What is a Group Policy Central Store?
The Group Policy Central Store is a repository of ADMX and ADML files that are stored in the SYSVOL folder of your domain.
Why use a Central Store?
If like me you have managed Group Policy inside of an Active Directory domain you probably have had to install ADMX files at some point, be it because of a new OS or new application. In a small environment, you could get away without a Central Store and just copy the new ADMX files to the C:\Windows\PolicyDefinitions\ folder on each of your DC’s and the ADML files to the correct language sub-folder.
If you have a bigger environment with a lot of DC’s and Group Policy admins, keeping all local stores updated and in sync becomes nearly impossible. This can cause issues for Group Policy admins if they do not have the same ADMX files needed in a policy they will get the dreaded “Extra Registry Settings”. To save yourself and your Group Policy Admins from this, having a Central Store is the solution, as it gives you one location to keep updated without having to distribute the updates to multiple computers or servers.
How to create a Central Store
To create a Central store, first, connect to a DC. It does not matter which DC, but I always use the PDC Emulator because GPMC likes to connect to it by default when editing Group Policy.
ON the DC, we will need to create a new folder in the SYSVOL called PolicyDefinitions. This can be done via the GUI by browsing to C:\Windows\SYSVOL\%UserDNSDomain%\Policies\ and create the new folder, or you can just open up a CMD window as an administrator and run the following code:
|
1 |
mkdir C:\Windows\SYSVOL\sysvol\%UserDNSDomain%\Policies\PolicyDefinitions\ |
Next, we will need to copy all of our ADMX and ADML files to the new Central Store. I would normally do this via the most up to date DC in my environment. You can do this via the GUI by browsing to C:\Windows\PolicyDefinitions and copying all the content to \\%logonServer%\sysvol\UserDNSDomain%\Policies\PolicyDefinitions\ or you can just open up a CMD window as an administrator and run the following code:
|
1 |
xcopy /s C:\Windows\PolicyDefinitions\* %LogonServer%\sysvol\%UserDNSDomain%\Policies\PolicyDefinitions\ |
Now, this has all been done we can verify that we are using the Central store by editing a GPO in the GPMC. In the Group Policy Management Editor, the Administrative Templates section should show “Policy definitions (ADMX files) retrieved from central store.”
Central Store Maintenance
So we have a Central Store and everything is working well, but Microsoft has released a new update to the ADMX and ADML files. Unlike with the local copy of the ADMX and ADML files, the central store does not update automatically and you will need to update it manually. The way I do this is to download the updates from Microsoft install/extract the ADMX and ADML files to my local computer and then copy them to the Central Store using the same method as above.
1 Comment
MS15-011: Hardened UNC Path - Pixel Robots. · February 20, 2018 at 2:18 pm
[…] To do this I first made sure I had a central store for my Group Policies. Follow this guide to create a central store. […]