It is possible to run Group Policy Preferences on a Windows Server 2003 Domain. This post will step you through the process so you can get it deployed in your organization if you have not yet upgraded your domain to Windows Server 2008. I am a huge fan of Windows Server 2008 so if you have the capability to upgrading one of your domain controllers to 2008, that would be my preference. However, there are cases where upgrading the domain is a drawn out technical or political process so I wanted to share “instructions” on how to make this great technology work with a 2003 Domain.
- Windows Server 2003 Domain (may work in a 2000 domain but I have not tested)
- Windows Server 2003 Server has all updates applied including SP2
- Windows Vista workstation (with all patches including SP1 installed) is attached to the domain
- Windows 2008 attached to the domain would be acceptable in place of the Vista machine
- Client Side Extensions would need to be installed on all machines that would need to have group policy extensions applied (free download from Microsoft) best to deploy via WSUS or other distribution method
- All group policy changes would need to be made from a Windows Vista or Windows Server 2008 machine after preferences are added
Turning On Group Policy Preferences on Windows Vista SP1
The first thing you need to do is download and install Remote Server Administration Tools (KB941314) onto a Windows Vista SP1 machine with all patches installed. This will install the GPMC components. Notice when you do the install, it puts the bits on the workstation but it does not install them. You have to go to … Start\Control Panel\Programs and Features\Turn Windows Features On and Off. Scroll down the list and expand “Remote Server Administration Tools“; Expand “Feature Administration Tools“; Turn on “Group Policy Management Tools“. It is the installation of Remote Server Administration Tools (KB941314) that installs these components so if it is not in your list something was not successful with your prior installation.
Finally, you need to install the Group Policy Preferences in Windows Server 2008 Client Side Extensions. I highly recommend you deploy this using WSUS or other software deployment mechanism to make sure they are deployed for all clients that need to “apply” preferences. Especially if these preferences will be used to lock down security. The way to use preferences to “lock down” a machine is to simply use it to change the settings to what you want them to be and then use Group Policy to prevent users from being able to change them. (ie. change a registry key in preferences and then do not allow users access to the registry with policy).
Now that you have successfully installed the tools, you can open it up with the Group Policy Management Tools MMC snap-in which is located at Start\Control Panel\Administrative Tools\Group Policy Management Tools. Expand your forest, expand domains, expand your domain name, expand group Policy Objects then Right-Click on one of the policies and select Edit. This will bring up the Group Policy Management Editor. You will now see preferences and be able to make changes to them.
Your Feedback is appreciated
I have created a recording of these steps so you can see these steps in action. Please let me know what you think of this post. If there are other topics you would like to see, please let me know.
Want The Click By Click Demo/Training on Installing Group Policy Preferences – Get it here!
Download it here! http://mschnlnine.vo.llnwd.net/d1/inetpub/danstolts/Installing_Group_Policy_Preferences_on_Windows_Server_2003_Domain_By_Dan_Stolts.wmv If you have a problem opening, try right clicking it and saving to your computer and then running it. This is a short 9 minute video walk-through of the steps to install group policy preferences on a windows server 2003 domain using a windows vista workstation. I will put the video in a frame so you can stream it in the next couple of days so check back if you want to play it online instead of downloading it.
Want More Help With Group Policy Preferences?
If you want to a walk-through on setting a preference check out Disable Adding USB Drive and Memory Sticks via Group Policy and Group Policy Preferences
roeman29 Apr 2009 4:42 PM
I’ve actually been using this same setup in my environment to allow me to access the newer GP Preferences… I’m curious, though, if you believed prepping our 2003 DC’s for the 2008 schema is a more solid-approach than just trusting the ClientSideExtensions on our 2003 server. I’m looking at sites like: http://ts2blogs.com/blogs/rwagg/archive/2008/06/25/extend-your-server-2003-active-directory-schema-for-windows-vista-and-server-2008.aspx and http://technet.microsoft.com/en-us/library/cc771461.aspx
Frank Rizzo22 Dec 2009 1:11 PM
I currently have a domain similar to your example but the Group Policy enhancements simply dont work. Group policy complaint with server 2003 does work. Any ideas? I have a server 2003 domain and a server 2008 R2 box.
Lemuel Agana11 May 2011 1:15 PM
You said in your statement that you will show hot it works on 2033 Domain, but from your examples you used Vista and 2008 Server.???
We have 2003 Server and XP clients SP3?
— Dan Stolts
You have to have one Windows 7 or 2008/2008 R2 machine that you use to set the policy. You can do it on a 2003 domain but you have to have a new OS to configure the Group Policy Preferences
Allan13 Aug 2011 2:48 PM
Can windows 7 join my windows 2003 server domain?