[gptalk] Re: One Vista Client to admin all domain Vista GPO's ?

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 21 Jun 2007 09:25:56 +1000

Hi Mark,

 

All GPO's still exist on the Domain Controller, so you can update them from
any of your Vista machines on the domain. 

 

As to updating all policies from a Vista machine, I would have thought this
is was not necessary. I would have thought you can still see and update the
non Vista components of these policies from non Vista machines, you just
wont see the new features. One issue surrounds ADMX files. When you create a
policy from a VISTA machine, it will use ADMX files to interpret the
Administration  information In the policy. When you look at the Policy from
a Non Vista machine, it will upload the ADM templates to the GPO. This has
the advantage that at least some of the ADM settings become visible (those
that existed in the pre VISTA ADM templates) but will mean that you get back
to SYSVOL bloat from the ADM files being copied to each GPO.  

 

As mentioned on other recent posts, ADMX files can be held on the Vista
workstations or on the domain, although the domain would seem more sensible
so that all Vista machines see the same set of ADMX files.

 

This does raise the question (which Darren can probably answer) as to when
does the central store of ADMX/ADML files get updated? I presume it follows
the pre Vista rules and if your Vista machine has later copies of the ADMX
files, it will automatically update the central repository. I also presume
it honors the Policy setting under User/System/Group Policy to turn off
Automatic update of the ADM templates. 

 

Alan Cuthbertson

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml

 

 

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jakob H. Heidelberg
Sent: Wednesday, 20 June 2007 5:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: One Vista Client to admin all domain Vista GPO's ? 

 

Hi there,

 

You can create a Central Store in the SYSVOL (shared among Domain
Controllers) - no Windows Vista client is Single-Point-of-Failure! However,
all GP management should be performed from a Vista client as soon as you
introduce Vista in the domain.

 

You can read about the Central Store right here:

http://www.windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-P
art1.html

 

Regards

/Jakob H. Heidelberg

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mills, Mark
Sent: 19. juni 2007 21:27
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] One Vista Client to admin all domain Vista GPO's ? 

 

I'm trying to recall if I read something that stated -  in a Windows
2003\XP\Vista  environment you need to create all Vista GPO's on one
specific Vista client.  Then that Vista Client serves as the central
repository for all VISTA Group Policies.   

 

Is that right?  I'm fairly certain I read something close to that?  But I
have a hard time thinking that the Vista Group Policy files (ADML\ADMX) on
the domain controllers wouldn't be updated?  Plus you would have one point
of failure if your Administrative Vista client died.   Can anyone clear my
head on this one. 

 

Thanks,

Mark Mills 

 

Other related posts: