Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
Windows Server

Windows Server 2012 Group Policies and Policy Management : Group Policy Policies Node

8/4/2013 9:17:01 AM

1. Group Policy Policies Node

The Policies node contained in both the computer and user configuration of group policies contain settings that in most cases are enforced and no longer configurable by the client. For settings that can have multiple values, the settings with the Policies node are enforced on the client, but administrators can add or still modify a portion of the setting. For example, if a user right assignment is configured within a domain-based policy, an administrator cannot remove the entries within that user right applied from the policy, but additional entries can be added and allowed. The Policies node contains security settings, including firewall and networking settings, but the bulk of the settings are contained within the Administrative Templates section of the Policies node.

Group Policy Administrative Templates

Administrative templates are the core elements that make up a GPO. Most settings available within an administrative template are used to configure a corresponding Registry value for the computer or a user account, usually defined within the HKEY_Local_Machine or the HKEY_Current_User Registry hive. Other settings are provided to run computer-based and user-based scripts and, in some instances, install or make software packages available to subsets of users or computers.

Administrative templates come in three basic types:

• ADM files for Windows 2000 Client and Server, Windows XP, and Windows Server 2003

• ADMX and ADML files for Windows Vista, Windows Server 2008 and later OSs

• Custom ADM, ADMX, and ADML files used to extend GPO functionality beyond what is already included in the Microsoft provided templates

Administrative Templates for Windows 2000, Windows XP, and Windows Server 2003

Administrative templates for Windows 2000, Windows XP, and Windows Server 2003 have a file extension of .adm. ADM file formats are unlike any other file format and are not the easiest to interpret and create. ADM files include not only the policy settings and their possible values, but they also include the friendly language used to represent the settings to the administrator viewing the policy settings using any of the GPO management tools.

For each GPO created by an administrator using the Windows XP or Windows Server 2003 GPO tools, a folder for that GPO is created in the connected domain controller’s SYSVOL folder. This unique GPO folder contains a common set of ADM files in the language used on the administrative client computer. As a result of this, in an Active Directory infrastructure that has multiple GPOs that use the common administrative templates, each GPO has copies of the same template files within each GPO folder. Each folder is commonly 3MB to 5MB in size and this is commonly referred to as SYSVOL bloat because the GPO folders are stored in the domain controller’s SYSVOL folder.

When new policies were created using the Windows XP and Windows Server 2003 GPO tools, a copy of each of the of the ADM template files from the client workstation was pushed up to the SYSVOL folder on the domain controller. When an existing GPO was edited or opened for viewing, the copy of the templates in the GPO folder was compared with the version of the template files on the administrative workstation. If the administrative workstation had a newer version, the workstation template was copied up to the GPO folder and the existing template in the folder was overwritten. This default behavior caused several problems when Microsoft released updated templates with service pack releases of Windows XP and Windows Server 2003.

A common issue related to this feature, as an example, is that if an administrator working on a Windows XP SP2 administrative workstation opened an existing GPO that was created with a Windows XP SP1 workstation, the template files would be updated to the new version, causing a replication of the updated templates across all domain controllers. Another implication of the template file is that the template files included the friendly language of the administrative workstation the GPO was created on and administrators across the globe would be unable to manage the same GPO in their local OS language. This, of course, caused several administration issues and, in some cases, regional Active Directory domains were created to allow regional administrators to manage their client workstations and users with GPOs written and managed in their local language. To support global administration, Active Directory infrastructures have become unnecessarily complicated and moved away from the original reason GPOs were created, to simplify the management, standardize security, and centrally administer and configure companywide resources.

As a means of avoiding the administrative-related and infrastructure-related issues associated with this GPO infrastructure, a common best practice for managing GPOs for XP or later OSs is to only manage GPOs from workstations or servers that meet a single specification for OS version, service pack level, and language. Another means of controlling this is to follow a common practice of configuring all GPOs to not automatically update GPO templates when a GPO is opened for editing. Automatic updates of ADM files are located in the User Configuration\Policies\Administrative Templates\System\Group Policy\ section and is named Turn Off Automatic Updates of ADM Files. As a best practice, many administrators enable this setting to improve GPO reliability and to keep GPO replication traffic at a minimum.

Group Policy Administrative Templates for Windows Vista and Windows Server 2008 and Later

Group Policy for Windows Vista and Windows 2008 has been completely revised and rebuilt from the XP/2003 version, but they still support Windows XP, and Windows Server 2003. Windows 7, Windows Server 2008 R2, and later build on this new revision, adding new settings to support the features of the latest OSs. The original ADM files have been replaced or split into two files:

• ADMX administrative template settings file

• ADML administrative template language file

The original GPO single administrative template ADM file format was replaced to overcome many of the original issues with this file format, including the unique ADM format as well as the inclusive local language of the particular ADM files contained on the administrative workstation.

With the separation of the ADM file into a settings and local language file, the new templates enable the administration of a single GPO using different local languages.

In earlier versions, when an administrator viewed or edited a GPO, the local template files from the administrative workstation were pushed up to the server GPO folder. With the new Windows 8/Windows Server 2012 GPO infrastructure, when the GPO is opened for viewing or editing, the template files located on the local hard drive are loaded to view the GPO. The GPO folder created with the Windows 8 or Windows Server 2012 GPO tools contains only the files and folders that contain the configured settings of the GPO and not the general template files, as with the earlier versions. This improves the GPO processing time as well as reduces the amount of data stored in the SYSVOL folder on each domain controller.

Custom Administrative Templates

Microsoft has provided, in earlier versions as well as the current release, the ability for administrators and independent software vendors (ISVs) to create their own administrative templates. The current administrative templates released with Windows 8 and Windows Server 2012 have all the original ADM settings as well as many of the settings that administrators either had to create custom templates to support or purchase ISV-created templates. But even though the new templates provide many more settings, there will still be custom Registry keys and values, specific application services, and other functions that organizations want to manage with GPOs. These settings will still need to be provided with custom templates or by ISV GPO products. For example, when Microsoft releases a new version of Internet Explorer, they provide a custom administrative template Group Policy administrators can import to block domain computers from downloading, installing, or even presenting the new browser in Windows Updates.

Many ISVs now provide administrative templates for their own applications. Microsoft also provides administrative templates to further manage their own applications and suites such as Microsoft Office include new templates that can be used with each new version of the office suites.

Custom administrative templates can be created in both the ADM and ADMX/ADML file formats. To support the amount of time and effort administrators and ISVs have put into creating custom templates and to support legacy applications, new GPOs will continue to support administrative templates created in the original ADM file format as well as the new ADMX/ADML formats.

Although Microsoft has provided the steps to create custom ADMX and ADML files, the current GPO management tools only allow adding custom ADM templates to specific GPOs. To leverage the settings in a new custom ADM file, the file must be added to each GPO that will use it. ADM files that are added to a GPO are made available beneath the respective Administrative Templates\Classic Administrative Templates (ADM) section of the computer or user configuration Policies node.

2. Group Policy Preferences Node

The Preferences node contained in both the computer and user configuration of group policies contain settings that in most cases are new settings that were previously not included in Group Policy settings and had to be managed with custom scripts and administrative templates. Preference settings are set initially, but in most cases the end user can change those settings after Group Policy processing. Preferences are unique in that within a preference setting there is a function named Item Level Targeting that allows a very granular application of the preference setting based on many different types of criteria. In essence, even though a group policy is applied to a set of users or computers, the preference settings within may only apply to a subset within that group. 

Other -----------------
- SQL Server 2012 : Running SQL Server in A Virtual Environment - MONITORING VIRTUALIZED DATABASE SERVERS
- SQL Server 2012 : Running SQL Server in A Virtual Environment - ARCHITECTING SUCCESSFUL VIRTUAL DATABASE SERVERS
- SQL Server 2012 : Running SQL Server in A Virtual Environment - IDENTIFYING CANDIDATES FOR VIRTUALIZATION
- SQL Server 2012 : Running SQL Server in A Virtual Environment - MANAGING CONTENTION
- Microsoft Content Management Server Development : A Placeholder Control to Store All HTML Tags (part 2)
- Microsoft Content Management Server Development : A Placeholder Control to Store All HTML Tags (part 1)
- Sharepoint 2013 : Create a Team Site, Create an Enterprise Wiki Site in SharePoint Server, Create a Blog Site
- Sharepoint 2013 : Create a Subsite
- SQL server 2008 R2 : Reverting to a Database Snapshot for Recovery
- SQL server 2008 R2 : Setup and Breakdown of a Database Snapshot
- First look: Apple Watch

- 10 Amazing Tools You Should Be Using with Dropbox

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
Popular keywords
HOW TO Swimlane in Visio Visio sort key Pen and Touch Creating groups in Windows Server Raid in Windows Server Exchange 2010 maintenance Exchange server mail enabled groups Debugging Tools Collaborating
Top 10
- Microsoft Excel : How to Use the VLookUp Function
- Fix and Tweak Graphics and Video (part 3) : How to Fix : My Screen Is Sluggish - Adjust Hardware Acceleration
- Fix and Tweak Graphics and Video (part 2) : How to Fix : Text on My Screen Is Too Small
- Fix and Tweak Graphics and Video (part 1) : How to Fix : Adjust the Resolution
- Windows Phone 8 Apps : Camera (part 4) - Adjusting Video Settings, Using the Video Light
- Windows Phone 8 Apps : Camera (part 3) - Using the Front Camera, Activating Video Mode
- Windows Phone 8 Apps : Camera (part 2) - Controlling the Camera’s Flash, Changing the Camera’s Behavior with Lenses
- Windows Phone 8 Apps : Camera (part 1) - Adjusting Photo Settings
- MDT's Client Wizard : Package Properties
- MDT's Client Wizard : Driver Properties
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro