[gptalk] Re: Default Domain and Default DC GPO migration

  • From: "SCOTT KLASSEN" <klas9574@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 18 Jun 2008 19:23:04 -0500

Sorry, poor verbiage on my part.  Basically I'm in the throws of getting rid of 
all of the ADM files in my Sysvol.

Scott Klassen

From: Alan & Margaret 
Sent: Wednesday, June 18, 2008 4:33 PM
To: gptalk@xxxxxxxxxxxxx 
Subject: [gptalk] Re: Default Domain and Default DC GPO migration

Hi Scott,


I am a little confused by your question "will the GPO's be recreated as ADMX or 
ADM". I may be missing something, but there is no such thing as an ADMX GPO or 


Basically a GPO holds the Administrative Template Settings in the Registry.POL 


If you use a Windows 2000 workstation to view or modify these settings in GPMC 
it will load the ADM files present in the GPO to interpret the settings. If 
there is no ADM file for those settings, the setting will not be exposed for 
you to change. 


If you use a Vista machine to view or modify these settings in GPMC it will 
load the ADMX files (stored if PolicyDefinitions) and the ADM files present in 
the GPO to interpret the settings. This would suggest that if an ADM file and 
an ADMX file were present for the same setting you would see both. However 
there is a "Supersedes" setting in an ADMX file which effectively says "please 
ignore a particular ADM file if it exists". The default Microsoft ADMX files 
have settings to Supersede all of the Microsoft ADM files. However it is still 
possible to add an ADM file to a Policy and it will be used by both the VISTA 
and WINDOWS machines.


Now I haven't tested what you are doing, nor do I fully understand the process 
as to why you need to run GPOfix /IgnoreSchema. By reading 
http://support.microsoft.com/kb/932445  it suggests that the parameter is used 
when you are restoring a GPO with an old schema. But I don't see how the SCHEMA 
used will affect adm and ADMX files. Maybe Darren can explain!


Having said all of that I would strongly recommend that you test it all first 
just to confirm what it does in your environment. In fact I would test a 
migration and fallback... There is nothing worse than having no AD after a 
problem with the conversion especially if your only defense is "It should have 


Alan Cuthbertson



 Policy Management Software:-



ADM Template Editor:-



Policy Log Reporter(Free)







From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Sent: Wednesday, 18 June 2008 1:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Domain and Default DC GPO migration


Here's a question for either those more knowledgeable or with a more robust 
testing infrastructure.


I'm at the start of migrating my environment to Server 2008.  Although not 
necessary, I've spent some time converting most of my GPOs to the ADMX format 
for the decrease in space usage and bandwidth usage during replication.  I now 
only have the default domain and default dc GPOs left.  I know that after the 
migration, these two will remain as ADM files.  Here's my question:  After I 
have my DC's upgraded to 2008, if I then run dcgpofix /ignoreschema, will the 
GPO's be recreated as ADMX or ADM?  My other idea was to create a temporary 
test domain with a single 2008 VM DC, just to back up these two in ADMX format, 
then delete the original ADM ones from my production domain, restoring the ADMX 
ones from the test domain.  If anyone has a better plan for switching these 
without messing up the special properties associated with them, I'm open to 


Scott Klassen

Other related posts: