Group Policy Management Installation

GPMC & Group Policy Store in Server 2008

In this article I will show you how to install the Group Policy Management Console (GPMC) and create a Central Store for storing Group Policy files. GPMC was first introduced in Windows Server 2003 and it hasn’t changed much with Windows Server 2008. If you are running Active Directory within your organization, it’s most likely that you are going to use GPOs to manage your workstations across the network. GPMC is a powerful, centralized tool for creating, deleting and interacting with Group Policy Objects. With GPMC you can automate management tasks for all Users and Computers within the network. Windows Server 2008 uses ADMX files (Administrative Template files in XML format) to store registry settings. Group Policy Objects can be applied to OUs (Organizational Units) and they can also be inherited from parent OUs.

I won’t describe each Policy Object because there are so many that even multiple articles would not cover them all. Instead, I will let you discover them by browsing in the Group Policy Management Console. You’ll see how easy it is to add this feature to Windows Server 2008. Of course, you won’t be able to memorize all of them, but you should at least learn the categories available in GPMC and get a general idea of how this tool can make your life easier. Note that you can also create custom policies by creating your own ADMX files. To achieve this you’ll need to create a Central Repository, and this is what will be covered in today’s article.

To install GPMC, open the Server Manager Console, navigate to the Features section and click on the Add Features button:

Server Manager Console - Add Features

From the available Features list you’ll need to select Group Policy Management and proceed with the installation:

Group Policy Management Installation

Note that I’ve previously installed this feature, which is why I get the grayed-out Installed message.

Once the feature has been installed, you can open it either by using mmc and adding the GPMC snap-in or by typing GPMC.MSC in the Run dialog:

Open Run GPMC

You can now explore the available policies and the new features introduced with Windows Server 2008.

Clients can determine which GPOs they should apply by checking a specific attribute (gPLink) within Active Directory. They will receive a list containing all GPOs and the order in which they should be applied. To apply a policy, clients will first need to determine what the latest version of each GPO is. If a GPO has been applied previously, the client will know if changes have occurred by checking this specific attribute. To view the version of a GPO, you’ll need to expand the forest and domain section and select one of your policies. Now go to the Details section of the GPO and you will be able to see User Version and Computer Version:

GPMC User Version or Computer Version

As you can see, there are two version parameters available: User Version and Computer Version. By comparing these two values, clients will know what changed and where, and whether the policy was ever applied to the workstation. Besides determining which GPOs have been changed and what policy settings to apply, the client will determine if it can reach any Domain Controller. Once this phase is complete, the client will pull all Group Policy settings and place them in the right category (for example, Policies, Windows Settings, Administrative Templates, etc.). For each category there is a Client-Side Extension (CSE), which is nothing more than a file (usually a DLL) that can interpret and process settings within a GPO.
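The two versions GPMC displays are stored as one number on each GPO, once in Active Directory (versionNumber) and once in SYSVOL (GPT.INI). The script below is an added example, not code from the article; it assumes PowerShell 3.0 or later on a domain-joined machine, and the function names are hypothetical.

```powershell
# Added example: report user/computer versions of every GPO from AD and SYSVOL.
# Assumes PowerShell 3.0+ and read access to the domain and its SYSVOL share.

function Split-GpoVersion([int]$VersionNumber) {
    # One 32-bit value: user version in the high 16 bits, computer in the low 16
    [pscustomobject]@{
        User     = ($VersionNumber -shr 16) -band 0xFFFF
        Computer = $VersionNumber -band 0xFFFF
    }
}

function Get-GpoVersionReport {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(objectClass=groupPolicyContainer)'
    $searcher.PageSize = 500
    foreach ($attr in 'displayName', 'versionNumber', 'gPCFileSysPath') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($gpo in $searcher.FindAll()) {
        $adRaw = [int]$gpo.Properties['versionnumber'][0]
        # The SYSVOL copy of the same number is the "Version=<n>" line in GPT.INI
        $ini = [IO.Path]::Combine([string]$gpo.Properties['gpcfilesyspath'][0], 'GPT.INI')
        $hit = Select-String -Path $ini -Pattern '^\s*Version\s*=\s*(\d+)' -ErrorAction SilentlyContinue |
               Select-Object -First 1
        $sysRaw = if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
        $ad = Split-GpoVersion $adRaw
        $sv = if ($null -ne $sysRaw) { Split-GpoVersion $sysRaw } else { $null }
        [pscustomobject]@{
            Name           = [string]$gpo.Properties['displayname'][0]
            ADUser         = $ad.User
            ADComputer     = $ad.Computer
            SysvolUser     = if ($sv) { $sv.User } else { 'unreadable' }
            SysvolComputer = if ($sv) { $sv.Computer } else { 'unreadable' }
            InSync         = ($adRaw -eq $sysRaw)
        }
    }
}

Get-GpoVersionReport | Sort-Object InSync, Name | Format-Table -AutoSize
```

A GPO whose InSync column is False has different versions in AD and SYSVOL, which usually points to a replication problem or an edit made outside the normal tools.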

On a client computer you can view which CSEs have been loaded by checking the registry. Open regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions:

GPMC CSE Loaded - Registry

Within a CSE you will see where the GPO will be applied, which DLL file is responsible for processing settings, etc.
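The same registry key can be read from a script, which makes it easy to compare workstations against a known-good baseline. This is an added example, not code from the article; it assumes PowerShell 3.0 or later, and Get-RegisteredCse is a hypothetical name.

```powershell
# Added example: list registered Client-Side Extensions and the DLL behind each.
# Assumes PowerShell 3.0+; run in a 64-bit session on 64-bit Windows.

function Get-RegisteredCse {
    $base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $base | ForEach-Object {
        $p   = Get-ItemProperty -Path $_.PSPath
        $dll = [Environment]::ExpandEnvironmentVariables([string]$p.DllName)
        # Assumption: a DllName without a directory is looked up in System32
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $sys32 $dll
        }
        $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
        [pscustomobject]@{
            Guid       = $_.PSChildName          # subkey name is the CSE GUID
            Name       = $p.'(default)'          # friendly name, when set
            Dll        = $dll
            InSystem32 = $exists -and
                         $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
            # On older PowerShell versions catalog-signed system files can
            # report NotSigned, so treat this column as a hint, not a verdict.
            Signature  = if ($exists) {
                             (Get-AuthenticodeSignature -FilePath $dll).Status
                         } else { 'FileMissing' }
        }
    }
}

Get-RegisteredCse | Sort-Object InSystem32, Name | Format-Table -AutoSize
```

Entries that are missing on disk or live outside System32 sort to the top and are the ones worth reviewing first.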

ADMX files were introduced with Windows Server 2008, replacing the old ADM format. ADMX files are used to create custom policies by adding registry-based settings in an XML format. These files can be placed in a central repository which is accessible by Administrators responsible for creating Group Policy Objects. By creating a Central Store for your ADMX files, you reduce the storage space required for your GPOs because ADMX files are read from a single Domain Controller and it’s not necessary to copy them for each GPO. ADMX files are divided into two categories: language-specific resources (.adml files) and language-neutral resources (.admx files). The user interface is modified based on these language settings.

Note that by default, the central store is not created and you will have to add it manually. Open Windows Explorer, navigate to C:\Windows\SYSVOL\domain\Policies and create a new folder named PolicyDefinitions. Within this folder create another directory named en-us (location for .adml files). We will need to get some .adml and .admx files. Note that you’ll need to RDP to a client computer that is part of your AD domain and search for these files. In my testing environment I’ve installed a Windows 7 machine and added it to my domain. Once the workstation is added to a domain, all .admx and .adml files that are applied to the host are copied from the Domain Controller:

Add Central Store Domain Controller

Copy one .adml file to C:\Windows\SYSVOL\domain\Policies\en-us and one .admx file to C:\Windows\SYSVOL\domain\Policies. You can now explore the contents of the files. Note that you can download the ADMX schema using the following link from Microsoft’s website. When building specific files, you will need to make sure that the schemas are configured correctly. Working with ADMX files is a bit risky because they modify registry settings and thus you can end up messing up your network. Always test your files before applying them in a production environment.
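The folder creation and copy steps can be scripted together with a basic sanity check of the templates. This is an added example, not code from the article: it assumes PowerShell 3.0 or later in an elevated session on a domain controller, uses the PolicyDefinitions folder created in the previous step as the destination, and takes the local %SystemRoot%\PolicyDefinitions folder as its default source; the function names are hypothetical.

```powershell
# Added example: build the central store, then verify that every .admx parses
# as XML and has a matching .adml file in the language folder.
# Assumes PowerShell 3.0+, elevated, on a domain controller.

function Test-PolicyTemplate([string]$Path, [string]$ExpectedRoot) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($Path)
        $root = $doc.DocumentElement.LocalName
        if ($root -eq $ExpectedRoot) { 'OK' } else { "Unexpected root <$root>" }
    } catch {
        'Not well-formed XML'
    }
}

function Initialize-CentralStore {
    param(
        # Assumption: templates are taken from the local PolicyDefinitions folder
        [string]$Source   = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Store    = (Join-Path $env:SystemRoot 'SYSVOL\domain\Policies\PolicyDefinitions'),
        [string]$Language = 'en-us'
    )
    $langDir = Join-Path $Store $Language
    # -Force creates PolicyDefinitions and the language folder in one call
    New-Item -ItemType Directory -Path $langDir -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Store -Force
    Copy-Item -Path (Join-Path $Source "$Language\*.adml") -Destination $langDir -Force

    Get-ChildItem -Path $Store -Filter '*.admx' | ForEach-Object {
        $adml = Join-Path $langDir ($_.BaseName + '.adml')
        [pscustomobject]@{
            Template = $_.Name
            Admx     = Test-PolicyTemplate $_.FullName 'policyDefinitions'
            Adml     = Test-PolicyTemplate $adml 'policyDefinitionResources'
        }
    }
}

# Show only templates that need attention
Initialize-CentralStore |
    Where-Object { $_.Admx -ne 'OK' -or $_.Adml -ne 'OK' } |
    Format-Table -AutoSize
```

An empty result means every template in the store is well-formed and has its language file; pass -Source to point at files copied from a client machine instead.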

I hope this helps you understand how to install GPMC and configure a central Store file for your policy objects. I’ve also tried explaining the process of applying a GPO to an Active Directory client. Note that I haven’t been experimenting much with custom ADMX files, so I’m still in the process of learning how to customize them to achieve best results for my network. You can try installing the ADMX schema and then play a bit with a custom rule. If you have any questions, or are confused with any part of this process, don’t hesitate to post a comment in our dedicated section. Wish you all the best and stay tuned for the following articles.

You can learn more about Dan Popescu by visiting him on Google+

