My client's domain has various 2012R2, 2016 and 2019 Windows Server versions. Two of the four domain controllers are running Windows 2012R2 and the ADMX files haven't been updated in years. The other two domain controllers are Windows 2019 and they have the FSMO roles assigned to them.
I hope to have all 2012 instances retired for good shortly, including the DCs. Since the ADMX files haven't been updated in years I am unable to apply certain GPOs to the 2016 and 2019 instances, which will become a security issue shortly. Since my environment will consist of 2016 and 2019 servers, what is the best policy or method I should use for updating the ADMX files?
From what I've read most people suggest the Central PolicyDefinitions Store option, but I wasn't sure if this is a good idea since I'm running multiple OS versions in my environment. Are there any other approaches to updating the ADMX files I should consider, given the make-up of my environment?
If I don't use the Central Store option, would I need to download the ADMX files to the C:\Windows\PolicyDefinitions folder locally on each domain controller in order to apply the latest settings to GPOs, or would I have to download the ADMX files to C:\Windows\PolicyDefinitions on all domain members/servers in order for the servers to receive updated GPO settings?
I've never had to update ADMX files so any advice would be greatly appreciated, thanks!
There's a key thing to understand about Administrative Templates (ADMX):
Updating Administrative Templates will NOT change anything in the GPOs you deployed: ADMX files are read by the Group Policy Management Console (or by gpresult when you generate a report) to display the settings to a human (showing a list of settings, a description, ...). That's it!
Example: consider the following scenario:
You create a new GPO with ADMX templates from 2011 and you deploy this GPO.
Now, imagine you update the ADMX templates to a newer version and let's say Microsoft removed from the newer ADMX files some of the older 2011-era settings you previously set with the older ADMX template files:
The computers/servers will not notice this, because they don't need ADMX to apply the policy.
However, the next time you open the Group Policy Management Console and want to edit your GPO, you will NOT see the settings you set before, BUT they'll be shown under "Extra registry settings" (in the HTML report too).
So, worst case scenario for you: You'll end up with Group Policies deploying "older" settings that Microsoft removed from ADMX and you'll not be able to edit these settings using the Group Policy Console.
=> If you are using Central Store: Backup the current ADMX files, and update the ADMX templates. If needed, you can restore the older ADMX files.
=> If you are not using the Central Store: Note that editing a Group Policy from Server 2019 will use the Server 2019 ADMX files (local), so, if you configured "older" settings that Microsoft removed with Server 2019, they'll show up as "Extra Registry Settings" when viewed from a 2019 server because the policy editor doesn't know how to show you these settings. Opening the Group Policy Console from Server 2012R2 will use the 2012R2 ADMX files (local). (By the way, that's why the Central Store is recommended because you don't want to see different behaviors in the GPO consoles based on "where" you are editing the policies...)
You can take a look at my answer here too, about a similar situation.
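The "back up the Central Store, then update it" step from the answer above, as an added PowerShell example (not code from the original answer or its author). It backs up the existing Central Store, reports which ADMX files are about to disappear from it (the templates whose already-configured settings would surface as "Extra Registry Settings" afterwards), copies the ADMX and ADML files from one reference server's local C:\Windows\PolicyDefinitions, and checks that every ADMX has a matching ADML. The reference server name SRV2019-REF, the backup root and the language list are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original answer). Refresh the Central Store at
# \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions from the local
# PolicyDefinitions folder of one reference Windows Server 2019 machine.
# Assumptions: the account can write to SYSVOL and read the admin share on
# the reference server; the server name, backup root and languages are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $ReferenceServer = 'SRV2019-REF',   # hypothetical reference server
    [string[]] $Languages       = @('en-US'),      # ADML language folders in use
    [string]   $BackupRoot      = 'C:\ADMX-Backups'
)

$ErrorActionPreference = 'Stop'
$domain       = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$source       = "\\$ReferenceServer\C`$\Windows\PolicyDefinitions"

if (-not (Test-Path $source)) { throw "Reference PolicyDefinitions not reachable: $source" }

if (Test-Path $centralStore) {
    # 1. Back up the current Central Store so the old ADMX/ADML can be restored.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupRoot "PolicyDefinitions-$stamp"
    if ($PSCmdlet.ShouldProcess($centralStore, "Back up to $backup")) {
        robocopy $centralStore $backup /E /R:1 /W:1 /NFL /NDL | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "Backup failed (robocopy exit code $LASTEXITCODE)" }
        Write-Host "Backed up Central Store to $backup"
    }

    # 2. Report ADMX files present today but absent from the new set. Settings
    #    already configured under those templates keep applying to clients, but
    #    GPMC will list them under "Extra Registry Settings" after the update.
    $old = @(Get-ChildItem $centralStore -Filter *.admx | ForEach-Object Name)
    $new = @(Get-ChildItem $source       -Filter *.admx | ForEach-Object Name)
    if ($old.Count -and $new.Count) {
        $gone = Compare-Object $old $new | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject
        if ($gone) { Write-Warning ("ADMX in Central Store but not in source:`n  " + ($gone -join "`n  ")) }
    }
} elseif ($PSCmdlet.ShouldProcess($centralStore, 'Create Central Store')) {
    # Creating this folder is what switches GPMC from local ADMX to the Central Store.
    New-Item -ItemType Directory -Path $centralStore | Out-Null
}

# 3. Copy the ADMX files plus the ADML resource files for each language in use.
if ($PSCmdlet.ShouldProcess($centralStore, "Copy ADMX/ADML from $source")) {
    Copy-Item (Join-Path $source '*.admx') $centralStore -Force
    foreach ($lang in $Languages) {
        $langDir = Join-Path $centralStore $lang
        if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
        Copy-Item (Join-Path $source "$lang\*.adml") $langDir -Force
    }
}

# 4. Sanity check: each ADMX in the store needs its ADML in the editor's
#    language, otherwise GPMC reports an error for that template.
foreach ($lang in $Languages) {
    $missing = Get-ChildItem $centralStore -Filter *.admx |
        Where-Object { -not (Test-Path (Join-Path $centralStore "$lang\$($_.BaseName).adml")) } |
        ForEach-Object Name
    if ($missing) { Write-Warning "No $lang ADML for: $($missing -join ', ')" }
    else          { Write-Host "All ADMX in the Central Store have a $lang ADML." }
}
```

Run it once with -WhatIf to see the planned backup and copy before touching SYSVOL. Because the Central Store lives in SYSVOL, the refreshed files replicate to the other domain controllers, and GPMC on any machine, 2012R2 or 2019, then reads the same templates instead of its local C:\Windows\PolicyDefinitions, which is the consistency the answer recommends. If the warning in step 2 lists templates you still rely on, keep the backup until you have checked the affected GPOs in the HTML report.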