Neil,
Not sure if it is best practice, but what I do
is:-
1. Leave on the Auto upgrade of ADM files. We
assume that Microsoft always adds to ADM files, never changes existing
keys.
2. Always use a different ADM file for your
modifications. Never change the microsoft ones.
3. Leave the Domain GPO alone for security
settings and password policy etc. Create another GPO for the "non
standard" stuff. (Note there was a long discussion on this very point 6
months ago and I think the general conclusion was that there wasn't a lot of
technical reasons for doing so, just easier to understand what was going
on)
4. I also create a GPO applied to a Test OU and
then link it across when it is fully tested. I feel this is just as safe (or
maybe safer) than doing it in a different domain then importing it. Admittedly,
if you are testing complex changes were multiple policies interact, a separate
domain is good since the policies will apply in exactly the same order as your
final implementation.
Alan C
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
|
Title: Updating ADM files - best practices