- SmartDeploy: Rethinking software deployment to remote workers in times of a pandemic - Thu, Jul 30 2020
- Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
- PolicyPak MDM Edition: Group Policy and more for BYOD - Tue, Oct 29 2019
The new infrastructure status report ^
When Group Policy doesn’t work as expected, the first tool in my arsenal is GPResult. In our previous article, we spent some serious time showing off the new reporting features. But if your client isn’t reporting the latest GPO, you would check your DC replication status. The tool of choice would probably be GPOTool. The GPOTool is limited though as it can only report on information gathered in the GPT.ini file.
Beginning with Windows 8, the GPMC natively provides this functionality plus much more! In the screenshot below, I ran a report immediately after creating a GPO.
After a short delay, all three domain controllers are in sync.
The Group Policy infrastructure status page shows the version details between Active Directory and SYSVOL. Because every GPO is made up of two parts: the Active Directory replicated Group Policy Container (GPC) and the SYSVOL stored Group Policy template (GPT). For a client to receive the latest GPO (even when an administrator manually runs a GPUpdate), the client’s domain controller must have the latest GPO. If a mismatch is suspected, an administrator could quickly check the status page and either allow for replication to occur or manually force a replication.
Further, an infrastructure status page can report access control list (ACL) mismatches and security information. To accurately report this information, the report gathers the appropriate ACL for all GPTs and GPCs in the domain.
In the Infrastructure Status report above, three domain controllers are out of sync.
Finally, the report displays the GPO count for each GPO. This information becomes especially useful for when a new GPO is created or an obsolete GPO is deleted. As a personal note, I did find it surprising that these reports cannot be scripted or scheduled. With Microsoft’s continual push for PowerShell, this seems like a glaring omission.
First introduced with Windows Server 2008 as an optional download, starter GPOs have continued to expand. With Windows 8/Server 2012, a starter GPO for firewall configuration has been created. This starter GPO is named Group Policy Reporting Firewall Ports and opens all of the ports and network traffic types needed to run a remote Resultant Set of Policy (RSoP). As a best practice, Microsoft recommends creating a new GPO from this starter GPO and linking it to the “domain at a higher precedence than the Default Domain GPO”.
The two new Starter GPOs in Windows Server 2012
To take advantage of the new remote GPUpdate ability, another starter GPO named Group Policy Remote Update Firewall Ports is created by default.
A starter GPO showing the ability to configure Windows Firewall settings under Security
Rethinking Sign-Ins ^
As the traditional clear boundary network continues to erode, more flexibility was needed with the processing of network intensive Client Side Extensions (CSEs). As 4sysops recently featured, Windows 8 can make heavy use of mobile networks. Combine that with DirectAccess and end users could be particularly frustrated with certain GPOs!
To control this, Administrators can set “Configure Group Policy slow link detection”. If needed, an administrator can further mandate that all WWAN connections be treated as a slow link. This setting can be found here: Computer Configuration\Policies\Administrative Templates\System\Group Policy.
Always treat WWAN connections as slow link
Internet Explorer 10 ^
In the previous post, we detailed the depreciated features within Group Policy. The most notable item was the removal of Internet Explorer Maintenance. To help compensate for this, Windows 8 includes both Administrative Templates and Group Policy Preferences for Internet Explorer 10.
Two specific settings worth mentioning are:
- Install new versions of Internet Explorer automatically
- Always send Do Not Track headers
It is nice to see the IE Administrative Templates nearly mirrored with IE GPPs. And while it is true that one could easily edit the XML for IE9 GPPs to ensure compatibility with IE10, it is great to see Microsoft offering to keep both IE management tools in sync.
Creating an Internet Explorer 10 preference item