Configuring a Central Store for Group Policy

Configuring a Central Store for Group Policy


In this video from ITFreeTraining, I will look at creating a central store for Group Policy. Although it is not required, a central store can ensure that the company as a whole is using the same version of Group Policy. First, we will take a look at the history of Group Policy so we can get a better understanding of how the central store will work.

Download the PDF handout:

Group Policy History
0:20 – Group Policy is divided into two main sections, “Computer Configuration” and “User Configuration”. These sections are divided in sub-sections, and these are “Software Settings”, “Windows Settings” and “Administrative Templates”. This video will focus on administrative templates.
0:40 – The first version of Group Policy utilized ADM files. These ADM files defined the settings in Group Policy. Each time a new Group Policy was created, the ADM files for that Group Policy were duplicated. This means that every Group Policy that was created had its own set of ADM files.
1:00 – When there are multiple group polices, the same ADM file would be copied multiple times. The group policy and its ADM files are stored in the SysVol folder. In a large corporation, there could be a large number of group policies, with each group policy having its own set of ADM files. The SysVol folder is replicated to every Domain Controller in the domain. This makes the SysVol very large with a lot of duplicate files in it.

ADMX Files
1:34 –ADMX files are different from ADM files in that they are referenced by Group Policy as opposed to being stored by Group Policy. Let’s think about a single Group Policy. You’ll see that the ADMX file would be stored on the local computer or out on the network in the SysVol folder. So the ADMX files are stored locally or centrally within the network, making it easier for the administrator to keep ADMX files current and with a significant reduction in the SysVol folder size. We’ll now switch over to a server running Windows 2012 R2 and take a deeper dive. We’ll review how to centralize the ADMX files and keep them up to date as changes are made.

Demonstration
2:20 – To see where ADMX files are currently being stored, first of all, I will open Server Manager from the quick launch bar.
2:26 – I’ll then select “Group Policy Management” from the “Tools” dropdown.
2:30 – With Group Policy Management open, I’ll right click on the Default Domain group policy and select Edit.
2:40 – Once the Group Policy has opened, I will expand “Policies” and then select “Administrative Templates”. On the right, you will see the text “retrieved from local computer”.
2:50 – Currently the ADMX files are being retrieved from the local computer. Later on, we’ll review placing them in a different, centralized area on the network.
3:00 – Either way, storing ADMX files either locally or on the network is more efficient than the ADM files that were stored with the Group Policy.
3:10 – I’ll now go ahead and open the Windows Explorer to take a look at where ADMX files are stored.
3:16 – I will open the c drive, then the Windows folder followed by the folder “PolicyDefinitions”.
3:25 – Once open, notice that there are a large amount of ADMX files. Each ADMX file contains different settings. Each file contains a different part of the settings found under “Administrative Templates” in Group Policy. Having them separated like this makes them easier to update, manage and expand as required. ADMX files are language independent. Notice the folder EN-US. This contains the English language interface files. Since the language files are independent of the ADMX files, this makes them easy to update. This also makes it easy for the administrator to add additional languages. In contrast, ADM files were language specific which means the administrator had to choose one language. This made it difficult when there were multiple administrators around the world working on the same Group Policy, as they would have to agree on using the one language.
4:20 – Before I centralize the ADMX files, I will first download the latest ones from Microsoft. To do this, I will close some of these Windows and then open Internet Explorer.
4:33 – Once Internet Explorer has opened, I will perform a google search for “ADMX Windows Server 2012 R2”. A link for ADMX Templates for Windows 8.1 will appear, this link will work for Windows Server 2012 R2 as well so I will select it. Even if you are using older operating systems like Windows Server 2008, the newer ADMX files can be used. If the ADMX file contains settings that the operating system does not understand, the operating system will simply ignore them. If you have trouble finding this link, I have included it in the reference part of this video.
5:09 – I will next press the download button and save the file to the desktop. Once the download
has completed, I will close Internet Explorer and then double click on the file that I just saved.
05:25 – The install is a simple one. Once I am past the welcome screen, I will accept the license and accept the default install location. The install does not take too long to complete.
5:36 – Once complete, I will close setup and open Windows Explorer to have a look at the files
that were just copied to the local c drive. The files are located in the folder “Program Files x(86)” and “Microsoft Group Policy”. The next folder down is the highest operating system supported. Remember that ADMX files are backwards compatible so newer ADMX files will work on older operating systems. Once I open this folder, I next will open the folder “PolicyDefinitions”.
6:10 – Notice that there is a separate folder for all the different languages that are available. It is just a matter of the administrator choosing the language file or language files that they want.
6:21 – If I now scroll down to the bottom, notice all the ADMX files. This folder contains the most up to date ADMX files and language files. So I will select all the ADMX files and then select the folder for US English. Once the ADMX files and language folder are selected, I will right click the folder and then select the option copy.
6:45 – Now that the required files have been copied, I will next browse to the location of my domain’s SysVol folder. This is just a matter of entering in double back slash followed by the domain name back slash SysVol. The SysVol folder is stored on each Domain Controller and replicated to all other Domain Controllers. In this folder will be the shortcut for the domain. The next folder contains the folders Policies and Scripts. Policies contains Group Policy and Scripts contains scripts for the domain.
7:17 – Since I am working with Group Policy I will open the folder Policies. Under the Policies folder is a folder for each Group Policy in the domain. Since there are currently two policies in the domain, there are two folders.
7:30 – The ADMX files will be stored in this folder. To do this, I will create a folder called “PolicyDefinitions”. Make sure you get the spelling of this folder correct as it needs to be exact, otherwise Group Policy Management will not be able to access it.
7:47 – I will now open this folder and paste the ADMX and Language folder. If I now go back to the Policies folder, I have the two folders that contain the two Group Policies for the domain. I will select and open the second one. This is the group Policy for the “Default Domain Policy”.
8:07 – There are 3 folders in here. The ADM folder contains the older ADM files. Unless you are
working with old Group Policy, there should not be any ADM files in here. New Group Policy will use the ADMX files. You can see that because each Group Policy contains an ADM folder, using ADM files caused each Group Policy to become quite large. Using ADMX files requires only a single copy of the ADMX files which can be stored either locally or on the network.
8:40 – Below this is the folder Machine. This folder contains all the settings for “Computer Configuration” in Group Policy. The folder User, contains all the settings for “User Configuration” in Group Policy. The file GPT contains the version information for the Group Policy. When changes are made to Group Policy, the version number in this file is incremented. This is how Windows knows the Group Policy has changed and needs to be replicated.
9:08 – I will now close Windows Explorer and go back to Group Policy Management. Just like before, I will right click on “Default Domain Policy” and select edit. You will notice that when I select “Administrative Templates”, on the right hand side is “retrieved from the central store”. The ADMX files are now being retrieved from the network rather than the local computer.
9:34 – ADMX files are the default and any new Group Policy that the administrator creates nowadays will be using ADMX. In this Group Policy there is a legacy ADM file. If I expand “Administrative Templates” and select the container “Classic Administrative Templates (ADM)” this will show any ADM templates that exist in that Group Policy. If there are no ADM files being used in the Group Policy, this container will not appear.
10:04 – This covers how to centralize ADMX files. The process is quite a simple one.

Review
10:10 – Let’s review what was covered in this video. A single Group Policy contains settings. These
are stored in the Machine and User folders located in the SysVol folder. ADM files are the older Group Policy format that are stored in the Group Policy. In contrast, ADMX files are stored in local storage or centrally in the SysVol folder. ADM and ADMX files contain the interface that you see in Group Policy Management. ADMX files are easier to update than ADM files and also support multiple languages. ADMX is backwards compatible with ADM. ADMX is the future of Group Policy and, most likely, if you are using Group Policy you are already using it. Thanks for watching this video on how to centralize ADMX files in Group Policy. This is only one of the free videos in the Group Policy course. For the other videos please see our YouTube channel or webpage. Until next time, thanks for watching.
 

References
“Installing and Configuring Windows Server 2012 R2 Exam Ref 70-410” pages 319
http://www.microsoft.com/en-au/download/details.aspx?id=41193