Group Policy Template Behavior in Windows Server 2003 (316977)

SUMMARY

In Enterprise environments, there may be hundreds of Group Policy objects that you want to deploy in a domain. Each Group Policy object is stored in the Sysvol share of each domain controller. By default, a copy of the Administrative Templates (.adm) files are copied to each policy object in the file path:

%systemroot%\sysvol\domainname\Policies\POLICYGUID\Adm

In Windows Server 2003, the size of the Administrative Templates has grown. As a result, the set of Administrative Templates has grown to almost 1.75 MB. When you multiply this size by each Policy that Sysvol contains, you can see that much space is devoted to these templates.

Based on these facts, Administrators may want to use two Group Policy settings that reduce some of the strain that this Sysvol size growth causes. You must make sure that you set the settings correctly. If you do not, you may not be able to manage the Administrative Templates settings on some Group Policy objects. The two settings are Always use local ADM files for Group Policy Editor and Turn off automatic update of ADM files.

To locate these settings, in Group Policy expand Computer Configuration, expand Administrative Templates, expand System, and then expand Group Policy. Complete descriptions of these settings are included in the "More Information" section of this article.

The following list of scenarios describes how Group Policy behaves after you modify the settings:

Scenario 1:

Turn off Automatic Update of ADM files is enabled:
Always use local ADM files for Group Policy Editor is enabled:
- Local Administrative Template files (.ADM files) are not copied to SYSVOL.
- Displays the settings in Group Policy by using the local .adm files in %systemroot%\inf.
Scenario 2:

Turn off Automatic Update of ADM files is enabled:
Always use local ADM files for Group Policy Editor is disabled:
- Local copies of .adm files are not copied to SYSVOL.
- Displays the settings based on the .adm files located in SYSVOL
On this setting, if the SYSVOL copies of the .adm files are deleted, then you cannot view or edit the Administrative Templates section of Group Policy. If the copies of the .adm files in SYSVOL are Windows 2000 versions, new settings are not available in the policy.
Scenario 3:

Turn off Automatic Update of ADM files is disabled:
Always use local ADM files for Group Policy Editor is enabled:
- Local copies of the .adm files are copied to SYSVOL.
- Displays the settings based on the .adm files located in the %Systemroot%\inf folder.
Scenario 4:

Turn off Automatic Update of ADM files is disabled:
Always use local ADM files for Group Policy Editor is disabled:
- Local copies of the .adm files present in the %Systemroot%\inf folder are not copied to SYSVOL
- Copies of the .adm files in SYSVOL determine policy
In this scenario, the automatic method of upgrading policy templates is disabled, but the client continues to reference SYSVOL for the .adm files. If you must upgrade a template, you must do so manually.

MORE INFORMATION

When you define these settings, make sure that you consider the method the computer uses to determine whether to upgrade the copy of .adm files that are contained in the SYSVOL ADM folder. When the computer does this, it checks for timestamp and size. By default, if a client has a version of the .adm files that has a more recent timestamp than the server's version, and if the size of the file is different from what is already in place, the client copies the .adm files from the local computer to the SYSVOL share.

It is not important what operating system the client uses. Therefore, a client that runs Windows 2000 or Windows XP can upgrade, and therefore overwrite, an .adm file from Windows Server 2003. This is especially true if a Service Pack has been applied to the Windows 2000 or Windows XP computer that makes the timestamp on the .adm files more recent than the timestamp of the Windows Server 2003 .adm file.