
Windows Server 2008 Group Policy

I’d like to cover some of the new features in Windows Server 2008. Since Vista and WS2008 share the same code base, many of the enhancements are across both platforms.
Features available now in Vista include:
-The GPO engine service is hardened and more reliable
-800 more policy settings (I’ll talk later about finding specific settings)
-Network location awareness is built-in
-Enhanced GPO error logging (more detail below)
-Templates are now in XML, using ADMX templates
-Multiple local GPOs
-GPO central store eliminates SYSVOL "ADM bloat"
GPO refresh is now network-aware: when a VPN session comes up and a domain controller becomes reachable, policy refreshes automatically instead of waiting for the next refresh interval. This is great for remote users who are rarely in the office; previously it was hit-and-miss whether a remote PC ever got a GPO refresh. Unfortunately there is no Exchange-style "RPC over HTTP" equivalent for Group Policy in Vista or Server 2008, so a refresh still requires a VPN (or other routed) connection to the corporate network.
Another common problem with GPOs is that Windows 2000, XP and 2003 all copy the .ADM template files into SYSVOL for EACH GPO. In WS2003, if you created a new GPO and edited a single setting, roughly 3.5MB of templates were written into that GPO's folder. In a large organization with many dozens or hundreds of GPOs, SYSVOL quickly becomes quite large, and all of it replicates to every DC. There is a GPO setting ("Turn off automatic update of ADM files") that changes this behavior, but it trades the bloat for manual maintenance of the ADM files.
With WS2008, Microsoft introduces the central store and ADMX files. ADMX files are XML GPO definition files that replace the legacy ADM templates; the language-specific display strings live in companion ADML files. The central store houses a single copy of each ADMX template, regardless of how many GPOs exist. As of this writing with RC0, the central store folder is not automatically created in SYSVOL.
To create the central store, create the following folder on a DC: %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions. From your 2008 DC, copy everything in %systemroot%\PolicyDefinitions (the .admx files and the language subfolder holding the .adml files) into that SYSVOL folder. Now if you create a new GPO, you will notice that it is not populated with several megabytes of template information. If you open the GPMC and edit a GPO, hover over "Administrative Templates" and it should display a message that the policy definitions were retrieved from the central store. Neat!
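The same procedure as a script, added here as an example rather than taken from the original post. It assumes it runs elevated on a WS2008 DC, that the DC's own %systemroot%\PolicyDefinitions is the source, and that the "domain" folder name under SYSVOL is the default one (it is a fixed name, not your DNS domain):

```powershell
# Added example: build the ADMX central store from the DC's local PolicyDefinitions.
# Assumptions: run elevated on the DC; SYSVOL lives at the default %SystemRoot%\SYSVOL path.
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies\PolicyDefinitions'

if (-not (Test-Path $source)) { throw "No local PolicyDefinitions folder at $source" }
if (-not (Test-Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# Copy the .admx files AND every language subfolder (the .adml files).
# Without a matching ADML folder the GPMC has no display text for the templates.
Copy-Item -Path (Join-Path $source '*') -Destination $store -Recurse -Force

# Verify: same number of .admx files on both sides, and at least one language folder.
$srcAdmx   = @(Get-ChildItem $source -Filter *.admx).Count
$storeAdmx = @(Get-ChildItem $store  -Filter *.admx).Count
$langDirs  = @(Get-ChildItem $store | Where-Object { $_.PSIsContainer }).Count

"ADMX files: source=$srcAdmx store=$storeAdmx; language folders in store: $langDirs"
if ($storeAdmx -ne $srcAdmx -or $langDirs -lt 1) {
    throw 'Central store is incomplete; check permissions on SYSVOL and re-run.'
}
```

SYSVOL replication carries the store to the other DCs, so run this once. One caveat worth knowing: once the store exists, the GPMC reads templates from it and ignores the local PolicyDefinitions folder, so a store that is never refreshed will hide settings added by a newer OS or service pack.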
Error logs now carry a "Correlation ActivityID" that is unique per refresh cycle, so you can easily filter for everything that happened during a single refresh. If you open the raw XML view of Event ID 8004, you will see the "Correlation ActivityID" field under the System element. To find the GPO log in WS2008, open Server Manager and navigate down to Diagnostics, Event Viewer, Applications and Services Logs, Microsoft, Windows, GroupPolicy, Operational (WHEW!). Previously, tracking down GPO refresh errors was very painful because the logs did not clearly delineate where one refresh cycle stopped and the next started.
Microsoft also created the GPLogView utility, which parses the GPO log into HTML (and other formats) and color-codes the output by Activity ID. It also has a real-time monitoring mode you can start and stop, which is great for troubleshooting because you can watch exactly what happens during a refresh as it runs.
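Grouping the operational log by Correlation ActivityID, as the previous two paragraphs describe, can also be done from PowerShell without GPLogView. The following is an added example, not code from the post or from Microsoft; it assumes Get-WinEvent (PowerShell 2.0 or later, so not the PowerShell 1.0 that ships with WS2008 RC0, where wevtutil.exe is the equivalent) and the log name shown:

```powershell
# Added example: one row per Group Policy refresh cycle, then the full trace of a cycle.
# Assumption: Get-WinEvent is available (PowerShell 2.0+).
$GPLog = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-GPRefreshCycles {
    # Summarize refresh cycles (newest first) with error and warning counts, so the
    # cycle that went wrong can be picked out before reading individual events.
    param([int]$MaxEvents = 2000)
    Get-WinEvent -LogName $GPLog -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object { $_.ActivityId } |          # events without a correlation id are skipped
        Group-Object ActivityId |
        ForEach-Object {
            $evts = @($_.Group | Sort-Object TimeCreated)
            # Level: 1 critical, 2 error, 3 warning, 4 informational
            New-Object PSObject -Property @{
                ActivityId = $_.Name
                Start      = $evts[0].TimeCreated
                End        = $evts[-1].TimeCreated
                Events     = $evts.Count
                Errors     = @($evts | Where-Object { $_.Level -le 2 }).Count
                Warnings   = @($evts | Where-Object { $_.Level -eq 3 }).Count
            }
        } |
        Sort-Object Start -Descending |
        Select-Object Start, End, Events, Errors, Warnings, ActivityId
}

function Get-GPRefreshCycle {
    # Every event of one cycle in order; defaults to the most recent cycle.
    # The id is compared client-side rather than in an XPath filter so the braces
    # and letter case of the GUID text in the event XML do not matter.
    param([string]$ActivityId, [int]$MaxEvents = 2000)
    if (-not $ActivityId) {
        $ActivityId = (Get-GPRefreshCycles -MaxEvents $MaxEvents | Select-Object -First 1).ActivityId
    }
    Get-WinEvent -LogName $GPLog -MaxEvents $MaxEvents |
        Where-Object { $_.ActivityId -eq $ActivityId } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: cycles that logged problems, then the full trace of the latest cycle.
Get-GPRefreshCycles | Where-Object { $_.Errors -gt 0 -or $_.Warnings -gt 0 } | Format-Table -AutoSize
Get-GPRefreshCycle | Format-Table -AutoSize
```

Pass the ActivityId from the first table to Get-GPRefreshCycle to read the failing cycle end to end; the first line of each message is enough to spot where in the cycle (DC discovery, GPO list retrieval, a particular client-side extension) things stopped.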
Server 2008 brings to the table:
-New Search and filter capabilities in the GPMC
–Setting title, explain text and comments
–Platform and applications the setting is supported on
–Results of a search in a filter view
-Annotate a whole GPO or individual settings
-Starter GPOs
–Encapsulate best practices or various scenarios
–Contain recommended policy settings and values
–Anyone can create and share custom templates
–Create a new GPO based on a starter GPO
-A total of more than 2,400 settings, up from 1,700 in WS2003
One of the real time savers is the new search feature in the GPMC. In RC0 it appears you can only search/filter "Administrative Templates" and NOT the Software Settings and Windows Settings branches. Hopefully MS will change this behavior before RTM.
To search Administrative Templates, edit a GPO, right-click Administrative Templates and choose Filter Options. To display all settings related to printers, change the criteria for Managed, Configured and Commented to "Any", then type "printer" in the keyword filter box. Click OK, then go to the "All Settings" container in the GPO, right-click it and make sure "Filter On" is checked. You should then see a list of approximately 30 settings containing the word printer.
GPOs are rarely documented, and months later you may wonder why a particular setting was configured. With Server 2008 you can annotate the GPO as a whole or individual settings: open the properties page for the GPO or for any setting and you will see a new Comment tab. This can be a lifesaver for recording why a setting was configured. The GPO-level comment is stored as plain text in a "GPO.cmt" file inside the GPO's SYSVOL folder, whereas individual setting comments are stored as XML in a "comment.cmtx" file inside the GPO's Machine or User folder.
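Because the comments are plain files in SYSVOL, they can be pulled out for review or export without clicking through every setting. The following is an added example, not code from the post; it assumes the comment.cmtx layout shown in the constructed sample at the bottom (a policyNamespaces section mapping prefixes to ADMX namespaces, comment elements whose commentText points at a $(resource.id) string, and a stringTable holding the text) and the default SYSVOL path. The namespace and policy name in the sample are placeholders, not a real template:

```powershell
# Added example: read GPO comments straight out of SYSVOL.
# Assumptions: comment.cmtx structure as in the constructed sample below; default SYSVOL path.

function Get-GPSettingComment {
    # Parse one comment.cmtx document into (Namespace, Policy, Comment) rows.
    param([Parameter(Mandatory = $true)][xml]$Cmtx)
    $root = $Cmtx.policyComments

    # prefix -> ADMX namespace, so each policyRef can be traced back to its template.
    # GetAttribute() is used because "prefix" also exists as a .NET property on XmlElement.
    $ns = @{}
    foreach ($u in $root.policyNamespaces.ChildNodes) {
        if ($u.LocalName -eq 'using') { $ns[$u.GetAttribute('prefix')] = $u.GetAttribute('namespace') }
    }

    # resource id -> the actual comment text
    $strings = @{}
    foreach ($s in @($root.resources.stringTable.string)) { $strings[$s.GetAttribute('id')] = $s.InnerText }

    foreach ($c in @($root.comments.admTemplate.comment)) {
        $prefix, $policy = $c.GetAttribute('policyRef') -split ':', 2
        $text = $c.GetAttribute('commentText')
        # commentText is normally an indirection like $(resource.MyId); resolve it
        if ($text -match '^\$\(resource\.(.+)\)$') { $text = $strings[$matches[1]] }
        New-Object PSObject -Property @{ Namespace = $ns[$prefix]; Policy = $policy; Comment = $text }
    }
}

function Get-GPComments {
    # Walk every GPO folder in SYSVOL: GPO.cmt (plain text, whole-GPO comment) and
    # Machine\comment.cmtx / User\comment.cmtx (per-setting comments).
    param([string]$PoliciesRoot = (Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'))
    foreach ($gpo in Get-ChildItem $PoliciesRoot | Where-Object { $_.PSIsContainer }) {
        $cmt = Join-Path $gpo.FullName 'GPO.cmt'
        if (Test-Path $cmt) {
            New-Object PSObject -Property @{
                GpoGuid = $gpo.Name; Scope = 'GPO'; Namespace = ''; Policy = ''
                Comment = (Get-Content $cmt) -join ' '
            }
        }
        foreach ($scope in 'Machine', 'User') {
            $cmtx = Join-Path $gpo.FullName "$scope\comment.cmtx"
            if (Test-Path $cmtx) {
                Get-GPSettingComment -Cmtx ([xml](Get-Content $cmtx)) |
                    Select-Object @{ Name = 'GpoGuid'; Expression = { $gpo.Name } },
                                  @{ Name = 'Scope';   Expression = { $scope } },
                                  Namespace, Policy, Comment
            }
        }
    }
}

# Constructed sample comment.cmtx (placeholder namespace and policy name, not a real template).
$sample = [xml]@'
<?xml version="1.0" encoding="utf-8"?>
<policyComments revision="1.0" schemaVersion="1.0"
    xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
  <policyNamespaces>
    <using prefix="ns0" namespace="Example.Policies.Printing"/>
  </policyNamespaces>
  <comments>
    <admTemplate>
      <comment policyRef="ns0:ExamplePrinterPolicy" commentText="$(resource.ExamplePrinterPolicy)"/>
    </admTemplate>
  </comments>
  <resources minRequiredRevision="1.0">
    <stringTable>
      <string id="ExamplePrinterPolicy">Set per change request CR-0000; see the printing runbook.</string>
    </stringTable>
  </resources>
</policyComments>
'@

Get-GPSettingComment -Cmtx $sample | Format-Table Namespace, Policy, Comment -AutoSize
# Against the live SYSVOL on a DC:
# Get-GPComments | Export-Csv gpo-comments.csv -NoTypeInformation
```

The sample run yields one row: namespace Example.Policies.Printing, policy ExamplePrinterPolicy, and the resolved comment text. Exporting Get-GPComments periodically is a cheap way to keep the "why" for each setting next to a change record, which is exactly the documentation that otherwise never gets written.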
WS2008 brings many new GPO enhancements and increased usability features to the table. Searching, comments, and no more SYSVOL bloat will be great features for organizations of any size and even more so for large enterprises. I encourage you to try the latest beta and explore for yourself.


PointBridge Blogs
