List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read only, so to contribute you will need to join our list community.

Subject: [ActiveDir] Vista GPO

Author: GuidoG (Posts: 58)

12/21/2006 4:39 AM  
There are also a few technical reasons, some of which were pointed out in the thread – the GPO editor on your DCs doesn’t understand the ADMX GPO-templates from Vista, so tough luck if you want to use them to manage Vista settings…

But it’s not only Vista related: if you want to manage a service that runs on your clients but not on your DCs, you’ll have an issue managing GPO settings (such as startup or security) of the service from a DC, since it won’t be listed in the services node. Note that the same thing could be why you must edit other GPOs on your DC => try managing a GPO to configure the DNS Server service using a client workstation…

/Guido

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matt Hargraves
Sent: Thursday, 21 December 2006 17:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

So basically the reasons are:

1) To keep the stupid people from being too terribly stupid (keep them off of
DCs, where they might do something like open up a website or open their e-mail
and open up a vb script or something equally stupid).

2) To keep from making changes without testing them, which is more of a process
issue than a "Where you edit it" issue. No matter where I edit
a GPO from, it's live as soon as I edit it - doesn't matter whether I'm editing
it on a DC or on my workstation, they're communicating with the master GPO in
the same way. If I'm not testing a GPO first, it's going to be in the
same situation no matter where I edit it from.

In the end the reason really is: We are all stupid and need to protect our
companies (or customers) from our stupidity.

I don't disagree, that we shouldn't log into DCs to edit GPOs, but that's more
from a 'general practices', don't do anything on a server that you can do from
your workstation, standpoint.

On 12/20/06, Tim Vander Kooi wrote:

Well, you did just give one
valid reason for not editing GPOs from your DC, or any other server, security.
As was mentioned by MBS on one of the Exchange lists just within the past day,
some companies don't allow local logon to servers, because it is a security
risk. Perhaps not huge, but a risk none the less.

What I haven't seen so far is a
single good argument for why you SHOULD do GPO editing from a server instead of
from a workstation. If there is even just one good reason for doing it one way
vs. none for the other, that is how best practices are born.

Just an opinion.

Tim

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matt Hargraves
Sent: Wednesday, December 20, 2006 10:52 AM


To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

I'm not too terribly surprised, I think that
there are GP-like items in Linux also.

However, that still leaves my other question unanswered:

What is the really compelling reason to not edit GPOs on a DC as opposed to a
workstation, other than the fact that you really shouldn't bother logging into
any server for something that you can do from your workstation? People
point to 'best practices', but I don't know if there is any justification
beyond the fact that you shouldn't bother hopping onto a DC just to edit a GPO
that you could edit from your workstation.

Does anyone have an answer to that?

On 12/19/06, Darren Mar-Elia wrote:

The Mac does have something
akin to GP, though the name eludes me at the moment and its not quite the same.
And of course, folks like Centrify have created a GP client for the Mac that
integrates into Windows GP as well.

Darren

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matt Hargraves
Sent: Tuesday, December 19, 2006 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

Also, since we're talking about GPOs, while I
haven't managed a Mac in several years, I don't remember them offering this
functionality, so I'm not even sure how that's relevant to this discussion.

On 12/19/06, Matt Hargraves wrote:

While the only GPOs I've edited at the DC/server side have been the GPOs for
my sister's SBS box, which I connect to from around 1400 miles away, I don't
generally do it as a rule - too cumbersome and a waste of my time normally.

I guess the real question for me is "Why not?". It's just an
MMC snap-in. Nothing huge in there that's going to trash the box.
Nothing that is going to compromise security... If there is something in that
MMC that I shouldn't be doing from a server/DC, then it's probably something I
shouldn't be doing from my workstation too.

I guess the real question should be "Why, other than the fact that there's
no reason to waste the steps to pull up the RDP client and login to a remote
server, shouldn't I edit GPOs from the PDC Emulator?" The GPOs are
going to be edited there anyway (or at least that's where your GPMC is going to
connect to) and then distribute from there. I can only think of one
reason and that's "Don't login to a DC unless you need to".... but
that goes for any box... or do you just run around your environment randomly
logging in through RDP to all kinds of servers for no reason other than you
have nothing better to do? There are very few things that you really need
to do at any box, whether it's a DC, a file server, SQL or even Exchange box.
Hell, you don't even need to login locally to reboot it unless you've defined
that by GPO.

Like I said before, there is only 1 box that I do that for and that's because
that box is 1400 miles away and I can't vpn into their network yet (hope to get
that setup in the next year, when I visit sometime - *if* I visit sometime :(
). I don't really do it much, but I also can't think of a really good
reason to actually avoid doing it either (example - I have to do a dcdiag on
the PDC, then someone requests a GPO change - should I really disconnect from
that box just to do the same thing from another?).

As for backward compatibility, many companies are still running NT boxes in
their environments and have been for many years now, because they don't have
much of a choice - the server apps aren't being produced any more and there
isn't an upgrade path that would take less than 6 months of hard work, not to
mention having to retrain potentially hundreds (if not more) of
employees. I don't think that it should be necessary to include all of
the features from Vista in old versions... that's part of why you upgrade...
that's why it's called an 'upgrade'. Apple is in a rather unique position
though, they can break 90% of their backward compatibility and their users will
still buy their products. Why? They're fiercely loyal. If
they're upgrading next year, then they'll upgrade next year, even if it breaks
an app, they only run like 7 apps anyway (that's about the largest number of
'real' apps that I've seen a user load on a Mac - not counting things like AV
software or an internet browser) and as long as they're upgrading their
machine, they're probably going to upgrade their apps at the same time.
People who use MS software will just stay with the older version. They
can, particularly if upgrading means that it's going to cost them $millions in
retraining and software replacement. The comparison between a Mac and PC
might seem appropriate, but it's really not. I don't know of a single
medium sized corporation that runs their business on Macs. I don't know
of a single company that had to replace thousands of machines and spend nearly
as much to upgrade software versions at the same time because Apple decided to
not provide backward compatibility (not that anyone's going to do that for MS
either). It's like comparing.... well... apples to oranges (no pun
intended).

On 12/19/06, Rich Milburn <rich.milburn@applebees.com> wrote:

I'd totally agree with you
Laura. Look at how Apple has approached the backwards compatibility issue with
Mac OS X. Or rather, how they haven't. Want to stay compatible with an older
version? Stay on that version. Pretty simple. I'm not saying that is 100% the
right way to go, but they avoid a lot of problems that way. Out of the 50
million lines of code in Vista, I'm sure at least half of that is to provide
backwards compatibility. In any event, like you say, Laura, there's no point
editing Vista GPOs if you're not running Vista. And if you need to set up Vista
policy, then why not run on it yourself and just do the editing from there? Or
is this the case of the tech who says, "I don't need no stinkin' eye
candy, you can't make me run it"?

One other thing that I really
hate to hear is a complaint about how something works, with the comment that
Microsoft "forces people to do things they way Microsoft wants people to
do them." That's a pretty naïve comment – I hear it more from kids on
the public newsgroups though. I'm surprised hearing it in the context of not
logging into a DC to edit GPOs though. Are there any MVPs here who really think
logging into a DC for GPO editing (or for anything else that can be done
remotely, for that matter) is a good practice? So if Microsoft did force people
to use a workstation to do configuration tasks such as GPO editing, that would
be enforcement of what most experts agree is best practice – yet they don't
force this. The issue is that they released Vista [client] before Server is
out, and they enhanced things in Vista beyond the previous OS (I say hooray for
them), and there has not been a new release of any prior OS service pack since
Vista's release. In fact, Vista is barely out there now. But IMHO, Microsoft
does not come up with ways to do things, generally, that are some attempt to
force people into doing things in some manner that has, as their ultimate goal,
to 'try and take over the world.' [*] Rather, they try to adhere to best
practices and most requested features in their software design, when they can,
as determined by various industry experts – not by some idea that they can make
people do this or that if they cut this feature. At least, I believe this to be
the case most of the time.

[*] if you think that, maybe you watched too much Pinky and the Brain

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell
of red herrings in the morning" - anonymous

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 1:26 PM


To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO



And it's the clueful customers who
(rightly) become angry when something in a product that exists purely for
backward compatibility opens a security hole. Now, I'm not saying that all
security holes are due to backward compatibility, and I'm not saying that every
bit of code that comes out of Redmond is perfect. However, I have said for
years that many of the things that people don't like about Microsoft's products
are the result of backward compatibility, not bad coding or a lack of
consideration on the part of Microsoft's programmers. As somebody else (Darren?
Richard?) said, there is a point where a line has to be drawn in the sand. I
personally don't see anything dictatorial about requiring a Vista+ machine to
edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that
would imply that you're using Vista machines, and if you're using Vista
machines, what is the issue with using one of those Vista machines as your
editing workstation? I think that that *IS* a very pragmatic, realistic
approach.

Sorry, I just don't follow your
logic on this one.

That said, my opinions are purely
my own, do not represent those of my employer, are not intended to represent
those of my employer and for all I know, may even pi$$ off my employer.
:-)

Laura



From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I wouldn't put it in those words.
But, yeah, I would expect Microsoft to be... shall we say...pragmatic,
realistic. Something like, "enable" its customers to run their
businesses. I mean, refrain from "dictating" its wishes. You
know? Because at the end of the day, it is the "clueless customers"
that actually write the checks that add up to those billions in the vault.


Sincerely,

Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO



So Microsoft should encourage
their bad practices?

Laura



From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

>>> People don't seem to
have a problem with that concept when it comes to game consoles :)

Bad analogy. Go stand in the corner, no Wii for you :)

When people start running their businesses on
game consoles, then you can come back and compare. For now, it's just plain incomprehensible
that you can't manage ADMX from anything but Vista. Yeah, ideally we would want
to encourage clients to NOT manage things directly from servers, and to ensure
that IF they are going to introduce Vista, the IT folks' machines should be doing
the dog-fooding, but realistically, the "ideal" is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.


Sincerely,

Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :)

Darren

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory??

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine.

Darren

Darren Mar-Elia
CTO & Founder
www.sdmsoftware.com
darren@sdmsoftware.com

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that.

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortunately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista.

Darren

-----Original Message-----
From: "Za Vue"
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote.

Thanks..
-Z.V.

WATSON, BEN wrote:
> Maybe he may be referring to the location of any possible new ADM files included with Vista.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> Sent: Thursday, December 14, 2006 10:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vista GPO
>
> What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD?
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Za Vue
> Sent: Thursday, December 14, 2006 9:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Vista GPO
>
> Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located?
>
> -Z.V.
>
> List info    : http://www.activedir.org/List.aspx
> List FAQ     : http://www.activedir.org/ListFAQ.aspx
> List archive : http://www.mail-archive.com/activedir@mail.activedir.org/

-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.



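One way to check for the SYSVOL side effect Darren describes (down-level editors copying .adm files into each GPO) and to see whether editing workstations share one template set, as an added example that is not from any poster in this thread: a PowerShell audit of the domain's Policies share. It assumes read access to \\<domain>\SYSVOL from a domain-joined machine, and that an ADMX central store, if one exists, lives at Policies\PolicyDefinitions (a documented location for the ADMX model, not something the thread mentions).

```powershell
# Added example, not from any post in this thread. Audits a domain's SYSVOL
# for GPOs that carry legacy .adm templates (the symptom of a GPO being edited
# from an XP/2003 editor) and checks for a PolicyDefinitions central store so
# that every editing workstation sees the same ADMX set rather than its own
# local C:\Windows\PolicyDefinitions.
# Assumptions: run from a domain-joined machine with read access to SYSVOL;
# $Domain defaults to the current user's DNS domain.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
if (-not (Test-Path -LiteralPath $policiesRoot)) {
    throw "Cannot reach $policiesRoot"
}

# Central store location (a documented feature of the ADMX model, not mentioned
# in the thread). Count the .admx files it holds, or 0 when it is absent.
$centralStore = Join-Path $policiesRoot 'PolicyDefinitions'
$centralStoreAdmx = if (Test-Path -LiteralPath $centralStore) {
    @(Get-ChildItem -LiteralPath $centralStore -Filter *.admx -File).Count
} else { 0 }

# Every GPO is a {GUID}-named folder under Policies; legacy editors drop
# .adm copies into its Adm subfolder.
$gpoFolders = @(Get-ChildItem -LiteralPath $policiesRoot -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f\-]{36}\}$' })

$findings = foreach ($gpo in $gpoFolders) {
    $admDir = Join-Path $gpo.FullName 'Adm'
    $adms = @()
    if (Test-Path -LiteralPath $admDir) {
        $adms = @(Get-ChildItem -LiteralPath $admDir -Filter *.adm -File -ErrorAction SilentlyContinue)
    }
    $bytes = 0
    foreach ($f in $adms) { $bytes += $f.Length }
    $lastWrite = $null
    if ($adms.Count -gt 0) {
        $lastWrite = ($adms | Sort-Object LastWriteTime -Descending)[0].LastWriteTime
    }
    [pscustomobject]@{
        GpoGuid      = $gpo.Name
        AdmFiles     = $adms.Count
        AdmKilobytes = [math]::Round($bytes / 1KB, 1)
        LastAdmWrite = $lastWrite
    }
}

"Policies root      : $policiesRoot"
"GPOs found         : $($gpoFolders.Count)"
"Central store ADMX : $centralStoreAdmx file(s)"
""
# A GPO with .adm files was last saved by a pre-Vista editor, or was created
# before Vista and never cleaned up. LastAdmWrite is the date to correlate with
# change records to find out which workstation (or DC) the edit came from.
$findings | Where-Object { $_.AdmFiles -gt 0 } |
    Sort-Object LastAdmWrite -Descending |
    Format-Table -AutoSize
```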
solinear@xxxx.yyy

12/21/2006 11:23 AM  
So basically the reasons are:

1) To keep the stupid people from being too terribly stupid (keep them off of DCs, where they might do something like open up a website or open their e-mail and open up a vb script or something equally stupid).

2) To keep from making changes without testing them, which is more of a process issue than a "Where you edit it" issue. No matter where I edit a GPO from, it's live as soon as I edit it - doesn't matter whether I'm editing it on a DC or on my workstation, they're communicating with the master GPO in the same way. If I'm not testing a GPO first, it's going to be in the same situation no matter where I edit it from.

In the end the reason really is: We are all stupid and need to protect our companies (or customers) from our stupidity.

I don't disagree, that we shouldn't log into DCs to edit GPOs, but that's more from a 'general practices', don't do anything on a server that you can do from your workstation, standpoint.
On 12/20/06, Tim Vander Kooi wrote:




Well, you did just give one valid reason for not editing GPOs
from your DC, or any other server, security. As was mentioned by MBS on one of
the Exchange lists just within the past day, some companies don't allow local
logon to servers, because it is a security risk. Perhaps not huge, but a risk
none the less.

What I haven't seen so far is a single good argument for why you
SHOULD do GPO editing from a server instead of from a workstation. If there is
even just one good reason for doing it one way vs. none for the other, that is
how best practices are born.

Just an opinion.

Tim

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matt Hargraves
Sent: Wednesday, December 20, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

I'm not too terribly surprised,
I think that there are GP-like items in Linux also.

However, that still leaves my other question unanswered:

What is the really compelling reason to not edit GPOs on a DC as opposed to a
workstation, other than the fact that you really shouldn't bother logging into
any server for something that you can do from your workstation? People
point to 'best practices', but I don't know if there is any justification
beyond the fact that you shouldn't bother hopping onto a DC just to edit a GPO
that you could edit from your workstation.

Does anyone have an answer to that?


On 12/19/06, Darren Mar-Elia wrote:

The Mac does have something
akin to GP, though the name eludes me at the moment and its not quite the same.
And of course, folks like Centrify have created a GP client for the Mac that
integrates into Windows GP as well.

Darren

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matt Hargraves
Sent: Tuesday, December 19, 2006 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

Also, since we're talking about GPOs, while I
haven't managed a Mac in several years, I don't remember them offering this
functionality, so I'm not even sure how that's relevant to this discussion.

On 12/19/06, Matt Hargraves wrote:

While the only GPOs I've edited at the DC/server side have been the GPOs for
my sister's SBS box, which I connect to from around 1400 miles away, I don't
generally do it as a rule - too cumbersome and a waste of my time normally.

I guess the real question for me is "Why not?". It's just an
MMC snap-in. Nothing huge in there that's going to trash the box.
Nothing that is going to compromise security... If there is something in that
MMC that I shouldn't be doing from a server/DC, then it's probably something I
shouldn't be doing from my workstation too.

I guess the real question should be "Why, other than the fact that there's
no reason to waste the steps to pull up the RDP client and login to a remote
server, shouldn't I edit GPOs from the PDC Emulator?" The GPOs are
going to be edited there anyway (or at least that's where your GPMC is going to
connect to) and then distribute from there. I can only think of one
reason and that's "Don't login to a DC unless you need to".... but
that goes for any box... or do you just run around your environment randomly
logging in through RDP to all kinds of servers for no reason other than you
have nothing better to do? There are very few things that you really need
to do at any box, whether it's a DC, a file server, SQL or even Exchange
box. Hell, you don't even need to login locally to reboot it unless
you've defined that by GPO.

Like I said before, there is only 1 box that I do that for and that's because
that box is 1400 miles away and I can't vpn into their network yet (hope to get
that setup in the next year, when I visit sometime - *if* I visit sometime :(
). I don't really do it much, but I also can't think of a really good
reason to actually avoid doing it either (example - I have to do a dcdiag on
the PDC, then someone requests a GPO change - should I really disconnect from
that box just to do the same thing from another?).

As for backward compatibility, many companies are still running NT boxes in
their environments and have been for many years now, because they don't have
much of a choice - the server apps aren't being produced any more and there
isn't an upgrade path that would take less than 6 months of hard work, not to
mention having to retrain potentially hundreds (if not more) of
employees. I don't think that it should be necessary to include all of
the features from Vista in old versions... that's part of why you upgrade...
that's why it's called an 'upgrade'. Apple is in a rather unique position
though, they can break 90% of their backward compatibility and their users will
still buy their products. Why? They're fiercely loyal. If
they're upgrading next year, then they'll upgrade next year, even if it breaks
an app, they only run like 7 apps anyway (that's about the largest number of
'real' apps that I've seen a user load on a Mac - not counting things like AV
software or an internet browser) and as long as they're upgrading their
machine, they're probably going to upgrade their apps at the same time.
People who use MS software will just stay with the older version. They
can, particularly if upgrading means that it's going to cost them $millions in
retraining and software replacement. The comparison between a Mac and PC
might seem appropriate, but it's really not. I don't know of a single
medium sized corporation that runs their business on Macs. I don't know
of a single company that had to replace thousands of machines and spend nearly
as much to upgrade software versions at the same time because Apple decided to
not provide backward compatability (not that anyone's going to do that for MS
either). It's like comparing.... well... apples to oranges (no pun
intended).




On 12/19/06, Rich Milburn <rich.milburn@applebees.com> wrote:

I'd totally agree with you
Laura. Look at how Apple has approached the backwards compatibility issue with
Mac OS X. Or rather, how they haven't. Want to stay compatible with an older
version? Stay on that version. Pretty simple. I'm not saying that is 100% the
right way to go, but they avoid a lot of problems that way. Out of the 50
million lines of code in Vista, I'm sure at least half of that is to provide
backwards compatibility. In any event, like you say, Laura, there's no point
editing Vista GPOs if you're not running Vista. And if you need to set up Vista
policy, then why not run on it yourself and just do the editing from there? Or
is this the case of the tech who says, "I don't need no stinkin' eye
candy, you can't make me run it"?

One other thing that I really
hate to hear is a complaint about how something works, with the comment that
Microsoft "forces people to do things the way Microsoft wants people to
do them." That's a pretty naïve comment – I hear it more from kids on
the public newsgroups though. I'm surprised hearing it in the context of not
logging into a DC to edit GPOs though. Are there any MVPs here who really think
logging into a DC for GPO editing (or for anything else that can be done
remotely, for that matter) is a good practice? So if Microsoft did force people
to use a workstation to do configuration tasks such as GPO editing, that would
be enforcement of what most experts agree is best practice – yet they don't
force this. The issue is that they released Vista [client] before Server is
out, and they enhanced things in Vista beyond the previous OS (I say hooray for
them), and there has not been a new release of any prior OS service pack since
Vista's release. In fact, Vista is barely out there now. But IMHO, Microsoft
does not come up with ways to do things, generally, that are some attempt to
force people into doing things in some manner that has, as their ultimate goal,
to 'try and take over the world.' [*] Rather, they try to adhere to best
practices and most requested features in their software design, when they can,
as determined by various industry experts – not by some idea that they can make
people do this or that if they cut this feature. At least, I believe this to be
the case most of the time.

[*] if you think that, maybe
you watched too much Pinky and the Brain

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell
of red herrings in the morning" - anonymous



From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO





And it's the clueful customers who
(rightly) become angry when something in a product that exists purely for
backward compatibility opens a security hole. Now, I'm not saying that all
security holes are due to backward compatibility, and I'm not saying that every
bit of code that comes out of Redmond is perfect. However, I have said for
years that many of the things that people don't like about Microsoft's products
are the result of backward compatibility, not bad coding or a lack of
consideration on the part of Microsoft's programmers. As somebody else (Darren?
Richard?) said, there is a point where a line has to be drawn in the sand. I
personally don't see anything dictatorial about requiring a Vista+ machine to
edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that
would imply that you're using Vista machines, and if you're using Vista
machines, what is the issue with using one of those Vista machines as your
editing workstation? I think that that *IS* a very pragmatic, realistic
approach.



Sorry, I just don't follow your
logic on this one.



That said, my opinions are purely
my own, do not represent those of my employer, are not intended to represent
those of my employer and for all I know, may even pi$$ off my employer.
:-)



Laura




From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I wouldn't put it in those words.
But, yeah, I would expect Microsoft to be... shall we say... pragmatic,
realistic. Something like, "enable" its customers to run their
businesses. I mean, refrain from "dictating" its wishes. You know?
Because at the end of the day, it is the "clueless customers" that
actually write the checks that add up to those billions in the vault.






Sincerely,

_____

(, / |
/)
/) /)
/---| (/_ ______ ___// _
// _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/
/)

(/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon





From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO



So Microsoft should encourage
their bad practices?



Laura




From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

>>> People don't seem to
have a problem with that concept when it comes to game consoles :)



Bad analogy. Go stand in the corner, no wii
for you :)



When people start running their businesses on
game consoles, then you can come back and compare. For now, it's just plain
incomprehensible that you can't manage ADMX from anything but Vista. Yeah,
ideally we would want to encourage clients to NOT manage things directly from
servers, and to ensure that IF they are going to introduce Vista, the IT folks'
machines should be doing the dog-fooding, but realistically, the
"ideal" is always the exception in this field. Microsoft should know
that. People will insist on managing GPO directly from the DCs, best practices
be damned.




Sincerely,

Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon





From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :)

Darren

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory??

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GP Editor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine.

Darren

Darren Mar-Elia
CTO & Founder
www.sdmsoftware.com
darren@sdmsoftware.com

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that.

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortunately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista.

Darren

-----Original Message-----
From: "Za Vue" <zvue@emory.edu>
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote.
Thanks..
-Z.V.

WATSON, BEN wrote:
> Maybe he may be referring to the location of any possible new ADM files
> included with Vista.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> Sent: Thursday, December 14, 2006 10:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vista GPO
>
> What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
> unless you mean the LDIF files that are in sources\adprep on the Vista
> CD?
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Za Vue
> Sent: Thursday, December 14, 2006 9:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Vista GPO
>
> Anyone know what and where the GPO plugin for Win2003 on the Vista DVD
> is called and located?
>
> -Z.V.
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.


--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.15.20/588 - Release Date: 12/15/2006
10:02 AM








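Darren's point in the quoted thread, that a pre-Vista GPEdit or GPMC will copy classic ADM files into a Vista-created GPO so that each GPO again carries its own ADMs in SYSVOL, is something an administrator can check for from the SYSVOL side. The PowerShell below is an added example, not code from the thread or from any of its posters: it walks a Policies folder, flags every GPO whose Adm subfolder holds .adm files (a sign the GPO has been touched from a legacy editor), and reports whether a PolicyDefinitions folder (the SYSVOL-side equivalent of the C:\windows\policydefinitions folder Darren mentions, which the thread itself does not discuss) exists beside the GPOs. The function name, its parameter, and the sample tree built under the temp directory are my own; the folder layout follows the standard SYSVOL\<domain>\Policies structure.

```powershell
# Added example (not from the thread): report which GPOs in a SYSVOL Policies
# folder still carry classic ADM templates, and whether an ADMX store exists.
function Get-GpoAdmUsage {
    param(
        # Root of the Policies folder, e.g. \\contoso.example\SYSVOL\contoso.example\Policies
        # (hypothetical domain name used only for illustration)
        [Parameter(Mandatory)] [string] $PoliciesRoot
    )

    # ADMX store next to the GPO folders; not mentioned in the thread, assumed layout
    $centralStore    = Join-Path $PoliciesRoot 'PolicyDefinitions'
    $hasCentralStore = Test-Path -LiteralPath $centralStore -PathType Container

    # GPO folders are named by their GUID in braces
    Get-ChildItem -LiteralPath $PoliciesRoot -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $admDir   = Join-Path $_.FullName 'Adm'
            $admFiles = @()
            if (Test-Path -LiteralPath $admDir -PathType Container) {
                $admFiles = @(Get-ChildItem -LiteralPath $admDir -Filter '*.adm' -File)
            }
            $admBytes = 0
            foreach ($f in $admFiles) { $admBytes += $f.Length }

            [pscustomobject]@{
                GpoGuid          = $_.Name
                AdmFileCount     = $admFiles.Count
                AdmBytes         = $admBytes
                EditedFromLegacy = ($admFiles.Count -gt 0)   # ADMs copied up by XP/2003 GPEdit
                CentralStore     = $hasCentralStore
            }
        }
}

# --- constructed sample tree so the script runs offline; not real GPO data ---
$root      = Join-Path ([IO.Path]::GetTempPath()) 'sysvol-sample\Policies'
$legacyAdm = Join-Path $root '{11111111-1111-1111-1111-111111111111}\Adm'
$modernGpo = Join-Path $root '{22222222-2222-2222-2222-222222222222}'
New-Item -ItemType Directory -Force -Path $legacyAdm, $modernGpo, (Join-Path $root 'PolicyDefinitions') | Out-Null
# placeholder ADM content; a real file would hold the full template
Set-Content -LiteralPath (Join-Path $legacyAdm 'system.adm') -Value 'CLASS MACHINE'

# Expected on the sample tree: the 1111... GPO shows EditedFromLegacy = True,
# the 2222... GPO shows False, and CentralStore = True for both.
Get-GpoAdmUsage -PoliciesRoot $root | Format-Table -AutoSize
```

Against a real domain, point `-PoliciesRoot` at the SYSVOL Policies share and read the `EditedFromLegacy` column: any True row is a GPO that, as Darren describes, has been opened from an XP or 2003 editor since it was created or last cleaned, and is a candidate for re-saving from the management workstation the thread recommends.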
solinear@xxxx.yyy

12/25/2006 11:09 AM  
Actually, this is a good reason - though as you pointed out, it's something that's a 2-way street. It's best to create a GPO on a system that actually has the settings that you need (particularly services and/or files, though the latter can be manually inputted, regardless of where you create/manage the GPO at).
I completely understand the reason for not managing Vista GPOs on current (Win2k3) DCs. I was just trying to figure out why it was considered to be a 'best practice' to edit GPOs from your workstation, as opposed to doing it from a DC (or any other server, for that matter), other than the obvious reasons.
On 12/21/06, Grillenmeier, Guido wrote:




There are also a few technical reasons, some of which were
pointed out in the thread – the GPO editor on your DCs don't understand the
ADMX GPO-templates from Vista, so tough luck if you want to use them to manage
Vista settings…

But it's not only Vista related: if you want to manage a service
that runs on your clients but not on your DCs, you'll have an issue managing
GPO settings (such as startup or security) of the service from a DC, since it won't
be listed in the services node. Note that the same thing could be why you must
edit other GPOs on your DC => try managing a GPO to configure the DNS Server
service using a client workstation…

/Guido

From: ActiveDir-owner@mail.activedir.org

[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Matt Hargraves
Sent: Donnerstag, 21. Dezember 2006 17:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

So basically the reasons are:

1) To keep the stupid people from being too terribly stupid (keep them off of
DCs, where they might do something like open up a website or open their e-mail
and open up a vb script or something equally stupid).

2) To keep from making changes without testing them, which is more of a process
issue than a "Where you edit it" issue. No matter where I edit
a GPO from, it's live as soon as I edit it - doesn't matter whether I'm editing
it on a DC or on my workstation, they're communicating with the master GPO in
the same way. If I'm not testing a GPO first, it's going to be in the
same situation no matter where I edit it from.

In the end the reason really is: We are all stupid and need to protect our
companies (or customers) from our stupidity.

I don't disagree, that we shouldn't log into DCs to edit GPOs, but that's more
from a 'general practices', don't do anything on a server that you can do from
your workstation, standpoint.

On 12/20/06, Tim Vander Kooi
wrote:

Well, you did just give one
valid reason for not editing GPOs from your DC, or any other server, security.
As was mentioned by MBS on one of the Exchange lists just within the past day,
some companies don't allow local logon to servers, because it is a security
risk. Perhaps not huge, but a risk none the less.

What I haven't seen so far is a
single good argument for why you SHOULD do GPO editing from a server instead of
from a workstation. If there is even just one good reason for doing it one way
vs. none for the other, that is how best practices are born.

Just an opinion.

Tim

From: ActiveDir-owner@mail.activedir.org

[mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of Matt Hargraves
Sent: Wednesday, December 20, 2006 10:52 AM


To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO



I'm not too terribly suprised, I think that
there are GP-like items in Linux also.

However, that still leaves my other question unanswered:

What is the really compelling reason to not edit GPOs on a DC as opposed to a
workstation, other than the fact that you really shouldn't bother logging into
any server for something that you can do from your workstation? People
point to 'best practices', but I don't know if there is any justification
beyond the fact that you shouldn't bother hopping onto a DC just to edit a GPO
that you could edit from your workstation.

Does anyone have an answer to that?

On 12/19/06, Darren Mar-Elia > wrote:

The Mac does have something
akin to GP, though the name eludes me at the moment and its not quite the same.
And of course, folks like Centrify have created a GP client for the Mac that
integrates into Windows GP as well.

Darren

From: ActiveDir-owner@mail.activedir.org
[mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of Matt Hargraves
Sent: Tuesday, December 19, 2006 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

Also, since we're talking about GPOs, while I
haven't managed a Mac in several years, I don't remember them offering this
functionality, so I'm not even sure how that's relevant to this discussion.

On 12/19/06, Matt Hargraves wrote:

While the only GPOs I've edited at the DC/server side have been the GPOs for
my sister's SBS box, which I connect to from around 1400 miles away, I don't
generally do it as a rule - too cumbersome and a waste of my time normally.

I guess the real question for me is "Why not?". It's just an
MMC snap-in. Nothing huge in there that's going to trash the box.
Nothing that is going to compromise security... If there is something in that
MMC that I shouldn't be doing from a server/DC, then it's probably something I
shouldn't be doing from my workstation too.

I guess the real question should be "Why, other than the fact that there's
no reason to waste the steps to pull up the RDP client and login to a remote
server, shouldn't I edit GPOs from the PDC Emulator?" The GPOs are
going to be edited there anyway (or at least that's where your GPMC is going to
connect to) and then distribute from there. I can only think of one
reason and that's "Don't login to a DC unless you need to".... but
that goes for any box... or do you just run around your environment randomly
logging in through RDP to all kinds of servers for no reason other than you
have nothing better to do? There are very few things that you really need
to do at any box, whether it's a DC, a file server, SQL or even Exchange box.
Hell, you don't even need to login locally to reboot it unless you've defined
that by GPO.

Like I said before, there is only 1 box that I do that for and that's because
that box is 1400 miles away and I can't vpn into their network yet (hope to get
that setup in the next year, when I visit sometime - *if* I visit sometime :(
). I don't really do it much, but I also can't think of a really good
reason to actually avoid doing it either (example - I have to do a dcdiag on
the PDC, then someone requests a GPO change - should I really disconnect from
that box just to do the same thing from another?).

As for backward compatability, many companies are still running NT boxes in
their environments and have been for many years now, because they don't have
much of a choice - the server apps aren't being produced any more and there
isn't an upgrade path that would take less than 6 months of hard work, not to
mention having to retrain potentially hundreds (if not more) of
employees. I don't think that it should be necessary to include all of
the features from Vista in old versions... that's part of why you upgrade...
that's why it's called an 'upgrade'. Apple is in a rather unique position
though, they can break 90% of their backward compatability and their users will
still buy their products. Why? They're fiercely loyal. If
they're upgrading next year, then they'll upgrade next year, even if it breaks
an app, they only run like 7 apps anyway (that's about the largest number of
'real' apps that I've seen a user load on a Mac - not counting things like AV
software or an internet browser) and as long as they're upgrading their
machine, they're probably going to upgrade their apps at the same time.
People who use MS software will just stay with the older version. They
can, particularly if upgrading means that it's going to cost them $millions in
retraining and software replacement. The comparison between a Mac and PC
might seem appropriate, but it's really not. I don't know of a single
medium sized corporation that runs their business on Macs. I don't know
of a single company that had to replace thousands of machines and spend nearly
as much to upgrade software versions at the same time because Apple decided to
not provide backward compatability (not that anyone's going to do that for MS
either). It's like comparing.... well... apples to oranges (no pun
intended).



On 12/19/06, Rich Milburn <
rich.milburn@applebees.com> wrote:

I'd totally agree with you
Laura. Look at how Apple has approached the backwards compatibility issue with
Mac OS X. Or rather, how they haven't. Want to stay compatible with an older
version? Stay on that version. Pretty simple. I'm not saying that is 100% the
right way to go, but they avoid a lot of problems that way. Out of the 50
million lines of code in Vista, I'm sure at least half of that is to provide
backwards compatibility. In any event, like you say, Laura, there's no point
editing Vista GPOs if you're not running Vista. And if you need to set up Vista
policy, then why not run on it yourself and just do the editing from there? Or
is this the case of the tech who says, "I don't need no stinkin' eye
candy, you can't make me run it"?

One other thing that I really
hate to hear is a complaint about how something works, with the comment that
Microsoft "forces people to do things they way Microsoft wants people to
do them." That's a pretty na�ve comment – I hear it more from kids on
the public newsgroups though. I'm surprised hearing it in the context of not
logging into a DC to edit GPOs though. Are there any MVPs here who really think
logging into a DC for GPO editing (or for anything else that can be done
remotely, for that matter) is a good practice? So if Microsoft did force people
to use a workstation to do configuration tasks such as GPO editing, that would
be enforcement of what most experts agree is best practice – yet they don't
force this. The issue is that they released Vista [client] before Server is
out, and they enhanced things in Vista beyond the previous OS (I say hooray for
them), and there has not been a new release of any prior OS service pack since
Vista's release. In fact, Vista is barely out there now. But IMHO, Microsoft
does not come up with ways to do things, generally, that are some attempt to
force people into doing things in some manner that has, as their ultimate goal,
to 'try and take over the world.' Ώ] Rather, they try to adhere to best
practices and most requested features in their software design, when they can,
as determined by various industry experts – not by some idea that they can make
people do this or that if they cut this feature. At least, I believe this to be
the case most of the time.

Ώ] if you think that, maybe
you watched too much Pinky and the Brain

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell
of red herrings in the morning" - anonymous



From: ActiveDir-owner@mail.activedir.org
[mailto:
ActiveDir-owner@mail.activedir.org] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 1:26 PM


To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO





And it's the clueful customers who
(rightly) become angry when something in a product that exists purely for
backward compatibility opens a security hole. Now, I'm not saying that all
security holes are due to backward compatibility, and I'm not saying that every
bit of code that comes out of Redmond is perfect. However, I have said for
years that many of the things that people don't like about Microsoft's products
are the result of backward compatibility, not bad coding or a lack of
consideration on the part of Microsoft's programmers. As somebody else (Darren?
Richard?) said, there is a point where a line has to be drawn in the sand. I
personally don't see anything dictatorial about requiring a Vista+ machine to
edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that
would imply that you're using Vista machines, and if you're using Vista
machines, what is the issue with using one of those Vista machines as your
editing workstation? I think that that *IS* a very pragmatic, realistic
approach.



Sorry, I just don't follow your
logic on this one.



That said, my opinions are purely
my own, do not represent those of my employer, are not intended to represent
those ofmy employer and for all I know, may even pi$$ off my employer.
:-)



Laura




From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I wouldn't put it in those words.
But, yeah, I would expect Microsoft to be... shall we say...pragmatic,
realistic. Something like, "enable" its customers to run their
businesses. I mean,refrain from "dictating" its wishes. You
know? Because at the end of the day, it is the "clueless customers"
that actually write the checks that add up to those billions in the vault.






Sincerely,

_____

(, / |
/)
/) /)
/---| (/_ ______ ___// _
// _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/
/)

(/
Microsoft MVP - Directory
Services
www.akomolafe.com-
we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon





From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO



So Microsoft should encourage
their bad practices?



Laura




From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

>>> People don't seem to
have a problem with that concept when it comes to game consoles :)



Bad analogy. Go stand in the corner, no wii
for you :)



When people start running their businesses on
game consoles, then you can come back and compare. For now, it's just plain incomprehensible
that you can't manage ADMX from anything but Vista. Yeah, ideally we would want
to encourage clients to NOT manage things directly from servers, and to ensure
that IF they are going to introduce Vista, the IT folks' machines should be doing
the dog-fooding, but realistically, the "ideal" is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.




Sincerely,

Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :)

Darren

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory??

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GP Editor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine.

Darren

Darren Mar-Elia
CTO & Founder
www.sdmsoftware.com
darren@sdmsoftware.com
-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that.

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortunately, cannot be consumed by earlier versions of Windows. That is, you must manage Vista GP from Vista.

Darren

-----Original Message-----
From: "Za Vue" <zvue@emory.edu>
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote.

Thanks..

-Z.V.

WATSON, BEN wrote:
> Maybe he may be referring to the location of any possible new ADM files
> included with Vista.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> Sent: Thursday, December 14, 2006 10:34 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Vista GPO
>
> What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
> unless you mean the LDIF files that are in sources\adprep on the Vista
> CD?
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Za Vue
> Sent: Thursday, December 14, 2006 9:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Vista GPO
>
> Anyone know what and where the GPO plugin for Win2003 on the Vista DVD
> is called and located?
>
> -Z.V.
>
> List info    : http://www.activedir.org/List.aspx
> List FAQ     : http://www.activedir.org/ListFAQ.aspx
> List archive : http://www.mail-archive.com/activedir@mail.activedir.org/
-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
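The SYSVOL side effect Darren describes above (a pre-Vista GP Editor or GPMC re-uploading classic .adm templates into a GPO while ADMX-only settings stay invisible to it) can be audited from the file system. The script below is an added example, not code from anyone in this thread; it assumes the standard SYSVOL layout of one Policies\{GUID}\ folder per GPO with legacy templates in its Adm\ subfolder, an optional ADMX central store at Policies\PolicyDefinitions (a later Microsoft feature, not mentioned in the thread), and "corp.example" as a placeholder domain name.

```powershell
# Added example, not from this thread. Assumptions: standard SYSVOL layout
# \\<domain>\SYSVOL\<domain>\Policies\{GUID}\ (one folder per GPO; legacy
# editors write classic templates into its Adm\ subfolder) and an optional
# ADMX central store at Policies\PolicyDefinitions. "corp.example" is a placeholder.
param(
    [string]$Domain = "corp.example"
)

$policies     = "\\$Domain\SYSVOL\$Domain\Policies"
$centralStore = Join-Path $policies "PolicyDefinitions"

# Without a central store every editor uses its own local
# C:\windows\policydefinitions, so the visible settings depend on which
# machine (Vista or older) edited the GPO last.
if (Test-Path $centralStore) {
    $admxCount = @(Get-ChildItem -Path $centralStore -Filter *.admx -ErrorAction SilentlyContinue).Count
    Write-Host "ADMX central store found: $centralStore ($admxCount .admx files)"
} else {
    Write-Host "No ADMX central store at $centralStore (editors fall back to their local policydefinitions folder)"
}

# A GPO whose Adm\ folder contains .adm files has been saved by a pre-Vista
# editor, which re-uploads the classic templates and cannot show ADMX-only
# settings. List those GPOs so they can be re-opened and verified from Vista.
$report = Get-ChildItem -Path $policies -Directory |
    Where-Object { $_.Name -like '{*}' } |
    ForEach-Object {
        $admDir   = Join-Path $_.FullName "Adm"
        $admFiles = @()
        if (Test-Path $admDir) {
            $admFiles = @(Get-ChildItem -Path $admDir -Filter *.adm -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{
            GpoGuid      = $_.Name
            LegacyAdm    = $admFiles.Count
            AdmNames     = ($admFiles | ForEach-Object { $_.Name }) -join ','
            LastModified = $_.LastWriteTime
        }
    }

$report | Sort-Object LegacyAdm -Descending | Format-Table -AutoSize
```

Run it from a domain-joined machine with read access to SYSVOL; where the GroupPolicy module is available, Get-GPO -Guid maps each GUID in the report to the GPO's display name.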
Copyright 2008 ActiveDir.org
Terms Of Use