Do I need to update my server to support new policies? When do I need to separate policies?

I just blogged about this very question over on my blog. Essentially the question we hear a lot is: do I need to update the Schema/Active Directory/Servers/functional modes etc. to support a new client OS version? I won't revisit that.

Sometimes there's a need to separate policies for specific OS functions, but not to "update" them. Which then raises the question:

When do I need to separate policies?

When Vista came along, it introduced new functions that radically changed how some things were managed. Examples (not an exhaustive list) are:

1. Firewall

2. IPSEC

3. Wireless config

4. Auditing

In these instances you really need to separate out the policies, because older settings designed for XP/2003 can have an unpredictable effect on Vista/2008, and it can be difficult to diagnose where the two sets of settings overlap when they are applied. Think about IPSEC being applied to the client through both the older IPSEC policy method and Vista's newer method!

The best practice here is to make sure you separate out your XP/2003 policies from your Vista ones. You can use WMI filters (assuming you have no Windows 2000 left in your network, since Windows 2000 clients ignore WMI filters and apply the GPO anyway), security filtering with ACLs and groups (the Read/Apply method), or even separate OUs.
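As an added example (not from the original post), here are the kind of WQL queries an OS-specific WMI filter would use, plus a PowerShell check that evaluates them against a machine the same way the Group Policy engine does, so you can confirm before linking that exactly one filter matches each host. The filter names and the `Test-GpoWmiFilter`/`Get-MatchingGpoFilters` functions are assumptions for this example.

```powershell
# Constructed example: WQL queries that split XP/2003 GPOs from Vista/2008 GPOs.
# Win32_OperatingSystem.Version is "5.1.x" for XP, "5.2.x" for 2003 (and XP x64),
# "6.0.x" for Vista/2008; ProductType is 1 = workstation, 2 = DC, 3 = member server.
# Caveat: Windows 2000 clients ignore WMI filters and apply the GPO unconditionally.
$wmiFilters = @{
    'XP clients'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = "1"'
    '2003 servers'  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType <> "1"'
    'Vista clients' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = "1"'
    '2008 servers'  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType <> "1"'
}

function Test-GpoWmiFilter {
    # A WMI filter passes when its query returns at least one instance; that is
    # the rule the Group Policy engine applies, so we mirror it here.
    param([string]$Query, [string]$ComputerName = '.')
    $result = Get-WmiObject -Query $Query -ComputerName $ComputerName -ErrorAction Stop
    return ($null -ne $result)
}

function Get-MatchingGpoFilters {
    # Returns the names of every filter that would let its GPO apply to $ComputerName.
    # More than one hit means the OS-specific policies still overlap on that host.
    param([string]$ComputerName = '.')
    $hits = @()
    foreach ($entry in $wmiFilters.GetEnumerator()) {
        if (Test-GpoWmiFilter -Query $entry.Value -ComputerName $ComputerName) {
            $hits += $entry.Key
        }
    }
    return $hits
}

# Usage: check the filters against the local machine before linking the GPOs.
$matched = Get-MatchingGpoFilters
"Filters matching this host: $($matched -join ', ')"
if ($matched.Count -gt 1) {
    Write-Warning 'Filters overlap: more than one OS-specific GPO would apply to this host.'
}
```

Run it with `-ComputerName` against a representative XP, 2003, Vista and 2008 machine; on anything newer than those OS versions none of the queries match, which is expected for this example.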

Michael Kleef

Program Manager