Microsoft has stated from the very beginning that Windows Vista and Longhorn Server are going to be designed to be the most secure versions of Windows ever to be released. One way that Microsoft is delivering on this promise is by greatly extending the capabilities of group policies. I have not heard an official count of how many new group policy object settings are available in Longhorn and Vista, but I can tell you from my own experience that the number has got to be huge.
If you have done much work with Group Policies in Windows Server 2003, then you know that group policies are stored in the .ADM file format. In Windows Vista and Longhorn Server, this file format has been replaced by the .ADMX file format. The .ADMX file format is based on XML, whereas .ADM files used their own proprietary file format.
There are several major differences between the way that .ADMX files and .ADM files are implemented. One major difference is that while .ADM files were all encompassing, there are actually two different files used by their .ADMX counterparts. .ADMX files are divided into language-neutral files and language-specific files. This allows .ADMX files to be used in a variety of different languages. The language-neutral file contains the actual policy components. The language-specific file simply provides the text associated with the policy in various localizations. For example, you could have English, French, and Japanese language-specific files that all apply to the same language-neutral file.
The location in which these files are stored has also changed. In Windows Server 2003, ADM files were stored in the %systemroot%\inf folder. In Windows Vista and in Longhorn Server, the language-neutral .ADMX files are stored in the %systemroot%\PolicyDefinitions folder. The language-specific files are stored in a subfolder whose name reflects the files’ localization. For example, language-specific files for the English language are stored in the %systemroot%\PolicyDefinitions\en-us folder.
Issues with ADMX File Coexistence
As I have already explained, there are a lot more group policy object settings available in Windows Vista and Longhorn Server than there were in Windows XP or in Windows Server 2003. The problem is that Windows Vista and Longhorn Server are designed to coexist with Windows Server 2003 and Windows XP. Because the group policy file format has changed and there are a lot of new group policy object settings, there are naturally going to be some things that aren’t supported by Windows XP or by Windows Server 2003. It is important to understand how these new settings and new file formats are going to impact your existing servers and workstations before you implement them.
The first thing that you need to be aware of is that the group policy file format has changed from .ADM to .ADMX. As such, these new policy files can only be managed from computers that are running Longhorn Server or Windows Vista. The reason for this is that the group policy related management tools that ship with Windows Server 2003 and Windows XP do not know how to read the new file format.
As you can imagine, Longhorn Server and Windows Vista come with new versions of the Group Policy Object Editor and the Group Policy Management Console. These new versions are necessary in order to read the new .ADMX file format. What’s important to know is that these new versions are backward compatible with any other version of Windows that supports the use of group policy. The Longhorn Server and Windows Vista versions of the group policy tools can be used to manage group policies on machines running Longhorn Server, Windows Vista, Windows Server 2003, Windows XP, and Windows 2000. Even custom .ADM files stored within existing group policy objects will be supported by the new tools.
A Central Store
One of the primary benefits of this new file format is the ability to create a centralized store for ADMX files. Unlike previous versions of Windows, Longhorn Server and Windows Vista will no longer copy ADM and ADMX files to each edited group policy object. Instead, you can create a centralized repository for ADMX files. This central store can hold the ADMX files that came with Windows as well as custom ADMX files. The advantage of creating a central store is that all of the domain controllers within a domain will share the same central store. This makes it easy to keep ADMX files consistent across the domain.
Creating a Central Store
Now that I have talked a bit about the benefits of creating a central store, it’s time to create one. Technically, you can create a central store on any domain controller in a domain, but it’s best to create it on the primary domain controller if possible, because this is the domain controller that the Group Policy Object Editor and the Group Policy Management Console look to by default.
If for some reason you can’t create the central store on your primary domain controller, it isn’t a huge deal. The File Replication Service should replicate the central store to all of the domain controllers in the domain.
The first thing that you will have to do is to create the folder structure that will be used by the central store. To do so, create the following folders (the destination folders used by the copy commands in the next step): %systemroot%\sysvol\domain\policies\PolicyDefinitions for the language-neutral files, and %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us for the English language-specific files.
Now that you have created the necessary folder structure, it’s time to copy the policy files to their new home within the central store. By default, Longhorn Server stores the language-neutral files in %systemroot%\PolicyDefinitions\. The language-specific files are stored in %systemroot%\PolicyDefinitions\en-us. As such, populating the central store is simply a matter of copying the files from these folders into the folder tree that we have just created. You can do so by opening a Command Prompt window and entering the following commands:
Xcopy %systemroot%\PolicyDefinitions\* %systemroot%\sysvol\domain\policies\PolicyDefinitions\
Xcopy %systemroot%\PolicyDefinitions\en-us\* %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us
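The same procedure as a PowerShell script, added here as an example that is not part of the original article: it creates the two folders, copies the files, and then verifies the language-neutral/language-specific split described earlier by reporting every .ADMX that lacks a matching .ADML (and vice versa), since an unpaired .ADMX leaves the Group Policy Object Editor unable to display that policy's text. The paths default to the folders named in the article; the parameter names are my own.

```powershell
# Added example (not from the article): build the ADMX central store and check
# that every language-neutral .admx has its language-specific .adml partner.
param(
    # Folders named in the article: local source and SYSVOL central store.
    [string]$Source  = "$env:SystemRoot\PolicyDefinitions",
    [string]$Store   = "$env:SystemRoot\sysvol\domain\policies\PolicyDefinitions",
    [string]$Culture = 'en-US'
)

# 1. Folder structure: language-neutral root plus one subfolder per localization.
foreach ($dir in @($Store, (Join-Path $Store $Culture))) {
    if (-not (Test-Path -Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

# 2. Copy the files that Windows installed locally into the central store.
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Store -Force
Copy-Item -Path (Join-Path (Join-Path $Source $Culture) '*.adml') `
          -Destination (Join-Path $Store $Culture) -Force

# 3. Consistency check. The .adml must have the same base name as its .admx;
#    an .admx without one cannot be rendered, an .adml without one is dead weight.
$admx = @(Get-ChildItem -Path $Store -Filter *.admx | ForEach-Object { $_.BaseName })
$adml = @(Get-ChildItem -Path (Join-Path $Store $Culture) -Filter *.adml |
          ForEach-Object { $_.BaseName })

$missingAdml = @($admx | Where-Object { $adml -notcontains $_ })
$orphanAdml  = @($adml | Where-Object { $admx -notcontains $_ })

"ADMX files in central store : $($admx.Count)"
"ADML files ($Culture)        : $($adml.Count)"
if ($missingAdml.Count -gt 0) {
    Write-Warning "ADMX without a $Culture ADML: $($missingAdml -join ', ')"
}
if ($orphanAdml.Count -gt 0) {
    Write-Warning "ADML without an ADMX: $($orphanAdml -join ', ')"
}
```

Run it once per localization you need (change -Culture), and rerun the check after dropping custom ADMX files into the store so a missing ADML is caught before anyone opens the editor.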
Now it’s time to create a new Group Policy Object based on the collection of ADMX files found in our central store. Remember that the ADMX files found in the central store control which settings will be available in a new group policy object. Therefore, if you create a new group policy object, Windows should read the various available group policy settings from the central store and incorporate them into the new group policy object.
To try this out, enter the GPMC.MSC command at the Windows Run prompt. This will cause Windows to open the Group Policy Management Console. When the console opens, navigate through the console tree to Group Policy Management | your forest | Domains | your domain | Group Policy Objects. Now, right click on the Group Policy Objects container and select the New command from the resulting shortcut menu. You will now be prompted to enter a name for the new group policy object that you are creating. Click OK, and the new group policy object will be listed beneath the Group Policy Objects container. Now, just right click on the new group policy object and select the Edit command from the resulting shortcut menu. Doing so will open the new group policy object within the Group Policy Object Editor. The settings that are available within the editor should reflect which ADMX files are present in the central store.
In this article, I have explained that in Longhorn Server and Windows Vista, Microsoft has replaced the ADM file format with the ADMX file format. I then went on to show you how to create a central repository for ADMX files.