[gptalk] Re: Default Domain and Default DC GPO migration

Correct Darren.  My wording wasn't so great.  Great suggestion about just 
deleting the ADM directory.  I think that'll do the trick.  No custom ADMs in 
the DDP or DDCP (or elsewhere for that matter, I've converted them all to GPP)  
Just wanted to bounce this off the experts.

Thanks,

Scott Klassen


From: Darren Mar-Elia 
Sent: Wednesday, June 18, 2008 4:43 PM
To: gptalk@xxxxxxxxxxxxx 
Subject: [gptalk] Re: Default Domain and Default DC GPO migration


Yea, I must admit that I didn't really have time to read that email yesterday 
but now that I look at it and Alan's response, I agree with Alan. I think what 
you are trying to do Scott is "convert" the DDP and DDCP GPOs to ADMX. But 
really there is nothing much to do to do that. All you would do is delete the 
ADM folder within SYSVOL for both of those GPOs and start editing those two 
GPOs exclusively from Vista or Server 2008. You won't lose any settings, 
because as Alan notes, the settings are not stored in the ADMs but in the 
Registry.Pol file. And, the ADMXs are a superset of the settings that are in 
the 5 default ADMs that MS provides. That being said, the one caveat is if 
you've defined any custom ADMs in those two GPOs. In that case, you don't want 
to delete those but probably want to leave them in place. 

 

Hope that helps.


Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Alan & Margaret
Sent: Wednesday, June 18, 2008 2:34 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain and Default DC GPO migration

 

Hi Scott,

 

I am a little confused by your question "will the GPO's be recreated as ADMX or 
ADM". I may be missing something, but there is no such thing as an ADMX GPO or 
an ADM GPO.

 

Basically a GPO holds the Administrative Template Settings in the Registry.POL 
File.

 

If you use a Windows 2000 workstation to view or modify these settings in GPMC 
it will load the ADM files present in the GPO to interpret the settings. If 
there is no ADM file for those settings, the setting will not be exposed for 
you to change. 

 

If you use a Vista machine to view or modify these settings in GPMC it will 
load the ADMX files (stored if PolicyDefinitions) and the ADM files present in 
the GPO to interpret the settings. This would suggest that if an ADM file and 
an ADMX file were present for the same setting you would see both. However 
there is a "Supersedes" setting in an ADMX file which effectively says "please 
ignore a particular ADM file if it exists". The default Microsoft ADMX files 
have settings to Supersede all of the Microsoft ADM files. However it is still 
possible to add an ADM file to a Policy and it will be used by both the VISTA 
and WINDOWS machines.

 

Now I haven't tested what you are doing, nor do I fully understand the process 
as to why you need to run GPOfix /IgnoreSchema. By reading 
http://support.microsoft.com/kb/932445  it suggests that the parameter is used 
when you are restoring a GPO with an old schema. But I don't see how the SCHEMA 
used will affect adm and ADMX files. Maybe Darren can explain!

 

Having said all of that I would strongly recommend that you test it all first 
just to confirm what it does in your environment. In fact I would test a 
migration and fallback... There is nothing worse than having no AD after a 
problem with the conversion especially if your only defense is "It should have 
worked".

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

 

 

 


--------------------------------------------------------------------------------

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of SCOTT KLASSEN
Sent: Wednesday, 18 June 2008 1:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Domain and Default DC GPO migration

 

Here's a question for either those more knowledgeable or with a more robust 
testing infrastructure.

 

I'm at the start of migrating my environment to Server 2008.  Although not 
necessary, I've spent some time converting most of my GPOs to the ADMX format 
for the decrease in space usage and bandwidth usage during replication.  I now 
only have the default domain and default dc GPOs left.  I know that after the 
migration, these two will remain as ADM files.  Here's my question:  After I 
have my DC's upgraded to 2008, if I then run dcgpofix /ignoreschema, will the 
GPO's be recreated as ADMX or ADM?  My other idea was to create a temporary 
test domain with a single 2008 VM DC, just to back up these two in ADMX format, 
then delete the original ADM ones from my production domain, restoring the ADMX 
ones from the test domain.  If anyone has a better plan for switching these 
without messing up the special properties associated with them, I'm open to 
suggestions.

 

Scott Klassen

Other related posts: