administrative Templates. In the center of the screen, you should now see: “Administrative Templates: Policy Definitions (ADMX files) retrieved from the Central Store”
4. Delete any ADM templates that you did not import yourself. To do so, just search your policies folder for any file with a .ADM extension.

5. Because XP/Server 2003 GPMC will automatically upload ADM files even if a central store exists, it is a best practice to no longer use the GPMC for those operating systems. In a larger environment that has many Group Policy creators, it may be wise to use Software Restriction Policies or File System Security Policies to disable access to the older GPMCs.

You have now successfully created a central store and migrated your local ADMX files over to it. Any Group Policy Management Console running on a Vista+ OS will automatically open ADMX files from your central store.
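
Steps 1, 2 and 4 above can be scripted in PowerShell; the following is an added example, not part of the original article. It assumes PowerShell 3.0 or later on a domain-joined Vista+ management machine, the usual \\domain\SYSVOL\domain\Policies layout, and write access to Sysvol. It only reports leftover ADM files, so you can decide which ones you imported yourself before deleting anything.

```powershell
# Added example, not from the original article. Requires PowerShell 3.0+.
param(
    [string]$Domain = $env:USERDNSDOMAIN,                  # assumption: the current user's domain
    [string]$Source = "$env:SystemRoot\PolicyDefinitions"  # local templates to copy (step 2)
)

$policies = "\\$Domain\SYSVOL\$Domain\Policies"
$store    = Join-Path $policies 'PolicyDefinitions'
if (-not (Test-Path -LiteralPath $policies)) { throw "Cannot reach $policies" }

# Step 1: create the central store folder if it does not exist yet.
if (-not (Test-Path -LiteralPath $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

# Step 2: copy the ADMX files and language subfolders. /XO skips source files
# that are older than the copy already in the store, so newer templates stay.
robocopy $Source $store /E /XO /R:2 /W:5 /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Step 4: list leftover .adm files per GPO for review before deleting them.
# Compare the exact extension: the central store lives under the same Policies
# folder, and a "*.adm" wildcard filter can also return its .admx files.
$adm = @(Get-ChildItem -LiteralPath $policies -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq '.adm' })

if ($adm.Count -eq 0) {
    'No .adm files found under the Policies folder.'
    return
}

$adm | Group-Object { $_.Directory.Parent.Name } | ForEach-Object {
    [pscustomobject]@{
        Gpo    = $_.Name   # GUID folder of the GPO that holds the Adm subfolder
        Files  = ($_.Group.Name | Sort-Object) -join ', '
        SizeMB = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 2)
    }
} | Sort-Object SizeMB -Descending | Format-Table -AutoSize

$totalMB = ($adm | Measure-Object Length -Sum).Sum / 1MB
'{0} .adm files in {1:N1} MB on this Sysvol replica' -f $adm.Count, $totalMB
```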

Additional Links:

How to Create a Central Store: http://support.microsoft.com/kb/929841

Automatic Central Store Creator: http://www.gpoguy.com/FreeTools/FreeToolsLibrary/tabid/67/agentType/View/PropertyID/88/Default.aspx

Server 2008/Vista GP changes: http://sourcedaddy.com/windows-7/group-policy-windows-vista-and-windows-server-2008.html