What’s New in Group Policy - Windows Server 2012

In this post we will discuss some of the new features in Group Policy in Windows Server 2012 / Windows 8.

Many changes and enhancements have been introduced in Group Policy, such as enhanced Group Policy reporting, reduced service utilization, remote refresh of Group Policy, new Starter GPOs, and an Infrastructure Status view that shows important information about the Group Policy infrastructure of a domain.

Group Policy Infrastructure Status

If you have worked on GPO troubleshooting before, you probably know gpotool.exe.

GPOtool.exe is a Windows 2000 Resource Kit tool that verifies the consistency between the two parts of a GPO, the Group Policy Template (GPT, stored in SYSVOL) and the Group Policy Container (GPC, stored in Active Directory), on a single DC or on all DCs in the domain.

Each GUID folder in SYSVOL contains many files that are critical to applying Group Policy, but gpotool only checks the gpt.ini file in SYSVOL and does not check any of the other files that Group Policy processing depends on, such as registry.pol.

In GPMC there is a new tab labelled 'Status' on each domain node and on each Group Policy object node (not on a link). Through it you can see the current replication status of GPOs across all domain controllers, and you can select a baseline DC against which the GPO parts on the other DCs are compared, for the following:

  • ACL on each GPC
  • VersionNumber attribute on each GPC
  • Count of GPC objects
  • ACL on each GPT
  • Count of GPT folders and files

OK, what are the requirements to use this feature? The answer is simple: a Windows Server 2012 member server with the GPMC feature installed, or a Windows 8 machine with RSAT installed. No schema extension, no specific functional level, and not even a domain controller running Windows Server 2012 is needed. WOOW!! That's great.

To start the check, select a baseline DC (the default is the PDC emulator).

Then click Detect Now.

When GPMC cannot contact a domain controller, or that server does not match the baseline, the server moves to the 'replication in progress' section. GPMC displays further messages to assist you in troubleshooting the problem.

Note: the Status tab does not appear if you click on an OU; it appears only at the domain level and on the GPO itself (not on the link).
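The following script is an added example, not code from the original post or from Microsoft: it performs the same comparison the Status tab describes above (count of GPC objects, versionNumber and ACL of each GPC, gpt.ini version, ACL and file count of each GPT) for every DC against a baseline, and, unlike gpotool, also compares a SHA-256 of every registry.pol under each GPT. It assumes the ActiveDirectory RSAT module, read access to the SYSVOL share of every DC, and the PDC emulator as the baseline (GPMC's default); the function and variable names are my own.

```powershell
# Added example, not code from the original post: a gpotool-style check that compares, for every
# GPO and every DC, what the GPMC Status tab compares (GPC count, versionNumber and ACL of each GPC,
# gpt.ini version, ACL and file count of each GPT) and, unlike gpotool, also a SHA-256 of every
# registry.pol under the GPT. Assumes the ActiveDirectory RSAT module, read access to the SYSVOL
# share of every DC, and the PDC emulator as baseline (GPMC's default); DC names come from AD.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$Baseline = $Domain.PDCEmulator                        # baseline DC, as GPMC defaults to
$DCs      = (Get-ADDomainController -Filter *).HostName

function Get-Sha256Hex {
    # Get-FileHash needs PowerShell 4.0; this also works on the 3.0 that ships with Server 2012
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ([System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)))) -replace '-' }
    finally { $sha.Dispose() }
}

function Get-GpoStateOnDC {
    # Returns a hashtable: "{GUID}" -> snapshot of the GPC (AD) and GPT (SYSVOL) parts as seen on one DC
    param([string]$DC)
    $state = @{}
    $gpcs  = Get-ADObject -Server $DC -SearchBase "CN=Policies,CN=System,$($Domain.DistinguishedName)" `
                 -LDAPFilter '(objectClass=groupPolicyContainer)' `
                 -Properties displayName, versionNumber, nTSecurityDescriptor
    foreach ($gpc in $gpcs) {
        $folder     = "\\$DC\SYSVOL\$($Domain.DNSRoot)\Policies\$($gpc.Name)"   # $gpc.Name is "{GUID}"
        $gptVersion = $null
        $gptSddl    = $null
        if (Test-Path "$folder\gpt.ini") {
            $ini = Get-Content "$folder\gpt.ini" -Raw
            if ($ini -match '(?m)^Version=(\d+)') { $gptVersion = [uint32]$Matches[1] }
        }
        if (Test-Path $folder) { $gptSddl = (Get-Acl $folder).Sddl }
        $files = @(Get-ChildItem $folder -Recurse -File -ErrorAction SilentlyContinue)
        $pols  = @($files | Where-Object Name -eq 'registry.pol' | ForEach-Object { Get-Sha256Hex $_.FullName })
        $state[$gpc.Name] = [pscustomobject]@{
            Name          = $gpc.displayName
            # versionNumber packs the user (high 16 bits) and computer (low 16 bits) versions;
            # gpt.ini holds the same packed value, so the two can be compared directly
            AdVersion     = [uint32]([int64]$gpc.versionNumber -band 0xFFFFFFFF)
            SysvolVersion = $gptVersion
            GpcSddl       = $gpc.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('All')
            GptSddl       = $gptSddl
            FileCount     = $files.Count
            PolHashes     = ($pols | Sort-Object) -join ','
        }
    }
    return $state
}

# Snapshot every DC; a DC that cannot be read is what GPMC lists under 'replication in progress'
$snapshot = @{}
foreach ($dc in $DCs) {
    try   { $snapshot[$dc] = Get-GpoStateOnDC -DC $dc }
    catch { Write-Warning "$dc could not be read ($($_.Exception.Message))" }
}
if (-not $snapshot.ContainsKey($Baseline)) { throw "Baseline DC $Baseline could not be read" }
$base = $snapshot[$Baseline]

$findings = foreach ($dc in $snapshot.Keys) {
    $here = $snapshot[$dc]
    # 1. AD part vs SYSVOL part on the same DC (the check gpotool performs)
    foreach ($guid in $here.Keys) {
        if ($here[$guid].AdVersion -ne $here[$guid].SysvolVersion) {
            [pscustomobject]@{ DC = $dc; GPO = $here[$guid].Name; Item = 'GPC vs GPT version'
                               Reference = $here[$guid].AdVersion; Observed = $here[$guid].SysvolVersion }
        }
    }
    if ($dc -eq $Baseline) { continue }
    # 2. this DC vs the baseline DC (the comparison the GPMC Status tab performs)
    if ($here.Count -ne $base.Count) {
        [pscustomobject]@{ DC = $dc; GPO = '(all)'; Item = 'GPC count'; Reference = $base.Count; Observed = $here.Count }
    }
    foreach ($guid in $base.Keys) {
        if (-not $here.ContainsKey($guid)) {
            [pscustomobject]@{ DC = $dc; GPO = $base[$guid].Name; Item = 'GPC'; Reference = 'present'; Observed = 'missing' }
            continue
        }
        foreach ($item in 'AdVersion', 'SysvolVersion', 'GpcSddl', 'GptSddl', 'FileCount', 'PolHashes') {
            if ($base[$guid].$item -ne $here[$guid].$item) {
                [pscustomobject]@{ DC = $dc; GPO = $base[$guid].Name; Item = $item
                                   Reference = $base[$guid].$item; Observed = $here[$guid].$item }
            }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { "All DCs match the baseline $Baseline" }
```

A version mismatch between the GPC and the GPT on the baseline itself usually means a DC-to-DC replication lag (AD and SYSVOL replicate on different schedules) and clears on its own; a registry.pol hash or ACL that differs on one DC only, while the versions agree, is the kind of problem gpotool never reported and is worth looking at, because clients served by that DC will receive different policy from the rest.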

Group Policy Reporting Enhancement

Group Policy Results in Windows Server 2012 / Windows 8 includes more information to help determine whether a Group Policy setting was applied to a computer or user, and assists in troubleshooting.

You can generate an RSoP report using either GPMC.msc or gpresult.exe.

New information in “Summary” section: 

  • If a slow link or fast link is detected
  • If block inheritance is set
  • If enforced is set
  • If loopback is enabled
  • Disabled User or Computer configurations  

New information in “Component Status”: 

  • Displays the amount of time each client-side extension took to process and the last time each client-side extension processed.
  • Provides a link in the Event Log column that displays the event log messages from the last Group Policy refresh. This functionality is equivalent to the information that is returned from the GPLogview.exe utility.

To use RSoP reporting for remotely targeted computers through the firewall, you must have firewall rules that allow inbound network traffic on the ports listed in the following table. This allows remote WMI and event log traffic to flow between the computer running GPMC and the remotely targeted computer.

Server port and service, followed by the type of network traffic (predefined inbound firewall rule) that must be allowed:

  • TCP 445 (SMB), all services and programs: Remote Event Log Management (NP-in)
  • TCP RPC dynamic ports, EventLog (Windows Event Log service): Remote Event Log Management (RPC)
  • TCP port 135, RPCSS (Remote Procedure Call service): Remote Event Log Management (RPC-EPMAP)
  • TCP all ports, Winmgmt (Windows Management Instrumentation service): Windows Management Instrumentation (WMI-in)

To generate a report using gpresult.exe command line:

Gpresult.exe /h <report.htm>

To target a remote computer:

Gpresult.exe /s <computer name> /h <report.htm>

To target only the user or computer scope remotely, use:

Gpresult.exe /scope {user|computer} /s <computer name> /h <report.htm>

Remote Group Policy Update

Another nice feature is Remote Group Policy Update. It has been requested for a long time and is finally here: you can now refresh Group Policy settings from the context menu of an organizational unit (OU) in the Group Policy Management Console (GPMC).

This functionality schedules a task on all computers in a selected OU and child OUs to refresh policy (via gpupdate /force) for computer and currently logged on users. The refresh happens within 1-10 minutes, randomized on a per-computer basis.

If the computers are online, the user has permission, the firewall rules are correct, and the WMI and Scheduled Tasks services are running, the tasks are created without errors.

Otherwise, a Windows error returns (typically: The remote procedure call was cancelled).

The same can also be done with the Invoke-GPUpdate PowerShell cmdlet, which offers additional options.
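As an added example (my own script, not code from the original post), the following does from PowerShell what the GPMC context-menu item does for an OU, using Invoke-GPUpdate per computer so that every host's outcome, including the 'remote procedure call was cancelled' error mentioned below, is recorded instead of only shown in a dialog. It assumes the GroupPolicy and ActiveDirectory RSAT modules and local administrator rights on the targets; the OU distinguished name is a placeholder.

```powershell
# Added example, not code from the original post: the same refresh the GPMC context menu performs
# on an OU (a scheduled task on each computer that runs gpupdate /force for the computer and every
# logged-on user), driven from PowerShell so that each host's result is kept. Assumes the
# GroupPolicy and ActiveDirectory RSAT modules and local admin rights on the targets; the OU
# distinguished name below is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$OU = 'OU=Workstations,DC=corp,DC=example'      # placeholder: the OU you would right-click in GPMC

# Same population GPMC targets: computer accounts in the OU and its child OUs
$computers = Get-ADComputer -SearchBase $OU -SearchScope Subtree -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty DNSHostName

$results = foreach ($name in $computers) {
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $name; Result = 'Offline (no ICMP reply)' }
        continue
    }
    try {
        # GPMC randomizes the start over 0-10 minutes so that a large OU does not hit the DCs at
        # once; keep that for a whole OU and use -RandomDelayInMinutes 0 only for a single host.
        Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 10 -ErrorAction Stop
        [pscustomobject]@{ Computer = $name; Result = 'Refresh task created' }
    }
    catch {
        $msg = $_.Exception.Message
        # 'The remote procedure call was cancelled' is the usual symptom when the RPC/WMI firewall
        # rules are missing or the Task Scheduler / WMI service is not running on the target.
        if ($msg -match 'remote procedure call was cancelled') {
            $msg += ' (check the Remote Scheduled Tasks Management and WMI firewall rules and the Schedule/Winmgmt services)'
        }
        [pscustomobject]@{ Computer = $name; Result = $msg }
    }
}

$results | Format-Table -AutoSize -Wrap
# Keep the failures so they can be worked through later
$results | Where-Object Result -ne 'Refresh task created' |
    Export-Csv -Path "$env:TEMP\gpupdate-failures.csv" -NoTypeInformation
```

Note that a 'Refresh task created' result only means the scheduled task was registered on the target; the actual gpupdate run happens up to ten minutes later, and its outcome is visible in the target's Group Policy operational event log or in a subsequent gpresult report.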

To schedule a remote Group Policy refresh for domain-joined computers, you must have firewall rules that allow inbound network traffic on the ports listed in the following table.

Server port and service, followed by the type of network traffic (predefined inbound firewall rule) that must be allowed:

  • TCP RPC dynamic ports, Schedule (Task Scheduler service): Remote Scheduled Tasks Management (RPC)
  • TCP port 135, RPCSS (Remote Procedure Call service): Remote Scheduled Tasks Management (RPC-EPMAP)
  • TCP all ports, Winmgmt (Windows Management Instrumentation service): Windows Management Instrumentation (WMI-in)

Notes:

  1. This option is not available at the domain level and cannot be used on an OU that contains no computer accounts.
  2. All connections go directly from the computer running the tool to each remote client, not from the domain controllers.
  3. It requires permissions sufficient to allow remote WMI access and scheduled task creation (local administrator on the target).
  4. It creates a scheduled task that runs in the context of the computer and in the context of each logged-on user.
  5. You can remotely refresh Group Policy on the following operating systems:
     • Windows Vista
     • Windows Server 2008
     • Windows 7
     • Windows Server 2008 R2
     • Windows 8
     • Windows Server 2012
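The two firewall tables above (event log and WMI rules for RSoP reporting, scheduled task and WMI rules for remote refresh) list predefined rule groups that exist on every supported client. The following added example, my own script rather than anything from the original post, enables those groups on a Windows 8 / Server 2012 computer and restricts them to the hosts that actually run GPMC, so that SMB, RPC and WMI are not reachable from the whole network just to support these two features. It assumes the NetSecurity module, an elevated shell on the target, and a placeholder management subnet.

```powershell
# Added example, not code from the original post: enable the predefined inbound rule groups that
# the two tables list and scope them to the management hosts. Assumes the NetSecurity module
# (Windows 8 / Server 2012 and later) and an elevated prompt; 10.20.30.0/24 is a placeholder subnet.
Import-Module NetSecurity

$AdminHosts = @('10.20.30.0/24')        # placeholder: where GPMC / gpresult / Invoke-GPUpdate run from
$Groups = @(
    'Remote Event Log Management',              # NP-in (TCP 445), RPC-EPMAP (TCP 135), RPC dynamic ports
    'Remote Scheduled Tasks Management',        # RPC-EPMAP (TCP 135), RPC dynamic ports
    'Windows Management Instrumentation (WMI)'  # WMI-in, dynamic ports of the Winmgmt service
)

foreach ($g in $Groups) {
    $rules = Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction Stop
    # Domain profile only, and only from the management subnet rather than 'Any'
    $rules | Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $AdminHosts
}

# Verify the result: each rule enabled, limited to the domain profile and to the admin subnet
Get-NetFirewallRule -DisplayGroup $Groups -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Profile = $_.Profile; RemoteAddress = $addr }
    } | Format-Table -AutoSize

# The rules are useless if the services behind them are stopped (the note above lists WMI and
# Task Scheduler; the reporting table also needs the event log service)
Get-Service -Name EventLog, Winmgmt, Schedule | Select-Object Name, Status

# Vista / 7 / 2008 targets lack the NetSecurity cmdlets; netsh can enable a whole group, but the
# remote-address restriction must then be set per rule with name= instead of group=:
#   netsh advfirewall firewall set rule group="Remote Scheduled Tasks Management" new enable=yes
```

For more than a handful of computers the natural delivery mechanism is a GPO linked to the computer OU rather than a script run on each host; the Windows Server 2012 GPMC ships two Starter GPOs for exactly this purpose, 'Group Policy Reporting Firewall Ports' and 'Group Policy Remote Update Firewall Ports', which can be turned into a GPO with New-GPO -StarterGpoName. Those starter GPOs enable the rules for any remote address, so the scoping to the management subnet shown above still has to be added in the resulting GPO.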

A complete list of new and enhanced functionality for Group Policy in Windows Server 2012 can be found here:

https://technet.microsoft.com/en-us/library/jj574108.aspx

Thanks

Mahmoud Abdul Wahab from NEPA team.