[gptalk] Re: starter GPOs

  • From: "Cruz, Jerome L" <jerome.l.cruz@xxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 2 Jul 2008 15:53:24 -0700


A new AD-based security group has no "description" text until added. The point 
is that it has a 'placeholder' for it. In the case of GPOs, we'd have to 'build 
it in' using some kind of "Hey script...this OU already has a default Starter 
GPO used for this 'xxx' server, so no need to add it again". As I noted, 
possibly a manually added file in the Starter GPO's SYSVOL location, perhaps 
additional values in the Gpt.Ini file (mmm...that might cause problems for 
Microsoft), or perhaps something in the 'friendly name' could be used. Just 
trying to get creative here and spawn other ideas.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Wednesday, July 02, 2008 2:01 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: starter GPOs

Thanks for the feedback. The way Starter GPOs work today, there is no trace of 
them in the GPO that gets created using them as a template, nor is there any 
notion of a Starter GPO being linked to a container. So it might be pretty 
tough to be able to do some of the things that you want below. But some of the 
other things, like linking GPOs and permissioning GPOs are already handled by 
my GPMC cmdlets. The creation of new GPOs from Starters is what I'm about to 
release in the next version of the GPMC cmdlets. So, all of this should be 
highly do-able from a PowerShell or general automation perspective.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Cruz, Jerome L
Sent: Tuesday, July 01, 2008 11:30 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: starter GPOs

Hi Darren,

Not yet... however we do plan to use them. So I'll give you a 'starter', 
starter GPO. Our Enterprise Multi-user Technology folks have a model where they 
centrally design the standard Windows Terminal Server GPOs. The actual 
consumers (the distributed GPO Admin for the terminal servers) then use that as 
a "starting point" GPO. We plan to use "Starter GPOs" for that.

Considering that many of our server images are based upon selection of a 
scripted Server Role (Base Image + Specific Server role), programmatically 
being able to add the GPO to the correct server OU location would be helpful. 
From that 'scripting' standpoint, other helpful options would be the ability to 
detect whether a starter GPO was  already linked to an OU (and therefore a new 
one would not be required) by one of several attributes (e.g. possibly full 
name or partial GPO Name lookup, possibly the option to look up a special GPO 
SYSVOL file tag-possibly a specific file added to the GPO in SYSVOL indicating 
the specific kind of GPO that exists, perhaps a full or partial text string 
look up in the comments section, etc.). Also the ability to change the default 
"Edit" permissions to that of a security group (which contains the OU level 
'group' of folks which 'should have' access-the point being to eliminate one 
additional manual configuration step).

Let's see if the info above initiates additional ideas.

Bueller here... no, I mean... Jerry Cruz here
Group Policies Product Manager | Boeing IT

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Tuesday, June 24, 2008 3:31 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] starter GPOs

Hey folks-
As many of you know, I have some free PowerShell cmdlets that I provide that 
wrap the GPMC APIs. I'm looking at updating those for some of the new GPMC 
features and am trying to figure out if anyone out there is actually using 
Starter GPOs? Anyone? Bueller? Bueller? :)



Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out 
www.gpoguy.com<http://www.gpoguy.com/>-- the best source for GPO FAQs, video 
training, tools and whitepapers. Also check out the Windows Group Policy 
 the definitive resource for Group Policy information.

Other related posts: