I suspect this thread is creeping ever-so-close to the heralded "beaten-to-death" status, but let me add a line of thought here that I alluded to earlier.
Deji, as I mentioned, there is nothing technically hard in allowing 2003 or XP systems to edit Administrative Template policy for Vista machines. The ADMX is, in simplified terms, ADM in XML. So, if enough people wanted it, I or someone could probably write a parser that would take all the ADMXs and convert them back to ADM and Microsoft wouldn't have to do a thing about it, because ADMs are just ADMs. However, let's say I did that. Vista doesn't just add new Administrative Template settings. It also adds new Client Side Extensions built on new OS capabilities. So, backporting ADMXs only now suddenly makes administration of Group Policy more complex (regardless of where you do it), because now you've got GPOs that are meant for XP and 2003 being administered from those platforms, you've got GPOs meant for Vista, administered from Vista and showing all the new functionality and then GPOs with some Vista functionality (i.e backported ADMXs) but not all administered from downlevel platforms . I hope you would agree, that this would be extremely confusing. Ok, so now lets take the next logical and say to Microsoft, "hey Microsoft, you need to backport all that new Vista GP stuff to XP and 2003 because we want to manage it from there". Well, a lot of that new functionality in GP is built on core OS components that don't exist or are updated for Vista. So now, instead of just backporting a bunch of XML files, you've also got to backport those Client Side Extensions and the core OS functionality they are dependent upon. So now, instead of Vista shipping in November of 2006, it gets pushed to 2010, because, hey, Group Policy isn't the only area that wants the new stuff on the old platforms, so does XYZ feature. And suddenly, we all get angry at MS for never shipping their stuff they keep promising. I would submit that this is just a hard one to please everyone with, and they are taking the best possible approach to be able to ship a new OS to the umpteen-million people that use it. I am very cognizant of the fact folks like Susan supports in the SBS world, or just regular customers sometimes don't do things optimally. And, they will absolutely have to deal with this issue and likely many others as Vista gets deployed. I think the best thing we, as technology professionals in our various expertises, can do is to help folks understand what the best practices are and explain to them what happens when they don't follow those, so at least they know what to expect. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, December 15, 2006 1:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Since many of us are in the habit of expressing various opinions, perhaps we should refrain from characterizing those with which we disagree as "the height of professional arrogance" and "misinformed". See, if we start doing that, I might express the opinion that referring to Microsoft's customers as "clueless" and insisting that Microsoft should accommodate "cluelessness" at the expense of new product development, security and code review (which is exactly what the expense is to devote resources to doing nothing but backporting new features) is the height of professional inexperience, myopia and lack of exposure to sophisticated IT environments. But I won't. :-) Laura _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 2:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Tim, it is the height of professional arrogance to think that anyone who don't/can't/won't do things the way you think they should be done (best practices) are "lazy and uninformed". I know you said that it is just your opinion, and, if I were like you, I would hazard that it is a misinformed opinion. But I won't. Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com <x-excid://32770000/uri:http:/www.akomolafe.com> - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _____ From: Tim Vander Kooi Sent: Fri 12/15/2006 10:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us. Just my opinion, Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, December 15, 2006 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO >>> People don't seem to have a problem with that concept when it comes to game consoles :) Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the "ideal" is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned. Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com <x-excid://32770000/uri:http:/www.akomolafe.com> - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _____ From: Darren Mar-Elia Sent: Fri 12/15/2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :) Darren -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory?? ----------------------------------------------------------------------- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 ---------------------------------------------------------------------- "I love the smell of red herrings in the morning" - anonymous -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, December 15, 2006 10:05 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine. Darren Darren Mar-Elia CTO & Founder www.sdmsoftware.com [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 6:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that. ----------------------------------------------------------------------- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 ---------------------------------------------------------------------- "I love the smell of red herrings in the morning" - anonymous -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 4:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortuately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista. Darren -----Original Message----- From: "Za Vue" <[EMAIL PROTECTED]> To: ActiveDir@mail.activedir.org Sent: 12/14/2006 1:18 PM Subject: Re: [ActiveDir] Vista GPO Sorry. Exactly what Ben wrote. Thanks.. -Z.V. WATSON, BEN wrote: > Maybe he may be referring to the location of any possible new ADM files > included with Vista. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia > Sent: Thursday, December 14, 2006 10:34 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Vista GPO > > What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, > unless you mean the LDIF files that are in sources\adprep on the Vista > CD? > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue > Sent: Thursday, December 14, 2006 9:57 AM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Vista GPO > > Anyone know what and where the GPO plugin for Win2003 on the Vista DVD > is called and located? > > -Z.V. > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.20/588 - Release Date: 12/15/2006 10:02 AM -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.15.20/588 - Release Date: 12/15/2006 10:02 AM
