The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy.  The Archives for this list can be found on this page.

 

List Posts

Subject: [gptalk] Editing a GPO in different versions of GPMC
JamieNelson

Posts:0

02/11/2009 7:00 PM  
I am hoping someone knows an answer to the following question. In my
current position there have been some concerns raised about using
different versions of GPMC for Group Policy modifications. Specifically
that a GPO could potentially get "corrupted" by doing so.



Here's a scenario:



1. I use the Server 2008 / Vista SP1 GPMC console to create a GPO
and define some settings.

2. I go back and edit some of the settings on a Server 2003 or
Windows XP version of GPMC.



The other scenario would be exactly the opposite: create in 2003/XP,
then edit from 2008/Vista.



Obviously I won't be able to see or configure anything specific to
features that are enabled in the newer GPMC (most notably GPP), but are
there any drawbacks to going in and modifying something like a few Admin
Template settings which should be universal to either version of GPMC?



Right now the powers that be have mandated we do all of our GP edits in
Server 2008, which was supposedly in response to feedback from Microsoft
stating this was best practice and that doing otherwise could
potentially corrupt a GPO. I don't necessarily understand how this is
true and am trying to discern if this was just a misinterpretation
within my organization or if it is actually fact. I haven't found
anything on the web suggesting the latter. GPOs are essentially just
files and AD objects, so although GPMC may not be able to see or edit
certain "parts" of a GPO, editing the settings which are exposed should
not be detrimental as far as I can tell.



What is everyone else's experience with this?



Regards,

Jamie Nelson


Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged.
If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.

PatrickLeathen

Posts:7

02/11/2009 7:19 PM  

Hi Jamie,



I am currently working in a very mixed environment and have had to
modify policies on various different systems (XP, Vista, 2k3 Server, 2k8
Server, Windows 7) and so far have never come across any issues
whatsoever, except the obvious one that some options are not available on
earlier OS versions. Our new domain is still not in production, so we're
making changes after testing on a very regular basis and have not come
across any form of corruption or problems with making changes using a
different OS than what the Policy may have originally been created
and/or modified with.



I hope this is of help.



Regards,

Patrick Leathen




--
The information contained in this e-mail message is intended only for the
use of the person or entity to whom it is addressed and may contain
information that is CONFIDENTIAL and may be exempt from disclosure under
applicable laws.

If you read this message and are not the addressee you are notified that
use, dissemination, distribution, or reproduction of this message is
prohibited. If you have received this message in error, please notify us
immediately and delete the original message. You should scan this message
and any attached files for viruses.

Axon accepts no liability for any loss caused either directly or
indirectly by a virus arising from the use of this message or any
attached file.
Darren

Posts:103

02/11/2009 7:28 PM  
Jamie-

I would concur with Patrick. If you think about how GP works under the
covers (and I do!) there is nothing inherently bad about switching back and
forth. Corruption in the sense that I suspect they are thinking doesn't make
any sense because settings storage, by definition, must be backward
compatible so that clients from Win2K to Vista can read those settings. So
if they modified some setting value in later versions, it would completely
break down-level compatibility. What may change between old and new, and I
have seen this, is that the name of a setting, especially in admin.
templates or security, may change, but the underlying value will not.



Anyway, hope that helps.


Darren



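Editor's added example, not part of the original thread or any poster's code: Administrative Template settings are stored in a GPO's Registry.pol file, whose "PReg" version 1 layout is a flat list of self-describing `[key;value;type;size;data]` records, which is the backward-compatible settings storage Darren describes. The sketch parses that layout and rewrites one value while carrying the other records over byte for byte; the key and value names are constructed placeholders.

```python
import struct

SIGNATURE, VERSION = b"PReg", 1      # 8-byte header: magic + format version
REG_SZ, REG_DWORD = 1, 4             # standard registry value types

def u16(text):
    return text.encode("utf-16-le")

def build_pol(records):
    """Serialise (key, value, type, data) tuples as [key;value;type;size;data]."""
    out = SIGNATURE + struct.pack("<I", VERSION)
    for key, value, reg_type, data in records:
        out += (u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", reg_type)
                + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))
    return out

def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter or fail loudly on a malformed file."""
    if buf[pos:pos + 2] != u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        if buf[end:end + 2] == b"\0\0":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2

def _dword(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_pol(buf):
    """Return the list of (key, value, type, data) records in a Registry.pol blob."""
    if buf[:4] != SIGNATURE or _dword(buf, 4)[0] != VERSION:
        raise ValueError("not a PReg version 1 file")
    pos, records = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _wstr(buf, pos)
        value, pos = _wstr(buf, _expect(buf, pos, ";"))
        reg_type, pos = _dword(buf, _expect(buf, pos, ";"))
        size, pos = _dword(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data")
        pos = _expect(buf, pos + size, "]")
        records.append((key, value, reg_type, data))
    return records

def set_dword(buf, key, value, number):
    """Rewrite one DWORD setting; every other record is carried over untouched."""
    return build_pol([(k, v, REG_DWORD, struct.pack("<I", number))
                      if (k, v) == (key, value) else (k, v, t, d)
                      for k, v, t, d in parse_pol(buf)])

# Constructed sample: the key and value names are placeholders, not real policies.
KEY = r"Software\Policies\ExampleVendor\ExampleApp"
SAMPLE = build_pol([
    (KEY, "EnableFeature", REG_DWORD, struct.pack("<I", 1)),
    (KEY, "ServerName", REG_SZ, u16("srv01.example.test\0")),
])

if __name__ == "__main__":
    for record in parse_pol(set_dword(SAMPLE, KEY, "EnableFeature", 0)):
        print(record)
```
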




adrian

Posts:2

02/11/2009 7:37 PM  
Right, this makes no sense fundamentally. If the legacy GPO editing
tools can't interpret the information correctly enough to write back to
it, then it would follow that legacy OS's running on workstations
wouldn't be able to parse the GPO. I don't have too much experience with
switching back and forth personally, but it makes logical sense that you
could do it.

Adrian (I'm new here.. go easy on me :)



JamieNelson

Posts:0

02/12/2009 10:47 AM  
Yep, I’m with all of you guys. It didn’t make any sense to me either, as I understand Group Policy at a fairly low level. I would agree that it is probably best practice to use the latest and greatest tools in a mixed environment, but I couldn’t see the harm in doing edits on different platforms.



I think in my organization’s case it was kind of a coincidence that a GPO got corrupted. They interpreted Microsoft’s “best practice” recommendation the wrong way and simply overreacted a little to be on the safe side.



Thanks everyone.



Jamie Nelson | Lead Analyst | BI&T Desktop Management | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | http://www.dvn.com <http://www.dvn.com/>








Copyright 2009 by GPOGUY.COM