Question about a GPO central store in a forest.

  • Last Post 26 July 2018
Smita posted this 25 July 2018

I am familiar with a central GPO store in a single domain forest, but cannot find information about a central store for a multi-domain forest.

Do you create a central store for each domain?

Or can I create a central store in the root domain for the whole forest? And if I do, what are the pros and cons?

If there are any links out there that point to this information please point me to them.

Thanks,

Smita Carneiro GCWN, CISSP

Consultant – Active Directory

463-221-8480

Eli Lilly and Company

Email: Carneiro_smita@xxxxxxxxxxxxxxxx | Web: http://www.lilly.com

bdesmond posted this 25 July 2018

You have to create the store on a per-domain basis.

 

Thanks,


Brian

Smita posted this 25 July 2018

That’s good to know. Thanks Brian.

darren posted this 26 July 2018

Frankly, you might consider not creating a Central Store. It sort of depends upon how many folks you have editing GP but Microsoft has now sufficiently borked the maintenance of ADMX files from one version of Win10 to another that you can no longer guarantee backward compatibility of newer versions of ADMX. As a result, there’s value in being able to maintain multiple “stores” locally to keep control over which versions you use for a given set of GPOs (but only if you don’t have many hands in the pie of GP Editing). I’ve never liked the Central Store idea because it is all or nothing for a given domain.

 

Darren

Smita posted this 26 July 2018

Darren,

 

When you say “multiple ‘stores’ locally”, are you referring to the old way in which each GPO had its template in its own folder, or are you referring to the URL below?

https://blogs.technet.microsoft.com/askds/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store/

 




darren posted this 26 July 2018

Well, yes and no. Ned’s article is still a good one but there is also a newer way to “have your cake and eat it too”, as you can selectively override the use of the Central Store on a per-machine basis as needed. I described this a bit ago in a blog post:



https://sdmsoftware.com/group-policy-blog/tips-tricks/managing-admx-files-in-a-windows-10-world/

 

The point is really to put some release management around ADMX files just like you would any software. In other words, you don’t just automatically stuff every new set of ADMXs that MS delivers into your Central Store and call it a day. You could have “dev” and “staging” machines that use the CentralStore Override that allows you to test and ensure that new ADMXs don’t break anything prior to deploying them to the Central Store. Or you could approach it as Ned does by not having a central store at all and using a “management RDS” box that holds the gold copy locally, and you can still have separate dev and staging boxes for them. Again a lot of this depends upon how many people you have managing GP. The more people there are, the more you need to ensure that there is a central place everyone goes to get their ADMXs—Central Store or otherwise.

 

Darren
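
One way to run the pre-deployment check described in the post above, as an added example that is not part of the original thread or of the linked blog posts: a PowerShell comparison of a candidate ADMX folder against the current one, listing policies the new set removes or points at a different registry location. The function names and the sample templates are constructed for illustration.

```powershell
# Added example: index every <policy> in a folder of ADMX files by file and
# policy name, recording the class, registry key and value name it writes to.
function Get-AdmxPolicyIndex {
    param([Parameter(Mandatory)][string]$Path)
    $index = @{}
    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter *.admx) {
        $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw)
        # local-name() sidesteps the default XML namespace used by ADMX files.
        $nodes = $xml.SelectNodes("//*[local-name()='policies']/*[local-name()='policy']")
        foreach ($p in $nodes) {
            $id = '{0}::{1}' -f $file.Name.ToLower(), $p.GetAttribute('name')
            $index[$id] = '{0}|{1}|{2}' -f $p.GetAttribute('class'),
                $p.GetAttribute('key'), $p.GetAttribute('valueName')
        }
    }
    $index
}

# Report policies present in -Current that -Candidate drops or re-points.
# Only the attributes on <policy> itself are compared, not its child elements.
function Compare-AdmxStore {
    param([Parameter(Mandatory)][string]$Current,
          [Parameter(Mandatory)][string]$Candidate)
    $old = Get-AdmxPolicyIndex $Current
    $new = Get-AdmxPolicyIndex $Candidate
    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) {
            [pscustomobject]@{ Status = 'Removed'; Policy = $id; Old = $old[$id]; New = $null }
        } elseif ($new[$id] -ne $old[$id]) {
            [pscustomobject]@{ Status = 'Changed'; Policy = $id; Old = $old[$id]; New = $new[$id] }
        }
    }
}

# Constructed sample data (not real Microsoft templates): the candidate set
# drops DemoA and moves DemoB to a different registry key.
$root = Join-Path ([IO.Path]::GetTempPath()) ('admx-demo-' + [guid]::NewGuid())
$v1 = New-Item -ItemType Directory -Path (Join-Path $root 'current')
$v2 = New-Item -ItemType Directory -Path (Join-Path $root 'candidate')
$tpl = '<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"><policies>{0}</policies></policyDefinitions>'
$a = '<policy name="DemoA" class="Machine" key="Software\Policies\Demo" valueName="A" />'
$b = '<policy name="DemoB" class="Machine" key="Software\Policies\Demo" valueName="B" />'
$bMoved = '<policy name="DemoB" class="Machine" key="Software\Policies\Demo\New" valueName="B" />'
Set-Content -LiteralPath (Join-Path $v1.FullName 'demo.admx') -Value ($tpl -f ($a + $b))
Set-Content -LiteralPath (Join-Path $v2.FullName 'demo.admx') -Value ($tpl -f $bMoved)
Compare-AdmxStore -Current $v1.FullName -Candidate $v2.FullName | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Against a real environment, point `-Current` at the domain's Central Store (`\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions`) and `-Candidate` at the folder holding the new templates. Because the store is per domain, repeat the comparison for each domain that has one.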

 


Smita posted this 26 July 2018

That is a really nifty way to protect oneself against newer admx files.

 

Thanks Darren!