Getting Started on GPanswers.com
I am somewhat confused as to what to do for my setup in regards to the policies for :
Always use local ADM files for GPO editor
Turn off automatic update of ADM files
I control GPOs for my domain (only one domain). Based on what I have read in Jeremy's book, I have created a GPO management pc which everyone uses (really no one but me...) to edit the GPOs. However, I understand that anytime another admin opens a GPO in the editor, even to view the settings of that GPO their local ADM files will be uploaded to the domain controller by default. I cannot control other user's ability to view/install the GPO edits and I can't force them to use the same workstation I am using.
What is the best practice regarding this? Should I prevent automatic update of ADM files through my default domain policy. And, if I do choose this option do I need to have it in both my default domain policy and my domain controller policy so that no matter where they are viewing these files from it will not overwrite the existing files?
Also, if I do go with this option, what happens when I finally need to update the adm files on the DC. Will I manually copy them from my GPO management machine over to the DC sysvol?
Any insight would be greatly appreciated!
Thanks!
Allison
30+ Helpful Posts
50+ Helpful Posts
Hi Alison,
have just read your post and I am coming accross exactly the same problem.
I am unsure like you th best way to update adm files.
I think what you said sounds correct about forcing the setting to always use local adm files, there is also another setting about auto update of adm files.
Have you had any progress your side with this?
Kev
Getting Started on GPanswers.com
Kev,
I did get part of this post answered. Microsoft came out to our office to perform an Active Directory Health Check (I strongly recommend it for anyone that has a premier agreement). The tech referred me to two articles (816662 and 316977) regarding GPOs and templates.
Based on the articles Microsoft's recommendation is:
Turn off automatic updates of ADM files
Always use local ADM files for Group Policy editor
The articles explain more about this.
Best of luck
Allison
30+ Helpful Posts
50+ Helpful Posts
Thanks for the tips.
Have you implemented a Group Policy Management station?
If so, is that the only machine that can administer GPOs?
What scenario/settings did you choose?
Have you had to deal with a service pack upgrade yet on the Group Policy Management Station? If so, how did this go, what process did you have to follow
Getting Started on GPanswers.com
Yes, we implemented a GPO management workstation. Its a pc locked in the data center that only the AD team can get to in order to handle GPOs.
Originally, I set it up with XP then when we moved to SP2 I first ran the SP2 upgrade on that pc (make sure to be physically in front to turn off the firewall) then I used GP Management to create new SP2 GPOs.
Other than that there isn't a whole lot of settings on the management pc.
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote