none
Don't understand ADM central store for Group Policy

    Question

  • I am deploying an Enterprise Mode GPO to all clients so that IE11 machines can access Enterprise Mode. However, only some machines are receiving the settings. Not all machines have an updated inetres.adml template that includes "Enterpirse mode." Is this adml template supposed to come down from the central store (we have the central store set up and the settings are set up in the administrative templates section for Internet Explorer)? Or do the local admx/adml files under C:\Windows\PolicyDefinitions get updated via Windows Updates? I'm not sure if they are supposed to copy down from the central store or what. We have various GPOs that have the local inetres adm templates added to them and I wasn't sure if that was causing an issue using the central store or not. Please let me know.
    Friday, October 2, 2015 4:36 PM

Answers

  • The central store is primarily used for updating the GPMC and is replicated to other DCs. Essentially whoever updates the GPO, the central store ensures all admins are using the same template so you don't have to distribute the templates manually.

    For clients not processing the settings, the central store has no bearing on that. Have you verified that the GPO has applied using gpresult? What else is recorded in the logs and event log?

    This article is useful to understand the central store:

    http://blogs.technet.com/b/askpfeplat/archive/2011/12/12/how-to-implement-the-central-store-for-group-policy-admin-templates-completely-hint-remove-those-adm-files.aspx

    Friday, October 2, 2015 6:19 PM
  • Hello,

    the Central Store is pretty simple, as stated by zxxzxx. I just want to clarify a few things here. The Central Store is only for providing the admin experience to those who are managing Group Policy settings. The ADMX/ADML files have nothing to do with the settings that are actually sent to the policy clients. Those settings are stored in the registry.pol file.

    so, admin opens GP editor and navigates to 'Administrative Templates'. The GP Editor shows if the policy definitions are coming from local machine (c:\windows\policydefinitions) or the central store (\\dc\sysvol\centralstore\policydefinitions). Once an edit is made that 'setting' is written to \\dc\sysvol\domain\policies\guid\machine (or user)\registry.pol. That registry.pol file is grabbed by the policy client during a policy refresh cycle and processed into their local registry... HKLM or HKCU.

    It seems like you are saying that the 'local inetres adm' file is the 'various GPOs'. Just to clarify here... central store is for ADMX/ADML only. Old school ADM files are always stored in the GPOs themselves.

    Kevin


    Kevin Sullivan - Program Manager

    Friday, October 2, 2015 7:05 PM
    Owner
  • I am deploying an Enterprise Mode GPO to all clients so that IE11 machines can access Enterprise Mode. However, only some machines are receiving the settings.

    Is the GPO/settings showing in the gpresult for an example machine/user?
    If not, then you need to check why the machine/user is not getting that.
    If it is showing in gpresult, then it may be that the machine does not have the necessary Windows Updates for IE11 (EM was introduced after the release of IE11, so the relevant updates for IE must be present for EM to function).

    Don

    Friday, October 2, 2015 10:14 PM

All replies

  • The central store is primarily used for updating the GPMC and is replicated to other DCs. Essentially whoever updates the GPO, the central store ensures all admins are using the same template so you don't have to distribute the templates manually.

    For clients not processing the settings, the central store has no bearing on that. Have you verified that the GPO has applied using gpresult? What else is recorded in the logs and event log?

    This article is useful to understand the central store:

    http://blogs.technet.com/b/askpfeplat/archive/2011/12/12/how-to-implement-the-central-store-for-group-policy-admin-templates-completely-hint-remove-those-adm-files.aspx

    Friday, October 2, 2015 6:19 PM
  • Hello,

    the Central Store is pretty simple, as stated by zxxzxx. I just want to clarify a few things here. The Central Store is only for providing the admin experience to those who are managing Group Policy settings. The ADMX/ADML files have nothing to do with the settings that are actually sent to the policy clients. Those settings are stored in the registry.pol file.

    so, admin opens GP editor and navigates to 'Administrative Templates'. The GP Editor shows if the policy definitions are coming from local machine (c:\windows\policydefinitions) or the central store (\\dc\sysvol\centralstore\policydefinitions). Once an edit is made that 'setting' is written to \\dc\sysvol\domain\policies\guid\machine (or user)\registry.pol. That registry.pol file is grabbed by the policy client during a policy refresh cycle and processed into their local registry... HKLM or HKCU.

    It seems like you are saying that the 'local inetres adm' file is the 'various GPOs'. Just to clarify here... central store is for ADMX/ADML only. Old school ADM files are always stored in the GPOs themselves.

    Kevin


    Kevin Sullivan - Program Manager

    Friday, October 2, 2015 7:05 PM
    Owner
  • I am deploying an Enterprise Mode GPO to all clients so that IE11 machines can access Enterprise Mode. However, only some machines are receiving the settings.

    Is the GPO/settings showing in the gpresult for an example machine/user?
    If not, then you need to check why the machine/user is not getting that.
    If it is showing in gpresult, then it may be that the machine does not have the necessary Windows Updates for IE11 (EM was introduced after the release of IE11, so the relevant updates for IE must be present for EM to function).

    Don

    Friday, October 2, 2015 10:14 PM