none
Windows 7 Group Policy and windows server 2003

    Question

  • hello guys,

    we have active directory running on windows server 2003 environment (two DC's) also we have more than 300 client computers currently running windows vista-x86 .

    I configured mandatory profile for all users also configured a tons of group policy to customize and deploy software's for those vista clients things are working as a charm to this point

    I have been told to add another 100 windows seven machines to the same environment and must be tuned just like windows vista clients .

    I joined a couple of windows seven machines for testing I have some problem when I tried to administer them by group policy I found I can not control most of the settings because they are not available in group policy on my domain controllers .

    for example settings for internet explorer 10 are not available on windows server 2003 group policy by default so I downloaded this http://www.microsoft.com/en-us/download/details.aspx?id=37009 tried to copy it into %WINDIR%\inf\

    but it says file already exist !! my question is If I replace it will this change affect the old group policy currently I have ?

    or somebody tell me how to administer windows seven machines from windows server 2003  ?

    best regards

    Friday, July 26, 2013 6:39 PM

Answers

  • To setup Windows 7 GPO's (or at least those bits specific to Windows 7) on a 2003 network you need to install RSAT on one of the client machines, configure the GPO on there, and then copy the relevant policy files over to your AD controller. There's more specific detail and discussion of the process here http://social.technet.microsoft.com/Forums/windowsserver/en-US/846e1ccb-c9ba-474f-81ee-7106be104d39/windows-7-clients-on-2003-domain-group-policy and there are several guides to it, for instance http://www.monkeydust.net/2010/01/25/how-to-create-and-edit-group-policy-for-vista-and-windows-7/
    Friday, July 26, 2013 6:59 PM
  • Well it's been quite a while since I last had to do this, and I don't have a 2003 test AD server to check on, but if I remember correctly...

    While editing the windows 7 policy within the 2003 GPM isn't recommended, the order they're looked at (and therefore which takes precedence) is still handled in 2003, so it depended entirely on where it comes in the link order, just like any policies you had previously.

    From memory I don't think so, and certainly if you haven't had any errors come up I'd say that suggests the two can function side by side without any problems, it's just that 2003 can't write to the new format which is why it needs to be edited on 7. The existing policies for your older kit should continue as before.

    I'm not 100% certain, but your probably best off updating old policies in 2003 and the new ones in 7. 2003 definitely can't edit 7 policies, but I'm not sure if editing 2003 policies in 7 would cause them to be updated and therefore make them unreadable on older kit. In any case, in order to edit the old policies in 7 you'd have to copy them over, edit them, and then copy them back, which would seem a bit pointless when you could just edit them locally on 2003.

    • Marked as answer by Shad Qadir Sunday, July 28, 2013 7:54 PM
    Sunday, July 28, 2013 7:28 PM

All replies

  • To setup Windows 7 GPO's (or at least those bits specific to Windows 7) on a 2003 network you need to install RSAT on one of the client machines, configure the GPO on there, and then copy the relevant policy files over to your AD controller. There's more specific detail and discussion of the process here http://social.technet.microsoft.com/Forums/windowsserver/en-US/846e1ccb-c9ba-474f-81ee-7106be104d39/windows-7-clients-on-2003-domain-group-policy and there are several guides to it, for instance http://www.monkeydust.net/2010/01/25/how-to-create-and-edit-group-policy-for-vista-and-windows-7/
    Friday, July 26, 2013 6:59 PM
  • thank you Keith Langmead,

    your information was really helpful ,I did test above procedure in a virtual environment and it was successful ,but still there are some aspects not clear to me like:

    • witch policy will apply first ? "the policy created on GPMC on windows 7 using ADMX file retrieved from central store" OR "the policy created by windows server 2003 gpo console" ? considering all my clients are windows 7 and Vista ?
    • do I have to re-create all current policies using GPMC on windows 7 in order to be available in new format "using ADMX file retrieved from central store" or the old format ADM will continue working beside the new one ?
    • do I have to administrator each policy using its own console ? windows 2003 gpo console and GPMC on windows 7

    thanks for your help again

    shad

    Sunday, July 28, 2013 7:03 PM
  • Well it's been quite a while since I last had to do this, and I don't have a 2003 test AD server to check on, but if I remember correctly...

    While editing the windows 7 policy within the 2003 GPM isn't recommended, the order they're looked at (and therefore which takes precedence) is still handled in 2003, so it depended entirely on where it comes in the link order, just like any policies you had previously.

    From memory I don't think so, and certainly if you haven't had any errors come up I'd say that suggests the two can function side by side without any problems, it's just that 2003 can't write to the new format which is why it needs to be edited on 7. The existing policies for your older kit should continue as before.

    I'm not 100% certain, but your probably best off updating old policies in 2003 and the new ones in 7. 2003 definitely can't edit 7 policies, but I'm not sure if editing 2003 policies in 7 would cause them to be updated and therefore make them unreadable on older kit. In any case, in order to edit the old policies in 7 you'd have to copy them over, edit them, and then copy them back, which would seem a bit pointless when you could just edit them locally on 2003.

    • Marked as answer by Shad Qadir Sunday, July 28, 2013 7:54 PM
    Sunday, July 28, 2013 7:28 PM
  • thank you Keith Langmead

    this thread took much than I expected , appreciate your help

    I did add the "policydefinitions" folder to PDC emulator DC on one of my domains now I can do almost every thing "thanks for your help" but I have another question:

    I'm trying to lock down internet explorer 10 on some windows 7 machines ,I tried to use filter functionality on GPMC to locate IE10 specific policies but I realized latest version of IE is Version 8 inside my policies ,how can I add internet explorer 10 policies to my domain ?

    or in general how can I keep my policy definition folder updated ?

    thank you very much

    shad

    Sunday, August 04, 2013 10:04 AM
  • Not sure to be honest. I'd suggest your best option for that question is to start a new thread, since there's then more chance of someone other than me seeing it.
    Sunday, August 04, 2013 10:42 AM
  • Oh, and you probably want to post it in http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverGP since that's the Group Policy forum rather than the general Windows Server forum.
    Sunday, August 04, 2013 10:44 AM
  • thanks

    I will

    shad

    Sunday, August 04, 2013 1:36 PM