Configuring a central store
Prior to Windows Vista and Windows Server 2008, all of the
default administrative template files (.adm files) were added to the
ADM folder of each GPO on a domain controller. Because GPOs are
stored in the SYSVOL folder on domain controllers and each GPO
typically occupies about 2 MB of disk space, the more GPOs there
were in the environment, the greater the size of the SYSVOL folder
was. This condition was sometimes referred to as “SYSVOL bloat.”
Furthermore, because the contents of the SYSVOL folder are
automatically replicated to all domain controllers in the domain,
this problem was multiplied considerably.
Beginning with Windows Vista and Windows Server 2008, however, this
situation has changed in two ways:
- A new XML-based format for administrative template files
  called ADMX has replaced the earlier ADM format used for
  defining registry-based policies in GPOs. An associated format
  called ADML supports the multilingual display of
  policies.
- All of the policy definition files (.admx and .adml files)
  for a domain can now be stored in a central store in SYSVOL.
  This means only one copy of each ADMX template needs to be
  stored in SYSVOL, instead of storing a copy of each ADM template
  for every GPO in the domain.
You can create a central store for a domain by performing the
following procedure:
- Create a folder named PolicyDefinitions in the following
  UNC path on a domain controller in the domain:
    \\domain_name\SYSVOL\domain_name\policies
  For example, for the corp.fabrikam.com domain, you would
  create the following folder:
    \\corp.fabrikam.com\SYSVOL\corp.fabrikam.com\policies\PolicyDefinitions
- Copy all of the files from the
  %systemroot%\PolicyDefinitions folder on a Windows 8–based
  administrative workstation to the PolicyDefinitions folder on a
  domain controller. Alternatively, you can download the latest
  administrative template files for Windows 8 from the Microsoft
  Download Center and copy them to the PolicyDefinitions folder on
  a domain controller.
- Wait for SYSVOL to replicate the changes to all domain
  controllers in the domain.
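The procedure above can also be scripted. The following PowerShell is an added example, not part of the original text: it creates the central store, copies the local templates, and then compares SHA-256 hashes so that an incomplete or altered copy is reported. It assumes PowerShell 4.0 or later (for Get-FileHash), a domain-joined administrative workstation, and an account allowed to write to SYSVOL; the helper name Get-TemplateIndex is made up for this example.

```powershell
# Added example, not from the original text.
# Assumes PowerShell 4.0+ and write access to SYSVOL.
$domain  = $env:USERDNSDOMAIN                       # for example corp.fabrikam.com
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "\\$domain\SYSVOL\$domain\policies\PolicyDefinitions"

# Step 1: create the PolicyDefinitions folder if it is not there yet.
if (-not (Test-Path -LiteralPath $central)) {
    New-Item -ItemType Directory -Path $central | Out-Null
}

# Step 2: copy the .admx files and the language subfolders holding .adml files.
# -Force overwrites templates already in the central store, so run this only
# from the workstation whose templates you intend to be authoritative.
Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse -Force

# Hypothetical helper: index every template under a root folder as
# (path relative to the root, SHA-256 hash of the file).
function Get-TemplateIndex {
    param([Parameter(Mandatory = $true)][string]$Root)
    $prefix = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\').Length + 1
    Get-ChildItem -LiteralPath $Root -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' } |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($prefix)
                Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Report every template that is missing on one side or whose content differs.
$diff = Compare-Object (Get-TemplateIndex $source) (Get-TemplateIndex $central) `
    -Property RelativePath, Hash
if ($diff) {
    $diff | Sort-Object RelativePath |
        Format-Table RelativePath, Hash, SideIndicator -AutoSize
    Write-Warning 'Central store does not match the local PolicyDefinitions folder.'
} else {
    Write-Output "Central store at $central matches $source."
}
```

Rows marked => are files that exist only in the central store, for example templates placed there earlier from another source. To confirm replication, run Get-TemplateIndex against the same path on an individual domain controller by replacing the domain name in the server part of the UNC path with that controller's name.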
Starter GPOs are basically templates you can use for quickly
creating preconfigured GPOs. By creating and configuring a suitable
collection of Starter GPOs, you can significantly accelerate the
process of implementing Group Policy within a large, distributed
environment.
Starter GPOs can be created, edited, imported, exported,
backed up, and restored. They can contain only Administrative
Template policies and not preferences or other settings, such as
security settings.
Before you can use Starter GPOs, you must create the Starter
GPOs folder for the domain. You can do this by performing the
following steps:
- Select the Starter GPOs node under a domain node in the
  Group Policy Management Console (GPMC).
- Click the Create Starter GPOs Folder button in the details
  pane.
When you perform the preceding steps, a folder named
StarterGPOs is created in the SYSVOL share of the domain controllers
in the domain. This folder is initially populated with a collection
of read-only System Starter GPOs that provide baseline settings for
Enterprise Client (EC) and Specialized Security Limited
Functionality (SSLF) environments running older versions of Windows
client operating systems.
Note
Getting updated security baselines
For the latest security baselines for Microsoft products,
including Windows 8 and Windows Server 2012, download the latest
version of the Microsoft Security Compliance Manager from the
Microsoft Download Center at http://www.microsoft.com/downloads/.
To create a new Starter GPO, perform the following
steps:
- Right-click on the Starter GPOs node, and select
  New.
- Type a descriptive name for your Starter GPO, and add an
  optional comment if desired.
After you have created a new Starter GPO, you need to
configure it by following these steps:
- Right-click on the Starter GPO, and select Edit to open
  the Group Policy Starter GPO Editor.
- Configure the Administrative Template policies as
  desired.
After you have configured a Starter GPO, you can use it to
create new GPOs for the domain. To do this, follow this
procedure:
- Right-click on the Starter GPO, and select New GPO From
  Starter GPO.
- Type a descriptive name for your new GPO.
The new GPO will be created unlinked to any container in
Active Directory. By expanding the Group Policy Objects node and
selecting the new GPO, you can use the Settings tab to verify that
the central store is functioning properly. (See Figure 3.) You can link the
new GPO to an OU by dragging it onto the node representing the
OU.
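The same sequence can be carried out with the GroupPolicy PowerShell module. This is an added example, not part of the original text: it creates a GPO from an existing Starter GPO, writes a settings report for review while the GPO is still unlinked, and then links it. The Starter GPO name, GPO name, OU distinguished name, and report path are hypothetical, and the Starter GPO is assumed to have been created and configured already as described above.

```powershell
# Added example, not from the original text. All names below are hypothetical.
Import-Module GroupPolicy

$starterName = 'Desktop-Baseline-Starter'
$gpoName     = 'Desktop-Baseline'
$targetOu    = 'OU=Workstations,DC=corp,DC=fabrikam,DC=com'
$reportPath  = Join-Path $env:TEMP "$gpoName.html"

# Stop if the Starter GPO is missing, rather than creating an empty GPO.
$starter = Get-GPStarterGPO -Name $starterName -ErrorAction Stop

# Refuse to continue if a GPO with the intended name already exists.
if (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue) {
    throw "A GPO named '$gpoName' already exists in the domain."
}

# Create the GPO from the Starter GPO. It is not linked to any container yet.
$gpo = New-GPO -Name $gpoName -StarterGpoName $starter.DisplayName `
    -Comment "Created from Starter GPO '$starterName'"

# Export the settings for review before the GPO applies to anything.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $reportPath
Write-Output "Review the settings in $reportPath before linking."

# Link the reviewed GPO to the OU (the scripted form of dragging it onto the OU).
New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled Yes
```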
Note
Verifying the central store
You can also verify that the central store is functioning
properly by using Group Policy Management Editor to open any GPO
linked in your domain. If you expand the Policies node beneath
either Computer Configuration or User Configuration, and you see
that the Administrative Templates node has been renamed as
Administrative Templates: Policy Definitions (ADMX Files)
Retrieved From The Central Store, you know that you have properly
configured your central store.