Todd, ditto congrats below ;-)

Careful with that NSA paper, I know the one you mean I think, and as you can
imagine it does indeed break a lot of strange things.  We were all gung-ho
security ra-ra and then had to start pruning, and still some of the things
came back to get us.  Like registry permissions section had to be applied
but oh also install these smart card readers by November and gee they don't
work now and not even the vendor could figure it out....

To expound a little on what Darren talked about - there was a little tidbit
about logon banners - if you edit the Default Domain GPO with XP, in the
security section, the logon banner gets truncated at 255 characters (I think
255, there's a KB on it).  You have to go fix it with a Win2K box.  At
least, this was the behavior on a Win2K AD with SP3 and XP SP1.  I don't
know what other things might have occurred like that, this one was an
obvious one.

Rich

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 30, 2004 9:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] XP and 2003 ADM templates and GPO's

Thanks Darren...

I found a pretty good White Paper on the NSA site about XP as well.

I just want to make sure I fully understood all aspects of the XP GPO stuff
since there was a lot of information out there.

Todd

-----Original Message-----
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 30, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] XP and 2003 ADM templates and GPO's

Todd-
Congrats on your MVP!

#1 below is correct. #2 is also correct. As far as losing settings that
have been "retrograded", my experience is that you don't. That is, if
you take an XP-created GPO, make some changes to it and then "downgrade"
it by editing it with a Win2K box, when you then go back and
"re-upgrade" it using XP, the original settings that were XP only are
still there. 

This is a good reason why, once you start editing GPOs in XP, you should
always do so going forward. XP is much smarter about this. That is, if
XP finds a Win2K GPO, it leaves the ADM files alone unless you
explicitly upgrade them. Win2K just goes and overwrites the ADMs in a
GPO on its own without asking. Very rude that way. Also, since there is
new CSE functionality in XP (e.g. Software Restriction Policy) that is
not supported in Win2K, if you edit GPOs that have been upgraded on
Win2K, you won't see these policy areas. Not useful.

Darren 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Friday, January 30, 2004 11:52 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] XP and 2003 ADM templates and GPO's

Greetings all, I am looking for the best way to update the default ADM
templates to support XP and 2003 servers.

According to all the documentation I can find and some of my own
testing, I have been able to update existing GPO's to use the newer XP
ADM templates without a problem.  I am concerned about creating new GPO
objects though.  If you create them using AD U&C on a 2K workstation
that hasn't updated their ADM templates it appears to default to
creating new GPO's using the original ADM templates.  So in order to
create NEW GPO objects with the new XP settings the machine has to have
the XP ADM templates installed.  It also appears that if you modify an
existing XP GPO using the same 2K workstation it will use the 2K ADM
templates unless you overwrite them with XP ADM templates.

So for my own sanity I just wanted to verify the following with you all.

1.  If you want to upgrade existing GPO's to use XP ADM or 2003 ADM
templates you need to manually update the machine you are working from
ADM templates, then on the OU, select the GPO you want to upgrade, EDIT
it, then under administration templates right click and select
add/remove templates and add then remove the old 2K templates and add
the new XP or 2003 ones.

2.  If you try to modify an XP GPO in the AD using a machine that doesn't
have the newer XP ADM templates installed, my experience is it will
default to using the older templates even though the actual GPO is
newer.  

Q. Is this what many of you experienced?
Q. If this is true, if you save the GPO will it overwrite the GPO using
the older template settings and drop the XP and 2003 settings?

Thanks,

Todd

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
