Wednesday, 25 July 2007 1:05
Windows Server 2008 & Group Policy Management Console (GPMC)
Group Policy Management Console (GPMC.msc) makes it easier to understand, deploy, manage and troubleshoot Group Policy implementations, and provides a single administrative tool for managing Group Policy across the enterprise. It is now installed by default on a server running the Active Directory Domain Services (AD DS) role.
Even though this was already the case with Windows Vista, both the GPMC and Group Policy Object Editor introduce some long-wanted features.
Group Policy Templates
A long time ago (September 2003), Microsoft posted the Group Policy Common Scenarios, a series of desktop management scenarios implemented through Group Policy and documented in the included whitepaper. All Group Policy Objects are packaged for import using the Group Policy Management Console. They represent Microsoft best practices for specific (common) Group Policy scenarios.
The concept of "best practices" is merged into the GPMC, where collections of GPO scenarios can be imported through packages (.cab).
When creating new Group Policy Objects, you are able to use a GPO template as a starting point.
Group Policy Comments
For documentation purposes, you can now include comments per GPO (global) and/or per GPO setting (individual), allowing you to comment the policy implementation you make at a certain point in time...
Comments per GPO setting (individual).
Comments per GPO (global).
Group Policy settings Search/Filters
Finally, you're able to easily find GPO settings within the Administrative Templates (only!) through filtering.
Basically, there are 3 global filters you can apply:
- Based on state of GPO setting (Managed, Configured, Commented)
- Based on keywords
- Based on Requirement Filters
Most wanted and most powerful is the (multiple) keyword search/filter, which allows you to filter the 2500+ settings based on (key)words found (via AND/OR) in the GPO setting title (1), its explain text (2) and/or comments (3) you might have added.
Once you turn on the filter, the results of the Search/Filter are visible individually in the Group Policy Object Editor nodes and/or consolidated in the All Settings node.
Even though these are features available only on Windows Server 2008, they will be made available for Windows Vista shortly after the release of Windows Vista SP1 as an OOB RTW (Out-Of-Band Release-To-Web) of the Remote Server Administration Tools (RSAT).
For those of you who are not familiar with RSAT, they are the next-generation adminpak.msi (Administrative Tools) for Windows Vista/Server 2008.
Central ADMX/ADML Store
Windows Vista introduced a new format to display registry-based policy settings (aka Administrative Templates). In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension. The .admx file format replaces the legacy .adm file format, which uses a proprietary markup language. Windows Vista ships only with .admx files, located in the %windir%\PolicyDefinitions folder.
In Windows Vista, Administrative Template files are divided into general .admx files and language-specific .adml files. The changes that are implemented since Windows Vista let administrators configure the same set of policies by using different languages. Administrators can configure policies by using the language-specific .adml files and the language-neutral .admx files.
In pre-Vista operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on the domain controller's SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 4 to 5 megabytes (MB) of hard disk space. Because each domain controller stores a distinct version of a policy, replication traffic is increased. This is referred to as SYSVOL bloat.
Windows Vista/Server 2008 uses a Central Store to store Administrative Template files. Since Windows Vista, the ADM folder is not created in a GPO as in earlier versions of Windows. Therefore, domain controllers do not store or replicate redundant copies of .adm(x/l) files.
To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.
Apart from this replication optimisation (by not inserting ADM(X) files into a GPO), also know that all SYSVOL replication is done by DFSR (DFS Replication) instead of FRS (File Replication Service). More about this in an upcoming blog post, so stay tuned.
For more information on "How to create the central store": Q929841 and Managing Group Policy ADMX Files Step-by-Step Guide
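Because the Group Policy tools use any .admx file they find in the Central Store, it is worth checking what ends up there after creating it. The following is an added example, not part of the original post or of Microsoft's guide: it seeds the store at the documented SYSVOL location from the local %windir%\PolicyDefinitions folder, then reports templates without a language file and files that differ from the local reference copy. It assumes a domain-joined machine, an account allowed to write to SYSVOL, PowerShell 4.0 or later, and en-US as the language in use.

```powershell
# Added example. Assumptions: domain-joined machine, SYSVOL write access,
# PowerShell 4.0+ (Get-FileHash), en-US as the administrative language.
$domain  = $env:USERDNSDOMAIN
$source  = Join-Path $env:windir 'PolicyDefinitions'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$lang    = 'en-US'

# 1. Create the Central Store and seed it from the local template folder.
if (-not (Test-Path $central)) {
    New-Item -ItemType Directory -Path $central | Out-Null
    Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse
}

# 2. Every language-neutral .admx needs a language-specific .adml next to it.
$missingAdml = Get-ChildItem -Path $central -Filter '*.admx' | Where-Object {
    -not (Test-Path (Join-Path $central (Join-Path $lang ($_.BaseName + '.adml'))))
}

# 3. Hash every template below a root, keyed by its path relative to that root.
function Get-TemplateHashes([string]$root) {
    Get-ChildItem -Path $root -Recurse -File -Include '*.admx', '*.adml' |
        ForEach-Object {
            [pscustomobject]@{
                RelPath = $_.FullName.Substring($root.Length).TrimStart('\')
                Hash    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 4. Compare the store with the local reference copy.
#    '=>' : file/hash present only in the Central Store (added or changed there)
#    '<=' : file/hash present only in the local copy (missing or changed in the store)
#    A modified file shows up once on each side.
$drift = Compare-Object (Get-TemplateHashes $source) (Get-TemplateHashes $central) `
             -Property RelPath, Hash

$missingAdml | ForEach-Object { "No $lang .adml in Central Store for $($_.Name)" }
$drift | Sort-Object RelPath | Format-Table RelPath, Hash, SideIndicator -AutoSize
```

An empty result from steps 2 and 4 means the store matches the machine it was seeded from; any '=>' entry is a template that the Group Policy tools will load but that did not come from that reference copy.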
Group Policy Change and Release Management
DesktopStandard GPO Vault Enterprise is transformed into Microsoft Advanced Group Policy Management and is included as part of the Microsoft Desktop Optimization Pack for Software Assurance (DOPSA) available now.
In the near future, I will do a quite detailed post on the features "Advanced Group Policy Management" brings!!
For more information on the Microsoft Desktop Optimization Pack for Software Assurance, see here.
DesktopStandard PolicyMaker Standard Edition, Share Manager, and Registry Extension will be integrated into a future release of the Group Policy Management tools. Microsoft is still working through the long-term integration plan to determine a time frame for their release, which is not anticipated before fall 2007.
Not sure (anymore) what else is new for Group Policies in Windows Vista? Check out my "Group Policies in Windows Vista" presentation at DevITProDays 2007 in Ghent, Belgium.
More information: Group Policy Settings Reference Windows Server 2008 Beta 3