How to Set Up Windows Server 2016 Group Policy Central Store

The Group Policy Central Store is a centralised repository for Administrative Template files (ADMX and ADML) stored in the SYSVOL of the domain controller. Without a Central Store, each administrator’s workstation loads ADMX files from its local PolicyDefinitions folder, which can lead to inconsistencies when different machines have different versions of templates. By creating a Central Store on Windows Server 2016, you ensure that every administrator sees the same templates regardless of which machine they use to edit Group Policy.

Understanding ADMX and ADML Files

ADMX files contain the policy setting definitions: registry paths, supported values, and default settings. ADML files are language-specific resource files that provide human-readable names and explanations for each setting. The ADMX file is language-neutral; you must include at least one ADML file (e.g., en-US) for the ADMX content to be visible in the Group Policy Management Editor (GPME).

Creating the Central Store

The Central Store is simply a folder named PolicyDefinitions in the domain’s SYSVOL policies directory. Create it on any domain controller; it will replicate to all others via DFSR automatically.

First, determine your domain’s SYSVOL path (typically C:WindowsSYSVOLdomain or accessible via the UNC path \contoso.comSYSVOLcontoso.comPolicies). Create the Central Store folder:

New-Item -ItemType Directory -Path "\contoso.comSYSVOLcontoso.comPoliciesPolicyDefinitions" -Force

Populating the Central Store with Built-In Templates

Copy the built-in Windows Server 2016 ADMX files from the local PolicyDefinitions folder to the Central Store:

Copy-Item -Path "C:WindowsPolicyDefinitions*.admx" `
    -Destination "\contoso.comSYSVOLcontoso.comPoliciesPolicyDefinitions" `
    -Force

Copy the English language files (adjust the locale folder name for your language):

New-Item -ItemType Directory -Path "\contoso.comSYSVOLcontoso.comPoliciesPolicyDefinitionsen-US" -Force

Copy-Item -Path "C:WindowsPolicyDefinitionsen-US*.adml" `
    -Destination "\contoso.comSYSVOLcontoso.comPoliciesPolicyDefinitionsen-US" `
    -Force

Verify the files were copied successfully:

Get-ChildItem "\contoso.comSYSVOLcontoso.comPoliciesPolicyDefinitions" |
    Measure-Object

Adding Microsoft Office and Other Third-Party Templates

Many applications—including Microsoft 365 Apps, Edge, Chrome, and various security products—ship their own ADMX templates. Download the Office 365 ADMX files from the Microsoft Download Center (the Administrative Templates for Microsoft 365 Apps package), extract them, and copy into the Central Store:

Copy-Item -Path "C:TempOfficeADMXadmx*.admx" `
    -Destination "\contoso.comSYSVOLcontoso.comPoliciesPolicyDefinitions" -Force

Copy-Item -Path "C:TempOfficeADMXadmxen-us*.adml" `
    -Destination "\contoso.comSYSVOLcontoso.comPoliciesPolicyDefinitionsen-US" -Force

For Microsoft Edge, download the Edge ADMX package from the Edge Enterprise landing page and copy it the same way.

Verifying the Central Store Is In Use

Open the Group Policy Management Editor and edit any GPO. Navigate to Computer Configuration > Policies > Administrative Templates. At the top of the list you should see the message: “Policy definitions (ADMX files) retrieved from the central store.” If you still see “retrieved from the local machine”, confirm the PolicyDefinitions folder exists in SYSVOL and that at least one ADMX file and the matching ADML subfolder are present.

Keeping the Central Store Up to Date

When you upgrade Windows or add new applications, new ADMX templates become available. Create a script to synchronise from the local PolicyDefinitions folder to the Central Store and schedule it to run after Windows Updates are applied:

$src = "C:WindowsPolicyDefinitions"
$dst = "\contoso.comSYSVOLcontoso.comPoliciesPolicyDefinitions"

# Sync ADMX files
robocopy $src $dst *.admx /R:3 /W:5 /LOG+:C:LogsCentralStoreSync.log

# Sync en-US ADML files
robocopy "$srcen-US" "$dsten-US" *.adml /R:3 /W:5 /LOG+:C:LogsCentralStoreSync.log

Schedule this script to run as a SYSTEM task after Windows Update maintenance windows.

Permissions on the Central Store

By default, SYSVOL inherits permissions allowing Domain Admins to write and all Authenticated Users to read. You do not need to modify these for the Central Store to function. However, if you have hardened SYSVOL permissions, ensure that the group used by administrators editing GPOs has at least Read access to the PolicyDefinitions folder and its contents.

The Central Store is one of the simplest and highest-value Active Directory housekeeping tasks. Its consistent template availability reduces errors and version conflicts in large multi-administrator environments.