2. Use the Group Policy Management Editor
To access the Group Policy Management Editor, select the GPO link or GPO to edit, and select Action => Edit (or right-click the GPO and select Edit). Whether you edit from the link or from the GPO, you are modifying the GPO itself, meaning any other scopes linked to the GPO will be affected. When you edit the GPO, there are two main containers to work with the settings: Computer Configuration and User Configuration. To work with a Group Policy setting, open the appropriate container, and click the setting you want to edit.
If you have worked with GPOs in previous versions, you will find that the interface for the GPE was different. The new interface in Windows Server 2008 R2 is easier to use, and it displays all the options for a particular setting on one page, which means...no more tabs! This is a nice addition to the Group Policy Management Editor.
One of the great features in Group Policy is the built-in documentation. With every setting in the editor, you will see an explanation of what it does, and you can see the explanation as you are expanding the tree or double-clicking a setting to configure it. Figure 10 shows an example of a setting and the explanation. You will notice that the setting includes the minimum required OS for the setting to be applied to the targeted system. This is important when you are working with a variety of OSs connecting to your domain.
You can configure more than 1,000 settings. In this section, you will see the main areas explained and what types of settings you can expect to find. When working with the editor, the settings are broken down into two main containers, one for computers and one for users. Inside both User Configuration and Computer Configuration, you will see policies and preferences. Table 1 describes the computer and user policies you'll find in specific policy areas.
Table 1. Overview of Computer and User Policies

| Policy Area | Description |
|---|---|
| Software Settings | In this section of Group Policy, you can configure installations of software packages to the targeted computers or users. Typically the packages are in the Windows Installer (MSI) format. You can deploy applications by assigning or publishing them to the target. If you assign an application in the computer configuration, the application will be installed on the targeted system the next time the system reboots. If you assign the application to a user, the application will appear on the Start menu, and the first time a user clicks the icon or opens a file associated with the application, the application will be installed. Publishing an application is available only if the target is a user. Publishing an application will allow the application to appear in the Add or Remove Programs applet. The user will need to go into the Control Panel to install the application. |
| Computer Windows Settings | This contains several important Windows settings specific to the computer. This is where you would configure your startup and shutdown scripts, networking Quality of Service (QoS) settings, and security settings. In the security settings, you can configure IPsec, wireless or wired network configuration and security settings, the firewall, and a variety of other security settings. You will also find a new policy in Windows Server 2008 R2 called Name Resolution, which is used for configuring DNS security settings and DirectAccess, which only really applies to Windows 7 computers. |
| User Windows Settings | This contains several important Windows settings that are specific to the user. This is where you configure your logon and logoff scripts, additional networking QoS settings, and security settings. The security settings for the users have two sections: Public Key Policies and Software Restriction Policies. Public key policies, commonly referred to as PKI, are used for configuring the client-side certificate security settings. Software restriction policies allow you to configure which applications are restricted on your client systems. You can also configure folder redirection for users' common directories, which is particularly useful when your users have roaming profiles. |
| Administrative Templates | This is where you find the majority of the settings available for Group Policy and is where you can configure most aspects of the interface for users and computers. Administrative templates are also unique in that you can add templates you have created or obtained from other software applications. For example, Internet Explorer 8 has its own administrative template with more than 1,300 settings just for the browser. There is also a new category in Windows Server 2008 R2 inside Administrative Templates called All Settings, which is very useful when you are using filtering to search for a particular setting. |

You can also work with preferences in the Group Policy Management Editor. Table 2 gives you a quick reference for the type of settings you will find in the tool.
Table 2. Overview of Computer and User Preferences

| Preference Area | Description |
|---|---|
| Windows Settings | You can configure system-wide environment variables and modify registry settings and INI files for any application. You can also work with the local file system by configuring files, folders, and network shares. |
| Control Panel Settings | You can configure local system devices, local users, and groups. Also, you can set power options here to help optimize the power consumption of your desktop operating systems. This is also where you can configure printers on the network and local-based devices. You also have the ability to work with services and the Task Scheduler. |

These two tables are meant to
give you just a brief glimpse into the setting areas. The best way to
learn how to use the settings is to look through them and their
categories; it is worth your time to be familiar with the setting
locations.
2.1. Filter Group Policy with the Editor
Prior to Windows Server 2008,
there was no built-in way to search through Group Policy settings. You
had to work with the Group Policy settings reference file, which is a
free downloadable spreadsheet. You can find the current Group Policy
settings reference file at www.microsoft.com/downloads/details.aspx?familyid=2043B94E-66CD-4B91-9E0F-68363245C495&displaylang=en.
In Windows Server 2008 and
Windows Server 2008 R2, you can filter the administrative template
settings inside the Group Policy Management Editor. To work with the
built-in filter, follow these steps:
Right-click Administrative Templates, and select Filter Options. You will see a screen similar to Figure 11.
You can filter based on several criteria, including keyword filters and software requirements. You will also notice the two options to filter: Managed and Configured. Managed policies are true policies and are managed directly by Group Policy; unmanaged policies are persistent settings, sometimes referred to as tattooing the registry. Configured is a useful option that allows you to quickly find only the settings you have configured. By default all policies are marked as not configured, so by setting the Configured option to Yes, you will only find the settings that have been configured.
After you're done setting the options, click OK, which will enable the filter. To turn the filter off, click the Filter icon.
3. Automate Group Policy Administrator Tasks
When you work with Group
Policy, it is recommended that you perform common administrative tasks
such as backup and recovery on a regular basis. These tasks can be
performed through the GPMC, as well as PowerShell. In Table 3, you can see a few general PowerShell commands to help you with working with Group Policy.
Table 3. Group Policy PowerShell Commands

| PowerShell Command | Description |
|---|---|
| Get-Help *-gp* | Lists all the possible commands involved in working with GPOs. |
| Get-GPO -all | Lists all the GPOs in your current domain. |
| Backup-GPO -all -path 'c:\gpobackup\' | Backs up all the group policies in the domain to the c:\gpobackup directory. |
| Import-GPO | Is a useful command for importing GPOs from a backup server to a new server. |
| Restore-GPO -all -path 'c:\gpobackup\' | Restores all the group policies in the domain from the c:\gpobackup directory. Typically, you would use this command with the GUID for the GPO you are restoring. To find the GUID, in GPMC click the GPO located in the Group Policy Objects container, and click the Details tab, or use the Get-GPO cmdlet. |
| Get-GPResultantSetofPolicy -ReportType html -Path 'c:\rsop\rsop2.html' | Generates an HTML report showing you the RSOP for the policy applied to a particular system. This is a particularly useful tool for troubleshooting. |

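
The backup and restore commands in Table 3 can be combined into a repeatable job. The script below is an added example, not code from the original text: it writes each run to a dated folder and records every GPO's name and GUID in a manifest, so a later restore by GUID does not depend on looking the value up in GPMC. The function names Backup-AllGpo and Restore-GpoByName and the manifest.csv and all-gpos.html file names are hypothetical; the script assumes the GroupPolicy module (installed with GPMC) is available.

```powershell
# Added example: dated backup of every GPO plus a name-to-GUID manifest.
# Assumption: GPMC is installed, so the GroupPolicy module can be loaded.
Import-Module GroupPolicy

function Backup-AllGpo {
    param([string]$Root = 'C:\gpobackup')

    # One folder per run, named after the time the backup was taken.
    $target = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Backup-GPO returns one backup object per GPO.
    $backups = Backup-GPO -All -Path $target -Comment "Scheduled backup $(Get-Date -Format s)"

    # Keep display name, GPO GUID (GpoId) and backup ID (Id) for later restores.
    $backups |
        Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

    # Readable settings report stored beside the backup for later comparison.
    Get-GPOReport -All -ReportType Html -Path (Join-Path $target 'all-gpos.html') | Out-Null

    return $target
}

function Restore-GpoByName {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$BackupFolder
    )

    # Resolve the GUID from the manifest written at backup time.
    $entry = @(Import-Csv (Join-Path $BackupFolder 'manifest.csv') |
        Where-Object { $_.DisplayName -eq $Name })

    # GPO display names are not guaranteed unique, so refuse to guess.
    if ($entry.Count -ne 1) {
        throw "Expected exactly one backup named '$Name' in $BackupFolder, found $($entry.Count)."
    }

    Restore-GPO -Guid $entry[0].GpoId -Path $BackupFolder
}

$folder = Backup-AllGpo
Write-Output "GPO backup written to $folder"
```

To restore a single GPO, call Restore-GpoByName with the GPO's display name and the dated folder returned by Backup-AllGpo.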