Microsoft's implementation of commenting in Active Directory has always amazed me. In Windows Server 2003, everywhere you look you find wizards and tabs and configuration screens with a location for adding comments. It seems like every little setting in Active Directory could tell its own story through its attached comments.
If you've got a large domain run by lots of Windows administrators or if you've incorporated formalized IT processes, in-object commenting is an excellent way to self-document your environment. Attaching a comment to an Organizational Unit at creation helps large domains understand the purpose and ownership of objects throughout their forests. Those comments can contain information about the creator, the authorizing help desk ticket number and even the reason for the configuration.
But with Windows Server 2003 and earlier there's been one glaring omission in comment-capable objects: Group Policy settings.
Until now, this critical part of Active Directory administration has had no way to store descriptive information. That changes with the release of Windows Server 2008, which adds the capability to include comments not only for each Group Policy but also for each individual Group Policy setting.
Open any Group Policy within the Group Policy Management Console (GPMC) in Windows Server 2008 and view the properties of an available Group Policy setting. You'll notice a new tab marked Comment in the properties window. Even if your standard practice for managing Active Directory doesn't typically include commenting and documenting, doing so here can be vitally important for helping you understand when and why a configuration was made in the past. Knowing the history and owner of all your Group Policy settings can go far in helping you track down and troubleshoot problems down the road.
Comments aren't very useful if you can't find them later on. To facilitate this, Microsoft has added a new wizard to the GPMC that enables searching and filtering on comments within settings. Within the GPMC, open the Group Policy Object Editor (GPOE), and take a look at the toolbar. You'll see a new icon in the toolbar titled Filter. Clicking on that icon brings up a screen that lets you enable Filter Options. Within that screen, here are the options you are given for creating your filter:
- Managed -- Remember that there are two types of Group Policy settings: those that arrive with Active Directory, called Managed policies, and those that are customized by administrators, called Unmanaged policies. Native policies are called Managed because the Group Policy service manages both the setting and the "un-setting" of these policy settings when they are later set to Not Configured. Setting this filter to Yes only filters the settings natively managed by the Group Policy service.
- Configured -- Configured settings are those that have been set to anything other than Not Configured. Setting this filter to Yes only filters settings that have been specifically enabled and have an assigned configuration.
- Commented -- Commented settings are those where a comment has been attached. Setting this filter to Yes filters the settings where a comment has been placed inside the setting.
- Enable keyword filters -- Keyword filters allow searching based on words contained in the setting title, explanatory text or attached comment. Enabling this filter allows you to search on any entered word or set of words.
- Enable requirements filters -- Group Policies and their settings are typically associated with an operating system or an application. By limiting your search to just the operating system or an application, you can reduce your level of searching for the setting of interest. This setting allows the filter to narrow down the search to the ones that are pertinent.
Once the filter is set, the list of Group Policy categories shrinks to include just those that contain settings of interest. If your filter is too restrictive, you'll see all the possible categories disappear, which tells you that you need to loosen up your search terms. Right-click on the Administrative Templates node to either turn off the filter or change your settings.
Another new node in the GPMC is available under Administrative Templates. There, you'll see an entry for All Settings. If you've always hated wading through the long list of Group Policy categories in the tree just to find your setting, you'll appreciate this new node where all Group Policy settings are aggregated into a single list for easy browsing. This node is especially useful when used in combination with the filters mentioned above.
As you can see, the management of individual Group Policy settings gets a lot easier with Windows Server 2008. More information and more capabilities for searching make the process of finding just the right configuration control just that much simpler.
Greg Shields, MCSE: Security, is an independent author, speaker and consultant based in Denver with many years of IT architecture and enterprise administration experience. He is a sought-after IT trainer and speaker, speaking publicly on such IT topics as Microsoft administration, systems management and monitoring, and virtualization. His recent book Windows Server 2008: What's New/What's Changed is available at www.sapienpress.com.
This was first published in January 2008