Group Policy 2008 Features: I will discusses about the Group policy changes in windows 2008 server, Microsoft have made some of interesting changes and added new features in Group Policy 2008, first I will list the features and explain one by one
• New Administrative template files (ADMX)
• New Policy settings
o Power options
o Block device installation
o Improved security settings
o Internet Explorer settings management
o Assign printers based on location
o Delegate printer driver installation to users
• Group Policy slow link detection
• SYSVOL replication change
• SYSVOL uses DFS Replication service to replicate Group Policy object files to other domain controllers (In windows server 2003 uses FRS to replicate this)
Am very interested about the below changes because I have faced several issues related to this in windows 2003 group policy
• Group Policy slow link detection
• Internet Explorer settings management
• Blocking device installation
• SYSVOL replication change
New Administrative template files (ADMX)
In windows server 2003 and earlier versions, ADM file used to store registry based GPO settings, In Windows server 2008 ADMX file used to store registry based GPO settings, it’s a XML based and easy to manage registry based policy settings
ADMX format support Multilanguage, centralized datastore, and version control capabilities, policy can be edited in other language that was created in English language because Group Policy tools will adjust the user interface according to the administrator’s configured language, you can also create a Central Store for Group Policy Administrative Templates to reduce the disk space, see article in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=122539)
New Policy settings
Power options: Now you can configure the power option through group policy
Configure power option through GPO:
Computer Configuration ->Administrative Templates -> System -> Power Management
Block device installation: In windows 2003 to block the device assess like USB and CD drive we have to import the customized ADM file, in windows 2008 it’s inbuilt yes now you can configure he device access through group policy
Configure Block device installation through GPO:
Computer Configuration ->Administrative Templates -> System -> Device Installation
Improved security settings: IPsec & firewall setting are combined to provide the enhanced security and avoid policy duplication
Configure security settings through GPO:
Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advance Security
Internet Explorer settings management: We had an issue like some one edited the GPO to update the trusted sites and we have lost entire IE configuration because he used a different account to change the group policy, it’s a known concern in Windows server 2003 because Internet Explorer policy settings would change based on the policy settings enabled on the administrative workstation used to view the settings.
In windows 2008 this behavior has been changed, you can change the Internet Explorer policy settings without affecting the policy configuration
Configure Internet Explorer settings through GPO:
Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer
User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer
Click here to Configuring trusted website and activex settings for IE7 or Vista and later versions using group policy
Assign printers based on location: Install the network printer based on the user location, it’s very useful for the roaming user because if the user login to the network other then the base location GPO will install the printer for the new location.
Assign printers based on location through GPO:
Computer Configuration -> Windows Settings -> Deployed Printers
User Configuration -> Windows Settings ->Deployed Printers
Delegate printer driver installation to users: Now user can install the printer on there system without admin access, it helps to reduce the security risk and admin effort.
Delegate printer driver installation through GPO:
Computer Configuration -> Administrative Templates -> System -> Driver Installation
Group Policy slow link detection
This was a big problem in windows server 2003 because it uses the ICMP ping to detect the network bandwidth, some of the VPN sites ICMP ping might be disabled in firewall or the MTU size would be less then the required limit and also ping will increase the network traffic to overcome this problems Microsoft come up with solution called NLA (Network Location Awareness)
Network Location Awareness is a service on client computer, it provide necessary information about the network and GPO uses this to apply the policy settings, most important it’s not using ICMP ping and very efficient compare to earlier process in Windows 2003, Check Group Policy Processing over Slow Links for Windows server 2003
SYSVOL Replication
In windows server 2003 FRS (File replication service) has been used to replicate SYSVOL folder changes, in windows server 2008 you can use the DFS (Distributed File System) to replicate changes on the SYSVOL folder, to use this feature you should have Windows Server 2008 domain functional level that means all the domain controller has to be Windows Server 2008
If any changes in SYSVOL share, FRS replicate the entire file unlike the DFS, DFS only replicate the change in the file, sounds like a attribute level Active Directory replication, it compare the source and destination file using remote differential compression (RDC)
If you are migrated from windows 2003 to windows server 2008, FRS is the default replication service for SYSVOL replication, you have to migrate the SYSVOL share to use the DFS
Compare to earlier version Group Policy settings has increased from approximately 2,400 in Windows Server 2008 to optimize the environment and support new features, more info from technet