Windows Vista introduced many new features, but
Windows Server 2008 offers a few more. These features allow for easier
management and configuration of Group Policy settings and will change
the way you work with Group Policy in Windows Server 2008.
Filters
If you have ever tried
to decipher the myriad settings in a GPO while trying to troubleshoot a
problem, you know that it is a difficult task. There have been very few
options for filtering the thousands of potential settings in a GPO,
until now. Windows Server 2008 introduces an entire platform for
searching and filtering the settings in a GPO. Of course, it includes
the obvious search options, such as title text, explanation text, and
comments, as shown in Figure 1.
Additional
options also allow you to search based on operating system platform
support. With so many iterations of Group Policy, it is important to be able to identify which settings work on which operating system versions.
Another option
for searching is based on the application and version supported. With
the variety of versions of Microsoft Internet Explorer and Microsoft
Office in use, it is important to know which versions the Group Policy
settings will affect.
The filtering capability applies only to the Administrative Templates
area in a GPO, the area that handles registry modifications. The filter
can distinguish managed (policies) settings from unmanaged
(preferences) settings. These two types of registry settings differ in
how they are applied and controlled, so it is useful to be able to search
for settings by category.
Finally, you can filter
settings based on whether they are disabled or enabled. This is
important when working with the new Group Policy Preferences settings.
Each of these configurations allows the individual setting to be either
enabled or disabled. The filter lets you quickly see which settings in
the GPO have been configured by administrators, which helps with
both troubleshooting and management. Figure 2
illustrates how filtering settings based on their enabled or disabled
status can make your administrative efforts more efficient.
Starter GPOs
You
now have another tool in your toolkit if you are the lead GPO
administrator or responsible for those who create GPOs in your
environment. The new Starter GPOs provide an excellent way for you to
create a baseline of settings within an off-line “Starter” GPO, which
then can be copied to create a new GPO. The new GPO will contain all of
the configurations and comments that were created in the Starter GPO.
The one small drawback to
the use of Starter GPOs is that they can contain only Administrative
Template settings. This is a bit limiting, but the ability to create a
baseline of settings that can then be copied to create new GPOs is
beneficial nonetheless. A sample Starter GPO is shown in Figure 3.
Note
If you want to create baseline GPOs that contain settings from any portion
of a GPO, you can use AGPM. AGPM allows you to create GPO templates,
which are in essence Starter GPOs that contain all areas of a GPO.
Another benefit of
Starter GPOs is the ability to include them in your RSoP analysis. This
gives you an inside look at the settings in the Starter GPO with regard
to how they will interact with other GPOs that might have conflicting
settings.
Commenting
Changes
to Group Policy objects can have a significant impact on the computers
in the environment. A single change to a Group Policy setting can affect
all computers in your company. With such a powerful tool as Group
Policy, some mechanism had to be developed to help maintain a
documentation system for changes that occur to GPO settings.
One of those mechanisms is
the ability to add comments to every GPO as a whole, as well as every
GPO setting individually. This provides a more global and comprehensive
way to track changes that occur to GPOs and their settings.
It is common for GPOs to receive quick changes that fix an exploit on a
computer and need to be deployed quickly. For example, an exploit might
occur that an Internet Explorer setting or a custom registry entry fixes.
Changes like these usually occur quickly and without any documented
reasoning, and administrators who perform future audits or analysis are
left wondering why the change occurred.
With commenting, all
changes are tracked immediately when the modification to the GPO occurs.
This provides a very detailed trail of the changes that occur to a GPO
throughout its life cycle. Figure 4 shows some sample comments.
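One way to audit for the undocumented quick changes described above, as an added example that is not part of the original article. It assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT on Windows Server 2008 R2 and later, not the original Windows Server 2008 release), uses a hypothetical helper name, Get-UncommentedGpo, and checks only the GPO-level comment, which the module exposes as the Description property.

```powershell
# Added example: list recently modified GPOs that carry no GPO-level comment.
# Assumes the GroupPolicy module (GPMC/RSAT, Windows Server 2008 R2 or later).
Import-Module GroupPolicy

function Get-UncommentedGpo {
    # Hypothetical helper name, not a built-in cmdlet.
    param(
        [int]$Days = 30   # look-back window for recent modifications
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    Get-GPO -All |
        Where-Object {
            # Description holds the text shown on the GPO's Comment tab.
            # Cast to string so a null comment is treated like an empty one.
            $comment = ([string]$_.Description).Trim()
            ($_.ModificationTime -ge $cutoff) -and ($comment.Length -eq 0)
        } |
        Sort-Object ModificationTime -Descending |
        Select-Object DisplayName, Id, Owner, ModificationTime, GpoStatus
}

# GPOs changed in the last 30 days with no recorded reason at the GPO level.
Get-UncommentedGpo -Days 30 | Format-Table -AutoSize
```

Comments attached to individual settings are not covered by this check and still have to be reviewed in the Group Policy Management Editor.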
Not all comments
are created equal, though. The comments that are added to a new Starter
GPO (at the GPO level) are not saved when a new GPO is created from that
Starter GPO. The comments that are associated with the settings within
the Starter GPO are copied and carried along to the new GPO.
The
commenting mechanism is built this way to help senior administrators
document information and details within the GPO for junior
administrators who might use the Starter GPO to make a new GPO. Because
the new GPO will carry along the settings configured in the Starter GPO,
the comments associated with the settings go along with the GPO.