Top five Group Policy improvements in Windows Server 2012

What's changed with Active Directory Group Policy in Windows Server 2012? Get an idea of some of the improvements in this tip.

Within the Windows Server 2012 beta (formerly known as the Windows Server 8 beta), there are over 4,560 group policies to play with, some old and some new. Additionally, there are usability improvements to the Group Policy infrastructure and the venerable Group Policy Management Console.

Here are the top five areas to focus your research on as you test for compatibility and understand how the Windows 8 client and server partners work together:

  • The Group Policy Update option within the Group Policy Management Console. Instead of issuing clunky command-line refresh commands, like gpupdate /force, on individual machines, you can graphically select organizational units on which to refresh Group Policy. This effectively means that because you can kick things off right from within the console, you don’t have to wait the hour and a half that it sometimes took for those refreshes to take place across a network. You can only target computers in organizational units, but the refresh itself will kick off a re-download of both the user and the computer portions of the group policy objects (GPOs) that apply to the given target. Behind the scenes, this option creates two scheduled tasks on each computer in the targeted organizational unit. For this to work, the domain controllers need to have access to create scheduled tasks on the computers, so firewalls on each system will need to be configured appropriately.
  • An easy-to-monitor status report about the Group Policy infrastructure on your Active Directory network. Within the Group Policy Management Console, there’s a new tab called “Infra Status.” (As a mechanical perfectionist, I’m hoping Microsoft will expand that unfortunate abbreviation, but I digress.) The information on this tab shows the status of Active Directory and Sysvol (using distributed file system replication services) replication for this domain as it relates to Group Policy. Previously, you had to look at the Sysvol status on each individual server, and issues wouldn’t always bubble up to the surface in an easy-to-digest way. Because AD replication is key to getting Group Policy to apply correctly within your domain, this will end up being a very handy troubleshooting tool.
  • Group Policy-based management of the Setting Sync feature. New to the Windows 8 family is the ability for users to enable one Windows Live ID to tie together all of their documents, settings and so on via a cloud-based synchronization service a la Apple’s iCloud service. When users roam from one device to another, by entering their ID, preferences and files are available to them just like on other devices; picture this as a giant roaming profiles service that works across security boundaries. Of course, corporate administrators will be wary of allowing many personal preferences to enable themselves on company machines, and there are seven new GPOs in Windows Server 2012 to control this feature. The Group Policy settings for the Setting Sync options are located in Computer Configuration > Administrative Templates > Windows Components > Settings Sync.
  • New Internet Explorer policies. You can now manage policy preferences for Internet Explorer 9 directly from the Windows Server 2012 Group Policy Management Console. Other new IE capabilities include disabling the password reveal (new to Windows 8 and IE 10), requiring that Enhanced Protected Mode be used (this forces Internet Explorer to run in 64-bit mode), preventing ActiveX controls from running in lesser security contexts in Enhanced Protected Mode and disabling the Windows 8 “Delete Browsing History on Settings” charm, among others.
  • Windows 8 and Metro-specific GPOs. You can customize the behavior of some of the new features in Windows 8, like disabling the lock screen, turning off PIN logon, turning off picture password logon, customizing how the default Metro app packages are deployed and enabled, using certain colors for the Start screen background, turning off tracking of app usage, disabling access to the Windows 8 App Store and customizing how Windows to Go behaves.
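
The remote refresh and firewall requirement from the first item above can also be scripted with the Windows Server 2012 GroupPolicy module. The following is an added example, not code from the article or from Microsoft; the OU path and GPO name are constructed placeholders, and it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that Starter GPOs have already been created in the domain.

```powershell
# Added example. $ou and $gpoName are constructed placeholders; adjust to your domain.
Import-Module ActiveDirectory, GroupPolicy

$ou      = 'OU=Workstations,DC=example,DC=com'
$gpoName = 'Firewall - allow remote Group Policy refresh'

# Step 1: publish the inbound firewall rules the remote refresh depends on.
# The built-in Starter GPO enables the Remote Scheduled Tasks Management and
# Windows Management Instrumentation (WMI) inbound rules on the targets.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -StarterGpoName 'Group Policy Remote Update Firewall Ports' |
        New-GPLink -Target $ou -LinkEnabled Yes | Out-Null
}

# Step 2: schedule a refresh on every computer in the OU and record the outcome.
# Invoke-GPUpdate creates the scheduled tasks on each target; -Force re-applies
# all settings, and the delay spreads the load on the domain controllers.
$results = foreach ($computer in Get-ADComputer -SearchBase $ou -Filter *) {
    $status = 'Scheduled'
    $detail = ''
    try {
        Invoke-GPUpdate -Computer $computer.DNSHostName -RandomDelayInMinutes 5 `
            -Force -ErrorAction Stop
    }
    catch {
        # Typical cause: the firewall rules from step 1 have not reached this host yet.
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Computer = $computer.DNSHostName
        Status   = $status
        Detail   = $detail
    }
}

# Failed hosts sort first so blocked or offline machines are easy to spot.
$results | Sort-Object Status, Computer | Format-Table -AutoSize -Wrap
```

The firewall GPO only reaches a target at its next regular policy refresh, so failures on a first run are expected. Restricting the rules' remote addresses to the hosts that initiate refreshes keeps the task scheduler interface from being reachable from the whole network.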

Microsoft has released a full spreadsheet of all the Group Policy settings for Windows 8 and Windows Server 2012 here.


Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS, Hardening Windows and recently Windows Vista: Beyond the Manual.
