Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
inheritance.
. Rename a GPO.
. Generate a report of GPO settings and configurations.
ptg
. Generate a Resultant Set of Policies report.
. Set GPO administrative permissions and delegation.
. Set GPO policy and preference settings that are stored in the Registry.
Two important points that need to be stated about managing GPOs though PowerShell is
that in order to manage or report on any existing GPO, the Group Policy administrator
must know the GUID ID of the GPO or the exact spelling of the name. The second point
is that currently there is no PowerShell GPO cmdlet that can configure or report on the
GPO link precedence of a particular domain or organizational unit.
Microsoft Desktop Optimization Pack for Software Assurance
The Microsoft Desktop Optimization Pack for Software Assurance contains several func-
tions and features that administrators can leverage to assist with the management of the
organization’s desktops. One feature included with this kit is called Microsoft Advanced
Group Policy Management (AGPM), which provides extended functionality not available
in the GPMC and GPME. This feature provides several functions to improve GPO manage-
ment, including GPO change control, GPO archiving, offline editing of GPOs, granular
GPO administrative delegation, integration of policy changes, and auditing and GPO
difference and comparison functionality. AGPM can even enable administrators to reject
changes to GPOs or roll back a GPO to a previous version stored in the archive. AGPM 3.0
Policy Management Tools
613
is supported on Windows Vista and Windows Server 2008, but provides only partial
support for Windows 7 and Windows Server 2008 R2.
The Desktop Optimization Pack is only available for software assurance customers and
your Microsoft reseller should be contacted to determine how to qualify for or down-
load the pack.
ADMX Migrator
The ADMX Migrator tool, shown in Figure 19.16, allows administrators to take existing
ADM templates and migrate those settings to the new ADMX and ADML template format.
This tool is fully supported by www.fullarmor.com, the company that makes ADMX
Migrator. The tool creates both the ADMX and ADML files, and after they are created,
they can be copied to the PolicyDefinitions folder of a Windows Vista, Windows 7,
Windows Server 2008, or Windows Server 2008 R2 system or GPO central store in a test
Active Directory infrastructure for testing. Any ADMX/ADML files created using this tool
should be tested thoroughly before releasing to a pilot group or users or computers in
production.
ptg
19
FIGURE 19.16
Examining the ADMX Migrator tool.
Group Policy Log View (GPLogView)
GPLogview is a downloadable tool from Microsoft that allows administrators to monitor
or generate reports of GPO administrative and operational events in text, XML, and HTML
format. The tool can be run in monitor mode during a Group Policy refresh interval to
614
CHAPTER 19
Windows Server 2008 R2 Group Policies and Policy Management
watch a live view of what the GPO processing is logging. GPLogView is available for
download but is not supported by Microsoft.
Event Viewer
Event Viewer for Windows 7 and Windows Server 2008 R2 includes several new event
logs, which now provide additional GPO logging events, similar to those shown in Figure
19.17. GPO logging now includes administrative GPO events, stored in the system log
with a source of “Group Policy,” and GPO operational events, stored in the “Applications
and Services Logs,” which is stored in Microsoft/Windows/GroupPolicy/Operational.
ptg
FIGURE 19.17
Examining the filtered event log.
GPO Administrative Events
The administrative events include the state of the GPO processing on a particular computer
or user, including high-level information detailing if GPO processing was successful or
failed. To view Group Policy administrative events, perform the following steps:
1. Log on to a designated administrative workstation running Windows Server 2008 R2.
2. Click the Start button.
3. Select All Programs.
4. Select Administrative Tools.
5. Double-click the shortcut for Event Viewer.
6. When Event Viewer opens, expand Windows Logs.
7. Right-click the System log and select Filter Current Log.
Policy Management Tools
615
8. In the middle of the filter windows, click the Event Sources drop-down list arrow.
9. Scroll down and check Group Policy and click back on the filter window to close the
menu.
10. Click OK at the bottom of the window to apply the filter.
11. Review the group policy events.
12. If the task is complete, close Event Viewer to clear the filter; otherwise, clear the
filter by right-clicking on the system log and selecting Clear Filter.
13. Close Event Viewer when you are finished.
GPO Operational Events
The GPO operational events include very granular detail of GPO processing. When GPO
processing occurs, the operational events are created almost one for one with each task
included within the GPO processing. This new logging functionality simplifies trou-
bleshooting GPO processing tremendously. To view the GPO operational events on a
Windows Server 2008 R2 system, perform the following steps:
1. Log on to a designated administrative workstation running Windows Server 2008 R2.
2. Click the Start button.
ptg
3. Select All Programs.
4. Select Administrative Tools.
5. Double-click the shortcut for Event Viewer.
6. When Event Viewer opens, expand Applications and Services Logs.
7. Expand Microsoft.
8. Expand Windows.
9. Expand Group Policy.
10. Select the Operational log beneath the Group Policy container and view the events
in the right pane.
11. Click on particular events to see the details.
12. Close Event Viewer when you are finished.
19
DFS Management
GPO files are stored in the Active Directory domain sysvol folder. GPO files in the sysvol
folder are replicated by the Distributed File System Replication service. The DFS
Management console enabled administrators to configure the replication options, includ-
ing scheduling and other DFS management tasks. The sysvol share is known as the domain
system volume and the replication of this volume follows the site link replication schedule.
More details about the DFSR service can be found in Chapter 28, “File System Management
and Fault Tolerance.” Changing or managing the domain system volume replication sched-
ule between domain controllers in the same Active Directory site is not an option.
616
CHAPTER 19
Windows Server 2008 R2 Group Policies and Policy Management
Designing a Group Policy Infrastructure
Designing a Group Policy infrastructure requires a detailed understanding of the available
configuration settings available in Group Policy Objects. Chapter 27 details the available
settings administrators can configure with group policies and also covers some best-prac-
tice configurations. This section of the chapter covers the high-level steps required to
successfully plan and deploy a reliable Group Policy infrastructure.
Active Directory Design and Group Policy
A key to determining how to best design the Group Policy infrastructure is to first under-
stand how the Active Directory infrastructure is configured. The site, domain, and OU
design of an Active Directory infrastructure usually follows a few key elements, including
physical office locations, network connectivity, and delegation of administration, includ-
ing branch office management, separation of Active Directory management tasks, desktop
and server administration, and, of course, security and reliability.
Site Group Policy Links
Group policies can be linked to Active Directory site objects. There is no default site policy
created when Active Directory is first deployed. In the past, common uses of site-linked
ptg
group policies included settings related to networking and security configurations. Some
considerations for determining whether a GPO should be linked at a site should include
the following:
. Every object in a site, determined by the associated site subnet, will process the
policy, regardless of the domain the user or computer account is located in. Is this
the desired configuration?
. Does the site contain a domain controller in the domain in which the group policy
is created?
. Do any of the associated site subnets include networks across slow links or virtual
private networks? If so, changing the default values or disabling slow link detection
on the site policy might be required for proper processing.
. Is there a particular security requirement for the site that required a higher level of
enforced security or a required configuration or application?
Before a GPO can be linked to a site, the site will need to be added into the GPMC. To add
an Active Directory site to the GPMC and add a GPO link, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative server.
2. Open the Group Policy Management Console.
3. Right-click the Sites container and select Show Sites.
4. In the Show Sites window, click the Select All button or check the box next to the
site you want to add to the GPMC. Click OK to add the site(s) to the console.
5. In the tree pane, expand the Sites container, and right-click the desired site.
6. Select the Link an Existing GPO option.
Designing a Group Policy Infrastructure
617
7. In the Select GPO window, select the source domain from which you want to link
the GPO.
8. In the Group Policy Objects section of the window, select the desired GPO or GPOs,
and then click OK to create the link.
9. If necessary, configure the link settings for each new site link and then close the
GPMC.
Domain GPO Links
When Active Directory is deployed, two preconfigured, default group policies are created.
One is linked to the domain named the Default Domain Policy and the other is linked to
the Domain Controllers OU named the Default Domain Controllers Policy.
The Default Domain Policy contains the default security settings for the entire domain,
including account policies. As a best practice, use this policy only for managing the
default account policies for the entire domain. Any additional GPO settings that an orga-
nization would desire to apply to all users and/or computers, including domain
controllers, member servers, and client workstations, should be added to new Group
Policy Objects and linked at the domain level. The number of policies linked at the
domain level should be kept to a minimum to ensure quality Group Policy processing
performance for the organization.
ptg
Organizational Unit Links
Linking GPOs to organizational units is the most common use of GPO links. OU GPO
links provide the most targeted GPO application and granular administrative control of
the OU GPO–related tasks as well as the configuration and management of the objects
contained in the OU. The only way to get more granular on an OU GPO link is to apply a
security filter or a WMI filter on that particular GPO, but that would affect each GPO link