[gptalk] Re: GPO Processing in VISTA - the whole new can of worms....no adms, now just admx files

  • From: "Mills, Mark" <Mark.Mills@xxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 15 Sep 2006 10:28:04 -0500

I went back and removed all GPOs applied to the OUs that the Vista
User and computer were in.  I then moved the Computer Object and
Computer Object into a production OU that my current domain PC and user
are in.

In this case all my assigned GPOs seemed to work this time - I have no idea
why.  In my previous test I had a Vista PC moved to a production
computer OU and the domain user who logged into that box kept his same
GPOs for his user.

So it indeed looks as if you are correct: the second time, the Vista box
did correctly process GPOs originally used for XP users/clients.

Mark Mills

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Thursday, September 14, 2006 5:10 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Processing in VISTA - the whole new can of worms....no adms, now just admx files

Comments below

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mills, Mark
Sent: Thursday, September 14, 2006 2:59 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Processing in VISTA - the whole new can of worms....no adms, now just admx files

Darren - thanks for your input.  Only a few of my existing GPOs worked
- I haven't made a list of which ones did and did not work yet. But I
can tell you that I do not have any filters pertaining to the OS. For
now I just know that my mapped drives and printers didn't take.  I also
know that the RSOP showed that the policies were applied when in reality
he didn't get the mapped drives or printers. (Not until I created a
new separate Vista-based policy.)

[Darren] I'm guessing this is more a function of the new security stuff
in Vista rather than GP. I'll bet Vista is blocking those scripts from
running. Also remember RSOP doesn't tell you something ran successfully.
It only tells you GP did what it was supposed to do--deliver settings :)

Also I noticed that due to MS security it would not install the printers
silently - the user was faced with a screen asking them to confirm if
they wanted the drivers for the printers on the network installed to
their PC, and then was forced to enter a password for a user account
that had local admin privileges on the PC.  I know you can set up
automatic Group Policy application installations to install with
elevated privileges - can you do this with printer (or device) install
scripts?

[Darren] You should be able to add drivers that are "trusted", but I
don't remember where that is off hand. Otherwise UAC kicks in and you
get that nice prompt which CAN NOT BE TURNED OFF :)

Another thing I think I dislike is that the Group Policy Management
Console (GPMC.msc) can be run on any client PC.  When I created a user
with no Domain Group association other than Domain Users, that user was
able to browse the entire Group Policy structure by default. A basic
user who has not been locked down from running GPMC from the "Search
For" box seems to have a lot of "default" access.  I'm sure that there
must be a way just to lock down a client running GPMC.MSC without
deleting the file or removing the "DOS", "Run", "Task Mgr Run" and
"Search For" dialog boxes from the user. As an admin, will I be forced to
create a GP to block a user from running GPMC.msc? I feel that if I
delete or rename the file, a hotfix or future service pack would
just reinstall it - your thoughts?

[Darren] I agree. This is a concern for me as well. I wrote a whitepaper
recently on the security vulnerabilities inherent in GP and this was one
that I did not like. It's not exactly an exploit, but essentially because
you have to be able to read GPs to process them, any user can fire up
GPMC and see what you're doing. They can even back up GPOs to their local
HD! But, the good news is that you can use the MMC snap-in restriction
policy in GP to simply disallow that snap-in from running on all but
your admins' desktops.

Mark Mills, Sr. Network Engineer
Desktop Assistance, LP
14405 Walters Road, Suite 650
Houston, Texas 77346
Office Phone:  281-444-2300 x113
Email: mark.mills@xxxxxxxxxxxxxxxxxxxxxx

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Thursday, September 14, 2006 3:59 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Processing in VISTA - the whole new can of worms....no adms, now just admx files

Mark-

The bottom line is that you should not have to recreate any GPOs once
Vista hits. The ADMXs that ship with Vista are a super-set of the
current ADMs and support all of the XP and 2003 (and Win2K) settings in
addition to the new Vista ones. Now, in terms of things like logon
scripts, if the scripts are targeted at a particular OS version, then
you would either need to test for OS version in your script or have
separate GPOs that are filtered by OS version (or security group). But
that is not inherent in the Vista changes--that's just a function of
what you're trying to do.

BTW, in case anyone is interested and is planning on attending, I'm
doing a session at the upcoming WinConnections show in Vegas in November
on managing GP in a Vista world.

Darren

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mills, Mark
Sent: Thursday, September 14, 2006 1:07 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Processing in VISTA - the whole new can of worms....no adms, now just admx files

My question:  Do I have to create a duplicate of every Windows 2003
policy used for my WinXP clients and place it in the new "Central Store"
used by Vista clients for Group Policies? (The "Central Store" is a new
directory you have to manually create on your domain controller at
%systemroot%\sysvol\domain\policies\PolicyDefinitions, which also has a
subfolder "en-us".)

I was successfully able to create the new "Central Store" and copied the
new .ADMX files over to it from my VISTA RC1 PC.  (Note: Vista does not
use .ADM files.) Since all VISTA clients now have the Group Policy
Management Editor installed by default, I fired up GPMC.msc on my Vista
RC1 PC, at which point it automatically connects to the Primary Domain
Controller of a domain.

I had created a new OU called Vista Test, with sub-OUs of Vista User
and Vista Computer.  Since most of my Win2k3 \ WinXP Group Policies
would not work correctly on the VISTA PC, I created a new "User - Mapped
drives - Logon script" Group Policy Object (using the same logon script
that I currently use for my 2003\XP environment) and applied it to
the "Vista User" OU. I then created a new "User - Assign Printers to
specific computers" Group Policy that uses loopback processing and
applied it to the Vista Computer OU.  Now my Vista box and its
associated user get both the mapped drives and assigned printers.

Bottom line is that I had to re-create 2 existing GPOs.  Do I have to
recreate all GPOs for any future Vista clients? Is there any problem
with 1) linking a GPO for mapping drives on an XP PC and also 2) linking a
GPO for mapping drives on a Vista PC...TO THE SAME OU?  Because I don't
plan on creating separate OUs exclusively for Vista PCs.

If you haven't heard about the changes in Vista Group Policy you may
want to review:

Microsoft's Step by Step Guide for Vista Group Policy: (this is a must
read! Do it now if you administer GP)

http://www.microsoft.com/technet/windowsvista/library/1494d791-72e1-484b-a67a-22f66fbf9d17.mspx

Lab walk through of setting up Vista Group Policy
http://203.147.133.54/chass/hol/CLIHOL206.pdf 

Mark Mills
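The Central Store steps from the post above, scripted as an added example that is not from the thread or from Microsoft. It assumes a hypothetical Vista RC1 machine named VISTA-RC1 reachable over its admin share; beyond the post it also checks that every .admx has a matching .adml and lists any non-built-in principal with write access to the store, since every domain member can read SYSVOL but only administrators should be able to change what GPMC loads from it.

```powershell
# Added example (not from the thread): build the Vista Group Policy Central Store the post
# describes (%systemroot%\sysvol\domain\policies\PolicyDefinitions plus an "en-us" subfolder)
# and sanity-check it. Run on a domain controller as an administrator; $Source is a
# hypothetical Vista RC1 machine and only its admin share path is assumed.
param(
    [string]$Source   = '\\VISTA-RC1\C$\Windows\PolicyDefinitions',  # hypothetical host
    [string]$Language = 'en-us'
)
# Path as written in the post. SYSVOL replicates it to every DC and every domain member can
# read it, so write access here should stay with administrators.
$CentralStore = Join-Path $env:SystemRoot 'sysvol\domain\policies\PolicyDefinitions'

function New-CentralStore {
    param([string]$Path, [string]$Lang)
    # The root holds .admx files; the language subfolder holds the matching .adml strings.
    foreach ($dir in @($Path, (Join-Path $Path $Lang))) {
        if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }
}

function Copy-AdmxTemplates {
    param([string]$From, [string]$To, [string]$Lang)
    # Vista ships templates only as .admx/.adml; there are no .adm files to carry over.
    Copy-Item -Path (Join-Path $From '*.admx') -Destination $To -Force
    Copy-Item -Path (Join-Path $From "$Lang\*.adml") -Destination (Join-Path $To $Lang) -Force
}

function Test-CentralStore {
    param([string]$Path, [string]$Lang)
    # An .admx without a same-named .adml cannot be displayed by the editor, so flag it.
    $admx = @(Get-ChildItem -LiteralPath $Path -Filter '*.admx' | ForEach-Object { $_.BaseName })
    $adml = @(Get-ChildItem -LiteralPath (Join-Path $Path $Lang) -Filter '*.adml' |
              ForEach-Object { $_.BaseName })
    $missing = @($admx | Where-Object { $adml -notcontains $_ })
    # List every principal with write rights other than the expected built-in ones, for review.
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $writers = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $write) -and
        $_.IdentityReference -notmatch 'Administrators|SYSTEM|CREATOR OWNER'
    } | ForEach-Object { $_.IdentityReference.Value })
    return New-Object PSObject -Property @{
        AdmxCount = $admx.Count; MissingAdml = $missing; WritersToReview = $writers
    }
}

New-CentralStore   -Path $CentralStore -Lang $Language
Copy-AdmxTemplates -From $Source -To $CentralStore -Lang $Language
Test-CentralStore  -Path $CentralStore -Lang $Language | Format-List
```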
