This is a short post to highlight something I stumbled across the other day.
One of our customers has been bought out by a much larger company and the new parent company is in the process of transitioning my customer’s systems into the parent company’s infrastructure. One of the parent company’s sysadmins was working in my customer’s AD trying to build some GPO’s and he ran into problems. He called me to see if I could offer any insight. Together we went digging. What we found was interesting.
He was trying to build a simple GPO but the “normal” things that you would see on a policy (being built from the default templates) seemed to be missing.
A number of the items inside the green circle above simply weren’t there. I was stumped. But we did notice that there were some GPO’s that had been created that had Office templates associated with them and they seemed to display correctly.
I gave it a bit of thought and recalled that a fellow that had worked for us for a short period of time had played with Office GPO’s on the customer domain to try and solve a weird issue we had with default file locations for Office documents. As the Office templates are not a “default” part of the GPO templates I went digging on the DC and discovered a folder in SYSVOL:
There were all of the .admx and .adml files that made up the Office templates in that folder and its subfolders. Hmmmmm. Further investigation also showed that all of the GPO’s listed templates as follows:
Hmmmm, again. Looking at a DC at another customer and the GPO’s listed as follows:
Doing a little Google search came back with instructions on how to create a “Central Store” for GPO template files and, as it turns out, the Central Store is none other than the “Policy Definitions” folder that I discovered in SYSVOL!
In a “vanilla” AD installtion, the GPO template files are pulled from each DC’s local template store which is “C:WindowsPolicyDefinitions”. As soon as you create the Policy Definitions folder in your SYSVOL the system (meaning ALL DC’s) will start looking for ALL template files in the Central Store. Therefore, you must copy the contents of your C:WindowsPolicyDefinitions into your C:WindowsSYSVOLdomainPoliciesPolicyDefinitions folder. If you do NOT then you’ll hit the same problem that I have been describing as GPO Management will think the templates are “missing”.
Not a hard thing to fix, thankfully, and already established GPO’s aren’t adversely affected BUT it is a real pain when you want to create new GPO’s.
And, actually, it points to something that bears some thought: it probably is a GOOD idea to create a Central Store if you are doing anything with GPO templates that is above and beyond the “vanilla” basics. That way you won’t end up with issues caused by mismatched templates on your DC’s. Definitely worth consideration!