Windows Server 2012 and Group Policy

I've always been a great fan of Group Policy Objects.  They are a fantastic way to retain control of your environment.  With Windows Server 2012 the good things keep coming.  Today we will look at some of what's new in Group Policy in Windows Server 2012. More specifically, we will discuss the following:

If you want to follow along, I suggest you download the evaluation of Windows Server 2012 and use the info in this post to set up your own lab and get acquainted with all the value you can extract from Windows Server 2012 and Group Policy.

Remote Group Policy Update

We can now refresh Group Policy settings, including security settings, on a group of remote computers.  BAMM!! No more need to call someone local and ask them to issue the old "GPUPDATE /FORCE" command.

It's right there in the Group Policy Management Console (GPMC). This functionality schedules a task on all computers in a selected OU, which refreshes the computer and user Group Policy settings, as long as those computers are running one of the following operating systems:

  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows 8
  • Windows 7
  • Windows Vista

For anything else… you're stuck with calling someone, or you RDP into that machine and do it yourself.

One other requirement…

To schedule a Group Policy refresh for domain-joined computers you must have firewall rules that enable inbound network traffic on the ports listed in the following table.

Server port              Service                                               Type of network traffic
TCP RPC dynamic ports    Schedule (Task Scheduler service)                     Remote Scheduled Tasks Management (RPC)
TCP port 135             RPCSS (Remote Procedure Call service)                 Remote Scheduled Tasks Management (RPC-EPMAP)
TCP all ports            Winmgmt (Windows Management Instrumentation service)  Windows Management Instrumentation (WMI-in)

There is already a Starter GPO that has all the required settings to facilitate your task. So use it and make a new GPO that will open all the appropriate ports in your environment. It is a best practice to create a new GPO from this Starter GPO and link it to your domain, at a higher precedence than the Default Domain GPO, in order to configure all computers in the domain to enable a remote Group Policy refresh.

[Screenshot: gpo1]

1- Right-click the OU on which you want to refresh the policy.

[Screenshot: gpo2]

2- Select “Group Policy Update”

[Screenshot: gpo3]

3- You'll be prompted to confirm that you want to run the update. Click "Yes" and you're done.

[Screenshot: gpo4]

You can also use PowerShell to achieve the same results.  For example, if you wanted to force the update on a single computer, you would use the following command:

Invoke-GPUpdate -Computer <Name> -Force

To force the update on a complete OU, you would combine the Get-ADComputer cmdlet with the Invoke-GPUpdate cmdlet and set -RandomDelayInMinutes to 0. For example, to force a refresh of all Group Policy settings for all computers in the Montreal OU of the PRlab.com domain, type the following:

Get-ADComputer -Filter * -SearchBase "ou=Montreal,dc=prlab,dc=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }

more info here: https://technet.microsoft.com/en-us/library/jj134201.aspx
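Putting the two requirements above together (a supported operating system and a reachable RPC endpoint mapper on TCP 135), here is an added script, not from the original post, that refreshes an OU but skips and reports the computers that would fail. The OU and domain are taken from the PRlab.com example; the Test-TcpPort helper is an assumption of mine, used because Windows Server 2012 has no Test-NetConnection cmdlet.

```powershell
# Added example (not from the original post). Refreshes Group Policy on every
# computer in an OU, skipping operating systems the remote refresh does not
# support and computers where TCP 135 (RPC endpoint mapper) is blocked, so the
# failures are reported up front instead of as Task Scheduler errors.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SearchBase = "OU=Montreal,DC=prlab,DC=com"   # assumed OU, from the post's PRlab.com example

# Operating systems the post lists as supporting remote Group Policy update
$SupportedOS = 'Windows Server 2012*', 'Windows Server 2008*',
               'Windows 8*', 'Windows 7*', 'Windows Vista*'

function Test-TcpPort {
    # Hypothetical helper: plain TCP connect with a timeout (works on Server 2012,
    # which has no Test-NetConnection cmdlet)
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

Get-ADComputer -Filter * -SearchBase $SearchBase -Properties OperatingSystem |
  ForEach-Object {
    $name = $_.DNSHostName
    $os   = $_.OperatingSystem
    if (-not ($SupportedOS | Where-Object { $os -like $_ })) {
        Write-Warning "${name}: '$os' cannot be refreshed remotely; run gpupdate /force on it."
        return   # next computer
    }
    # The Remote Scheduled Tasks Management (RPC-EPMAP) rule must allow this port
    if (-not (Test-TcpPort -ComputerName $name -Port 135)) {
        Write-Warning "${name}: TCP 135 unreachable; check the firewall rules from the Starter GPO."
        return
    }
    try {
        Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        Write-Output "${name}: refresh scheduled."
    } catch {
        Write-Warning "${name}: Invoke-GPUpdate failed: $($_.Exception.Message)"
    }
  }
```

A computer that passes the TCP 135 check can still fail if the RPC dynamic port or WMI rules are missing, which is why the Invoke-GPUpdate error is caught and reported per computer.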

Group Policy infrastructure status

Group Policy can be a complicated infrastructure that gives administrators and the organization the tools to remotely control the computer and user experience in a domain. And up to now the troubleshooting was mostly reactive: an expected result does not occur, a user calls reporting a missing configuration, etc… and we jump into action.

Some organizations have a huge reach, across continents and time zones….  This can cause replication lag that will affect the GPO infrastructure and the way GPOs are applied.  In previous versions of Windows, while there were tools, such as GPOtool.exe, to get a view of GPO replication, they provided inconsistent information.

In Windows Server® 2012 the Group Policy Management Console (GPMC) has been enhanced to provide a report on the overall health state of the Group Policy infrastructure for a domain or to scope the health view down to a single GPO.

New for Windows Server 2012 is a graphical reporting feature in GPMC that allows you to choose a baseline domain controller for comparison and see the current Group Policy replication status along with any synchronization details when a comparison finds a differential from the baseline domain controller.

To create and analyze an infrastructure status report

  1. To run an infrastructure status report:
    • For an entire domain, in the GPMC console tree, locate the domain for which you want to check the replication status of all the GPOs. Click the selected domain.
    • For a single GPO, in the GPMC console tree, navigate to the Group Policy Objects container. Expand the Group Policy Objects container and click the GPO for which you want to check the replication status.
  2. Click the Status tab in the results pane.
  3. Click the Detect Now button to gather infrastructure status from all of the domain controllers in this domain.

[Screenshot: GPO5]

This will display the status of Active Directory and SYSVOL replication as it relates to all Group Policy Objects or a single Group Policy Object.


What works differently?

In Windows Server 2012, you no longer need to download and run a separate tool for monitoring and diagnosing replication issues related to Group Policy at the domain level. Potential differences that can be viewed by using the Group Policy infrastructure status are:

  • Active Directory and SYSVOL security descriptor (ACL details)
  • Active Directory and SYSVOL GPO version details
  • Number of GPOs listed in Active Directory and SYSVOL for each domain controller
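The same comparison can be scripted for environments you want to monitor continuously rather than by clicking Detect Now. Here is an added example, not from the original post, that reads every GPO's Active Directory and SYSVOL version counters and the GPO count from each domain controller and compares them with a baseline DC; the domain name is assumed, the Get-GpoSnapshot helper is mine, and the ACL comparison the Status tab also performs is left out.

```powershell
# Added example (not from the original post). Compares every GPO's AD and SYSVOL
# version counters, and the GPO count, on each domain controller against a
# baseline DC, the same drift the GPMC Status tab reports (ACL comparison omitted).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = "prlab.com"                                 # assumed domain, from the post
$Baseline = (Get-ADDomain -Server $Domain).PDCEmulator  # PDC emulator chosen as the baseline here
$DCs      = (Get-ADDomainController -Filter * -Server $Domain).HostName

function Get-GpoSnapshot([string]$Server) {
    # Hypothetical helper: GPO GUID -> version counters as read from this DC
    $snap = @{}
    foreach ($g in Get-GPO -All -Domain $Domain -Server $Server) {
        $snap[$g.Id.ToString()] = [pscustomobject]@{
            Name           = $g.DisplayName
            UserDS         = $g.User.DSVersion
            UserSysvol     = $g.User.SysvolVersion
            ComputerDS     = $g.Computer.DSVersion
            ComputerSysvol = $g.Computer.SysvolVersion
        }
    }
    return $snap
}

$base = Get-GpoSnapshot $Baseline
foreach ($dc in ($DCs | Where-Object { $_ -ne $Baseline })) {
    $other = Get-GpoSnapshot $dc
    if ($other.Count -ne $base.Count) {
        Write-Warning "${dc}: $($other.Count) GPOs, baseline ${Baseline} has $($base.Count)"
    }
    foreach ($id in $base.Keys) {
        if (-not $other.ContainsKey($id)) {
            Write-Warning "${dc}: GPO '$($base[$id].Name)' has not replicated yet"
            continue
        }
        $b = $base[$id]; $o = $other[$id]
        # A version mismatch between DCs (or between AD and SYSVOL on one DC) is
        # exactly what the infrastructure status report flags
        if ($b.UserDS -ne $o.UserDS -or $b.ComputerDS -ne $o.ComputerDS -or
            $b.UserSysvol -ne $o.UserSysvol -or $b.ComputerSysvol -ne $o.ComputerSysvol) {
            Write-Warning ("{0}: '{1}' AD user/computer {2}/{3} (baseline {4}/{5}), SYSVOL {6}/{7} (baseline {8}/{9})" -f
                $dc, $b.Name, $o.UserDS, $o.ComputerDS, $b.UserDS, $b.ComputerDS,
                $o.UserSysvol, $o.ComputerSysvol, $b.UserSysvol, $b.ComputerSysvol)
        }
    }
}
```

A warning that persists well beyond normal replication latency points at the same AD or SYSVOL (DFS-R) replication problem the GPMC report would show, and is worth chasing before users report missing settings.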


Local Group Policy support for Windows RT

Local Group Policy is available for Windows RT. It is off by default, but can be turned on by the local administrator.  Don't get excited… it does not mean that you can join Windows 8 RT to the domain….  but you can configure policies on the RT device to control the experience of users.

On Windows RT devices, the Group Policy Client service is disabled by default. The Group Policy Client service must be set to Automatic and started by the administrator before Group Policy is processed on the device.

To turn on the Group Policy Client service

1- From the Start screen, type Services.msc.

[Screenshot: gpo-rt-1]

2- Double-click Group Policy Client to open the Group Policy Client Properties (Local Computer) dialog box.

[Screenshot: gpo-rt-3]

[Screenshot: gpo-rt-4]

    • Set the Startup type to Automatic
    • Click Apply
    • Then click the Start button

Once that’s done you can edit the Local policy using the Group Policy Object Snap-in in the MMC console.


That's it for today.  I'll try to drill a bit more into GPOs on Windows Server 2012 in new posts.  However, if you have specific scenarios you need help with, don't hesitate to ask in the comment section, or email us at CDN-ITPro-Feedback@microsoft.com


Cheers!


Pierre Roman, MCITP, ITIL | Technology Evangelist
Twitter | Facebook | LinkedIn