I am tired of hearing people say they don’t want to deploy Windows 7 because they can’t manage it properly on their Windows 2003 domain.
This is utter rubbish.
I heard this all before with Vista, and it wasn’t true then either. Here’s a summary of some of the idiocy I’ve seen:
- “You have to have Windows Server 2008 R2 to join Windows 7 to the domain” – UTTERLY WRONG.
- “We can’t use any of the new Group Policy settings because we don’t have Windows Server 2008/2008 R2” – PLAIN WRONG.
- “We’d have to upgrade our domain schema to support the new Group Policy settings” – UNTRUE.
and along with them, the slightly different but equally ill-informed:
- “We can’t use Group Policy Preferences because we don’t have Windows Server 2008/2008 R2” – ALSO WRONG.
OK, listen in, morons. I will now explain how you (yes YOU), can manage Windows 7 using Group Policy and Group Policy Preferences with only Windows Server 2003 servers on your domain. This is a technical article, so try to keep up.
Windows 7 on the domain
First things first: Windows 7, just like Windows 2000, XP and Vista before it, can be joined to a domain that is running an earlier generation of the Windows Server product. The limit is that you must have a Windows 2000-level domain – an NT4 domain won’t work (previous versions, up to and including Vista, could do this). Remember that Group Policy didn’t exist in NT4, so if your domain is still on NT4, you’re wasting your time here. The 90s called, and they want their domain functional level back. It’s time to upgrade.
Group Policy
Windows 7 has a lot of new configurable options in Group Policy, but almost all of them do not require any change to the Active Directory, nor do they require a Windows Server 2008 or 2008 R2 server to use them. They are also completely optional. If you have a functioning and locked-down XP client environment on your Server 2003 domain, those settings will apply to Windows 7.
There are a few exceptions to this, such as BitLocker, which requires a schema upgrade. No-one’s forcing you to use it.
So, how do you configure these lovely new Group Policy settings without having Server 2008 R2 on the domain? Well, there are only two steps involved:
RSAT
First, you do need a Windows 7 machine – but then you were going to add one of those to the domain anyway, or we wouldn’t be having this conversation.
Once it’s on the domain, follow these instructions to install the Remote Server Administration Tools for Windows 7.
For those not familiar with RSAT from Vista (presumably because you are a Luddite who claimed Vista was rubbish and so never deployed it), these replace the Administration Tools Pack that was released for Windows XP, and allow you to manage the most common features on a Windows Server remotely, including (guess what) Group Policy.
Now you can manage your domain’s Group Policy from a Windows 7 machine, you’re halfway there. What you now need to do is expose the new ADM templates. Wait, did I say ADM templates? Whoops, they’re gone (though still supported if you have a bunch of custom ADM templates hanging around). From Server 2008 onwards, Group Policy templates are now in the ADMX format, which as you may have guessed, is an XML format. What’s more, Server 2008 introduced an extremely useful feature with which to expose ADMX templates to the entire domain: the Central Store.
The Central Store
The Central Store is a location within SYSVOL that houses a master copy of all the ADMX templates you use on your domain. Any template kept in the Central Store will be automatically loaded into GPMC on any Vista or Windows 7 workstation.
To create the Central Store, simply follow these instructions in KB929841.
The article was written for Vista, but the procedure is identical for Windows 7; you simply use a Windows 7 machine as your source for the ADMX templates. That’s right, all the ADMX templates you need are already on your Windows 7 machine. You just need to copy them to the right place in SYSVOL, and you’re done.
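The copy step described above, as an added example (not part of the original article or of KB929841): a PowerShell 2.0 script that creates the Central Store, copies the local templates into it and then checks that nothing was left behind. It assumes you are logged on with a domain account that can write to SYSVOL, that the store lives at the standard `Policies\PolicyDefinitions` path under the domain's SYSVOL share, and that `en-US` is the language folder you want; the parameter and function names are made up for illustration.

```powershell
# Added example: populate the Group Policy Central Store from a Windows 7 machine.
# Run as an account with write access to SYSVOL (e.g. a Domain Admin).
# Sticks to PowerShell 2.0 cmdlets, the version that ships with Windows 7.
param(
    [string]$Domain   = $env:USERDNSDOMAIN,   # assumption: logged on with a domain account
    [string]$Language = 'en-US'               # assumption: language folder to copy
)

if (-not $Domain) { throw 'No domain name found; pass -Domain explicitly.' }

$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path (Join-Path $source $Language))) {
    throw "Local language folder '$Language' not found under $source."
}

# Create the store and its language subfolder if they do not exist yet.
foreach ($dir in $store, (Join-Path $store $Language)) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Copy the language-neutral .admx files, then the matching .adml resources.
Copy-Item (Join-Path $source '*.admx') $store -Force
Copy-Item (Join-Path $source "$Language\*.adml") (Join-Path $store $Language) -Force

# Verify: every local template must now exist in the store with the same size.
function Get-Listing($root) {
    Get-ChildItem $root -Filter *.admx | ForEach-Object { "$($_.Name)|$($_.Length)" }
    Get-ChildItem (Join-Path $root $Language) -Filter *.adml |
        ForEach-Object { "$Language\$($_.Name)|$($_.Length)" }
}
$missing = Compare-Object (Get-Listing $source) (Get-Listing $store) |
    Where-Object { $_.SideIndicator -eq '<=' }

if ($missing) {
    $missing | ForEach-Object { Write-Warning "Not in Central Store: $($_.InputObject)" }
} else {
    Write-Host "Central Store at $store matches $source"
}
```

`-Force` overwrites templates of the same name that are already in the store, so run it from the machine with the newest templates you intend to manage.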
Congratulations, you can now manage all of the new Group Policy settings for Windows 7 without having to upgrade a single server. So, no more excuses, OK?
Group Policy Preferences
If you haven’t seen Group Policy Preferences yet, you’re going to like them. Say goodbye to authoring custom ADM templates – and half your login scripts as well. Check out this guide by Group Policy MVP Florian Frommherz: 10 things Group Policy Preferences can do better than your current script.
As soon as you fire up GPMC after installing it on Windows 7, you’ll notice that Group Policy Preferences support is available. Again, you don’t need Server 2008 or 2008 R2 to use them. Just start configuring them, and they’ll start applying to your Vista and Windows 7 workstations. If you want (and you know you do), you can also install the Group Policy Preferences CSE on Windows XP and Server 2003 machines, and your GPP settings will apply to those too. Just approve KB943729 in WSUS, and you’re away. Not using WSUS? Well, if you’re that kind of sadist, you can grab the standalone installers here.
Now, get out there and get deploying, you idiots!


Besides Bitlocker, Wireless settings also require a schema upgrade.
But given the fact that mainstream support for WS03 is ending, and upgrading DCs is one of the simplest tasks there is, I don’t see why anyone is still using WS03 DCs. Except maybe if they’re idiots and didn’t purchase SA.
Excellent point about the new wireless settings, something I shouldn’t have forgotten about since I did those schema upgrades myself a few weeks ago. Similarly, configuring 802.1x on wired networks also requires an upgrade.
In my experience there are a lot of people who didn’t buy SA, especially in schools in the UK. Becta, the Government quango that advises schools on IT issues, still claims that SA represents poor value for money and recommends against it. My DCs are also still on 2003 because I inherited an ageing network solution supplied by an external company that has a lot of proprietary software that doesn’t run on anything else. I’m planning to scrap it next year.
Thank you, this was a nice clear article on these features. Something I can easily refer to in the future, instead of pounding away in search engines.
Oh my, turning from abusing suppliers and the IT industry in general, to abusing your readers.
Still, maybe I get a couple of days’ relaxation before your guns turn back onto the “industry” :)
I’m planning to use this post as a destination to link to every time I read a variation of the above nonsensical remarks by someone who would already know the answers if they hadn’t stuck their head in the sand about Vista. The idea for the title was shamelessly stolen from Bob the Angry Flower, and the article just naturally followed from there…
P.S. You’ll notice that the two articles following this one are gunning for your two most hated competitors, so hopefully that will be restful for you.