Tuesday 16 October 2007

SBS - Windows Vista System Setup and Group Policy Software Installation

When Windows Defender was released in its current form we set up all of our clients to distribute the software via Group Policy (GP).

Then, along comes Windows Vista with Windows Defender built in. If one installs the Vista machine into the same OU that has the Windows Defender Group Policy Object (GPO) software installation setting applied, we end up with the following series of errors:

Event ID 103: The removal of the assignment of application Windows Defender from policy SBSComputers Software Installation Policy failed. The error was:%%2

We know that Windows Defender cannot be removed from Vista by the GP setting, as it was never installed by that GP setting in the first place, as the previous Event ID 101 error indicated.

So, to alleviate any Windows XP Software Install GPO conflicts with Windows Vista, we create a new OU:

SBSVistaComputers OU with attached Security Policy

What this means for us is a little more organization between the two Windows desktop operating systems.

Keeping a naming convention is important, as this will clue anyone in as to why the OU is there in the first place.

When adding a new computer to the SBS domain via the Set Up Computer Wizard, we are greeted with the following OU options for the new computer:

Set Up Computer Wizard: SBSVistaComputers OU Available

If one tries to nest the two OUs under the SBSComputers OU, the SBSXPComputers and SBSVistaComputers OUs will not show up in the Set Up Computer Wizard:

  1. SBSComputers
    1. SBSXPComputers
    2. SBSVistaComputers

That is why the OUs are sitting at the same level as the SBSComputers OU.

Also, when adding a new OU, one needs to remember to link any common GPOs as required.
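Because the new OU sits beside SBSComputers rather than under it, it inherits none of the GPO links on SBSComputers, so each common GPO has to be linked again. The script below is an added example, not part of the original post: it reports (and with `-Apply` creates) the links that SBSComputers has and SBSVistaComputers lacks, skipping the Defender software installation policy named in the Event ID 103 message. It assumes the GroupPolicy PowerShell module (RSAT) is available; `$ParentDn` is a placeholder for the container that holds both OUs.

```powershell
# Added example. $ParentDn is a placeholder: set it to the container holding both OUs.
param(
    [string]$ParentDn  = 'OU=<parent>,DC=<domain>,DC=local',   # placeholder, edit first
    [string]$SourceOu  = 'SBSComputers',
    [string]$TargetOu  = 'SBSVistaComputers',
    # GPOs that must not follow to the Vista OU (name taken from the Event ID 103 text)
    [string[]]$Exclude = @('SBSComputers Software Installation Policy'),
    [switch]$Apply     # without -Apply the script only reports
)

Import-Module GroupPolicy

# Pure comparison: enabled links on the source OU that are absent on the
# target OU and not on the exclusion list.
function Get-MissingGpoLink {
    param($SourceLinks, $TargetLinks, [string[]]$Exclude)
    $have = @($TargetLinks | ForEach-Object { $_.GpoId })
    $SourceLinks | Where-Object {
        $_.Enabled -and
        ($have -notcontains $_.GpoId) -and
        ($Exclude -notcontains $_.DisplayName)
    }
}

$sourceDn = "OU=$SourceOu,$ParentDn"
$targetDn = "OU=$TargetOu,$ParentDn"

# GpoLinks lists only the GPOs linked directly to the OU, not inherited ones.
$src = (Get-GPInheritance -Target $sourceDn).GpoLinks
$dst = (Get-GPInheritance -Target $targetDn).GpoLinks

foreach ($link in @(Get-MissingGpoLink $src $dst $Exclude)) {
    if ($Apply) {
        # Carry the Enforced flag over so the link behaves as it does on the source OU.
        $enforced = if ($link.Enforced) { 'Yes' } else { 'No' }
        New-GPLink -Guid $link.GpoId -Target $targetDn `
                   -LinkEnabled Yes -Enforced $enforced | Out-Null
    }
    # One row per GPO that was (or would be) linked.
    New-Object PSObject -Property @{
        Gpo     = $link.DisplayName
        Target  = $targetDn
        Applied = [bool]$Apply
    }
}
```

Run it once without `-Apply` and review the list before creating any links; link order on the target OU is not copied and may need adjusting afterwards.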

When it comes to Windows Vista, keep in mind that we need to manage any Group Policy settings particular to Windows Vista on a Vista machine signed in as the domain admin.

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.


Anonymous said...

Thanks for the heads up.
That should save me some frustration.

If it wasn't for quirks, I guess we wouldn't have a job.

Beta tester of "0"s and "1"s

stryqx said...

A proliferation of OUs can be a headache, especially when you're trying to target settings based on user/computer combination.

The Vista issue would be better solved by either using a WMI filter, or by putting the XP computers into a security group and applying the security group to the GPO containing the Defender package.

It's about set management. A user or computer can only exist in one OU at a time, where they can exist in multiple security groups at a time.

Moving a user or computer across OUs can also be painful and creation of OUs needs to be performed carefully, otherwise you end up with a proliferation of GPO links, which becomes harder to manage.

Philip Elder Cluster MVP said...



Utilizing the group method provides us with the ability to divvy up permissions without the proliferation of OUs.

In the end, we are fortunate that most small businesses only require a few customizations. In some cases, we may be required to have the four OUs shown in the image, but it rarely goes beyond that as the group/WMI method can provide any further customizations and GP settings.

The OU method makes it a fairly simple task to add new machines via the wizard and only requires a few further configuration steps for applicable GP settings on the SBS domain.

Ultimately it comes down to figuring out which method will work best and good documentation. Visio really helps to document what settings are where and what method is used to apply them to each system.