Questions on ADMX in Windows XP and Windows 2003 environments

We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was:

“…What’s the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs. What I’ve done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and it seems to work just fine. Is this the right way to do it?…”

The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that’s created. It’s just used by the administrative tool itself to create the policy. In the case of GPMC on Windows XP, Windows Server 2003 and earlier – this tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This duplication was one of the areas that caused major problems, an issue called SYSVOL bloat.

In Vista and Server 2008 this template format changed to ADMX. This was a complete change towards a new XML-based format that aimed to eliminate SYSVOL bloat. It doesn’t copy itself into every policy object but relies on a central or local store of these templates. (Note that even in the newer tools you can still import custom ADM files for stuff like Office etc.)

In the question above, the person wanted to know if the local store, located under c:/windows/policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and referenced by the newer admin tools. Again the domain functional mode has little to do with Group Policy. I talked about that one before. The things that we care about are the administrative tools and the client support for the policy functions. So of course it can.
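A read-only audit of a Policies folder, as an added example that is not from the original post: it reports whether a central store is present, which ADMX files lack a language file, and how many bytes of ADM copies each policy object still carries. The function name `Get-PolicyStoreReport`, the `en-US` default and the temp-folder sample tree are assumptions made for illustration; the `PolicyDefinitions` and `Adm` folder names are the standard ones.

```powershell
function Get-PolicyStoreReport {
    param(
        [Parameter(Mandatory = $true)][string]$PoliciesPath,  # the Policies folder on SYSVOL
        [string]$Locale = 'en-US'                             # assumed language folder
    )
    $store    = Join-Path $PoliciesPath 'PolicyDefinitions'
    $hasStore = Test-Path $store
    $admx = @(); $missingAdml = @()
    if ($hasStore) {
        $admx = @(Get-ChildItem -Path $store -Filter '*.admx')
        # Each .admx needs a same-named .adml in the locale subfolder for its display strings.
        $missingAdml = @($admx | Where-Object {
            -not (Test-Path (Join-Path (Join-Path $store $Locale) ($_.BaseName + '.adml')))
        } | ForEach-Object { $_.Name })
    }
    # Policy objects are GUID-named folders; those edited with ADM-based tools carry an Adm subfolder.
    $gpos = @(Get-ChildItem -Path $PoliciesPath | Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' })
    $admCopies = @(foreach ($gpo in $gpos) {
        $adm = Join-Path $gpo.FullName 'Adm'
        if (Test-Path $adm) {
            # Filter on Extension rather than -Filter '*.adm', which can also match .admx via short names.
            $sum = (Get-ChildItem -Path $adm | Where-Object { $_.Extension -eq '.adm' } |
                    Measure-Object -Property Length -Sum).Sum
            New-Object PSObject -Property @{ Gpo = $gpo.Name; AdmBytes = [long]$sum }
        }
    })
    New-Object PSObject -Property @{
        CentralStore = $hasStore; AdmxCount = $admx.Count
        MissingAdml  = $missingAdml; AdmCopies = $admCopies
    }
}

# Constructed sample tree (not a real SYSVOL) so the function can be run offline.
$root = Join-Path ([IO.Path]::GetTempPath()) 'PoliciesDemo'
$gpo  = Join-Path $root '{00000000-0000-0000-0000-000000000001}'   # constructed GUID
New-Item -ItemType Directory -Force -Path (Join-Path $root 'PolicyDefinitions\en-US'), (Join-Path $gpo 'Adm') | Out-Null
Set-Content (Join-Path $root 'PolicyDefinitions\sample.admx') '<policyDefinitions/>'
Set-Content (Join-Path $root 'PolicyDefinitions\orphan.admx') '<policyDefinitions/>'
Set-Content (Join-Path $root 'PolicyDefinitions\en-US\sample.adml') '<policyDefinitionResources/>'
Set-Content (Join-Path $gpo 'Adm\system.adm') 'CLASS MACHINE'

$report = Get-PolicyStoreReport -PoliciesPath $root
$report | Format-List
$report.AdmCopies | Format-Table Gpo, AdmBytes -AutoSize
```

Against the sample tree the report shows a central store with two ADMX files, `orphan.admx` listed under `MissingAdml`, and one policy object with a non-zero `AdmBytes`. The function only reads the folder, so it can be pointed at a production Policies share from an administrative workstation.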

Here’s the confusion-reducing scoop – Group Policy as a platform only relies on two main factors. The first is Active Directory, which stores metadata about the policy objects and lets clients discover the location of the policy files. The other is the SYSVOL, which stores the policy files. So at its core that’s LDAP and SMB file shares. Specific extensions on top of the policy platform may require certain domain functionality but that’s very specific to that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema updates – not GP itself. So if you don't currently use them then you don't have to update the schema.

So provided you’re using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies, you get all the benefits when managing downlevel clients. That means eliminating SYSVOL bloat. That means all the joys of Group Policy Preferences. Honestly – it amazes us the number of IT Pros that still haven’t discovered GPP…especially with the power it has to practically eliminate logon scripts!

As a last point – IT Pros also ask us when we will be producing an updated GPMC version for Windows XP to support all the new stuff. The answer is that we are not producing any updated GPMC versions for Windows XP and Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead! There are some really good benefits in the newer tools and very low impact to your current environment. You only need a single Windows Vista SP1 machine to start!