
Where Are Those Group Policies?

Not so long ago I was looking at implementing BitLocker in our organisation to replace a Symantec product that was causing us lots of issues – and simply wasn’t worth the price we were paying for it (turned out to be another acquisition by Symantec that was pretty much abandoned as soon as they bought it).

I was reading articles on what BitLocker GPO settings I could apply to our machines; however, every time I looked for the settings I could not find any on our domain controllers.

I looked and looked but could not find them… maybe it was because our DCs were corrupt in some shape or form… maybe because they were running 2008 and not R2 or above… maybe the forest/functional levels needed to be greater than 2008… these were the thoughts going through my head at the time.

I put the project on hold (a premature move in hindsight as I had just assumed it was a problem with the DCs) and brought forward the domain upgrade project.
After a successful upgrade of the domain controllers and upgrading the domain and forest functional levels, I STILL couldn’t see the damn BitLocker policies! Was I going crazy?

No. I just didn’t understand Group Policies as well as I thought I did.

Turns out that group policies (at a high level) are just a bunch of .admx files in an XML-structured format, and if you don’t update them then you can’t take advantage of the latest and greatest GPO settings.

In a typical scenario the ADMX files give you the capabilities to modify policies for Windows Server and Client operating systems; however, there are also custom ADMX files you can obtain which allow you (the administrator) to modify policies and settings for custom applications. For example, there are Microsoft Office and Google Chrome ADMX files which allow you to push out policies specific to those applications. Take a look if you haven’t already – it’s pretty cool stuff.

You can either place these locally on the domain controller or in the central store. It is recommended and best practice to keep the ADMX files in the central store so that all domain controllers have access to the same files (otherwise you’ll get issues trying to open a custom/newer group policy on a DC that can’t see the new ADMX files) and so that an administrator can edit the same GPO settings on any domain controller… plus it just makes sense to have a central store for these files.

The location of the central store is \\FQDN\SYSVOL\FQDN\policies

You can download the latest ADMX files by searching the Microsoft download centre; however, there is a good resource online which helpfully groups the downloads together.

Simply download the latest ADMX files for Windows 8.1, Server 2012 R2 and any other applications you wish (like Microsoft Office), take a backup of the existing ADMX files in the central store and overwrite the existing ADMX files with the new ones you downloaded.

That’s it! You’ll now get to play with and deploy the latest group policy settings in your organisation!
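
The backup-and-overwrite step above, scripted as an added example (not part of the original post). It assumes the templates sit in the PolicyDefinitions folder under the Policies path given earlier; the domain name, local paths and language folder are placeholders. It also checks that every .admx has a matching .adml language file, since a missing one produces errors when the policy is opened in the editor.

```powershell
# Added example: back up the central store, copy in newer templates, sanity-check.
# Run with an account that is allowed to write to SYSVOL.
param(
    [string]$Domain       = 'corp.example.com',             # placeholder domain FQDN
    [string]$NewTemplates = 'C:\Temp\PolicyDefinitions',    # assumed: extracted download
    [string]$BackupRoot   = 'C:\Backup\PolicyDefinitions',  # assumed backup location
    [string]$Language     = 'en-US'                         # assumed language folder
)
$ErrorActionPreference = 'Stop'

# ADMX files live in the PolicyDefinitions folder of the central store
$central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path $NewTemplates)) { throw "New templates not found: $NewTemplates" }

if (Test-Path $central) {
    # 1. Back up the existing templates to a timestamped folder and verify the copy
    $backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Copy-Item -Path (Join-Path $central '*') -Destination $backup -Recurse -Force
    $before = @(Get-ChildItem -Path $central -Recurse -File).Count
    $after  = @(Get-ChildItem -Path $backup  -Recurse -File).Count
    if ($before -ne $after) { throw "Backup incomplete: $after of $before files" }
    Write-Host "Backed up $after files to $backup"
} else {
    # No central store yet: create it so every DC reads the same templates
    New-Item -ItemType Directory -Path $central -Force | Out-Null
}

# 2. Overwrite with the downloaded .admx files and their language subfolders
Copy-Item -Path (Join-Path $NewTemplates '*') -Destination $central -Recurse -Force

# 3. Every .admx needs a matching .adml in the language folder
$missing = @(Get-ChildItem -Path $central -Filter '*.admx' -File | Where-Object {
    -not (Test-Path (Join-Path $central (Join-Path $Language "$($_.BaseName).adml")))
})
if ($missing.Count -gt 0) {
    Write-Warning "No $Language .adml for: $($missing.Name -join ', ')"
} else {
    Write-Host "Central store updated; every .admx has a $Language .adml"
}
```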

I hope this was helpful – leave your comments below if I got anything wrong or if you want me to discuss anything in particular.