
Step by Step : Configuring Central Store GPO in Windows Server 2012 R2

August 3, 2014

Many big companies might have many GPOs, with multiple IT administrators who manage them.

When an IT administrator edits a GPO, the template files are pulled from the local workstation.

The central store provides a single folder in SYSVOL that contains all of the templates required to create and edit GPOs.

So what’s the Central Store all about?

If your company has multiple IT Admin workstations, there could be potential issues when editing GPOs.

If you do not have a central store that contains the template files, then the workstation from which you are editing will use the .admx (ADMX) and .adml (ADML) files that are stored in the local PolicyDefinitions folder.

If different IT Admin workstations run different operating systems or are at different service pack levels, there might be differences in the ADMX and ADML files.

For example, the ADMX and ADML files that are stored on a workstation running Windows 7 with no service pack installed might not be the same as the files that are stored on a domain controller running Windows Server 2012 R2.

This could lead to administrators not seeing the same settings in a GPO.

So, the central store addresses this issue. The central store provides a single point from which IT Admin workstations can download the same ADMX and ADML files when editing a GPO.

The central store is detected automatically by Windows OS (Windows Vista or newer or Windows Server 2008 or newer).

Because of this automatic behavior, the local workstation that the IT administrator uses to perform administration always checks to see if a central store exists before loading the local ADMX and ADML files in the Group Policy Management Editor window.

When the local workstation detects a central store, it then downloads the template files from there.

In this way, there is a consistent administration experience among multiple workstations.
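The template drift described above can be measured before and after the central store is set up. The following PowerShell is an added example, not part of the original post: it hashes every ADMX/ADML file in the local PolicyDefinitions folder and in the central store and reports the differences. It assumes the osi.local domain used in this walkthrough and the SYSVOL share path of the central store; the function name Get-TemplateIndex is hypothetical.

```powershell
# Added example: compare local ADMX/ADML templates with the central store.
param(
    [string]$Domain     = 'osi.local',                       # domain used in this walkthrough
    [string]$LocalStore = "$env:SystemRoot\PolicyDefinitions"
)

# Assumption: the central store is reached through the SYSVOL share, which is
# the same folder as C:\Windows\SYSVOL\sysvol\<domain>\Policies on the DC.
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

function Get-TemplateIndex([string]$Root) {
    # Build a map of "relative\path" -> SHA256 for every template under $Root.
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $index = @{}
    Get-ChildItem -Path $rootFull -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' } |
        ForEach-Object {
            $rel = $_.FullName.Substring($rootFull.Length + 1).ToLowerInvariant()
            $index[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    return $index
}

if (-not (Test-Path -LiteralPath $CentralStore)) {
    # Edge case: without a central store each editor uses its own local copy.
    Write-Warning "No central store at $CentralStore; GPO editors load templates from $LocalStore."
    return
}

$local   = Get-TemplateIndex $LocalStore
$central = Get-TemplateIndex $CentralStore
$names   = @($local.Keys) + @($central.Keys) | Sort-Object -Unique

$report = foreach ($name in $names) {
    if (-not $central.ContainsKey($name))      { $status = 'OnlyLocal' }    # missing from the central store
    elseif (-not $local.ContainsKey($name))    { $status = 'OnlyCentral' }  # newer or extra template
    elseif ($local[$name] -ne $central[$name]) { $status = 'Different' }    # same name, other version
    else { continue }
    [pscustomobject]@{ Template = $name; Status = $status }
}

$report | Format-Table -AutoSize
'{0} of {1} templates differ between {2} and the central store' -f @($report).Count, @($names).Count, $env:COMPUTERNAME
```

Run it from each administrative workstation; an empty report means that workstation's local templates match the central store.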

Enough said, now let's go through, step by step, how you as an IT admin can implement and configure the Central Store in Windows Server 2012 R2…

1 – Log in to your domain server; in my case I will be using my OSI-ADDS01 domain server.

Open the C: drive and browse to C:\Windows\SYSVOL\sysvol\osi.local\Policies, then create a new folder named PolicyDefinitions


2 – Next, browse to C:\Windows\PolicyDefinitions folder, select the entire contents of the PolicyDefinitions folder and then copy all the contents


3 – Paste all the contents that you copied from the C:\Windows\PolicyDefinitions folder into the C:\Windows\SYSVOL\sysvol\osi.local\Policies\PolicyDefinitions folder


4 – Open Group Policy Management, right-click the Default Domain Policy, and then click Edit


5 – In the Group Policy Management Editor interface, expand Policies, point your cursor to the Administrative Templates folder and verify that it reads: “Administrative Templates: Policy definitions (ADMX files) retrieved from the central store.”


6 – Next, let's create a new GPO: right-click the Starter GPOs folder, and then click New


7 – In the New Starter GPO dialog box, type OSI IE Restrictions; in the Comment field, you can type any description you prefer or follow your IT company security policy, and then click OK…

*** In this demo, I will only show how to restrict the Internet Explorer General page; you can always spend some time trying the other functions that are available in GPO…


8 – Under the Starter GPOs folder, right-click the OSI IE Restrictions GPO, and then click Edit


9 – In the Group Policy Management Editor interface, expand User Configuration, Administrative Templates, and then click All Settings, then right-click All Settings, and then click Filter Options


10 – In the Filter Options interface, click Enable Keyword Filters, then in the Filter for word(s) box, type General page; beside Within, untick the Help Text and Comment check boxes; lastly, beside the Filter for word(s) field, click Exact, and then click OK


11 – Double-click the Disable the General page setting…


12 – In the Disable the General page interface, click Enabled, and then click OK


13 – Next, we need to create an IE Restrictions GPO from the OSI IE Restrictions starter GPO.

Right-click the osi.local domain, and then click Create a GPO in this domain, and Link it here…


14 – In the New GPO box, type OSI HQ IE Restrictions, then under Source Starter GPO, click the drop-down box, select OSI IE Restrictions, and then click OK


15 – Open CMD, and type gpupdate /boot /force…


16 – Now let's try the GPO: log in to your client PC using any domain user profile…


17 – Open Internet Explorer, then click the settings button, and click Internet options


18 – Notice that there is no General page listed in the Internet Options interface…


19 – You can also confirm this by opening Control Panel: click Network and Internet, then under Internet Options, click Change your homepage, read the message box that appears informing you that this feature has been disabled, and then click OK…


20 – Now switch back to the OSI-ADDS01 domain server; what I'm going to do now is use security filtering to exempt my IT group from the OSI IE Restrictions policy

In the GPMC, click the OSI HQ IE Restrictions policy, then click the Delegation tab, and then click Advanced button…


21 – In the OSI HQ IE Restrictions Security Settings box, click Add, and then in the Select Users, Computers, Service Accounts, or Groups interface, type IT, and then click OK


22 – In the OSI HQ IE Restrictions Security Settings box, click the IT (OSI\IT) group, next to the Apply group policy permission, select the Deny check box, and then click OK


23 – Click Yes in the Windows Security interface…


24 – To try the policy exemption, on the client PC, log in as an IT user…


25 – In the IT user profile, open Internet Explorer and go to Internet Options; notice that as an IT department user, you still have the General page in IE…
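A Deny on Apply group policy, as set in steps 20 to 23, is only visible in the Advanced security dialog of each GPO, so exemptions like the one for the IT group are easy to lose track of. The following PowerShell is an added example, not part of the original post: it lists every such Deny entry across the GPOs of the domain. It assumes the osi.local domain from this walkthrough and that the GroupPolicy and ActiveDirectory RSAT modules are installed.

```powershell
# Added example: list Deny "Apply group policy" entries on every GPO in the domain.
param([string]$Domain = 'osi.local')   # domain used in this walkthrough

# ActiveDirectory provides the AD: drive that Get-Acl reads below.
Import-Module GroupPolicy, ActiveDirectory

# Well-known GUID of the Apply-Group-Policy extended right in Active Directory.
$applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$findings = foreach ($gpo in (Get-GPO -All -Domain $Domain)) {
    # $gpo.Path is the distinguished name of the GPO object under CN=Policies,CN=System.
    $acl = Get-Acl -Path "AD:\$($gpo.Path)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }

        # Match the specific right ticked in step 22, or a Deny on all extended
        # rights (empty ObjectType), which blocks Apply group policy as well.
        $specific = $ace.ObjectType -eq $applyGpo
        $blanket  = $ace.ObjectType -eq [guid]::Empty -and
                    ($ace.ActiveDirectoryRights -band $extended)
        if ($specific -or $blanket) {
            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                Trustee   = $ace.IdentityReference
                Scope     = if ($specific) { 'ApplyGroupPolicy' } else { 'AllExtendedRights' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

After step 23, the output should contain one row for OSI HQ IE Restrictions with the OSI\IT group as trustee.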


