Windows Server 2008 R2 Unleashed (125 page)

inheritance.

. Rename a GPO.

. Generate a report of GPO settings and configurations.

ptg

. Generate a Resultant Set of Policies report.

. Set GPO administrative permissions and delegation.

. Set GPO policy and preference settings that are stored in the Registry.

Two important points that need to be stated about managing GPOs though PowerShell is

that in order to manage or report on any existing GPO, the Group Policy administrator

must know the GUID ID of the GPO or the exact spelling of the name. The second point

is that currently there is no PowerShell GPO cmdlet that can configure or report on the

GPO link precedence of a particular domain or organizational unit.

Microsoft Desktop Optimization Pack for Software Assurance

The Microsoft Desktop Optimization Pack for Software Assurance contains several func-

tions and features that administrators can leverage to assist with the management of the

organization’s desktops. One feature included with this kit is called Microsoft Advanced

Group Policy Management (AGPM), which provides extended functionality not available

in the GPMC and GPME. This feature provides several functions to improve GPO manage-

ment, including GPO change control, GPO archiving, offline editing of GPOs, granular

GPO administrative delegation, integration of policy changes, and auditing and GPO

difference and comparison functionality. AGPM can even enable administrators to reject

changes to GPOs or roll back a GPO to a previous version stored in the archive. AGPM 3.0

Policy Management Tools

613

is supported on Windows Vista and Windows Server 2008, but provides only partial

support for Windows 7 and Windows Server 2008 R2.

The Desktop Optimization Pack is only available for software assurance customers and

your Microsoft reseller should be contacted to determine how to qualify for or down-

load the pack.

ADMX Migrator

The ADMX Migrator tool, shown in Figure 19.16, allows administrators to take existing

ADM templates and migrate those settings to the new ADMX and ADML template format.

This tool is fully supported by www.fullarmor.com, the company that makes ADMX

Migrator. The tool creates both the ADMX and ADML files, and after they are created,

they can be copied to the PolicyDefinitions folder of a Windows Vista, Windows 7,

Windows Server 2008, or Windows Server 2008 R2 system or GPO central store in a test

Active Directory infrastructure for testing. Any ADMX/ADML files created using this tool

should be tested thoroughly before releasing to a pilot group or users or computers in

production.

ptg

19

FIGURE 19.16

Examining the ADMX Migrator tool.

Group Policy Log View (GPLogView)

GPLogview is a downloadable tool from Microsoft that allows administrators to monitor

or generate reports of GPO administrative and operational events in text, XML, and HTML

format. The tool can be run in monitor mode during a Group Policy refresh interval to

614

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

watch a live view of what the GPO processing is logging. GPLogView is available for

download but is not supported by Microsoft.

Event Viewer

Event Viewer for Windows 7 and Windows Server 2008 R2 includes several new event

logs, which now provide additional GPO logging events, similar to those shown in Figure

19.17. GPO logging now includes administrative GPO events, stored in the system log

with a source of “Group Policy,” and GPO operational events, stored in the “Applications

and Services Logs,” which is stored in Microsoft/Windows/GroupPolicy/Operational.

ptg

FIGURE 19.17

Examining the filtered event log.

GPO Administrative Events

The administrative events include the state of the GPO processing on a particular computer

or user, including high-level information detailing if GPO processing was successful or

failed. To view Group Policy administrative events, perform the following steps:

1. Log on to a designated administrative workstation running Windows Server 2008 R2.

2. Click the Start button.

3. Select All Programs.

4. Select Administrative Tools.

5. Double-click the shortcut for Event Viewer.

6. When Event Viewer opens, expand Windows Logs.

7. Right-click the System log and select Filter Current Log.

Policy Management Tools

615

8. In the middle of the filter windows, click the Event Sources drop-down list arrow.

9. Scroll down and check Group Policy and click back on the filter window to close the

menu.

10. Click OK at the bottom of the window to apply the filter.

11. Review the group policy events.

12. If the task is complete, close Event Viewer to clear the filter; otherwise, clear the

filter by right-clicking on the system log and selecting Clear Filter.

13. Close Event Viewer when you are finished.

GPO Operational Events

The GPO operational events include very granular detail of GPO processing. When GPO

processing occurs, the operational events are created almost one for one with each task

included within the GPO processing. This new logging functionality simplifies trou-

bleshooting GPO processing tremendously. To view the GPO operational events on a

Windows Server 2008 R2 system, perform the following steps:

1. Log on to a designated administrative workstation running Windows Server 2008 R2.

2. Click the Start button.

ptg

3. Select All Programs.

4. Select Administrative Tools.

5. Double-click the shortcut for Event Viewer.

6. When Event Viewer opens, expand Applications and Services Logs.

7. Expand Microsoft.

8. Expand Windows.

9. Expand Group Policy.

10. Select the Operational log beneath the Group Policy container and view the events

in the right pane.

11. Click on particular events to see the details.

12. Close Event Viewer when you are finished.

19

DFS Management

GPO files are stored in the Active Directory domain sysvol folder. GPO files in the sysvol

folder are replicated by the Distributed File System Replication service. The DFS

Management console enabled administrators to configure the replication options, includ-

ing scheduling and other DFS management tasks. The sysvol share is known as the domain

system volume and the replication of this volume follows the site link replication schedule.

More details about the DFSR service can be found in Chapter 28, “File System Management

and Fault Tolerance.” Changing or managing the domain system volume replication sched-

ule between domain controllers in the same Active Directory site is not an option.

616

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

Designing a Group Policy Infrastructure

Designing a Group Policy infrastructure requires a detailed understanding of the available

configuration settings available in Group Policy Objects. Chapter 27 details the available

settings administrators can configure with group policies and also covers some best-prac-

tice configurations. This section of the chapter covers the high-level steps required to

successfully plan and deploy a reliable Group Policy infrastructure.

Active Directory Design and Group Policy

A key to determining how to best design the Group Policy infrastructure is to first under-

stand how the Active Directory infrastructure is configured. The site, domain, and OU

design of an Active Directory infrastructure usually follows a few key elements, including

physical office locations, network connectivity, and delegation of administration, includ-

ing branch office management, separation of Active Directory management tasks, desktop

and server administration, and, of course, security and reliability.

Site Group Policy Links

Group policies can be linked to Active Directory site objects. There is no default site policy

created when Active Directory is first deployed. In the past, common uses of site-linked

ptg

group policies included settings related to networking and security configurations. Some

considerations for determining whether a GPO should be linked at a site should include

the following:

. Every object in a site, determined by the associated site subnet, will process the

policy, regardless of the domain the user or computer account is located in. Is this

the desired configuration?

. Does the site contain a domain controller in the domain in which the group policy

is created?

. Do any of the associated site subnets include networks across slow links or virtual

private networks? If so, changing the default values or disabling slow link detection

on the site policy might be required for proper processing.

. Is there a particular security requirement for the site that required a higher level of

enforced security or a required configuration or application?

Before a GPO can be linked to a site, the site will need to be added into the GPMC. To add

an Active Directory site to the GPMC and add a GPO link, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative server.

2. Open the Group Policy Management Console.

3. Right-click the Sites container and select Show Sites.

4. In the Show Sites window, click the Select All button or check the box next to the

site you want to add to the GPMC. Click OK to add the site(s) to the console.

5. In the tree pane, expand the Sites container, and right-click the desired site.

6. Select the Link an Existing GPO option.

Designing a Group Policy Infrastructure

617

7. In the Select GPO window, select the source domain from which you want to link

the GPO.

8. In the Group Policy Objects section of the window, select the desired GPO or GPOs,

and then click OK to create the link.

9. If necessary, configure the link settings for each new site link and then close the

GPMC.

Domain GPO Links

When Active Directory is deployed, two preconfigured, default group policies are created.

One is linked to the domain named the Default Domain Policy and the other is linked to

the Domain Controllers OU named the Default Domain Controllers Policy.

The Default Domain Policy contains the default security settings for the entire domain,

including account policies. As a best practice, use this policy only for managing the

default account policies for the entire domain. Any additional GPO settings that an orga-

nization would desire to apply to all users and/or computers, including domain

controllers, member servers, and client workstations, should be added to new Group

Policy Objects and linked at the domain level. The number of policies linked at the

domain level should be kept to a minimum to ensure quality Group Policy processing

performance for the organization.

ptg

Organizational Unit Links

Linking GPOs to organizational units is the most common use of GPO links. OU GPO

links provide the most targeted GPO application and granular administrative control of

the OU GPO–related tasks as well as the configuration and management of the objects

contained in the OU. The only way to get more granular on an OU GPO link is to apply a

security filter or a WMI filter on that particular GPO, but that would affect each GPO link