[gptalk] Re: Default Domain and Default DC GPO migration
- From: "SCOTT KLASSEN" <klas9574@xxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 18 Jun 2008 19:28:01 -0500
Correct Darren. My wording wasn't so great. Great suggestion about just
deleting the ADM directory. I think that'll do the trick. No custom ADMs in
the DDP or DDCP (or elsewhere for that matter, I've converted them all to GPP)
Just wanted to bounce this off the experts.
Thanks,
Scott Klassen
From: Darren Mar-Elia
Sent: Wednesday, June 18, 2008 4:43 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain and Default DC GPO migration
Yea, I must admit that I didn't really have time to read that email yesterday
but now that I look at it and Alan's response, I agree with Alan. I think what
you are trying to do Scott is "convert" the DDP and DDCP GPOs to ADMX. But
really there is nothing much to do to do that. All you would do is delete the
ADM folder within SYSVOL for both of those GPOs and start editing those two
GPOs exclusively from Vista or Server 2008. You won't lose any settings,
because as Alan notes, the settings are not stored in the ADMs but in the
Registry.Pol file. And, the ADMXs are a superset of the settings that are in
the 5 default ADMs that MS provides. That being said, the one caveat is if
you've defined any custom ADMs in those two GPOs. In that case, you don't want
to delete those but probably want to leave them in place.
Hope that helps.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan & Margaret
Sent: Wednesday, June 18, 2008 2:34 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain and Default DC GPO migration
Hi Scott,
I am a little confused by your question "will the GPO's be recreated as ADMX or
ADM". I may be missing something, but there is no such thing as an ADMX GPO or
an ADM GPO.
Basically a GPO holds the Administrative Template Settings in the Registry.POL
File.
If you use a Windows 2000 workstation to view or modify these settings in GPMC
it will load the ADM files present in the GPO to interpret the settings. If
there is no ADM file for those settings, the setting will not be exposed for
you to change.
If you use a Vista machine to view or modify these settings in GPMC it will
load the ADMX files (stored if PolicyDefinitions) and the ADM files present in
the GPO to interpret the settings. This would suggest that if an ADM file and
an ADMX file were present for the same setting you would see both. However
there is a "Supersedes" setting in an ADMX file which effectively says "please
ignore a particular ADM file if it exists". The default Microsoft ADMX files
have settings to Supersede all of the Microsoft ADM files. However it is still
possible to add an ADM file to a Policy and it will be used by both the VISTA
and WINDOWS machines.
Now I haven't tested what you are doing, nor do I fully understand the process
as to why you need to run GPOfix /IgnoreSchema. By reading
http://support.microsoft.com/kb/932445 it suggests that the parameter is used
when you are restoring a GPO with an old schema. But I don't see how the SCHEMA
used will affect adm and ADMX files. Maybe Darren can explain!
Having said all of that I would strongly recommend that you test it all first
just to confirm what it does in your environment. In fact I would test a
migration and fallback... There is nothing worse than having no AD after a
problem with the conversion especially if your only defense is "It should have
worked".
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
--------------------------------------------------------------------------------
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of SCOTT KLASSEN
Sent: Wednesday, 18 June 2008 1:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Domain and Default DC GPO migration
Here's a question for either those more knowledgeable or with a more robust
testing infrastructure.
I'm at the start of migrating my environment to Server 2008. Although not
necessary, I've spent some time converting most of my GPOs to the ADMX format
for the decrease in space usage and bandwidth usage during replication. I now
only have the default domain and default dc GPOs left. I know that after the
migration, these two will remain as ADM files. Here's my question: After I
have my DC's upgraded to 2008, if I then run dcgpofix /ignoreschema, will the
GPO's be recreated as ADMX or ADM? My other idea was to create a temporary
test domain with a single 2008 VM DC, just to back up these two in ADMX format,
then delete the original ADM ones from my production domain, restoring the ADMX
ones from the test domain. If anyone has a better plan for switching these
without messing up the special properties associated with them, I'm open to
suggestions.
Scott Klassen
Other related posts:
