Avoiding Group Policy Bloat

Group Policy is a great tool for managing the configurations and security of your desktop computers, but in very large environments there can be some performance problems with it. Specifically, let’s say you have a large company with thousands or workers and a complex administrative structure but with only a single Active Directory domain deployed. This means you may literally have hundreds of organizational units (OUs) in your domain, with OUs nested within other OUs to several levels. Then let’s say you’ve linked Group Policy Objects (GPOs) to most of these OUs, some perhaps with several GPOs linked, so you can satisfy all the security requirements of your organization.

The problem that now arises is that each GPO is stored in the SYSVOL share of each domain controller in your domain. These GPOs can be found at %systemroot%\sysvol\domainname\Policies\POLICYGUID where POLICYGUID is the globally unique identifier of the GPO. Now Group Policy has grown considerably in power and flexibility since it was first released for Windows 2000, and that’s fine but it also means that you can now manage several thousand policy settings using it. That means the ADM files for Group Policy have also grown, and are now at the point where they occupy almost 2 MB of disk space. Now these ADM files are also copied to each GPO on each domain controller and are stored in the folder %systemroot%\sysvol\domainname\Policies\POLICYGUID\Adm. This means that every GPO in your domain occupies at least 2 MB of disk space in the SYSVOL share EVEN IF there are no actual policy settings configured in that GPO! Think of what this can mean regarding (a) disk utilization on your domain controllers and (b) file replication of the SYSVOL share between domain controllers.

Fortunately, Windows Server 2003 provides you with some flexibility in this matter by configuring two (you guessed it) the Group Policy setting “Always use local ADM files for Group Policy Object Editor” which is found under Computer Configuration, Administrative Templates, System, Group Policy. By enabling this policy you can prevent ADM files from being stored in GPOs on SYSVOL and save disk space. If you enable this policy setting then also enable the setting “Turn off Automatic Update of ADM files” which is found under User Configuration, Administrative Templates, System, Group Policy as that way the Group Policy Object Editor can use the local ADM files stored in the %windir%\inf folder on the machine where you are running the GPMC.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top