Minimizing the Growth of DC System Volume Folders
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The policy settings information in GPOs is stored in two locations: in Active Directory and in the Sysvol folder of domain controllers. The Active Directory container is also known as a Group Policy container, and the Sysvol folder contains the Group Policy template. The Group Policy container contains attributes that are used to deploy GPOs to the domain, to OUs, and to sites within the domain. The Group Policy container also contains a link to the Group Policy template, where most Group Policy settings are stored.
Information stored in the Sysvol folder includes security settings, script files, information for deploying applications that are available for Group Policy Software Installation, and Administrative Template–based Group Policy settings. Administrative Templates (.adm files) provide Group-Policy setting information for the items that appear under the Administrative Templates item in the Group Policy Object Editor.
Limiting the size of stored Group Policy information is important largely because the two storage locations use different replication mechanisms, which can cause replication conflicts. Replication conflicts are discussed in "Specifying a Domain Controller for Editing Group Policy," earlier in this chapter.
By default, when you open the Group Policy Object Editor snap-in to edit a new or existing GPO (or when you click Edit after right-clicking a GPO in GPMC), the administrative computer’s .adm files for that GPO are sent to the domain controller and placed in a folder associated with the new GPO. The .adm files stored are the ones that are included with the operating system for the administrative computer (such as System.adm, Inetres.adm, Conf.adm, and Wmplayer.adm), as well as any .adm files that are added or removed by the administrator by using the Add/Remove Templates shortcut menu.
When an existing GPO is edited, a comparison is made of the timestamps of the local .adm files and the versions in the Sysvol folder. If the local timestamp is more recent, those files are sent to the domain controller where they are stored in the Sysvol GPO folder.
Benefits of Storing .Adm Files in the Sysvol Folder
Storing copies of .adm files in the Sysvol folder provides a consistent experience for administrators across computers. For example, if a specific set of .adm files is selected when you edit a GPO using the Group Policy Object Editor on one computer (by using Add/Remove Templates), these same .adm files are also included when the GPO is edited on another computer. The selected .adm files need not be installed on the second computer, because the files are retrieved from the domain controller. The list of selected .adm files is stored in the Sysvol GPO folder in the Admfiles.ini file.
Drawbacks of Storing .Adm Files in the Sysvol Folder
Each GPO stores its own copy of the .adm files selected for it. Because some .adm files can be large — more than 1Mb— it is possible that the Sysvol GPO folder can grow large, especially when you have a large number of GPOs.
An additional problem occurs if administrators use different language versions of the operating system. In this case, the .adm with the newest timestamp is uploaded to the Sysvol folder on the domain controller, regardless of language. This is important because non-U.S. English .adm files typically have a later timestamp than the U.S. English versions. This occurs because simply opening Administrative Templates in the Group Policy Object Editor on a non-U.S. English administrative computer results in the Group Policy templates being updated with the local language version of the .adm files, even if you do not actually edit any settings.
Group Policy Settings to Control Treatment of .Adm Files
To provide administrators with control how .adm files are treated, you can use the following policy settings: Always use local ADM files for Group Policy Editor and Turn off automatic updates of ADM files.
Always use local ADM files for Group Policy Object Editor
This policy setting forces the Group Policy Object Editor to use the local computer .adm files in the systemroot\inf directory. To access this Group Policy setting, in the Group Policy Object Editor snap-in, navigate to Computer Configuration\Administrative Templates\System\Group Policy. This setting is not available in the Windows 2000 family.
This setting does not alter the default treatment of .adm files when you edit a newly-created GPO: The local .adm files are always used and are copied to the Sysvol GPO folder. When you edit an existing GPO, any .adm files stored in the GPO folder on the Sysvol are ignored. When this setting is used, the Group Policy Object Editor always uses only the .adm files from the local computer (including any custom .adm files). If an .adm file is not found, the corresponding Group Policy settings are not available. This Group Policy setting can be used to ensure that language-specific versions of the .adm files on the administrative computer are used, rather than any other language version stored in the GPO folder.
Turn off automatic update of .Adm files
Enabling this policy setting prevents the system from automatically updating the .adm files in the Sysvol folder when you open the Group Policy Object Editor. This policy setting is available in the Group Policy Object Editor snap-in under User Configuration\Administrative Templates\System\Group Policy.
When this Group Policy setting is enabled and you edit a new GPO, no .adm files are copied from the local computer to the Sysvol GPO folder on the domain controller. Similarly, when you edit an existing GPO, no local .adm files are sent to the domain controller. This means that the Group Policy Object Editor presents only the .adm files found on the local computer, and no .adm files are copied to the domain controller.