
Using Group Policy with Windows and Windows Server 2008

CLI331: Using Group Policy with Windows and Windows Server 2008. Mazhar Mohammed, Development Manager; Derek Melber, DesktopStandard. Session objectives and agenda: new features in Windows Vista (Multiple Local GPOs, Network Awareness, ADMX Files, Improved Logging).


Presentation Transcript


  1. CLI331: Using Group Policy with Windows and Windows Server 2008. Mazhar Mohammed, Development Manager; Derek Melber, DesktopStandard

  2. Session Objectives and Agenda
     • New features in Windows Vista
       • Multiple Local GPOs
       • Network Awareness
       • ADMX Files
       • Improved Logging
     • Coming in Windows Server 2008
       • Filters
       • Comments
       • Starter GPOs
     • So, what about those DesktopStandard products?
       • GPOVault
       • PolicyMaker

  3. Lots of Group Policy Content This Week…
     • Breakout Sessions
       • CLI331: Using Group Policy with Windows Vista and Windows Server 2008 – Mark Williams (Wed 10:15am – 11:30am, Thu 1:00pm – 2:15pm)
       • CLI316: Microsoft Desktop Optimization Pack: Advanced Group Policy Management – Derek Melber and Winni Verhoef (Tue 4:30pm – 5:45pm)
       • CLI405: Deep Dive Into Windows Vista Group Policy Changes and Troubleshooting – Jeremy Moskowitz (Tue 8:30am – 9:45am, Thu 9:45am – 11:00am)
     • Chalk Talk
       • CLI103-TLC: ADMX File Creation and Management – Judith Herman (Wed 3:45pm – 5:00pm)
     • Hands-on Lab
       • CLI13-HOL: Managing Windows Server 2008 and Windows Vista using Group Policy – Self Study lab, throughout the week
       • CLI13-ILL: Managing Windows Server 2008 and Windows Vista using Group Policy – Gary Dunlop (Tue 10:15am – 11:30am, Wed 8:30am – 9:45am)

  4. Group Policy Before Windows Vista
     • Heavily used…
       • Majority of enterprise customers actively use Group Policy
       • Around 1,800 policy settings in Windows XP
     • But…
       • Group Policy process was part of Winlogon
       • Policy setting coverage wasn’t great and missed some important business scenarios
       • Managing ADM files was “interesting”
       • Limited awareness of changing network conditions
       • Limited flexibility with a single local GPO
       • Troubleshooting Group Policy was not a joyful experience
       • Need to find settings? “Where is that spreadsheet?”

  5. A Summary of New Features in Windows Vista (Windows Vista/Windows Server 2008)
     • Group Policy Templates
       • ADM templates now in ADMX files (ADMX, ADML)
     • Group Policy Tools
       • New GPOE & GPMC tools
       • Use consistent versions!
     • Group Policy Service
       • GP now runs in a shared service
       • Hardened service, more reliable
     • Multiple Local GPOs (LGPOs)
       • Local Computer Policy
       • Admin/Non-Admin Group Policy
       • User Specified Group Policy
     • Group Policy Settings
       • Over 800 new policy changes with Windows Vista
       • Extended GP for new Windows Vista features
     • Group Policy Enhancements: Network Location Awareness (NLA)
       • NLA service provides the latest network information
       • Applications can query or register with NLA for network change indications
     • Group Policy Central Store
       • Centralized repository for ADMX
       • Contains all ADMX templates
       • Created in the Sysvol on DC in each domain
     • Group Policy Logging
       • Administrative log
       • Applications and Services log
       • XML based event logs
       • New tools: GPLogView
     • [Diagram labels: SysVol on the DC with Policies, GUID, ADM and Policy Definitions folders; FRS/DFS-R replication of ADMX, ADML files]

  6. Multiple Local GPOs
     • More granular management of the local machine (for example, differences for admin and non-admin users)
     • Local GPOs still have lower precedence than domain-based GPOs!
     • Processed in the following order (least precedence first)
       • Local Policy Object (as before Windows Vista and always exists)
         • Processes both computer and user policy
       • Admin/Non-Admin LGPOs (optionally created by admin)
         • Mutually exclusive for any one user
         • Processes only user policy
       • Specific User LGPO (created by admin)
         • Local user accounts
         • Processes only user policy
     • Create/manage LGPOs through GPEdit.msc
     • New policy in Windows Vista to turn off LGPO processing (only available for domain-joined machines - think about it!)

  7. Network Awareness
     • Slow Link Detection
       • Used to be based on ICMP/PING
       • Now uses NLA (no reliance on ICMP/PING)
     • Policy Refresh
       • When a DC is detected, NLA tells GP it can refresh
       • If refresh did not occur within last interval, GP will automatically update
       • If refresh did occur during last interval, GP will not refresh (waits for next scheduled refresh)
       • When DC is not responsive, policy processing fails and uses the same state as last successful application
       • Now responsive to VPN sessions being established

  8. Improved Group Policy Logging
     • New logging based upon Windows Eventing
     • Two new logs
       • “Windows Log”
         • Administrative events are created in the System log with “Group Policy” as the event source name
       • “Applications and Services Log”
         • Stores operational events
         • Replaces userenv.log troubleshooting file
     • New Event Viewer options to report, filter and create customised log views
     • GPLogView Tools
       • Allows export to XML for event logging
       • Real-time logging

  9. demo Using Multiple LGPOs and Viewing Group Policy Logs

  10. From ADM to ADMX/L
     • Why move away from ADM files?
       • Language independence
       • Sysvol bloat
       • Ease of use (ADM “language”)
     • So, what did we do?
       • Introduced ADMX and ADML files
       • Introduced the ADMX Central Store
       • Moved to XML

  11. Language Independence
     • ADM files include strings for a single language
     • By comparison, with ADMX files:
       • One ADMX file is associated with one or more ADML (Language) files
       • ADMX files sit in the policydefinitions “root,” with ADML files in language-specific subdirectories
       • Adding support for a language means adding an ADML file

  12. Sysvol Bloat
     • Before Windows Vista, when you create a GPO, an ADM subdirectory is created in the GPO automatically (Sysvol)
     • If you merely view a GPO that does not have the ADM directory, it is recreated
     • The ADM subdirectory includes five ADM files, totaling about 3.5 MB
     • 100 GPOs? That’s about 350 MB of data, replicated to all DCs. That’s Sysvol Bloat!

  13. ADMX, ADML Files and the Central Store
     • The Central Store is a domain-wide directory
       • In Sysvol at \Policies\PolicyDefinitions
       • Stores ADMX files (normally one per component)
       • One subdirectory for each supported language (en_us, fr, etc.), each storing ADML files
     • If the Central Store exists, Windows Vista tools use it for locating ADMX/ADML files
     • If the Central Store does not exist, Windows Vista tools use their local policydefinitions directory

  14. Interop
     • Windows Vista and Windows Server 2008
       • Can manage all Group Policy operating systems
       • Can manage:
         • Windows XP
         • Windows Server 2003
         • Windows 2000
     • Windows XP, Windows Server 2003 and Windows 2000
       • Cannot manage Windows Vista or Windows Server 2008

  15. demo: Creating the Central Store (Sysvol Bloat and How to Avoid It)

  16. Things You Should Know About ADMX Files
     • Neither ADMX files nor the Central Store has any dependency on Windows Server 2008 (works fine with Windows Server 2003, Windows 2000 and Windows Server 2008 domains). It’s just a directory!
     • Windows Vista machines:
       • Use local ADMX files if the Central Store is not created, or
       • Use the Central Store if it exists, ignoring local ADMX files
     • Windows Vista will consume any custom ADM files found in a GPO, but ignores the system ADM files
     • ADMX files can be stored in the Central Store but not in individual GPOs; you can still add ADM files to a GPO

  17. Coming in Windows Server 2008
     • Search/Filters: constrain the list of settings based on…
       • Text search of setting title, explain text and comments
       • Platform and applications “supported on”
       • Managed (true GP policy setting)
       • Configured (enabled or disabled)
       • The result of a search is a filtered view in the editor
     • Comments: annotate per GPO or per setting

  18. Coming in Windows Server 2008
     • Starter GPOs:
       • Encapsulate best practices/scenarios
       • Contain recommended policy settings and values
       • Microsoft will make some available for download
       • Anyone can create and share new custom templates
       • Create new GPOs based on a Starter GPO

  19. demo Filters, Comments and Starter GPOs

  20. PolicyMaker Functionality
     • Greatly extends number of settings
       • Computer/user settings
       • Control Panel/Windows settings
     • New functionality for new settings
       • Rich UI for easier administration
       • Settings-level filtering
       • Comments
     • We are considering how and when to integrate into Windows

  21. PolicyMaker Settings Examples
     • Control Panel includes:
       • Folder Options
       • Local Users and Groups
       • Scheduled Tasks
     • Windows Settings include:
       • Drive Mapping
       • Folders
       • Registry
       • Shortcuts

  22. Advanced Group Policy Management
     • Previously DesktopStandard GPOVault
     • Version 2.5 released in July as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance customers
     • Key Features
       • Offline Editing
       • Check In/Out
       • Version Control
       • Role-based Delegation
       • Difference Reports (between GPO versions, archived vs. deployed)

  23. demo: Advanced Group Policy Management and What-Was-PolicyMaker

  24. Helpful Resources
     • Group Policy TechNet page: http://www.microsoft.com/technet/grouppolicy
     • Group Policy Wiki: http://grouppolicy.editme.com
     • Group Policy Team Blog: http://blogs.technet.com/grouppolicy
     • Deploying Group Policy Using Windows Vista: http://go.microsoft.com/fwlink/?LinkId=77080
     • Group Policy Settings Reference Windows Vista: http://go.microsoft.com/fwlink/?LinkId=54020
     • Step-by-Step Guide to Managing Multiple Local Group Policy Objects: http://go.microsoft.com/fwlink/?LinkId=73434
     • How to troubleshoot Group Policy using Event logs: http://go.microsoft.com/fwlink/?LinkId=74139

  25. Resources
     • Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
     • Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
     • Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
     • Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx

  26. Q&A

  27. Want to know more about Microsoft System Center? Come to the Yellow TLC area (MGT) and see the Microsoft System Center product family

  28. Complete an evaluation on CommNet and enter to win!
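
The Central Store lookup and the Sysvol bloat arithmetic from slides 12, 13 and 16, as an added PowerShell example that is not part of the original presentation. It assumes a domain-joined machine, the standard SYSVOL share layout (`\\<domain>\SYSVOL\<domain>\Policies`) and GPO folders named by GUID; `$Domain` is a hypothetical parameter.

```powershell
# Added example: audit SYSVOL for the Central Store and for per-GPO ADM folders.
# Assumption: read access to SYSVOL; $Domain defaults to the user's DNS domain.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$policies     = "\\$Domain\SYSVOL\$Domain\Policies"
$centralStore = Join-Path $policies 'PolicyDefinitions'
$localStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'

# 1. Which ADMX source will the Vista-era editing tools use?
if (Test-Path -LiteralPath $centralStore) {
    $source = $centralStore
    Write-Output "Central Store found: $centralStore (local ADMX files are ignored)"
} else {
    $source = $localStore
    Write-Output "No Central Store; tools fall back to $localStore"
}

# 2. Each language subdirectory should hold one ADML per ADMX file.
$admx = @(Get-ChildItem -LiteralPath $source -Filter *.admx -File)
foreach ($lang in Get-ChildItem -LiteralPath $source -Directory) {
    $missing = @($admx | Where-Object {
        -not (Test-Path -LiteralPath (Join-Path $lang.FullName ($_.BaseName + '.adml')))
    })
    Write-Output ("{0}: {1} ADMX files, {2} without a matching ADML" -f
        $lang.Name, $admx.Count, $missing.Count)
}

# 3. Sysvol bloat: size of the ADM subdirectory inside each GPO folder.
$gpoDirs = Get-ChildItem -LiteralPath $policies -Directory | Where-Object Name -like '{*}'
$bloat = foreach ($gpo in $gpoDirs) {
    $adm = Join-Path $gpo.FullName 'Adm'
    if (Test-Path -LiteralPath $adm) {
        $bytes = (Get-ChildItem -LiteralPath $adm -File -Recurse |
                  Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Gpo = $gpo.Name; AdmMB = [math]::Round($bytes / 1MB, 2) }
    }
}
$bloat | Sort-Object AdmMB -Descending | Format-Table -AutoSize
$totalMB = [double](@($bloat) | Measure-Object -Property AdmMB -Sum).Sum
Write-Output "ADM data replicated to every DC: $totalMB MB across $(@($bloat).Count) GPOs"
```

A language directory reported with missing ADML files means policy settings from those ADMX files will not display properly for administrators editing in that language.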
