This article series will focus on the Group Policy related features which will bring both easier manageability and better security.
If you would like to read the other parts in this article series please go to:
- Group Policy related changes in Windows Server 2008 - Part 2: GPMC Version 2
- Group Policy related changes in Windows Server 2008 - Part 3: Introduction to Group Policy Preferences
- Group Policy related changes in Windows Server 2008 - Part 4: Group Policy Preferences continued
In this article we will discuss “Starter GPOs”. With Starter GPOs you get the ability to save baseline templates to use when creating new Group Policy Objects (GPO). These templates can actually be exported to other domain environments, giving you enhanced flexibility.
The next articles in this series will deal with the new features of Group Policy Management Console (GPMC) version 2.0, new policy settings for Windows Server 2008, Group Policy Preferences Extensions and much more…
Please note that some of the information in this article series is based on information from the Beta versions of Windows Server 2008 (Beta 3, RC0 and RC1). So, some features and dialog boxes may change a bit before the final release.
GPMC – in and out?
Built into Windows Server 2008 is the new and shiny Group Policy Management Console (GPMC) version 2.0. The look and feel is pretty much like the older versions, but some nice features have been added.As you probably know, Service Pack 1 for Windows Vista will uninstall the version of GPMC that comes as part of the operating system – leaving you without a tool to manage you domain GPOs… But don’t get too disappointed now: around the release of SP1 for Vista GPMC version 2.0 will be available as a separate download from the Microsoft website.
So, to use GPMC version 2 you need one of the following:
- Microsoft Windows Vista Service Pack 1 with the GPMC 2.0 download, or
- Microsoft Windows Server 2008 with the Group Policy Management feature added.
Source Starter GPOs
When opening GPMC 2.0 you will probably notice a new (empty) container called "Starter GPOs". This new container can hold what I would call "templates" for creating new GPOs - with the limitation that only “Administrative Templates” settings are available – from both ‘Computer Configuration’ and ‘User Configuration’. Settings like “Software Settings” (software installation) and “Windows Settings” (scripts, account policies, user rights, software restriction policies, etc.) are NOT available in Starter GPOs, see Figure 1.Figure 1: Only settings from “Administrative Templates” |
Figure 2: Source Starter GPOs
The new GPO will contain all “Administrative Templates” policy settings from the Starter GPO which was used as a template during creation and the additional features we normally have within GPOs (like “Security Settings”, etc.). Everything other than “Administrative Templates” policy settings must then be created from scratch, just as it is today. This is where Advanced Group Policy Management (AGPM) templates show their worth. However, that product is not part of the scope for this article series, but my colleague Derek Melber has a great article on the AGPM product rightA new folder in SYSVOL
The first time you want to test - or use - Starter GPOs, you must enable the feature in the relevant domain(s). This is done by clicking the “Create Starter GPOs Folder” button, or just right clicking the “Starter GPOs” container and selecting “New…” (see Figure 3). The latter option actually creates the Starter GPOs folder too. After clicking the “Create Starter GPOs Folder” button you will have to right click the “Starter GPOs” container anyway and choose “New…”. So, if you want to save a click (hey, maybe someday you’ll need it elsewhere), just forget about the fancy button and instead select “New…” as the first thing you do (unless you have a really good reason not doing so).Figure 3: First time use
The “New Starter GPO” dialog should pop up, asking you to leave a name and a comment up front, see Figure 4. Figure 4: Creating a new Starter GPO
Note that anything you type into the “Comment” field will be inherited to any GPO created with this particular Starter GPO as source. The text will be written as the GPO comment – a new feature which we will get back to in another part of this article series.When you 'enable' Starter GPOs in the domain for the first time, a folder called "StarterGPOs" is created inside the SYSVOL folder at this path: “\\domain.com\SYSVOL\domain.com\StarterGPOs” - this is where all the "magic" is done (see Figure 5).
Figure 5: The StarterGPOs folder in SYSVOL
For each new Starter GPO you create, you will see a new folder below this folder - each will have a unique GUID (just like regular GPOs). So, when you create a new GPO with a Starter GPO as source, a nice and simple COPY process is actually performed behind the scenes. The subfolders and files below the Starter GPOs GUID folder is just copied into the \\domain.com\SYSVOL\domain.com\Policies\[SomeNewGUID] folder (a new unique GUID is created on the fly) - and ‘presto’, you are ready to deploy a fresh GPO. Figure 6: Ready to create a new GPO, but not from “scratch” anymore
When right-clicking a Starter GPO, see Figure 6, you have the option to create a “New GPO From Starter GPO…”. This will give almost the same dialog as when you choose to create a new GPO from the “Group Policy Objects” container (see Figure 4) - or when right clicking an Organizational Unit (OU), or the domain itself, and selecting the option: ”Create a GPO in this domain, and Link it here...” – only this time the “Source Starter GPO” dropdown box is grayed out and static. Figure 7: Source Starter GPO is grayed out
The cabinet and what’s inside
The very cool thing is that you can now "export" those GPO templates (Starter GPOs) to a Cabinet file (.CAB) and then import this cabinet into another environment - completely independent of the source domain/forest! These Group Policy Objects are ‘airborne’ so to speak – finally you might add…So, you can now create the PERFECT Starter GPO, export it (see “Save as Cabinet…” button in Figure 8) and then bring it around the world, share it with friends, on your website, deploy it on all systems you can get a hold on, etc. After the import process, which is extremely easy (see “Load Cabinet…” button in Figure 8), you are ready to create new GPOs with the Starter GPO as a baseline.
Figure 8: Load or Save Cabinet file
If you are just as nosy as I am, you are probably dying to know what’s inside the .CAB file… Let me release you from your pain: Each file contains a minimum of 2 (if nothing is configured) and up to 6 compressed files, depending on what settings you have configured in the particular Starter GPO:Filename | Contents |
StarterGPO.tmplx | Contains GUID, version information, name, description and more (XML format). This file is always inside the CAB file. |
Report.html | The settings report is generated and included as an HTML file for every “export”. This is probably done for easy reference & documentation. This file is always inside the CAB file. |
Machine_Registry.pol | The ‘Computer Configuration’ (CC) part of the GPO. This file is only present if any CC settings are present in the Starter GPO. |
User_Registry.pol | The ‘User Configuration’ (UC) part of the GPO. This file is only present if any UC settings are present in the Starter GPO. |
Machine_Comment.cmtx | Contains comments* made on settings within the CC part of the Starter GPO (XML format). This file is only present if a minimum of one CC setting has a comment linked to it. |
User_Comment.cmtx | Contains comments* made on settings within the UC part of the Starter GPO (XML format). This file is only present if a minimum of one UC setting has a comment linked to it. |
* I’ll get back to “comments” in another part of this article series.
One limitation with the Cabinet export is that you can only export a single Starter GPO per Cabinet file. So, this procedure does not take over from a regular backup procedure, which is covered next.
Backup Starter GPOs separately
The way things look right now you will have to create a separate backup process for Starter GPOs. This is because they are not backed up through the GPMC "Backup All" method you have for the regular GPOs – but they have a separate backup procedure.If you right click the “Starter GPOs” container you have the “Back Up All…” option. This will backup all of your Starter GPOs in one go (see Figure 9).
Figure 9: Back Up All Starter GPOs at once
If you just right click a single Starter GPO in the right pane of the GPMC you will see the “Back Up…” option. This will create a backup of that particular Starter GPO only. Figure 10: Select a backup location
So far there's no script for backing up the Starter GPOs, but I'm pretty sure it will show up (just like the "BackupAllGPOs.wsf” script from the GPMC Sample Scripts package).Delegate the power
As with many other Windows features, you can delegate permissions to other users and/or groups. In this case you can delegate the permissions to create Starter GPOs in the domain. This is done from the “Delegation” tab which is visible only when the “Starter GPOs” container is selected in the tree view to the left, inside the GPMC (see Figure 11). Figure 11: The Delegation tab for Starter GPOs
Behind the scenes this tab reflects the NTFS security permissions on the “StarterGPOs”-folder below SYSVOL (see above); only users and groups with the adequate permissions will show up in this view.Conclusion
Starter GPOs are templates to be used as baselines for new Group Policy Objects – making it fast and easy to create, export and import “Administrative Templates” policy settings. They may not include the same features as the GPO Templates we got with AGPM - but, even if you don't have the required DOP/SA license you still get a few cookies for "free" with Starter GPOs...The only thing I personally don’t like about Starter GPOs is the name – to me it is a plain old ‘template’, just for GPO settings. But, my guess is that the word “template” is reserved for the more “feature complete” functionality: AGPM templates, but more on those some other time.
Update
Since this article was published Microsoft has released the required Group Policy Preference Client Side Extensions. These are the links:- GPP CSEs for Windows Vista (KB943729)
- GPP CSEs for Windows Vista x64 Edition (KB943729)
- GPP CSEs for Windows Server 2003 (KB943729)
- GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
- GPP CSEs for Windows XP (KB943729)
- GPP CSEs for Windows XP x64 Edition (KB943729)
- Group Policy related changes in Windows Server 2008 - Part 2: GPMC Version 2
- Group Policy related changes in Windows Server 2008 - Part 3: Introduction to Group Policy Preferences
- Group Policy related changes in Windows Server 2008 - Part 4: Group Policy Preferences continued
0 nhận xét:
Post a Comment