In this tutorial, I’ll explain why and how to update the Group Policy definition files (ADMX / ADML) in an Active Directory environment.
Before explaining how to do this, we will see why the files need updating, starting from an example.
You are in an Active Directory environment made up of 2 Windows Server 2012R2 domain controllers with a central store. When creating the central store, you used the ADMX and ADML files from one of the domain controllers. Since then, you have integrated Windows Server 2016/2019 servers as well as Windows 10 computers, and you realize that you cannot act on certain components of the new operating systems, such as preventing access to update settings.
This is “normal”: your Group Policy settings are those that apply to Windows 2012R2, Windows 8.1 and below, while the definitions have evolved with Windows Server 2016 and Windows 10.
To access the new features, it is not necessary to upgrade your domain controllers. You simply need to update the GPO definition files (ADMX / ADML).
The screenshot below shows a Group Policy setting that applies at a minimum to Windows Server 2016 and Windows 10, and which is not available on Windows Server 2012R2 by default.
Now we will see how to update the Group Policy definitions.
The first step is to retrieve the new definition files. For this you have 2 solutions:
- On a Windows 10 or Windows Server 2016/2019 computer, retrieve the ADMX / ADML files, which are located in the following folder: C:\Windows\PolicyDefinitions
- Download the latest Group Policy templates from the Microsoft site (since Windows 10, they are updated with each new version)
The second step, so that you can use them in GPOs on your domain controllers, is to update the central store or each domain controller with the new files.
If you are using a central store, just copy and/or replace the files in the central store folder. Otherwise, you have to update the files on each domain controller by copying them to the C:\Windows\PolicyDefinitions folder.
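The two steps above for the central store case, as an added PowerShell example that is not part of the original tutorial: it backs up the store, then copies only new or changed ADMX / ADML files, keeping the language subfolders. It assumes the central store sits at the standard SYSVOL path of the logged-on user's domain; the backup folder is a hypothetical location.

```powershell
# Added example: sync newer ADMX/ADML files into the central store after backing it up.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Files taken from a Windows 10 / Server 2016/2019 machine or from the Microsoft download
    [string]$Source = 'C:\Windows\PolicyDefinitions',
    # Assumption: central store under SYSVOL of the current user's DNS domain
    [string]$Store = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
    # Hypothetical backup location, change to suit your environment
    [string]$BackupRoot = 'C:\Backup\PolicyDefinitions'
)

if (-not (Test-Path -LiteralPath $Source)) { throw "Source not found: $Source" }
if (-not (Test-Path -LiteralPath $Store))  { throw "Central store not found: $Store" }

# 1. Back up the current store so a bad template set can be rolled back.
$backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
if ($PSCmdlet.ShouldProcess($Store, "Back up to $backup")) {
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Copy-Item -Path (Join-Path $Store '*') -Destination $backup -Recurse -Force
}

# 2. Compare each template by relative path and SHA-256; copy only new or changed files.
$sourceRoot = (Get-Item -LiteralPath $Source).FullName.TrimEnd('\')
$templates  = Get-ChildItem -LiteralPath $sourceRoot -Recurse -File |
    Where-Object { $_.Extension -in '.admx', '.adml' }

$report = foreach ($file in $templates) {
    # Relative path keeps .adml files in their language folder (for example en-US)
    $relative = $file.FullName.Substring($sourceRoot.Length + 1)
    $target   = Join-Path $Store $relative

    if (-not (Test-Path -LiteralPath $target)) { $status = 'New' }
    elseif ((Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash -ne
            (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash) { $status = 'Changed' }
    else { $status = 'Same' }

    if ($status -ne 'Same' -and $PSCmdlet.ShouldProcess($target, "Copy ($status)")) {
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force
    }
    [pscustomobject]@{ File = $relative; Status = $status }
}

# 3. Summary of what was new, changed or already up to date.
$report | Group-Object Status | Select-Object Name, Count
```

Run it with -WhatIf first to list the files that would be added or overwritten without touching the store.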
Remember to repeat this operation regularly (once a year) in order to be able to manage the new features of Windows operating systems.