02.24.10

More on Group Policy Backups and Version Compatibility

Posted in GPMC at 6:35 pm by Administrator

As a follow-on to my last blog post, here’s another interesting Group Policy Backup scenario to keep in mind. A user emailed that they were having problems importing a GPO backup that was created on a test Server 2008-R2 AD domain, into a Server 2003 AD domain. Theoretically this should work ok, but the user was getting nondescript errors about directory attributes not being found when they tried the import. I scratched my head for a bit on this one and then it hit me! I asked the following question, “Are you using Wired or Wireless Policy within that GPO on the 2008-R2 domain?”. His answer was a resounding “YES”, and then I knew where the problem was.

Microsoft makes decisions about where to store GP settings for each policy area (e.g. registry, security, folder redirection, etc.) based on the amount and type of data they need to store. In some cases, like registry policy, the settings are stored in files in the SYSVOL part of the GPO, called the Group Policy Template, or GPT. In other cases, like the new Wired and Wireless policies that were first introduced in Server 2008, those settings are stored in the AD part of the GPO, called the Group Policy Container, or GPC. In order to store these settings in AD, Microsoft often introduces new schema classes and attributes to AD to accommodate the setting types. In fact, that is exactly what was happening here.

The user was creating the GPO settings in a version of AD that contained these newer schema extensions, and then tried importing those backed-up GPOs into a version of AD that did not. The result was the failure they saw. All it took to resolve was to update the Server 2003 AD schema to at least the Server 2008 version, and the import worked. There was no need to upgrade their DCs to accommodate the newer settings–all that was needed was the proper schema extensions and all was well (of course, they still need clients that can process those newer settings–in this case Vista and greater).

Problem solved!

Darren
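A pre-flight check for the scenario in the post above, as an added example that is not from the original post: it reads the schema `objectVersion` of the source and target forests and flags a target that is below the Server 2008 schema before you attempt the import. The function names and the domain names `test.example` and `prod.example` are hypothetical placeholders.

```powershell
# Added example (not from the original post).
# Known schema objectVersion values: 30 = Server 2003, 31 = Server 2003 R2,
# 44 = Server 2008, 47 = Server 2008 R2.
$SchemaNames = @{ 30 = 'Server 2003'; 31 = 'Server 2003 R2'
                  44 = 'Server 2008'; 47 = 'Server 2008 R2' }

function Get-AdSchemaVersion {
    # Reads objectVersion from the schema naming context of the given domain.
    param([Parameter(Mandatory = $true)][string]$DomainFqdn)
    $rootDse  = [ADSI]"LDAP://$DomainFqdn/RootDSE"
    $schemaNc = [string]$rootDse.schemaNamingContext
    if (-not $schemaNc) { throw "Could not read RootDSE from $DomainFqdn" }
    $schema = [ADSI]"LDAP://$DomainFqdn/$schemaNc"
    [int]$schema.objectVersion.Value
}

function Test-GpoImportSchema {
    # Pure comparison, so it can be exercised with constructed numbers.
    # RequiredVersion defaults to 44 because Wired/Wireless policy classes
    # arrived with the Server 2008 schema.
    param([int]$SourceVersion, [int]$TargetVersion, [int]$RequiredVersion = 44)
    $name = { param($v) if ($SchemaNames.ContainsKey($v)) { $SchemaNames[$v] } else { "version $v" } }
    $ok = $TargetVersion -ge $RequiredVersion
    New-Object PSObject -Property @{
        Source   = & $name $SourceVersion
        Target   = & $name $TargetVersion
        SafeForGpcSettings = $ok
        Advice   = if ($ok) { 'Target schema can hold GPC-stored settings such as Wired/Wireless policy.' }
                   elseif ($TargetVersion -lt $SourceVersion) {
                       'Target schema is older than source: extend the target schema before importing.' }
                   else { 'Target schema predates Server 2008: Wired/Wireless policy cannot be imported.' }
    }
}

# Constructed sample: backup made in a 2008 R2 forest (47), imported into 2003 (30).
Test-GpoImportSchema -SourceVersion 47 -TargetVersion 30 | Format-List

# Live check (placeholder domain names; run from a domain-joined machine):
# Test-GpoImportSchema -SourceVersion (Get-AdSchemaVersion 'test.example') `
#                      -TargetVersion (Get-AdSchemaVersion 'prod.example')
```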

02.05.10

GPMC Backups from Downlevel Systems

Posted in General Stuff at 3:24 pm by Administrator

I had a question recently that I thought was worth blogging. The question was, “if I create a GPO using Windows 7, Server 2008 or similar newer platform, then back up that GPO using XP or Server 2003, will it back up everything?”. The answer, not surprisingly, is “it depends”. GPMC Backup only backs up the “policy areas” that it knows about. For example, if I set some policy settings within Administrative Templates policy on Server 2008 and then back up that GPO using GPMC running on XP, those Admin. Template settings will be backed up just fine, because the Admin Templates policy area exists on both versions of Windows.

But let's say I create a GPO from GPMC using Windows 7, and set some GP Preferences settings or some of the new “Advanced Audit Configuration” options, then try to back up that GPO from XP or Server 2003’s GPMC. In that case, neither the GP Preferences nor the Audit settings will be backed up because those policy areas do not exist in XP or Server 2003 (from a GPMC perspective–it's true that XP and Server 2003 can process GP Preferences settings, but they cannot manage them).

The bottom line is, as always, if you introduce newer versions of Windows into an environment and plan to leverage newer policy areas, it's always best to manage GP from those newer versions of GPMC, since GPMC is backwards-compatible but not forwards-compatible!

Darren