[gptalk] Re: GPO Processing in VISTA - the whole new can of worms....no adms, now just admx files

  • From: "Mills, Mark" <Mark.Mills@xxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 14 Sep 2006 16:59:06 -0500

Darren - thanks for your input. Only a few of my existing GPOs worked
- I haven't made a list of which ones did and did not work yet. But I
can tell you that I do not have any filters pertaining to the OS. For
now I just know that my mapped drives and printers didn't take. I also
know that the RSOP showed that the policies were applied when in reality
they didn't get the mapped drives or printers (not until I created a
new separate Vista-based policy).


Also I noticed that due to MS security it would not install the printers
silently - the user was faced with a screen asking them to confirm if
they wanted the drivers to the printers on the network installed to
their pc, and then were forced to enter a password for a user account
that had local admin privileges on the pc. I know you can set up
automatic Group Policy application installations to install with
elevated privileges - can you do this with printer (or device) installs?


Another thing I think I dislike is that the Group Policy Management
Console (GPMC.msc) can be run on any client pc. When I created a user
with no Domain Group association other than Domain Users, that user was
able to browse the entire Group Policy structure by default. A basic
user who has not been locked down from running gpmc from the "search
for" box seems to have a lot of "default" access. I'm sure that there
must be a way just to lock down a client running GPMC.MSC without
deleting the file, removing the "DOS", "Run", "Task Mgr Run" and
"Search For" dialog boxes from the user; as an admin will I be forced to
create a GP to block a user from running GPMC.msc? I feel that if I
delete or rename the file that a hotfix or future service pack would
just reinstall it - your thoughts?


Mark Mills, Sr. Network Engineer

Desktop Assistance, LP

14405 Walters Road, Suite 650

Houston, Texas 77346


Office Phone:  281-444-2300 x113

Email: mark.mills@xxxxxxxxxxxxxxxxxxxxxx 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Thursday, September 14, 2006 3:59 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Processing in VISTA - the whole new can of
worms....no adms, now just admx files



The bottom line is that you should not have to recreate any GPOs once
Vista hits. The ADMXs that ship with Vista are a super-set of the
current ADMs and support all of the XP and 2003 (and Win2K) settings in
addition to the new Vista ones. Now, in terms of things like logon
scripts, if the scripts are targeted at a particular OS version, then
you would either need to test for OS version in your script or have
separate GPOs that are filtered by OS version (or security group). But
that is not inherent in the Vista changes--that's just a function of
what you're trying to do.


BTW, in case anyone is interested and is planning on attending, I'm
doing a session at the upcoming WinConnections show in Vegas in November
on managing GP in a Vista world.
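Darren's point above is that scripts which care about the OS need to test for it themselves, or be carried by separate OS-filtered GPOs. The following is an added example, not a script from the thread or from either poster: a single PowerShell logon script that reads the client OS version from WMI and maps a different set of drives for XP and Vista, so one GPO can serve both. The server names, share paths and drive letters are constructed placeholders, and the function names are my own.

```powershell
# Added example (not from the gptalk thread): one logon script that branches on
# the client OS instead of needing one GPO per OS.

function Get-OsFamily {
    # Win32_OperatingSystem.Version is "5.1.x" for XP, "5.2.x" for Server 2003
    # and "6.0.x" for Vista; compare the numeric major version rather than
    # matching on the caption text, which varies by edition and language.
    $ver = [version](Get-WmiObject Win32_OperatingSystem).Version
    if ($ver.Major -ge 6) { return 'Vista' }
    if ($ver.Major -eq 5) { return 'XP' }
    return 'Unknown'
}

function Get-DriveMap {
    param([string]$Family)
    # Constructed sample mappings: one share every client gets, plus one that
    # only the XP clients still need. Server and share names are placeholders.
    $map = @{ 'H:' = '\\FILESERVER\home$' }
    if ($Family -eq 'XP') { $map['L:'] = '\\LEGACYSERVER\apps' }
    return $map
}

function Connect-Drives {
    param([hashtable]$Map)
    foreach ($letter in $Map.Keys) {
        # net use maps a drive in the user's own context on XP and Vista alike,
        # so no elevation is involved; /persistent:no keeps the mapping out of
        # the profile so the script stays the single source of truth.
        & net use $letter $Map[$letter] /persistent:no | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not map $letter to $($Map[$letter])" }
    }
}

# If you prefer the other route Darren mentions (separate GPOs filtered by OS),
# the equivalent WMI filter for a Vista-only GPO is:
#   SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.%"

Connect-Drives -Map (Get-DriveMap -Family (Get-OsFamily))
```

The version test is deliberately a numeric comparison on the major version so the same script keeps working on later releases rather than needing a new branch per OS.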







From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mills, Mark
Sent: Thursday, September 14, 2006 1:07 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Processing in VISTA - the whole new can of
worms....no adms, now just admx files

My question: Do I have to create a duplication of every Windows 2003
policy used for my WinXP clients and place it in the new "Central Store"
used by Vista clients for Group Policies? (The "Central Store" is a new
directory you have to manually create on your domain controller at
%systemroot%\sysvol\domain\policies\PolicyDefinitions, which also has a
subfolder "en-us".)


I was successfully able to create the new "Central Store" and copied the
new .ADMX files over to it from my VISTA RC1 pc. (Note: Vista does not
use .ADM files.) Since all VISTA clients now have the Group Policy
Management Editor installed by default I fired up GPMC.msc on my Vista
RC1 pc, at which point it automatically connects to the Primary Domain
Controller of a domain.


I had created a new OU called Vista Test, with sub-OUs of Vista User
and Vista Computer. Since most of my Win2k3 \ WinXP Group Policies
would not work correctly on the VISTA pc I created a new "User - Mapped
drives - Logon script" Group Policy Object (using the same logon script
that I currently use for my 2003\XP environment) and applied it to
the "Vista User" OU. I then created a new "User - Assign Printers to
specific computers" Group Policy that uses loopback processing and
applied it to the Vista Computer OU. Now my Vista box and its
associated user get both the mapped drives and assigned printers.


Bottom line is that I had to re-create 2 existing GPOs. Do I have to
recreate all GPOs for any future Vista clients? Is there any problem
with 1) linking a GPO for mapping drives on an XP PC and also 2) linking a
GPO for mapping drives on a Vista PC...TO THE SAME OU? Because I don't
plan on creating separate OUs exclusively for Vista pcs.


If you haven't heard about the changes in Vista Group Policy you may
want to review:


Microsoft's Step by Step Guide for Vista Group Policy: (this is a must
read! Do it now if you administer GP) 



Lab walk through of setting up Vista Group Policy 



Mark Mills
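Mark's original post describes creating the Central Store by hand and copying the .ADMX files over from a Vista RC1 machine. The script below is an added example, not Mark's procedure or anything from Microsoft's guide: it creates the store and its language subfolder under SYSVOL, copies .admx and .adml files from a reference machine only when the source copy is newer (so a re-run never downgrades a template), and then checks that every .admx has a matching .adml, since a template without its language file shows up as an error in GPMC rather than as settings. The reference-machine share (\\VISTA-REF\C$), the en-US language and the function names are assumptions of mine; the script is meant to run on the domain controller as a domain admin.

```powershell
# Added example (not code from the gptalk thread): populate the Group Policy
# Central Store on a domain controller from a Vista reference machine's
# PolicyDefinitions folder and verify the result.
# Assumptions: \\VISTA-REF\C$ is a hypothetical admin share on the reference
# PC, the language folder is en-US, and this runs on the DC as a domain admin.

param(
    [string]$Source       = '\\VISTA-REF\C$\Windows\PolicyDefinitions',  # hypothetical
    [string]$CentralStore = (Join-Path $env:SystemRoot 'SYSVOL\domain\Policies\PolicyDefinitions'),
    [string]$Language     = 'en-US'
)

# Create the store root and its language subfolder if they do not exist yet.
function New-CentralStore {
    param([string]$Root, [string]$Lang)
    foreach ($dir in @($Root, (Join-Path $Root $Lang))) {
        if (-not (Test-Path $dir)) {
            New-Item -Path $dir -ItemType Directory | Out-Null
            Write-Host "Created $dir"
        }
    }
}

# Copy files matching $Filter, but only when the source is newer than what is
# already in the store, so a later run never replaces a newer template with
# an older one. Returns the number of files copied.
function Copy-NewerFiles {
    param([string]$From, [string]$To, [string]$Filter)
    $copied = 0
    foreach ($file in @(Get-ChildItem -Path $From -Filter $Filter)) {
        $target = Join-Path $To $file.Name
        if (-not (Test-Path $target) -or
            $file.LastWriteTime -gt (Get-Item $target).LastWriteTime) {
            Copy-Item -Path $file.FullName -Destination $target -Force
            $copied++
        }
    }
    return $copied
}

# Every .admx needs a same-named .adml in the language folder; report any
# template that would fail to load in GPMC. Returns $true when all match.
function Test-CentralStore {
    param([string]$Root, [string]$Lang)
    $admx = @(Get-ChildItem -Path $Root -Filter '*.admx' | ForEach-Object { $_.BaseName })
    $adml = @(Get-ChildItem -Path (Join-Path $Root $Lang) -Filter '*.adml' | ForEach-Object { $_.BaseName })
    $missing = @($admx | Where-Object { $adml -notcontains $_ })
    Write-Host ("{0} ADMX templates, {1} {2} ADML files" -f $admx.Count, $adml.Count, $Lang)
    foreach ($name in $missing) { Write-Warning "No $Lang .adml for $name.admx" }
    return ($missing.Count -eq 0)
}

New-CentralStore -Root $CentralStore -Lang $Language
$admxCopied = Copy-NewerFiles -From $Source -To $CentralStore -Filter '*.admx'
$admlCopied = Copy-NewerFiles -From (Join-Path $Source $Language) `
                              -To (Join-Path $CentralStore $Language) -Filter '*.adml'
Write-Host "Copied $admxCopied .admx and $admlCopied .adml files"
Test-CentralStore -Root $CentralStore -Lang $Language
```

Because the store lives in SYSVOL, whatever is copied here replicates to every domain controller and is picked up by every Vista GPMC in the domain, which is why the newer-only copy and the admx/adml consistency check are worth the extra lines: a stray or mismatched template is published domain-wide, not just to the machine you ran the script on.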

