
Windows Server 2008 Group Policy Management

Group Policy Management in Windows Server 2008 R2

Windows Group Policy management has three parts: a setting that defines the configuration, a scope that defines which users or computers the policy applies to, and finally the application that enforces those settings within the scope. Group Policy is part of Active Directory and lets you centrally manage clients and servers alike.

AD Group Policy Management and Group Policy Objects (GPOs)

A Group Policy Object contains one or more policy settings, which it applies as configuration to a user or computer. GPOs are created and managed in Active Directory through the Group Policy Management Console (GPMC). You link a GPO to a site, domain or OU, and that link defines its scope.

Two types of filters narrow the scope: security filters, which apply the GPO only to specific global security groups, and Windows Management Instrumentation (WMI) filters, which are tied to characteristics of the operating system (OS).

Windows Server 2008 comes with a third filter called Preferences.

Install Group Policy Management – Group Policy Configuration

Group Policy is applied to users and/or computers, and each setting has three states: Not Configured, Enabled or Disabled. The default for every setting in a new GPO is Not Configured, which means the policy has no effect on the existing configuration. Only by enabling or disabling a setting do you change the existing configuration of a computer or user.

Some policies only affect certain editions of Windows, so be sure to read the policy setting's explanatory text in the Group Policy Management Editor detail pane.

Group Policy Client-Side Extensions (CSEs)

Several dozen CSEs are now present in Windows, such as the security CSEs, CSEs that install software and others that process startup and logon scripts. They are all client driven: the client pulls the GPO from the domain, as opposed to a server-driven push technology triggering the CSE to apply the GPO settings on the client.

Standard CSE behavior is to apply the settings in a GPO only if that GPO has changed, which avoids redundant policy processing. Some settings could however be changed on the client computer, especially if the user has local administrator rights. If this is a concern, consider configuring CSEs to reapply policy settings at the next Group Policy refresh even when the policy settings have not changed.

The one exception to this rule is the security CSEs, which by default reapply every 16 hours even if the GPO has not changed. Otherwise Group Policy refresh happens every 90 to 120 minutes and can be forced by running the command Gpupdate /force.

Resultant Set of Policy (RSOP)

Computers and users are likely to fall within the scope of multiple GPOs linked to the site, domain or OU they belong to. RSOP lets you view the effective policy that results from combining these GPOs, much like effective permissions when dealing with folder rights.
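The following is an added example, not code from the original post. It uses the GroupPolicy PowerShell module that ships with GPMC/RSAT to show the two things the refresh and RSOP paragraphs describe: which GPOs reach a given OU and in what precedence order, and the resultant policy for one user on one computer. The OU path, computer name and user name are placeholders; replace them with values from your own domain.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module
# (GPMC/RSAT) on a domain-joined host. All names below are placeholders.
Import-Module GroupPolicy

# 1. Which GPOs apply at a given OU, and in what order?
#    Lower Order = higher precedence. InheritedGpoLinks already includes the
#    site and domain links that flow down to the OU, so it is the list a
#    client in this OU would actually process.
$ou = "OU=Workstations,DC=example,DC=com"   # placeholder OU
$inheritance = Get-GPInheritance -Target $ou
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 2. The effective (resultant) policy for one user logging on to one
#    computer, written as an HTML report you can open in a browser.
Get-GPResultantSetOfPolicy -ReportType Html `
    -Computer "WS01" `                       # placeholder computer
    -User "EXAMPLE\alice" `                  # placeholder DOMAIN\user
    -Path "$env:TEMP\rsop-WS01-alice.html"

# 3. Do not wait for the 90-120 minute refresh: force one now. The /force
#    switch reapplies every setting, even from GPOs that have not changed,
#    which is the same behaviour the security CSEs show every 16 hours.
gpupdate /force
```

Run step 1 first when a setting does not seem to apply: a link that is disabled, or a higher-precedence GPO that sets the same value, shows up immediately in the ordered list, and the RSOP report from step 2 confirms which GPO won for each setting.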

Local GPOs

Starting with Windows 2000, every client contains at least one local GPO in which all policies, except the Security Settings, are set to Not Configured. Once the computer joins a domain, the local GPOs are overridden by the domain or site GPOs in AD.

AD-Based GPOs

When AD DS is installed, these two GPOs are created by default:

  • Default Domain Policy
    Has no security-group or WMI filters and affects all users and computers in the domain, including servers.
    Takes care of the password, account lockout and Kerberos policies.
  • Default Domain Controllers Policy
    Applied to the Domain Controllers OU only and should be used for auditing policies.

Group Policy Management Tools – GPO Components

A GPO consists of two components: the Group Policy Container (GPC), stored in Active Directory, and the linked Group Policy Template (GPT), which holds the settings for that particular GPO. The GPC carries the GPO's properties and version number, whereas the GPT contains the specific settings you apply.
Incremental version numbers keep track of the changes you make to any GPO and let the CSEs discover during a policy refresh that a policy has changed and needs to be reapplied.

The GPC is replicated between domain controllers by the Directory Replication Agent (DRA), which in turn relies on the Knowledge Consistency Checker (KCC). Replication can be configured manually but usually happens within seconds, between domain controllers and between sites, depending on your configuration.

The GPT, on the other hand, is located in the SYSVOL folder, which is replicated by the File Replication Service (FRS) or, if all your domain controllers run Windows Server 2008 or later, by Distributed File System Replication (DFS-R).

The above also implies that the two can be out of sync, albeit briefly. Clients recognize this and will not process a new GPO until the GPT and GPC versions match. To avoid conflicts and identify problems or version mismatches you can use GPOTool, available from the Microsoft Download Center.
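An added example, not code from the original post, that checks the GPC/GPT consistency described in the last three paragraphs from PowerShell instead of GPOTool. It relies on the GroupPolicy module's `Get-GPO` output, which exposes the AD (GPC) version as `DSVersion` and the SYSVOL (GPT) version as `SysvolVersion` for both the computer and user halves, and on the documented layout of the combined version number (low 16 bits computer, high 16 bits user). The domain name is taken from `$env:USERDNSDOMAIN`, which assumes a domain-joined session.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module
# on a domain-joined host; the GPT.INI lookup assumes the standard SYSVOL
# share layout \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\GPT.INI.
Import-Module GroupPolicy

# The single version number stored in the GPC and in GPT.INI packs two
# counters: computer settings in the low 16 bits, user settings in the high
# 16 bits. Clients compare each half with the version they last applied.
function Split-GpoVersion {
    param([uint32]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

# Read the version recorded in the GPT side (SYSVOL) directly, which is
# what the client sees after FRS/DFS-R has replicated the folder.
function Get-GptIniVersion {
    param([guid]$GpoId)
    $domain = $env:USERDNSDOMAIN
    $ini = "\\$domain\SYSVOL\$domain\Policies\{$GpoId}\GPT.INI"
    $line = Get-Content -Path $ini | Where-Object { $_ -match '^Version=(\d+)' }
    if ($line -and $line -match '^Version=(\d+)') { return [uint32]$Matches[1] }
    return $null
}

# Flag every GPO whose AD (GPC) and SYSVOL (GPT) versions disagree. A client
# will not process such a GPO until replication has caught up.
function Test-GpoVersionSync {
    foreach ($gpo in Get-GPO -All) {
        $computerOk = $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion
        $userOk     = $gpo.User.DSVersion     -eq $gpo.User.SysvolVersion
        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Id             = $gpo.Id
            ComputerAD     = $gpo.Computer.DSVersion
            ComputerSysvol = $gpo.Computer.SysvolVersion
            UserAD         = $gpo.User.DSVersion
            UserSysvol     = $gpo.User.SysvolVersion
            InSync         = $computerOk -and $userOk
        }
    }
}

# Report only the GPOs that are currently out of sync.
Test-GpoVersionSync | Where-Object { -not $_.InSync } | Format-Table -AutoSize

# Decoder check on a constructed value: user version 3, computer version 5.
Split-GpoVersion -Version ((3 -shl 16) -bor 5)      # Computer=5, User=3
```

A mismatch that persists beyond a replication cycle usually points at SYSVOL replication (FRS or DFS-R) rather than at AD replication, because the GPC is small and replicates quickly; `Get-GptIniVersion` lets you read the GPT.INI on a specific DC's SYSVOL share and compare it with `Split-GpoVersion` against the value the GPC reports.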

Group Policy Manager – Group Policy Settings Console

  • Software Settings
    Provides a way to install and manage software. Allows independent software vendors to add templates for configuring their products.
  • Windows Settings
    Includes scripts (startup/shutdown for computers, logon/logoff for users), security settings and policy-based QoS nodes.
  • Administrative Templates
    Contains registry-based Group Policy settings.
  • Preferences
    Only available since Windows Vista and requires downloading the correct version of the Remote Server Administration Tools (RSAT).
    Contains more than 20 extra CSEs to configure a wide range of additional settings.

Group Policy Management Tool – Group Policy Central Store

Administrative templates used to have an .adm extension in versions prior to Windows Vista and were stored as part of each GPT in the SYSVOL folder. If the same template was used in multiple GPOs, multiple copies of it were stored, causing SYSVOL bloat.

Starting with Windows Vista and Server 2008, administrative templates are defined by two XML files: an .admx file that identifies the registry changes and an .adml file that provides the language-specific strings. Any change is made once in the .admx file and is automatically reflected in every GPO that uses it.
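An added example, not code from the original post, that builds the central store this section is about. The store is the well-known `PolicyDefinitions` folder under `\\<domain>\SYSVOL\<domain>\Policies`; once it exists, the Group Policy Management Editor reads .admx/.adml files from there instead of from the local `%SystemRoot%\PolicyDefinitions`, so a single copy serves every GPO and replicates with SYSVOL. The function also checks that every .admx has a matching .adml for the chosen language, because a missing .adml is the usual cause of template errors in the editor. The domain is taken from `$env:USERDNSDOMAIN`, which assumes a domain-joined admin session; `en-US` is an assumed default language.

```powershell
# Added example (not from the original post). Assumes a domain-joined admin
# session with write access to SYSVOL and a local PolicyDefinitions folder
# to seed the store from.
$domain = $env:USERDNSDOMAIN
$local  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

function New-AdmxCentralStore {
    param(
        [string]$Source,
        [string]$Destination,
        [string]$Language = 'en-US'     # assumed default display language
    )

    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }

    # .admx files live at the top level of the store, .adml files in a
    # per-language subfolder named after the culture (e.g. en-US).
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Destination -Force

    $langSrc = Join-Path $Source $Language
    $langDst = Join-Path $Destination $Language
    if (-not (Test-Path $langDst)) {
        New-Item -ItemType Directory -Path $langDst | Out-Null
    }
    Copy-Item -Path (Join-Path $langSrc '*.adml') -Destination $langDst -Force

    # Verification: each .admx needs an .adml of the same base name, or the
    # editor reports a resource error for that template.
    $admx = Get-ChildItem -Path $Destination -Filter *.admx | ForEach-Object { $_.BaseName }
    $adml = Get-ChildItem -Path $langDst     -Filter *.adml | ForEach-Object { $_.BaseName }
    $missing = @($admx | Where-Object { $adml -notcontains $_ })

    [pscustomobject]@{
        Store       = $Destination
        AdmxCount   = @($admx).Count
        AdmlCount   = @($adml).Count
        MissingAdml = $missing
    }
}

New-AdmxCentralStore -Source $local -Destination $store
```

Because the store sits in SYSVOL, it replicates to every domain controller by FRS or DFS-R exactly like the GPTs, so run this once from a single management host and let replication distribute it; seed it from the newest OS in the domain so that older templates are not copied over newer ones.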
