Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1353
  • Last Modified:

Adm to Admx GPO conversion

I have a mixed environment of 03 and 08 Domain Controllers. We are migrating from XP to Win7. My question is this.  Is there any reason to convert existing ADM template to ADMX if they aren't custom ?  Won't the existing GPO's I have in place for XP work with the Win7 machines. I don't think the Admx migrator tool  http://www.microsoft.com/downloads/en/details.aspx?FamilyId=0F1EEC3D-10C4-4B5F-9625-97C2F731090C&displaylang=en  is necessary.  

Am I wrong or do I need to convert the old ADM templates ?  

0
jrobison
Asked:
jrobison
  • 9
  • 8
  • 8
  • +2
1 Solution
 
ShareefHuddleCommented:
Really depends on what is in your GPO's for your existing XP machines. If you are using IE or User profile policies then yes you probably need to.
0
 
jrobisonAuthor Commented:
So if I have a generic GPO for something like disabling the users ability to configure Automatic Updates which happens to be located at Computer Configuration>Admin Templates>Windows Components then I'll have to convert this to an admx template ?
0
 
Hypercat (Deb)Commented:
No, you don't have to do that. The ADM or ADMX templates are merely a means for managing the group policies. The only difference between the two is that the .ADMX templates have settings in them that the .ADM templates don't contain, because there are some new features and settings for Vista/Win7 that can only be managed from the .ADMX templates. As long as the policies themselves are stored on the DCs in the right format (which is different for XP and Vista/Win7) then you don't need to do any conversion of settings.  If you are managing your group policies from a Win7 or Win2008 server machine, then you shouldn't have any worries, particularly if all your workstations are Win7.
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
jrobisonAuthor Commented:
Yes, they're all in the sysvol share under the policies folder

So all the policies currently applied to my OU's that were configured for XP with the adm template will work for the new Win7 systems ?  All these policies were most likely created by a DA using an XP system.

Any new poicies created from a Win7 system will be admx and work with those systems (win7) and not XP correct ?
0
 
Hypercat (Deb)Commented:
Not exactly. When you edit a group policy, whether from a Win2003/XP machine or from a Win2008/Win7 machine, that applies to the older operating system, it will change the settings for both OS's. In other words, you can edit group policies for both OS's from a newer OS (Win2008 or Win7) and any changes you make that apply to the older OS will be applied correctly to the XP or Win2003 machines. If you edit the group policies from one of the older OS's, you won't see the newer policy settings.
0
 
Hypercat (Deb)Commented:
So, to summarize, you want to be editing all of your group policies from the newer OS from now on to be sure that you are editing both the old and new settings.
0
 
jrobisonAuthor Commented:
1.) So all I have to do is open the existing GPO's from a Win7 system using GPMC and edit them and then apply the settings and that should take of my current XP systems and any new Win7 machines I put on the domain?

2.) Dumb question.  Why don't I see the admx file in the sysvol share when I create a gpo from a windows 7 system.  When you create it from an XP system it copies that adm to the policies folder along with the generic system.adm, inetres.adm, conf.adm, wmplayer.adm and wuau.adm. When I open the policy folder and sort by modified date I see the new policy but the only folders under this policy are (Machine, User, and GPT.INI)





0
 
mkuehngoeCommented:
you have to copy this
"C:\Windows\PolicyDefinitions" folder to
this location
"C:\Windows\SYSVOL\sysvol\yourdomain.com\Policies"
on one of your 2008 servers. Afterwards you will have server based policy to work with.
(one central admx store)
When I first did it, I deleted all the old adm templates from the policies which reduced the size of a backup from 150MB to 15MB.
0
 
Hypercat (Deb)Commented:
If you're working from a Win7 PC, then you need to follow the steps described by mkuenhngoe to put the policy definitions on the server side.  I'm not absolutely sure, but I think that if you edit the policies directly from a Windows 2008 DC, you can skip that step, but you'd have to double-check since I've never done it that way.

Once the PolicyDefinitions folder is in place, then any group policy editing you do from a Win7 machine (it has to be joined to your domain of course) or Windows 2008 DC will update both sets of policies - the XP ones and the Win7 ones.
0
 
mkuehngoeCommented:
You have to copy the policy definitions. Unfortunately they are not going the way by their own (unfortunately). And I think it is best to edit the GPOs on the server. :)
0
 
jrobisonAuthor Commented:
Here's what I did. I followed hypercat's suggestion.  I created a test OU and moved my machine (XP) and user account into it.  Next I created a simple GPO from my XP machine using GPMC that enabled automatic updates at a certain time.  I forced the policy on my machine using gpupdate /force. As expected it worked.

Next I moved a Win7 VM into the OU and logged in. No joy on the policy being applied.  So, I installed the RSAT for windows 7 on the VM ( http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displayLang=en)

I launched the GPMC from the Win7 VM and modified the GPO (changed it to disable automatic updates) as hypercat suggested and forced the policy ( gpupdate /force) on the Windows 7 machine. The new policy was applied successfully to the Windows 7 system. So, I moved back to the XP system and forced the new policy on that system.  Low and Behold the new policy had been applied there as well.  

Exactly what I wanted to see ... So Hypercat's recommendation worked ... excellent advice.

I didn’t create the PolicyDefinitions folder that Mkuehngoe suggested. Should I ?  It seemed to work without it.
0
 
Hypercat (Deb)Commented:
It worked without out from the XP point of view, but unless you create the PolicyDefinitions folder on your domain controllers, the Win7 policy will remain local. IOW, in order for the Win7 policies to be global and replicated to all of your DCs, you need to copy that folder from your Win7 machine where you've been experimenting up to one of your DCs as described. Close the GPMC on your Win7 machine, copy the folder to the DC, wait for replication, and then reopen the GPMC on the Win7 machine. You'll see that when you open the Administrative Templates folder it now reads:

Administrative Templates: Policy definitions (ADMX files) retrieved from central store.
0
 
mkuehngoeCommented:
that´s what is does if you copy the folder from your server´s windows folder :)
0
 
mkuehngoeCommented:
ok, as long as you haven´t a 2008R2 it´better to copy the foolder from a windows 7 machine.
0
 
jrobisonAuthor Commented:
Since I have 03 and 08 DC's does it matter which server the new PolicyDefinition folder gets copied to as long as it's copied to sysvol\domainname\policies ?

0
 
mkuehngoeCommented:
I would prefer the one with the pdc role
0
 
mkuehngoeCommented:
By the way, how many DCs are you running?
0
 
jrobisonAuthor Commented:
I don't see an Administrative Templates folder when I open GPMC. I see a User Templates
0
 
jrobisonAuthor Commented:
I have 3 DC's in this domain
0
 
mkuehngoeCommented:
so, where do you open your GPMC? Try on the server.
0
 
mkuehngoeCommented:
big domain? I had a lot of trouble with NTFRS in the past few years. If there is no particular reason for more than 1 DC I would depromote the rest.
0
 
Hypercat (Deb)Commented:
I completely disagree - you want at least 2 DCs in any domain, unless it's so small that you only have one server. There are lots of reasons having nothing to do with the file replication service to have more than one DC. And, mkuehngoe, if you're having trouble with the replication service, then you need to troubleshoot that and fix it. Maybe if you try posting on EE when you experience issues, someone with expertise in that area can help you figure out what's going on. But that's irrelevant to this thread.

Anyway, it doesn't matter which DC you copy it to. As long as it's in the right place, it will replicate just like all the other group policies. If it doesn't replicate, then something is wrong.
0
 
Hypercat (Deb)Commented:
Oh, and to answer your post #34167739, I was referring to the following set of folders, either under User Configuration or Computer Configuration:

[User or Computer] Configuration/Policies/Administrative Templates

You have to actually click on the Administrative Templates folder to see the description I mentioned above.
0
 
jrobisonAuthor Commented:
I copied the PolicyDefinitions folder to the following location \sysvol\domain.com\policies on my PDC.  I gave it a few minutes to replicate and checked a few other DC's and the file was there. I opened the GPMC on the DC and I still didn't see an Administrative Templates folder.

I chaged the GPO from the server to and then forced an update on my XP machine. The policy was applied.
0
 
jrobisonAuthor Commented:
I see the Admin template folder and it does day "retrieved from the central store".  I took me a minute to realize you were talking about opening the GPO and drilling down.

Everything looks like it's working.
0
 
Hypercat (Deb)Commented:
Heh - I usually try to describe complete steps on those things, but I guess I was a little too brief that time. Glad you found it and everything is working now.

Cheers!
0
 
BerryGardensCommented:
Good post, I found this very useful.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 9
  • 8
  • 8
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now