[gptalk] Re: "Always use local ADM files..." setting oddness

  • From: <bart.schillebeeks@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 5 Apr 2007 11:07:40 +0200

Hi Tony, or Tom if you prefer :-)
 
         ADM files are not copied up to the GPO in SYSVOL for new GPOs unless I 
explicitly add them using Add/Remove Templates in GPEDIT.  
 
That's because you're using a Windows 2003 machine to administer your GPOs.

I'm using an XP workstation with the admintools + GPMC installed, and the ADM 
templates in a windows/inf upgraded to the latest Windows 2003 SP1 version.
On creation of a new GPO with this, the standard ADMs 
(conf, system, inetres, inetset, wua) are copied up to the SYSVOL.  
When I do the same on the DC itself I need to add the templates manually, same 
as you. 
 
Why this behaviour differs is unknown to me, as both GPMCs are the same install 
version through the same kit with the same settings? 
 
Maybe Darren can shed some light on this. 
 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA

Disclaimer:
Any views expressed in this message are those of the individual sender, except 
where the message states otherwise and the sender is authorised to state them 
to be the views of any such entity.This Message is in no way legally binding 
and has to be viewed as a personal opinion of the sender. This message reflects 
in no way the views of FORTIS BANK and its associates and AD internet 
Consulting BVBA and its associates. Unless otherwise stated, any pricing 
information given in this message is indicative only, is subject to change and 
does not constitute an offer to deal at any price quoted. Any reference to the 
terms of executed transactions should be treated as preliminary only and 
subject to our formal written confirmation.

AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal ON:0470419019 
www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx


 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tony Murray [HIQ]
Sent: Thursday, April 05, 2007 1:27 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness



Hi Alan and Bart

 

I guess I'm Tom and Tony?  :-)  Oh well, at least with schizophrenia you're 
never alone...

 

So, what I think I hear you saying is that I should disable "Always use local 
ADM files for Group Policy editor" and enable "Turn off automatic updates of 
ADM files" instead?

 

When I do this I see some behaviour that I was not expecting, namely:

 

*         ADM files are not copied up to the GPO in SYSVOL for new GPOs unless 
I explicitly add them using Add/Remove Templates in GPEDIT.  

*         When I create a new GPO it loads all the ADM files from the local 
%windir%\inf.  I can remove the ADMs I don't need by using Add/Remove Templates 
in GPEDIT, but I first need to add them.

 

Is this what you would expect?  If so, it gives me a workaround but seems 
kludgy.

 

Cheers

Tony

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Alan & Margaret
Sent: Wednesday, 04 April 2007 23:00
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

 

Hi Bart,

 

I would accept "similar" :-)

 

I would just like to get it back to the old way it worked before Microsoft 
tried to make it better! Only use the ADM files that sit within the policy and 
never automatically update them.

 

Alan Cuthbertson

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: Wednesday, 4 April 2007 6:34 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

 

Isn't that the same as what I've said, Alan? :-) 

 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA


 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Alan & Margaret
Sent: Wednesday, April 04, 2007 10:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

Hi Tom & Tony

 

My take on this is slightly different. I prefer to disable "automatic Updates 
of ADM files" and disable the "always use Local ADM Files for Group Policy 
Editor" but only have those Templates in the Policy that you want to use. This 
has the following advantages:

*       Limited bloat since there aren't many ADM files in the Policies 
*       Everyone sees the same thing on all machines 
*       You can have different versions of the same ADM file in different 
policies 
*       Minimal display inside GPEDIT 
*       Other people cannot accidentally change your ADM files 

 

Of course you don't have multi language support though.

 

When you look at ADMX files it moves in the direction of a single set of ADMX 
files used by all policies on the domain. You can't load a subset for each 
policy. This will give you Tom's problem of a very cluttered display. It also 
means if you have one domain and a central store of ADMX files, it is a bit 
difficult to test ADMX files, since if you get one wrong, no one can look at 
any admx settings until you fix it. Perhaps Darren could tell us if there is a 
registry setting to select a different location for ADMX files for testing. But 
then, everyone does their testing in a separate domain ....

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

 

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: Wednesday, 4 April 2007 5:56 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

 

Hi Tom, 

 

How is it going down under :-)

 

Normal behaviour, since the editor just reads all the ADMs it finds. In the 
SYSVOL it's only the assigned templates in the GPO; locally it's all of them 
you have stocked. 

 

Best thing to do according to me is to 

 

*       "Turn off automatic updates of ADM files"  this will thus not overwrite 
any sysvol adm templates with local versions. 
*       "When group policy is selecting a DC it should use PRIMARY DOMAIN 
CONTROLLER"  this makes sure you always attach to your PDC role. 
*       Disable ADM in NTFRS replication by setting a filter on the sysvol 
replication "*.adm" in the registry , this will exclude *.adm files from 
replicating. (you can find this also in a KB somewhere, lost the KB nr which it 
was :-( ) 

You have thus a system that only allows ADM on the PDC , to which you only 
connect to, your sysvol bloat is gone etc...

 

You now only need to maintain your local ADM files on your GPO administration 
workstation to make sure they are the latest versions, of course if you have 
multiple administrators you need to make sure they have the same ADM's. 

 

This way you will select adm for the PDC's sysvol , in a normal manner, and 
only see those that you've assigned. 

 

Oh yeah, don't change PDC roles, as you will have to re-assign all ADMs again 
(or copy them over first) 

 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA
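
Added example, not part of the original thread: a PowerShell inventory of the ADM copies stored inside each GPO, to measure the SYSVOL bloat discussed above and to check that the administration workstation's local templates match what is in the policies. It assumes the standard `Policies\{GUID}\Adm` layout and PowerShell 4 or later (`Get-FileHash`); the `-SysvolPolicies` parameter name and the output column names are chosen here for illustration.

```powershell
# Added example: inventory ADM templates stored inside each GPO in SYSVOL.
# Assumption: GPO folders are <SysvolPolicies>\{GUID}\Adm\*.adm (standard layout).
param(
    # Pass your own path, e.g. \\<domain>\SYSVOL\<domain>\Policies
    [Parameter(Mandatory = $true)][string]$SysvolPolicies,
    # Local template folder on the GPO administration workstation
    [string]$LocalInf = (Join-Path $env:windir 'inf')
)

# Hash the local templates once so every SYSVOL copy can be compared to them.
$local = @{}
Get-ChildItem -Path $LocalInf -Filter *.adm -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $local[$_.Name.ToLower()] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }

$rows = foreach ($gpo in Get-ChildItem -LiteralPath $SysvolPolicies -Directory) {
    $admDir = Join-Path $gpo.FullName 'Adm'
    if (-not (Test-Path -LiteralPath $admDir)) { continue }   # GPO carries no templates
    foreach ($f in Get-ChildItem -LiteralPath $admDir -Filter *.adm -File) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $key  = $f.Name.ToLower()
        [pscustomobject]@{
            Gpo      = $gpo.Name
            Adm      = $f.Name
            Bytes    = $f.Length
            Modified = $f.LastWriteTimeUtc
            Sha256   = $hash
            VsLocal  = if (-not $local.ContainsKey($key)) { 'NoLocalCopy' }
                       elseif ($local[$key] -eq $hash)    { 'Same' }
                       else                               { 'Differs' }
        }
    }
}

# Per-GPO footprint: how much space the ADM copies take in each policy.
$rows | Group-Object Gpo | ForEach-Object {
    [pscustomobject]@{
        Gpo   = $_.Name
        Files = $_.Count
        KB    = [math]::Round(($_.Group | Measure-Object Bytes -Sum).Sum / 1KB, 1)
    }
} | Sort-Object KB -Descending | Format-Table -AutoSize

# Templates present in more than one version across GPOs, or unlike the local copy.
$rows | Group-Object Adm |
    Where-Object { @($_.Group.Sha256 | Sort-Object -Unique).Count -gt 1 -or
                   @($_.Group | Where-Object VsLocal -eq 'Differs').Count -gt 0 } |
    ForEach-Object { $_.Group } |
    Sort-Object Adm, Gpo | Format-Table Adm, Gpo, VsLocal, Modified, Sha256 -AutoSize
```

The script only reads files; a `Differs` row with an unexpected `Modified` time is the place to check whether an editor with automatic ADM updates still enabled has overwritten the template in that GPO.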


 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tony Murray [HIQ]
Sent: Wednesday, April 04, 2007 5:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] "Always use local ADM files..." setting oddness

Hi all

 

I'm attempting to implement the recommendations for managing ADM files as shown 
in the following KB article:

 

http://support.microsoft.com/kb/816662

 

I've got a management workstation for managing GPOs (actually a VM running W2K3 
SP1) and have implemented the policy "Always use local ADM files for Group 
Policy editor".    All seems to be ok, but for the fact that GPEDIT now loads 
all of the ADM templates from %windir%\inf whenever I open a GPO for editing.  
As we have quite a number of custom and other ADMs this creates a very busy 
view.   The "Always use local ADM files for Group Policy editor" setting 
appears to make the Add/Remove Templates option redundant.

 

Is there any way to have the "Always use local ADM files for Group Policy 
editor" setting in place and selectively add in the ADMs that I want to use for 
each GPO?   Put another way, can I have my cake and eat it?

 

Thanks

Tony

 

 

 

 

 
 
 
 



________________________________



 
 
 
 
 

This email or attachment(s) may contain confidential or legally privileged 
information intended for the sole use of the addressee(s). Any use, 
redistribution, disclosure, or reproduction of this message, except as 
intended, is prohibited. If you received this email in error, please notify the 
sender and remove all copies of the message, including any attachments. Any 
views or opinions expressed in this email (unless otherwise stated) may not 
represent those of HealthIntelligence (HIQ Ltd). 

http://www.healthintelligence.org.nz <http://www.healthintelligence.org.nz>  

(1H_S1) 

No Viruses were detected in this message.
 
 
 
 



________________________________



 
 
 
 
HealthIntelligence <http://www.healthintelligence.org.nz>  eMail Filter Service




= = = = = = = = = = = = = = = = = = = = = = = = =
Fortis disclaimer :
http://www.fortis.be/legal/disclaimer.htm

Privacy policy related to banking activities of Fortis:
http://www.fortisbank.be/legal/privacy_policy.htm
= = = = = = = = = = = = = = = = = = = = = = = = =
