
Supporting Windows 7 Group Policy Settings with Windows Server 2003 Domain Controllers

Author: Mark Menges, 16 March 2010

Recently, I was asked the following question: “We plan to implement Windows 7 in our network very soon. We want to use Windows 2003 Domain Controllers for the next couple of years. Can we make the hundreds of new Group Policy settings available to Windows 7 with Windows Server 2003 DCs?”

This is not an unusual situation. Some organizations find they need to replace their desktop computers immediately because of age or obsolescence and others wish to upgrade to Windows 7 because of its superior security and performance. But there may be no budget or desire to upgrade to Windows 2008 or 2008 R2. Luckily, it is not difficult to adapt Server 2003 to work with Windows 7.

Group Policy settings are edited through the use of ADM and ADMX template files. These files are accessed through the Group Policy Management Console (GPMC) or the Group Policy Object Editor (GPOE). As settings are configured in the editing tools, a Registry.pol file is created. The Registry.pol file is made available to client computers in the Group Policy Object Container on the Domain Controller. Client computers process the Registry.pol file to receive their Group Policy settings. The ADM/ADMX files are needed only by computers running the editing tools. Editing Group Policies using ADMX templates requires that the editing tools be run only on Microsoft Vista, Server 2008 or Windows 7. ADM templates can be edited on Windows XP or Server 2003. ADMX files use an XML-based markup language that includes no language-specific comments or descriptions. The ADMX file references ADML files in a sub-folder such as EN-US (for English) or FR (for French) that give the ADMX file appropriate language support. Multi-national organizations will only have to deploy one set of ADMX files and can add ADML files for each language spoken by their administrators.

One of the chief benefits of ADMX and ADML files is that they can be made available through the use of a Central Store on the Domain Controllers. Windows Server 2003 can host a Central Store as easily as Server 2008. To create a Central Store, simply create a PolicyDefinitions folder in the SYSVOL with a path of %WINDIR%\SYSVOL\domain\Policies\PolicyDefinitions. Copy the ADMX templates from a Windows 7 computer into the SYSVOL location. Windows 7 keeps a copy of the ADMX and ADML files in its own PolicyDefinitions folder located in the Windows folder. Once the PolicyDefinitions folder is placed in the Central Store, the File Replication Service on Server 2003 will replicate it to all Domain Controllers in the Domain so that the templates are available for use by the editing tools. An ADMX/ADML Central Store requires much less space on the SYSVOL than ADM files and will reduce replication costs.

–Mark
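
The Central Store procedure described above, as a PowerShell script run from the Windows 7 machine (an added example, not part of the original post). The domain name `corp.example.com` and the `en-US` language folder are assumptions; the account running it needs write access to SYSVOL, and same-named templates already in the store are overwritten.

```powershell
# Added example: seed an ADMX/ADML Central Store and verify the copy.
param(
    [string]$Domain  = 'corp.example.com',  # assumption: placeholder domain name
    [string]$Culture = 'en-US'              # assumption: language folder to publish
)

$source    = Join-Path $env:WINDIR 'PolicyDefinitions'
$store     = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$storeLang = Join-Path $store $Culture

# SHA-256 through .NET so the script also runs on the PowerShell 2.0 shipped with Windows 7.
function Get-Sha256([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) }
    finally { $stream.Close() }
}

# Create the store and its language sub-folder if they do not exist yet.
foreach ($dir in $store, $storeLang) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Copy the language-neutral ADMX files and the matching ADML files.
Copy-Item (Join-Path $source '*.admx') $store -Force
Copy-Item (Join-Path $source "$Culture\*.adml") $storeLang -Force

# Verify: each ADMX arrived intact and has an ADML file for the chosen language.
$problems = @()
foreach ($admx in Get-ChildItem $source -Filter *.admx) {
    $copy = Join-Path $store $admx.Name
    $adml = Join-Path $storeLang ($admx.BaseName + '.adml')
    if (-not (Test-Path $copy)) {
        $problems += "missing in store: $($admx.Name)"
    } elseif ((Get-Sha256 $admx.FullName) -ne (Get-Sha256 $copy)) {
        $problems += "hash mismatch: $($admx.Name)"
    }
    if (-not (Test-Path $adml)) { $problems += "no $Culture ADML for: $($admx.Name)" }
}

if ($problems.Count -gt 0) { $problems; exit 1 }
"Central Store OK: $store"
```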


34 Comments »

  • Ruben said:

    Hello Mark,

    When you copy the PolicyDefinitions folder to the sysvol share, does it affect your WinXp and Server2003 policies?

    Regards,

    Ruben Schmidt

  • timatgk said:

    Hi Ruben,
    Your existing GPOs will be fine. They are stored in the Sysvol\Domain\Policies folder with unique GUIDs to identify them. Additionally, the new ADMX files include all the old settings for Windows XP and 2003 so you can create new GPOs as needed for those OSs. Just be sure to run the Group Policy Management console on Windows 7 to see all the settings. And be sure to back up your environment before you switch to ADMX.
    Mark

  • Simon said:

    Hi,

    This is all fine but when you come to assign domain groups to win7 policies meaning admx files where and how do you do that? In order to see the admx files you need a win7 client but in order to apply these say to an OU would this have to be done on a 2008 server or could this be done in some way from a Win2k3 Server?

    Considering win2k3 has no idea of admx or adml files how would you see these on a 2k3 server?

    Thanks.

    Simon

  • Simon said:

    Hi

    Thank you for your response. I do already understand all that you sent and specified. My original question is still not answered.

    After I have done my policy editing how do I say apply to a group in AD? Of course I cannot use the GPMC in win2003 server but is there one I can use in Win 7? That is all I am asking.

    If I use the win7 gpmc then will that show me the new settings or templates that I can then assign to various domain OUs, users and groups.

    Thank you.

  • Natalie said:

    Mark,

    I don’t understand why I would copy the .admx/adml files to server 2k3 if the server gp editor can’t read them and therefore attach them to a gpo and assign them to an ou.

    Or are you saying to make local policy changes on a win7 client and THEN copy the admx/adml files to the server 2k3? How do these files replicate to all the win7 clients if they aren’t attached to a gpo and then an ou?

    So then how do I attach these admx/adml (once they are in the central store) to a specific ou if the gp editor on server 2k3 can’t see them?

    Thanks.
    Natalie

  • Mark Menges said:

    Hi, you must use gpedit from a Vista, 2008 Server or Windows 7 machine to edit admx-based settings. Server 2003 can replicate the ADMX files placed in its Sysvol share to all of the other domain controllers using FRS. By default the group policy editor in the Group Policy Management Console will connect to the PDC emulator role holder on the domain. All edits made will be replicated by FRS. If an updated admx is uploaded to the central repository it is not necessary to import it into each GPO. There is a terrific white paper from Microsoft on this topic and I am attaching it to this email. Mark

  • Bill S said:

    Mark,

    I would like to read the whitepaper as well. Can you connect me too? I tried to find it on my own but could only guess at the content.

  • Adrian said:

    Hi

    This is a bit off topic but I couldn't find anything on it, but this is similar to what I have to ask.

    Is it possible to manage group policy for a 2008 R2 server on a 2008 standard server? If so, how?

    Thank you

  • Usman Ali said:

    hi,

    When you copy the PolicyDefinitions folder to the sysvol share,
    does it affect your WinXp and Server2003 policies?

    Regards,

    Usman Ali

  • Mark Menges said:

    Adrian,

    The best choice may be to install the RSAT tools on Windows 7. You can download the latest version of the Remote Server Administration Tools (rsat.msi) from Microsoft downloads.

    http://www.microsoft.com/download/en/details.aspx?id=7887

    Mark

  • Mark Menges said:

    Usman,

    The older XP and 2003 Server ADM policies are not affected. The ADMX templates include all of the settings from all of the ADMs Microsoft has released in the past as well as Windows 7 and Server 2008 settings. You can continue to import custom ADM templates into the Administrative Templates node of a GPO.

    Mark

  • saji said:

    Hi all,

    I have 2003 ent server. I had installed CSE for to get GPP but after the installation I am not able to find out group policy and preference at Gpeditor.
    If anybody can help me out for this...
    Thanks

  • Mark Menges said:

    Saji,

    You need to install the latest version of the Remote Server Administration tools to be able to see the Preferences settings. The RSAT tools can be downloaded from Microsoft downloads and installed on Vista, Windows 7 or Server 2008 only.

  • Mark D said:

    Hi Mark

    I have installed Group Policy Management console on our 2008 member server which is on our 2003 domain.

    If I copy the Policy Definitions folder into a sub folder of our SYSVOL\Policies how does the server know where to find them? Do I have to point the 2008 GPOs I create to this separate repository somehow?

  • Mark M said:

    Mark,

    When you open the Group Policy Management Tool and edit a GPO the Administrative Templates node in the editor should say that the templates are from the central store on the server. Gpedit looks to the server that runs the PDC emulator role. You should be running the new version of the RSAT tools that are found on Server 2008. The best way to copy the admx and adml files is to follow the procedure at http://support.microsoft.com/kb/929841

    Mark

  • Brian said:

    Hi Mark,

    So in a nutshell, is this all about storage and replication of ADMX files from one domain controller to another? It’s more of a redundancy process, a step one would take to avoid losing the GPO or GPP settings for a Windows 7 PC, correct?

    Please explain further if I am wrong but that’s all I am seeing that this copy is for (not being negative, I am just wondering why else would I do this?). Because I still have to control group policies and preferences for Windows 7 and Vista from the Group Policy Management Console from a Windows 7 PC.

    I would appreciate your help on this.

    thank you,
    Brian

  • MARK said:

    Brian,

    You are correct in your assumption. When you create a central store for ADMX any group policy editor opened on a computer in the domain will use the templates on the store. To update the template for the domain simply add the templates to the store on one of the domain controllers and Sysvol replication will take care of the rest.

    Mark M

  • hadi said:

    hi
    I install windows server 2008 R2 Enterprise and install active directory. I have a problem:
    I install windows 7 on the clients and join clients to domain controller and group policy setting on windows server2008 but this active not on the clients but active on the server 2008.
    please help me

  • hadi said:

    hi
    I can apply group policy windows server 2008 on the windows 7 from domain controller ?
    please help me.

  • David said:

    Great help! Thank you.

    Two questions:

    1. Clarification: I typically use gpmc on my 2008r2 dc to roll out policies. I am hoping that adding the admx / adml files to my 2003 servers will allow win7 clients attached to those 2003 dcs to get the 2008r2 only gps (desktop shortcuts: they don’t seem to right now). Correct?

    2. Question: How do my 2008r2 gpmc modifications update those in the central store or do I need to point my 2008r2 gpmc to those files?

    Thanks much!

  • MARK said:

    David,

    Once you have created a central repository of admx and adml templates in the Sysvol the Group Policy Editor in the GPMC will automatically point to it. Just make sure you are using the version of GPMC that is included in the RSAT tools for Windows Server or Windows 7. If you have a customized admx just upload it to the repository and it will replicate to all of the DCs using Sysvol replication. The editor will by default point to the Sysvol on the PDC emulator role holder which makes it the best place to update your templates.

    Mark

  • Andy said:

    Hi,
    So in an environment consisting of multiple 2003 DC’s and one 2008 DC the updates to the central repository of admx files will be automatically done if policies are edited on the 2008 DC but not if updated on a windows 7 workstation. These customized admx files if done on a windows 7 workstation would need to be manually copied to the sysvol folder, then frs would replicate to the rest of DC’s.

  • MARK said:

    Andy,

    That is correct.

    Mark

  • Kevin said:

    Hi there,

    We have mixed-environment 2003/2008 R2 domain. And there were *.adml files exist in \\domain\SYSVOL\domain\Policies\PolicyDefinitions\ already. I downloaded the admx template at http://www.microsoft.com/en-ca/download/details.aspx?id=6243 ran it on my local machine then I will copy all of them to \\domain\SYSVOL\domain\Policies\PolicyDefinitions\ (overwrite if needed). The question is: if I do that, any potential issues happen? Our current GPO’s settings will be lost? We still have some PC running XP.

    Please advise,
    Thanks

  • Elizabeth Rainwater said:

    Hi Kevin–

    I checked with Mark. He said that it should be no problem for xp, but back up your gpos to be safe.

  • Kevin said:

    Thanks Elizabeth. Appreciated it.

    Kevin

  • Scott said:

    I have a windows SBS 2003 R2 based Domain with a Windows 2008 standard server (32 bit) as a secondary DC. I have installed RSAT on a Windows 7 professional 64 bit machine and copied the PolicyDefinitions folder to the sysvol on the 2008 server and verified replication to the SBS Server. I have verified permissions for the Sysvol and PolicyDefinitions folder, Share is open to everyone, NTFS permissions to Read, Read & execute, and List folder contents are granted to authenticated users.

    I have run adprep /forestprep, adprep /domainprep and adprep /domainprep gpprep commands successfully.

    Even when gpresult /R shows that the policies applied to the workstation are coming from the 2008 server, none of the Windows 7 policies that have been configured are applied or even listed as denied.

    SOLUTION:

    http://technet.microsoft.com/en-us/library/cc784062(v=ws.10).aspx

    Account Policies are only processed for domain user accounts if they are applied at the Domain level. Account Policies configured elsewhere, such as at the Site or OU level, are ignored. All settings found under Account Policies under Security Settings in Group Policy should only be configured at the domain level. If you are having trouble applying a Security Setting that is found under Account Policies, ensure that you have configured the setting only at the domain level.

    Moving the policies and editing the WMI Filters fixed the problem and managed the scope to apply only to Windows 7 computers.

    WMI Filter: select * from Win32_OperatingSystem where Version like "6.1%" and ProductType="1"

    I am posting this here because this forum led me to the part of the answer to my situation.

  • Susan said:

    I hope I didn’t mess things up.

    I am running a windows server 2008 r2 sp1 DC. I had a number of policies set in advanced Group policy management, but saw that I was not using a central stores.

    I attempted to but I know now in my windows 7 policy object I do not have any setting now in …administrative template: policy definitions

    Did I lose all of my settings? how can I get them back?

    Funny I got central stores working…only I don’t have the policies I had set up. The names are there but…it does not have all the settings.

  • Danielle Beavers said:

    Hi Susan -
    Mark believes this link might help you http://support.microsoft.com/kb/555218

  • Susan said:

    some did not work like fde.dll module was loaded but the entry-point dll registryserver was not found

    certmgr.dll register service has stopped working a problem caused it to stop please close program

    rigpsnap.dll,wsecedit.dll, appmgr.dll not found make sure the binary is stored at the specified path

  • cc said:

    A question: using RSAT, what do you recommend I do with the ADMs? I am still using the 2003 DC, in mixed mode, not native. Can I use only the ADMX files despite having mixed mode and XP workstations, and now Windows 7?

    I would appreciate it if you could answer. And what recommendation do you have regarding traffic performance for the ADMX files through the SYSVOL PolicyDefinitions?

    Regards,

    CC

  • Leah Kirby said:

    Translation:

    I have a question, using RSAT, how do I use ADM? I’m using a 2003 domain controller in mixed mode, non-native. But I can only use admx despite using mixed mode with XP and Windows 7.

    I’d like to know if you can answer me and what recommendation you have with respect to traffic performance over admx using sysvol policy definitions.
