One of the issues that sometimes made managing group policies difficult in Windows XP and in Windows Server 2003 was the non centralized nature of the group policy template files. For example, Microsoft offers downloadable templates that allow you to manage Microsoft Office via group policy. Even so, these templates are not automatically available from every domain controller.
In Windows Vista and Windows Server
2008, Microsoft decided to make life easier for network administrators by
introducing the concept of centralized group policy storage. This storage
repository, known as a central store, can be created in domains containing
Windows Server 2003 and / or Windows Server 2008 domain controllers. Even
though Windows Server 2003 does not technically support centralized group
policy storage, Windows Vista does, and this allows you to store the central
store on Windows Server 2003 domain controllers if necessary, but manage the
central store through Windows Vista.
How
Does a Central Store Work?
As you may have gathered from the
previous paragraph, there is really nothing special about the central store
itself. It is nothing more than a folder on a server. The reason why a central
store can work the way that it does is because of the way that the store is
used by Windows Vista and Windows Server 2008.
When an administrator attempts to
create or edit a group policy template, Windows checks the domain controller to
which it is connected for the existence of a central store. If a central store
exists, then Windows will use that central store by default. Otherwise, local
copies of the template files are used.
Creating
a Central Store
Creating a central store is actually
a rather simple process. The first thing that you will have to do is to log
onto a computer that is running either Windows Vista or Windows Server 2008. If
you have one particular machine that has all of your group policy template
files installed on it, then that machine is a good candidate.
The next thing that you must do is
to open Windows Explorer, and then go into the C:\Windows folder. Locate
the PolicyDefinitions folder, right click on it, and then choose the Copy
command from the shortcut menu. This will copy the folder and its contents to
the Windows clipboard.
The next step in the process is to
map a network drive letter to the sysvol folder on a domain controller. The
full path that you will need to access on the domain controller is c:\Windows\SYSVOL\domain\Policies.
Finally, copy the PolicyDefinitions folder to the \Windows\SYSVOL\domain\Policies
folder on the domain controller. You can see what this looks like in Figure A.
Figure A Copy the PolicyDefinitions folder to the domain
controller’s \Windows\Sysvol\Domain\Policies folder.
Testing
Your Central Store
In order to gain the maximum benefit
from the central store that you have created, I recommend that you periodically
run tests to make sure that the central store is actually being used.
Fortunately, testing a your central store is even easier to do than
creating the central store was. To do so, open the Group Policy Management
console. Now, navigate through the console tree to Forest | Domains | your
domain | Group Policy Objects | Default Domain Controller Policy. Upon
selecting this policy container, the pane on the right side of the console
should display a series of tabs. Go to the Settings tab, and look at the
Administrative Templates section. It should confirm that the policy
definitions (the ADMX files) have been retrieved from the central store.
One thing that you must keep in mind
about this technique is that you may occasionally run into situations in which
the Settings tab for a particular group policy template does not even contain
an Administrative Templates section, let alone tell you that the template was
retrieved from the central store. The reason why this occasionally happens is
that the Administrative Templates section is only displayed if the group policy
object contains at least one setting.
No comments:
Post a Comment