none
Windows 7 clients on 2003 domain / group policy

    Question

  • Hi,
    Is there adm(x) extensions for Windows 2003 domain for windows 7? Or how is group policy handled in W2K3 domain for Win 7 machines?
    Wednesday, December 02, 2009 7:58 AM

Answers

  • Of course a lot of the settings that you can use with Windows 2003 do also work for Win 7 clients.
    But yes, some do not, some are replaced by new settings and and others are completely new for Win 7.
    You will not be able to manage these changed or new settings by using a Windows 2003 GPMC.
    But as you speak of "Windows 2003 domain", the answer is:
    You can keep your domain, the domain level and your DCs as is.
    Just add one Windows 2008 R2 or Windows 7 (+RSAT) machine to you domain as GPO management station.
    This will enable you to configure Win 7 specific settings.
    It can be a good idea to create exclusive GPOs for Win 7 machines only.
    User filtering or other mechanisms (e.g. OU design) to target only the desired machines.
    There are different approaches for that and there is no "this way" or "that way". It just depends...
    Patrick
    • Marked as answer by Wilson Jia Monday, December 07, 2009 2:21 AM
    Wednesday, December 02, 2009 9:33 AM
  • Hello WiiWoo,

     

    Gotsch-it is correct. Generally speaking, Group Policies to support Windows7 can be configured and enabled from a Windows 7 client with RSAT feature installed in a Windows Server 2003 R2 domain. Before you deploy the GPO to your Windows 7 client, you may need to copy all the ADMX / ADML files from Windows 7 to your DC.

     

    You may refer to How to deploy group policy using Windows Vista: http://technet.microsoft.com/en-us/library/cc766208(WS.10).aspx

     

    However, if you'd like to use the GPOs to define the feature like DFSR read-only replication function in Windows 7 and Windows Server 2008 R2. You need to upgrade your domain to Windows Server 2008 R2 to extend Schema version. 

     

    Hope it helps.

     

    Best Regards,

    Wilson Jia


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Edited by Wilson Jia Friday, December 04, 2009 5:51 AM
    • Marked as answer by Wilson Jia Monday, December 07, 2009 2:20 AM
    Wednesday, December 02, 2009 9:39 AM

All replies

  • Of course a lot of the settings that you can use with Windows 2003 do also work for Win 7 clients.
    But yes, some do not, some are replaced by new settings and and others are completely new for Win 7.
    You will not be able to manage these changed or new settings by using a Windows 2003 GPMC.
    But as you speak of "Windows 2003 domain", the answer is:
    You can keep your domain, the domain level and your DCs as is.
    Just add one Windows 2008 R2 or Windows 7 (+RSAT) machine to you domain as GPO management station.
    This will enable you to configure Win 7 specific settings.
    It can be a good idea to create exclusive GPOs for Win 7 machines only.
    User filtering or other mechanisms (e.g. OU design) to target only the desired machines.
    There are different approaches for that and there is no "this way" or "that way". It just depends...
    Patrick
    • Marked as answer by Wilson Jia Monday, December 07, 2009 2:21 AM
    Wednesday, December 02, 2009 9:33 AM
  • Hello WiiWoo,

     

    Gotsch-it is correct. Generally speaking, Group Policies to support Windows7 can be configured and enabled from a Windows 7 client with RSAT feature installed in a Windows Server 2003 R2 domain. Before you deploy the GPO to your Windows 7 client, you may need to copy all the ADMX / ADML files from Windows 7 to your DC.

     

    You may refer to How to deploy group policy using Windows Vista: http://technet.microsoft.com/en-us/library/cc766208(WS.10).aspx

     

    However, if you'd like to use the GPOs to define the feature like DFSR read-only replication function in Windows 7 and Windows Server 2008 R2. You need to upgrade your domain to Windows Server 2008 R2 to extend Schema version. 

     

    Hope it helps.

     

    Best Regards,

    Wilson Jia


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Edited by Wilson Jia Friday, December 04, 2009 5:51 AM
    • Marked as answer by Wilson Jia Monday, December 07, 2009 2:20 AM
    Wednesday, December 02, 2009 9:39 AM
  • However, if you'd like to use the GPOs to define some new features in Windows 7 and Windows Server 2008 R2 which are required Windows Server 2008 R2 schema version. Eg: Direct Access..You need to upgrade you domain to Windows Server 2008 R2 to extend Schema version. 

     

     


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Wilson,

    Can you elaborate on you above statement? Are you referring to features like Direct Access and Branch Cache?  Are you saying this requires a AD to be at the 2008 level?  It was my understanding that to utilize these features, you will need a 2008 R2 server, but not dependant on 2008 AD?   

    Bob

    Friday, December 04, 2009 3:24 AM
  • Hi Bob,

    I'm sorry that I made a wrong example. The actual new feature is DFSR read-only replication function which needs a Window Server 2008 AD. The DA and Branch Cache feature do not need a Windows 2008 AD.

    Thank you for your clarification.

    Best Regards,
    Wilson Jia
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, December 04, 2009 5:49 AM
  • It is still not working for me. Windows 7 machines in the Windows 2003 domain still dont see Windows 7 specific settings.

    I have already:

    1. installed RSAT on a Win 7 machine
    2. Copied all admx and adml files to the central store [as instructed in the technet doc mentioned above]
    3. edited a GPO from the Win 7 machine [logged on as domain admin] and changed a win vista+ setting

    I have tried running gpupdate on the Win 7 clients many times.

    What else needs to be done?
    Tuesday, February 23, 2010 4:13 PM
  • It is still not working for me. Windows 7 machines in the Windows 2003 domain still dont see Windows 7 specific settings.

    I have already:

    1. installed RSAT on a Win 7 machine
    2. Copied all admx and adml files to the central store [as instructed in the technet doc mentioned above]
    3. edited a GPO from the Win 7 machine [logged on as domain admin] and changed a win vista+ setting

    I have tried running gpupdate on the Win 7 clients many times.

    What else needs to be done?

    I too have done all these steps and haven't been able to get certain settings to work (hiding specific control panels, changing wallpaper).  I read somewhere that I may have to extend the schema, but I'm not exactly sure how to do that.  I don't have a 2008 server to get adprep from and I'm not even sure if that's what I'd have to do...  is there a version of adprep on my Windows 7 media?
    Monday, August 02, 2010 5:03 PM
  • You can download the Windows 2008 R2 trial DVD from Microsoft (2.3gb--takes a while), which has the correct ADPREP version needed to being the schema up to date.
    Friday, September 24, 2010 7:20 PM
  • Hello,

     

     

    I have a GP called "Standard User"  its applied to all my users. Till now they all have been XP Pro users   but now of course Window 7 is emerging . I have noticed some of the settings that I have implelented do not work the same on the WIN7 computers.  The 1st one I notice is my control panel restrictions. The existing GPO is set to only show DESK and TIMEDATE  applets ( using XP lingo)    

    but now on WIN7 workstations  this seems to completely restrcit the conrol panel....its like its empty.....

    so   what to do ?   are the applets named differently ?   I see above they suggest using  +rsat

    but  isnt that a toll just to do administrative work on the server ( My server = 2003 r2)   I user RDp to "go onto" my serverto do admin work.....so I dont need RSAT right ?

     

    as far as DESK.CPL     goes   classically I have permitted  users to do all but the SETTINGS tab  so they can change their svreen save and wallpaper.... we dont permit user to change mcuh ...but we do  let them do this stuff......I would like to still let users access these things ( appearanceand personalization) 

     

    any advice is appreciated

    Wednesday, March 30, 2011 12:44 PM
  • Hi all,

    I have pretty much the same problem in my 2003 domain. I am pushing out Win7 PCs but I have not way to control all of the policies that I had setup woth the Win2003 server to WinXP ADM.

    I found out that there are tons of things that either do not work at all, or they are not taking effect on the Win7 PCs the same way.

    I have asked this same question many times to Microsoft, but as of yet I have no answer. The answer above in this same post is the best clue I have heard so far, but it has it's drawbacks. To install a Windows 2008 server in my domain will mean that I will have to leave the Native 2003 mode? If not, how would the policies for the Win7 machine be implemented in the native 2003 domain if there is no AD controller that can push these policies to them?

    Any one out there knows of an answer?

     


    Wednesday, April 20, 2011 3:14 PM
  • I dont know why  all these old comments have got pasted into my thread here ....

     

    It sounds like if I have a server 2003 domain  that I  cannot use my current  standard Group policies  on  Windows 7 pc that have been joined to my domain....

    you some how need the assisstance of Server 2008 somewhere in the mix , or you have to employ local  policies on the WIN7 computer ????

     

    doesnt sound right   it sounds like a very awkward way to use your stadard tried and true policies that worked just fine on XP machines who are members of the 2003 domain..... 

    Tuesday, May 03, 2011 6:14 PM
  • For a 2003 forest, you will need to extend the schema in order to introduce new attributes into your domain to fully support Windows 7.  Once the adprep commands are complete in your domain and the schema is extended, upgrade or build one 2008 R2 domain controller.  A folder named "policydefinitions" should be created in the Sysvol\Policies share that will hold .admx files that the Windows 7 systems will look for from a GPO configuration.  This will replicate to all 2003 domain controllers available when Windows 7 systems authenticate, can pick up the GPO settings.

    Make sure to perform system state backups of the FSMO role holders at the forest and domain levels prior to any upgrade.  Also need to make sure to perform an AD health check on your environment prior to any schema updates.  The preparation is most important to make sure the schema update goes smoothly.  You can operate your forest/domains in a mixed mode with both 2003 and 2008 domain controllers.  In the past, I have also stopped replication on the domain controller I performed the schema update to let the change take place isolated from the rest of the network.  Once did some basic checks, then opened up the replication.  Another option is to change the replication interval for one site to 3 hrs or so, again in the event a major prob occurred, would give you opportunity to recover using that isolated DC.

    One of the other items to note, is that some DOS based commands such as dcdiag /test:dns will show alerts and failures that are not really present.  Due to the difference between 2003 and 2008, there are new event ids along with other improvements that will skew these results.  

     

    Wednesday, May 11, 2011 12:40 PM
  • I am stll lost in limbo on this ..you see how long ago I  placed  this question.....not that I have dived right in and followed every reply posted so far ..

    It seems to me that me havingto do stuff onthe local win7 computer  makes not sence ..I am in a domain and linked policies in active directory should work..... I cant go to each new WIN7 computers and   develop policies

    Friday, May 13, 2011 12:36 PM
  • I havent found any Microsoft document supporting Windows 7 or Office 2010 policies under Windows Server 2003.

    I suggest you make VM a lab and make the step by step to see exactly what happens.

    DuthcRJV pointed out the main ideias.

    1 Windows 7ADMX files on sysvol, backup the fsmo and extend your schema.

    2 Windows 7 machine with RSAT to edit and configure windows 2003 Policies. Create w7 policies on OU made for w7 users and w7 computers.

    Good luck.

     

    Tuesday, May 17, 2011 10:17 PM
  • Dsousa,

    To support Windows 7 & office 2010:

    Win7:

    1) Get a server 2008 r2 disc
    2) Login to a Windows 7 SP1 or 2008 R2 SP1 system as your domain admin account (must have schema admin permission)
    3) Extend the schema & domain (http://technet.microsoft.com/en-us/library/cc771461%28WS.10%29.aspx)
    4) Dedicate a workstation or server for the sole purpose of managing the Windows 7 / 2008 R2 GPOs
    5)  Install the RSAT Tools for Win7 SP1 (http://www.microsoft.com/download/en/details.aspx?id=7887) OR Use 2008R2 SP1's Server Manager and install RSAT tools from there
    6) You can now manage Windows 7 / Server 2008 GPO objects for your domain.  These policies *MUST* be created & managed by this machine until you install Server 2008 R2 domain controllers

    Office 2010:

    1) On that dedicated machine, download the Office 2010 admin templates (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18968) -- NOTE:  If you use 32-bit office, download the 32-bit templates.  If you use the 64-bit office, download the 64-bit templates.
    2) Extract the files to a folder on the desktop
    3) Open Group Policy Management
    4) Depending on how you do your GPO structure, create a new GPO for Office 2010 or open an existing GPO you wish to add the files to
    5) On either the computer or user configuration (doesn't matter which) Right-Click on "Administrative Templates" and add templates -> navigate to the folder on the desktop, select all of the templates in the *ADM* folder
    6) The .adm files will be uploaded into the policy folder under that policy's GUID in \\domain.corp\sysvol\domain.corp\policies\{GUID}\Adm
    7) You'll now find Office 2010 policy options in this specific GPO
    8) IF YOU INTEND ON MANAGING OFFICE 2010 IN MULTIPLE GPOs, you must import the templates into every GPO you use them in

    As you upgrade to Server 2008 R2, you can later store ADMX policy templates in a centralized location where all GPOs can see them (\\domain.corp\sysvol\domain.corp\policies\policydefinitions) - and note I said ADMX, not ADM.  There is a procedure to do this that I won't outline here.  In this scenario, when you upgrade your domain, you're more likely to create new GPOs rather than try to 'pull out' the ADM templates - it's less work to start over than miss something (accidentally delete something) and troubleshoot.


    • Proposed as answer by sklamo Tuesday, May 15, 2012 11:45 AM
    Wednesday, July 06, 2011 7:58 PM
  • My issue is a little different. I have a 2003 domain. I just installed a 2008 R2 machine to be a RDS host for a single application. I moved it into the TS OU. There is a domain TS lockdown policy for the present 2003 TSs. When run on the R2box , the GPOs in the  TS lockdown policy are spotty at best, even working intermittently. With things like PowerShell and Server Manager, that policy doesnt know what those things are. I moved it out of the TS OU and back to the member server OU and it still hangs on to some of those GPOs. Am I understanding correctly that if I add a Windows 7 machine with RSAT on it to the domain I would be able to 'patch up the holes' so to speak so the domain TS lockdown policy would run correctly on the RDS host?
    Monday, November 07, 2011 5:58 AM
  • HI,

     

    we have a win 2003 DC with a mixture of WIN XP and WIN 7 PC's i have created the Policy Definitions folder under %root%Windows\SYSVOL\domain\policies and copied the admx files to it. I have installed RSAT on a WIn 7 PC to edit the admx files.

     

    Question is. What happens to the XP machines when they log on. Do they still use the old adm files?

    Also do i have to recreate all the policies for the WIN 7 PC's in the admx files?

     

    thanks

     

    Gareth

    Tuesday, November 15, 2011 4:31 PM
  • I also heard that you can simply copy the admx files from any win 2008 server and put them into the same folder as the admx files on the win2003 svr.

    Then when you open GPO you simply see all the additional Win vista/7 GPOs.

    I wonder if this is true, I have not tried myself.

     

    Any comments??


    Also, try http://www.thetechgroup.com.au/forum/1/, it worked for me!
    _____________________________________________________
    Real Engineers, Real Problems, Real Solutions
    www.thetechgroup.com.au
    Tuesday, November 29, 2011 11:23 PM
  • Here's a big question that has been bugging me.  Do you need Windows Server 2008 R2 to be able to manage Windows 7?  I have Windows Server 2008 Enterprise boxes running SP2, but they aren't R2 boxes.  In my case would I still have to setup a Windows 7 GPO management station?

    -Dan

    Monday, February 06, 2012 10:06 PM
  • Am 06.02.2012 23:06, schrieb Dan_F:
    >
    > Here's a big question that has been bugging me.  Do you need Windows
    > Server 2008 R2 to be able to manage Windows 7?  I have Windows Server
    > 2008 Enterprise boxes running SP2, but they aren't R2 boxes.  In my
    > case would I still have to setup a Windows 7 GPO management station?
    >
     
    Hi, Dan. You don't need a Server, the client (Win7) with RSAT is sufficient.
    sincerely, Martin
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Tuesday, February 07, 2012 4:18 PM
  • From the article above, linked by Wilson Jia:

    "New Windows Vista–based or Windows Server 2008–based policy settings can be managed only from Windows Vista–based or Windows Server 2008–based administrative computers running the GPMC and the Local Group Policy Editor. Such policy settings are defined only in ADMX files and are not exposed on the Windows Server 2003, Windows XP, or Windows 2000 versions of these tools. An administrator will need to use the GPMC and the Local Group Policy Editor from a Windows Vista–based or Windows Server 2008–based administrative computer to configure new Windows Vista–based Group Policy settings."

    From Travis McIT above:

    "Win7:

    1) Get a server 2008 r2 disc
    2) Login to a Windows 7 SP1 or 2008 R2 SP1 system as your domain admin account (must have schema admin permission)
    3) Extend the schema & domain (http://technet.microsoft.com/en-us/library/cc771461%28WS.10%29.aspx)
    4) Dedicate a workstation or server for the sole purpose of managing the Windows 7 / 2008 R2 GPOs
    5)  Install the RSAT Tools for Win7 SP1 (http://www.microsoft.com/download/en/details.aspx?id=7887) OR Use 2008R2 SP1's Server Manager and install RSAT tools from there
    6) You can now manage Windows 7 / Server 2008 GPO objects for your domain.  These policies *MUST* be created & managed by this machine until you install Server 2008 R2 domain controllers"

    Based on this information could someone confirm the following for me. Our orginization has three DCs, all Server 2003. There are 10 Server 2008 servers used as Remote Desktop Servers. The environment is setup that most users log onto these servers via this clients and a RD Connection Broker. I want to be able to apply several settings with GPO to the user sessions, notably mapping shares and network printers. If I use the method outlined by Travis McIT, will the GPO(s) I set up be implemented when users start a seesion on one of the RD servers?


    • Edited by Zharkov Thursday, April 05, 2012 1:14 PM
    Thursday, April 05, 2012 1:13 PM