{"id":2448,"date":"2014-07-08T10:50:45","date_gmt":"2014-07-08T15:50:45","guid":{"rendered":"http:\/\/www.poweradmin.com\/blog\/?p=2448"},"modified":"2015-04-24T16:06:08","modified_gmt":"2015-04-24T21:06:08","slug":"gpmc-and-group-policy-store-in-windows-server-2008","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/gpmc-and-group-policy-store-in-windows-server-2008\/","title":{"rendered":"GPMC & Group Policy Store in Server 2008"},"content":{"rendered":"

In this article I will show you how to install Group Policy Management Console and Create a Central Store for storing Group Policy Files. GPMC was first<\/span> introduced in Windows Server 2003 and it hasn\u2019t changed much with Windows Server 2008. If you are running Active Directory<\/a> within your<\/span> organization, it\u2019s most likely that you are going to use GPO to manipulate your workstations across the network. GPMC is a powerful and centralized tool<\/span> for creating\/deleting and interacting with Group Policy Objects. With GPMC you can automate management tasks for all Users and Computers within the<\/span> network. Windows Server 2008 uses ADMX (Administrative Template files with XML format) files to store registry settings. Group Policy Objects can be <\/span>applied on OU (Organizational Units) and they can also be inherited from parent OUs.<\/span><\/p>\n

I won\u2019t describe each Policy Object because there are so many that even multiple articles will not cover them all. Instead, I will let you discover them by<\/span> browsing in the Group Policy Management Console. You\u2019ll see how easy it is to add this feature to Windows Server 2008. Of course, you won\u2019t be<\/span> able to memorize all of them, but you should at least learn the categories available in GPMC and get a general idea on how this tool can make your life<\/span> easier. Note that you can also create custom policies by creating your own ADMX files. To achieve this you\u2019ll need to create a Central Repository, and this <\/span>is what will be covered in today\u2019s article.<\/span><\/p>\n

To install GPMC, you will need to open Server Manager Console<\/em> and navigate to the Features<\/em> section and click on the Add Features <\/em><\/span>button:<\/span><\/p>\n

\"Server<\/span><\/p>\n

From the available Features<\/em> list<\/em> you\u2019ll need to select Group Policy Management<\/em> and proceed with the installation:<\/span><\/p>\n

\"Group<\/span><\/p>\n

Note that I\u2019ve previously installed this feature this is why I get the Installed<\/em> grayed message.<\/span><\/p>\n

Once the feature has been installed, you can open it either by using mmc<\/em> and adding the GPMC snap-in or by typing GPMC.MSC in run:<\/span><\/p>\n

\"Open<\/p>\n

You can now explore the available policies and the new features introduced with Windows Server 2008.<\/span><\/p>\n

Clients can determine what GPO they should apply by checking a specific attribute (gPLink<\/em>) within Active Directory. They will receive a list<\/span> containing all GPOs and in what order they should be applied. To apply a policy, clients will first need to determine what the latest version of each GPO<\/span> is. If a GPO has been applied previously, the client will know if changes have occurred by checking this specific attribute. To view the version of a GPO,<\/span> you\u2019ll need to expand the forest<\/em> and domain<\/em> section and select one of your policies. Now go on the Details<\/em> section of our GPO <\/span>and you will be able to see User Version<\/em> and Computer Version<\/em>:<\/span><\/p>\n

\"GPMC<\/p>\n

As you can see, there are two version parameters available: User version and Computer Version. By comparing these two values, clients will know what and where<\/span> the changes occurred and if the policy was ever applied to the workstation. Besides determining what GPOs have been changed and what policy settings<\/span> to apply, the Client will determine if he can reach any Domain Controller. Once this phase is complete, the client will pull all Group Policy setting and<\/span> place them in the right category (for example, Policies, Windows Settings, Administrative Templates, etc.). For each category there is a Client-Side <\/span>Extension (CSE) which is nothing more than a file that can interpret and process settings within a GPO (usually a DLL).<\/span><\/p>\n

On a Client computer you can view what CSE have been loaded by checking the registry. Open regedit<\/em> and navigate to <\/span>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions:<\/span><\/p>\n

\"GPMC<\/p>\n

Within a CSE you will see where the GPO will be applied, what\u2019s the DLL file responsible for processing settings, etc.<\/span><\/p>\n

ADMX files were introduced with Windows Server 2008 replacing the old ADM formats. ADMX files are used to create custom policies by adding registry based<\/span> settings in an XML format. These files can be placed in a central repository which is accessible by Administrators responsible for creating Group Policy<\/span> Objects. By creating a central Store for your ADMX files, you reduce the storage space required for your GPOs because ADMX are read from a single Domain<\/a><\/span> Controller<\/a> and it\u2019s not necessary to copy them for each GPO. ADMX files are divided into two categories: language specific resources<\/em> (.adml files)<\/span>
\n and language-neutral resources<\/em> (.admx files). The user interface, is modified based on these language settings.<\/span><\/p>\n

Note that by default, the central store is not created and you will have to add it manually. Open Windows Explorer<\/em>, navigate to C:\\Windows\\SYSVOL\\domain\\Policies<\/em> and create a new folder named PolicyDefinitions<\/em>. Within this folder create another directory named<\/span> en-us (location for .adml files). We will need to get some .adml and .admx files. Note that you\u2019ll need to RDP to a client computer that is part of your AD<\/span> domain and search for these files. In my testing environment I\u2019ve installed a Windows 7 machine and added it to my domain. Once the workstation is added to <\/span>a domain, all .admx and .adml files that are applied to the host, are copied from the Domain Controller:<\/span><\/p>\n

\"Add<\/p>\n

Copy one .adml file in C:\\Windows\\SYSVOL\\domain\\Policies\\en-us and one .admx in C:\\Windows\\SYSVOL\\domain\\Policies. You can now explore the contents of the<\/span> files. Note that you can download the ADMX schema using the following link from Microsoft\u2019s website<\/a>. When building specific files, you will need to make<\/span> sure that the schemas are configured correctly. Working with ADMX files is a bit risky because they modify registry settings and thus you can end up <\/span>messing up your network. Always test your files before applying them in a production environment.<\/span><\/p>\n

I hope this helps you understand how to install GPMC and configure a central Store file for your policy objects. I\u2019ve also tried explaining the process of applying<\/span> a GPO to an Active Directory client. Note that I haven\u2019t been experimenting much with custom ADMX files, so I\u2019m still in the process of learning how to<\/span> customize them to achieve best results for my network. You can try installing the ADMX schema and then play a bit with a custom rule. If you have any questions, or are confused with any part of this process,<\/span> don\u2019t hesitate to post a comment <\/span>in our dedicated section. Wish you all the best and stay tuned for the following articles.<\/span><\/p>\n

\"Tweet<\/a><\/p>\n

\"Share<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

In this article I will show you how to install Group Policy Management Console and Create a Central Store for storing Group Policy Files. GPMC was first introduced in Windows Server 2003 and it hasn\u2019t changed much with Windows Server 2008. If you are running Active Directory within your organization, it\u2019s most likely that you […]<\/p>\n","protected":false},"author":4,"featured_media":2455,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,9,8],"tags":[],"class_list":["post-2448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-it","category-how-to","category-technical","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/2448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=2448"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/2448\/revisions"}],"predecessor-version":[{"id":3481,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/2448\/revisions\/3481"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/2455"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=2448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=2448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=2448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}