GPO software takes two reboots Win2k takes one. Why?

  • Thread starter Thread starter .:mmac:.
  • Start date Start date
M

.:mmac:.

Win2ksvr A/D domain:
When I add software to my GPO, the win2k clients will install at the first
reboot. The win XP clients will have to be rebooted twice, Why is that? Can
I fix it?
 
..:mmac:. said:
Win2ksvr A/D domain:
When I add software to my GPO, the win2k clients will install at the first
reboot. The win XP clients will have to be rebooted twice, Why is that? Can
I fix it?
Click to expand...
Hi,

This issue and how to fix it is discussed here:

Description of the Windows XP Professional Fast Logon Optimization
feature
http://support.microsoft.com/kb/305293
 
Thanks, How can I apply that policy from my win2k domain controller? the
policy doesn't exist there.I really don't want to walk to each one of the
winXP machines to set that policy locally. Can this policy be added to the
DC's policies?
 
If you edit the GPO that you want to "upgrade" from the GP Editor running on
an XP workstation, it will automatically copy up the XP ADMs to that GPO,
thus upgrading it.


--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
 
It will copy the setting from the XP workstation to the GPO on the 2k DC and
then apply it to all the other workstations??? Really?? That sounds
dangerous.
 
It will copy the .adm files from the %windir%\inf folder on the XP machine
to the SYSVOL portion of the GPO you are editing if they are newer than the
ADMs stored in SYSVOL on the PDC (usually the focus for GP editor). From
there, they replicate to the other DCs in your environment, but just for
that GPO that you edited, not all GPOs in your environment.

No settings are applied to the workstations unless you actually enable them.
Copying ADMs is different than enabling settings. The newer ADMs give you
more options to enable but don't have any effect on the clients if you don't
enable those new options. In general, the XP ADMs are a superset of the
Win2K ones, and in some cases don't apply to Win2K at all. I of course
encourage you to test this before rolling it out in your environment but
that is the standard approach for updating ADMs. MS also has a VBScript that
you can use to pre-copy the ADM files up to the DCs if you wish. You can
find a reference to that script on my site at
http://www.gpoguy.com/resources.htm#MS Resources

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
 
Excellent, thank you so much.

Darren Mar-Elia said:
It will copy the .adm files from the %windir%\inf folder on the XP machine
to the SYSVOL portion of the GPO you are editing if they are newer than
the ADMs stored in SYSVOL on the PDC (usually the focus for GP editor).
From there, they replicate to the other DCs in your environment, but just
for that GPO that you edited, not all GPOs in your environment.

No settings are applied to the workstations unless you actually enable
them. Copying ADMs is different than enabling settings. The newer ADMs
give you more options to enable but don't have any effect on the clients
if you don't enable those new options. In general, the XP ADMs are a
superset of the Win2K ones, and in some cases don't apply to Win2K at all.
I of course encourage you to test this before rolling it out in your
environment but that is the standard approach for updating ADMs. MS also
has a VBScript that you can use to pre-copy the ADM files up to the DCs if
you wish. You can find a reference to that script on my site at
http://www.gpoguy.com/resources.htm#MS Resources

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information
Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
Click to expand...
 
Ummm, the disclaimer on the ADM files download from MS says that it is not
recommended that I replace the ADM's in the winnt/system/(etc.) with the
ones in this package.If I take that at face value then what are they good
for??? Or is that just a CYA policy?
Specifically, how do I get this one policy from the XPsp2 workstation
into the Win2k DC and then to propagate the setting to the other
workstations? I set it on my XP workstation but I don't see a change on the
DC's policies. Did I misunderstand about how this gets to the sysvol?
 
If you are updating GPOs from an XP, SP2 machine, then you should not need
to download the files from MS--they will already be in c:\windows\inf on the
SP2 machine. If you do download them, then simply copy them to the
C:\windows\inf (or winnt if appropriate) folder on the client where you plan
to edit the GPO. I'm not sure what winnt\system would have to do with it,
frankly.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
 
Sorry for the confusion, I had the directory wrong.
What I was trying to do was import the GPO's from the XPSp2 workstation into
the Win2kSP4 domain controller. If DC is Win2k Server but the client is XP
Pro, can I still import the gpo from the XP workstation into the 2k DC? Are
they are compatible?
 
You're actually not importing the GPO. All you are doing is updating the ADM
files stored with the GPO on your domain controllers. And, yes, you can edit
a GPO stored on a Win2K DC from an XP workstation just fine.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
 
lost4 said:
Ummm, the disclaimer on the ADM files download from MS says
that it is not
recommended that I replace the ADM's in the
winnt/system/(etc.) with the
ones in this package.If I take that at face value then what
are they good
for??? Or is that just a CYA policy?
Specifically, how do I get this one policy from the XPsp2
workstation
into the Win2k DC and then to propagate the setting to the
other
workstations? I set it on my XP workstation but I don't see a
change on the
DC's policies. Did I misunderstand about how this gets to the
sysvol?

"Darren Mar-Elia" <[email protected]>
wrote in message

&nbsp;>> It will copy the setting from the XP workstation to
the GPO on the 2k DC
&nbsp;>> and then apply it to all the other workstations???
Really?? That sounds
&nbsp;>> dangerous.
&nbsp;>>
&nbsp;>> "Darren Mar-Elia"
&lt;[email protected]&gt; wrote in
&nbsp;>> message &nbsp;&nbsp;>>> If you edit the GPO that you want to "upgrade"
from the GP Editor
&nbsp;&nbsp;>>> running on an XP workstation, it will
automatically copy up the XP ADMs
&nbsp;&nbsp;>>> to that GPO, thus upgrading it.
&nbsp;&nbsp;>>>
&nbsp;&nbsp;>>>
&nbsp;&nbsp;>>> --
&nbsp;&nbsp;>>> Darren Mar-Elia
&nbsp;&nbsp;>>> MS-MVP-Windows Server--Group Policy
&nbsp;&nbsp;>>> Check out http://www.gpoguy.com -- The Windows
Group Policy Information
&nbsp;&nbsp;>>> Hub:
&nbsp;&nbsp;>>> FAQs, Whitepapers and Utilities for all things
Group Policy-related
&nbsp;&nbsp;>>>
&nbsp;&nbsp;>>>
&nbsp;&nbsp;>>>
&nbsp;&nbsp;>>> ".:mmac:." &lt;lost@sea&gt; wrote in message
&nbsp;&nbsp;>>>
&nbsp;&nbsp;>>>> Thanks, How can I apply that policy from my
win2k domain controller?
&nbsp;&nbsp;>>>> the policy doesn't exist there.I really don't
want to walk to each one
&nbsp;&nbsp;>>>> of the winXP machines to set that policy
locally. Can this policy be
&nbsp;&nbsp;>>>> added to the DC's policies?
&nbsp;&nbsp;>>>>
&nbsp;&nbsp;>>>> "Torgeir Bakken (MVP)"
&lt;[email protected]&gt; wrote in message
&nbsp;&nbsp;>>>> &nbsp;&nbsp;>>>>> .:mmac:. wrote:
&nbsp;&nbsp;>>>>>
&nbsp;&nbsp;>>>>>> Win2ksvr A/D domain:
&nbsp;&nbsp;>>>>>> When I add software to my GPO, the win2k
clients will install at the
&nbsp;&nbsp;>>>>>> first reboot. The win XP clients will have
to be rebooted twice, Why
&nbsp;&nbsp;>>>>>> is that? Can I fix it?
&nbsp;&nbsp;>>>>> Hi,
&nbsp;&nbsp;>>>>>
&nbsp;&nbsp;>>>>> This issue and how to fix it is discussed
here:
&nbsp;&nbsp;>>>>>
&nbsp;&nbsp;>>>>> Description of the Windows XP Professional
Fast Logon Optimization
&nbsp;&nbsp;>>>>> feature
&nbsp;&nbsp;>>>>> http://support.microsoft.com/kb/305293
&nbsp;&nbsp;>>>>>
&nbsp;&nbsp;>>>>>
&nbsp;&nbsp;>>>>> --
&nbsp;&nbsp;>>>>> torgeir, Microsoft MVP Scripting and WMI,
Porsgrunn Norway
&nbsp;&nbsp;>>>>> Administration scripting examples and an
ONLINE version of
&nbsp;&nbsp;>>>>> the 1328 page Scripting Guide:
&nbsp;&nbsp;>>>>>
http://www.microsoft.com/technet/scriptcenter/default.mspx
&nbsp;&nbsp;>>>>
&nbsp;&nbsp;>>>>
&nbsp;&nbsp;>>>
&nbsp;&nbsp;>>>
&nbsp;>>
&nbsp;>>
Click to expand...

Hi,

I always manually update my ADM’s. You can either Download them from
MS or copy them from the C:\Windows\inf folder on any XP machine
running SP2.

Copy them into the C:\Winnt\inf or C:\Windows\inf folders on ALL
your DC’s and any workstations running adminpak.msi

If you want you can backup the old ADM’s. However, I have never had a
need to use them. I am running the newest ADM’s without issue.

Cheers,

Lara
 
Please forgive me if this is redundant, but let me see if I understand what's
going on. Because server 2000 has no idea that XP exists, GPO settings-wise, you
need to let that server know there is a fast logon switch to disable on the XP
clients. Therefore you need to get a copy of the .adm files that are on the XP
box onto the 2000 server.

I know this has been covered, but please forgive me. To clarify--

In order to apply the setting that will overcome the fast logon option on all XP
machines in your environment *without* having to do so with scripts or manually at
each machine, you need to get the settings to show up on the domain controller.
The DC can then push those settings via a group policy to those XP machines.

The administrative templates on the server hold all the settings that come with
server2000. Since XP has new things that can be managed via group policy, the
powers that be made certain that copies of administrative templates that contain
the new settings were added to the XP machine operating system out of the box.

In order to get those new administrative templates (which are identical in most
ways to the original ones on the server except for XP specific settings) up onto
the DC in order for them to be applied domain wide, you can do a little trick-- if
you open an AD users and computers console on an XP box to make changes to the GPO
that will affect the XP machines, the newer copies of the administrative templates
will automatically be copied over from the XP client to the server. Otherwise you
can just copy the .adm files over from the XP machine to the server.

If you are going to do this from an XP client that has had SP2 installed there is
a caveat-- there are some extended strings or something in the SP2 templates that
2000 cannot read properly. That means that you use an XP SP2 machine to add the
new administrative templates to the 2000 server it works fine, but then try to
manage GPOs from anything *but* the XP SP2 machine, and you will get a repeated
error concerning truncated strings because the older version of group policy
editor can't read the longer strings that XP SP2 requires. To overcome this read
kb842933, download and install the fix.

Sorry if this was too wordy, but I wanted to be clear.
 
Now that was clarity! Thank you.
I was just seeing that "strings" message and was about to post when I read
yours. Perfect timing!
One thing... I did make changes to a winXP sp2 machine connected to a win2k
DC but I never saw the change propagate to the DC. I look at my XP machine
and the change is there and it works, but nothing is different on my win2k
DC. I can certainly copy the files over easily enough, but I'm curious why
they wouldnt do what you say they should.
 
Now that was clarity! Thank you.
I was just seeing that "strings" message and was about to post when I
read yours. Perfect timing! One thing... I did make changes to a winXP
sp2 machine connected to a win2k DC but I never saw the change
propagate to the DC. I look at my XP machine and the change is there
and it works, but nothing is different on my win2k DC. I can certainly
copy the files over easily enough, but I’m curious why they
wouldnt do what you say they should.
Click to expand...

Hi,

ADM files are located in two separate spots. They are in the
C:\Windows\inf folder on all XP/2000/2003 machines and are also
copied into the SYSVOL\Policies\ folder inside each GUID for each
Group Policy.

When a group policy is opened on the machine, the machine "updates"
the ADM’s in the SYSVOL\Policies folder with the ones from the
C:\Windows\inf folder if the ones in the inf folder are newer.

Therefore your SYSVOL\Policies have been updated to the newest ADM’s
if you have opened the Group Policies up on the Windows XP SP2
machines. However, this doesn’t update ADMs in the C:\Windows\inf
folders on the DC’s or other adminpak machines.

Personally, I prefer to just copy all the newest ADM’s into all the
C:\Windows\inf folders on all my DC’s and adminpak machines. I
actually customize my system.adm to add extra settings for my domain.

Manually is the best way to do it to ensure you have the latest
installed.

Cheers,

Lara
 
Thank you all, works like a charm!
I wish the ADM's would propagate between controllers by themselves but it's
a small annoyance.
 
They do. They use NTFRS Sysvol replication to do that.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
 
They do. They use NTFRS Sysvol replication to do that.

Yes, but only the ADM’s in the Sysvol are replicated. Not the ADM’s
located in the C:\Windows\inf folder which is where you have to
update manually.

Cheers,

Lara
 
Back
Top