I'd totally agree with you Laura.  Look at how Apple has approached the 
backwards compatibility issue with Mac OS X.  Or rather, how they haven't.  
Want to stay compatible with an older version?  Stay on that version.  Pretty 
simple.  I'm not saying that is 100% the right way to go, but they avoid a lot 
of problems that way.  Out of the 50 million lines of code in Vista, I'm sure 
at least half of that is to provide backwards compatibility.  In any event, 
like you say, Laura, there's no point editing Vista GPOs if you're not running 
Vista.  And if you need to set up Vista policy, then why not run on it yourself 
and just do the editing from there?  Or is this the case of the tech who says, 
"I don't need no stinkin' eye candy, you can't make me run it"?  

 

One other thing that I really hate to hear is a complaint about how something 
works, with the comment that Microsoft "forces people to do things the way 
Microsoft wants people to do them."  That's a pretty naïve comment - I hear it 
more from kids on the public newsgroups though.  I'm surprised hearing it in 
the context of not logging into a DC to edit GPOs though.  Are there any MVPs 
here who really think logging into a DC for GPO editing (or for anything else 
that can be done remotely, for that matter) is a good practice?  So if 
Microsoft did force people to use a workstation to do configuration tasks such 
as GPO editing, that would be enforcement of what most experts agree is best 
practice - yet they don't force this.  The issue is that they released Vista 
[client] before Server is out, and they enhanced things in Vista beyond the 
previous OS (I say hooray for them), and there has not been a new release of 
any prior OS service pack since Vista's release.  In fact, Vista is barely out 
there now.  But IMHO, Microsoft does not come up with ways to do things, 
generally, that are some attempt to force people into doing things in some 
manner that has, as their ultimate goal, to 'try and take over the world.' [1]  
Rather, they try to adhere to best practices and most requested features in 
their software design, when they can, as determined by various industry experts 
- not by some idea that they can make people do this or that if they cut this 
feature.  At least, I believe this to be the case most of the time.

 

[1] if you think that, maybe you watched too much Pinky and the Brain

 

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

 

And it's the clueful customers who (rightly) become angry when something in a 
product that exists purely for backward compatibility opens a security hole. 
Now, I'm not saying that all security holes are due to backward compatibility, 
and I'm not saying that every bit of code that comes out of Redmond is perfect. 
However, I have said for years that many of the things that people don't like 
about Microsoft's products are the result of backward compatibility, not bad 
coding or a lack of consideration on the part of Microsoft's programmers. As 
somebody else (Darren? Richard?) said, there is a point where a line has to be 
drawn in the sand. I personally don't see anything dictatorial about requiring 
a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing 
Vista GPOs, that would imply that you're using Vista machines, and if you're 
using Vista machines, what is the issue with using one of those Vista machines 
as your editing workstation? I think that that *IS* a very pragmatic, realistic 
approach.

 

Sorry, I just don't follow your logic on this one.

 

That said, my opinions are purely my own, do not represent those of my 
employer, are not intended to represent those of my employer and for all I 
know, may even pi$$ off my employer. :-)

 

Laura

         

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Akomolafe, Deji
        Sent: Friday, December 15, 2006 1:42 PM
        To: ActiveDir@mail.activedir.org
        Subject: RE: [ActiveDir] Vista GPO

        I wouldn't put it in those words. But, yeah, I would expect Microsoft 
to be... shall we say...pragmatic, realistic. Something like, "enable" its 
customers to run their businesses. I mean, refrain from "dictating" its wishes. 
You know? Because at the end of the day, it is the "clueless customers" that 
actually write the checks that add up to those billions in the vault.

         

        
        Sincerely, 
           _____                                
          (, /  |  /)               /)     /)   
            /---| (/_  ______   ___// _   //  _ 
         ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
        (_/                             /)      
                                       (/       
        Microsoft MVP - Directory Services
        www.akomolafe.com - we know IT
        -5.75, -3.23
        Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon

         

________________________________

        From: Laura A. Robinson
        Sent: Fri 12/15/2006 10:19 AM
        To: ActiveDir@mail.activedir.org
        Subject: RE: [ActiveDir] Vista GPO

        So Microsoft should encourage their bad practices?

         

        Laura

                 

________________________________

                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Akomolafe, Deji
                Sent: Friday, December 15, 2006 12:39 PM
                To: ActiveDir@mail.activedir.org
                Subject: RE: [ActiveDir] Vista GPO

                >>> People don't seem to have a problem with that concept when 
it comes to game consoles :)

                 

                Bad analogy. Go stand in the corner, no wii for you :)

                 

                When people start running their businesses on game consoles, 
then you can come back and compare. For now, it's just plain incomprehensible 
that you can't manage ADMX from anything but Vista. Yeah, ideally we would want 
to encourage clients to NOT manage things directly from servers, and to ensure 
that IF they are going to introduce Vista, the IT folks' machines should be 
doing the dog-fooding, but realistically, the "ideal" is always the exception 
in this field. Microsoft should know that. People will insist on managing GPO 
directly from the DCs, best practices be damned.

                
                Sincerely, 
                   _____                                
                  (, /  |  /)               /)     /)   
                    /---| (/_  ______   ___// _   //  _ 
                 ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
                (_/                             /)      
                                               (/       
                Microsoft MVP - Directory Services
                www.akomolafe.com - we know IT
                -5.75, -3.23
                Do you now realize that Today is the Tomorrow you were worried 
about Yesterday? -anon

                 

________________________________

                From: Darren Mar-Elia
                Sent: Fri 12/15/2006 9:18 AM
                To: ActiveDir@mail.activedir.org
                Subject: RE: [ActiveDir] Vista GPO

                I hear you Rich. I had a long discussion with someone on the GP
                newsgroups who thought that the fact that XP and 2003 couldn't read
                Vista GP settings was an abomination and a scandal of the highest
                order and that MS should be beaten for their insolence (I'm
                paraphrasing :-)). But, yes, we should all be used to the fact that
                sometimes, you have to adopt the new stuff to get the new toys.
                People don't seem to have a problem with that concept when it comes
                to game consoles :)
                 
                Darren
                 
                -----Original Message-----
                From: [EMAIL PROTECTED]
                [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
                Sent: Friday, December 15, 2006 9:04 AM
                To: ActiveDir@mail.activedir.org
                Subject: RE: [ActiveDir] Vista GPO
                 
                Sorry, I understand it's different, what I meant was merely that we
                had some growing pains like this when XP first came out.  Our
                practice then became to use only XP desktops for GP management.  I
                think there's a tendency to think this is such a terrible thing,
                this backwards-incompatibility, and we might forget that Vista is
                not new with this, we had similar issues before.  And who remembers
                the teeth-pulling to get people to move to Active Directory??
                 
                
-----------------------------------------------------------------------
                Rich Milburn
                MCSE, Microsoft MVP - Directory Services
                Sr Network Analyst, Field Platform Development
                Applebee's International, Inc.
                4551 W. 107th St
                Overland Park, KS 66207
                913-967-2819
                
----------------------------------------------------------------------
                "I love the smell of red herrings in the morning" - anonymous
                 
                 
                -----Original Message-----
                From: [EMAIL PROTECTED]
                [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
                Sent: Friday, December 15, 2006 10:05 AM
                To: ActiveDir@mail.activedir.org
                Subject: RE: [ActiveDir] Vista GPO
                 
                This is actually a little different because if you view a GPO that
                was created with Vista, using XP or 2003, none of the ADMX settings
                can actually be read at all, because they are a completely new
                format that GPEditor or GPMC on those older platforms don't
                understand. In fact, those XP or 2003 will happily copy up the ADMs
                into the Vista GPO like they used to do, and you're back to each GPO
                storing ADMs in SYSVOL. What I've been recommending to folks is that
                once you introduce Vista desktops into your environment, use Vista
                for all your ongoing GP management. The Vista ADMXs are a superset
                of the latest and greatest ADMs (i.e. they include 2003, XP and
                Vista settings) so you can happily manage Vista and non-Vista
                targeted GP settings from a Vista machine.
                 
                Darren
                 
                Darren Mar-Elia
                CTO & Founder
                www.sdmsoftware.com
                [EMAIL PROTECTED]
                 
                 
                 
                -----Original Message-----
                From: [EMAIL PROTECTED]
                [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
                Sent: Friday, December 15, 2006 6:49 AM
                To: ActiveDir@mail.activedir.org
                Subject: RE: [ActiveDir] Vista GPO
                 
                You may recall, there was a similar case when XP came out too - if
                memory serves, you had to manage XP GPO settings from an XP box - if
                you opened them on Win2K, there were problems (I can't recall now
                exactly what those problems were... it would corrupt the policy?
                Lose the settings?) anyway so there are tons more settings (+ side)
                and you have to use Vista for now (- side, sorta).  I wouldn't be
                too surprised if they fix that with the next server and XP SP... but
                I haven't actually heard that.
                 
                
-----------------------------------------------------------------------
                Rich Milburn
                MCSE, Microsoft MVP - Directory Services
                Sr Network Analyst, Field Platform Development
                Applebee's International, Inc.
                4551 W. 107th St
                Overland Park, KS 66207
                913-967-2819
                
----------------------------------------------------------------------
                "I love the smell of red herrings in the morning" - anonymous
                 
                 
                -----Original Message-----
                From: [EMAIL PROTECTED]
                [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
                Sent: Thursday, December 14, 2006 4:13 PM
                To: ActiveDir@mail.activedir.org
                Subject: RE: [ActiveDir] Vista GPO
                 
                Vista introduces a new Admin Template format called ADMX. These are
                found on Vista in C:\windows\policydefinitions and, unfortunately,
                cannot be consumed by earlier versions of Windows. That is, you must
                manage Vista GP from Vista.
                 
                Darren
                 
                -----Original Message-----
                From: "Za Vue" <[EMAIL PROTECTED]>
                To: ActiveDir@mail.activedir.org
                Sent: 12/14/2006 1:18 PM
                Subject: Re: [ActiveDir] Vista GPO
                 
                Sorry. Exactly what Ben wrote.
                 
                Thanks..
                 
                -Z.V.
                 
                WATSON, BEN wrote:
                > Maybe he may be referring to the location of any possible new ADM
                > files included with Vista.
                > 
                > -----Original Message-----
                > From: [EMAIL PROTECTED]
                > [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
                > Sent: Thursday, December 14, 2006 10:34 AM
                > To: ActiveDir@mail.activedir.org
                > Subject: RE: [ActiveDir] Vista GPO 
                > 
                > What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
                > unless you mean the LDIF files that are in sources\adprep on the Vista
                > CD?
                > 
                > -----Original Message-----
                > From: [EMAIL PROTECTED]
                > [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
                > Sent: Thursday, December 14, 2006 9:57 AM
                > To: ActiveDir@mail.activedir.org
                > Subject: [ActiveDir] Vista GPO 
                > 
                > Anyone know what and where the GPO plugin for Win2003 on the Vista DVD
                > is called and located?
                > 
                > -Z.V.
                > List info   : http://www.activedir.org/List.aspx
                > List FAQ    : http://www.activedir.org/ListFAQ.aspx
                > List archive:
                http://www.mail-archive.com/activedir@mail.activedir.org/
                > 
                -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
                PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this
                message or any attachments. This information is strictly
                confidential and may be subject to attorney-client privilege. This
                message is intended only for the use of the named addressee. If you
                are not the intended recipient of this message, unauthorized
                forwarding, printing, copying, distribution, or using such
                information is strictly prohibited and may be unlawful. If you have
                received this in error, you should kindly notify the sender by reply
                e-mail and immediately destroy this message. Unauthorized
                interception of this e-mail is a violation of federal criminal law.
                Applebee's International, Inc. reserves the right to monitor and
                review the content of all messages sent to and from this e-mail
                address. Messages sent to or from this e-mail address may be stored
                on the Applebee's International, Inc. e-mail system.

                 

                --
                No virus found in this incoming message.
                Checked by AVG Free Edition.
                Version: 7.5.432 / Virus Database: 268.15.20/588 - Release 
Date: 12/15/2006 10:02 AM
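
Darren Mar-Elia's message in this thread notes that GPEditor or GPMC on XP or 2003 copies ADM files up into a GPO, so each GPO ends up storing ADMs in SYSVOL. The following is an added example, not code from the thread or from Microsoft: it lists the GPO folders that hold such copies, which shows which GPOs have been touched by a pre-Vista editor. It assumes the usual `Policies\{GUID}\Adm` layout; the function name `Get-GpoAdmCopy` and the sample tree are hypothetical and constructed for illustration.

```powershell
# Added example: report GPO folders in SYSVOL that carry per-GPO ADM copies.
# Assumption: standard layout <Policies>\{GPO-GUID}\Adm\*.adm
function Get-GpoAdmCopy {
    [CmdletBinding()]
    param(
        # For real use: the domain's SYSVOL Policies folder (supply your own path)
        [Parameter(Mandatory)][string]$PoliciesPath
    )

    if (-not (Test-Path -LiteralPath $PoliciesPath -PathType Container)) {
        throw "Policies path not found: $PoliciesPath"
    }

    Get-ChildItem -LiteralPath $PoliciesPath -Directory |
        # GPO folders are named after the GPO's GUID in braces
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $admDir = Join-Path $_.FullName 'Adm'
            if (Test-Path -LiteralPath $admDir -PathType Container) {
                $files = @(Get-ChildItem -LiteralPath $admDir -Filter '*.adm' -File)
                if ($files.Count -gt 0) {
                    $bytes  = ($files | Measure-Object -Property Length -Sum).Sum
                    $newest = $files | Sort-Object LastWriteTime -Descending |
                              Select-Object -First 1
                    [pscustomobject]@{
                        GpoGuid   = $_.Name
                        AdmCount  = $files.Count
                        SizeKB    = [math]::Round($bytes / 1KB, 1)
                        # Most recent ADM write: a hint at when an older
                        # editor last opened this GPO
                        LastWrite = $newest.LastWriteTime
                    }
                }
            }
        }
}

# Constructed sample tree (not real GPOs) so the function can be tried offline.
$root   = Join-Path ([IO.Path]::GetTempPath()) ("Policies-" + [guid]::NewGuid())
$edited = Join-Path (Join-Path $root '{11111111-1111-1111-1111-111111111111}') 'Adm'
$clean  = Join-Path (Join-Path $root '{22222222-2222-2222-2222-222222222222}') 'Machine'
New-Item -ItemType Directory -Path $edited, $clean -Force | Out-Null
Set-Content -LiteralPath (Join-Path $edited 'system.adm') -Value 'CLASS MACHINE'

# Only the GPO folder that contains an Adm\*.adm copy is reported.
Get-GpoAdmCopy -PoliciesPath $root | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```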

         
