The Angry Technician’s Guide to Managing Windows 7, you Idiots
I am tired of hearing people say they don’t want to deploy Windows 7 because they can’t manage it properly on their Windows 2003 domain.
This is utter rubbish.
I heard this all before with Vista, and it wasn’t true then either. Here’s a summary of some of the idiocy I’ve seen:
- “You have to have Windows Server 2008 R2 to join Windows 7 to the domain” – UTTERLY WRONG.
- “We can’t use any of the new Group Policy settings because we don’t have Windows Server 2008/2008 R2” – PLAIN WRONG.
- “We’d have to upgrade our domain schema to support the new Group Policy settings” – UNTRUE.
and along with them, the slightly different but equally ill-informed:
- “We can’t use Group Policy Preferences because we don’t have Windows Server 2008/2008 R2” – ALSO WRONG.
OK, listen in, morons. I will now explain how you (yes YOU), can manage Windows 7 using Group Policy and Group Policy Preferences with only Windows Server 2003 servers on your domain. This is a technical article, so try to keep up.
Windows 7 on the domain
First things first: Windows 7, just like Windows 2000, XP and Vista before it, can be joined to a domain that is running an earlier generation of the Windows Server product. The limit is that you must have a Windows 2000-level domain – an NT4 domain won’t work (previous versions, up to and including Vista, could do this). Remember that Group Policy didn’t exist in NT4, so if your domain is still on NT4, you’re wasting your time here. The 90s called, and they want their domain functional level back. It’s time to upgrade.
Windows 7 has a lot of new configurable options in Group Policy, but almost all of them do not require any change to the Active Directory, nor do they require a Windows Server 2008 or 2008 R2 server to use them. They are also completely optional. If you have a functioning and locked-down XP client environment on your Server 2003 domain, those settings will apply to Windows 7.
There are a few exceptions to this, such as BitLocker, which requires a schema upgrade. No-one’s forcing you to use it.
So, how do you configure these lovely new Group Policy settings without having Server 2008 R2 on the domain? Well, there are only two steps involved:
First, you do need a Windows 7 machine – but then you were going to add one of those to the domain anyway, or we wouldn’t be having this conversation.
Once it’s on the domain, follow these instructions to install the Remote Server Administration Tools for Windows 7.
For those not familiar with RSAT from Vista (presumably because you are a Luddite who claimed Vista was rubbish and so never deployed it), these replace the Administration Tools Pack that was released for Windows XP, and allow you to manage the most common features on a Windows Server remotely, including (guess what) Group Policy.
Now that you can manage your domain’s Group Policy from a Windows 7 machine, you’re halfway there. What you now need to do is expose the new ADM templates. Wait, did I say ADM templates? Whoops, they’re gone (though still supported if you have a bunch of custom ADM templates hanging around). From Server 2008 onwards, Group Policy templates are in the ADMX format, which, as you may have guessed, is an XML format. What’s more, Server 2008 introduced an extremely useful feature with which to expose ADMX templates to the entire domain: the Central Store.
The Central Store
The Central Store is a location within SYSVOL that houses a master copy of all the ADMX templates you use on your domain. Any template kept in the Central Store will be automatically loaded into GPMC on any Vista or Windows 7 workstation.
To create the Central Store, simply follow these instructions in KB929841.
The article was written for Vista, but the procedure is identical for Windows 7; you simply use a Windows 7 machine as your source for the ADMX templates. That’s right, all the ADMX templates you need are already on your Windows 7 machine. You just need to copy them to the right place in SYSVOL, and you’re done.
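For those who would rather script the copy than drag folders around, here is an added example (not taken from the KB article or from Microsoft) that builds the Central Store from the local templates. It assumes the logged-on account's domain (`USERDNSDOMAIN`) is the one you are managing and that the account can write to SYSVOL; the `Copy-MissingTemplate` helper is a name made up for this sketch.

```powershell
# Added example: build the Central Store from this Windows 7 machine's templates.
# Run elevated, as an account allowed to write to SYSVOL. PowerShell 2.0 compatible.
$ErrorActionPreference = 'Stop'

# Assumption: the logged-on account's domain is the domain being managed.
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'No USERDNSDOMAIN: log on with a domain account.' }

$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# Hypothetical helper: copy files matching $Pattern, skipping any that already
# exist so an existing store is never silently overwritten.
function Copy-MissingTemplate($From, $To, $Pattern) {
    if (-not (Test-Path $To)) { New-Item -Path $To -ItemType Directory | Out-Null }
    Get-ChildItem -Path $From -Filter $Pattern | ForEach-Object {
        $target = Join-Path $To $_.Name
        if (Test-Path $target) {
            Write-Warning "Skipped (already in store): $target"
        } else {
            Copy-Item -Path $_.FullName -Destination $target
        }
    }
}

# Language-neutral .admx files go in the root of the store.
Copy-MissingTemplate $source $store '*.admx'

# Each language folder (en-US and so on) holds the matching .adml files.
Get-ChildItem -Path $source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    Copy-MissingTemplate $_.FullName (Join-Path $store $_.Name) '*.adml'
}

# Confirm every local template now has a counterpart in the store.
$missing = @(Get-ChildItem -Path $source -Filter '*.admx' |
    Where-Object { -not (Test-Path (Join-Path $store $_.Name)) })
"{0} template(s) missing from {1}" -f $missing.Count, $store

# Review who can write here: anyone who can changes what every GPMC user sees.
(Get-Acl $store).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
```

Once the store exists, GPMC on Vista and Windows 7 reads its templates from there instead of from the local PolicyDefinitions folder, so check the skipped-file warnings before assuming the store matches this machine.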
Congratulations, you can now manage all of the new Group Policy settings for Windows 7 without having to upgrade a single server. So, no more excuses, OK?
Group Policy Preferences
If you haven’t seen Group Policy Preferences yet, you’re going to like them. Say goodbye to authoring custom ADM templates – and half your login scripts as well. Check out this guide by Group Policy MVP Florian Frommherz: 10 things Group Policy Preferences can do better than your current script.
As soon as you fire up GPMC after installing it on Windows 7, you’ll notice that Group Policy Preferences support is available. Again, you don’t need Server 2008 or 2008 R2 to use them. Just start configuring them, and they’ll start applying to your Vista and Windows 7 workstations. If you want (and you know you do), you can also install the Group Policy Preferences CSE on Windows XP and Server 2003 machines, and your GPP settings will apply to those too. Just approve KB943729 in WSUS, and you’re away. Not using WSUS? Well, if you’re that kind of sadist, you can grab the standalone installers here.
A word of warning though: some parts of Group Policy Preferences don’t quite work the way they should. Unfortunately, Microsoft made a classic mistake by buying in the technology from another company and assuming it worked as solidly as normal Group Policy. It doesn’t. I’ve encountered some odd bugs with security group filtering in particular that can make things quite frustrating, so until Windows 7 SP1 is released, which (hopefully) includes all the fixes, your best bet if you have similar issues is to install the latest available hotfix.
As of October 2010, that would be KB2385775. Yes, I know it says it’s a patch for Server 2008 R2, but 2008 R2 and Windows 7 share the same codebase, and this patch resolved all the problems I was having when I pushed it to my Windows 7 clients.
Now, get out there and get deploying, you idiots!