[gptalk] Re: GPO Processing in VISTA - the whole new can of worms....no adms, now just admx files

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 14 Sep 2006 15:10:16 -0700

Comments below


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mills, Mark
Sent: Thursday, September 14, 2006 2:59 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Processing in VISTA - the whole new can of
worms....no adms, now just admx files

Darren - thanks for your input.  Only a few of my existing GPO's worked - I
haven't made a list of which ones did and did not work yet. But I can tell
you that I do not have any filters pertaining to the OS. For now I just know
that my mapped drives and printers didn't take.  I also know that the RSOP
showed that the policies were applied when in reality they he didn't get the
mapped drives or printers. (not until I created a new separate Vista based


[Darren] I'm guessing this is more a function of the new security stuff in
Vista rather than GP. I'll bet Vista is blocking those scripts from running.
Also remember RSOP doesn't tell you something ran successfully. It only
tells you GP did what it was supposed to do--deliver settings :)



Also I noticed that due to MS security it would not install the printers
silently - The user was faced with a screen asking them to confirm if they
wanted the drivers to the printers on the network installed to their pc, and
then were forced to enter a password for a user account that had local admin
privileges on the pc.  I know you can set up  automatic Group Policy
application installations to install with elevated privileges - can you do
this with printer ( or device) install scripts? 


[Darren] You should be able to add drivers that are "trusted", but I don't
remember where that is off hand. Otherwise UAC kicks in and you get that
nice prompt which CAN NOT BE TURNED OFF :)



Another thing I think I dislike is that the Group Policy Management Console
(GPMC.msc) can be run on any client pc.  When I created a user with not
Domain Group Association other than Domain Users, that user was able to
browse the entire Group Policy Structure by default. A basic user who has
not been locked down from running gpmc from the "search for"  box seems to
have a lot of "default" access.   I'm sure that there must be a way just to
lock down a client running GPMC.MSC without deleteing the file, removing the
"DOS", "Run", "Task Mgr Run" and "Search For" dialog boxes from the user, as
an admin will I be force to create a GP to block a user from running
GPMC.msc ? I feel that if I delete or rename the file that a hotfix or
future service pack would just reinstall it - your thoughts? 


[Darren] I agree. This is a concern for me as well. I wrote a whitepaper
recently on the security vulnerabilities inherent in GP and this was one
that I did not like. Its not exactly an exploit, but essentially because you
have to be able to read GPs to process them, any user can fire up GPMC and
see what you're doing. They can even backup GPOs to their local HD! But, the
good news is that you can use the MMC snap-in restriction policy in GP to
simply disallow that snap-in from running on all but your admins desktops.




Mark Mills, Sr. Network Engineer

Desktop Assistance, LP

14405 Walters Road, Suite 650

Houston, Texas 77346


Office Phone:  281-444-2300 x113

Email: mark.mills@xxxxxxxxxxxxxxxxxxxxxx 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, September 14, 2006 3:59 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Processing in VISTA - the whole new can of
worms....no adms, now just admx files



The bottom line is that you should not have to recreate any GPOs once Vista
hits. The ADMXs that ship with Vista are a super-set of the current ADMs and
support all of the XP and 2003 (and Win2K) settings in addition to the new
Vista ones. Now, in terms of things like logon scripts, if the scripts are
targeted at a particular OS version, then you would either need to test for
OS version in your script or have separate GPOs that are filtered by OS
version (or security group). But that is not inherent in the Vista
changes--that's just a function of what you're trying to do.


BTW, in case anyone is interested and is planning on attending, I'm doing a
session at the upcoming WinConnections show in Vegas in November on managing
GP in a Vista world.







From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mills, Mark
Sent: Thursday, September 14, 2006 1:07 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Processing in VISTA - the whole new can of worms....no
adms, now just admx files

My question:  Do I have to create a duplication of every Windows 2003 policy
used for my WinXP Clients and place it in the new "Central Store" used by
Vista Clients for Group Policies. (The "Central Store" is a new directory
you have to manually create on your domain controller at
%systemroot%\sysvol\domain\policies\PolicyDefinitions, which also has a
subfolder "en-us)


I was successfully able to create the new "Central Store" and copied the new
.ADMX files over to it from my VISTA RC1 pc.  (note- Vista does not use .ADM
files) Since all VISTA clients now have the Group Policy Management Editor
installed by default I fired up GPMC.msc on my Vista RC1 pc, at which point
it automatically connects to the Primary Domain Controller of a domain. 


I had created a new OU called Vista Test, with sub OU's of Vista User, and
Vista Computer.  Since most of my Win2k3 \ WinXP Group policies would not
work correctly on the VISTA pc I created a new "User -Mapped drives- Logon
script" Group Policy Object (using the same logon script that I currently
use for my  2003\XP environment)   and applied it to the "Vista User"  OU, I
then created a new "user - Assign Printers to specific computers"  Group
Policy that uses loop back processing and applied it to the Vista Computer
OU.  Now my Vista Box and its associated user get both the mapped drives and
assigned printers.


Bottom line is that I had to re-create 2 existing GPO's.  Do I have to
recreate all GPO's for any future Vista clients? Is there any problem with
1)linking a GPO for mapping drives on a XP PC and also 2) linking a GPO for
mapping drives on a Vista PC.TO THE SAME OU?  Because I don't plan on
creating separate OU's exclusively for Vista pc's.


If you haven't heard about the changes in Vista Group Policy you may want to


Microsoft's Step by Step Guide for Vista Group Policy: (this is a must read!
Do it now if you administer GP) 



Lab walk through of setting up Vista Group Policy 



Mark Mills


Other related posts: