Configuration and Policy Deployment through Group Policy Objects
Updated: June 29, 2012
Applies To: Windows Server 2008, Windows Server 2008 R2
Group Policy Objects (GPO) are an efficient solution for deploying registry settings to Windows clients. This is especially useful when configuring the AD RMS client, where all the client side configurations are done through registry overrides.
In order to deploy configurations to clients through GPO, a group policy must be created describing those changes. While a GPO can be defined manually, a much easier way to do it is through policy templates, which are files that define a series of configurations, their possible values and explanations for those values to be set through the GPO editor user interface.
Traditionally the templates were provided in the form of ADM files. Windows Vista and Windows Server 2008 introduce a new format for configuring registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are now defined using a standards-based, XML file format known as ADMX files.
In order to be able to create and edit domain-based GPOs with the latest Group Policy settings using ADMX files, the following configuration is necessary:
A working Windows Server 2008, Windows Server 2003, or Windows 2000 domain using name resolution through a DNS server.
A Windows Vista or Windows 2008 computer to view policy settings from ADMX files while editing the domain-based GPO.
Microsoft has developed an ADMX file that includes the most commonly used configuration parameters for the AD RMS client. While the ADMX file can only be used in Windows Vista and Windows Server 2008 systems, the resulting GPOs can be used to apply configuration changes to Windows 2000 clients and above. A sample ADMX file that can be used to deploy client configuration to AD RMS clients is included in Appendix A of this document.
The central store for ADMX files allows all administrators editing domain-based GPOs to access the set of ADMX files. By default the ADMX files are stored locally in %systemroot%\policyDefinitions. For domain-based GPOs, a central store location of ADMX files is created and accessible by anyone with permission to create or edit GPOs. To configure GPOs using centrally stored ADMX files, complete these tasks in order:
- Create a Central Store
- Populate the Central Store with ADMX Files
- Edit the Administrative Template Policy Settings
The central store is a folder structure created in the Sysvol directory on the domain controllers in each domain in your organization. You will need to create the central store only once on a single domain controller for each domain in your organization. The File Replication service then replicates the central store to all domain controllers in a domain. Group Policy Management Console and Group Policy Object Editor can use ADMX files more quickly because Group Policy tools connect to the primary domain controller by default.
The central store consists of the following:
A root-level folder, which contains all language-neutral ADMX files.
Subfolders, which contain the language-specific ADMX resource files.
To create the central store:
- Create the root folder for the central store on your domain controller:
- Create a subfolder of %systemroot%\sysvol\domain\policies\PolicyDefinitions for each language your Group Policy administrators will use. Each subfolder is named after the appropriate ISO-style Language/Culture Name. For a list of ISO-style Language/Culture Names, go to the Locale Identifiers page. For example, to create a subfolder for United States English, create the subfolder:
There is no user interface for populating the central store in Windows Vista or Windows 2008. The following procedure shows how to populate the central store using command line syntax from the domain controller.
To populate the central store:
- Open a command window: Press the Windows logo key + R, and then type cmd.
- To copy all language-neutral ADMX files (.admx) from your Windows Vista administrative workstation to the central store on your domain controller using the copy command, type:
copy %systemroot%\PolicyDefinitions\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\
- To copy all ADMX language-specific resource files (.adml) from your Windows Vista administrative workstation to the central store on your domain controller using the copy command, type:
copy %systemroot%\PolicyDefinitions\[MUIculture]\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\[MUIculture]\
Tip For example, to copy all United States English .adml files, type the following: copy %systemroot%\PolicyDefinitions\EN-US\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\EN-US\
You must perform this procedure on a Windows Vista-based computer. You will only be able to display new Windows Vista-based policy settings in GPOs with Group Policy tools using ADMX files on a Windows Vista-based computer, even though the GPO can be applied to all supported platforms.
To edit administrative template policy settings using ADMX files:
- To open Group Policy Management Console on a Windows Vista machine, press the Windows logo key + R, and then type GPMC.msc.
- To create a new GPO to edit, right-click the Group Policy Objects node and select New.
- Type a name for the GPO and click OK.
- Expand the Group Policy Objects node.
- Right-click the name of the GPO you created and click Edit.
- Group Policy Object Editor automatically reads all ADMX files stored in the central store. After the central store has been created the Group Policy tools will use the ADMX files only from the central store, ignoring any ADMX files stored locally on the Windows Vista administrative machine.
For additional information on Group Policy and ADMX files see: Managing Group Policy ADMX Files Step-by-Step Guide