Group Policy Update from GPMC
New to the GPMC with Windows 8 and Windows Server 2012, administrators can now force a Group Policy update to be processed on all systems within a specific OU from the GPMC. This functionality was previously lacking and is of great use to administrators who need to create and enforce a policy as soon as possible. However, it applies only to computers and not to users. To perform this task, right-click the desired OU and select Group Policy Update, as shown in Figure 2.
After you select the option, you are required to approve the update, and the results are shown in a Remote Group Policy Update Results window.
Figure 2. Group Policy Remote Update from GPMC.
Group Policy Infrastructure Status
One update to the Group Policy Management
Console is the domain Group Policy infrastructure status. Now within the
GPMC window, Group Policy administrators can check on the replication
status of GPOs across all domain controllers in the domain, as shown in Figure 3.
Figure 3. Group Policy infrastructure status.
PowerShell Management of Group Policies
With the release of Windows 8 and Windows
Server 2012, Microsoft has now added functionality to manage group
policies with PowerShell. This functionality is automatically enabled
when the Group Policy Management feature is installed on a Windows 8 or
Windows Server 2012 system. Microsoft includes 28 out-of-the-box
PowerShell cmdlets for Group Policy. The cmdlets allow a Group Policy
administrator to perform a number of different functions from within
PowerShell, including the following:
• Create new GPOs and create new starter GPOs
• Create new GPO links
• Restore or import GPOs
• Remove GPOs and GPO links
• Read/set the properties of an OU to inherit parent GPO links or to block inheritance
• Rename a GPO
• Generate a report of GPO settings and configurations
• Generate a Resultant Set of Policies report
• Generate a report on Group Policy inheritance
• Set GPO administrative permissions and delegation
• Set GPO policy and preference settings that are stored in the Registry
To get a list of the Group Policy-related PowerShell cmdlets, follow these steps:
1. Log on to a system that has the Group Policy Management Tools installed. The Group Policy tools can be installed with the Remote Server Administration Tools.
2. Move your mouse to the lower-right corner of the Desktop, expose the Charm bar, and click the magnifying glass to open the Search menu.
3. In the Search menu, search Apps for Windows, and then click the Windows PowerShell ISE tile.
4. When Windows PowerShell ISE opens, pull down the View menu and verify that the Show Command Add-on option is checked.
5. On the right of the console window in the Commands pane, pull down the Modules menu and select GroupPolicy to reveal the list of the related cmdlets, as shown in Figure 4.
6. As desired, select a particular cmdlet. After a cmdlet is selected, click Show Details to see the parameters or click the question mark icon to show the help information.
7. Close the Windows PowerShell ISE console window.
Figure 4. Group Policy PowerShell cmdlets.
Note
Windows PowerShell Integrated Scripting
Environment (ISE) is a powerful tool that enables administrators to
search and learn how to leverage PowerShell like never before and should
be explored.
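The cmdlet list from the steps above can also be produced at a prompt, and the read-only cmdlets combined into a review of who holds edit rights on each GPO. This is an added example, not code from the original text; the $expectedEditors list is an assumption to adjust for your domain.

```powershell
# Added example; requires the GroupPolicy module (Group Policy Management tools / RSAT).
Import-Module GroupPolicy

# Console equivalent of the Modules > GroupPolicy list in the ISE Commands pane.
Get-Command -Module GroupPolicy | Sort-Object Noun, Verb | Format-Table Verb, Noun -AutoSize

# Trustees expected to hold edit rights on GPOs (assumption: adjust for your domain).
$expectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

# Permission levels that let a trustee change what a GPO applies.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Read-only pass over every GPO and its delegation entries.
$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        if ($editLevels -contains $ace.Permission.ToString() -and
            $expectedEditors -notcontains $ace.Trustee.Name) {
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Trustee     = $ace.Trustee.Name
                TrusteeType = $ace.Trustee.SidType
                Permission  = $ace.Permission
                Modified    = $gpo.ModificationTime
            }
        }
    }
}

# Each row is a GPO that someone outside the expected list can modify.
$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Entries reported with the GpoCustom permission level are not covered by this filter and need a manual look at the GPO's Delegation tab.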
Event Viewer
Event Viewer for Windows 8 and Windows Server
2012 includes several new event logs, which now provide additional GPO
logging events, similar to those shown in Figure 5.
GPO logging now includes administrative GPO events, stored in the System log with a source of Group Policy (Microsoft-Windows-GroupPolicy), and GPO operational events, stored under Applications and Services Logs in Microsoft/Windows/GroupPolicy/Operational. By default, minimal logging for Group Policy processing is performed, but if additional logging or troubleshooting is required, you can increase the logging level.
Figure 5. Group Policy events.
GPO Administrative Events
The administrative events include the state of
the GPO processing on a particular computer or user, including
high-level information detailing if GPO processing was successful or
failed. To view Group Policy administrative events, follow these steps:
1. Log on to a designated administrative server running Windows Server 2012.
2. Open the Event Viewer from the Search Apps menu.
3. When Event Viewer opens, expand Windows Logs.
4. Right-click the System log and select Filter Current Log.
5. In the middle of the filter window, click the Event Sources drop-down arrow.
6. Scroll down and check Group Policy (Microsoft-Windows-GroupPolicy) and click back on the filter window to close the menu.
7. Click OK at the bottom of the window to apply the filter.
8. Review the Group Policy events.
9. If the task is complete, close Event Viewer to clear the filter; otherwise, clear the filter by right-clicking the System log and selecting Clear Filter.
10. Close Event Viewer when you have finished.
GPO Operational Events
The GPO operational events include very
granular detail of GPO processing. When GPO processing occurs, the
operational events are created almost one for one with each task
included within the GPO processing. This new logging functionality
simplifies troubleshooting GPO processing tremendously. To view the GPO
operational events on a Windows Server 2012 system, follow these steps:
1. Log on to a designated administrative server running Windows Server 2012.
2. Open the Event Viewer.
3. When Event Viewer opens, expand Applications and Services Logs.
4. Expand Microsoft.
5. Expand Windows.
6. Expand Group Policy.
7. Select the Operational log beneath the Group Policy container and view the events in the right pane.
8. Click particular events to see the details.
9. Close Event Viewer when you have finished.
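The two Event Viewer procedures above can be combined in PowerShell: find the administrative errors and warnings in the System log, then pull the operational events that belong to the same processing pass. This is an added example, not code from the original text; the 24-hour window is an assumption.

```powershell
# Added example; run on the computer whose Group Policy processing is being examined.
$since = (Get-Date).AddDays(-1)   # assumption: 24-hour look-back window

# Administrative events: System log, source Microsoft-Windows-GroupPolicy,
# limited to Error (2) and Warning (3).
$admin = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Level        = 2, 3
    StartTime    = $since
} -ErrorAction SilentlyContinue

foreach ($evt in $admin) {
    # One header line per administrative event.
    '{0:u}  Id {1}  {2}' -f $evt.TimeCreated, $evt.Id, ($evt.Message -split "`r?`n")[0]
    if (-not $evt.ActivityId) { continue }

    # Operational events from the same processing pass carry the same ActivityID,
    # so an XPath filter on it returns the step-by-step trace for this failure.
    $xpath = "*[System/Correlation/@ActivityID='{$($evt.ActivityId)}']"
    Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
                 -FilterXPath $xpath -Oldest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```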
DFS Management
GPO files are stored in the Active Directory
domain SYSVOL folder. GPO files in the SYSVOL folder are replicated by
the Distributed File System Replication service. The DFS Management
console enables administrators to configure the replication options,
including scheduling and other DFS management tasks. The SYSVOL share is
known as the domain system volume, and the replication of this volume
follows the site link replication schedule. Changing or managing the domain system volume replication schedule
between domain controllers in the same Active Directory site is not an
option. One thing that has been added to Windows Server 2012 GPMC is the
ability to view the Group Policy infrastructure status, which includes
the replication status of the GPO back-end files stored on SYSVOL.
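A scripted check related to the infrastructure status view described here and in the Group Policy Infrastructure Status section: compare each GPO's Active Directory and SYSVOL version counters as reported by every domain controller. This is an added example, not code from the original text, and it is narrower than the GPMC view because it looks at version counters only; it assumes the GroupPolicy and ActiveDirectory modules are installed.

```powershell
# Added example; requires the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy, ActiveDirectory

$dcs = @(Get-ADDomainController -Filter *)

# One row per GPO per domain controller, read from that domain controller.
$rows = foreach ($dc in $dcs) {
    foreach ($gpo in Get-GPO -All -Server $dc.HostName) {
        [pscustomobject]@{
            DC            = $dc.HostName
            Gpo           = $gpo.DisplayName
            Id            = $gpo.Id
            # User AD / user SYSVOL / computer AD / computer SYSVOL version counters.
            Versions      = '{0}/{1}/{2}/{3}' -f $gpo.User.DSVersion, $gpo.User.SysvolVersion,
                                                 $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion
            AdSysvolMatch = ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion) -and
                            ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
        }
    }
}

# Flag a GPO when it is missing on a DC, when AD and SYSVOL disagree on any DC,
# or when the version counters differ between DCs.
$rows | Group-Object Id | Where-Object {
    ($_.Count -ne $dcs.Count) -or
    ($_.Group.AdSysvolMatch -contains $false) -or
    (@($_.Group.Versions | Sort-Object -Unique).Count -gt 1)
} | ForEach-Object { $_.Group } |
    Sort-Object Gpo, DC |
    Format-Table DC, Gpo, Versions, AdSysvolMatch -AutoSize
```

A GPO that appears briefly after an edit and then clears is normal replication latency; one that stays listed points to a replication problem on the named domain controller.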