[gptalk] Re: "Always use local ADM files..." setting oddness

  • From: "Tony Murray [HIQ]" <Tony.Murray@xxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 10 Apr 2007 11:55:18 +1200

Thanks Darren (and Bart and Alan).

 

That's interesting - it's certainly not well explained in the Microsoft
documentation.

 

I've done some further testing and here's what I found with the
following settings.

 

---------

Always use local ADM files for Group Policy editor: Not configured /
Disabled

Turn off automatic updates of ADM files: Enabled

 

Running GPMC on XP workstation:  

*         ADM files are copied up to SYSVOL upon creation. 

*         Only the standard ADMs appear in GPEDIT.

 

Running GPMC on Windows 2003 member server:

*         No ADM files are copied up to SYSVOL upon creation.

*         All ADMs from the local %windir%\inf appear in GPEDIT.

----------

 

I guess the difference arises in the way that XP handles the use of
local ADMs.  Note that in my test the Always use local ADM files for
Group Policy editor policy setting was set to Not Configured.  I would
have expected the behaviour to be the same for both machines upon
GPO creation.  Instead, the GPMC will use local ADM files even when
the Always use local ADM files for Group Policy editor setting is Not
Configured on W2K3, but the GPMC running on XP will always use the
SYSVOL ADMs.

 

I guess my confusion partly arose from this statement in KB816662:

 

Group Policy Management Console

By default, the Group Policy Management Console (GPMC) always uses local
ADM files, regardless of their time stamp, and never copies the ADM
files to the Sysvol. If an ADM file is not found, GPMC looks for the ADM
file in the GPT. Also, the GPMC user can specify an alternative location
for ADM files. If an alternative location is specified, this alternative
location takes precedence.

 

This should probably be updated to read as follows:

 

Group Policy Management Console

By default, the Group Policy Management Console (GPMC) when running on a
Windows Server 2003 machine always uses local ADM files, regardless of
their time stamp, and never copies the ADM files to the Sysvol. If an
ADM file is not found, GPMC looks for the ADM file in the GPT. Also, the
GPMC user can specify an alternative location for ADM files. If an
alternative location is specified, this alternative location takes
precedence.

 

Tony

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, 06 April 2007 09:35
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

 

Couple of things here. The "always use local ADMs" policy does indeed
only affect you when you are editing a GPO from a 2003 box. XP does not
use this policy at all. Strange, I know, but they never back-ported it
to XP.  So, if you are using this policy in conjunction with the don't
auto-update ADM policy, then the behavior described below is as
expected. You do need to explicitly add (or remove) ADMs to/from a given
GPO when you create it using these settings. I guess if your ultimate
goal is to always keep ADMs out of SYSVOL, then this combination of
settings works ok as long as you never edit GPOs from XP (or Win2K). But
if you do, then one of two things will happen. If the ADMs are not in
SYSVOL, then XP and 2K will choke because they don't respect the "always
use local" policy and expect to find them in SYSVOL. The alternative is
that you don't have the auto-update policy set on users of those XP and
2K machines and then they will go ahead and populate SYSVOL with ADMs. I
like the approach of preventing replication of ADMs and just using the
PDCe as the system of record, but it does require a little extra
management.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: Thursday, April 05, 2007 2:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

 

Hi Tony, or Tom if you prefer :-)

 

         ADM files are not copied up to the GPO in SYSVOL for new GPOs
unless I explicitly add them using Add/Remove Templates in GPEDIT.  

 

That's because you're using a Windows 2003 machine to administer your
GPOs.

I'm using an XP workstation with the admin tools + GPMC installed, and
the ADM templates in windows\inf upgraded to the latest Windows 2003
SP1 version.
On creation of a new GPO with this, the standard ADMs
(conf, system, inetres, inetset, wua) are copied up to the SYSVOL.

When I do the same on the DC itself I need to add the templates manually,
same as you.

 

Why this behaviour differs is unknown to me, as both GPMCs are the same
install version through the same kit with the same settings?

 

Maybe Darren can shed some light on this. 

 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA

Disclaimer:
Any views expressed in this message are those of the individual sender,
except where the message states otherwise and the sender is authorised
to state them to be the views of any such entity. This message is in no
way legally binding and has to be viewed as a personal opinion of the
sender. This message reflects in no way the views of FORTIS BANK and its
associates and AD internet Consulting BVBA and its associates. Unless
otherwise stated, any pricing information given in this message is
indicative only, is subject to change and does not constitute an offer
to deal at any price quoted. Any reference to the terms of executed
transactions should be treated as preliminary only and subject to our
formal written confirmation.

AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal
ON:0470419019 www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tony Murray [HIQ]
Sent: Thursday, April 05, 2007 1:27 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

Hi Alan and Bart

 

I guess I'm Tom and Tony?  :-)  Oh well, at least with schizophrenia
you're never alone...

 

So, what I think I hear you saying is that I should disable "Always use
local ADM files for Group Policy editor" and enable "Turn off automatic
updates of ADM files" instead?

 

When I do this I see some behaviour that I was not expecting, namely:

 

*         ADM files are not copied up to the GPO in SYSVOL for new GPOs
unless I explicitly add them using Add/Remove Templates in GPEDIT.  

*         When I create a new GPO it loads all the ADM files from the
local %windir%\inf.  I can remove the ADMs I don't need by using
Add/Remove Templates in GPEDIT, but I first need to add them.

 

Is this what you would expect?  If so, it gives me a workaround but
seems kludgy.

 

Cheers

Tony

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan & Margaret
Sent: Wednesday, 04 April 2007 23:00
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

 

Hi Bart,

 

I would accept "similar" :-)

 

I would just like to get it back to the old way it worked before
Microsoft tried to make it better! Only use the ADM files that sit
within the policy and never automatically update them.

 

Alan Cuthbertson

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: Wednesday, 4 April 2007 6:34 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

 

Isn't that the same as what I've said, Alan? :-)

 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA


 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan & Margaret
Sent: Wednesday, April 04, 2007 10:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

Hi Tom & Tony

 

My take on this is slightly different. I prefer to disable "automatic
Updates of ADM files" and disable the "always use Local ADM Files for
Group Policy Editor" but only have those Templates in the Policy that
you want to use. This has the following advantages:

*       Limited bloat since there aren't many ADM files in the Policies 
*       Everyone sees the same thing on all machines 
*       You can have different versions of the same ADM file in
different policies 
*       Minimal display inside GPEDIT 
*       Other people cannot accidentally change your ADM files 

 

Of course you don't have multi language support though.

 

When you look at ADMX files it moves in the direction of a single set of
ADMX files used by all policies on the domain. You can't load a subset
for each policy. This will give you Tom's problem of a very cluttered
display. It also means if you have one domain and a central store of
ADMX files, it is a bit difficult to test ADMX files, since if you get
one wrong, no one can look at any ADMX settings until you fix it.
Perhaps Darren could tell us if there is a registry setting to select a
different location for ADMX files for testing. But then, everyone does
their testing in a separate domain ....

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

 

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: Wednesday, 4 April 2007 5:56 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

 

Hi Tom,

 

How is it going down under :-)

 

Normal behaviour, since the editor just reads all the ADMs it finds. In
the SYSVOL it's only the assigned templates in the GPO; locally it's all
of them you have stocked.

 

Best thing to do according to me is to 

 

*       "Turn off automatic updates of ADM files": this will thus not
overwrite any SYSVOL ADM templates with local versions.
*       "When group policy is selecting a DC it should use PRIMARY
DOMAIN CONTROLLER": this makes sure you always attach to your PDC role.
*       Disable ADM in NTFRS replication by setting a filter on the
sysvol replication "*.adm" in the registry; this will exclude *.adm
files from replicating. (You can find this also in a KB somewhere; lost
the KB number which it was :-( )

You thus have a system that only allows ADMs on the PDC, which is the
only DC you connect to; your SYSVOL bloat is gone, etc.

 

You now only need to maintain your local ADM files on your GPO
administration workstation to make sure they are the latest versions;
of course, if you have multiple administrators you need to make sure they
have the same ADMs.

 

This way you will select ADMs for the PDC's SYSVOL in the normal manner,
and only see those that you've assigned.

 

Oh yeah, don't change PDC roles, as you will have to re-assign all ADMs
again (or copy them over first).

 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA

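Bart's three-part setup above, and the XP-versus-Windows 2003 behaviour Tony tabulates at the top of the thread, both come down to two observable facts on the GPO administration workstation: which .adm files each GPO actually carries in its SYSVOL Adm folder (and how their time stamps compare with the local %windir%\inf copies, since the editor's overwrite decision is time-stamp based), and whether the "Turn off automatic updates of ADM files" user policy is in force. The following PowerShell is an added example, not code from the gptalk thread or from Microsoft. It assumes the standard \\<domain>\SYSVOL\<domain>\Policies layout; the domain name example.local is a constructed placeholder; and the registry value name DisableAutoADMUpdate under HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor is assumed here to be the value behind that policy.

```powershell
# Added example (not from the gptalk thread). Inventories the ADM templates each
# GPO carries in its SYSVOL GPT "Adm" folder, compares their time stamps with
# the local %windir%\inf copies, and reports the state of the
# "Turn off automatic updates of ADM files" policy on this workstation.
# Assumption: the policy is backed by the registry value DisableAutoADMUpdate
# under HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor.

function Get-AdmUpdatePolicyState {
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Group Policy Editor'
    $value = (Get-ItemProperty -Path $key -Name DisableAutoADMUpdate `
                -ErrorAction SilentlyContinue).DisableAutoADMUpdate
    if ($null -eq $value) { return 'Not configured' }
    if ($value -eq 1)     { return 'Enabled (SYSVOL ADMs are not overwritten by local copies)' }
    return 'Disabled'
}

function Get-GpoAdmInventory {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$LocalInf = (Join-Path $env:windir 'inf')
    )
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    # Every GPO's GPT is a folder named by its GUID in braces.
    foreach ($gpo in Get-ChildItem -Path $policies -Directory -Filter '{*}') {
        $admDir   = Join-Path $gpo.FullName 'Adm'
        $admFiles = @()
        if (Test-Path $admDir) {
            $admFiles = @(Get-ChildItem -Path $admDir -Filter '*.adm' -File)
        }
        if ($admFiles.Count -eq 0) {
            # No templates in the GPT: GPMC on Windows 2003 falls back to the
            # local ADMs; GPMC on XP shows only what SYSVOL holds (see thread).
            [PSCustomObject]@{
                Gpo = $gpo.Name; Adm = '<none>'; SysvolBytes = 0
                SysvolWritten = $null; LocalWritten = $null; Status = 'no ADMs in GPT'
            }
            continue
        }
        foreach ($adm in $admFiles) {
            $local     = Join-Path $LocalInf $adm.Name
            $localTime = $null
            if (Test-Path $local) { $localTime = (Get-Item $local).LastWriteTimeUtc }
            $status = if ($null -eq $localTime) { 'not in local inf' }
                      elseif ($adm.LastWriteTimeUtc -lt $localTime) { 'SYSVOL copy older than local' }
                      elseif ($adm.LastWriteTimeUtc -gt $localTime) { 'SYSVOL copy newer than local' }
                      else { 'same time stamp' }
            [PSCustomObject]@{
                Gpo = $gpo.Name; Adm = $adm.Name; SysvolBytes = $adm.Length
                SysvolWritten = $adm.LastWriteTimeUtc; LocalWritten = $localTime; Status = $status
            }
        }
    }
}

# Usage: per-GPO ADM count and size (the "SYSVOL bloat" the thread talks
# about), then the templates whose time stamps drift from the local copies.
"Turn off automatic updates of ADM files: $(Get-AdmUpdatePolicyState)"
$inventory = Get-GpoAdmInventory -Domain 'example.local'   # constructed domain name

$inventory | Group-Object Gpo | ForEach-Object {
    [PSCustomObject]@{
        Gpo      = $_.Name
        AdmCount = @($_.Group | Where-Object Adm -ne '<none>').Count
        TotalKB  = [math]::Round(($_.Group | Measure-Object SysvolBytes -Sum).Sum / 1KB, 1)
    }
} | Format-Table -AutoSize

$inventory | Where-Object Status -like '*than local' |
    Format-Table Gpo, Adm, SysvolWritten, LocalWritten, Status -AutoSize
```

Run it from the workstation used for GPO editing, in the same user context that the "Turn off automatic updates" policy targets, since that value lives under HKCU. A GPO that reports "no ADMs in GPT" is exactly the case Tony and Darren describe: harmless when edited from Windows 2003 with local ADMs, but a problem when someone opens it from XP or Windows 2000, which expect the templates in SYSVOL.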

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tony Murray [HIQ]
Sent: Wednesday, April 04, 2007 5:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] "Always use local ADM files..." setting oddness

Hi all

 

I'm attempting to implement the recommendations for managing ADM files
as shown in the following KB article:

 

http://support.microsoft.com/kb/816662

 

I've got a management workstation for managing GPOs (actually a VM
running W2K3 SP1) and have implemented the policy "Always use local ADM
files for Group Policy editor".    All seems to be ok, but for the fact
that GPEDIT now loads all of the ADM templates from %windir%\inf
whenever I open a GPO for editing.  As we have quite a number of custom
and other ADMs this creates a very busy view.   The "Always use local
ADM files for Group Policy editor" setting appears to make the
Add/Remove Templates option redundant.

 

Is there any way to have the "Always use local ADM files for Group
Policy editor" setting in place and selectively add in the ADMs that I
want to use for each GPO?   Put another way, can I have my cake and eat
it?

 

Thanks

Tony
This email or attachment(s) may contain confidential or legally
privileged information intended for the sole use of the addressee(s).
Any use, redistribution, disclosure, or reproduction of this message,
except as intended, is prohibited. If you received this email in error,
please notify the sender and remove all copies of the message, including
any attachments. Any views or opinions expressed in this email (unless
otherwise stated) may not represent those of HealthIntelligence (HIQ
Ltd). 

http://www.healthintelligence.org.nz

No Viruses were detected in this message.