using group policy with windows and windows server 2008
DESCRIPTION
CLI331. Using Group Policy with Windows and Windows Server 2008. Mazhar Mohammed Development Manager Derek Melber DesktopStandard. Session Objectives and Agenda. New features in Windows Vista Multiple Local GPOs Network Awareness ADMX Files Improved Logging. - PowerPoint PPT PresentationTRANSCRIPT
CLI331
Using Group Policy with Windows and Windows Server 2008
Mazhar MohammedDevelopment ManagerDerek MelberDesktopStandard
New features in Windows Vista Multiple Local GPOs Network Awareness ADMX Files Improved Logging
Coming in Windows Server 2008 Filters Comments Starter GPOs
So, what about those DesktopStandard products? GPOVault PolicyMaker
Session Objectives and Agenda
Breakout SessionsCLI331: Using Group Policy with Windows Vista and Windows Server 2008 – Mark Williams (Wed 10:15am – 11:30am, Thu 1:00pm – 2:15pm)CLI316: Microsoft Desktop Optimization Pack: Advanced Group Policy Management – Derek Melber and Winni Verhoef (Tue 4:30pm – 5:45pm)CLI405: Deep Dive Into Windows Vista Group Policy Changes and Troubleshooting – Jeremy Moskowitz (Tue 8:30am – 9:45am, Thu 9:45am – 11:00am)
Chalk TalkCLI103-TLC: ADMX File Creation and Management - Judith Herman (Wed 3:45pm – 5:00pm)
Hands on LabCLI13-HOL: Managing Windows Server 2008 and Windows Vista using Group Policy – Self Study lab, throughout the weekCLI13-ILL: Managing Windows Server 2008 and Windows Vista using Group Policy – Gary Dunlop (Tue 10:15am – 11:30am, Wed 8:30am – 9:45am)
Lots of Group Policy Content This Week…
Group Policy Before Windows Vista
Heavily used…Majority of enterprise customers actively use Group PolicyAround 1,800 policy settings in Windows XP
But…Group Policy process was part of WinlogonPolicy setting coverage wasn’t great and missed some important business scenariosManaging ADM files was “interesting”Limited awareness of changing network conditionsLimited flexibility with a single local GPOTroubleshooting Group Policy was not a joyful experienceNeed to find settings? “Where is that spreadsheet?”
Group Policy ToolsNew GPOE & GPMC ToolsUse consistent versions!
Group Policy ServiceGP now runs in a shared serviceHardened Service, more reliable
Group Policy TemplatesADM Templates now in ADMX files (ADMX, ADML)
Network Location Awareness (NLA)
NLA service provides the latest network informationApplications can query or register with NLA for network change indications
Group Policy LoggingAdministrative logApplications and Services logXML based event logsNew Tools - GPOLogView
Group Policy Central StoreCentralized repository for ADMXContains all ADMX templatesCreated in the Sysvol on DC in each domain
Group Policy Enhancements
Multiple Local GPOs
Group Policy SettingsOver 800 new policy changes with Windows VistaExtended GP for new Windows Vista features
NLA
Windows Vista/Windows Server 2008
ADM ADMX
LGPO’s
LGPO
Admin
UserUser Specified Group Policy
Admin/Non-Admin Group Policy
Local Computer Policy
DC
FRS/DFS-R
SysVol
ADMXADML
+ Policies++
GUIDADM
Policy DefinationsADMX, ADML Files
+
A Summary of New Features in Windows Vista
Multiple Local GPOs
More granular management of the local machine (for example differences for admin and non-admin users)Local GPOs still lower precedence than domain-based GPOs!Processed in the following order (least precedence first)
Local Policy Object (as before Windows Vista and always exists)Processes both computer and user policy
Admin/Non-Admin LGPOs (optionally created by admin)Mutually exclusive for any one userProcesses only user policy
Specific User LGPO (created by admin)Local user accountsProcesses only user policy
Create/Manage LGPOs through GPEdit.mscNew policy in Windows Vista to turn off LGPO processing (only available for domain-joined machines - think about it!)
Network Awareness
Slow Link DetectionUsed to be based on ICMP/PINGNow uses NLA (no reliance on ICMP/PING)
Policy RefreshWhen a DC is detected, NLA tells GP it can refresh
If refresh did not occur within last interval, GP will automatically updateIf refresh did occur during last interval, GP will not refresh (waits for next scheduled refresh)
When DC is not responsive, policy processing fails and uses the same state as last successful application
Now responsive to VPN sessions being established
Improved Group Policy Logging
New logging based upon Windows EventingTwo new logs
“Windows Log”“Applications and Services Log”
Administrative events are created in the System log with “Group Policy” as the event source nameApplications and Services Log: stores operational events Replaces userenv.log troubleshooting fileNew Event View options to report, filter and create customised log viewsGPLogView Tools
Allows export to XML for event loggingReal-time logging
DEMOUsing Multiple LGPOs and Viewing Group Policy Logs
From ADM to ADMX/L
Why move away from ADM files?Language independenceSysvol bloatEase of use (ADM “language”)
So, what did we do?Introduced ADMX and ADML filesIntroduced the ADMX Central StoreMoved to XML
Language Independence
ADM files include strings for a single languageBy comparison, with ADMX files:
One ADMX file is associated with one or more ADML (Language) filesADMX files sit in the policydefinitions “root,” with ADML files in language-specific subdirectoriesAdding support for a language means adding an ADML file
Sysvol Bloat
Before Windows Vista, when you create a GPO an ADM subdirectory is created in the GPO automatically (Sysvol)If you merely view a GPO which does not have the ADM directory, it is recreatedThe ADM subdirectory includes five ADM files, totaling about 3.5 MB100 GPOs? That’s about 350 MB of data, replicated to all DCs. That’s Sysvol Bloat!
ADMX, ADML Files and the Central Store
The Central Store is a domain-wide directoryIn Sysvol at \Policies\PolicyDefinitionsStores ADMX files (normally one per component)One subdirectory for each supported language (en_us, fr, etc.), each storing ADML files
If the Central Store exists, Windows Vista tools use it for locating ADMX/ADML filesIf the Central Store does not exist, Windows Vista tools use their local policydefinitions directory
Interop
Can manage all Group Policy operating systems
Windows Vista and Windows Server 2008
Windows XP, Windows Server
2003 and Windows 2000
Can manage
Windows XP Windows Server 2003 Windows 2000
Can not manage
Windows Vista Windows Server 2008
DEMOCreating The Central Store(SysVol Bloat And How To Avoid it)
Things You Should Know About ADMX Files
Neither ADMX files or the central store have any dependency on Windows Server 2008 (works fine with Windows Server 2003, Windows 2000 and Windows Server 2008 domains). It’s just a directory!Windows Vista machines:
Use Local ADMX files if the Central Store is not created orUse the Central Store if it exists, ignoring local ADMX files
Windows Vista will consume any custom ADM files found in a GPO, but ignores the system ADM filesADMX files can be stored in the Central Store but not in individual GPOs; you can still add ADM files to a GPO
Coming in Windows Server 2008
Search/Filters: Constrain list of settings based on…
Text search of setting title, explain text and commentsPlatform and applications “supported on”Managed (true GP policy setting)Configured (enabled or disabled)Results of search is a filtered view in the editor
Comments: Annotate per GPO or per setting
Coming in Windows Server 2008
Starter GPOs:Encapsulate of best practices/scenariosContain recommended policy settings and valuesMicrosoft will make some available for downloadAnyone can create and share new custom templatesCreate new GPOs based on a Starter GPO
DEMOFilters, Comments and Starter GPOs
PolicyMaker Functionality
Greatly extends number of settingsComputer/user settingsControl Panel/Windows settings
New functionality for new settingsRich UI for easier administrationSettings-level filteringComments
We are considering how and when to integrate into Windows
Shortcuts
Windows Settings include:
PolicyMaker Settings Examples
Drive Mapping Folders Registry
Control Panel includes:
Folder Options Local Users and Groups
Scheduled Tasks
Advanced Group Policy Management
Previously DesktopStandard GPOVaultVersion 2.5 released in July as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance customersKey Features
Offline EditingCheck In/OutVersion ControlRole-based DelegationDifference Reports (between GPO versions, archived vs. deployed)
DEMOAdvanced Group Policy Management and What-Was-PolicyMaker
Helpful ResourcesLink to Group Policy TechNet page http://www.microsoft.com/technet/grouppolicy
Deploying Group Policy Using Windows Vista http://go.microsoft.com/fwlink/?LinkId=77080
Group Policy Wikihttp://grouppolicy.editme.com
Group Policy Team Bloghttp://blogs.technet.com/grouppolicy
Group Policy Settings Reference Windows Vista http://go.microsoft.com/fwlink/?LinkId=54020
Step-by-Step Guide to Managing Multiple Local Group Policy Objects http://go.microsoft.com/fwlink/?LinkId=73434
How to troubleshoot Group Policy using Event logs http://go.microsoft.com/fwlink/?LinkId=74139
ResourcesTechnical Communities, Webcasts, Blogs, Chats & User Groupshttp://www.microsoft.com/communities/default.mspx
Microsoft Developer Network (MSDN) & TechNet http://microsoft.com/msdn http://microsoft.com/technet
Trial Software and Virtual Labshttp://www.microsoft.com/technet/downloads/trials/default.mspx
Microsoft Learning and Certificationhttp://www.microsoft.com/learning/default.mspx
Q&A
Want to know more about Microsoft System Center?
Come to the Yellow TLC area (MGT) and see the Microsoft System Center product family
Complete an evaluation on
CommNet and enter to win!
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.