Spiga

Group Policy related changes in Windows Server 2008 - Part 2: GPMC Version 2

The new Group Policy related features which will bring both easier manageability and better security.
If you would like to read the other parts in this article series please go to:




In part 1 of this article series we discussed “Starter GPOs”. Part 2 will deal with the Group Policy Management Console (GPMC) version 2 and its new search, filtering and comment options.
The next articles in this series will deal with all the new possibilities available with the fresh policy settings for Windows Server 2008, Group Policy Preferences Extensions and much more…
Note:
Please note that some of the information in this article series is based on information from the Beta versions of Windows Server 2008 (Beta 3, RC0 and RC1). So, some features and dialog boxes may change slightly before the final release.

These are my comments

You probably know the problem – the name of a given Group Policy Object (GPO) does not really say what the GPO does, who ordered it to do whatever it does, why it should do whatever it does and stuff like that. The “what it does” part can be seen in the Settings tab in the Group Policy Management Console (GPMC) you could argue (this is where you can print or save a detailed report), but the other questions are still unanswered.
With GPMC version 2.0 you get 2 different types of comments. These comments can be used for the exact situations I mentioned above – and more depending on your needs, of course.
The first type of comment we will look at is the primary GPO comment – you can have one of these “general” comments per GPO only.
There’s only one official way to edit this type of comment, and that is by right clicking the policy object within the Group Policy Management Editor (GPME) and choosing “Properties” (see Figure 1).
 Figure 1: Selecting GPO Properties
In the properties of the selected GPO you will notice a new tab called “Comment”, see Figure 2.
 Figure 2: The new Comment tab on a GPO
In the text field you can type in whatever comment you want. You could create a company syntax that must be used, to make sure that all relevant information is included (Ex. “who requested this GPO”, “who created this GPO”, “contact information,” etc).
The GPO comment can be viewed from GPMC on the Details tab - together with GUID information, create data, last modification date, etc, which has been there since the first version of GPMC (see Figure 3).
 Figure 3: The GPO comment viewed from GPMC Details tab
The second type of comment is available on the individual Group Policy settings – not just the GPO itself, but each setting within it! That’s good news - however the bad news is that this is only true for Administrative Template policy settings (both User and Computer Configuration). Figure 4 shows an example of a Security Setting/Password Policy – and as you can probably see there’s no Comment tab, unfortunately.
 Figure 4: No Comment tab, just the same old tabs
The Comment tab shows up on policy settings within the Administrative Template settings only (see Figure 5) – leaving a lot of stuff out. It could have been extremely nice to get the comment feature on other policy settings as well, but I guess there must be a good reason why these were left out for now.
 Figure 5: The Comment tab is present
As with the GPO comment, policy setting comments (like the one in Figure 5) could include underlying company syntax of some kind. In my example I included a reference number for the internal Request-for-Change or Support system, a date for when this setting was set the first time, who requested the change, who authorized the change and who implemented it. I think you get the point and hopefully you will find this feature very useful.
The policy setting comments can also be seen in the report you get in GPMC under the “Settings” tab, a new column has been added for this purpose (both when printing and saving the report).
To start off with I stated “There’s only one official way to edit this comment” – by that I also say that there must be an “undocumented” way of doing it – and there is. In part 1 of this article series I mentioned some files that are placed in SYSVOL when commenting a Starter GPO. The same is the case for normal GPOs, this time you just have to look below \\domain.com\SYSVOL\domain.com\Policies\{GUID} – where GUID is the unique ID of the GPO (see Figure 3). The whole point is that these files of course can be edited and/or created manually, or by a script, if you wish so.
The files mentioned in Table 1 are the reason why commenting on a GPO, and individual policy settings, is now possible. The files are not present until a comment is made, see table for more information.
Filename Contents
\Machine\Comment.cmtx Contains comments made on settings within the CC part of the Starter GPO (XML format).
This file is only present if a minimum of one CC settings has a comment linked to it.
\User\Comment.cmtx Contains comments made on settings within the UC part of the Starter GPO (XML format).
This file is only present if a minimum of one UC settings has a comment linked to it.
GPO.cmt
Contains the GPO comment (flat text file).
This file is only present if the GPO has a comment linked to it.
Table 1: Comment files
That rounds up the commenting part of the improvements we will get with Windows Server 2008 - and GPMC version 2.0. Next we’ll take a look at some cool news related to the Group Policy search functionality – or to be more exact: Filtering.

Filtering to search

If you’ve been administering Group Policies for just a short period of time you have probably asked yourself “Why can’t I search for specific policy settings?”, or “Can other people remember 2400 policy settings?”, a number of times. It’s just one of those “should have been there all the time” functions that you can’t live without, but you have had to until now…
Search is not referred to as “search” within GPME, it’s still called “filtering” like the limited functionality we had in previous versions – but it’s much more advanced now. You’ll be able to see that as soon as you select the “Filter Options” from the View menu, or as done in Figure 6.
 Figure 6: Selecting the Filter Options
Important!
As with comments, filtering is only available within Administrative Templates… Leaving room for improvement, you could say! This means that you have to select “Administrative Templates” (either below the Computer Configuration or the User Configuration part of the chosen policy) for the “Filter Options” choice to show up.
Expanding the search functionality to include the possibility to search other parts of the GPO, especially the “Security Settings”, would have been extremely nice, let’s hope it will be part of the Group Policy team’s upcoming tasks… But for now you will have to live with the “Group Policy Settings Reference for Windows Vista“ Excel sheet (see External Links section) to search for those other settings.
The Filter Options dialog, see Figure 7, is divided into 3 chunks. From the top we have some dropdown boxes to select from, then we have “Keyword Filters” and at the bottom “Requirements Filters”.
 Figure 7: The Filter Options dialog
Let’s start off from the top – or the first chunk that is…
The first dropdown box (see Figure 8) gives you the choice to show only Managed policies (those that do not “tattoo” the registry) – this is done by selecting ‘Yes’. You can also choose ‘No’, meaning you don’t want to see any Managed policies. Or you could choose ‘Any’ to get both Managed and un-Managed policies.
 Figure 8: Filter by “Managed”
The second dropdown box (see Figure 9) gives you the choice to show only Configured policy settings (those that are set) – this is done by selecting ‘Yes’. By selecting ‘No’ you get only policy settings that are left untouched – and finally ‘Any’ leaves you with both Configured and un-Configured policy settings.
 Figure 9: Filter by “Configured”
The third dropdown box (see Figure 10) gives you the choice to show only Commented policy settings (those that have a linked comment) – this is done by selecting ‘Yes’. By selecting ‘No’ you get only policy settings that are not commented – and finally ‘Any’ leaves you with both Commented and un-Commented policy settings.
 Figure 10: Filter by “Commented”
The selections you make in the 3 dropdown boxes are of course combined to narrow down the search.
The second chunk is for Keyword Filers, see Figure 11 – this is what you could actually call “Search”, yeah!
First, click “Enable Keyword Filters” and then type in some words to search for in the search field, ex. “Wait network” like in Figure 11. Then select what you want to search within by checking/un-checking the checkboxes below the search field. You can search for matches within the “Policy Setting Title”, the “Explain Text” or the “Comment” field (the stuff you have written yourself) – very cool I think!
 Figure 11: Keyword Filters
The dropdown box to the right in Figure 11 has 3 possible settings:
  • ‘All’ – all the words you have typed into the search field must be present in the policy setting title, explain text or comment – depending on your checkbox choices (see above).
  • ‘Any’ – if just one of the words is present it will be considered as a good match.
  • ‘Exact’ – the words must be present in the exact order you typed them in, ex. “wait network” would leave you without any hits, but “wait for the network” should give you “Always wait for the network at computer startup and logon” and other policies with the exact words (in that exact order) in them.
The last chunk is for Requirements Filters, see Figure 12 – click “Enable Requirements Filters” to set these filters. Some policy settings apply to the “Windows Vista” platform only, others “Windows Vista Service Pack 1” only etc. – by using these filters you are able to see exactly what is possible when you have a given operating system/Internet Explorer/Media Player version etc.
You can select from two criteria:
  • Include settings that match any of the selected platforms’– will return policy settings that any of the selected platforms are capable of handling (not all platforms must comply here).
  • Include settings that match all of the selected platforms – will return policy settings that all of the selected platforms are capable of handling – so if you select “Microsoft Windows 2000” and “Windows Vista” it should return only policy settings that BOTH of these platforms comply with*.
 Figure 12: Requirements Filters
Note:
This feature has some known bugs in Windows Server 2008 RC0 that are fixed in later BETA versions, so don’t worry if it doesn’t work in your BETA test lab.
When you are done configuring and tweaking your Filter Options, hit “OK” and voila… Now what you see is what you wanted (WYSIWYW, just kiddin’). Click the new and shiny “All Settings” node, shown in Figure 13.
 Figure 13: The “All Settings” node
The “All Settings” node is so great – there‘s one for the Computer Configuration part and one for the User Configuration part of the policy. Note that when the Filter Options are enabled the filtering is done for both the Computer and the User Configuration. You can also browse through the hierarchy of policy containers like we used to (see Figure 14), but I think we’ll all get to like the “All Settings” node a lot. Notice the icons have changed where the filter takes effect.
 Figure 14: The old fashion filter browsing
If you should change something within a policy while the filter is active, let’s say you configured a previously un-configured policy setting, and you think is might have an influence on what the filter should show, you will have to “refresh” the view manually, known as “Re-Apply Filter” (see Figure 15). This is actually just like turning off the filter and then back on again.
 Figure 15: Selecting Re-Apply Filter
When you don’t want to use the filter anymore you can switch if off by removing the checkmark next to “Filter On”, see Figure 16. One thing to notice is that your Filter Options are “remembered” by GPME, so the next time you boot GPME you can switch on the last used filter right away.
 Figure 16: Filter On/Off
The last thing I want to show is the “All Settings” node in all its glory – even without filters activated this view is really nice to have. This view gives us an alphabetical view of everything below either the Computer Configuration (see Figure 17) or the User Configuration (see Figure 18) part of the policy.
 Figure 17: Computer Configuration: “All Setting” node
Click the “Setting”, “State”, “Comment” or “Path” column to order the shown policy settings if you want to find something quickly, ex. see all policy settings that have comments defined – or all that are in the state ‘Enabled’. Notice that at this point (Windows Server 2008 RC0) we have 1375 Computer Configuration settings below “Administrative Templates” alone, and 1307 for the User Configuration part, see Figure 18 – that’s a lot to remember!
 Figure 18: User Configuration: “All Setting” node
Search functionality – or filtering I should say – is going to be a huge advantage for all of us. We are not that far from the release of GPMC version 2.0 for Windows Vista – the Group Policy team once promised to release this as a separate download when Windows Vista Service Pack 1 is released (because as you know, if you read part 1 at least, the built-in GPMC will be removed during the Service Pack 1 installation). So, hang in there…

Conclusion

Windows Server 2008 and GPMC version 2 does bring some wonderful new features related to Group Policy. Some are tiny improvements, others are huge improvements. A large part of it can be very useful for administrators in most environments out there. The search functionality has been asked for, for many, many years now – and finally it has (partly) arrived. Thank you, Microsoft.

Update

Since this article was published Microsoft has released the required Group Policy Preference Client Side Extensions. These are the links:
If you would like to read the other parts in this article series please go to:



0 nhận xét:

Your IP

IP
Blogger Widgets

Copy code, paste your site:

<p><span style="text-align:center; display: block;"><a href="http://win7-vista.blogspot.com/2011/02/get-ip-address-widget-for-your-blogger.html"><img src="http://www.wieistmeineip.de/ip-address/?size=468x60" border="0" width="468" height="60" alt="IP" /></a><br /><small><a href="http://win7-vista.blogspot.com/2011/02/get-ip-address-widget-for-your-blogger.html">Blogger Widgets</a></small></span></p>