The Group Policy Central Store has two big benefits for every Windows Administrator. First, it allow you (plus anyone else with the GPMC) to have the latest Group Policy administrative templates available. Second, creating a central store will significantly reduce the amount of storage being used on your domain controllers! In this article, we are going to create/update our Group Policy Central Store. We will make the Windows 8.1/Server 2012R2, Office 2013, and a few other ADMX files available to our entire IT department.
To get an idea of how the Group Policy Central Store works, explore your Sysvol for a second. Open an explorer window and navigate to \\DOMAINNAME\sysvol\. Open up any subfolders until you are inside the policies folder. We are now looking the GUID of every Group Policy Object (GPO) in our domain. Open up any policy and you should see a few subfolders. The most common are: ADM, Machine, and User.
By default, your ADM folder will contain five ADM files. Each client will also have a copy of these files. Every policy that you create will automatically include this ADM folder. Our domain has four domain controllers and 767 group policy objects. Each policy would have a 3.46 MB ADM folder in it. That means that our domain uses 10.4 GB of space to store ADM files! Imagine how much space is being wasted in your sysvol.
The great thing about creating the Group Policy Central Store is this will have zero impact on your client machines! Each client already has a local copy of any Administrative Template and the GPMC will simply use the Central Store to pull its available Administrative Templates.
Three Steps to Create the Group Policy Central Store
If you are just updating your Group Policy Central Store, skip to the download links below and replace any file that you are prompted to overwrite.
If you are creating your Central Store, browse back to your Policies folder within Sysvol and create a new folder named “PolicyDefinitions”.
Download the following ADMX templates to populate your Central Store. You will need the first download. The rest are optional.
- Windows 10 ADMX Templates (compatible with earlier versions of Windows – grab latest version – compatible with latest Windows Server release).
- Office 2016 ADMX Templates
- Office 2013 ADMX Templates
- Office 2010 ADMX Templates
- Office 2007 ADMX Templates
- HP Universal Print Driver ADMX Template (gets rid of that annoying Print Notification popup)
- Mozilla FireFox ADMX Templates
- Google Chrome ADMX Templates
Extract the files into your .\Policies\PolicyDefinitions Folder. The ADMX files should be put into the root of this folder. The language folder (ex: en-us) should also be in the root. All ADML files should be within the language folder.
Close any opened GPMC windows on your management machine. Open GPMC again and create a new policy. Navigate to Computer Configuration\Policies\Adm
Cleaning Up the ADM Remains
Your Group Policy Central Store is working and you are already getting the first huge benefit! Every management machine has the exact same set of ADMX files. The second benefit, mentioned above, is a much smaller SYSVOL.
To get your SYSVOL smaller, you will need to delete any ADM templates that you did not import yourself. Search your policies folder for any file with a .ADM extension. In Windows search, you can query “*.ADM” to retrieve all of the ADM files. When searching, you might also want an easy way to convert GPO GUIDs to GPO names. This PowerShell method will help.
You can safely delete the 5 built-in ADM files. They are:
- conf.adm
- inetres.adm
- system.adm
- wmplayer.adm
- wuau.adm
You might still have some ADM files left. You will want to get rid of these as well. First, decide if you still need some of the ADM file. For example, you might have Office 2003 ADM files in SYSVOL even though you are no longer using Office 2003. In my environment, I had Office 2007 ADM files within specific GPOs plus Office 2007 ADMX files in my Central Store. Deleting the Office 2007 ADM files straightened out that problem.
If you still have ADM files that do not have an ADMX equivalent, contact the software maker first. If they are unable to provide ADMX files, you can try to convert the ADM to an ADMX format. Microsoft has released a free ADM to ADMX convertor. It can be found on the Tools page.
Preventing a Second Spill and Additional Links
I know you always use the latest GPMC. Your coworkers might not be as up to date as you (I bet they don’t subscribe to this blog either). But why is using the XP GPMC so bad?
The XP/Server 2003 GPMC isn’t Central Store aware. It will automatically upload ADM files back into an edited GPO. Because of this, it is a best practice to no longer use the GPMC on those operating systems. In a larger environment that has many Group Policy creators, it might be wise to use Software Restriction Policies or File System Security Policies to disable access to the older GPMCs.
And that is it! You’ve created a central store, loaded the latest ADMX files, and cleared out some SYSVOL bloat. The links below list a few tools that might also help.
- How to Create a Central Store: http://support.microsoft.c
om/kb/9298 41 - PowerShell Method to Clean Central Store: http://gallery.technet.microsoft.com/scriptcenter/Removing-ADM-files-from-b532e3b6
- Automatic Central Store Creator: http://www.gpoguy.com/Free
Tools/Free ToolsLibra ry/tabid/6 7/ agentTyp e/View/Pro pertyID/88 /Default.a spx
I have two DCs, primary with 2008 R2 and secondary with 2012 R2. I am running Forefront Identity Manager on my primary DC. We are having client machine OS as 8.1 and windows 10. can you answer the below
1. When I try to create a new policy I am unable to view Personalization Folder under Computer Configuration — Policies — Administrative Templates — Control Panel. Due to this am unable to change many settings which are under this folder. How can I get this folder?
2. Can I upgrade my primary DC from 2008 R2 to 2012 R2 without affecting my forefront identity manager settings which are being used for office 365 synchronization?
Awaiting your kind response.
1. You may try copying in the ADMX files again. Sounds like you are missing one or two.
2. I’m not sure. Let me know what you find out.
Central Store Access
– Windows 2012 domain created as Windows 2012 domain
Issue:
When attempting to access sysvol using UNC \\FQDN\Sysvol\FQDN\Policies we were unable to update/rename/delete the ADMX or ADML files. We were using our Domain Admin accounts and still were denied access.
Fix action:
Use File Manager to browse to Sysvol\sysvol\FQDN\Policies. We were then able to update the ADMX/ADML files as necessary.
If you update your ADMX files be sure you update the ADML file.
By file manager, you mean file explorer?
Never mind. Thank you for this tip! You meant the old school File Manager. Thanks!
No problem at all!
Thanks for explaining that solution!
I have Server 2008 and I cannot get this to work.
Great article! Thanks for posting!
We’re a little late to the party; We’re currently putting the Central Store in place (DCs are 2008R2) using the WIN10 ADMX templates.
Once GPMC starts using these templates from the Central Store:
1. Is it absolutely necessary to remove the old ADM files outside of the Central Store? Just wanted to confirm they can coexist.
2. If we don’t remove the ADM files will we still be able to create GPOs specifically for WIN10?
1. No
2. Yes
removing the ADMs just makes your SYSVOL replication more efficient in the future.
What’s up, of course this piece of writing is genuinely good and I have learned lot of things from it concerning blogging.
thanks.
Hi Joseph,
I upgraded majority of the PCs to windows 10 in my organization. Does this template work with Windows 7 as I still have some Windows 7 PCs in my environment.
The new templates will still work for older OSs. If you set a newer setting (ex: prevent Microsoft accounts), an older OS simply ignores the configuration because it can’t understand it.
Hi,
i followed the instructions and added the files but the settings did not work due to different OS I still have on the domain. Now i’m trying to deploy an shortcut using Microsoft Edge and it is not working. The shortcut got created but it won’t open the target link i set it to. Any help would be appreciate, thank you very much.
Derek
Did you get this figured out?
great article, question though. i have the win10 template, current environment is 08r2,12r2,w7 with central store gpo’s in effect. the w10 admx templates are the same names as the older o/s (unlike office2016 which has 16 appended at the end, smart move). will overwriting these files cause issues? obviously i dont want to break anything.
Replacing the files won’t cause any issues.
Great guide – Thank you.
I have one question though which I have read conflicting answers for…
We are using a central store. We have WIndows 7 clients and Windows Server 2003/2008/2008R2 servers. We will soon be upgrading the Servers to 2012 R2 so want to install the relevant admx files to control 2012R2 policies.
Which set of ADMX files should I install? You seem to say Windows 10 (as they are compatible with earlier versions of Windows), but I have read that I will need to make any edits to the GPO’s on the ‘highest’ version of Windows which the ADMX templates are designed for (e.g. Windows 10).
Is this correct?
Install the Windows 10 (1511) ADMX templates.
You would want to use the highest RSAT version to manage group policy as you will get additional tools (like replication testing, remote gpupdate, etc).
Hi Thanks for this well written and informative article.
I have one template that a previous admin has imported for a piece of software that we still use. Can I leave this one where it is or maybe move it to the centralized store?
Yep – a few extra MBs in your Sysvol won’t kill you.
Hi, I know this is a little old by now but, How does it works when my main DC and GPMC is on Server 2012 and secondary on 2008….?
THanks
Any machine with the GPMC will look to the folder in sysvol for its policy definitions. Always load this folder with the latest ADMX templates and you will be fine.
but right now this folder has adm files, can they coexist?
Yes!
Hi. Thanks for the very informative blog.
So with the new ADMX format, when you create a new GPO, it will still create a new GUID subfolder, but with much less files in it? Would that be right?
Thanks, Dave.
That is correct! It would not contain the ADMX/ADM files from the local machine.
I just installed the Win2k12/Win8.1 admx files on my domain. When going back to begin creating a new policy for my new Win 8 machines, I am getting an error – encountered error while parsing group policy. Looking at the path the to the Central Store, it is looking at my Win2k3 server as the store. I installed this on my Win2k8R2 server. My Win2k3 box is the “PDC”
1. Is it ok just to copy all the admx/adml files from the MSU to the PolicyDefinitions folder on my Win2k3?
2. Should I change which over role that is controlling the Central Store to my Win2k8R2 server?
1. It is.
2. That is a little bit harder of a question to answer without seeing your environment. If you have nothing that limits your migrations to a 2008 R2 domain, I would say to upgrade!
1. I took the chance and copied it and all is well.
2. I just want to move the role that controls the Group Policy store, not all the roles from the Win2k3 server. Do you know which role that is?
You will need to upgrade your domain to a 2008 R2 domain first.
Think I have a similar question to Martin, I currently have 2008 R2 domain controllers and using 2008 R2 admin templates from a central store. OU admins use windows 7 to manage GPOs and access admin templates. I would like to install the latest 2012 R2/windows 8.1 admin templates into my central store. Will the OU admins that use windows 7 have any problems seeing some of the newer settings in the new Admin templates? I have done some testing in a lab and it looks like the Windows 7 client can see and manage the latest template settings, at least the settings I have looked at. Just looking to confirm Windows 7 clients should not have issues when using the new admin templates. Thanks.
Upgrading your central store will have zero impact on your clients. The central store templates are solely used by the Group Policy Management Console.
Each client has their own local copy of these settings. If you set a windows 8 setting, your clients won’t be able to understand that setting and will promptly ignore it.
Thanks for the reply Joseph, I do understand that the clients will not have any issues reading the admin template settings. My concern was with OU administrators that still use a Windows 7 client to manage GPMC and the new admin templates in the central store. I do realize the latest version of the GPMC should be used, but in the case of some OU admins that still use the older Windows 7 client to manage group policy, will they see any issues doing so when the new admin templates are installed. As I said, my testing showed that Windows 7 client GPMC can see and manage settings in the newer admin templates, but I only looked at several settings during my testing.
Thanks much for your time.
It should not cause any issues with down-level GPMCs!
Sorry for digging this up. It’s a great article and helped me a lot!
I have one question though:
Can i override the existing (windows 7) admx files?
Again great article!
Thanks Martin!
Explain your question a little more and explain what exactly you are wanting to accomplish.
Very nice info and right to the point.