It's been quite a while since I've blogged here, but things have settled down enough for me that I'm going to get back to this blog regularly now. I can always count on our readers to give me a kick in the backend just exactly when I need it, and this return to blogging is a great example. I got the following email from Jeff Vandervoort, which motivated me to post his concern and see if we can get a response from Microsoft.
Jeff's message:
I just received the June 2008 Windows IT Pro. You discussed RSAT and its awesome new feature, Group Policy Preferences (GPP). I'm sure you know this technology was originally DesktopStandard PolicyMaker, acquired by Microsoft in late 2006.
I was delighted when Microsoft elected to make PolicyMaker (PM) part of the OS. But unfortunately, Microsoft left PM sites out in the cold.
Here are the major ways Microsoft bungled this transition:
1. The PM console was broken by IE7, shortly after Microsoft purchased PM. Microsoft never released a fix. They finally documented a registry hack to disable the IE7 functionality: http://support.microsoft.com/kb/938611. This was really aggravating at the time, but turned out to be a minor nuisance compared to what was to follow.
2. GPP and PM are nearly identical in UI and functionality. But GPP uninstalls PM extensions. OK, fine...GPP is PolicyMaker's replacement, and Microsoft is entitled to use their own branding. But once that happens, PolicyMaker settings are not applied to clients. One can re-install the PM extensions--but they don't work because GPP disables PM if it finds it.
Rumor has it that Microsoft will release a PM-to-GPP migration tool. Someday. I've been advised by Microsoft Partner support that the rumors are true. But no one knows when.
Three months after release of Windows Server 2008 the migration tool has not materialized. I check the MS download site every week. So what do PM admins do? Every time we add a PM setting as our systems evolve we know we're digging ourselves in deeper. Do we wait for MS to release the migration tool, or do we cut our losses and make the huge investment in manual migration to GPP? How do we plan?
The migration tool should have been included in the box with WS2008 or made available for download no later than the release of WS2008. It's too late for that, of course. So now they need to give us a date when it will be available so we can plan. This is painful to PM customers, but it can also be painful for Microsoft: I have one client that is holding off on migrating to WS2008 until there is more clarity on this issue, because WS2008 includes GPP, which forces us to migrate at least server-related settings manually.
3. This last oversight greatly enlarges the scope of the problem from just former PM sites to all sites using Win XP SP3 where GPP was not already installed. WSUS has been dangling GPP in front of our noses for several weeks. PM sites can't install it until they're ready to migrate, as explained previously. So the updates continue to dangle, unapproved.
But guess what? There's one less GPP update in WSUS these days! When Windows XP SP3 is installed, XmlLite, a prerequisite for GPP, is uninstalled! So, even those who are ready for GPP--even sites that PM never touched--can't deploy GPP by WSUS to Windows XP clients any more.
I found a Startup Script that will install XmlLite and the CSEs for all GPP-supported OSes, including XP SP3, but MS shouldn't penalize Win XP SP3 users this way. GPP needs to be repackaged with XmlLite for XP SP3 and made available by WSUS.
Microsoft owes PM users a migration plan.
-- Jeff Vandervoort
Duh... Jeff, why not include a URL for the script? I can't imagine viewers wouldn't appreciate your research.
The acquisition of PM by MS was a disappointment to me, as we had just completed a reseller agreement with Desktop Standard when the merger took place. Fortunately, Beyond Trust did not sell PrivilegeManager. This utility installs into the policy to allow admins to elevate privileges on objects. When working with legacy apps which require write access to resources beyond users' policy limits, this has been a real lifesaver. It's possible to remove admin rights in accounts which run these older applications. Previously, we'd have to open the accounts, and use all kinds of hacks and tricks to try and limit the damage possible by admin rights installs.
Well, sopan123, who could resist a polite, gracious, friendly request for a favor like yours?
Couldn't find the script when I composed my message so I didn't post a link, but I finally dug it out and Googled its name. You should find it at--
http://www.heidelbergit.dk/Code/InstallGPPCSE.vbs
If it's still mentioned on the English version of the blog anywhere, I couldn't find a reference to it.
You're welcome.
I have written a small utility to convert my PolicyMaker settings to GPP. It seems quite simple to do, so I don't know why Microsoft still don't have a migration tool available. I have only tested it on a VMware-hosted copy of one of my DCs and it seems to work OK, but maybe I have missed something fundamental.
I'm intrigued. I've read anecdotally on some message board or other that the differences between GPP & PM XMLs are trivial. Not prepared to accept the potential liability of DIY import scripts, however! At least not with a client's system. If it's available somewhere for d/l, might consider it for my company's system.
You can download it here http://tinyurl.com/67k4sj
This is for testing only. USE AT YOUR OWN RISK
Posted over 3 months ago. No response from MS, no migration tool, no repackaged GPP for XP SP3 on WSUS. I'm very disappointed in the way Microsoft has dealt with PolicyMaker users.
Thanks for checking in again, JRV. I'll ping MS and see if I can get some kind of response.
http://www.filefactory.com/file/a52bf9/n/PM2GPPConverter_zip
I've uploaded my program again, this should be hosted for 90 days.