[Samba] Windows 10 administrative templates /central store with Samba

Viktor Trojanovic viktor at troja.ch
Mon Jan 25 18:01:46 UTC 2016

On 25.01.2016 17:04, Ole Traupe wrote:
> On 25.01.2016 14:13, Viktor Trojanovic wrote:
>> Hi Ole,
>> Unless you want to add functionality that is new since 1511, I don't 
>> think that's necessary.
> I have already added a Win10 machine to a domain, where only Win7 
> clients were joined before that. I have managed this domain from Win7 
> only, so far. Therefore I believe that e.g. the Windows Update policy 
> is not fit for Win10. Before today there was no central policy store.
> Ole

No, this shouldn't be an issue. Whatever already worked while you 
managed the policy using a Win7 machine will continue to work. That's 
completely independent of the central store. Only if this specific 
policy has some additional tweaks that only work on Windows 10, you 
might profit from editing the policy again now to include those tweaks.

I think you're still not fully understanding the purpose of the central 
store. Every windows client contains a full set of administrative 
templates, for its own version. So, on Windows 7 you have a set for 
Windows 7, on Windows 10 you have a set for Windows 10, and so on. The 
set for Windows 10 will always include everything that Windows 7 had to 
offer, plus some additional functionality. So, that's why you need to 
*either* run the RSAT from a Windows 10 machine if you wish to manage 
Windows 10 (and other) clients in the domain, *or* you put the templates 
in the central store and then you can manage Windows versions that are 
higher than where you have installed RSAT.

Hope it's clearer now :)


>> The main benefit you have with the central store is that you now *can 
>> edit* GPOs with Win10-only-rules also on non-Win10-computers. It does 
>> not, however, affect how the client implements the GPO.
>> Viktor
>> On 25.01.2016 12:36, Ole Traupe wrote:
>>> Viktor, thanks again!
>>> Now that I did this (added the Win10 1511 ADMX files to the central 
>>> store), I probably will have to recreate the policies that will be 
>>> applied to Win10 machines, right?
>>> Ole
>>> On 21.01.2016 17:16, Viktor Trojanovic wrote:
>>>> Hi Ole,
>>>> I've been using Samba with Win10 clients for a while now, so I'm 
>>>> happy to share some of my findings.
>>>> See comments inline.
>>>> On 21.01.2016 15:39, Ole Traupe wrote:
>>>>> Hi list,
>>>>> This might or might not be a Samba related post. Feel free to 
>>>>> ignore it in case it is too far off-topic
>>>>> My current understanding is that ...
>>>>> a) I need those new templates in order to fully integrate Win10 
>>>>> clients in an AD domain (i.e. with compatible policies).
>>>> As long as you have your RSAT installed on a Win10 machine, you 
>>>> actually don't need to install the templates to the sysvol store. 
>>>> The purpose of the template store is that multiple admins working 
>>>> from various machines with different versions of windows can always 
>>>> access all capabilities.
>>>>> b) I can only modify policies based on Win10 admx files from Win10 
>>>>> machines (i.e. with the RSAT tools for Win10).
>>>> See above. The purpose of installing the ADMX to the central store 
>>>> is that you can modify policies for Win10 also from a Win7 machine.
>>>>> Are there any Samba-related implications or issues on doing that, 
>>>>> particularly if I follow the MS advice to store those admx files 
>>>>> in a central store in the SYSVOL (\PolicyDefinitions) folder?
>>>> I did that, and have no issues.
>>>>> Also, are there any implications for existing domains with e.g. 
>>>>> Win7 clients? Is it advised to keep Win7 and Win10 in separate 
>>>>> containers?
>>>> No, there should be no issues. The only thing you have to remember 
>>>> is that settings which are specific to Win10 will obviously not 
>>>> have any effect on Win7 machines.
>>>>> I remember that somebody here reported issues with his/her 
>>>>> existing Samba domain after having used the RSAT tools for Win10. 
>>>>> But I am not able to find this post again. Does somebody remember 
>>>>> or is able to tell how to avoid such (or other) trouble?
>>>> No issues. I did report a few but eventually found out they were 
>>>> not related to the RSAT, or to Samba.
>>>>> Also, Viktor Trojanovic and Robert Watson reported the same error 
>>>>> message on administering a domain from Win10 with RSAT in the 
>>>>> midst of November. Have you been able to understand/solve it?
>>>>> "Group Policy Management: A processing error occured collecting 
>>>>> data using this base domain controller. Please change the base 
>>>>> domain controller and try again."
>>>> You'll get that error message when you click on the domain in the 
>>>> forest shown in RSAT. You can simply ignore it, it's not an actual 
>>>> issue.
>>>>> Ole
>>>> Viktor
>> -- 
>> *Viktor Trojanovic*
>> 076 391 80 80

*Viktor Trojanovic*
076 391 80 80

More information about the samba mailing list