The Angry Technician’s Guide to Managing Windows 7, you Idiots

I am tired of hearing people say they don’t want to deploy Windows 7 because they can’t manage it properly on their Windows 2003 domain.

This is utter rubbish.

I heard all this before with Vista, and it wasn’t true then either. Here’s a summary of some of the idiocy I’ve seen:

  • “You have to have Windows Server 2008 R2 to join Windows 7 to the domain” – UTTERLY WRONG.
  • “We can’t use any of the new Group Policy settings because we don’t have Windows Server 2008/2008 R2” – PLAIN WRONG.
  • “We’d have to upgrade our domain schema to support the new Group Policy settings” – UNTRUE.

and along with them, the slightly different but equally ill-informed:

  • “We can’t use Group Policy Preferences because we don’t have Windows Server 2008/2008 R2” – ALSO WRONG.

OK, listen in, morons. I will now explain how you (yes YOU), can manage Windows 7 using Group Policy and Group Policy Preferences with only Windows Server 2003 servers on your domain. This is a technical article, so try to keep up.

Windows 7 on the domain

First things first: Windows 7, just like Windows 2000, XP and Vista before it, can be joined to a domain that is running an earlier generation of the Windows Server product. The one limit is that your domain must be at least Windows 2000-level – an NT4 domain won’t work (previous versions, up to and including Vista, could do this). Remember that Group Policy didn’t exist in NT4, so if your domain is still on NT4, you’re wasting your time here. The 90s called, and they want their domain functional level back. It’s time to upgrade.

Group Policy

Windows 7 adds a lot of new configurable options in Group Policy, but almost none of them require any change to Active Directory, and none of them require a Windows Server 2008 or 2008 R2 domain controller. They are also completely optional. If you have a functioning and locked-down XP client environment on your Server 2003 domain, the settings you already use will apply to Windows 7 as well. (A handful of settings are Windows 7-only and a few XP-era ones are ignored by Windows 7, so check the “Supported on” field of any setting you depend on.)

There are a few exceptions to this, such as backing up BitLocker recovery information to Active Directory, which requires a schema extension on Server 2003; the new wireless and wired (802.1X) network policies are in the same boat. No-one’s forcing you to use them.

So, how do you configure these lovely new Group Policy settings without having Server 2008 R2 on the domain? Well, there are only two steps involved:

  1. Install RSAT on a Windows 7 machine.
  2. Create an ADMX Central Store on your domain.

RSAT

First, you do need a Windows 7 machine – but then you were going to add one of those to the domain anyway, or we wouldn’t be having this conversation.

Once it’s on the domain, install the Remote Server Administration Tools for Windows 7 (KB958830). Note that the RSAT package installs with every tool switched off: you then have to turn on the Group Policy Management Tools under Programs and Features > Turn Windows features on or off before GPMC appears.

For those not familiar with RSAT from Vista (presumably because you are a Luddite who claimed Vista was rubbish and so never deployed it), these replace the Administration Tools Pack that was released for Windows XP, and allow you to manage the most common features on a Windows Server remotely, including (guess what) Group Policy.

Now you can manage your domain’s Group Policy from a Windows 7 machine, you’re halfway there. What you now need to do is expose the new ADM templates. Wait, did I say ADM templates? Whoops, they’re gone (though still supported if you have a bunch of custom ADM templates hanging around). From Vista and Server 2008 onwards, Group Policy templates are in the ADMX format, which, as you may have guessed, is XML; each .admx file is paired with a language-specific .adml file (in a subfolder such as en-US) that holds its display strings. What’s more, Vista and Server 2008 introduced an extremely useful feature with which to expose ADMX templates to the entire domain: the Central Store.

The Central Store

The Central Store is a location within SYSVOL that houses a master copy of all the ADMX templates you use on your domain. Any template kept in the Central Store will be loaded automatically by the Group Policy editor on any Vista or Windows 7 workstation, in place of that workstation’s own local PolicyDefinitions folder.

To create the Central Store, simply follow these instructions in KB929841.

The article was written for Vista, but the procedure is identical for Windows 7; you simply use a Windows 7 machine as your source for the ADMX templates. That’s right, all the ADMX templates you need are already on your Windows 7 machine, in %SystemRoot%\PolicyDefinitions. Copy the .admx files and the language subfolder(s) of .adml files to SYSVOL\<domain>\Policies\PolicyDefinitions, let SYSVOL replicate to your other DCs, and you’re done. One caveat: once a Central Store exists the editor ignores the local templates entirely, so when a service pack or a new product ships updated ADMX files you must refresh the store as well, or their settings will never show up.
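The two steps above, scripted, as an added example (this is not from the original post or KB929841). It assumes it is run on a domain-joined Windows 7 machine by someone who can write to SYSVOL (normally Domain Admins); the domain and the PDC emulator are read from the machine’s own domain membership, so no names are hard-coded.

```powershell
# Added example, not from the original post: create or refresh the ADMX
# Central Store using the templates shipped with the Windows 7 machine this
# runs on. Assumes RSAT (KB958830) with the Group Policy Management feature
# is installed, and that you are logged on with rights to write to SYSVOL
# (normally Domain Admins).

$dom    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $dom.PdcRoleOwner.Name   # write to the PDC emulator and let replication fan out
$Source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Store  = "\\$pdc\SYSVOL\$($dom.Name)\Policies\PolicyDefinitions"

# The source must contain .admx files plus at least one language folder
# (e.g. en-US) holding the matching .adml display-string files.
$admx  = @(Get-ChildItem $Source -Filter *.admx)
$langs = @(Get-ChildItem $Source | Where-Object { $_.PSIsContainer })
if ($admx.Count -eq 0 -or $langs.Count -eq 0) {
    throw "No ADMX templates or language folders found in $Source"
}

if (-not (Test-Path $Store)) {
    New-Item -ItemType Directory -Path $Store | Out-Null
}

# /XO copies only files newer than what is already in the store, so running
# this from an older machine never downgrades templates that a newer Windows 7
# build or service pack has already provided. robocopy exit codes >= 8 mean failure.
robocopy $Source $Store *.admx /XO /NJH /NJS /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed copying .admx files (exit $LASTEXITCODE)" }
foreach ($lang in $langs) {
    $dest = Join-Path $Store $lang.Name
    robocopy $lang.FullName $dest *.adml /XO /NJH /NJS /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed copying $($lang.Name) (exit $LASTEXITCODE)" }
}

# Verify: the editor will not load an .admx whose .adml is missing for the
# current UI language, so make sure every template has its strings.
$storeAdmx = @(Get-ChildItem $Store -Filter *.admx | ForEach-Object { $_.BaseName })
foreach ($lang in @(Get-ChildItem $Store | Where-Object { $_.PSIsContainer })) {
    $adml    = @(Get-ChildItem $lang.FullName -Filter *.adml | ForEach-Object { $_.BaseName })
    $missing = @($storeAdmx | Where-Object { $adml -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning ("{0}: no .adml for {1}" -f $lang.Name, ($missing -join ', '))
    }
}
"Central Store {0} holds {1} templates in {2} language(s)" -f $Store, $storeAdmx.Count, $langs.Count
```

Run it once, give FRS time to replicate SYSVOL to your other domain controllers, then open a GPO in GPMC and hover over Administrative Templates: the tooltip should say the ADMX files were retrieved from the central store. Run it again after installing a service pack on your source machine to pick up any revised templates.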

Congratulations, you can now manage all of the new Group Policy settings for Windows 7 without having to upgrade a single server. So, no more excuses, OK?

Group Policy Preferences

If you haven’t seen Group Policy Preferences yet, you’re going to like them. Say goodbye to authoring custom ADM templates – and half your login scripts as well. Check out this guide by Group Policy MVP Florian Frommherz: 10 things Group Policy Preferences can do better than your current script.

As soon as you fire up GPMC after installing it on Windows 7, you’ll notice that Group Policy Preferences support is available. Again, you don’t need Server 2008 or 2008 R2 to use them. Just start configuring them, and they’ll start applying to your Vista and Windows 7 workstations. If you want (and you know you do), you can also install the Group Policy Preferences CSE on Windows XP and Server 2003 machines, and your GPP settings will apply to those too. Just approve KB943729 in WSUS, and you’re away. Not using WSUS? Well, if you’re that kind of sadist, you can grab the standalone installers here.

A word of warning though: some parts of Group Policy Preferences don’t quite work the way they should. Unfortunately, Microsoft made a classic mistake by buying in the technology from another company and assuming it worked as solidly as normal Group Policy. It doesn’t. I’ve encountered some odd bugs with security group filtering in particular that can make things quite frustrating, so until Windows 7 SP1 is released which (hopefully) includes all the fixes, your best bet if you have similar issues is to install the latest available hotfix.

As of October 2010, that would be KB2385775. Yes, I know it says it’s a patch for Server 2008 R2, but 2008 R2 and Windows 7 share the same codebase, and this patch resolved all the problems I was having when I pushed it to my Windows 7 clients.
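Because every GPP item is just an XML file in SYSVOL (under <GPO>\Machine or User\Preferences\<Area>\<Area>.xml), you can audit exactly what you have deployed and which items carry item-level targeting, which is where the security-group filtering trouble mentioned above lives. The following is an added example, not code from the original post: it parses GPP XML, reports each item’s action and targeting filters, and flags any item that embeds a cpassword attribute, because a password typed into a GPP item (local user, drive map, scheduled task and so on) is stored in SYSVOL in a reversibly encrypted form that every domain user can read. It runs against a constructed sample built inline; point Get-GppReport at \\<domain>\SYSVOL\<domain>\Policies to audit a real domain.

```powershell
# Added example, not from the original post: audit Group Policy Preferences XML.
# Assumes the standard GPP XML layout (root element = area, child = item,
# Properties and optional Filters beneath each item).

function Get-GppItems {
    param([xml]$Document, [string]$Source = '(inline)')
    foreach ($item in $Document.DocumentElement.ChildNodes) {
        if ($item.NodeType -ne 'Element') { continue }
        $props   = $item.SelectSingleNode('Properties')
        $filters = @()
        foreach ($f in $item.SelectNodes('Filters/*')) {
            # Render each item-level targeting clause, e.g. "FilterGroup AND CORP\Laptops"
            $neg = if ($f.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
            $filters += '{0} {1} {2}{3}' -f $f.LocalName, $f.GetAttribute('bool'), $neg, $f.GetAttribute('name')
        }
        $action = if ($props -ne $null) { $props.GetAttribute('action') } else { '' }
        New-Object PSObject -Property @{
            Source      = $Source
            Area        = $Document.DocumentElement.LocalName
            Item        = $item.LocalName
            Name        = $item.GetAttribute('name')
            Action      = $action
            Targeting   = $filters -join '; '
            HasPassword = ($props -ne $null) -and $props.HasAttribute('cpassword')
        }
    }
}

function Get-GppReport {
    param([string]$Path)   # e.g. \\corp.example.com\SYSVOL\corp.example.com\Policies
    Get-ChildItem $Path -Recurse -Include *.xml |
        Where-Object { $_.FullName -match '\\Preferences\\' } |
        ForEach-Object { Get-GppItems ([xml](Get-Content $_.FullName)) $_.FullName }
}

# Constructed sample (no real domain, SID or password): a local-user item
# targeted at a security group and carrying a stored password, plus a
# harmless drive map with no targeting at all.
$sampleGroups = [xml]@'
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin" changed="2010-10-01 12:00:00">
    <Properties action="U" userName="localadmin" cpassword="AAAAAAAAAAAAAAAAAAAAAA==" neverExpires="1"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\Laptops" sid="S-1-5-21-0-0-0-1105" userContext="0" primaryGroup="0" localGroup="0"/>
    </Filters>
  </User>
</Groups>
'@
$sampleDrives = [xml]@'
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:" changed="2010-10-01 12:00:00">
    <Properties action="U" path="\\fileserver\home\%LogonUser%" letter="H" label="Home"/>
  </Drive>
</Drives>
'@

$items = @(Get-GppItems $sampleGroups 'Groups.xml') + @(Get-GppItems $sampleDrives 'Drives.xml')
$items | Format-Table Area, Item, Name, Action, Targeting, HasPassword -AutoSize
$items | Where-Object { $_.HasPassword } | ForEach-Object {
    Write-Warning ("Stored password in {0} item '{1}' ({2}) - remove it and set the password another way" -f $_.Area, $_.Name, $_.Source)
}
```

When a targeted item isn’t applying, the Targeting column tells you at a glance which group, OS or other clause the client has to satisfy, which is the first thing to check before blaming the CSE. Anything the warning flags should come out of GPP entirely; SYSVOL is readable by Authenticated Users by design, so a password in there is not a secret.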

Now, get out there and get deploying, you idiots!


About The Angry Technician

The Angry Technician is an experienced IT professional in the UK education sector. Normally found in various states of annoyance on his blog. All views are those of his imaginary pet dog, Howard.

28 responses to “The Angry Technician’s Guide to Managing Windows 7, you Idiots”

  1. Lukas Beeler says :

    Besides Bitlocker, Wireless settings also require a schema upgrade.

    But given the fact that mainstream support for WS03 is ending, and upgrading DC’s is one of the simplest tasks there is, i don’t see why anyone is still using WS03 DCs. Except maybe if they’re idiots and didn’t purchase SA.

    • AngryTechnician says :

      Excellent point about the new wireless settings, something I shouldn’t have forgotten about since I did those schema upgrades myself a few weeks ago. Similarly, configuring 802.1x on wired networks also requires an upgrade.

      In my experience there are a lot of people who didn’t buy SA, especially in schools in the UK. Becta, the Government quango that advises schools on IT issues, still claims that SA represents poor value for money and recommends against it. My DCs are also still on 2003 because I inherited an ageing network solution supplied by an external company that has a lot of proprietary software that doesn’t run on anything else. I’m planning to scrap it next year.

  2. Craig says :

    Thank you, this was a nice clear article on these features. Something I can easily refer to in the future, instead of pounding away in search engines.

  3. Ray says :

    Oh my, turning from abusing suppliers and the IT industry in general, to abusing your readers.

    Still, maybe I get a couple of days relaxation before your guns back onto the “industry” :)

    • AngryTechnician says :

I’m planning to use this post as a destination to link to every time I read a variation of the above nonsensical remarks by someone who would already know the answers if they hadn’t stuck their head in the sand about Vista. The idea for the title was shamelessly stolen from Bob the Angry Flower, and the article just naturally followed from there…

  4. CCWalsh says :

    I bought an HP Pavilion notebook for $1800. It took me 2 weeks to get it up and running because of all the software and data I had to transfer. On the day it turned 5 weeks old, it died. Dead.

    HP’s IT hadn’t a clue. Their only response was send it in for repair. 4-6 week w/o a computer. I asked for a refund. They refused because I was over the 3 week return policy. 3 WEEKS !!!

    They have perfected their return window so that most people will not find the problems with their computers (that HP is well aware of) until after the return period expires. Then, they hire incompetent IT people forcing their customers to send the equipment in for repair- at their convenience and in their own time table.

    It’s a big scam on consumers who pay $$$ for IT service in the price of their computer. And, there is nothing and no one who can make them honor their agreement to provide on site and phone assistance. They just demand you mail in your computer.

    By the way, a geek on YouTube showed me how to fix the major issue. Then I had to figure out how to undo the mess the IT guy made on my notebook. He took 3 hours to disable and/or delete Outlook, Norton, my graphic software, the fingerprint reader, and freeze my cursor. I finally fixed most of the issues myself- I had nothing to lose at that point so I went in and started fixing. So far, so good but no satisfaction from HP.

    You can’t even call HP to complain at their corporate headquarters. Their operators refuse to put through client complaints to anyone. Apparently, consumers are not a priority. We are just a nuisance.

  5. Chandresh Varsani says :

Has anyone had any success in achieving the management of Windows Vista & Windows 7 from a Server 2003 based domain?

    I have tried following this to no avail, other similar sites also mention using a Server 2008 disc to extend the domain schema using ADPrep util, which is a last resort to try.

    Am stumped. Any help greatly appreciated

  6. Keith says :

This worked great! My GP scripts on our 2003 domain controller servers pick up perfectly. Although I’ve noticed some of the GP preference settings don’t, such as our lockout policy: if a user leaves a workstation idle for 15 minutes the PC locks. SP1 is installed so I’m unsure what to do next to make those work. Any help is much appreciated.

    • jimbobmcgee says :

      Do you set the lockout policy using the standard Control Panel/Display GPO template, or did you use some other Registry-fu in your GPP?

      We set ours using the Display template and found that it would work, provided it could find the screensaver .scr file on the system. They removed the old common, bouncing Windows logo screensaver, login.scr, from Win7, so we had to change our GPO to use “Blank Screen” (scrnsave.scr), which was common to both OS versions.

  7. Dan says :

    Ok. Got a question for ya then. Does Windows Server 2008 (not R2) have the capabilities to manage Windows 7? I’ve copied all the admx files over to the central store from an existing Windows 7 box and tried to implement both changes to existing GPOs and new GPOs to no avail. I did this through the GPMC loaded on the 2008 domain controller itself.

    Because of licensing and hardware resource constraints I’d like to be able to manage this on the Server 2008 domain controller if it’s possible.

    • The Angry Technician says :

What you’re trying to do should work. Is the problem that the new settings do not appear in the Group Policy editor, or that they appear but are not applied?

      • Dan says :

        Within GPMC on the Server 2008 box I can see the GPOs and Preferences section within the GPOs. And when I highlight and hold the mouse pointer over the Administrative Templates section, it shows “…. (ADMX files) retrieved from the central store”. So it appears that things are working. However, for the power settings I’m trying to configure in preferences only allow for (Windows XP) Options and Scheme settings to be created. There’s no options for Windows Vista or greater that I would expect to see.

        Any ideas? Are the preferences something that is referred to somewhere other than the PolicyDefinitions that should now be being accessed from the Sysvol? And should contain Windows 7’s ADMX files (dated 6/10/2009 in my case). The dates on the ADMX files in the c:\Windows\PolicyDefinitions folder on the 2008 server is 1/19/2008.

  8. Troy says :

    Thank You for these instructions! I had to figure out how to push a registry setting out to fix a printer duplexing problem that Adobe introduced into Acrobat X 10.1.2. All clients are Win7 running on a 2003 domain. 2003 will be replaced within the next few months, but the company has been in no real hurry because it worked and they have not seen a need to upgrade yet. At first the settings were not being pushed down, spent a while trying to figure it out, I am guessing it helps if your test standard user account exists in the OU that you are testing and the reg key you are pushing is in HKCU! DOH! Thanks again.

    • jimbobmcgee says :

      At times like that, without GPP, psexec.exe from Sysinternals is your free best friend…

      psexec \\* reg add HKLM\Software\PrinterFix /v fixme /d 1 /t REG_DWORD /f

      …will enumerate the machines on your domain and add a value to the registry of the ones that are currently turned on…

  9. Gary says :

Thanks for that, your article gave me a kickstart for moving to Windows 7, saving hours of trudging through MS docs.

  10. Knaphie says :

    Quality. Many thanks.
    I particularly liked the “level 7” sarcasm.
    More please – more.

    8^)

  11. Brian says :

Very helpful article, I appreciate it! I do have a question about upgrading the schema. Would this be necessary in the case of changing the Teredo State to “Enterprise Client” in “Computer Configuration, Policies, Administrative Templates, Network, TCPIP Settings, IPv6 Transition Technologies”? Just curious if BitLocker was the only setting requiring the upgrade of the schema or if others like IPv6 settings also fell under that category.

    Sincerely,
    Brian

  12. ScottishTech says :

    We’re getting ready for the big Win7 push this Summer (cutting edge, us!).

    One issue I’ve found so far in my fairly limited testing is that my laptop requires me to restart the local print spooler before it’ll talk to any shared printers on our Win2008R2 print server.

    I’ve tried assorted hotfixes and the Print rollup update, to no avail.

    Has anyone encountered this?

I’m loath to start messing about with the print server, as all of the XP clients are absolutely fine :)

    Has anyone stumbled on this one?