The Windows 8 and Windows Server
2012 GPMC includes a feature and GPO function named Starter GPOs. This
function allows administrators to create or load base GPOs with
preconfigured administrative template settings and values, which can be
used to prepopulate new GPOs. If any starter GPOs exist, an
administrator creating a new GPO from a Windows 8 or a Windows Server
2012 GPMC console will have the option of using any existing starter
GPO to prepopulate newly created GPOs with a number of setting values.
Once the starter GPO functionality is enabled, Group Policy
administrators can create new starter GPOs customized for their
organization’s needs.
Starter GPOs can be viewed within
the GPMC and can be edited using the Group Policy Starter GPO Editor,
but the files are stored within the domain controller SYSVOL folder.
For example, starter GPOs for the companyabc.com domain would be
located at the \\companyabc.com\sysvol\companyabc.com\StarterGPOs
folder. Microsoft provides some starter GPOs that will be automatically
installed when starter GPO functionality is enabled. These currently
include templates for two environments as described in the Windows
client security guides. These are the Enterprise Client (EC)
environment scenario and the Specialized Security Limited Functionality
(SSLF) client environment scenario.
The EC environment, as described in the
Windows client security guide, is an Active Directory domain
infrastructure that runs Windows Server 2003 or Windows Server 2008 or
later servers and Windows Vista and later or Windows XP client
workstations where functionality is as important as security. The
preconfigured settings in the EC starter GPOs have been designed to
enable the necessary functionality to allow businesses to function with
centrally managed user and computer configuration management as well as
security management and audit settings.
The SSLF environment, as described in the
Windows client security guide, is designed to provide security
configurations and guidelines for environments in which the need for higher
security outweighs the importance of a smooth user experience
and manageability. As an example of this, the Windows Vista SSLF
Computer starter GPO would deny logon through Remote Desktop Services
functionality, whereas the Windows Vista EC Computer policy leaves this
setting undefined. This policy setting allows administrators and
members of the Remote Desktop Users groups to connect using Remote
Desktop Connection or Terminal Services clients.
Caution
Any Group Policy administrator must take the
highest precautions to ensure that no group policies deployed on a
network are released without thorough testing in an isolated lab
environment. This is especially true when considering deploying
policies built on the EC or SSLF starter GPO policies.
The starter GPOs included with Windows Server 2012 GPMC are as follows:
• Windows Vista EC Computer
• Windows Vista EC User
• Windows Vista SSLF Computer
• Windows Vista SSLF User
• Windows XP EC Computer
• Windows XP EC User
• Windows XP SSLF Computer
• Windows XP SSLF User
For more information about the EC and SSLF starter GPOs, refer to the Windows client security guides online.
Enabling Starter GPOs
Before starter GPOs can be put to use, the
functionality must first be enabled in the domain. Enabling this
function is about as simple as pushing a button. To enable the starter
GPO feature, follow these steps:
1. Log on to a designated Windows 8 or Windows Server 2012 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. In the right pane, click the Create Starter GPOs Folder button.
Once the task is completed, the eight
out-of-the-box starter GPOs are available for review in the GPMC. A
Group Policy administrator can also create new starter GPOs from
scratch and can also create new GPOs by using these default system
starter GPOs as templates.
Note
The starter GPOs included with Windows 8 and
Windows Server 2012 are read-only and cannot be edited directly. Copies
of the built-in starter GPOs can be edited.
Creating a Starter GPO
Starter GPOs can be created or added to a
domain in a few ways. A starter GPO can be created from scratch using a
blank template, it can be created by restoring from a starter GPO
backup folder, or it can be imported from a provided starter GPO
cabinet file. Before the release of the Windows 7 and Windows Server
2008 R2 Group Policy Management Tools, the Microsoft EC and SSLF
starter GPO policies were provided as separate downloads, stored in
cabinet backup files. If an organization had not yet adopted Windows
Server 2008 R2 domain controllers, this was the
only way to import these starter GPO policies.
To create a new starter GPO from scratch using Windows PowerShell, follow these steps:
1. Log on to a designated Windows Server 2012 administrative system that has the Group Policy Management Tools installed.
2. Open Windows PowerShell.
3. In the Windows PowerShell window, type Import-Module GroupPolicy and press Enter.
4. Type New-GPStarterGPO -Name "MyStarterGPO" and press Enter.
The Windows PowerShell window will show the results of the new starter GPO creation.
5. To check the status of the GPO, type Get-GPStarterGPO -Name MyStarterGPO.
6. Close the Windows PowerShell window.
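The steps above, extended into a script that also builds a new, unlinked GPO from the starter GPO and writes a settings report for review before the GPO is linked anywhere. This is an added example, not part of the original text; the starter GPO name, GPO name, and report location are hypothetical, and it assumes starter GPO functionality is already enabled in the domain.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module GroupPolicy

$starterName = 'CompanyABC Workstation Baseline'   # hypothetical starter GPO name
$newGpoName  = 'Workstation Baseline Pilot'        # hypothetical GPO name
$reportPath  = Join-Path $env:TEMP "$newGpoName.html"

# List every starter GPO in the domain and look for ours by display name,
# so that running the script twice does not create a duplicate.
$starter = Get-GPStarterGPO -All | Where-Object { $_.DisplayName -eq $starterName }

if (-not $starter) {
    $starter = New-GPStarterGPO -Name $starterName `
        -Comment 'Created by script; administrative template settings still to be defined'
}

# StarterGpoType separates the built-in (read-only) starter GPOs from custom ones.
Get-GPStarterGPO -All |
    Sort-Object DisplayName |
    Format-Table DisplayName, StarterGpoType, Id, ModificationTime -AutoSize

# Create a GPO prepopulated from the starter GPO. New-GPO does not link the
# GPO to any site, domain, or OU, so nothing is applied to clients yet.
$existing = Get-GPO -All | Where-Object { $_.DisplayName -eq $newGpoName }
if (-not $existing) {
    $gpo = New-GPO -Name $newGpoName -StarterGpoName $starterName `
        -Comment "Built from starter GPO '$starterName'"

    # Write the resulting settings to an HTML report for review in the lab.
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $reportPath
    Write-Output "Created '$newGpoName' ($($gpo.Id)); report written to $reportPath"
}
else {
    Write-Output "GPO '$newGpoName' already exists; nothing created."
}
```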
Backing Up and Restoring Starter GPOs
Backing up and restoring starter GPOs is a
simple operation that can be performed using the Windows Server 2012
GPMC. Starter GPOs can be backed up individually, or all the starter
GPOs can be backed up together.
Starting with Windows Vista and Windows
Server 2008, the backup functionality of the GPMC allows for the backup
of multiple versions of the same GPOs. In earlier versions, if an
organization wanted historical backups of GPOs, or revisions, the GPOs
would need to be backed up to separate folder locations. Now, the
backups can all be stored in a single folder.
Backing Up All Starter GPOs
Even though there are many Group
Policy-related GPO cmdlets, for starter GPOs there are only the
New-GPStarterGPO and the Get-GPStarterGPO cmdlets. To perform any other
starter GPO-related task, the GPMC must be used. To back up all the
starter GPOs in a domain, follow these steps:
1. Log on to a designated Windows Server 2012 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. Right-click the starter GPOs container and click the Back Up All button.
5. Specify the folder
location to store the backup, enter a description of the backup, and
click the Back Up button to back up the starter GPOs.
Note
We recommend that the designated backup
folder and the description of the backup specify or make it very easy
to differentiate between starter GPO backups and domain GPO backups
even though they can be stored in the same folder.
6. In the Backup window, review the status of the backup, and click OK when the backup completes.
Backing Up a Single Starter GPO
All starter GPOs can be backed up using the
method described in the preceding section, which includes version or
revision history, but a single starter GPO can also be backed up
individually or it can be saved as a cabinet file. To individually back
up a single starter GPO, follow these steps:
1. Log on to a designated Windows Server 2012 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and expand it.
4. Select the desired starter GPO, right-click it, and then click the Back Up button.
5. Specify the folder
location to store the backup, enter a description of the backup, and
click the Back Up button to back up the starter GPO.
6. In the Backup window, review the status of the backup, and click OK when the backup completes.
Saving a Starter GPO as a Cabinet File
Starter GPOs can be exported or saved as
individual cabinet (*.cab) files. Starter GPO cabinet files can be used
to create new starter GPOs or can be used to move starter GPOs between
isolated test and production Active Directory environments. To save an
individual starter GPO as a cabinet file, follow these steps:
1. Log on to a designated Windows Server 2012 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. In the right pane, select a single starter GPO, and at the bottom of the pane, click the Save as Cabinet button.
5. Browse or type in
the location in which to save the cabinet file, specify a name for the
cabinet file, and click the Save button to save the starter GPO.
Restoring a Starter GPO from Backup
Restoring a starter GPO can be performed to
revert a starter GPO to a previously backed-up state, move a starter
GPO from one domain or forest to another, or to recover from a starter
GPO deletion.
To restore a deleted starter GPO, follow these steps:
1. Log on to a designated Windows Server 2012 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. Right-click the Starter GPOs container and select Manage Backups.
5. Browse to or specify the starter GPO backup location to load the starter GPO backup set.
6. In the window, select the desired GPO object.
7. If a filtered view is desired, check the Show Only the Latest Version of Each Starter GPO check box.
8. To view the
settings of a particular backed-up GPO, select the desired starter GPO,
and click the View Settings button. Close the browser window after the
settings are reviewed.
9. After the desired starter GPO is determined, select the starter GPO backup and click the Restore button.
10. Click OK in the Restore confirmation dialog box to restore the starter GPO.
11. Review the GPO restore progress, and click OK when it completes.
12. After all the necessary starter GPOs are restored, close the Manage Backups window.
Disabling Starter GPO Functionality
An organization may determine that starter
GPO functionality should be removed. In those situations, it is quite
easy to disable starter GPO functionality. If starter GPO functionality
needs to be removed from a domain, follow these steps:
1. Log on to a designated Windows Server 2012 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. Verify that the starter GPO functionality is enabled by viewing the right pane.
5. If the functionality is enabled, close the GPMC.
6. Click the Windows Explorer tile in the taskbar and, in the location field, type \\companyabc.com\sysvol\companyabc.com\ and press Enter. This example is for the companyabc.com domain; substitute your Active Directory DNS domain name.
7. When the network path opens, one of the folders shown is the StarterGPOs folder. Right-click and delete that entire folder.
8. Close the Windows Explorer window.
9. Open the Group Policy Management Console again.
10. Expand the domain to expose the Starter GPOs container and select it.
11. Verify that the
starter GPO functionality is now disabled by viewing the right pane. If
starter GPOs are now disabled, there will be a Create Starter GPOs
Folder button.
12. The task is now complete, so close the GPMC.
Removing starter GPO functionality
will not affect any domain group policies that were previously created
using any starter GPOs.
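Because the procedure above deletes the StarterGPOs folder from SYSVOL, it is worth recording what the folder holds and who can write to it before removing it. The following script is an added example, not part of the original text: it saves an inventory, the folder's access control entries, and a file-level copy. The archive location is hypothetical, and the copy is a record for reference, not a GPMC backup set.

```powershell
# Added example. $ArchiveRoot is a hypothetical location; adjust as needed.
param(
    [string]$Domain      = $env:USERDNSDOMAIN,     # AD DNS domain name, e.g. companyabc.com
    [string]$ArchiveRoot = 'C:\StarterGpoArchive'  # hypothetical archive folder
)
Import-Module GroupPolicy

$starterPath = "\\$Domain\SYSVOL\$Domain\StarterGPOs"
if (-not (Test-Path -LiteralPath $starterPath)) {
    Write-Warning "No StarterGPOs folder at $starterPath; nothing to record."
    return
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $ArchiveRoot "StarterGPOs-$Domain-$stamp"
$copy   = Join-Path $target 'StarterGPOs'
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Inventory of the starter GPOs as the GroupPolicy module reports them.
$starters = @(Get-GPStarterGPO -All -Domain $Domain)
$starters |
    Select-Object DisplayName, Id, StarterGpoType, Author, CreationTime, ModificationTime |
    Export-Csv -Path (Join-Path $target 'starter-gpo-inventory.csv') -NoTypeInformation

# 2. Access control entries on the folder: who could change these templates.
(Get-Acl -LiteralPath $starterPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Export-Csv -Path (Join-Path $target 'starter-gpo-folder-acl.csv') -NoTypeInformation

# 3. File-level copy of the folder contents.
Copy-Item -LiteralPath $starterPath -Destination $copy -Recurse

# 4. Confirm the copy is complete before anything is deleted from SYSVOL.
$srcCount = @(Get-ChildItem -LiteralPath $starterPath -Recurse -File).Count
$dstCount = @(Get-ChildItem -LiteralPath $copy -Recurse -File).Count
if ($srcCount -ne $dstCount) {
    Write-Warning "Copy incomplete: $srcCount files in SYSVOL, $dstCount files in archive."
}

[pscustomobject]@{
    StarterGpoCount = $starters.Count
    SourceFiles     = $srcCount
    ArchivedFiles   = $dstCount
    ArchivePath     = $target
}
```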