I've always been a great fan of Group Policy Objects. They are a fantastic way to retain control of your environment. With Windows Server 2012 the good things keep coming. Today we will look at some of what’s new in Group Policy in Windows Server 2012. More specifically, we will discuss the following:
If you want to follow along, I suggest you download the evaluation of Windows Server 2012 and use the info in this post to set up your own lab and get acquainted with all the value you can extract from Windows Server 2012 and Group Policy.
We can now refresh Group Policy settings, including security settings, on a group of remote computers. BAMM!! No more need to call someone local and ask them to issue the old “GPUPDATE /FORCE” command.
It’s right there in the Group Policy Management Console (GPMC). This functionality schedules a task on all computers in a selected OU, which refreshes the computer and user Group Policy settings, as long as those computers are running one of the following OS:
For anything else… you’re stuck with calling someone, or you RDP into that machine and do it yourself.
One other requirement…
To schedule a Group Policy refresh for domain-joined computers you must have firewall rules that enable inbound network traffic on the ports listed in the following table.
There is already a Starter GPO that has all the required settings to facilitate your task. So use it and make a new GPO that will open all the appropriate ports in your environment. It is a best practice to create a new GPO from this Starter GPO and link it to your domain, at a higher precedence than the Default Domain GPO, so that all computers in the domain are configured to allow a remote Group Policy refresh.
1- Right-click the OU on which you want to refresh the policy.
2- Select “Group Policy Update”
3- You’ll be prompted to confirm that you want to run the update. Click “Yes” and you’re done.
You can also use PowerShell to achieve the same results. For example, to force the update on a single computer, you would use the following command:
To force the update on a complete OU, you would combine the Get-ADComputer cmdlet with the Invoke-GPUpdate cmdlet and set -RandomDelayInMinutes to 0. For example, to force a refresh of all Group Policy settings for all computers in the Montreal OU of the PRlab.com domain, type the following:
More info here: http://technet.microsoft.com/en-us/library/jj134201.aspx
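The OU-wide refresh described above, written out as an added example (it is not the command from the original post). It goes one step further and records which computers could not be scheduled, so hosts that missed a security-setting refresh are visible. It assumes the ActiveDirectory and GroupPolicy modules are installed and uses the Montreal OU of PRlab.com named in the post.

```powershell
# Added example: refresh Group Policy on every enabled computer in one OU
# and report the hosts on which the refresh could not be scheduled.
Import-Module ActiveDirectory, GroupPolicy

# OU and domain taken from the post's example.
$searchBase = 'OU=Montreal,DC=PRlab,DC=com'

$results = foreach ($computer in Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase) {
    # Stale computer objects may have no DNS name; fall back to the short name.
    $target = if ($computer.DNSHostName) { $computer.DNSHostName } else { $computer.Name }
    $status = 'Scheduled'
    $detail = ''
    try {
        # -RandomDelayInMinutes 0 starts the refresh task immediately.
        # -Force reapplies all settings, like GPUPDATE /FORCE.
        Invoke-GPUpdate -Computer $target -RandomDelayInMinutes 0 -Force -ErrorAction Stop
    }
    catch {
        # The refresh could not be scheduled on this host.
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Computer = $target
        Status   = $status
        Detail   = $detail
    }
}

# "Scheduled" only means the remote task was created, not that policy has applied yet.
$results | Sort-Object Status, Computer | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { $_.Status -eq 'Failed' })
Write-Host ("{0} of {1} computers could not be scheduled" -f $failed.Count, @($results).Count)
```

Hosts listed as Failed are the ones to check against the firewall and OS requirements above. On a large OU, a non-zero -RandomDelayInMinutes spreads the refresh out instead of having every machine contact the domain controllers at once.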
Group Policy can be a complicated infrastructure that gives administrators and the organization the tools to remotely control the computer and user experience in a domain. Up to now, troubleshooting was mostly reactive: an expected result does not occur, a user calls to report a missing configuration, etc., and we jump into action.
Some organizations have a huge reach, across continents and time zones. This can cause replication lag that affects the GPO infrastructure and the way GPOs are applied. In previous versions of Windows there were tools, such as GPOtool.exe, to get a view of GPO replication, but they provided inconsistent information.
In Windows Server® 2012 the Group Policy Management Console (GPMC) has been enhanced to provide a report on the overall health state of the Group Policy infrastructure for a domain or to scope the health view down to a single GPO.
New for Windows Server 2012 is a graphical reporting feature in GPMC that allows you to choose a baseline domain controller for comparison and see the current Group Policy replication status along with any synchronization details when a comparison finds a differential from the baseline domain controller.
This will display the status of Active Directory and SYSVOL replication as it relates to all Group Policy Objects or a single Group Policy Object.
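A scripted approximation of the baseline comparison described above, as an added example. It is not from the original post and is not how GPMC implements its report. It assumes the ActiveDirectory and GroupPolicy modules are installed and, as an assumption, picks the PDC emulator as the baseline domain controller. A GPO whose versions differ between domain controllers means clients may be applying different security settings depending on which DC they reach.

```powershell
# Added example: compare each GPO's version numbers on every DC against a baseline DC.
Import-Module ActiveDirectory, GroupPolicy

# Assumption: the PDC emulator is the baseline; GPMC lets you choose any DC.
$baseline = (Get-ADDomain).PDCEmulator

function Get-GpoVersionMap {
    param([string]$Server)
    $map = @{}
    foreach ($gpo in Get-GPO -All -Server $Server -ErrorAction Stop) {
        # DSVersion is the version stored in Active Directory, SysvolVersion the one
        # stored with the GPO's files in SYSVOL, both as reported through $Server.
        $map[$gpo.Id] = [pscustomobject]@{
            Name   = $gpo.DisplayName
            AD     = '{0}/{1}' -f $gpo.User.DSVersion, $gpo.Computer.DSVersion
            Sysvol = '{0}/{1}' -f $gpo.User.SysvolVersion, $gpo.Computer.SysvolVersion
        }
    }
    return $map
}

$reference = Get-GpoVersionMap -Server $baseline

$differences = foreach ($dc in Get-ADDomainController -Filter *) {
    if ($dc.HostName -eq $baseline) { continue }
    try { $current = Get-GpoVersionMap -Server $dc.HostName }
    catch {
        [pscustomobject]@{ DC = $dc.HostName; GPO = '(all)'; Issue = "query failed: $($_.Exception.Message)" }
        continue
    }
    foreach ($id in $reference.Keys) {
        $ref = $reference[$id]
        $cur = $current[$id]
        if (-not $cur) { $issue = 'GPO missing on this DC' }
        elseif ($cur.AD -ne $ref.AD) { $issue = "AD version $($cur.AD), baseline $($ref.AD)" }
        elseif ($cur.Sysvol -ne $ref.Sysvol) { $issue = "SYSVOL version $($cur.Sysvol), baseline $($ref.Sysvol)" }
        else { continue }
        [pscustomobject]@{ DC = $dc.HostName; GPO = $ref.Name; Issue = $issue }
    }
}

# Versions are shown as user/computer. No output rows means every DC matches the baseline.
$differences | Sort-Object DC, GPO | Format-Table -AutoSize -Wrap
```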
What works differently?
In Windows Server 2012, you no longer need to download and run a separate tool for monitoring and diagnosing replication issues related to Group Policy at the domain level. Potential differences that can be viewed by using the Group Policy infrastructure status are:
Local Group Policy is available for Windows RT. It is off by default, but can be turned on by the local administrator. Don't get excited… it does not mean that you can join Windows 8 RT to the domain, but you can configure policies on the RT device to control the experience of users.
On Windows RT devices, the Group Policy Client service is disabled by default. The Group Policy Client service must be set to Automatic and started by the administrator before Group Policy is processed on the device.
To turn on the Group Policy Client service
1- From the start screen, type Services.msc.
2- Double-click Group Policy Client to open the Group Policy Client Properties (Local Computer) dialog box.
Once that’s done you can edit the Local policy using the Group Policy Object Snap-in in the MMC console.
That’s it for today. I’ll try to drill a bit deeper into GPOs on Windows Server 2012 in upcoming posts. However, if you have specific scenarios you need help with, don't hesitate to ask in the comment section, or email us at CDN-ITPro-Feedback@microsoft.com
Pierre Roman, MCITP, ITIL | Technology Evangelist Twitter | Facebook | LinkedIn