Oh Where, Oh Where Have My Group Policy Options Gone?

You are unable to find specific GPO options such as “Compatibility View” settings for Internet Explorer. One of the first things to look at is: Where are the policy definitions being retrieved from? The default for an Active Directory environment is from the local machine as shown in the image below:

If you’re editing the GPO on a domain controller and have multiple domain controllers that are running different operating system versions, the available options will vary from machine to machine. Setting a GPO option on a machine with newer ADMX files:

And then viewing the report for the same setting on a machine with older ADMX files that are unaware of that particular option will result in it showing as “Extra Registry Settings”:

To have the same options available from any machine you’re editing the GPO from, you’ll need to create a central store for the group policy administrative templates. To create a central store, copy the “C:\Windows\PolicyDefinitions” folder from one of the domain controllers (preferably the one running the newest operating system version of all your domain controllers) to “\\domain.name\sysvol\domain.name\Policies”:

The problem this creates is these policy definitions are not updated automatically as they would be if the local machine ones were being used. You can see the ADMX file for Internet Explorer (inetres.admx) is much newer than the other files in the local machine folder:

This is because it was updated automatically when Internet Explorer 9 was installed.

If you’re missing settings, compare the ADMX files in the central store to the local machine ones in “C:\Windows\PolicyDefinitions”:
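One way to script that comparison, as an added example that is not from the original post: it lists every ADMX/ADML file that is missing from the central store or whose content differs from the local copy. It assumes PowerShell 4.0 or later on a domain-joined machine; the parameter names, the `Get-TemplateIndex` helper and the status labels are hypothetical.

```powershell
# Added example: compare local ADMX/ADML files with the central store copies.
# Assumption: USERDNSDOMAIN holds the AD DNS domain name; pass -Domain otherwise.
param(
    [string]$Domain    = $env:USERDNSDOMAIN,
    [string]$LocalPath = "$env:SystemRoot\PolicyDefinitions"
)

$CentralPath = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path -LiteralPath $CentralPath)) {
    Write-Warning "No central store at $CentralPath; GPO editors use local ADMX files."
    return
}

# Hypothetical helper: map relative path (e.g. en-us\inetres.adml) -> file object.
function Get-TemplateIndex {
    param([string]$Root)
    $index    = @{}
    $rootFull = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $Root -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' } |
        ForEach-Object {
            $rel = $_.FullName.Substring($rootFull.Length + 1).ToLowerInvariant()
            $index[$rel] = $_
        }
    $index
}

$local   = Get-TemplateIndex -Root $LocalPath
$central = Get-TemplateIndex -Root $CentralPath

$report = foreach ($rel in ($local.Keys | Sort-Object)) {
    $l = $local[$rel]
    $c = $central[$rel]
    if (-not $c) {
        $status = 'MissingFromCentralStore'
    } elseif ((Get-FileHash -LiteralPath $l.FullName).Hash -eq
              (Get-FileHash -LiteralPath $c.FullName).Hash) {
        continue   # identical content, nothing to report
    } elseif ($l.LastWriteTimeUtc -gt $c.LastWriteTimeUtc) {
        $status = 'LocalIsNewer'
    } else {
        $status = 'CentralIsNewerOrSameDate'
    }
    [pscustomobject]@{
        File            = $rel
        Status          = $status
        LocalModified   = $l.LastWriteTimeUtc
        CentralModified = if ($c) { $c.LastWriteTimeUtc } else { $null }
    }
}
$report | Format-Table -AutoSize
```

Files reported as `LocalIsNewer` or `MissingFromCentralStore` are the candidates to copy into the central store, together with their matching `.adml` language files.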

You can also download updated ADMX files from Microsoft for newer products such as IE9 that you may not already have an updated ADMX file for. The IE9 ones are part of the Internet Explorer Administration Kit (IEAK). Place them in the central store to make IE9-specific options available when modifying the GPOs.

Once you have a central store, the GPO will retrieve the policy definitions from it:

You’ll notice that I no longer have a “Compatibility View” folder under “Internet Explorer” in the image above even though this is on the same domain controller as before. That’s because the ADMX files for IE (inetres.admx and .adml) in the Central Store are older and don’t have those particular settings.

There’s a good article on MSDN: “Managing Group Policy ADMX Files Step-by-Step Guide” and another good article from Microsoft Support: “How to create a Central Store for Group Policy Administrative Templates in Windows Vista” on this topic.


3 Comments

  1. Nick Kresz

    This is a great article! I am migrating my domain to a 2012 forest level, and this explained the weird group policy management behavior I have been troubleshooting in between my 2008 R2 and 2012 DCs.

    So, why doesn’t the central store replicate automatically? When you edit an ADMX-based group policy object, will that replicate? Or is the central store just for older Domain Controllers to get newer Policy definitions?

  2. Steven

    Thank you Mike, very great post. My IT administrator is relieved and regained it administrative template.
