Creating a Group Policy Central Store

One of the issues that sometimes made managing group policies difficult in Windows XP and in Windows Server 2003 was the non centralized nature of the group policy template files. For example, Microsoft offers downloadable templates that allow you to manage Microsoft Office via group policy. Even so, these templates are not automatically available from every domain controller.

In Windows Vista and Windows Server 2008, Microsoft decided to make life easier for network administrators by introducing the concept of centralized group policy storage. This storage repository, known as a central store, can be created in domains containing Windows Server 2003 and / or Windows Server 2008 domain controllers. Even though Windows Server 2003 does not technically support centralized group policy storage, Windows Vista does, and this allows you to store the central store on Windows Server 2003 domain controllers if necessary, but manage the central store through Windows Vista.

How Does a Central Store Work?

As you may have gathered from the previous paragraph, there is really nothing special about the central store itself. It is nothing more than a folder on a server. The reason why a central store can work the way that it does is because of the way that the store is used by Windows Vista and Windows Server 2008.

When an administrator attempts to create or edit a group policy template, Windows checks the domain controller to which it is connected for the existence of a central store. If a central store exists, then Windows will use that central store by default. Otherwise, local copies of the template files are used.

Creating a Central Store

Creating a central store is actually a rather simple process. The first thing that you will have to do is to log onto a computer that is running either Windows Vista or Windows Server 2008. If you have one particular machine that has all of your group policy template files installed on it, then that machine is a good candidate.

The next thing that you must do is to open Windows Explorer, and then go into the C:\Windows folder. Locate the PolicyDefinitions folder, right click on it, and then choose the Copy command from the shortcut menu. This will copy the folder and its contents to the Windows clipboard.

The next step in the process is to map a network drive letter to the sysvol folder on a domain controller. The full path that you will need to access on the domain controller is c:\Windows\SYSVOL\domain\Policies. Finally, copy the PolicyDefinitions folder to the \Windows\SYSVOL\domain\Policies folder on the domain controller. You can see what this looks like in Figure A.

 

Figure A Copy the PolicyDefinitions folder to the domain controller’s \Windows\Sysvol\Domain\Policies folder.

Testing Your Central Store

In order to gain the maximum benefit from the central store that you have created, I recommend that you periodically run tests to make sure that the central store is actually being used. Fortunately, testing a your central store is even  easier to do than creating the central store was. To do so, open the Group Policy Management console. Now, navigate through the console tree to Forest | Domains | your domain | Group Policy Objects | Default Domain Controller Policy. Upon selecting this policy container, the pane on the right side of the console should display a series of tabs. Go to the Settings tab, and look at the Administrative Templates section. It should confirm that the policy definitions (the ADMX files) have been retrieved from the central store.

One thing that you must keep in mind about this technique is that you may occasionally run into situations in which the Settings tab for a particular group policy template does not even contain an Administrative Templates section, let alone tell you that the template was retrieved from the central store. The reason why this occasionally happens is that the Administrative Templates section is only displayed if the group policy object contains at least one setting.

Conclusion

As you can imagine, keeping group policy templates in a central location can be a significant management issue for companies. However, Windows Server 2008’s (and Windows Vista’s) ability to create a central store greatly simplified the process of keeping track of the various group policy objects that are in use within your company.

Recent Windows Server 2008 Forum threads

Got a question? Post it on our Windows Server 2008 forums!