Centralizing Group Policy with Central Store

You’ve probably heard of the Group Policy Central Store, but didn’t know what it does, or where to start.

Kind of like Dorothy’s ruby slippers, it was right under your nose, the whole time, waiting for you to use it. So, before we get into that, let’s explore first what the Central Store tries to solve and where it was born from.

Microsoft had a format to describe “what’s possible” in Group Policy using a simple, formatted language called ADM files. ADM files were great because they were simple, quite readable plain text files. They described the policy setting, its general parameters when edited, and what registry setting to control.

Microsoft shipped a handful of these in the box with Windows XP, and added more with utilities like Office and some others.

Group Policy Template and ADM Files

Let’s explore the “physics” of what would happen with Windows XP and ADM files. Let’s assume you created a new GPO from scratch:

You’d fire up the GPMC on Windows XP.

You’d click to create a new GPO.

When you edited a GPO, it would look in your Windows XP’s \windows\inf directory for ADM files.

It would push those ADM files up into the GPO.

Now, to be clear, those ADM files are never downloaded to the user stations. Those are only there for editing purposes.

Now, let’s explore what happens when an updated ADM file came out:

You’d copy the ADM files to your \windows\inf directory.

You’d try to copy the ADM files to all the other administrators’ \windows\inf directories.

Let’s pretend that one administrator, Jane, had the latest ADM files, but Fred didn’t.

When Jane clicks edit on the GPO, her latest ADMs are copied on top of the existing ADM files inside the GPO. Now, when Fred goes to edit the GPO (with his inferior ADMs) he simply won’t see these new options that Jane has when she edits.

What a nightmare!

So, to clear up these problems (and others), the Central Store enables us to move the “latest / greatest” Group Policy template files (now XML-ified) as ADMX and ADML files to, well, a Central Store!

Now, Jane on her Windows 7 machine and Fred on his Windows 7 machine don’t have to worry about “who has the latest files.” Now everyone does!

Here, you can see a domain’s default configuration, where there is no Central Store in place. All GPOs, when you hover over the words Administrative Templates, will show that the policy definitions are retrieved locally, meaning there is not yet a central store.

Figure 1: All GPOs use local definitions until there is a Central Store

Creating a Central Store

Creating the Central Store is easy to do. First, you need to find the SYSVOL location that stores the GPOs themselves on one of your Domain Controllers. Usually it’s found in C:\Windows\SYSVOL\sysvol\\Policies. Now, within the Policies folder, you’re going to copy up one Windows 7 or Windows Server 2008 R2 machine’s c:\Windows\policydefinitions folder – lock, stock, and barrel.

You can see me doing this in Figure 2.

Figure 2: Creating the Central Store is as easy as copying a directory.

If you ever need to add more languages, just use the language files from other instances of Windows’ c:\windows\policydefinitions folder. Just copy them at the same level as the existing en-US folder, and you’re golden.

So, creating the central store is easy. And the result can be seen in Figure 3.

Figure 3: The Central Store

Creating the central store doesn’t have to be a difficult procedure. Just one drag-and-drop later, and... boom! You’re done!
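
The copy described above can also be scripted and then checked. This is an added example, not code from the original article: a PowerShell function that copies a local PolicyDefinitions folder into SYSVOL and reports any ADMX/ADML file that is missing from the store or whose hash differs from the source. The function name and the UNC form of the SYSVOL path are assumptions; the article itself works with the Domain Controller's local path.

```powershell
# Added example, not the article's own code. Assumptions: run with rights to
# write to SYSVOL; the function name and the UNC form of the SYSVOL path
# (\\<domain>\SYSVOL\<domain>\Policies) are illustrative.
function Publish-CentralStore {
    param(
        [string]$Source = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $store    = Join-Path $policies 'PolicyDefinitions'

    if (-not (Test-Path -LiteralPath $Source))   { throw "Source not found: $Source" }
    if (-not (Test-Path -LiteralPath $policies)) { throw "Policies folder not found: $policies" }
    # Never overwrite silently: mixing template versions is the problem the
    # Central Store exists to avoid.
    if (Test-Path -LiteralPath $store) { throw "Central Store already exists: $store" }

    $src = (Get-Item -LiteralPath $Source).FullName
    # Destination does not exist yet, so Copy-Item creates it and copies the
    # ADMX files plus every language folder (en-US, ...) beneath it.
    Copy-Item -LiteralPath $src -Destination $store -Recurse

    # Verify: every .admx/.adml in the source must exist in the store with
    # the same SHA-256 hash.
    Get-ChildItem -LiteralPath $src -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' } |
        ForEach-Object {
            $relative = $_.FullName.Substring($src.Length).TrimStart('\')
            $target   = Join-Path $store $relative
            $status = if (-not (Test-Path -LiteralPath $target)) {
                'Missing'
            } elseif ((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -ne
                      (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash) {
                'Differs'
            } else {
                'OK'
            }
            [pscustomobject]@{ File = $relative; Status = $status }
        }
}

# Usage: list only the files that did not copy cleanly.
# Publish-CentralStore | Where-Object Status -ne 'OK'
```

The function refuses to run when a Central Store already exists, so updating an existing store with newer templates remains a deliberate, reviewed step.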