Creating a GPO Central Store

    Question

  • Hi,
     We're using an AD environment which is a 2008 R2 forest functional level and has 2012 R2 DCs. We have 10,000 users and 20 DCs. I want to create a central policy store for GPOs as it'll reduce SYSVOL replication (once I remove the older unused ADM templates) and it'll mean that each time a GPMC is opened it'll automatically get the latest tools.

    Is it just a matter of creating the PolicyDefinitions folder in the following location and then copying the relevant ADMX templates over?
    \\FQDN\SYSVOL\FQDN\policies

    If so, that seems a bit too easy, what are the risks this can bugger up GPOs for the entire estate?

    Just making sure I'm setting myself up for a fall....

    Thanks
    Monday, February 27, 2017 7:28 PM

Answers

  • Hi Peter,

    Is it just a matter of creating the PolicyDefinitions folder in the following location and then copying the relevant ADMX templates over?
    \\FQDN\SYSVOL\FQDN\policies

    >>>Yes, create a PolicyDefinitions folder under the path \\<domain name>\SYSVOL\<domain name>\Policies, and copy all files from the PolicyDefinitions folder on a source computer to the PolicyDefinitions folder on the domain controller.

     what are the risks this can bugger up GPOs for the entire estate?

    >>>Here is a known issue about copying Windows 10 .admx templates to the SYSVOL central store.

    How to create and manage the Central Store for Group Policy Administrative Templates in Windows

    https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows

    In addition, ADMX files are read from the central store of the domain in which the GPO was created. Reading ADMX files from the central store may have an impact on the speed of the Group Policy tools response if the domain's domain controllers are located in a site separated by WAN links from the administration machine.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 28, 2017 2:35 AM
    Moderator
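
The copy described in this answer, as an added PowerShell example that is not part of the original post. It assumes a management machine with write access to SYSVOL; the `$Domain`, `$Source` and `$Language` defaults and the backup location are placeholders chosen for illustration.

```powershell
# Added example: populate the Central Store from a source machine's templates.
param(
    [string]$Domain   = $env:USERDNSDOMAIN,                  # assumption: current domain
    [string]$Source   = "$env:SystemRoot\PolicyDefinitions", # local template folder
    [string]$Language = 'en-US'                              # assumption: one language folder
)

$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# 1. Sanity check: report any .admx without a matching .adml resource file.
$missing = Get-ChildItem -Path $Source -Filter *.admx | Where-Object {
    -not (Test-Path (Join-Path $Source "$Language\$($_.BaseName).adml"))
}
if ($missing) {
    Write-Warning "No $Language .adml found for: $($missing.Name -join ', ')"
}

# 2. Keep a copy of any existing store before overwriting it, so older
#    template versions can be restored if settings stop showing in the editor.
if (Test-Path $store) {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:TEMP "PolicyDefinitions-$stamp"
    Copy-Item -Path $store -Destination $backup -Recurse
    Write-Output "Existing Central Store backed up to $backup"
}
else {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# 3. Copy the .admx files and the language subfolders into the store.
Copy-Item -Path (Join-Path $Source '*') -Destination $store -Recurse -Force

# 4. Verify: every source file must exist in the store with the same hash.
$bad = Get-ChildItem -Path $Source -Recurse -File | Where-Object {
    $rel = $_.FullName.Substring($Source.Length).TrimStart('\')
    $dst = Join-Path $store $rel
    -not (Test-Path $dst) -or
        (Get-FileHash $_.FullName).Hash -ne (Get-FileHash $dst).Hash
}
if ($bad) { Write-Warning "Mismatch after copy: $($bad.Name -join ', ')" }
else      { Write-Output  "Central Store at $store matches $Source" }
```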

All replies

  • Thanks Jay,

     Would you know if I edited the central store whether I would be able to modify old ADM templates for 2003/XP clients if needed?

     I believe I can still enable the files by forcing the GPMC to look at the local store if I install this hotfix on my GPMC server:

    https://sdmsoftware.com/group-policy-blog/tips-tricks/override-the-group-policy-admx-central-store/

    Cheers

    Tuesday, February 28, 2017 1:10 PM
  • Hi,

    You could try to install the hotfix.

    But support for Windows Server 2003 has ended, so I suggest you try to upgrade your OS.

    In addition, if the reply above has resolved your problem, please mark it as the answer, as it would be helpful to anyone who encounters a similar issue.

    Thank you.

    Best Regards,

    Jay



    Thursday, March 09, 2017 9:03 AM
    Moderator
  • If so, that seems a bit too easy, what are the risks this can bugger up GPOs for the entire estate?

    No risk whatsoever, since templates are only used when creating/editing/viewing via GPMC/GPME, and, when using gpresult/RSoP.

    The template files are not referenced when *applying* GP (because, applying GP is done at the client, and the client doesn't need the templates to *apply* GP settings)

    Implementing a CS is really very easy.

    But, these days, with Win10, and if you have various builds of Win10 in your environment, you may need different versions of the templates (version-specific templates) because MSFT are adding/changing/removing features from build-to-build in Win10 and so you may have a need to use different templates so that you can manage the various settings. eg, you have Win10-1511 in your environment, and you load the Win10-1511 templates into your CS, and you create some GPO settings for the deferupgrades feature. MSFT release Win10-1607 and this brings a change to the deferupgrades feature and accordingly the Win10-1607 templates are changed to suit the feature change. The new templates no longer expose the settings for Win10-1511, and so you now have no way to remove/disable/modify/unconfigure that feature. You need a machine which has the "old" 1511 templates, but, your CS exists so all computers with GPMC/GPME are forced to use the CS.

    So, you are kind of stuck, until you find out that you *can* use a registry setting to force a particular machine to ignore the CS and instead refer to its local \PolicyDefinitions\ folder for templates. You just have to remember or figure that out. Or, stick with not using a CS. Which kind of sucks.

    I read a blog about this scenario quite recently but can't find that blog post just now.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, March 09, 2017 10:07 AM
  •  Would you know if I edited the central store whether I would be able to modify old ADM templates for 2003/XP clients if needed?

     I believe I can still enable the files by forcing the GPMC to look at the local store if I install this hotfix on my GPMC server:

    https://sdmsoftware.com/group-policy-blog/tips-tricks/override-the-group-policy-admx-central-store/

    Cheers

    The CS doesn't deal with ADM templates at all, the CS only deals with ADMX/ADML.

    If you still have some products that use ADM, and, there is no equivalent ADMX/ADML, your CS doesn't matter, and you don't derive the CS benefit for those ADM templates.

    You can have a mixture of ADM and ADMX/ADML, either with or without CS, just note that ADM files will still behave the bad-old-way no matter how well-behaved the ADMX/ADML files are :)

    You can use ADMX/ADML files to create/manage GPO settings which apply to older platforms like WinXP/WS2003 - because the templates are not actually used for applying GP to clients.

    The templates are used by GPMC/GPME to build/compose/compile the registry.POL files, and the registry.POL file sits in SYSVOL, and it is the registry.POL file which is pulled down by the client machine and the CSE DLLs apply the registry.POL file onto the client. The templates, regardless if ADM or ADMX/ADML, are not used by the CSE during Apply-GP at all.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, March 09, 2017 10:13 AM
  • I read a blog about this scenario quite recently but can't find that blog post just now.

    https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, March 13, 2017 9:05 AM
  • Hi,

    If the above reply has resolved your problem, please mark it as the answer, as it would be helpful to anyone who encounters a similar issue.

    Best Regards,

    Jay



    Tuesday, March 14, 2017 2:43 PM
    Moderator
  • Just an update, for anyone looking to force a Windows 2012 R2 GPMC console to point to the local store, set the registry key below (I didn't need to install a hotfix)

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\EnableLocalStoreOverride

    https://support.microsoft.com/en-gb/help/2917033/an-update-is-available-to-enable-the-use-of-local-admx-files-for-group-policy-editor

    Wednesday, March 15, 2017 9:24 AM
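
The override from this post, as an added PowerShell example that is not part of the original thread. It assumes `EnableLocalStoreOverride` is a DWORD that is active when set to 1, as described in the linked KB article; the function names are hypothetical. It also reports which template folder the editor on this machine will read.

```powershell
# Added example: inspect and toggle the local-store override on one machine.
$script:GpKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$script:GpValue = 'EnableLocalStoreOverride'

function Get-AdmxTemplateSource {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: current domain

    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $local = Join-Path $env:SystemRoot 'PolicyDefinitions'

    # A missing key or value yields $null, which is treated as "not set".
    $prop     = Get-ItemProperty -Path $GpKey -Name $GpValue -ErrorAction SilentlyContinue
    $override = if ($prop) { $prop.$GpValue } else { $null }
    $hasStore = Test-Path $store

    # Override wins; otherwise the Central Store is used when it exists.
    $source = if ($override -eq 1) { $local }
              elseif ($hasStore)   { $store }
              else                 { $local }

    [pscustomobject]@{
        CentralStoreExists = $hasStore
        LocalStoreOverride = ($override -eq 1)
        TemplatesReadFrom  = $source
    }
}

function Set-LocalStoreOverride {
    param([Parameter(Mandatory)][bool]$Enabled)

    if ($Enabled) {
        # Create the key only if absent: New-Item -Force on an existing
        # registry key would wipe the values already stored under it.
        if (-not (Test-Path $GpKey)) { New-Item -Path $GpKey -Force | Out-Null }
        New-ItemProperty -Path $GpKey -Name $GpValue -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
    else {
        Remove-ItemProperty -Path $GpKey -Name $GpValue -ErrorAction SilentlyContinue
    }
    Get-AdmxTemplateSource
}
```

Run from an elevated session, `Set-LocalStoreOverride -Enabled $true` applies the setting and returns the resulting template source; `-Enabled $false` removes the value so the machine reads the Central Store again.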
  • Thanks for sharing.


    Wednesday, March 15, 2017 9:31 AM
    Moderator