- Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
- Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
- Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016
If you’ve managed Group Policy inside of an Active Directory domain for any amount of time, you’ve probably had to install ADMX files at some point to support a new or updated application. If you’re in a small environment or only have a handful of Group Policy admins, the update process is fairly easy: copy the new ADMX files to the C:\Windows\PolicyDefinitions\ folder on your management station, copy the ADML files to the correct language sub-folder, and you’re done. Then, if you have other Group Policy admins, make sure the files are circulated to them. If you’re using a jump box as a central place to manage Group Policy, update the files there and you’re done.
The problem is that keeping the ADMX and ADML files updated across just a very small handful of systems is difficult. If you’ve got a lot of people managing Group Policy, it’s pretty much impossible. Even if you’re just dealing with one management station, forgetting to copy the contents of the PolicyDefinitions folder to your new PC can result in seeing the dreaded “Extra Registry Settings” list the next time you need to modify a Group Policy Object (GPO) because the Group Policy Management Console (GPMC) can’t find the ADMX and ADML files it needs to correctly display the settings.
A Group Policy Object on a management station missing ADMX files shows “Extra Registry Settings” for the settings it doesn’t recognize.
This is where the Group Policy Central Store can be of value to you and your organization. The Central Store is a repository of ADMX and ADML files that are stored inside the SYSVOL folder of your domain. When the Central Store is configured for a domain, management stations use the PolicyDefinitions folder of the Central Store instead of their local copy of ADMX/ADML files in C:\Windows\PolicyDefinitions\. This gives you one location to keep updated and ensures that all Group Policy admins are using the same set of ADMX/ADML files without having to distribute the updates to multiple computers or servers.
Creating the Group Policy Central Store ^
To create the Central Store, we’ll need to create a new folder on a Domain Controller (DC). Technically, it doesn’t matter which DC you use; however, if you have a lot of Group Policy admins, or if some DCs are slow to replicate, you might want to consider performing this on the PDC Emulator because the GPMC likes to connect to it by default when editing Group Policy.
On the DC, we’ll need to make a new folder in SYSVOL called PolicyDefinitions using the following command:
Note: If you’ve stored your SYSVOL folder on a different volume, you’ll need to adjust the above command accordingly to reference where you’re storing SYSVOL.
Next, we’ll need to copy all of our ADMX and ADML files to the Central Store. In my lab, I performed this on a fully updated DC that was running Windows Server 2012 R2, but you can also run this from a management station running a desktop edition of Windows:
xcopy /s c:\Windows\PolicyDefinitions\* %LogonServer%\sysvol\%UserDNSDomain%\Policies\PolicyDefinitions\
Once we’ve copied the AMDX and AMDL files, we can edit a GPO in the GPMC to verify that we’re using the Central Store. In the Group Policy Management Editor, the Administrative Templates section should show “Policy definitions (ADMX files) retrieved from the central store.”
Group Policy Management Editor showing that the Administrative Templates (ADMX files) were pulled from the Central Store.
If you aren’t using the Central Store, the Administrative Templates section will show “Policy definitions (ADMX files) retrieved from the local computer.”
Group Policy Management Editor showing that the ADMX files were pulled from the local computer.
Keeping the Central Store updated ^
Now that you’re storing all of your ADMX and ADML files centrally, you’ll have to ensure that the files stay updated in the Central Store. Unlike your local copy of ADMX/ADML files in C:\Windows\PolicyDefinitions\, the Central Store copy of PolicyDefinitions will need to be updated by you. You can take the updated files from the local PolicyDefinitions on an updated management station and copy those files to the Central Store, or you can download current copies if you can’t immediately apply updates to your management stations for whatever reason.
Microsoft makes downloadable copies of current ADMX files available so that they’re easy to download and install. Here are a few of the most common I like to keep handy:
- Windows 8.1 Update and Windows Server 2012 R2 Update
- Internet Explorer
- Microsoft Office 2013
- Microsoft Office 2010
- Microsoft Desktop Optimization Pack