Server 2008 Group Policy Features

Over the next few weeks I plan to have a series of posts each focusing on a feature of Windows Server 2008. Microsoft’s newest server OS has been out for about 6 months, and is beginning to see rapid deployment as organizations replace older hardware. Server 2008 has a number of enhancements that make it one of the most functional & secure server-class operating systems to date. These posts will hopefully help those who are not yet familiar with the newest features, and at the same time will help me as I transition my MCSE to the new MCTS certification.

This post will cover Group Policy changes in the Server 2008 Active Directory implementation. Group Policy has been around since the Windows 2000 days as a solution for centrally managing OS and application configuration.

There are a number of major changes to GP, the most important of which may be the fact that there are a bunch of new settings for Server 2008 & Vista that improve on security, removable device access, and management of Internet Explorer, power settings, wireless networking, and printers, just to name a few. Microsoft maintains a list of settings here. Another big change is a new Group Policy Management Console (GPMC). The new GPMC has some under the hood updates as well as improvements to search functionality, but one of the most useful changes, in conjunction with GPO changes, is the ability to add comments to both GPOs and individual administrative template settings in a GPO. This is a huge addition and goes a long way towards integrating a change management documentation aspect into Group Policy.

On the subject of administrative templates, their format has changed from the old .ADM simple text based file to an XML based format, using the .ADMX extension. Language dependence has been removed so that the ADMX templates can be used between environments supporting different languages. Also, ADMX files can now be centrally stored in the \SYSVOL\Polices\DomainName\PolicyDefinitions folder on DCs rather than multiple copies for each GPO. This stands to improve replication performance and decrease SYSVOL space usage. It’s worth a mention here that ADMX files can only be administered from a Vista or Server 2008 machine, older OS’s are not ADMX-aware, though the settings in ADMX templates can still apply to them.

Another new concept related to Administrative Templates is that of Starter GPOs. Starter GPOs allow an administrator to configure multiple administrative template settings into a “Starter GPO”, which can then be used as a baseline for deploying future GPOs based on those settings. Starter GPOs can also be exported/imported to completely different environments as a .CAB file, which will retain settings & comments.

On the performance side of things, the Group Policy client engine has been separated as its own service, called “Group Policy Client” (who would’ve guessed?). Previously it ran under the Winlogon process. This was done as a performance enhancing feature and was also designed to improve GP related event logging. It has supposedly gotten a little easier to troubleshoot problems related to GP processing, though I haven’t had the fun of that experience yet. There were also improvements to Network Location Awareness (NLA), the feature that deals with slow link determination, which will improve startup times and intelligently deal with network connectivity changes.

Group Policy Preferences

Group Policy Preferences

Rounding out the major changes to Group Policy are two final features. First, it is now possible in Vista & Server 2008 to have multiple Local GPOs. This is most advantageous in non-domain environments such as workgroup or kiosk computers. This allows one LGPO to be applied for certain groups, and a different LGPO to be applied for others. This is useful because it allows IT staff to administer machines without being hindered by the regular restrictive LGPO. Finally, Group Policy Preferences have been enhanced to expand control over such settings as drive mappings, local groups, printers, tasks, data sources, file & folder options, and many other application & environmental settings that are traditionally scripted. See this blog for a good description on the differences between Policies and Preferences.

That’s all for this time. Check back soon for Server 2008 related posts on Active Directory, Terminal Services, Server Core, Scheduled Tasks, Performance Improvements, and anything else that might be blog worthy.

For further information: Windows Server Group Policy Home


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: