Windows server 2012 and group policy
3 likes5,456 views
This document discusses new features in Group Policy for Windows Server 2012, including: 1) Remote Group Policy update, which allows refreshing Group Policy settings on remote computers from the Group Policy Management Console without needing to log into each computer. 2) Improved Group Policy infrastructure status reporting in the Group Policy Management Console, which provides a graphical report on Group Policy replication across domain controllers. 3) Local Group Policy support for Windows RT devices, allowing Group Policy settings to control the experience of users on Windows RT tablets, though Windows RT devices cannot join a domain.
Windows server 2012 and group policy
- 1. PREPARED BY RAVI KUMAR LANKE Page 1 Windows Server 2012 and Group Policy I've always been a great fan of Group Policy Objects. They are a fantastic way to retain control of your environment. With Windows Server 2012 the good things keep coming. Today we will look at some of what’s new in Group Policy in Windows Server 2012. more specifically we will discuss the following: Remote Group Policy Update Group Policy infrastructure status Local Group Policy support for Windows RT If you want to follow along, I suggest you download the evaluation of Windows Servers 2012 and use the info in this post to setup your own lab and get acquainted with all the value you can extract from Windows Server 2012 and Group Policies Remote Group Policy Update We can now refresh Group Policy settings, including security settings that are set on a group of remote computers. BAMM!! no more need to call someone local and ask them to issue the old “GPUPDATE /FORCE” command. it’s right there in the Group Policy Management Console (GPMC). This functionality schedules a task on all computers in a selected OU, which refreshes the computer and user Group Policy settings. As long as those computer are running one of the following OS: Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows 8 Windows 7 Windows Vista for anything else… you’re stuck with calling someone. or RDP in that machine and do it yourself. One other requirement… To schedule a Group Policy refresh for domain-joined computers you must have firewall rules that enable inbound network traffic on the ports listed in the following table. Server port Type of network traffic
- 2. PREPARED BY RAVI KUMAR LANKE Page 2 TCP RPC dynamic ports, Schedule (Task Scheduler service) Remote Scheduled Tasks Management (RPC) TCP port 135, RPCSS (Remote Procedure Call service) Remote Scheduled Tasks Management (RPC-EPMAP) TCP all ports, Winmgmt (Windows Management Instrumentation service) Windows Management Instrumentation (WMI-in) There is already a started GPO that has all the required settings to facilitate your task. So use it and make a new GPO that will open all the appropriate ports in your environment. It is a best practice to create a new GPO from this Starter GPO and link the GPO to your domain, at a higher precedence than the Default Domain GPO, in order to configure all computers in the domain to enable a remote Group Policy refresh. 1- Right-click the OU on which you want to refresh the policy.
- 3. PREPARED BY RAVI KUMAR LANKE Page 3 2- Select “Group Policy Update” 3- you’ll be prompted to confirm that you want to run the update. Click “Yes” and you’re done.
- 4. PREPARED BY RAVI KUMAR LANKE Page 4 You can also use PowerShell to achieve the same results. for example, if you wanted to force the update on a single computer. you would use the following command: Invoke-GPUpdate –Computer <Name> -Force to force the update on a complete OU, you would combine the Get-ADComputer with the Invoke- GPUpdatecmdlet and set the –-RandomDelayInMinutes to 0. For example, to force a refresh of all Group Policy settings for all computers in the Montreal OU of the PRlab.com domain, type the following: Get-ADComputer –filter * -Searchbase "ou=Montreal, dc=prlab,dc=com" | foreach{ Invoke-GPUpdate –computer $_.name –force –-RandomDelayInMinutes 0} more info here: http://technet.microsoft.com/en-us/library/jj134201.aspx Group Policy infrastructure status Group Policy can be a complicated infrastructure that give the administrators and the organization the tools to control, remotely computer and user experience in a domain. And up to ow the troubleshooting was mostly reactive. An expected result does not occur, a user call reporting missing configuration, ect… And we jump to action. Some organization have huge reach, across continents and time zones…. This can cause replication lag that will affect the GPO infrastructure and the way they are applied. In previous versions of Windows, while there were tools, such as GPOtool.exe, to get a view of the GPO replication, it provided inconsistent information.
- 5. PREPARED BY RAVI KUMAR LANKE Page 5 In Windows Server® 2012 the Group Policy Management Console (GPMC) has been enhanced to provide a report on the overall health state of the Group Policy infrastructure for a domain or to scope the health view down to a single GPO. New for Windows Server 2012 is a graphical reporting feature in GPMC that allows you to choose a baseline domain controller for comparison and see the current Group Policy replication status along with any synchronization details when a comparison finds a differential from the baseline domain controller. To create and analyze an infrastructure status report 1. To run an infrastructure status report: o For an entire domain, in the GPMC console tree, locate the domain for which you want to check the replication status of all the GPOs. Click the selected domain. o For a single GPO, in the GPMC console tree, navigate to the Group Policy Objects container. Expand the Group Policy Objects container and click the GPO for which you want to check the replication status. 2. Click the Status tab in the results pane. 3. Click the Detect Now button to gather infrastructure status from all of the domain controllers in this domain. This will display the status of Active Directory and SYSVOL replication as it relates to all Group Policy Objects or a single Group Policy Object.
- 6. PREPARED BY RAVI KUMAR LANKE Page 6 What works differently? In Windows Server 2012, you no longer need to download and run a separate tool for monitoring and diagnosing replication issues related to Group Policy at the domain level. Potential differences that can be viewed by using the Group Policy infrastructure status are: Active Directory and SYSVOL security descriptor (ACL details) Active Directory and SYSVOL GPO version details Number of GPOs listed in Active Directory and SYSVOL for each domain controller Local Group Policy support for Windows RT Local Group Policy is available for Windows RT. It is off by default, but can be turned on by the local administrator. don't get exited… it does not mean that you can join Windows 8 RT to the domain…. but you can configure policies on the RT device to control the experience of users. On Windows RT devices, the Group Policy Client service is disabled by default. The Group Policy Client service must be set to Automatic and started by the administrator before Group Policy is processed on the device. To turn on the Group Policy Client service
- 7. PREPARED BY RAVI KUMAR LANKE Page 7 1- From the start screen, type Services.msc. 2-Double-click Group Policy Client to open the Group Policy Client Properties (Local Computer) dialog box.
- 8. PREPARED BY RAVI KUMAR LANKE Page 8 o Set the Startup type to Automatic o click Apply o and then click the Start button. Once that’s done you can edit the Local policy using the Group Policy Object Snap-in in the MMC console.