The upcoming Windows Server 2008 operating system brings a lot of new goodies. This article series will focus on the Group Policy related features which will bring both easier manageability and better security.
If you would like to read the other parts in this article series please go to:
- Group Policy related changes in Windows Server 2008 - Part 1: What are Starter GPOs?
- Group Policy related changes in Windows Server 2008 - Part 2: GPMC Version 2
- Group Policy related changes in Windows Server 2008 - Part 4: Group Policy Preferences continued
The next article in this series will take a closer look at Group Policy Preferences, how they work and how to use them.
Note:Some of the information in this article series is based on information from the Beta versions of Windows Server 2008 (Beta 3, RC0 and RC1). So, some features and dialog boxes may change a bit before the final release. Group Policy Preferences is part of the Release Candidate 1 (RC1) beta release of Windows Server 2008.
Group Policy Preferences
Back in October 2006 Microsoft acquired the company DesktopStandard. One of their great products, PolicyMaker, has now moved into the Microsoft product line as part of Windows Server 2008 and actually also the Remote Server Administration Toolkit (RSAT) which I’ll get back to later in this article.The PolicyMaker software includes the ability to control and configure a great deal more, from a central point, than regular Group Policies can. Some preference settings actually overlap with “real” policy settings, but in that case you have a choice between a policy and a preference. So, you might ask: what’s the difference? Well, a “policy” is something you enforce and which cannot be changed by the user – a “preference” is a setting you would prefer the user takes on, but the user can still change it.
Preference can be set to apply only once and from that point in time the user is free to do whatever he/she wants – or to apply every time the Group Policy is refreshed (default ever 90 to 120 minutes on clients). I’ll get back to the pros and cons of this behavior in the next article in this series.
In Figure 1 you will see the new view from the Group Policy Management Editor tool, notice my policy called “GP Preferences” is split into Computer Configuration and User Configuration as is normal, but each of these nodes are split into two additional nodes: “Policies” (red color), which is the good old Group Policy stuff we all know, and “Preferences” (green color) which is for Group Policy Preference (Windows or Control Panel) settings.
Figure 1: Policies vs. Preferences
The reason why Group Policy preferences work and offer more functionality than existing Group Policy settings is a small piece of client extension software, a Client Side Extension (CSE). This small piece of software must be present on the managed clients for Group Policy Preferences to work. The required CSE is a built-in part of Windows Server 2008 – but must be downloaded for and installed on Windows XP SP2, Windows Server 2003 SP1 and Windows Vista (Windows 2000 and earlier Windows operating systems are not supported). The CSE package will be available for both 32 and 64 bit operating systems.What can we do with it?
Group Policy Preferences offer lots of goodies for administrators around the world. A lot of it is actually stuff we would have liked there from the beginning of the Active Directory days, but hey: better late than never, right! Many of the possibilities Group Policy Preferences offer are settings people have created more or less complex scripts - or custom administrative templates (ADM/ADMX/ADML files) - to master, like drive and printer mapping, file copy tasks, desktop shortcuts, creation of ODBC data source and perhaps most importantly: custom registry tweaks for non-Group Policy aware applications! But, Group Policy preferences offers even more – the following 4 tables give a “quick view” on what this technology has to offer.Table 1 gives an idea of what Group Policy Preferences offer in regards to Windows Settings at the Computer Configuration level.
Table 1: Computer Configuration - Windows Settings
Environment | Allows you to set Environment variables for User or System. You can Create/Replace/Update or Delete variables - even the important PATH variable. |
Files | Create/Replace/Update or Delete files on clients. By defining source file(s) and destination you get a “copy” like functionality. Additionally you can set attributes (Read-Only, Hidden & Archive) on the files. |
Folders | Allows you to Create/Replace/Update or Delete folders on clients. When replacing or deleting folders you get more options to make sure everything happens the way you want it to. Additionally you can set attributes (Read-Only, Hidden & Archive) on the folders. |
INI Files | Create/Replace/Update or Delete INI files. You can specify INI file Section and Property names – and Property Values. |
Registry | This allows you to modify registry settings on the clients – you select from Registry Items, Collection Items, and a Registry Wizard to guide you through the process. The wizard allows you to browse the registry on remote computers to select a key path you want to Create/Replace/Update or Delete. You can select from the following value types: REG_SZ, REG_DWORD, REG_BINARY, REG_MULTI_SZ, and REG_EXPAND_SZ – a huge improvement compared to the process of creating custom ADM files (which didn’t support all registry value types). |
Network Shares | Allows you to Create/Replace/Update or Delete shares on clients. You choose the Share name, Folder path, Comment, User limit and even the Access-based Enumeration status. You can also choose to update all regular shares, all hidden non-administrative shares and all administrative drive-letter shares. |
Shortcuts | Create/Replace/Update or Delete shortcuts on clients. You define the Target Type (File System Object, URL or Shell Object), Location, Path, Arguments, “Start in”, Shortcut Keys, Icon etc. |
Table 2: Computer Configuration - Control Panel Settings
Data Sources | Create/Replace/Update or Delete User or System Data Sources. Choose from available Data Source Names (DSN), choose a Data Source Driver (eg. Excel, Access, SQL Server), set Username/Password, Attributes etc. So, this is the simple way to create Open Database Connectivity (ODBC) on clients. |
Devices | Control Devices on client by Enabling or Disabling the usage of a given Device Class (GUID) or Device Type (GUID). This is close to the same functionality we have with Windows Vista. |
Folder Options | Define File Types and associated classes (eg. Text Document, VBScript Script File, Windows Installer Package etc.). Additionally you can configure Class settings, like Icon, Actions and more. |
Local Users and Groups | Handle Local Users and Groups by Creating/Replacing/Updating or Deleting Users or Groups. You can change passwords, disable local users, control local group membership, set password options, set account expires date, delete all members of a group (users and/or groups), add/remove the current user to/from a group, rename users or groups etc. |
Network Options | Create/Replace/Update or Delete a Virtual Private Network (VPN) or Dial-Up Network (DUN) connection - as a “user” or “all users” connection. You can define Dialing Options, Security (encryption/authentication etc.), Networking options etc. |
Power Options | Configure Power Options and Schemes for Windows XP machines. Power Options include settings like: “Prompt for password when computer resumes from standby”, “Enable hibernation” and Power button settings. Power Schemes can be Created, Replaced, Updated or Deleted. So you can create your own perfect scheme, deploy it to your clients and make it the active Power Scheme. |
Printers | Create/Replace/Update or Delete local Printers – even TCP/IP printers. You define things like Name, Port (LPT/COM/USB), IP address, Port Settings (RAW/LPR/SNMP), Printer Path, Location, Comment. |
Scheduled Tasks | Create/Replace/Update or Delete Scheduled or Immediate Tasks. For Scheduled Tasks you select the Name, the File (typically a script or executable) to launch, any Arguments, “Start in”, Comments, “Run as” properties (specify domain/local user account & password), whether the task should be Enabled or not, the actual Schedule (even multiple schedules) and some of the more advanced task settings. An Immediate Task offers almost the same settings as mentioned above, except for the actual Schedule – Immediate Tasks run as soon they are loaded with the policy and only then. |
Services | Set properties on Services, like Startup option (No change, Automatic, Manual or Disabled), choose an Action (No change, Start/Stop/Restart service), set a timeout in case the service is locked, set Logon and Recovery properties etc. |
Table 3: User Configuration - Windows Settings
Applications | I'll get back to this part of Group Policy Preferences in a later article… |
Drive Maps | Create/Replace/Update or Delete mapped network drives (like NET USE). You can choose to map to a specific drive letter or just the next available drive letter. An option is available to “Connect As” another user – just provide the credentials (username/password) needed. Furthermore you can choose to Hide the mapped drive or all drives. |
Environment | Allows you to set Environment variables for User or System. You can Create/Replace/Update or Delete variables - even the important PATH variable. |
Files | Create/Replace/Update or Delete files on clients. By defining source file(s) and destination you get a “copy” like functionality. Additional you can set attributes (Read-Only, Hidden & Archive) on the files. |
Folders | Allows you to Create/Replace/Update or Delete folders on clients. When replacing or deleting folders you get more options to make sure everything happens the way you want it to. Additional you can set attributes (Read-Only, Hidden & Archive) on the folders. |
INI Files | Create/Replace/Update or Delete INI files. You can specify INI file Section and Property names – and Property Values. |
Registry | This allows you to modify registry settings on the clients – you select from Registry Items, Collection Items, and a Registry Wizard to guide you through the process. The wizard allows you to browse the registry on remote computers to select a key path you want to Create/Replace/Update or Delete. You can select from the following value types: REG_SZ, REG_DWORD, REG_BINARY, REG_MULTI_SZ, and REG_EXPAND_SZ – a huge improvement compared to the process of creating custom ADM files (which didn’t support all registry value types). |
Shortcuts | Create/Replace/Update or Delete shortcuts on clients. You define the Target Type (File System Object, URL or Shell Object), Location, Path, Arguments, “Start in”, Shortcut Keys, Icon etc. |
Table 4: User Configuration - Control Panel Settings
Data Sources | Create/Replace/Update or Delete User or System Data Sources. Choose from available Data Source Names (DSN), choose a Data Source Driver (eg. Excel, Access, SQL Server), set Username/Password, Attributes etc. So, this is the simple way to create Open Database Connectivity (ODBC) on clients. |
Devices | Control Devices on client by Enabling or Disabling the usage of a given Device Class (GUID) or Device Type (GUID). This is close to the same functionality we have with Windows Vista. |
Folder Options | Allows you to set Folder Options for Windows XP or Windows Vista – or to set “Open With” associations for given file extensions (eg. Notepad for .TXT files etc.). Setting Folder Options for Windows XP/Vista includes the possibility to enable or disable settings like: “Show hidden files and folders”, “Hide extensions for known file types”, “Hide protected operating system files”, “Show encrypted or compressed NTFS files in color”, “Use simple file sharing” and much more in the same category. |
Internet Settings | Allows you to set Internet Settings for Internet Explorer 5 and 6 and/or Internet Explorer 7. Some of these overlap with regular group policy settings, it’s up to you to choose what to use. Internet Settings include things like Home Page(s), Browsing History, Tabbed Browsing, Accessibility, Security levels for specific zones, Pop-up blocker, Programs, Dial-up/LAN settings etc. |
Local Users and Groups | Handle Local Users and Groups by Creating/Replacing/Updating or Deleting Users or Groups. You can change passwords, disable local users, control local group membership, set password options, set account expires date, delete all members of a group (users and/or groups), add/remove the current user to/from a group, rename users or groups etc. |
Network Options | Create/Replace/Update or Delete a Virtual Private Network (VPN) or Dial-Up Network (DUN) connection – as a “user” or “all users” connection. You can define Dialing Options, Security (encryption/authentication etc.), Networking options etc. |
Power Options | Configure Power Options and Schemes for Windows XP machines. Power Options include settings like: “Prompt for password when computer resumes from standby”, “Enable hibernation” and Power button settings. Power Schemes can be Created, Replaced, Updated or Deleted. So you can create your own perfect scheme, deploy it to your clients and make it the active Power Scheme. |
Printers | Create/Replace/Update or Delete local Printers – even TCP/IP printers. You define things like Name, Port (LPT/COM/USB), IP address, Port Settings (RAW/LPR/SNMP), Printer Path, Location, Comment. For users you can even choose what should be the default printer. |
Regional Options | Allows you to set Regional Option Properties – like User Locale, Numbers, Currency, Time format and Date format. |
Scheduled Tasks | Create/Replace/Update or Delete Scheduled or Immediate Tasks. For Scheduled Tasks you select the Name, the File (typically a script or executable) to launch, any Arguments, “Start in”, Comments, “Run as” properties (specify domain/local user account & password), whether the task should be Enabled or not, the actual Schedule (even multiple schedules) and some of the more advanced task settings. An Immediate Task offers almost the same settings as mentioned above, except for the actual Schedule – Immediate Tasks run as soon they are loaded with the policy and only then. |
Start Menu | Tweak the Start Menu of Windows XP or Windows Vista. This includes all the well know settings like Large/Small icons, Number of programs on Start menu, Display Run, Display Log off etc. |
Who can get this stuff?
This part is the best – so please listen carefully… You would expect that cool stuff like StarterGPOs, Comments, Search/Advanced Filtering and Group Policy Preferences, should cost you something, right? Well, it actually doesn’t have to be expensive, you won’t have to install Windows Server 2008 on all your Domain Controllers or anything like that – all you need to do is to have a single Windows Vista SP1 with the upcoming, and freely downloadable, “Remote Server Administration Tools” (RSAT) toolkit installed and you have it all for close to nothing! RSAT will include GPMC version 2 and updated versions of the administrative tools we had in the “Administration Tools Pack” for earlier Windows Server systems.The CSE packages will be freely downloadable from the Microsoft website, just deploy the software client to your Windows XP SP2, Windows 2003 SP1 and/or Windows Vista computers (eg. by using Group Policy Software Installation) – and it’s party time… You almost can’t stop shouting “Yippee-ki-yay”, right?
Really, I didn’t get it first – why would Microsoft give away cool stuff like this, DesktopStandard was not free, I can tell you. The best answer I have for you is from my good friend Jeremy Moskowitz: “People”. Microsoft didn’t just buy the technology, they wanted the Human Beings behind the cool software – those clever people are next in line to make Microsoft Group Policy even better than it is right now!
Note:
The final versions of both RSAT and Windows Server 2008 will be available in the first quarter of 2008.
Conclusion
Windows Server 2008 and GPMC version 2 does bring some wonderful new features related to Group Policy. Some are tiny improvements, others are huge improvements. A large part of it can definitely be very useful for administrators in most environments out there… Group Policy Preferences brings us new and very useful features we never had before – and you don’t even have to spend a lot of money to get it!External links
Update
Since this article was published Microsoft has released the required Group Policy Preference Client Side Extensions. These are the links:- GPP CSEs for Windows Vista (KB943729)
- GPP CSEs for Windows Vista x64 Edition (KB943729)
- GPP CSEs for Windows Server 2003 (KB943729)
- GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
- GPP CSEs for Windows XP (KB943729)
- GPP CSEs for Windows XP x64 Edition (KB943729)
0 nhận xét:
Post a Comment