Boswell's Q&A
The Case of the Disappearing User Settings
Administering mixed Windows platforms? Then be sure to manage Group Policy Objects from one machine or you'll run into this baffling feature of Windows 2003.
- By Bill Boswell
- 09/09/2003
Bill: Am I going crazy or do Group Policy Objects sometimes disappear in Windows Server 2003? I created a GPO on a Windows 2003 machine with lots of settings for my Windows XP desktops. I went back a couple of days later and not only are all those settings gone, so are all of the Windows XP settings in general. What gives?
—Adam
Adam, what you're seeing is a feature in Windows that controls the storage and update of template files used for building Group Policy Objects. I've worked with Jeremy Moskowitz, a colleague and authority on this subject, to chart out this behavior. It's definitely not intuitive. Let's start with some background information:
When you create a GPO, you run an MMC console snap-in called the Group Policy Editor. (This is true even if you use the Windows 2003 Group Policy Management Console to organize your policies.) When you launch the GPE, it reaches into the %windir%\INF folder on the machine where you launch it to find files that hold the administrative template policy settings. These files have an ADM extension, so you'll hear them called the ADM template files.
This is an important point, so let me repeat it: The ADM files used by the Group Policy Editor when creating a GPO come from the %windir%\INF folder on the machine running the editor, not from the PDC Emulator or the desktop's logon server.
When you create a GPO, the GPE creates a policy folder in Sysvol to hold files that support the GPO. This policy folder gets a unique name that looks like a long number. That number is called a Globally Unique Identifier (GUID). The GPE uses that GUID to create attributes in Active Directory that point at the GPO. In addition to the GPO support files, the Group Policy Editor stores a copy of the ADM files it used when it created the GPO.
When you edit a GPO following its creation and drill down to the Administrative Template settings, the Group Policy Editor uses the cached ADM files in Sysvol to display available policy settings.
Here's a quick summary: Every GPO gets a unique policy folder in Sysvol. The Group Policy Editor stashes a copy of the ADM files it used to create the GPO in this policy folder. The ADM files come from the machine running the Group Policy Editor.
Things get interesting at this point. Let's say you install the Windows 2003 admin tools on a Windows XP SP1 desktop and you use this machine to create your GPOs.
So, you now have a set of files in Sysvol that support the GPO you just created from a Windows XP SP1 desktop. The File Replication Service replicates these files to every domain controller in the domain. Your Windows XP desktops download the GPO files from the Windows 2000 and Windows 2003 domain controllers they use as logon servers. At this point, life is sweet and you can go home at night and actually enjoy your free time.
Now you decide to spend a long Sunday afternoon installing Service Pack 4 on your Windows 2000 domain controllers. At the end of the afternoon, you use one of these domain controllers to peek at the GPO you created a few days ago from your Windows XP SP1 workstation.
Because the timestamps on the ADM files on the Windows 2000 SP4 server are later than the timestamps on the Windows XP SP1 ADM files cached in Sysvol, the Windows 2000 SP4 ADM files overwrite the current ADM files and all your Windows XP policy settings disappear.
Believe it or not, what happened is not a bug. It's a feature. It's by design. And it gets worse. The Windows XP SP2 beta is coming to a close soon, and Windows 2003 SP1 is not far away from release, either. Depending on when the Microsoft team approves the gold code, you may end up overwriting the GPO files several more times as you upgrade your Windows 2003 and Windows XP machines with the new service packs.
There's a group policy in Windows 2003 that tells a machine not to overwrite the current ADM file, but that policy only affects Windows 2003 servers, as of this writing.
So, if you have a mixed environment of Windows platforms, here's my advice: You and anyone else on your team need to agree to use one set of machines to manage Group Policy Objects. On each of those machines, make an innocuous change to the ADM files so as to update the timestamp to the current date (or use a utility that does this for you). When you distribute new service packs, make sure that updating the ADM template file timestamps gets included in your change control process.
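As an added illustration (not part of the column, and not a Microsoft tool), the PowerShell below runs the check an administrator would want before opening a GPO from a given machine: it compares the timestamps of this machine's %windir%\INF ADM files against the copies cached with the GPO in Sysvol and reports which side the editor would keep, and with -Touch it applies the column's advice by bumping the local timestamps to now. It assumes the standard Sysvol layout `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Adm` for the cached copies; `$Domain` and `$GpoGuid` are placeholders you supply.

```powershell
# Added example: pre-flight ADM timestamp check for the "disappearing settings"
# behaviour described above. Run on the machine you intend to edit the GPO from.
param(
    [Parameter(Mandatory)] [string] $Domain,   # placeholder, e.g. corp.example
    [Parameter(Mandatory)] [string] $GpoGuid,  # placeholder, e.g. {00000000-0000-0000-0000-000000000000}
    [switch] $Touch                            # bump local ADM timestamps to now (needs admin rights)
)

# ADM templates the Group Policy Editor reads on THIS machine.
$localAdm = Join-Path $env:windir 'INF'
# ADM copies the editor cached in the GPO's policy folder (assumed Sysvol layout).
$gpoAdm   = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\Adm"

if (-not (Test-Path $gpoAdm)) {
    Write-Warning "No cached ADM folder found for $GpoGuid at $gpoAdm"
    return
}

foreach ($cached in Get-ChildItem -Path $gpoAdm -Filter *.adm) {
    $localPath = Join-Path $localAdm $cached.Name
    if (-not (Test-Path $localPath)) {
        "{0,-18} only in Sysvol; this machine has no copy to compare" -f $cached.Name
        continue
    }
    $local = Get-Item $localPath

    if ($Touch) {
        # The column's advice: make the designated admin machine's templates the
        # newest so a service-packed server's copies can no longer win silently.
        $local.LastWriteTime = Get-Date
    }

    # The editor keeps whichever copy carries the later LastWriteTime.
    $verdict = if ($local.LastWriteTime -gt $cached.LastWriteTime) {
        'LOCAL IS NEWER: editing here will overwrite the Sysvol copy'
    } elseif ($local.LastWriteTime -lt $cached.LastWriteTime) {
        'Sysvol copy is newer: it stays, this machine''s copy is not used'
    } else {
        'same timestamp'
    }
    "{0,-18} local {1:u}  sysvol {2:u}  {3}" -f $cached.Name, $local.LastWriteTime, $cached.LastWriteTime, $verdict
}
```

Run it without -Touch first; a "LOCAL IS NEWER" line on any machine other than your agreed GPO-management machine is the warning sign that the settings described above are about to vanish.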
And as you do this, remind yourself: This is fun. This is fun. This is fun.
Hope this helps.
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.