Group Policy Enhancements in Windows 2008 R2

Updates to the Group Policy Editor and Policy Management

Most of what is “new” in the Group Policy enhancements in Windows 2008 R2 was actually in Windows 2008; however, many organizations never migrated off Active Directory 2003 to Active Directory 2008, so this is all new to administrators who have basically gone from Active Directory 2003 straight to Active Directory 2008 R2.  What Microsoft has done with Group Policies in Windows 2008 (and 2008 R2) has been awesome!  So the minute you launch the Group Policy Management Console (GPMC) you’ll notice not just the Computer Configuration container and the User Configuration container, but that under both the Computer and User containers there are “Policies” and “Preferences”.

The Policies container is the same container that has been in AD all along, where you have containers for Account Policies, Windows Settings, Administrative Tools, Security, etc.  But under “Preferences” is a whole new set of “views” of policies.  For some 1000+ settings, instead of more text-based “descriptions” of things, there’s a GUI that lets you “see” a Control Panel-style view, where you click through the GUI to “set” settings.  When you set the settings and click OK, you’re effectively creating the group policy.  So for things like Internet Explorer settings, you just click the checkbox or option on screen, and those settings are set.  Or you can do drive mappings through a GUI, or set display settings through a GUI.  This whole Preferences area REALLY makes setting policies easier.  It’s just like being in Control Panel on your workstation, but instead what you choose is set as the “policy” for the managed systems…

Policies and Preferences

As mentioned, Windows 2008 Group Policy introduced a brand new set of configurable settings known as Preferences. Group Policy Objects are now organized into Policy settings and Preference settings. Preferences provide many of the features that the Group Policy infrastructure was lacking in previous versions, and preferences also provide many functions that were commonly handled with complex logon and startup scripts, with Registry file import tasks, and by administrators configuring the default user profile on workstations and servers. Many preference settings, such as Registry keys and Drive Maps, would have previously been applied with scripts that required the workstation to be logged on to or started up on the internal network. With preference settings in domain group policies, these settings can now be applied during the Group Policy refresh interval, which can greatly increase the successful application of these types of settings.

Policy settings and Preference settings have different characteristics. Policy settings are enforced, and all users are commonly restricted from changing any configured policy setting. If a policy setting has a graphic interface, that interface is normally grayed out to the end user once the setting is configured, as with policy-configured Remote Desktop settings. Policy settings such as software installations and computer or user scripts are only processed during computer startup or shutdown and user logon and logoff cycles.

Preference settings are applied to computers and users the same as policy settings: during startup, shutdown, and refresh cycles for computers and logon, logoff, and refresh cycles for users. Preference settings, however, are configured but not enforced. As an example of this, using a user printer preference, a printer can be installed in a user profile and set to be the default printer, but the end user will still retain the ability to define a different default printer if necessary. Preference settings are applied during refresh intervals, but certain settings, such as creating Registry keys and values, might require a computer reboot or a user logoff/logon cycle to actually apply the new setting. One important point to note is that domain group policy preferences are supported on Windows 7, Windows Server 2008, and Windows Server 2008 R2, but Windows XP, Windows Server 2003, and Windows Vista all need an update to support preference settings.

Preference settings are all different, but they each share common administrative functionality. Each preference setting is presented in a graphic interface similar to, if not exactly like, what the end user can see and access within the user profile. This is one distinction between preference and policy settings: most policy settings are simply enabled, disabled, or not configured, whereas a preference setting can contain several configuration features.

Furthermore, each preference setting can have multiple items defined within it, each with a separate configuration value. As an example, a Drive Map preference can have one item for a mapped drive P and another item for a mapped drive U defined within the single domain group policy preference setting.

In addition to the specific setting options that are unique to each preference, such as the drive letter designation for a Drive Map or a folder path to a Network Share preference, each setting also contains a set of common options and many also include a preference action.

Preference Actions

Preference actions determine how a preference setting item will be applied to a user or computer. Many, though not all, preference settings include this option, called the preference action. The most common preference actions are Create, Replace, Update, and Delete:

► Create—The Create action creates or configures the preference setting if the setting does not already exist. If the setting already exists, no action is taken.

► Replace—The Replace action deletes and recreates the setting on the computer or within the user profile.

► Update—The Update action creates the setting if it does not exist, but if the setting already exists, part or all of the setting configuration is updated to match the preference setting. Update is the default action and is less intrusive than the Replace action. It can be used to ensure that the setting is configured as desired while keeping processing fast, because if the setting already matches the preference it is skipped.

► Delete—The Delete action simply deletes the preference setting from the computer or user profile. For example, a Delete action can remove a mapped drive, delete a Registry key, or delete a printer from a computer or a user profile.

Preference Common Options

Each preference setting contains a Common tab with several options that can be enabled for that particular setting. Common options include the ability to process the setting only once, which is great for setting default configurations for new user profiles or for adding a new preference setting to existing domain group policies.

Item-Level Targeting

One of the most functional preference common options is the item-level targeting option. Item-level targeting allows administrators to define the scope of application for a particular preference setting item, such as a Drive Map. So with item-level targeting an administrator can create a single domain group policy with a single Drive Map preference whose items apply to different subsets of computers or users, based on the item-level target defined on each item. For example, a Drive Map preference that defines the G drive can be configured to map \\server10\Sales for members of the domain security group named sales, based on that item’s item-level targeting configuration. The same preference can also define the G drive as \\server10\HR for members of the domain Human Resources group, based on a different item-level targeting configuration on a second item.
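As an added example that is not part of the original article (nor Microsoft’s code), the following Python script reads a constructed Drives.xml, laid out the way GPMC writes a Drive Map preference into SYSVOL, and simulates the Create, Replace, Update and Delete actions from the list above together with the security-group item-level targeting just described, so you can see which G drive a sales member versus a Human Resources member ends up with. The CONTOSO group names, SIDs, server and share paths are assumed sample values, the real file’s clsid and uid attributes are omitted, and only AND-combined security-group filters are evaluated.

```python
"""Simulate Group Policy Preference Drive Map processing from a Drives.xml.

Added example, not code from the article or from Microsoft. GPMC stores a
GPO's Drive Map items in SYSVOL under
<GPO GUID>\\User\\Preferences\\Drives\\Drives.xml. Each <Drive> item carries a
Properties/@action code (C=Create, R=Replace, U=Update, D=Delete) and an
optional <Filters> block holding the item-level targets.
"""
import xml.etree.ElementTree as ET

# Constructed sample Drives.xml: one Drive Map preference holding five items.
# CONTOSO names, SIDs and \\server10 shares are placeholders for this example.
DRIVES_XML = r"""
<Drives>
  <Drive name="G:">
    <Properties action="U" path="\\server10\Sales" label="Sales" persistent="1" useLetter="1" letter="G"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\sales" sid="S-1-5-21-0-0-0-1101" userContext="1"/>
    </Filters>
  </Drive>
  <Drive name="G:">
    <Properties action="U" path="\\server10\HR" label="HR" persistent="1" useLetter="1" letter="G"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\Human Resources" sid="S-1-5-21-0-0-0-1102" userContext="1"/>
    </Filters>
  </Drive>
  <Drive name="P:">
    <Properties action="C" path="\\server10\Public" label="Public" persistent="1" useLetter="1" letter="P"/>
  </Drive>
  <Drive name="H:">
    <Properties action="R" path="\\server10\Scratch" label="Scratch" persistent="1" useLetter="1" letter="H"/>
  </Drive>
  <Drive name="Z:">
    <Properties action="D" path="" label="" useLetter="1" letter="Z"/>
  </Drive>
</Drives>
"""

ACTIONS = {"C": "create", "R": "replace", "U": "update", "D": "delete"}


def load_drive_items(xml_text):
    """Return the Drive Map items of a Drives.xml in the order GPMC lists them."""
    items = []
    for drive in ET.fromstring(xml_text).findall("Drive"):
        props = drive.find("Properties")
        items.append({
            "letter": props.get("letter"),
            "path": props.get("path", ""),
            "action": ACTIONS[props.get("action", "U")],
            # item-level targets: (group name, negated?) per security-group filter
            "groups": [(f.get("name"), f.get("not") == "1")
                       for f in drive.findall("Filters/FilterGroup")],
        })
    return items


def targets_user(item, user_groups):
    """Item-level targeting check: every security-group filter must hold.
    (Real GPP also offers OR logic and many other target types; this example
    only handles AND-combined security-group filters.)"""
    groups = {g.lower() for g in user_groups}
    for name, negated in item["groups"]:
        if (name.lower() in groups) == negated:
            return False
    return True


def apply_item(mappings, item, log):
    """Apply one item's preference action to the user's current drive mappings."""
    letter, path, action = item["letter"], item["path"], item["action"]
    existing = mappings.get(letter)
    if action == "create":            # only acts when the drive is absent
        if existing is None:
            mappings[letter] = path
            log.append(f"map {letter} -> {path}")
        else:
            log.append(f"skip {letter} (already exists)")
    elif action == "replace":         # always delete, then recreate
        if existing is not None:
            del mappings[letter]
            log.append(f"unmap {letter}")
        mappings[letter] = path
        log.append(f"map {letter} -> {path}")
    elif action == "update":          # create if missing, adjust if different
        if existing == path:
            log.append(f"skip {letter} (already matches)")
        else:
            mappings[letter] = path
            log.append(f"{'remap' if existing else 'map'} {letter} -> {path}")
    elif action == "delete":
        if existing is not None:
            del mappings[letter]
            log.append(f"unmap {letter}")
        else:
            log.append(f"skip {letter} (nothing to delete)")


def process_drive_maps(xml_text, user_groups, current=None):
    """Run every targeted item against a user's mappings; return (mappings, log)."""
    mappings = dict(current or {})
    log = []
    for item in load_drive_items(xml_text):
        if targets_user(item, user_groups):
            apply_item(mappings, item, log)
        else:
            log.append(f"filtered out {item['letter']} ({item['path']})")
    return mappings, log


if __name__ == "__main__":
    for groups in (["CONTOSO\\Domain Users", "CONTOSO\\sales"],
                   ["CONTOSO\\Domain Users", "CONTOSO\\Human Resources"],
                   ["CONTOSO\\Domain Users"]):
        mapped, events = process_drive_maps(DRIVES_XML, groups, {"Z": r"\\oldserver\legacy"})
        print(groups[-1], mapped, events)
```

Running the script shows the two G items resolving to different shares depending on group membership, the Create item leaving an existing P drive alone, the Replace item always unmapping and remapping H, and the Delete item removing the legacy Z drive, which is the behaviour the action list above describes.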

So what you will find after you migrate to Active Directory 2008 R2 are new features for setting and configuring policies that make policy configuration and management a LOT easier to understand and to apply.  A common question I get is “do I need to migrate ALL of my Active Directory domain controllers and global catalog servers to be able to see the new ‘preferences’ feature in GPMC?”  The answer is “no”.  You just need to add a Windows 2008 (or 2008 R2) member server to the network, add the Active Directory Domain Services “role”, and run DCPromo on that system, which will extend the Active Directory schema to support the new preferences features.  Once the AD schema has been extended, you run GPMC on the global catalog / domain controller system you just added to the network.  This new system will have the new Group Policy Management Console, which will “see” the AD group policy structure of Policies and Preferences.

If you ran an older copy of the Group Policy Editor on an older global catalog / domain controller system, the policy objects would still exist, but the GPMC / GPEdit utility running on the older system would not show the underlying updated policies.

A portion of the above excerpt came from my book “Windows Server 2008 R2 Unleashed”, a 1550-page hardcover book covering everything from Active Directory design and migration, to Remote Desktop Services (“terminal services”), to Windows administration, to configuring DHCP/DNS, to Hyper-V R2, and more.


Copyright © 2010 IDG Communications, Inc.