server 2003 gp templates in 2000 domain

[wyocowboy]

I recently added a svr2003 as an additional domain controller to a win2000
domain that consisted of a single DC and a mix of win2k and xp workstations.
I now want to use a high security gp template instead of the default domain
and DC policies. While comparing the default DC GP on the svr2003 and svr
2000 I noticed that there are quite a few additional policy elements on the
svr2003 side.

I suspect that this would be seen in the templates as well, so the question
is, can I use the high security template from the svr2003, and if I do, how
does this play on the svr2000? Or should I stick with the win2k template
until I upgrade the win2k server to svr2003?

As part of adding the svr2003 to the win2k domain, I had to use the svr2003
version of adprep on the win2k server to extend its schema to make it 2003
compatible, but it is not clear from anything I've read that it made it able
to properly use the 2003 GP templates.

 

[Florian Frommherz [MVP]]

Howdie!

I suspect that this would be seen in the templates as well, so the question
is, can I use the high security template from the svr2003, and if I do, how
does this play on the svr2000? Or should I stick with the win2k template
until I upgrade the win2k server to svr2003?

As a general rule of GP administration, you should have a management
station with the most current OS with the current SP and GPMC installed
and manage your GPs from there.

In your specific case, I suggest you manage the security settings from
the Server 2003 machine. As far as legacy clients "understand" the
security settings (if there isn't anything specific to Server 2003),
they'll apply it happily. Settings legacy clients don't know, won't be
applied (although the overall policy gets applied).

As part of adding the svr2003 to the win2k domain, I had to use the svr2003
version of adprep on the win2k server to extend its schema to make it 2003
compatible, but it is not clear from anything I've read that it made it able
to properly use the 2003 GP templates.

If I remember correctly, when using Win2000 to manage a Server 2003
security policy, you simply won't see 2003-specific policies.

Cheers,
Florian

 

[Florian Frommherz [MVP]]

Howdie!

I suspect that this would be seen in the templates as well, so the question
is, can I use the high security template from the svr2003, and if I do, how
does this play on the svr2000? Or should I stick with the win2k template
until I upgrade the win2k server to svr2003?

As a general rule of GP administration, you should have a management
station with the most current OS with the current SP and GPMC installed
and manage your GPs from there.

In your specific case, I suggest you manage the security settings from
the Server 2003 machine. As far as legacy clients "understand" the
security settings (if there isn't anything specific to Server 2003),
they'll apply it happily. Settings legacy clients don't know, won't be
applied (although the overall policy gets applied).

As part of adding the svr2003 to the win2k domain, I had to use the svr2003
version of adprep on the win2k server to extend its schema to make it 2003
compatible, but it is not clear from anything I've read that it made it able
to properly use the 2003 GP templates.

If I remember correctly, when using Win2000 to manage a Server 2003
security policy, you simply won't see 2003-specific policies.

Cheers,
Florian

 

[wyocowboy]

Howdie!

I suspect that this would be seen in the templates as well, so the question
is, can I use the high security template from the svr2003, and if I do, how
does this play on the svr2000? Or should I stick with the win2k template
until I upgrade the win2k server to svr2003?

As a general rule of GP administration, you should have a management
station with the most current OS with the current SP and GPMC installed
and manage your GPs from there.

In your specific case, I suggest you manage the security settings from
the Server 2003 machine. As far as legacy clients "understand" the
security settings (if there isn't anything specific to Server 2003),
they'll apply it happily. Settings legacy clients don't know, won't be
applied (although the overall policy gets applied).

As part of adding the svr2003 to the win2k domain, I had to use the svr2003
version of adprep on the win2k server to extend its schema to make it 2003
compatible, but it is not clear from anything I've read that it made it able
to properly use the 2003 GP templates.

If I remember correctly, when using Win2000 to manage a Server 2003
security policy, you simply won't see 2003-specific policies.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Thanks for the advice!

 

[wyocowboy]

Howdie!

I suspect that this would be seen in the templates as well, so the question
is, can I use the high security template from the svr2003, and if I do, how
does this play on the svr2000? Or should I stick with the win2k template
until I upgrade the win2k server to svr2003?

As a general rule of GP administration, you should have a management
station with the most current OS with the current SP and GPMC installed
and manage your GPs from there.

In your specific case, I suggest you manage the security settings from
the Server 2003 machine. As far as legacy clients "understand" the
security settings (if there isn't anything specific to Server 2003),
they'll apply it happily. Settings legacy clients don't know, won't be
applied (although the overall policy gets applied).

As part of adding the svr2003 to the win2k domain, I had to use the svr2003
version of adprep on the win2k server to extend its schema to make it 2003
compatible, but it is not clear from anything I've read that it made it able
to properly use the 2003 GP templates.

If I remember correctly, when using Win2000 to manage a Server 2003
security policy, you simply won't see 2003-specific policies.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Thanks for the advice!