jrobison asked:

Adm to Admx GPO conversion

I have a mixed environment of 03 and 08 Domain Controllers. We are migrating from XP to Win7. My question is this: is there any reason to convert existing ADM templates to ADMX if they aren't custom? Won't the existing GPOs I have in place for XP work with the Win7 machines? I don't think the Admx migrator tool (http://www.microsoft.com/downloads/en/details.aspx?FamilyId=0F1EEC3D-10C4-4B5F-9625-97C2F731090C&displaylang=en) is necessary.

Am I wrong, or do I need to convert the old ADM templates?

ShareefHuddle

Really depends on what is in your GPO's for your existing XP machines. If you are using IE or User profile policies then yes you probably need to.
jrobison (ASKER)

So if I have a generic GPO for something like disabling the user's ability to configure Automatic Updates, which happens to be located at Computer Configuration>Admin Templates>Windows Components, then I'll have to convert this to an admx template?
Hypercat (Deb)
No, you don't have to do that. The ADM or ADMX templates are merely a means for managing the group policies. The only difference between the two is that the .ADMX templates have settings in them that the .ADM templates don't contain, because there are some new features and settings for Vista/Win7 that can only be managed from the .ADMX templates. As long as the policies themselves are stored on the DCs in the right format (which is different for XP and Vista/Win7) then you don't need to do any conversion of settings.  If you are managing your group policies from a Win7 or Win2008 server machine, then you shouldn't have any worries, particularly if all your workstations are Win7.
Yes, they're all in the sysvol share under the policies folder

So all the policies currently applied to my OUs that were configured for XP with the adm template will work for the new Win7 systems? All these policies were most likely created by a DA using an XP system.

Any new policies created from a Win7 system will be admx and work with those systems (Win7) and not XP, correct?
Not exactly. When you edit a group policy, whether from a Win2003/XP machine or from a Win2008/Win7 machine, that applies to the older operating system, it will change the settings for both OS's. In other words, you can edit group policies for both OS's from a newer OS (Win2008 or Win7) and any changes you make that apply to the older OS will be applied correctly to the XP or Win2003 machines. If you edit the group policies from one of the older OS's, you won't see the newer policy settings.
So, to summarize, you want to be editing all of your group policies from the newer OS from now on to be sure that you are editing both the old and new settings.
1.) So all I have to do is open the existing GPOs from a Win7 system using GPMC and edit them and then apply the settings, and that should take care of my current XP systems and any new Win7 machines I put on the domain?

2.) Dumb question. Why don't I see the admx file in the sysvol share when I create a GPO from a Windows 7 system? When you create it from an XP system it copies that adm to the policies folder along with the generic system.adm, inetres.adm, conf.adm, wmplayer.adm and wuau.adm. When I open the policy folder and sort by modified date I see the new policy, but the only folders under this policy are (Machine, User, and GPT.INI).





You have to copy this "C:\Windows\PolicyDefinitions" folder to this location "C:\Windows\SYSVOL\sysvol\yourdomain.com\Policies" on one of your 2008 servers. Afterwards you will have server-based policy to work with (one central admx store).
When I first did it, I deleted all the old adm templates from the policies, which reduced the size of a backup from 150MB to 15MB.
If you're working from a Win7 PC, then you need to follow the steps described by mkuehngoe to put the policy definitions on the server side. I'm not absolutely sure, but I think that if you edit the policies directly from a Windows 2008 DC, you can skip that step, but you'd have to double-check since I've never done it that way.

Once the PolicyDefinitions folder is in place, then any group policy editing you do from a Win7 machine (it has to be joined to your domain of course) or Windows 2008 DC will update both sets of policies - the XP ones and the Win7 ones.
You have to copy the policy definitions. Unfortunately, they do not get there on their own. And I think it is best to edit the GPOs on the server. :)
Here's what I did. I followed hypercat's suggestion.  I created a test OU and moved my machine (XP) and user account into it.  Next I created a simple GPO from my XP machine using GPMC that enabled automatic updates at a certain time.  I forced the policy on my machine using gpupdate /force. As expected it worked.

Next I moved a Win7 VM into the OU and logged in. No joy on the policy being applied. So, I installed the RSAT for Windows 7 on the VM (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displayLang=en).

I launched the GPMC from the Win7 VM and modified the GPO (changed it to disable automatic updates) as hypercat suggested and forced the policy (gpupdate /force) on the Windows 7 machine. The new policy was applied successfully to the Windows 7 system. So, I moved back to the XP system and forced the new policy on that system. Lo and behold, the new policy had been applied there as well.

Exactly what I wanted to see ... So Hypercat's recommendation worked ... excellent advice.

I didn’t create the PolicyDefinitions folder that mkuehngoe suggested. Should I? It seemed to work without it.
ASKER CERTIFIED SOLUTION
Hypercat (Deb)
That's what it does if you copy the folder from your server's Windows folder :)
OK, as long as you don't have a 2008 R2, it's better to copy the folder from a Windows 7 machine.
Since I have 03 and 08 DCs, does it matter which server the new PolicyDefinitions folder gets copied to, as long as it's copied to sysvol\domainname\policies?

I would prefer the one with the pdc role
By the way, how many DCs are you running?
I don't see an Administrative Templates folder when I open GPMC. I see a User Templates
I have 3 DC's in this domain
So, where do you open your GPMC? Try on the server.
Big domain? I had a lot of trouble with NTFRS in the past few years. If there is no particular reason for more than 1 DC I would depromote the rest.
I completely disagree - you want at least 2 DCs in any domain, unless it's so small that you only have one server. There are lots of reasons having nothing to do with the file replication service to have more than one DC. And, mkuehngoe, if you're having trouble with the replication service, then you need to troubleshoot that and fix it. Maybe if you try posting on EE when you experience issues, someone with expertise in that area can help you figure out what's going on. But that's irrelevant to this thread.

Anyway, it doesn't matter which DC you copy it to. As long as it's in the right place, it will replicate just like all the other group policies. If it doesn't replicate, then something is wrong.
Oh, and to answer your post #34167739, I was referring to the following set of folders, either under User Configuration or Computer Configuration:

[User or Computer] Configuration/Policies/Administrative Templates

You have to actually click on the Administrative Templates folder to see the description I mentioned above.
I copied the PolicyDefinitions folder to the following location \sysvol\domain.com\policies on my PDC. I gave it a few minutes to replicate and checked a few other DCs and the file was there. I opened the GPMC on the DC and I still didn't see an Administrative Templates folder.

I changed the GPO from the server too and then forced an update on my XP machine. The policy was applied.
I see the Admin template folder and it does say "retrieved from the central store". It took me a minute to realize you were talking about opening the GPO and drilling down.

Everything looks like it's working.
Heh - I usually try to describe complete steps on those things, but I guess I was a little too brief that time. Glad you found it and everything is working now.

Cheers!
Good post, I found this very useful.
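
The central store step discussed in this thread (copy PolicyDefinitions into the SYSVOL Policies folder on one DC, then confirm it replicated to the others) can be scripted as below. This is an added example, not code posted by anyone in the thread; the domain name and DC names are hypothetical placeholders, and it assumes it is run from a Win7 or 2008 machine by an account allowed to write to SYSVOL.

```powershell
# Assumed values, not from the thread: set your own domain and DC names.
$Domain  = 'yourdomain.com'
$SeedDc  = 'DC01'                      # hypothetical: the DC you copy to first
$OtherDc = @('DC02', 'DC03')           # hypothetical: remaining DCs to check

$Source = Join-Path $env:SystemRoot 'PolicyDefinitions'

function Get-StorePath([string]$Dc) {
    "\\$Dc\SYSVOL\$Domain\Policies\PolicyDefinitions"
}

# Relative path and size of every file under a folder, as comparable strings.
function Get-StoreFileList([string]$Root) {
    $base = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $Root -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            '{0}|{1}' -f $_.FullName.Substring($base.Length + 1).ToLower(), $_.Length
        }
}

$seed = Get-StorePath $SeedDc
if (Test-Path -LiteralPath $seed) {
    Write-Output "Central store already exists on $SeedDc; nothing copied."
} else {
    # Destination must not exist yet, otherwise Copy-Item nests a second
    # PolicyDefinitions folder inside the first.
    Copy-Item -LiteralPath $Source -Destination $seed -Recurse
    Write-Output "Copied $Source to $seed"
}

# Compare every other DC's copy against the seed DC's copy.
$reference = @(Get-StoreFileList $seed)
foreach ($dc in $OtherDc) {
    $path = Get-StorePath $dc
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$dc : PolicyDefinitions not replicated yet"
        continue
    }
    $files = @(Get-StoreFileList $path)
    $diff  = @(if ($files.Count -and $reference.Count) {
        Compare-Object -ReferenceObject $reference -DifferenceObject $files
    })
    if ($files.Count -eq $reference.Count -and $diff.Count -eq 0) {
        Write-Output "$dc : in sync ($($files.Count) files)"
    } else {
        Write-Output "$dc : differs from $SeedDc ($($files.Count) of $($reference.Count) files)"
    }
}
```

A DC that keeps reporting "not replicated yet" or "differs" after replication should have completed points at a SYSVOL replication problem rather than a Group Policy one.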