Creating a GPO Central Store in Windows Server 2012 R2
Group Policy Objects (GPOs) are a collection of thousands of various user and computer-specific settings that can be centrally managed by an administrator in an Active Directory environment.
Since the days of Windows Server 2000 and 2003, when you created a GPO, its settings were stored in the SYSVOL folder of the domain controllers (DCs), which is replicated between the DCs in the domain. However, because GPOs are essentially a collection of many settings that are combined together, these settings’ files, also called “Administrative Templates,” were also stored in the GPO folders on the SYSVOL share.
In Windows Server 2000 and 2003, these settings were in form of .ADM files and were all located in five files: Conf.adm, Inetres.adm, System.adm, Wmplayer.adm, and Wuau.adm.
But in Windows 2008 a new concept was introduced that separated the Administrative Templates into tens and hundreds of separate files that are now written in a different format and are made of two files for each section of the GPO: ADMX files that contain the settings themselves and language-specific ADML files that contain the localized explanation of what these settings do.
The fact that the Administrative Templates are separated into two files means that global organizations with branch offices in multiple countries can use localized versions of their GPOs, allowing editing of a GPO by a German administrator, in German, and by a different administrator in the US, in English without affecting each other’s language settings.
So far so good. However another challenge existed — where will these Administrative Templates be stored? Using the old method of Windows Server 2000/2003 means that each time a new GPO was created, all the Administrative Templates files would be copied to that GPO’s folder in SYSVOL and replicated across all the DCs. For a large organization, this means that the GPOs would greatly increase the size of the SYSVOL folder, unnecessarily duplicating all the Administrative Templates files over and over again.
This changed in Windows Vista and Windows Server 2008 and naturally continues in Windows Server 2012/R2 and now the upcoming Windows Server 2016. Microsoft decided to make life easier for network administrators by introducing the concept of centralized group policy storage. This storage repository, known as the “Central Store,” needs to be manually created on domain controllers. Once it’s in place, the GPO Administrative Templates replication issue is immediately solved. This is because of the way the Group Policy Editor processes the GPOs when they are open for editing. When an administrator attempts to create or edit a group policy template, Windows checks the DC in which their computer is connected for the existence of a central store. If the central store is found on the DC, the Group Policy Editor will use the central store by default. Otherwise, local copies of the template files are used.
Note: There are differences between the various Windows operating systems in terms of the number and type of ADMX/ADML files. Choose the ones that you’ll be using in your environment, and if you’re using multiple versions of Windows, always update the central store with the latest version of the files from the latest edition of Windows:
Windows Server 2012 R2:
The issue is that, by default, the central store does not exist. As noted above, you have to manually create it once. So how do you do it? Follow these steps:
1. Log onto a computer that is running Windows 10 or Windows Server 2012 R2.
2. On that machine, open Windows Explorer, and then go into the “C:\Windows\PolicyDefinitions” folder.
3. Copy the folder.
4. Connect to the SYSVOL share on one of your domain controllers. I would suggest using one that is located in the same local area network as you are on, just to speed up the file copy.
5. Paste the “PolicyDefinitions” folder to the “SYSVOL\<your domain>\Policies” folder on the domain controller.
Done. Now, wait a few moments or more, depending on your Active Directory topology, for the SYSVOL share to finish replicating across your network to all your DCs.
Next time you open a Group Policy for edit, no matter which computer you’re connected to when performing this task, will pull the ADMX/ADML files from the central store and will not use its local copy. Additionally, when creating a new GPO, the Administrative Templates will not be copied all over again to the SYSVOL share, as they are already found there.
More in Windows Server 2012
Microsoft Acknowledges New Netlogon Issues On Windows Server Machines
Feb 25, 2022 | Rabia Noureen
How to Fully Patch the PrintNightmare Vulnerability
Jul 9, 2021 | Brad Sams
Understanding Windows Server 2016’s Disaster Recovery Features
Aug 29, 2018 | Michael Otey
What Are Shared Virtual Hard Disk Sets on Windows Server 2016 Hyper-V?
May 26, 2017 | Aidan Finn
What Is the Storage Resiliency of Windows Server 2016?
May 25, 2017 | Aidan Finn
SCARY: “Atom Bomb” Windows Security Hole said to be Unfixable
Oct 31, 2016 | Richi Jennings
Most popular on petri