Subject: [ActiveDir] Some Group policy Settings in 2003 do not work in 2008.

BrianB

04/28/2008 12:48 PM  
Is there a tool that will analyze the current GPO's in 2003 AD and
relate them to 2008 AD policies suggesting or reporting any type of
incompatibility?

We have been testing 2008 AD in our test environment and found that due
to 2008's new security, in that service accounts run with reduced
privileges, some policies do not apply correctly. Specifically, we have
a policy for the Domain Controllers Windows Firewall to allow specific
ports and addresses through. Additionally, we have specified that the
log file be written and that it be placed in the default location of
c:\Windows\Pfirewall.log. In Windows Server 2008 the policy is written
to C:\Windows\System32\logfiles\firewall\pfirewall.log. The service
that runs the firewall in 2008 does not have permission to write to
c:\windows, by default.

We went through a great deal of troubleshooting to find this out, not
suspecting access permissions on the service account to be the cause. A
tool to verify incompatibilities with GPO's in the current 2003 AD
environment as they relate to 2008 GPO's would be a great help. We
have several hundred GPO's in our environment and it would be a disaster
to implement 2008 and find that several do not work anymore. Inevitably,
we would be pushed to move back to 2003 AD.

Help!

Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676

BrianB

04/28/2008 2:08 PM  
We performed an in-place upgrade from 2003 to 2008. This is the scenario
we chose to do when we actually do upgrade. Existing policies will be
the same after the upgrade. This is of great concern given the amount of
GPO's we have and the fact that we have delegated permission to OU
Admins and they have also created GPO's for their respective
departments.

Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Monday, April 28, 2008 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Some Group policy Settings in 2003 do not work
in 2008.

Brian-
I have not seen such a tool and given the scenario you've described I
think it would be very hard to report this kind of conflict generally.

One thing I'm curious about in this scenario below. Did you use the old
Admin. Templates way of configuring Windows Firewall or the new "Windows
Firewall with Advanced Security" section?

Darren

Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
"The Group Policy Experts"
www.sdmsoftware.com

-----Original Message-----
From: "Britt, Brian" <brian.britt@Vanderbilt.Edu>
To: ActiveDir@mail.activedir.org
Sent: 4/28/2008 9:43 AM
Subject: [ActiveDir] Some Group policy Settings in 2003 do not work in
2008

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

darren

04/28/2008 2:49 PM  
Hi Brian-
Yep, I can understand that. One thing you might consider is to create a set
of 2008 specific policies (i.e. GPOs created from Server 2008 or Vista, Sp1)
that mimic the settings you have applying to your existing 2003 servers.
Create those using all the latest settings and capabilities (e.g. the
Windows Firewall with Advanced Security area vs. Admin. templates). Then use
those new GPOs to test an in-place upgrade in your labs. That way you can
predict what will happen instead of being surprised by it. If those work,
then you can security filter those GPOs to only apply to newer systems and
as part of your in-place upgrade, ensure that the new servers only receive
2008 specific settings. My sense is that there is probably only a small
subset of these kinds of issues out there, but I realize that is poor
consolation when the issue occurs.

Darren


****
Darren Mar-Elia
CTO & Founder
SDM Software, Inc.
www.sdmsoftware.com

Secure and configure your Windows desktops accurately every time without
having to learn or install new technology. Find out more about Desktop
Policy Manager at http://www.sdmsoftware.com/desktop_management
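
A narrow check for the one incompatibility reported in this thread, added here as an example and not posted by anyone on the list: it lists every GPO whose Windows Firewall log path points outside the System32\LogFiles\Firewall folder that Brian names for Server 2008. It assumes the setting was made through the older Administrative Templates firewall policy (the question Darren asks, which the thread does not answer), that the GroupPolicy PowerShell module is installed, and that the firewall service's default folder permissions are unchanged.

```powershell
# Added example: find GPOs that set a Windows Firewall log path the
# Server 2008 firewall service may not be able to write to.
Import-Module GroupPolicy

# Registry policy keys behind the Administrative Templates setting
# "Windows Firewall: Allow logging", one key per firewall profile.
$base     = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$profiles = 'DomainProfile', 'StandardProfile'

# Folder named in the thread as the Server 2008 log location.
# Matching on the tail also accepts %systemroot%-style paths.
$expected = '\system32\logfiles\firewall\'

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($profile in $profiles) {
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id `
                -Key "$base\$profile\Logging" -ValueName 'LogFilePath' `
                -ErrorAction Stop
        } catch {
            continue   # this GPO does not configure the log path
        }

        # String values can come back with a trailing NUL character.
        $path = ([string]$setting.Value).TrimEnd([char]0)
        if ($path.ToLower().Contains($expected)) { continue }

        [pscustomobject]@{
            GPO         = $gpo.DisplayName
            Profile     = $profile
            LogFilePath = $path
        }
    }
}

# One row per GPO/profile whose log path needs review before the upgrade.
$findings | Sort-Object GPO, Profile | Format-Table -AutoSize
```

An empty result only means no GPO sets this one value; it says nothing about other settings that may behave differently after an upgrade.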






