GPOs in Windows Server 2008 & Windows Vista: What is new?
Luc HALBARDIER, Senior IT Consultant, MCSE – MCTS IT Pro - MCT

Upload: luis-styles

Post on 01-Apr-2015


Page 2: Summary of the key new functionalities in GPOs

Management tools
• GPOE & GPMC
• Group Policy Preferences

Group Policy Service
• GP shared service
• More stable and strengthened service

Group Policy Templates
• New format for the templates (ADMX, ADML)

Network Location Awareness (NLA)
• The NLA service delivers the network information
• Applications can interface with or query NLA to get information about the network state

Group Policy Logging
• Admin log
• Applications and Services Logs
• Event log is XML-based
• New tool: GPLogView

Group Policy Central Store
• Central store for ADMX files

Improvements in GPOs
• Multiple Local GPOs

Group Policy Settings
• More than 800 new policies in Vista
• GP extensions for the new Vista capabilities

[Diagram: Group Policy components in Windows Vista and Windows Server 2008. Labels: NLA; ADM and ADMX templates; GPOs; LGPO (Admin, User, Admin/Non-Admin user GP); local computer policy; DC; FRS/DFS-R; SysVol containing Policies, GPO GUID folders, ADM files, and PolicyDefinitions with ADMX and ADML files.]

Page 3: Multiple Local GPOs

• Increased granularity in managing local policies
  • E.g. easy distinction between admin and non-admin users
• Execution sequence
  • Local Policy (user and computer parts): secpol.msc
  • Local GPOs admin/non-admin (user parts only): MMC | Add-remove snap-in | Group Policy Object Editor | select group
  • Local GPOs user-specific: MMC | Add-remove snap-in | Group Policy Object Editor | select user
• Local GPOs still apply before domain GPOs and thus have lower priority

Page 4: Network detection

• Improved network bandwidth detection
  • NLA vs. ICMP/PING
• Policy update for users and systems depends on DC availability
• New scenarios
  • VPN session
  • Recovering from hibernation
  • Long disconnected session…

Page 5: New Journaling functionalities

• Based on Windows Eventing
• 2 new event logs
  • “Windows Logs”
  • “Applications and Services Logs”
• Filters, tasks
• New tools
  • GPLogView
  • GPInventory

Page 6: Additional New Stuff

• More than 800 new GPOs and additional categories to organize them
• Search & Filters in GPOs
  • On title, explanatory texts, comments, managed policies, platform…
  • Alphabetic listing of all GPOs
• Comments
  • Annotate GPOs or annotate settings
• Starter GPOs
  • Predefined scenarios/Best practices
  • Recommended settings
  • Basis for the creation of new GPOs

Page 7: ADMX Administrative Template Files

• XML-based policy definition files
• Central store of ADMX files
• Manage both ADMX and ADM files
• Convert ADM files to ADMX format
• Multilanguage support: ADML

Page 8: Creating the Central Repository

• Reduces the size of the Sysvol folder and reduces replication traffic between DCs
• Does not require Windows Server 2008 DCs, works with Windows Server 2003/R2
• Needs to be manually created: %systemroot%\sysvol\domain\policies\PolicyDefinitions
• Next, copy the ADMX and ADML files from the following location on a Windows Server 2008 computer: %systemroot%\policyDefinitions
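
The procedure above as a PowerShell script, added here as an example and not part of the original slides. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated session on a domain controller; the hash comparison and the ACL listing go beyond the slide's two steps, and the variable names are illustrative.

```powershell
# Added example (not from the slides): build the ADMX Central Store and verify the copy.
# Assumptions: PowerShell 4.0+ and an elevated session on a domain controller.
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = Join-Path $env:SystemRoot 'sysvol\domain\policies\PolicyDefinitions'

if (-not (Test-Path -LiteralPath $source)) { throw "Source folder not found: $source" }

# The Central Store has to be created by hand; do it only if it is missing.
if (-not (Test-Path -LiteralPath $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

# .admx files sit in the root, .adml files in per-language subfolders (for example en-US).
$files = @(Get-ChildItem -Path $source -Recurse | Where-Object {
    -not $_.PSIsContainer -and ($_.Extension -eq '.admx' -or $_.Extension -eq '.adml')
})

$problems = @(foreach ($file in $files) {
    $relative  = $file.FullName.Substring($source.Length).TrimStart('\')
    $target    = Join-Path $store $relative
    $targetDir = Split-Path -Parent $target
    if (-not (Test-Path -LiteralPath $targetDir)) {
        New-Item -ItemType Directory -Path $targetDir | Out-Null
    }
    Copy-Item -LiteralPath $file.FullName -Destination $target -Force

    # Compare hashes so a truncated or altered template is noticed before it replicates.
    $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { "Hash mismatch: $relative" }
})

'{0} template file(s) processed, {1} problem(s)' -f $files.Count, $problems.Count
$problems

# Templates in the store are loaded by every administrator's policy editor,
# so review which identities are allowed to modify the folder.
(Get-Acl -LiteralPath $store).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```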

Page 9: Group Policy Preferences

• Ex-PolicyMaker (DesktopStandard)
• Windows Server 2008 and RSAT
• Extends the number of settings
• [Greatly] extends the number of functionalities
• Rich & easy to use interface
• You will no longer live without it!

Page 10: Group Policy Preferences

• Improves IT productivity
• Reduces need for logon scripts
• Limits configuration errors
• Enhances end-user satisfaction
• Minimizes image maintenance
• Reduces overall image count

Page 11: Preferences vs. Policy Settings

Enforcement
  Group Policy Preferences:
    • Preferences are not enforced
    • User interface is not disabled
    • Can be refreshed or applied once
  Group Policy Settings:
    • Settings are enforced
    • User interface is disabled
    • Settings are refreshed

Flexibility
  Group Policy Preferences:
    • Easily create preference items for registry settings, files, and so on
    • Import individual registry settings or entire registry branches
  Group Policy Settings:
    • Adding requires application support and creating administrative templates
    • Cannot create policy settings to manage files, folders, and so on

Local Policy
  Group Policy Preferences:
    • Not available in local Group Policy
  Group Policy Settings:
    • Available in local Group Policy

Awareness
  Group Policy Preferences:
    • Supports non-Group Policy-aware apps
  Group Policy Settings:
    • Requires Group Policy-aware applications

Storage
  Group Policy Preferences:
    • Original settings are overwritten
    • Removing the preference item does not restore the original setting
  Group Policy Settings:
    • Original settings are not changed
    • Stored in registry Policy branches
    • Removing setting restores original settings

Targeting and Filtering
  Group Policy Preferences:
    • Targeting is granular, with a user interface for each type of targeting item
    • Supports targeting at the individual preference item level
  Group Policy Settings:
    • Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries
    • Supports filtering at a GPO level

User Interface
  Group Policy Preferences:
    • Provides a familiar, easy-to-use interface for configuring most settings
  Group Policy Settings:
    • Provides an alternative user interface for most policy settings

Page 12: Group Policy Preferences Settings

• Create: Create dynamic drive mapping to network share
• Replace: Delete and recreate mapped drive
• Update: Modify settings of an existing mapped drive
• Delete: Delete mapped drive or mapped drives

Page 13: Examples of Preferences

• Drive Maps
• Environment
• Files
• Folders
• .INI
• Network shares
• Registry
• Shortcuts
• Data source
• Devices
• And much much more!!!

Page 14: Interoperability

• New GPOs created from Vista/2008 can only be managed from GPMC on Vista/2008.
• You can use GPMC on Vista/2008 to manage all GPOs, including older ones created on XP/2003.
• GPMC on Vista/2008 can be used to work with previous ADM files.
• Vista SP1 removes GPMC; to get it back, install RSAT: http://support.microsoft.com/kb/941314
• Group Policy preferences updates for XP/2003/Vista: http://support.microsoft.com/kb/943729

Page 15: Advanced Group Policy Management

• Ex-GPOVault (DesktopStandard)
• MDOP component
• Functionalities
  • Offline Editing, Check In/Out
  • Version control; History, Roll-back
  • Delegation, workflows, notifications
  • Audit
  • Reports (differential reports between GPOs, between versions, between states…)

Page 16: Scripting and the GPMC

http://go.microsoft.com/fwlink/?LinkId=109520

Page 17: Scripts for Managing Group Policy

• Make Cscript.exe default scripting host
• Lib_CommonGPMCFunctions.js should be in same location as scripts
• Import and export GPOs
• Copy and paste GPOs
• Back up and restore GPOs
• Search for existing GPOs
• Group Policy Modeling
• Group Policy Results
• Support for migration tables
• Reporting capabilities

Page 18: GPMC Interfaces

• IGPMGPO interface
  • CopyTo
  • GenerateReport
• IGPMRSOP interface
  • CreateQueryResults
  • GenerateReport

http://msdn.microsoft.com/en-us/library/aa814147(VS.85).aspx

Page 19

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

“Thank you for your attention”
Luc