Within the Windows Server 2012 beta (formerly known as the Windows Server 8 beta), there are over 4,560 group policies to play with: some old, some new. Additionally, there are usability improvements to the Group Policy infrastructure.
Here are the top five areas to focus your research on as you test for compatibility and understand how the Windows 8 client and server partners work together:
- The Group Policy Update option within the Group Policy Management Console. Instead of
issuing clunky command-line refresh commands, like gpupdate /force, on individual machines, you can
graphically select organizational units on which to refresh Group Policy. This effectively means
that because you can kick things off right from within the console, you don’t have to wait the hour
and a half that it sometimes took for those refreshes to take place across a network. You can only
target computers in organizational units, but the refresh itself will kick off a re-download of
both the user and the computer portions of the group policy
objects (GPOs) that apply to the given target. Behind the scenes, this option creates two
scheduled tasks on each computer in the targeted organizational unit. For this to work, the domain
controllers need to have access to create scheduled tasks on the computers, so firewalls on each
system will need to be configured appropriately.
- An easy-to-monitor status report about the Group Policy infrastructure on your Active
Directory network. Within the Group Policy Management Console, there’s a new tab called “Infra
Status.” (As a mechanical perfectionist, I’m hoping Microsoft will expand that unfortunate
abbreviation, but I digress.) The information on this tab shows the status of Active Directory and
Sysvol (using distributed file system replication services) replication for this domain as it
relates to Group Policy. Previously, you had to look at the Sysvol status on each individual server
and issues wouldn’t always bubble themselves up to the surface in an easy-to-digest way. Because AD
replication is key to getting Group Policy to apply correctly within your domain, this will end up
being a very handy troubleshooting tool.
- Group Policy-based management of the Setting Sync feature. New to the Windows 8 family
is the ability for users to enable one Windows Live ID to tie together all of their documents,
settings and so on via a cloud-based synchronization service a la Apple’s iCloud service. When
users roam from one device to another, by entering their ID, preferences and files are available to
them just like on other devices; picture this as a giant roaming profiles service that works across
security boundaries. Of course, corporate administrators will be wary of allowing many personal
preferences to enable themselves on company machines, and there are seven new GPOs in Windows
Server 2012 to control this feature. The Group Policy settings for the Setting Sync options are
located in Computer Configuration > Administrative Templates > Windows Components >
- New Internet Explorer policies. You can now manage policy preferences for Internet
Explorer 9 directly from the Windows Server 2012 Group Policy Management Console. Other new IE
capabilities include disabling the password reveal (new to Windows 8 and IE 10), requiring that
Enhanced Protected Mode be used (this forces Internet Explorer to run in 64-bit mode), preventing
ActiveX controls from running in lesser security contexts in Enhanced Protected Mode and disabling
the Windows 8 “Delete Browsing History on Settings” charm, among others.
- Windows 8 and Metro-specific GPOs. You can customize the behavior of some of the new features in Windows 8, like disabling the lock screen, turning off PIN logon, turning off picture password logon, customizing how the default Metro app packages are deployed and enabled, using certain colors for the Start screen background, turning off tracking of app usage, disabling access to the Windows 8 App Store and customizing how Windows to Go behaves.
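The OU-wide refresh described in the first item above can also be scripted, which makes it easier to see which machines did not accept the request. The following is an added example, not part of the original article; it assumes the `Get-ADComputer` and `Invoke-GPUpdate` cmdlets from the ActiveDirectory and GroupPolicy modules that ship with Windows Server 2012, and the function name and OU are hypothetical.

```powershell
# Added example: run from a management host with the ActiveDirectory and
# GroupPolicy modules installed (Windows Server 2012 or Windows 8 with RSAT).
Import-Module ActiveDirectory, GroupPolicy

function Invoke-OuPolicyRefresh {
    param(
        [Parameter(Mandatory)] [string] $OrganizationalUnit,  # OU distinguished name
        [int] $RandomDelayInMinutes = 0                       # 0 = no random delay
    )

    # Only enabled computer accounts; like the console, this targets computers only.
    $computers = Get-ADComputer -SearchBase $OrganizationalUnit -SearchScope Subtree `
                                -Filter 'Enabled -eq $true' -Properties DNSHostName

    foreach ($computer in $computers) {
        # Fall back to the short name if the account has no DNS host name recorded.
        $name = $computer.DNSHostName
        if (-not $name) { $name = $computer.Name }

        # 'Scheduled' means the remote refresh task was created, not that every
        # GPO has already applied on the target.
        $result = [pscustomobject]@{ Computer = $name; Status = 'Scheduled'; Detail = '' }
        try {
            # Refreshes both the user and computer portions of policy on the target.
            Invoke-GPUpdate -Computer $name -Force `
                            -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop
        }
        catch {
            # Typical causes: host offline, or its firewall blocks remote
            # scheduled-task creation from the management host.
            $result.Status = 'Failed'
            $result.Detail = $_.Exception.Message
        }
        $result
    }
}

# Hypothetical OU; replace with a distinguished name from your own domain.
$report = Invoke-OuPolicyRefresh -OrganizationalUnit 'OU=Workstations,DC=example,DC=com'
$report | Where-Object Status -eq 'Failed' | Format-Table -AutoSize
```

Machines listed as failed are the ones to check for the firewall configuration the article mentions, since they will keep running the old policy until their next background refresh.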
Microsoft has released a full spreadsheet of all the Group Policy settings for Windows 8 and Windows Server 2012 here.
ABOUT THE AUTHOR
Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS, Hardening Windows and recently Windows Vista: Beyond the Manual.
This was first published in April 2012