Home » Microsoft, Windows 7, Windows Server

Supporting Windows 7 Group Policy Settings with Windows Server 2003 Domain Controllers

Author: Mark Menges 16 March 2010 25,043 views 25 Comments
Tags:

Recently, I was asked the following question: “We plan to implement Windows 7 in our network very soon. We want to use Windows 2003 Domain Controllers for the next couple of years. Can we make the hundreds of new Group Policy setting available to Windows 7 Windows Server 2003 DCs?”

This is not an unusual situation. Some organizations find they need to replace their desktop computers immediately because of age or obsolescence and others wish to upgrade to Windows 7 because of its superior security and performance. But there may be no budget or desire to upgrade to Windows 2008 or 2008 R2. Luckily, it is not difficult to adapt Server 2003 to work with Windows 7.

Group Policy settings are edited through the use of ADM and ADMX template files. These files are accessed though the Group Policy Management Console (GPMC) or the Group Policy Object Editor (GPOE). As settings are configured in the editing tools a Registry.pol is created. The Registry.pol file is made available to client computers in the Group Policy Object Container on the Domain Controller. Client computers process the Registry.pol file to receive their Group Policy settings. The ADM/ADMX files are needed only by computers running the editing tools. Editing Group Policies using ADMX templates requires that the editing tools be run only on Microsoft Vista, Server 2008 or Windows 7. ADM templates can be edited on Windows XP or Server 2003. ADMX files use XML-based markup language that includes no language specific comments or descriptions. The ADMX file references sADML files in a sub-folder  such as EN-US (for English) or FR (for French) that give the ADMX file appropriate language support. Multi-national organizations will only have to deploy one set of ADMX files and can add  ADML files for each language spoken by its administrators.

One of the chief benefits ADMX and ADML files is that they can be made available through the use of a Central Store on the Domain Controllers. Windows Server 2003 can host a Central Store as easily as Server 2008. To create a Central Store simply create a PolicyDefinitions folder in the SYSVOL with a path of  %WINDIR%\SYSVOL\domain\Policies\PolicyDefinitions. Copy the ADMX templates from a Windows 7 computer into the SYSVOL location. Window 7 keeps a copy of the ADMX and ADML files in its own PolicyDefinitions folder located in the Windows folder. Once it is placed in the Central Store, the File Replication Service on Server 2003 will replicate the PolicyDefinitions folder to all Domain Controllers in the Domain so that the templates are available for use by the editing tools. An ADMX/ADML Central Store requires much less space on the SYSVOL than ADM files and will reduce replication costs.

–Mark

Related Courses

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services (M6425)

Implementing and Administering Windows 7 in the Enterprise (M50292)

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services (M6425)

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading ... Loading ...

25 Comments »

  • Ruben said:

    Hello Mark,

    When you copy the PolicyDefinitions folder to the sysvol share, does it affect your WinXp and Server2003 policies ?

    Regards,

    Ruben Schmidt

    # 31 May 2010 at 6:34 AM
  • timatgk said:

    Hi Ruben,
    Your existing GPOs will be fine. They are stored in the Sysvol\Domain\Policies Folder with unique Guids to identify them. Additionally , the new ADMX files include all the old settings for Windows XP and 2003 so you can create new GPOs as needed for those OSs. Just be sure to run the Group Policy Management console on Windows 7 to see all the settings. And be sure to backup your environment before you switch to ADMX.
    Mark

    # 2 June 2010 at 3:09 PM
  • Simon said:

    Hi,

    This is all fine but when you come to assign domain groups to win7 policies meaning admx files where and how do you do that? In order to see the admx files you need a win7 client but in order to apply these say to an OU would this have to be done on a 2008 server or could this be done in some way from a Win2k3 Server?

    Considering win2k3 has no idea of admx or adml files how would you see these on a 2k3 server?

    Thanks.

    Simon

    # 12 August 2010 at 8:51 AM
  • Simon said:

    Hi

    Thank you for your response. I do already understand all that you sent and specified. My original question is still not answered.

    After I have done my policy editing how do I say apply to a group in AD? Of course i cannot use the GPMC in win2003 server but is there one I can use in Win 7? That is all I am asking.

    If I use the win7 gpmc then will that show me the new settings or templates that I can then assign to various domain OUs, users and groups.

    Thank you.

    # 13 August 2010 at 1:24 AM
  • Mark Menges said:

    You can install the Remote Server Administrator Tools (RSAT.msi) on Windows 7 or Vista. It will have the GPMC with all the latest settings.   http://​www​.microsoft​.com/​d​o​w​n​l​o​a​d​s​/​d​e​t​a​i​l​s​.​a​s​p​x​?​d​i​s​p​l​a​y​l​a​n​g​=​e​n​&​a​m​p​;​F​a​m​i​l​y​I​D​=​7​d​2​f​6​a​d​7​-​6​5​6​b​-​4​3​1​3​-​a​0​0​5​-​4​e​3​4​4​e​4​3​997d  

    # 13 August 2010 at 10:13 AM
  • Natalie said:

    Mark,

    I don’t understand why I would copy the .admx/adml files to server 2k3 if the server gp editor can’t read them and therefore attach them to a gpo and assign them to an ou.

    Or are you saying to make local policy changes on a win7 client and THEN copy the admx/adml files to the server 2k3? How do these files replicate to all the win7 clients if they aren’t attached to a gpo and then an ou?

    So then how do I attach these admx/adml (once they are in the central store) to a specific ou if the gp editor on server 2k3 can’t see them?

    Thanks.
    Natalie

    # 29 September 2010 at 9:29 AM
  • Mark Menges said:

    Hi, You must use gpedit from a Vista, 2008 Server or Windows 7 machine to edit admx-based settings. Server 2003 can replicate the ADMX files placed in its Sysvol share to all of the other domain controllers using FRS.. By default the group policy editor in the Group Policy Management Console will connect to the PDC emulator role holder on the domain. All edits made will be replicated by FRS. If an updated admx is uploaded to the central repository it is not necessary to import it into each GPO. There is a terrific white paper for Micosoft on this topic and I am attaching it to this email.   Mark..

    # 30 September 2010 at 12:45 PM
  • Bill S said:

    Mark,

    I would like to read the whitepaper as well. Can you connect me too? I tried to find it on my own but could only guess at the content.

    # 6 October 2010 at 6:55 AM
  • Mark Menges said:

    Here is the link for this an other Windows 7 white papers: http://​www​.microsoft​.com/​d​o​w​n​l​o​a​d​s​/​e​n​/​d​e​t​a​i​l​s​.​a​s​p​x​?​F​a​m​i​l​y​I​D​=​1​8​c​9​0​c​8​0​-​8​b​0​a​-​4​9​0​6​-​a​4​f​5​-​f​f​2​4​c​c​2​0​3​0​f​b​&​a​m​p​;​d​i​s​p​l​a​y​l​a​n​g=en

    # 6 October 2010 at 1:03 PM
  • Adrian said:

    Hi

    this is abit off topic but i couldnt find anything on it, but this is similar to what i have to ask.

    is it possible to manage group policy for a 2008 r2 server on a 2008 standard server? is so how

    Thank you

    # 14 July 2011 at 2:19 AM
  • Usman Ali said:

    hi,

    When you copy the PolicyDefinitions folder to the sysvol share,
    does it affect your WinXp and Server2003 policies?

    Regards,

    Usman Ali

    # 15 July 2011 at 12:46 AM
  • Mark Menges said:

    Adrian,

    The best choice may be to install the RSAT tools on Windows 7.You can download the latest version of the Remote server Administration tools (rsat.msi] from Microsoft downloads.

    http://​www​.microsoft​.com/​d​o​w​n​l​o​a​d​/​e​n​/​d​e​t​a​i​l​s​.​a​s​p​x​?​i​d​=​7887

    Mark

    # 15 July 2011 at 9:45 AM
  • Mark Menges said:

    Usman,

    The older XP and 2003 Server adm policies are not affected. The Admx templates include all of the settings from all of the ADM microsoft has released in the past as well as windows 7 and server 2008 settings. You can continue to import custom ADM templates into the Administrative Templates node of a GPO.

    Mark

    # 16 July 2011 at 8:16 AM
  • saji said:

    Hi all,

    i have 2003 ent sever i had installed CSE for to get GPP but after the installation i am not able to find out group policy and preference at Gpeditor.
    if anybody can help me out for this .…
    thanks

    # 4 August 2011 at 5:39 AM
  • Mark Menges said:

    Saji,

    You need to install the latest version of the Remote Server Administration tools to be able to see the Preferences settings. The RSAT tools can be downloaded from Microsoft downloads and installed on Vista, Windows 7 or Server 2008 only.

    # 4 August 2011 at 9:04 AM
  • Mark D said:

    Hi Mark

    i have installed Group Policy Management console on or 2008 memebr server which is on our 2003 domain.

    If i copy the Policy Definitions folder into a sub folder of our SYSVOL\Policies how does the server know where to find them? Do i have to point the 2008 GPOs i create to this seperate repository somehow??

    # 22 August 2011 at 10:35 AM
  • Mark M said:

    Mark,

    When you open the Group Policy Managment Tool and edit a GPO the Administrative Templates node in the editor should say that the template are from the central store on the server. Gpedit looks to the server that runs the PDC emulator role. You should be running the new version of the RSAT tools that are found on Server 2008. The best way to copy the admx and adml files is to follow the procedure at http://​support​.microsoft​.com/​k​b​/​9​2​9841

    Mark

    # 22 August 2011 at 1:15 PM
  • Brian said:

    Hi Mark,

    So in a nutshell– is this all about storage and replication of ADMX files from on domain controller to another? It’s more of a redundancy process, — a step one would take to avoid losing the GPO or GPP settings for a Windows 7 PC, correct?

    Please explain further if I am wrong but that’s all I am seeing that this copy is for(not being negative– I am just wondering why else whould I do this?). Because I still have to control group policies and preferences for windows 7 and Vista from the Group policy management Console from a Windows 7 PC.

    I would a appreciate your help on this.

    thank you,
    Brian

    # 11 October 2011 at 11:23 AM
  • MARK said:

    Brian,

    You are correct in your assumption. When you create a central store for ADMX any group policy editor opened on a computer in the domain will use the templates on the store. To update the template for the domain simply add the templates to the store on one of the domain controllers and Sysvol replication will take care of the rest.

    Mark M

    # 18 October 2011 at 2:57 PM
  • hadi said:

    hi
    I install windows server 2008 R2 Enterprise and install active directory. I have a problem:
    I install windows 7 on the clients and join clients to domain controller and group policy setting on windows server2008 but this active not on the clients but active on the server 2008.
    please help me

    # 20 October 2011 at 4:51 AM
  • hadi said:

    hi
    I can apply group policy windows server 2008 on the windows 7 from domain controller ?
    please help me.

    # 20 October 2011 at 5:03 AM
  • David said:

    Great help! Thank you.

    Two questions:

    1. Clarification: I typically use gpmc on my 2008r2 dc to roll out policies. I am hoping that adding the admx / adml files to my 2003 servers will allow win7 clients attached to those 2003 dcs to get the 2008r2 only gps (desktop shortcuts: they don’t seem to right now). Correct?

    2. Question: How do my 2008r2 gpmc modifications update those in the central store or do I need to point my 2008r2 gpmc to those files?

    Thanks much!

    # 8 December 2011 at 4:17 PM
  • MARK said:

    David,

    Once you have created a central repository of admx and adml templates in the Sysvol the Group Policy Editor in the GPMC will automatically point to it. Just make sure you are using the version of GPMC that is included in the RSAT tools for Windows Server or Windows 7. If you have a customized admx just upload it to the repository and it will replicate to all of the DCs using Sysvol replication. The editor will by default point to the Sysvol on the PDC emulator role holder which makes it the best place to update your templates.

    Mark

    # 9 December 2011 at 5:37 PM
  • Andy said:

    Hi,
    So in an enviournment consisting of multiple 2003 DC’s and one 2008 DC the updates to the cental repository of admx files will be automatically done if polices are edited on the 2008 DC but not if updated on a windows 7 workstation. These customized admx files if done on a windows 7 workstation would need to be manually copied to the sysvol folder, then frs would replicate to the rest of DC’s.

    # 18 January 2012 at 7:18 AM
  • MARK said:

    Andy,

    That is correct.

    Mark

    # 19 January 2012 at 10:10 AM

Leave your response!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.

Be nice. Keep it clean. Stay on topic. No spam.

You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

This is a Gravatar-enabled weblog. To get your own globally-recognized-avatar, please register at Gravatar.