none
Windows 7 group policy management

    Question

  • We are introducing Windows 7 workstations into a Windows 2003 domain. The active directory has been updated to a Windows 2008 schema, but we do not have a Windows 2008 domain controller on this domain. All of the previously existing workstations are Windows XP.

    I am trying to do group policy management from a Windows 7 machine to add the appropriate group policies for the new workstations. I have installed the GPMC and can connect to domain policies with no problem.  Then, I followed the instructions for deploying group policies (ADMX files) to the domain that I used for Vista - basically, I copied all of the files/folders from the Windows 7 Policy Definitions folder to a domain controller at Sysvol\domain\Policies\Policy Definitions. The copy worked fine, the files are there and the permissions appear to be correct. However, when I open the GPMC on my Windows 7 machine and go to the Administrative Templates portion it says "Administrative Templates: Policy Definitions (ADMX files) retrieved from the local machine." How do I get the GPMC on my workstation to retrieve the ADMX files from the DC instead of from the local machine? This seemed to work automatically on my Vista workstations (on a different domain, of course).
    Deb
    Wednesday, January 20, 2010 6:04 PM

Answers

  • From the domain controller with IP address 10.0.0.3:

    C:\Windows\Sysvol\sysvol\[domainname.local]\Policies\Policy Definitions NTFS permissions for Authenticated Users are: Read and Execute, List Folder Contents and Read. These are inherited.

    C:\Windows\Sysvol\sysvol share permissions for Authenticated Users are: Full Control.

    Seems fine to me.

    I think I figured out what the problem was though - this is a really silly one!! I named the folder "Policy Definitions" with a space, instead of "PolicyDefinitions" without any space.  I'll bet that's what the whole problem was!  I will post back after I'm sure - I can't test it out right now because I don't have access to the Windows 7 machine.


    Deb
    Friday, January 22, 2010 6:24 PM

All replies

  • Hi Deb,
     GPMC automatically prefers the central store if it can find it and access it. I would verify that you have access to both the ADMX and ADML folders and files in the central store and that the folders have replicated to all DCs in the domain.

    Thanks,
    Guy
    Wednesday, January 20, 2010 7:34 PM
  • Also be aware that Windows XP will not use ADMX files... this will only work with Windows Vista or above.
    Alan Burchill http://www.grouppolicy.biz
    Wednesday, January 20, 2010 10:38 PM
  • Hi,

    As Guy explained, GPMC by default use Central Store if it can find and access one. Please make sure you have copied the en-US folder too.

    If the issue persists, to troubleshoot your problem, I suggest we monitor the GPMC network traffic accessing DC.

    Download Microsoft Network Monitor on Windows 7.
    http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en  

    1. Run Network Monitor and start capturing.
    2. Open GPMC, try to edit a GPO, click Administrative Template node, when "Policy definitions (ADMX files) retrieved from local" appears,

    3. Stop the capturing, save the result and use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file. If you would like other community member to analyze the report, you can paste the link here, if not, you can send the link to tfwst@microsoft.com.
     
    For your reference:
    Windows 7, Windows Server 2008 R2 and the Group Policy Central Store
    http://blogs.technet.com/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, January 21, 2010 7:24 AM
  • I'm sending you the file via email.  Thanks!
    Deb
    Thursday, January 21, 2010 7:22 PM
  • Hi Deb,

    Thank you for update. From the log file, we can find there is "STATUS_OBJECT_NAME_NOT_FOUND" error when trying to find \DomainName.local\Policies\PolicyDefinitions. Please double-click the \DomainName.local\Policies\PolicyDefinitions folder NTFS and share permission. Make sure Authenticated User has proper permission.

    5242 28.953651  {SMB:84, TCP:13, IPv4:3} 10.0.0.251 10.0.0.3 SMB SMB:C; Transact2, Query Path Info, Query File Basic Info, Pattern = \DomainName.local\Policies\PolicyDefinitions
    5243 28.953651  {SMB:84, TCP:13, IPv4:3} 10.0.0.3 10.0.0.251 SMB SMB:R; Transact2, Query Path Info - NT Status: System - Error, Code = (52) STATUS_OBJECT_NAME_NOT_FOUND

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, January 22, 2010 3:07 AM
  • From the domain controller with IP address 10.0.0.3:

    C:\Windows\Sysvol\sysvol\[domainname.local]\Policies\Policy Definitions NTFS permissions for Authenticated Users are: Read and Execute, List Folder Contents and Read. These are inherited.

    C:\Windows\Sysvol\sysvol share permissions for Authenticated Users are: Full Control.

    Seems fine to me.

    I think I figured out what the problem was though - this is a really silly one!! I named the folder "Policy Definitions" with a space, instead of "PolicyDefinitions" without any space.  I'll bet that's what the whole problem was!  I will post back after I'm sure - I can't test it out right now because I don't have access to the Windows 7 machine.


    Deb
    Friday, January 22, 2010 6:24 PM
  • YES! That was it - just a silly space in the wrong place....Thanks for your help on this, Mervyn - the trace did show me the error of my ways by pointing out the correct folder name.
    Deb
    Friday, January 22, 2010 7:01 PM
  • Hi Deb,

    Glad to hear you have resolved the problem. If you have more questions in the future, you’re welcomed to this forum.

    Thanks


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, January 26, 2010 2:07 AM