Group policy has always been a popular feature with most, if not all, enterprises. As Microsoft releases newer generations of Windows operating systems, greater control over the infrastructure is possible. In this article, we’ll cover how group policy in Windows Server 2008 R2 makes a group policy administrator happy.
What is Group Policy?
Group policy allows the centralization of configuration management for operating systems and applications. Configuration management includes Windows settings, software settings and administrative settings. In the latest Windows Server releases, group policy received some enhancements we can break down into four areas, namely: PowerShell Cmdlets, Group Policy Preferences, Starter Group Policy Objects and Administrative Template settings. We’ll discuss these areas, then show you some common uses for these policies.
PowerShell Cmdlets
If you are familiar with PowerShell, you can now manage group policies with PowerShell cmdlets. In every new PowerShell session, you first need to run Import-Module GroupPolicy to load the group policy cmdlets.
To create a group policy object:
New-GPO
To delete a group policy object:
Remove-GPO
To link a group policy object to a container:
New-GPLink
To back up or restore one or more GPOs:
Backup-GPO or Restore-GPO
For a list of group policy cmdlets, execute:
Get-Help *gp*
Other than PowerShell Cmdlets for group policy, if you are using PowerShell as your logon/log off scripts, you will be happy to hear that group policy now supports the running of PowerShell scripts on computer startup, shutdown, logon and log off.
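The cmdlets listed above fit together into a change workflow in which a GPO is linked disabled, backed up before it is edited, and restored if the change fails. This is an added example, not code from the original article; the GPO name, OU path and backup folder are hypothetical placeholders.

```powershell
# Added example; GPO name, OU and backup folder are hypothetical placeholders.
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'    # turn cmdlet errors into exceptions for try/catch

$gpoName   = 'Kiosk-Baseline'
$targetOU  = 'OU=Kiosks,DC=corp,DC=example,DC=com'
$backupDir = 'C:\GPOBackups'

if (-not (Test-Path $backupDir)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
}

# Create the GPO only if it is absent, and link it disabled so that nothing
# applies to the OU until the settings have been reviewed.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Baseline for public kiosks' | Out-Null
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled No | Out-Null
}

# Snapshot the current state before changing anything.
$backup = Backup-GPO -Name $gpoName -Path $backupDir -Comment "Pre-change $(Get-Date -Format s)"
Write-Output "Backup $($backup.Id) written to $backupDir"

try {
    # ... edit the GPO's settings here ...

    # Turn the link on once the change is complete.
    Set-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null
}
catch {
    # Roll the GPO back to the exact snapshot taken above, then surface the error.
    Restore-GPO -BackupId $backup.Id -Path $backupDir | Out-Null
    throw
}

# Retiring the GPO later: Remove-GPO deletes the object.
# Remove-GPO -Name $gpoName
```

Keeping the backup folder on a path that only GPO administrators can write to prevents a tampered backup from being restored over a live policy.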
Group Policy Preferences
A few areas of Group Policy Preferences have been enhanced, in particular the power management, scheduled task, immediate task and IE8 preference items. Here are some usage examples:
Some applications — if not closed properly — will corrupt the database or data files. With the policy Allow Automatic Sleep with Open Network Files, we can prevent a computer from sleeping if network files are open.
Windows Vista supports a policy called Specify the System Sleep Timeout, which applies when a user is or was present at the machine and dictates how long the system should wait while idle before going to sleep. Windows 7 adds a new option called Specify the Unattended Sleep Timeout, which applies when no user is present (e.g., the machine woke automatically from sleep at 3 a.m. to do some maintenance work) and dictates how long the machine should wait in this case before going back to sleep.
With the introduction of Windows Vista, Task Scheduler has received a huge facelift, with extra options like the ability to send an email when a task runs. It is now possible to push group policies for Windows Vista and Windows 7 clients through Windows Server 2008 R2’s group policy management. The same goes for Immediate Task: when group policy is refreshed, the client machine runs the task and deletes it on finishing.
IE8 is new in Windows Server 2008 R2 and Windows 7, and new group policies are created to cater to IE8 users. Note that the OS could be running Windows XP, but as long as IE8 is installed, these group policy settings can be applied. Here are a few common settings that you might want to know:
Turn on Internet Explorer Standards Mode for Local Intranet: If your intranet sites do not work on IE8, you can force IE8 to run all intranet sites in compatibility view.
Configure Delete Browsing History on exit: If you manage public kiosks, security can be further tightened by automatically deleting browsing history when IE closes.
Maximum number of connections per server (HTTP 1.0): With the introduction of AJAX, clients (browsers) use more connections to a single server. By default in IE8, one server can have up to 6 connections, up from 4 connections in previous IE versions.
Prevent Bypassing SmartScreen Filter Warnings: SmartScreen is a new feature of IE8 that sends the URL to Microsoft to check whether the link has been blacklisted by Microsoft. In a highly secured environment, administrators might want to enable this setting.
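The two security-relevant IE8 settings above (delete browsing history on exit, no bypassing of SmartScreen warnings) can be written into a GPO and audited from PowerShell. This is an added example, not part of the original article: the GPO name is hypothetical and must already exist, and the registry value names are the assumed ADMX mappings for these policies, to be confirmed against inetres.admx before use.

```powershell
# Added example. 'Kiosk-Baseline' is a hypothetical, already existing GPO.
# The value names below are assumed mappings for the two IE8 policies;
# confirm them against inetres.admx in your environment.
Import-Module GroupPolicy

$gpoName = 'Kiosk-Baseline'
$ieBase  = 'HKLM\Software\Policies\Microsoft\Internet Explorer'

$desired = @(
    # Prevent Bypassing SmartScreen Filter Warnings
    @{ Key = "$ieBase\PhishingFilter"; ValueName = 'PreventOverride';            Value = 1 },
    # Configure Delete Browsing History on exit
    @{ Key = "$ieBase\Privacy";        ValueName = 'ClearBrowsingHistoryOnExit'; Value = 1 }
)

# Write each registry-based policy value into the GPO.
foreach ($s in $desired) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.ValueName `
        -Type DWord -Value $s.Value | Out-Null
}

# Audit: read the values back and report anything missing or different.
$drift = foreach ($s in $desired) {
    $current = Get-GPRegistryValue -Name $gpoName -Key $s.Key `
        -ValueName $s.ValueName -ErrorAction SilentlyContinue
    if (-not $current -or $current.Value -ne $s.Value) {
        "{0}\{1}: expected {2}, found {3}" -f $s.Key, $s.ValueName, $s.Value,
            $(if ($current) { $current.Value } else { 'not set' })
    }
}

if ($drift) {
    Write-Warning "GPO '$gpoName' deviates from the expected settings:"
    $drift
}
else {
    Write-Output "GPO '$gpoName' carries both expected IE8 settings."
}

# Keep a human-readable record of the GPO for change review.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Running only the audit half on a schedule gives a simple check that nobody has relaxed these settings in the GPO.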
Starter Group Policy Objects
If you are wondering what Starter Group Policy Objects are, they allow a baseline of security settings to be applied for specific scenarios. A Starter Group Policy Object stores a set of Administrative Template policy settings in a single object. These scenarios include:
- Windows Vista Enterprise Client
- Windows Vista Specialized Security Limited Functionality (SSLF) Client
- Windows XP SP2 Enterprise Client
- Windows XP SP2 SSLF Client
As long as the domain controller is installed on Windows Server 2008 R2, or Remote Server Administration Tools (RSAT) is installed on Windows 7, Starter Group Policy Objects are built in by default.
Administrative Template
With so many group policy settings built into Windows Server, most administrators won’t be familiar with every policy. In the past, we had to click through different tabs just to understand a policy and configure it. On Windows Server 2008 R2, however, the interface has been redesigned into a single view that makes policies easier to understand and configure. This will be one of the most welcome features for group policy administrators.