Life of an IT Pro Advisor @ Microsoft Canada : Group Policy

New Blog from a colleague - "No Spin Architecture"

rclaus — Mon, 21 Nov 2005 18:36:00 GMT

For those developers that happen to read my blog (I know you are out there…) you might be interested in a newly hired colleague of mine on the developer side of the house – Mohammad Akif. He’s an Architect that came to us from SUN and is VERY well versed in J2EE and our .NET platform. He sits on the Microsoft Architecture Editorial Board for the new Architecture certifications and has written a number of publications and technical documents.

His new blog is called “No Spin Architecture” and can be found here. (http://blogs.msdn.com/mohammadakif)
As an infrastructure guy, I mainly look after putting up the servers and services required to support these architectures, but once in a while I need to understand a bit more about the dev platform in order to get the job done. Mohammad is one of the guys I can talk to and understand what he’s talking about.

As an aside, we’re both presenting to the Canadian Federal Strategic Architect Forum here in Ottawa tomorrow. He’s covering off the developer side of the house whereas I will be talking about “Core Server futures with R2 and beyond”. I love presenting to this group as they are a lively bunch that enjoys some active round table discussion.

As-tu des problèmes avec un erreur « [strings] section is too long » quand tu travailles avec un GPO?

rclaus — Wed, 16 Feb 2005 20:20:00 GMT

J’avais beaucoup de questions dans mon courriel électronique au sujet d’intégrer les nouveaux *.ADM fichier qui sont en place avec Windows XP SP2 dans une environnement Active Directory. Peut-être j’aurai beaucoup d’autre question maintenant que les personnes travaillent avec Windows Server 2003 SP1. Les deux systèmes changes la longueur des « strings » au point qu’ils sont incompatibles avec un MMC qui est utilisé sur un system au niveau précédent de Windows XP SP2.

J’ai déjà écrit un article qui explique la méthode que les *.ADM fichier se mis a niveau automatiquement dans un environnement d’Active Directory et comment tu as besoin d’évaluer et choisir la procédure qui est correct pour votre environnement. (La manière défaut fonctionne pour presque tous les gents)

Pour essayer de répondre au question la plus simple et le plus court que possible :
Si tu crée ou change un GPO avec un MMC sur un system de Windows XP SP2 ou Windows Server 2003 SP1, la réaction défaut est que les fichiers seront télécharger au Domain Controllers et en effet remplace les versions plus ancienne. Pour éviter les erreurs de « [strings] too long », toutes les systèmes utilisés pour gérer les GPO a besoin d’un patch pour mettre a niveau un DLL qui est utiliser par le MMC.

(Cette réponse est simple et court?)

Regarder l’article KB842933. Il est trouvé ici. Tu n’as pas besoin beaucoup d’analyse pour cette patch. Les systèmes n’ont pas besoin d’être redémarré après l’application du patch si tu fermes le MMC avant de commencer. Seulement les systèmes utilisés pour gérer les GPO on a besoin du patch. Les systèmes au niveau de :

Windows XP sans SP2
Tous les systèmes Windows 2000 Professional
Windows Server 2003 sans SP1
Tous les systèmes Windows 2000 Server

Si tu décide de ne pas appliquer le patch – c’est OK – tu ne casse pas ton GPO si tu les changes avec un MMC plus ancien. Tu dois tous simplement « clicker » un vingtaine fois sur le « ok » bouton. ;-)

Perplexed with a "[strings] section is too long" error when editing a GPO?

rclaus — Fri, 11 Feb 2005 16:23:00 GMT

I've had a number of questions around the *.ADM templates that come with a Windows XP Service Pack 2 machine and what they do to the GPOs in an Active Directory Domain. With people using Server 2003 SP1 systems, I might get more questions being asked. Both systems increase the length of strings beyond what the MMC console can take on a older OS (by older I mean PRE-XP-SP2).

I've already wirtten an article outlining the ADM template update process, how they get copied up to the domain controllers AND about how you need to choose the right process for your organization - default works great for almost all situations.

To make a long blog post shorter and to come to the point:
If you edit a GPO with an XP-SP2 or Server 2003 SP1 management console with the updated *.ADM templates, the default action is that the templates will be copied up to the Domain Controllers and overwrite the old ones. As a result of this action - all admin workstations (and servers) that are NOT XP-SP2 or Server 2003 SP1 need to be patched with the appropriate patch if they are going to be used to manage GPOs.

(that was short?)

You might want to read the details contained in Knowledge Base article 842933. It can be found here. Not to worry - no major testing require of this patch. No reboots are required (unless the GPO MMC or GPMC is open at the time of the patch - in which case, close it and patch again). Only the systems used to manage GPOs need to be patched. They apply to workstations that are running:

Windows XP PRIOR to Service Pack 2
All Windows 2000 Pro systems
Windows Server 2003 PRIOR to SP1
All Windows Server 2000 systems

If you don't patch them - don't worry - you won't "break" your GPO by editing it with an older version of the console. You'll just have to be proficient at clicking 20 or so times on the OK button. ;-)

Follow up to some questions regarding XP-SP2 .ADM template files

rclaus — Sat, 20 Nov 2004 05:33:00 GMT

I’ve gotten a number of requests for the location of the ADM templates that I use in the XP-SP2 sessions I deliver. I’ve posted on this before – but I thought it would be worth posting this information a second time….

First off – you’ll probably need to apply a patch to your servers / systems that you use to manage GPOs. Make sure to read the following Q article to get the right patch for the operating system you are using.

http://support.microsoft.com/default.aspx?scid=KB;[LN];842933

This will prevent the following nasty looking error message

"The following entry in the [strings] section is too long and has been truncated" error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000."

Once you are patched up, you can simply launch your group policy editor of choice from an XP-SP2 system. It should have the proper ADM files installed as part of the service pack. if you prefer to be absolutely sure you have the latest ones - you can download them manually from here and then copy them into the %windir%\inf directory of the system you use to manage group policy. The default behaviour of the group policy console is to check the date/time stamp of the local ADM files and compare it to the server copy. If the local is newer, it is used and copied up to the server.

Have you edited the original .ADM templates? As a best practice, you should always leave the original ones alone and create your own. This will prevent the long hard work you spent customizing the template from going down the drain when it gets overwritten by a newer .ADM template with the same name being copied up to the server automatically.

As I mention in my sessions - no worries about older versions of OSs using the latest version (XP-SP2) of the .ADM files - everything is cumulative. You won't be damaing your Windows 2000 gpo setting when you use the newer ADM templates.

Happy GPO editing!

.ADM templates for XP-SP2 GPO settings

rclaus — Wed, 06 Oct 2004 18:28:00 GMT

One of the questions that came up at last night’s TechNet session was .ADM template files and where to get them. JohnM from EDS pointed me to the download page for current ADM templates. Thanks for making my job easier John!

Here’s the link
http://www.microsoft.com/downloads/details.aspx?FamilyId=92759D4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en#filelist

Some related information about ADM templates for managing group policy also turned up in my research. Before you download these files and start using them, you should be aware of the impact they might have in your environment first.

Hun? Impact? They’re just files, what impact can they have? Replication my friend is blowing in the wind. The .adm files are 3.17 megs in size. Updated files = replication using FRS to all your DCs = WAN traffic.

Check out this KB article 816662 (http://support.microsoft.com/default.aspx?scid=kb;en-us;816662) To summarize the major points:

The default behaviour for .adm templates and GPEDIT.MSC (group policy MMC) is to use the local admin workstation copy from %windir%\inf.
If the local copy is newer then the copy on the SYSVOL GPT (GroupPolicyTemplate) then it is copied up to the GPT folder on the server.
It uses the Date and Timestamp of the adm file to determine which one is newer. Because of this, if you want to modify the ADM template, it is recommended that you create your own NEW one for your specific settings – leave the system ones alone.
Entries are Cumulative. If you have W2K SP4 and bring in Win XP-SP2, a bunch of .adm files will be updated. This will NOT mess up your W2K SP4 settings.
You can turn off the auto-upload process if you want to manage your own version of files on local admin workstations.

That last statement is powerful. Why would you want to do that? Have you thought about language? If your co-worker works with a French admin workstation (which is quite possible in our bilingual culture here in Canada), his/her adm templates will upload overtop of the server based ones if they have a newer date and time stamp. You can prevent this from happening if you establish a policy (human policy, not Group Policy <g>) that states all ADM templates are stored in a central location and should be copied down to the local admin workstation (or server) where GPEdit is launched. That way you can control which templates are used and what versions / language you want to work in.

Have a good read of that KB816662… It’s worth the time to investigate your options and establish a proper .adm template process. This is something that you might have overlooked in your planning exercise for managing AD.

Lastly, here is a link to the Windows 2003 Online technical reference that deals with Administrative Template Extension Technical Reference. It has links to three areas of information on ADM template and how they work in the GPO process. It also has some additional planning excel spreadsheets for GPO settings. It's a good read.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/windowsServ/2003/all/techref/en-us/W2K3TR_gpadm_intro.asp