GPO Question

  • Thread starter Thread starter Ken B
  • Start date Start date
K

Ken B

Here's one for the group.... I have a 2000 domain, with a good mix of 2000
and XP clients. I want to take advantage of the XP adm files so I can
policify those more closely. I know to copy the adm files from an XP
workstation to the server, but the only things holding me up on it is that I
have policies already set up.

If I change the ADM files on the server, will I lose the configuration
that's been done to those policies already?

If I don't lose the configured policies, will I still be able to edit said
policies down the road, or would I have to re-create them if I want to edit?

Would I be _REQUIRED_ to edit GP's from an XP workstation, or would I be
able to still edit them on a 2000 DC?

TIA---you'll be saving me a ton of time and making life easier!

Ken
 
Here's one for the group.... I have a 2000 domain, with a good mix of 2000
and XP clients. I want to take advantage of the XP adm files so I can
policify those more closely. I know to copy the adm files from an XP
workstation to the server, but the only things holding me up on it is that I
have policies already set up.

If I change the ADM files on the server, will I lose the configuration
that's been done to those policies already?

If I don't lose the configured policies, will I still be able to edit said
policies down the road, or would I have to re-create them if I want to edit?

Would I be _REQUIRED_ to edit GP's from an XP workstation, or would I be
able to still edit them on a 2000 DC?

TIA---you'll be saving me a ton of time and making life easier!

Ken
Click to expand...
Install the Windows Server Adminpak.msi file on XP and administer from there.

See tip 6598 in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
Um, Jerold, that doesn't really answer the question. Installing the adminpak
doesn't really address this issue. Ken, the issue really is how do you
upgrade and edit your GPOs going forward. Let's say you have XP, SP2
installed and you want to update existing GPOs with the new ADMs that come
with SP2. The default behavior is that if you create a new GPO or open one
of your existing domain-based GPOs from an XP, SP2 workstation using the GP
Editor, the newer ADMs are automatically copied up to the SYSVOL portion of
that GPO and the GPO is "updated". Now, if you have existing policy settings
in that GPO, chances are they are still supported in the newer ADM templates
and so you'll still see them. If for some reason the new ADMs don't include
an old setting that you had implemented, then that setting will be
"orphaned", but you will see it under the "Extra registry settings" section
if you view the settings of that GPO using GPMC.

Now, going forward, my rule of thumb is that once you start updating your
GPOs to the latest version, I think its easiest if you can always edit them
using that version of the OS, but in some cases that may not be feasible.
So, what I would recommend is that, on any Windows 2000 systems, you enable
the policy that prevents automated updating of ADMs, just in case somehow a
newer ADM gets onto one of your Win2K systems. This policy is available on
both Win2K and XP and is found under User Configuration|Admin
Templates|System|Group Policy|Turn off Automatic Update of ADM files

Hope that helps. Let me know if you have questions.
 
Thanks Darren-

That makes sense to me... just one other question, so I'll know what to
expect. What would happen if I did update the ADM files on the DC to XP2...
would I be able to create/edit new GP's on the DC, or would I be forced to
update from an XP workstation?

Thanks again

Ken
 
Ken-
You can continue to create and edit GPOs from Win2K. If you create a GPO on
Win2K, it will have Win2K ADMs so as soon as it is opened by an XP, SP2
machine, the GPO will be updated. One thing to keep in mind is that there is
an issue with editing GPOs that have been updated with SP2 from non-SP2
machines. There is a hotfix you should apply to your Win2K boxes. Its
described at http://support.microsoft.com/default.aspx?kbid=842933
 
Cool... thanks for your help, Darren--- very much appreciated!

Now the next step is explaining to the boss why I want to do this.

Thanks again!

Ken


Darren Mar-Elia said:
Ken-
You can continue to create and edit GPOs from Win2K. If you create a GPO on
Win2K, it will have Win2K ADMs so as soon as it is opened by an XP, SP2
machine, the GPO will be updated. One thing to keep in mind is that there is
an issue with editing GPOs that have been updated with SP2 from non-SP2
machines. There is a hotfix you should apply to your Win2K boxes. Its
described at http://support.microsoft.com/default.aspx?kbid=842933

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



Ken B said:
Thanks Darren-

That makes sense to me... just one other question, so I'll know what to
expect. What would happen if I did update the ADM files on the DC to
XP2...
would I be able to create/edit new GP's on the DC, or would I be forced to
update from an XP workstation?

Thanks again

Ken


Um, Jerold, that doesn't really answer the question. Installing the adminpak
doesn't really address this issue. Ken, the issue really is how do you
upgrade and edit your GPOs going forward. Let's say you have XP, SP2
installed and you want to update existing GPOs with the new ADMs that
come
with SP2. The default behavior is that if you create a new GPO or open
one
of your existing domain-based GPOs from an XP, SP2 workstation using
Click to expand...
the
GP
Editor, the newer ADMs are automatically copied up to the SYSVOL
Click to expand...
portion
of
that GPO and the GPO is "updated". Now, if you have existing policy settings
in that GPO, chances are they are still supported in the newer ADM templates
and so you'll still see them. If for some reason the new ADMs don't include
an old setting that you had implemented, then that setting will be
"orphaned", but you will see it under the "Extra registry settings" section
if you view the settings of that GPO using GPMC.

Now, going forward, my rule of thumb is that once you start updating your
GPOs to the latest version, I think its easiest if you can always edit them
using that version of the OS, but in some cases that may not be feasible.
So, what I would recommend is that, on any Windows 2000 systems, you enable
the policy that prevents automated updating of ADMs, just in case
Click to expand...
somehow
a
newer ADM gets onto one of your Win2K systems. This policy is available
on
both Win2K and XP and is found under User Configuration|Admin
Templates|System|Group Policy|Turn off Automatic Update of ADM files

Hope that helps. Let me know if you have questions.
Click to expand...
Click to expand...
Click to expand...
 
Ken,

That should be the easy part. ;-)

Cary


Ken B said:
Cool... thanks for your help, Darren--- very much appreciated!

Now the next step is explaining to the boss why I want to do this.

Thanks again!

Ken


Darren Mar-Elia said:
Ken-
You can continue to create and edit GPOs from Win2K. If you create a GPO on
Win2K, it will have Win2K ADMs so as soon as it is opened by an XP, SP2
machine, the GPO will be updated. One thing to keep in mind is that
Click to expand...
there
is
an issue with editing GPOs that have been updated with SP2 from non-SP2
machines. There is a hotfix you should apply to your Win2K boxes. Its
described at http://support.microsoft.com/default.aspx?kbid=842933
Click to expand...
forced
to
Click to expand...
Click to expand...
 
Back
Top