re: Hi, my name is Susan and I edit GP right on the domain

Chris Knight — Tue, 25 Sep 2007 06:14:44 GMT

The only reason it's recommended to always build a new GPO than edit an existing one is that the Group Policy team decided (or had it decided for them) that configuration management exensions such as versioning and change control weren't important.

Thankfully, Desktop Standard rose to the challenge and provided this capability with GPOVault and GPOVault Enterprise.

Someone at Microsoft also thought this was a good idea, bought out Desktop Standard and now the GPOVault Enterprise product can be found as the Advanced Group Policy Management component of the Microsoft Desktop Optimization Pack for Software Assurance.

A pity, because for a single domain controller Desktop Standard provided GPOVault for free. Sadly gone forever now.

Thankfully there are alternatives. NetIQ's Group Policy Guardian, Quest's Group Policy Manager and NetPro's GPOADmin are a few that spring to mind.

Interestingly, there's only two Best Practice documents referred to at www.microsoft.com/grouppolicy. That's in the FAQ and the first points to technet.microsoft.com/.../bb735163.aspx - which is Microsoft IT's documentation on their experience of leveraging Group Policy within Microsoft. The second paragraph clearly states that this document is prescriptive guidance only and not procedural guidance.

The second document points to technet2.microsoft.com/.../5ae8da2a-878e-48db-a3c1-4be6ac7cf7631033.mspx - which is Group Policy with Vista.

re: Hi, my name is Susan and I edit GP right on the domain

AdamV — Mon, 24 Sep 2007 14:10:26 GMT

No matter where you use GPMC, you are connecting to the domain and editing them directly there. I used to sometimes do this on my admin machine, or sometimes by remoting to the server.

Like you I have started doing this on my Vista box to gain access to the extended policies for Vista, and just got used to always doing this even if I don't need a Vista-only setting.

I think it will be a shame to lose the GPMC out of Vista, although I am begining to think I started a storm in a teacup with my discussion here:

veroblog.wordpress.com/.../gpmc-will-be-removed-when-you-install-vista-service-pack-1

(some useful feedback from Darren there too)

If the enhanced version is available for install at the same time as sp1, then I have no axe to grind.

A couple more thoughts:

The safest way to create a new policy is to start in the Group Policy Objects container, create the policy object but don't link it anywhere yet. Complete the settings you want and the link it to a Test OU with a Test object in (ideally you would do all of this in a sandbox test domain if you have one or can afford the time to set one up, maybe in a VM). Once done, then you link it to the real live OU (or site or domain etc). Aside: did you know you can create new OUs directly from inside GPMC?

A few things won't work that way, such as domain password policies which have to be linked at the domain level, but the same idea of create first, then link, still applies.

The wrong way is to open ADUC rather than GPMC and go to an OU and use "Create and link a policy here", which means while you are fiddling, users are getting a varying experience of what the policy does.

If you really need a proper change controlled environment with audit trail, delegation of tasks, rollback and a sandbox to create policies which are not enabled (until approved), you need Advanced Group Policy Management (pdf datasheet here: http://tinyurl.com/2y8xkv )

This was previously Desktop Standard's GPO Vault before they were acquired by MS. It is available as part of the Desktop optimisation Pack which has a cost per seat and is for Software Assurance customers.

Probably not going to suit smaller SBS customers, but useful to know about all the same.