Windows 8 Group Policy changes – Part 1

Group Policy received some major attention with Windows 8. This series in three parts covers the new additions, changes in reporting, and the removed features.

Joseph MoodyMVP By Joseph Moody - Fri, October 5, 2012 - 0 comments google+ icon

Joseph Moody is an admin for a public school and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Software Packaging, Distribution, and Servicing. He blogs at DeployHappiness.com.

Group Policy is the life blood of all Windows Administrators. One can easily make the argument that Group Policy is what separates Microsoft’s desktop operating systems from any rival. With Windows 8, Group Policy underwent some small changes and one major alteration. Using and understanding these changes will help ensure success in your environment.

Group Policy and PowerShell

Not only did Microsoft streamline the installation of the RSAT tools by enabling all tools by default but they also included the Group Policy PowerShell cmdlets by default. The 26 cmdlets include all of the basic automation tasks for an administrator. Although most of these cmdlets existed before, Microsoft merged and added to the fold. For those without Advanced Group Policy Management, the Backup-GPO and Restore-GPO will be especially useful.

Overtime, the Group Policy infrastructure can become very complicated. By using Get-GPInheritance and get-GPPermission, an administrator can unravel this complexity. Commands for setting and removing preferences and registry based settings allow for the mass migration of certain GPO settings. For example, an organization with many sites could migrate from Internet configurations set by Preferences to a configuration maintained by registry (ADMX) settings. The complete list of cmdlets is available here.

The Group Policy module within PowerShell ISE

The Group Policy module within PowerShell ISE

Remote GPUpdate

There are several remote GPUpdate tools available. One of my favorite tools is SPECOPS GPUpdate. If you have ever used this tool, you will see that a GPUpdate command is added to Active Directory Users and Computers (ADUC). While this is helpful, one doesn’t edit GPOs in ADUC. So after editing a GPO linked to a certain OU within GPMC, I then have to navigate to that OU in within ADUC. No more! Right clicking on any OU (within GPMC) will allow you to execute a remote GPUpdate. So that issues do not occur, this GPUpdate will run within a 10 minute refresh interval. As a note, this option doesn’t appear when right clicking on the domain.

Remote GPUpdate

Remote GPUpdate

A remote GPUpdate can also be issued with the new Invoke-GPUpdate Cmdlet. Although it isn’t as clear cut as right clicking an OU, you can eliminate the delay in minutes. In the example below, all computers in the Accounting OU will run a GPUpdate immediately.

Get-ADComputer –filter * -Searchbase “ou=Accounting, dc=Contoso,dc=com” | foreach{ Invoke-GPUpdate –computer $_.name –force –-RandomDelayInMinutes 0}

Additional information can be found here. The Invoke-GPUpdate works by creating a scheduled task on the remote computer.

The ten minute time is set in the Trigger portion of the task

The ten minute time is set in the Trigger portion of the task.

 Group Policy Results

The reporting engine for Group Policy has certainly come a long way, especially remembering that the dedicated Group Policy service is just a few years old. With Windows 8, Microsoft added the following information to a Group Policy report:

  • The connection link type (slow or fast)
  • The status of inheritance (blocked or unblocked)
  • The status of loopback (disabled, enabled in merge mode, enabled in replace mode)
  • The processing time and status of each Client Side Extension (CSE)
  • Special alerts for GPOs with certain components disabled or mismatched

The excerpt above highlights certain GPOs meeting a special alert

The excerpt above highlights certain GPOs meeting a special alert.

 When a specific CSE, such as Software Installation or Group Policy File Preferences, fail, a Group Policy report will show detailed event log information on that CSE.

And when Group Policy infrastructure fails, everything fails

And when Group Policy infrastructure fails, everything fails.

Honor the fallen

Several components within Group Policy have been removed:

  • NetMeeting Administrative Templates
  • Ability to send a message/email with an Immediate Task
  • Internet Explorer Maintenance

I doubt if the first one will be missed. The second one can mostly be substituted. The third one seems to still be widely used; mainly because it continues to work. Organizations can use the GP search feature to find GPOs containing IE Maintenance settings. To find suitable replacements for certain IE Maintenance settings, see this article.

In my next post I will discuss more changes in Windows 8 Group Policy.

-1+1 - Rate this post
Loading ... Loading ...
Disclaimer
Your question wasn't answered? Please ask in the new 4sysops forum!
Please share your thoughts in a comment!

Login

Lost your password?