?
Solved

Install GPO fpr IE11 on Domain Controller Win2k8

Posted on 2015-01-19
9
Medium Priority
?
329 Views
Last Modified: 2015-01-25
Hi experts,

I am planning a deployment of IE11 in our environment. At the moment we are on IE10.
For testing I would like to install the IE11 amdx and amdl templates on out domain controller.

I found following article about that.
http://www.microsoft.com/en-us/download/details.aspx?id=40905

Would it be safe to install the templates without losing any GPO-functionality?
I would like to get the new IE11-setting but have my old GPOs still working correctly.

Thanks in advance.
0
Comment
Question by:Systemadministration
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 

Author Comment

by:Systemadministration
ID: 40557638
I`m thinking about creating a central store for admx and adml files.
I have a Win2k8 domain and Windows 7 clients. I use a Win2k12 server to edit GPOs.

How can I implement that in my production environment?
I found that copying the whole C:\Windows\PolicyDefinitions from my domain controller to \\FQDN\sysvol\fqdn\policies would be enough.

Will all existing policies be working afterwards?
What if I implemented custom templates or Chrome or Firefox? Will those policies still work?

Any hints?
Thanks in advance!
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40557715
How can I implement that in my production environment?
I found that copying the whole C:\Windows\PolicyDefinitions from my domain controller to \\FQDN\sysvol\fqdn\policies would be enough.
Actually it depends on which DC you copy the ADMX files from. If you copy the files from your 2008 DC then your 2012 DC won't have a problem reading them when you open the Group Policy Management Console.

If you copy the ADMX files from the local store on your 2012 DC to the Central Store then your 2008 DC will throw up error messages when you open the GPMC as it won't understand some of the newer templates introduced in Server 2012.

The idea of a Central Store is to have to central set of ADMX files for Group Policy Management. For example instead of having to load up Microsoft Office templates for each and every policy, the Office policies will automatically appear once  you  copy the Office templates to the Central Store.

If all your DCs were running the same version of Windows then the Central Store works great. It's when you have a mix of different versions of Windows DCs that you have a problem (as mentioned earlier)
Will all existing policies be working afterwards?
What if I implemented custom templates or Chrome or Firefox? Will those policies still work?
Existing policies will also work fine. You can still manually load templates for Chrome and Firefox when you have a Central Store so no issues there either.

To answer your original question though, seeing as you have a 2012 DC you should manage IE11 policies from there. If you were to install the IE11 templates on your 2008 server you may run into some trouble managing machines with IE8 or IE9 still installed (you really shouldn't have these versions of IE though) as the Internet Explorer Maintenance settings were deprecated in IE10. See this link for more info: http://msdn.microsoft.com/en-us/library/dn338129.aspx
0
 

Author Comment

by:Systemadministration
ID: 40557910
I have only 2 settings in an old GPO which are in Internet Explorer Maintenance.
If thos won`t work thats not a problem.
The other settings are in Administrative Templates -> Windows Components -> Internet Explorer
and in
Settings -> System Control Settings -> Internet Settings

Those should still work afterwards, right?

I have 2 DCs Win2k8 and one DC Win2k3. The Win2k12 server ist not a dc. It is only for managing the GPOs for IE 10 and IE11.

Do I have the update the admx file on both Win2k8 DCs if I don`t want to use central store?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 4

Expert Comment

by:Praveen Kumar Bonala
ID: 40558933
It is better to go with WSUS.
Install WSUS in your environment if not already installed, and push IE11 to your client using WSUS.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40558963
I have only 2 settings in an old GPO which are in Internet Explorer Maintenance.
If thos won`t work thats not a problem.
The other settings are in Administrative Templates -> Windows Components -> Internet Explorer
and in
Settings -> System Control Settings -> Internet Settings

Those should still work afterwards, right?
Yep your existing policies will still work, it'll just be managing them which will be a pain if you implement the Central Store. You should also have a read here to see which policy settings have been added and removed in the IE 11 templates: http://msdn.microsoft.com/en-us/library/dn321453.aspx
I have 2 DCs Win2k8 and one DC Win2k3. The Win2k12 server ist not a dc. It is only for managing the GPOs for IE 10 and IE11.

Do I have the update the admx file on both Win2k8 DCs if I don`t want to use central store?
I'd personally leave it as it is. Manage the IE10/IE11 GPO's from your 2012 Server (sorry, didn't realize it wasn't a DC) and leave the 2008 Servers as they are until you have rolled out IE11 across all your PCs.
0
 

Author Comment

by:Systemadministration
ID: 40559403
Hi,

I now recognized that my Windows Server 2012 is the version without R2. That means I can`t install IE11 on Windows server 2012.
I`m also not allowed to copy the amdx and amdl file to the server 2012, because the fikes can only be edited by "TrustedInstaller".

Would it be possible to temporary add my administrative account to "TrustedInstaller" and then copy the files?
Would I then be able to manage to new IE11 settings?

Bes regards!
0
 

Accepted Solution

by:
Systemadministration earned 0 total points
ID: 40559456
I changed ownership of the files "inetres.amdx" and "inetres.amdl" and changed security settings so that that administrators group is allowd to write the files.

Afterwards I was able to copy the new templates and the new settings for IE11 are available.

I don`t know if this is a supported behaviour, but it seams to work.

Try at your own risk...
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 2000 total points
ID: 40559594
Would it be possible to temporary add my administrative account to "TrustedInstaller" and then copy the files?
Just FYI, you'll find that TrustedInstaller is actually the owner on most of your system files, just another security feature introduced by Microsoft.

Glad you managed to get it working.
0
 

Author Closing Comment

by:Systemadministration
ID: 40568994
Found a solution myself
0

Featured Post

What’s Wrong with Your Cloud Strategy ?

Even as many CIOs are embracing a cloud-first strategy, the reality is that moving to the cloud is a lengthy process and the end-state is likely to be a blend of multiple clouds—public and private. Learn why multicloud solutions matter in this webinar by Nimble Storage.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question