Understanding Group Policy (Part 3 of 3): Webcast (11-20-2006)


Here is the link to the Part 3 webcast: Understanding Group Policy (Part 3 of 3)

Here are the questions and answers for Part 3:

Question: Is there some kind of Group Policy settings update, so a Windows 2000 Server can configure GPs for XP and Vista clients, and a Windows 2003 Server could configure GPs for Vista clients?
Answer: Yes, there is an MSI you can download and install on the Windows 2000 Server. Check out https://www.petri.co.il/download_gpo_adm_files.htm for more information. However, another option is to copy the .adm files from a Windows Vista machine into the %systemroot%\inf folder on the Windows 2000 Server, then open your GP editor tool and load the new .adm files you copied over. A final option is simply to manage your domain Group Policies from a Windows Vista workstation. (This works because the built-in Vista GPMC uses the local Vista .adm files, giving you all possible settings to manage.)

Question: I am trying to generate the RSoP using the GPMC wizard from my 2003 Server R2. I am trying to do it for another computer and user in the domain. Although I can choose a specific computer, I am not able to choose a specific user (the option is grayed out). What could be causing this problem? I am logged on as the server administrator.
Answer: I have some thoughts, but I can't be sure what the problem is in your specific situation. For one thing, you must be logged on as a domain administrator for the domain you are trying to test. Another possible issue is that you have the user RSoP setting disabled in Group Policy: Disallow Interactive Users from generating RSoP data (Computer and User Configuration/Administrative Templates/System/Group Policy). If this setting is enabled, interactive users cannot generate RSoP data. Again, I'm not sure what is going on here exactly. Try Jeremy Moskowitz's website for answers as well: https://www.gpanswers.com/
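The two conditions named in the answer (domain-admin membership and the "Disallow Interactive Users from generating RSoP data" policy) can be checked from the console before re-running the wizard. This is an added example, not from the webcast: it assumes the GroupPolicy PowerShell module (RSAT / Windows Server 2008 R2 or later), placeholder names CONTOSO\jdoe and WKS01, and that the policy writes the DenyRsopToInteractiveUser value under the Policies\Microsoft\Windows\System key in the machine and user hives.

```powershell
# Added example (not from the webcast). Placeholders: CONTOSO\jdoe on WKS01.
$TargetUser     = 'CONTOSO\jdoe'
$TargetComputer = 'WKS01'

# 1. Domain-admin check (the answer's first condition): look for the Domain
#    Admins RID (-512) among the SIDs of the current token's groups.
$groupSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }
$isDomainAdmin = [bool]($groupSids -match '-512$')
if (-not $isDomainAdmin) { Write-Warning 'Not running as a member of Domain Admins' }

# 2. "Disallow Interactive Users from generating RSoP data" sets
#    DenyRsopToInteractiveUser=1 (assumed value name) in the machine (HKLM)
#    and/or user (HKCU) policy key; either one blocks RSoP for this session.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\System"
    $v = Get-ItemProperty -Path $key -Name DenyRsopToInteractiveUser -ErrorAction SilentlyContinue
    if ($v -and $v.DenyRsopToInteractiveUser -eq 1) {
        Write-Warning "RSoP generation is denied by policy in $hive"
    }
}

# 3. Logging-mode RSoP for the remote user/computer pair. Needs admin rights on
#    the target, and the user must have logged on there at least once.
$report = Join-Path $env:TEMP "rsop-$TargetComputer.html"
Get-GPResultantSetOfPolicy -Computer $TargetComputer -User $TargetUser `
    -ReportType Html -Path $report
Write-Host "RSoP report written to $report"

# Same data via the classic tool; /r is Vista and later, omit it on Windows 2003.
gpresult /s $TargetComputer /user $TargetUser /r
```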

Question: I have heard the registry is being phased out. Is regedit here to stay or not? If it's not, then how does this affect our custom-created .adm files?
Answer: The registry is here to stay (at least for the foreseeable future). I have not heard any internal or external reports of the registry going away. I would feel comfortable spending the time it takes to create custom adm files for my business.

Question: I have seen elsewhere that when creating GPOs to apply to an OU it is recommended to create separate GPOs for computers and users. Is that so, and why? It is confusing to me that when a new GPO is created it has a computer and a user part, and it would make sense to me to create policies for both computers and users there instead of having two separate GPOs.
Answer: Separating user and computer policy settings is generally a good idea for troubleshooting and for clarity's sake. There is also a small (very small) performance gain when your policies are applied, since you can disable the portion of the GPO that you are not using (i.e. if it is a computer policy, you can disable the user portion of the policy so it is not read, and vice versa).

Question: Is there any documentation from MS that details creating custom GPOs?
Answer: Sure! Try this for Microsoft official help: https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx#ESNAC
For a non-MS perspective: https://www.gpanswers.com/downloads/4298Web1.pdf

Question: Why does Microsoft allow the ability to deny Read to any or all administrators for the GPO? Wouldn't it be sensible to make sure at least one administrator cannot have Deny Read applied?
Answer: We trust you to do the right thing here. But, essentially, there is really never a valid reason to deny Read to any administrator for a GPO. However, if Microsoft prevented you from denying the Read permission to every administrator, you can bet someone would complain about that too. :)

Question: How can I set up GP to let users of a multi-user PC log on individually instead of sharing a common username and password? For instance, GP is set to activate the password-protected screen saver, but another user needs to use the PC and be able to log on, in effect logging off the current user, so they can use the PC if the previous user has not logged off but instead locked the PC, and use the same profile, not a roaming profile.
Answer: Well, I would recommend creating a separate OU for community workstations. Then, link a new GPO to that OU that prevents users from locking the workstations. Instruct users to log off when they leave a workstation, or, better yet, give them a smart card that logs them on and automatically logs them off when they pull the smart card and walk away. Most companies today (like hospitals, at nursing stations) use smart card technology to do this.
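The community-workstation GPO from this answer, built as the computer/user GPO pair recommended in the earlier answer on separating settings. It is an added example, not from the webcast, and it assumes the GroupPolicy PowerShell module (RSAT / Windows Server 2008 R2 or later) with placeholder OU and GPO names. The pair is not just tidiness here: User Configuration settings in a GPO linked to an OU of computers only apply when loopback processing is turned on, and loopback is itself a computer setting, so it has to live in the computer-side GPO.

```powershell
# Added example (not from the webcast); OU and GPO names are placeholders.
Import-Module GroupPolicy
$ou = 'OU=Community Workstations,DC=contoso,DC=com'

function New-HalfGpo {
    # Create (or reuse) a GPO, disable the half that is not used, link it to the OU.
    param([string]$Name, [string]$Status)   # UserSettingsDisabled | ComputerSettingsDisabled
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    $gpo.GpoStatus = $Status                # same as GPMC's "disable ... settings" option
    # New-GPLink errors if the link already exists; that is fine on a re-run.
    New-GPLink -Name $Name -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# Computer half: loopback processing so the user half below applies to whoever
# logs on to these PCs. Computer Configuration\Administrative Templates\System\
# Group Policy\User Group Policy loopback processing mode -> UserPolicyMode
# (2 = Replace: only this OU's user policy applies; 1 = Merge).
$c = New-HalfGpo -Name 'Community WKS - Computer' -Status UserSettingsDisabled
Set-GPRegistryValue -Name $c.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName UserPolicyMode -Type DWord -Value 2 | Out-Null

# User half: "Remove Lock Computer" (User Configuration\Administrative Templates\
# System\Ctrl+Alt+Del Options) writes DisableLockWorkstation=1 in the user hive.
$u = New-HalfGpo -Name 'Community WKS - User' -Status ComputerSettingsDisabled
Set-GPRegistryValue -Name $u.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName DisableLockWorkstation -Type DWord -Value 1 | Out-Null

# Verify both halves: each GPO should show only its own half enabled.
Get-GPO -All | Where-Object { $_.DisplayName -like 'Community WKS - *' } |
    Select-Object DisplayName, GpoStatus
```

Removing the lock option only forces a log-off instead of a lock; it does not shorten the window in which an unattended session stays usable, which is what the smart-card removal behaviour in the answer addresses.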

Question: How about moving GPOs between forests?
Answer: You must use the backup/import functionality to do this. Linking or copying are not options between forests.
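The backup/import path from this answer, as an added example (not from the webcast). Security principals and UNC paths embedded in a GPO are forest-specific (the SIDs in security filtering, restricted groups, folder redirection and script paths do not exist in the other forest), so the import uses a migration table to map them; the same table format is what GPMC's Migration Table Editor produces. It assumes the GroupPolicy PowerShell module (RSAT / Windows Server 2008 R2 or later) and placeholder forest, GPO, group and server names.

```powershell
# Added example (not from the webcast); all names and paths are placeholders.
Import-Module GroupPolicy
$backupDir = 'C:\GPOBackups'          # copy this folder to a DC/admin host in forest B
$gpoName   = 'Workstation Lockdown'   # GPO to move

# --- Run in forest A (contoso.com): back up the GPO ---
Backup-GPO -Name $gpoName -Path $backupDir -Domain 'contoso.com' `
    -Comment 'Export for fabrikam.com' | Out-Null

# --- Run in forest B (fabrikam.com), after copying $backupDir over ---
# Migration table: maps forest-A principals and paths to their forest-B
# equivalents. Valid <Type> values include User, Computer, GlobalGroup,
# LocalGroup, UniversalGroup and UNCPath. Unmapped entries are imported as-is,
# which leaves dangling SIDs in the target GPO, so review the backup's report first.
$migrationTable = @"
<?xml version="1.0" encoding="utf-8"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>CONTOSO\Helpdesk</Source>
    <Destination>FABRIKAM\Helpdesk</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\contoso-fs\scripts</Source>
    <Destination>\\fabrikam-fs\scripts</Destination>
  </Mapping>
</MigrationTable>
"@
$mtPath = Join-Path $backupDir 'contoso-to-fabrikam.migtable'
Set-Content -Path $mtPath -Value $migrationTable -Encoding UTF8

# Import into forest B, creating the target GPO if it does not exist yet.
Import-GPO -BackupGpoName $gpoName -Path $backupDir -TargetName $gpoName `
    -Domain 'fabrikam.com' -CreateIfNeeded -MigrationTable $mtPath | Out-Null

# Verify: the imported GPO exists in forest B and is unlinked until you link it.
Get-GPO -Name $gpoName -Domain 'fabrikam.com' | Select-Object DisplayName, Id, GpoStatus
```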

Question: Can WMI filters be used on Windows 2000 devices?
Answer: Yes, although the WMI options are slightly different. Check msdn.microsoft.com for more information on WMI scripting.