Microsoft's implementation of commenting in Active Directory has always amazed me. In Windows Server 2003, everywhere you look you find wizards and tabs and configuration screens with a location for adding comments. It seems like every little setting in Active Directory could tell its own story through its attached comments.
If you've got a large domain run by lots of Windows administrators or if you've incorporated formalized IT processes, in-object commenting is an excellent way to self-document your environment. Attaching a comment to an Organizational Unit at creation helps large domains understand the purpose and ownership of objects throughout their forests. Those comments can contain information about the creator, the authorizing help desk ticket number and even the reason for the configuration.
But with Windows Server 2003 and earlier there's been one glaring omission in comment-capable objects: Group Policy settings.
With Windows Server 2003 and earlier, this critical part of Active Directory administration has had no such capability to store descriptive information. But that changes with the release of Windows Server 2008, which adds the capability to include comments not only for each Group Policy but also for each individual Group Policy setting as well.
Open any Group Policy within the Group Policy Management Console (GPMC), in Windows Server 2008 and view the properties of an available Group Policy setting. You'll notice a new tab marked Comment in the properties window. Even if your standard practice for managing Active Directory doesn't typically include commenting and documenting, doing so here can be vitally important for helping you understand when and why a configuration was made in the past. Knowing the history and owner of all your Group Policy settings can go far in helping you track down and troubleshoot problems down the road.
Comments aren't very useful if you can't find them later
To continue reading for free, register below or login
To read more you must become a member of SearchWindowsServer.com
on. So to facilitate this, Microsoft has added a new wizard to the GPMC that enables the searching and filtering on comments within settings. Within the GPMC, open the Group Policy Object Editor (GPOE), and take a look at the toolbar. You'll see a new icon in the toolbar titled Filter. Clicking on that icon brings up a screen that lets you enable Filter Options. Within that screen, here are the options you are given for creating your filter:
Once the filter is set, the list of Group Policy categories shrinks to include just those that contain settings of interest. If your filter is too restrictive, you'll see all the possible categories disappear. Then you know you'll need to loosen up your search terms. Right click on the Administrative Templates node to either turn off the filter or change your settings.
Another new node in the GPMC is available under Administrative Templates. There, you'll see an entry for All Settings. If you've always hated wading through the long list of Group Policy categories in the tree just to find your setting, you'll appreciate this new node where all Group Policy settings are aggregated into a single list for easy browsing. This node is especially useful when used in combination with the filters mentioned above.
As you can see, the management of individual Group Policy settings gets a lot easier with Windows Server 2008. More information and more capabilities for searching make the process of finding just the right configuration control just that much simpler.
Greg Shields, MCSE: Security, is an independent author, speaker and consultant based in Denver with many years of IT architecture and enterprise administration experience. He is a sought-after IT trainer and speaker, speaking publicly on such IT topics as Microsoft administration, systems management and monitoring, and virtualization. His recent book Windows Server 2008: What's New/What's Changed is available at www.sapienpress.com.
