Following up on our first article about Windows 8 Group Policy changes, this post will cover Infrastructure status changes, new Starter GPOs, sign in changes, and IE 10 Management within Group Policy.

The new infrastructure status report ^

When Group Policy doesn’t work as expected, the first tool in my arsenal is GPResult. In our previous article, we spent some serious time showing off the new reporting features. But if your client isn’t reporting the latest GPO, you would check your DC replication status. The tool of choice would probably be GPOTool. The GPOTool is limited though as it can only report on information gathered in the GPT.ini file.

Beginning with Windows 8, the GPMC natively provides this functionality plus much more! In the screenshot below, I ran a report immediately after creating a GPO.

Windows 8 Group Policy - Replication delay

After a short delay, all three domain controllers are in sync.

The Group Policy infrastructure status page shows the version details between Active Directory and SYSVOL. Because every GPO is made up of two parts: the Active Directory replicated Group Policy Container (GPC) and the SYSVOL stored Group Policy template (GPT). For a client to receive the latest GPO (even when an administrator manually runs a GPUpdate), the client’s domain controller must have the latest GPO. If a mismatch is suspected, an administrator could quickly check the status page and either allow for replication to occur or manually force a replication.

Further, an infrastructure status page can report access control list (ACL) mismatches and security information. To accurately report this information, the report gathers the appropriate ACL for all GPTs and GPCs in the domain.

Windows 8 Group Policy - Replication status report

In the Infrastructure Status report above, three domain controllers are out of sync.

Finally, the report displays the GPO count for each GPO. This information becomes especially useful for when a new GPO is created or an obsolete GPO is deleted. As a personal note, I did find it surprising that these reports cannot be scripted or scheduled. With Microsoft’s continual push for PowerShell, this seems like a glaring omission.

Starter-GPOs ^

First introduced with Windows Server 2008 as an optional download, starter GPOs have continued to expand. With Windows 8/Server 2012, a starter GPO for firewall configuration has been created. This starter GPO is named Group Policy Reporting Firewall Ports and opens all of the ports and network traffic types needed to run a remote Resultant Set of Policy (RSoP). As a best practice, Microsoft recommends creating a new GPO from this starter GPO and linking it to the “domain at a higher precedence than the Default Domain GPO”.

Windows 8 Group Policy - Starter GPOs

The two new Starter GPOs in Windows Server 2012

To take advantage of the new remote GPUpdate ability, another starter GPO named Group Policy Remote Update Firewall Ports is created by default.

Windows 8 Group Policy - Group Policy Remote Update Firewall

A starter GPO showing the ability to configure Windows Firewall settings under Security

Rethinking Sign-Ins ^

As the traditional clear boundary network continues to erode, more flexibility was needed with the processing of network intensive Client Side Extensions (CSEs). As 4sysops recently featured, Windows 8 can make heavy use of mobile networks. Combine that with DirectAccess and end users could be particularly frustrated with certain GPOs!

To control this, Administrators can set “Configure Group Policy slow link detection”. If needed, an administrator can further mandate that all WWAN connections be treated as a slow link. This setting can be found here: Computer Configuration\Policies\Administrative Templates\System\Group Policy.

Windows 8 Group Policy - Always treat WWAN connections as slow link

Always treat WWAN connections as slow link

Internet Explorer 10 ^

In the previous post, we detailed the depreciated features within Group Policy. The most notable item was the removal of Internet Explorer Maintenance. To help compensate for this, Windows 8 includes both Administrative Templates and Group Policy Preferences for Internet Explorer 10.

Group Policy for IE 10 contains almost 1,500 individual settings! To put that into perspective, Windows 2003 SP2, XP XP3, and Windows 2000 SP4 combined have just over 1,600!

Two specific settings worth mentioning are:

  • Install new versions of Internet Explorer automatically
  • Always send Do Not Track headers

It is nice to see the IE Administrative Templates nearly mirrored with IE GPPs. And while it is true that one could easily edit the XML for IE9 GPPs to ensure compatibility with IE10, it is great to see Microsoft offering to keep both IE management tools in sync.

Windows 8 Group Policy - Creating an Internet Explorer 10 preference item

Creating an Internet Explorer 10 preference item


Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2021


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account