Group Policy Changes: Windows Server 2012, Windows 8 and Windows RT (Part 1)

Published on 24 April 2013 / Last Updated on 24 April 2013

In this series of articles, we’ll be taking a look at changes in Group Policy and how you can best use them to your benefit in keeping your Windows network as secure as possible.

Introduction

Group Policy is one of the most powerful and convenient tools that network administrators and IT security specialists have for controlling the Windows environment and specifying what users can and can’t do on the computer. Setting local and/or domain policies is far easier and less risky than editing the registry to accomplish the same things. Group Policy is the best means for setting restrictions that apply to the whole computer (either server or client) or to specific user accounts.

With the release of their newest operating systems, Windows Server 2012, Windows 8, and Windows 8’s “little brother,” Windows RT, Microsoft has made a number of changes related to Group Policy. There are several new Group Policy features, and some of the familiar ones have been updated to provide new functionality. In this series of articles, we’ll be taking a look at those changes and how you can best use them to your benefit in keeping your Windows network as secure as possible.

Windows RT supports Group Policy

One of the most frustrating things about working with Windows home editions, on those occasions when we have to do so (that usually being when we’re pressed into service as off-duty ad hoc ‘computer experts’ for family and friends) is the lack of a local group policy editing tool. I don’t know how many times I’ve automatically typed “gpedit.msc” into the Run field on somebody’s Home machine, forgetting that it’s missing in action.

So I was pleasantly surprised when I learned that Windows RT – the ARM-based version of Windows designed primarily to run on tablets – does support local group policy. Microsoft apparently recognized that this is important in a business world where Bring Your Own Device (BYOD) is quickly becoming the order of the day, and it will give Windows RT tablets another advantage over tablets that run other platforms such as iOS or Android, when it comes to integrating into a Windows-based corporate network.

I have a Surface RT, so I went to the desktop and typed gpedit.msc into the Run box (which I had already pinned to the taskbar; remember, there’s no Start menu, although you can also just type the command on the Start screen). This opens the Local Computer Policy.

Note, however, that the Group Policy Client service is disabled by default, as shown in Figure 1. You can easily turn it on: type services.msc in the Run box or on the Start screen, scroll down to Group Policy Client and double click it. This opens its Properties dialog box, where you set the Startup Type to Automatic. Then right click the service and click Start to turn it on.
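The same change can be made from an elevated PowerShell prompt on the Windows RT desktop. The script below is an added example, not code from the original article; it assumes the service name gpsvc (the name behind the “Group Policy Client” display name) and reads the startup mode through WMI because the ServiceController object in PowerShell 3.0 does not expose it:

```powershell
# Added example (not from the article): enable and start the Group Policy Client
# service, then verify the result. Run from an elevated PowerShell prompt.
$ServiceName = 'gpsvc'   # service name behind the "Group Policy Client" display name

function Get-GpsvcState {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped)
    $s = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    New-Object PSObject -Property @{ StartMode = $s.StartMode; State = $s.State }
}

Write-Output ("Before: StartMode={0} State={1}" -f (Get-GpsvcState).StartMode, (Get-GpsvcState).State)

# Same two steps as the services.msc procedure: Startup Type = Automatic, then Start.
Set-Service -Name $ServiceName -StartupType Automatic -ErrorAction Stop
Start-Service -Name $ServiceName -ErrorAction Stop

$after = Get-GpsvcState
Write-Output ("After:  StartMode={0} State={1}" -f $after.StartMode, $after.State)

if ($after.StartMode -ne 'Auto' -or $after.State -ne 'Running') {
    Write-Warning 'Group Policy Client is still not set to Automatic/Running; check the services.msc dialog.'
}
```

If Set-Service reports access denied, the prompt was not elevated; the services.msc route described above remains the supported way to make the change. Once the service is running, gpedit.msc settings are actually applied at the next refresh rather than merely saved.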

Figure 1: Start the Group Policy Client service on Windows RT

Remember, though, that a Windows RT device can’t be a member of a Windows domain so it can’t be managed through domain group policy – although it can, like Windows Home edition computers, be used to log into a user’s domain account.

Windows RT contains most of the same Local Group Policy security settings that you’re used to configuring in earlier versions of Windows, as shown in Figure 2.

Figure 2: Local Group Policy in Windows RT contains familiar security settings

New Group Policy features and issues in Windows 8/Server 2012

The rest of this article will discuss new features and issues affecting Group Policy in Windows 8 and Server 2012.

Remote Group Policy Update

This is a new feature for Windows Server 2012 that will make it a little easier to refresh the Group Policy settings (including security settings) on remote computers. When you have a group of remote computers in an Organizational Unit (OU), and you want to refresh Group Policy settings on all of the computers in that OU, you can do that all at once instead of being required to make a remote connection to each individual computer and run the command line tool gpupdate.exe. That’s going to be a big time-saver when you have a large number of computers in the OU that you want to update.

There are two ways to accomplish this:

  • Using the Group Policy Management Console (GPMC)
  • Using Windows PowerShell

Either way, forcing a remote update on the computers in an OU creates a scheduled task for each user who is logged onto those computers. The scheduled task is set to run gpupdate.exe /force on the computer. The scheduled tasks will be set with random start delays, so as to reduce the network traffic load. If you want the update to run immediately (or control the delay time), you will have to use PowerShell to configure the remote refresh.

Using GPMC to force a remote refresh of Group Policy

To force a remote refresh of Group Policy by running gpupdate.exe on all the computers in an OU using the GPMC, here’s what you need to do:

  1. Right click the OU containing the computers you want to update.
  2. Select Group Policy Update …
  3. In the dialog box asking if you want to force a Group Policy update, select Yes.
  4. You’ll then see the status of the scheduling process for each of the computers. Note that the update will be applied to all computers in the OU you selected and any computers in OUs that are contained within that OU.

One small annoyance here is that this dialog box does not tell you whether or not the refresh was successfully performed. The status field refers only to the scheduling of the update. To find out for sure, you’ll need to use the Resultant Set of Policy tool. You can find instructions for using that tool here.

Using PowerShell to force a remote refresh of Group Policy

To use PowerShell to schedule a remote update for all computers in an OU, you can use the Invoke-GPUpdate cmdlet. One advantage of using PowerShell is that, in addition to being able to set the start delay times for the updates, you can force a remote refresh on all of the computers in the Computers container in Active Directory; this is something you can’t do via the GPMC. The process for this involves first using the Get-ADComputer cmdlet to obtain a list of all the computer names. You can also schedule the Group Policy update for just a selected set of computers.

You can also run the Invoke-GPUpdate cmdlet as a background job, and you can command the computer(s) to reboot after the Group Policy settings are applied, or force a logoff after they are applied. For more information about the Invoke-GPUpdate cmdlet and its parameters, see this link.

Here is an example of the command line you would need to use to force a Group Policy update for all Group Policy settings on all the computers in an OU. It combines the Get-ADComputer and Invoke-GPUpdate cmdlets (the parameter names take ordinary hyphens; en-dashes pasted from a web page will not parse):

Get-ADComputer -Filter * -SearchBase "OU=Accounting,DC=Contoso,DC=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }
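The one-liner above schedules the refresh but reports nothing about the outcome, and it uses the default random delay. The script below is an added example, not the article’s own code, that covers the PowerShell-only capabilities described above (controlled delay, the Computers container, background jobs) and then checks the result with an RSoP report. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and uses placeholder distinguished names for the Contoso domain:

```powershell
# Added example (not from the article). Assumes RSAT on Windows 8 / Server 2012 and
# placeholder DNs; replace "DC=Contoso,DC=com" with your own domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Either an OU or the Computers container (which GPMC cannot target) works here.
$SearchBase = 'OU=Accounting,DC=Contoso,DC=com'   # e.g. 'CN=Computers,DC=Contoso,DC=com'
$ReportDir  = Join-Path $env:TEMP 'rsop'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Subtree mirrors GPMC behaviour (child OUs included); use -SearchScope OneLevel to stop at this OU.
# Filtering out disabled accounts avoids scheduling jobs that can only fail.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree |
             Select-Object -ExpandProperty Name

# One background job per computer. -RandomDelayInMinutes 0 fires the scheduled
# task immediately instead of using the default random start delay.
$jobs = foreach ($name in $computers) {
    Invoke-GPUpdate -Computer $name -Target Computer -Force -RandomDelayInMinutes 0 -AsJob
}

$jobs | Wait-Job | Out-Null

$scheduled = @()
foreach ($job in $jobs) {
    try {
        Receive-Job -Job $job -ErrorAction Stop | Out-Null
        $scheduled += $job.Name
    } catch {
        # A failure here means the task could not be *scheduled* (RPC/WMI blocked,
        # host offline, pre-Vista OS); it says nothing about policy application.
        Write-Warning ("Could not schedule refresh: {0}" -f $_.Exception.Message)
    }
}
Remove-Job -Job $jobs -Force

# The GPMC status column stops at scheduling; to see what was actually applied,
# pull a Resultant Set of Policy report from each computer that was scheduled.
foreach ($name in $computers) {
    $path = Join-Path $ReportDir ("{0}.html" -f $name)
    try {
        Get-GPResultantSetOfPolicy -Computer $name -ReportType Html -Path $path -ErrorAction Stop | Out-Null
        Write-Output ("RSoP report for {0}: {1}" -f $name, $path)
    } catch {
        Write-Warning ("RSoP failed for {0}: {1}" -f $name, $_.Exception.Message)
    }
}
```

Add -Boot or -LogOff to the Invoke-GPUpdate call when a setting only takes effect after a restart or a new logon; both are disruptive, so keep them out of the default run and use them deliberately.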

Factors to consider regarding remote refresh of Group Policy

The remote refresh can be applied to computers in the OU that are running Windows Vista, 7, 8, Server 2008/2008 R2 or 2012 (not Windows XP or Server 2003). You must schedule the remote refresh from a Windows Server 2012 computer or a Windows 8 computer that’s running the Remote Server Administration Tools.

Note, too, that your firewall rules will need to allow traffic on the applicable ports if you are going through a firewall to schedule the update on the remote computers. This is made easier by the Starter GPO named Group Policy Remote Update Firewall Ports, one of the new Starter GPOs included in Windows Server 2012. That’s another new feature that we’ll talk about later in this article series. This Starter GPO includes the policy settings for configuring the firewall ports as needed.

You could also configure the firewall settings manually, by opening the ports described here in the section Remote Group Policy Refresh: Ports that require Firewall Rules.

The foregoing link also includes instructions for using PowerShell cmdlets to create a GPO based on the Group Policy Remote Update Firewall Ports Starter GPO, link that GPO to the domain, and place it above the Default Domain Policy in the link order, so that all computers in the domain are configured to accept a remote refresh of Group Policy.
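As an added example (not code from the article or from the linked Microsoft page), the following script performs that procedure with the GroupPolicy module cmdlets and makes it safe to re-run: it reuses the GPO and link if they already exist instead of creating duplicates. The Starter GPO name comes from the article; the domain DN is a placeholder:

```powershell
# Added example (not from the article). Run on Server 2012 or Windows 8 with RSAT,
# as a user who can create and link GPOs. Replace the placeholder domain DN.
Import-Module GroupPolicy

$DomainDN = 'DC=Contoso,DC=com'                           # placeholder
$GpoName  = 'Group Policy Remote Update Firewall Ports'   # built-in Starter GPO name from the article

# 1. Create the GPO from the Starter GPO, unless it already exists.
$gpo = $null
try { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop } catch { }
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -StarterGPOName $GpoName `
                   -Comment 'Inbound firewall rules that allow remote Group Policy refresh'
    Write-Output ("Created GPO {0} ({1})" -f $gpo.DisplayName, $gpo.Id)
}

# 2. Link it at the domain root with Order 1, i.e. above Default Domain Policy
#    (a lower link order means higher precedence).
$existing = Get-GPInheritance -Target $DomainDN |
            Select-Object -ExpandProperty GpoLinks |
            Where-Object { $_.DisplayName -eq $GpoName }
if ($existing) {
    Set-GPLink -Name $GpoName -Target $DomainDN -Order 1 -LinkEnabled Yes | Out-Null
} else {
    New-GPLink -Name $GpoName -Target $DomainDN -Order 1 -LinkEnabled Yes | Out-Null
}

# 3. Show the resulting link order so the precedence can be checked at a glance.
Get-GPInheritance -Target $DomainDN |
    Select-Object -ExpandProperty GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

Two points to keep in mind when running it: the firewall rules reach the target computers only after their next regular Group Policy refresh, so a remote refresh attempted immediately afterwards can still fail; and a domain-root link opens the remote scheduled-task ports on every domain member, so if you only ever refresh a few OUs it is tighter to link the GPO to those OUs instead of the domain.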

Summary

The changes and additions to Group Policy in Windows Server 2012 and Windows 8, and the support for Local Group Policy in Windows RT, will give you even more control over the computers that are part of or connect to your corporate network. There are a total of seven new Group Policy related features or functionalities in the new operating systems, as well as five that have been updated or enhanced. In this, Part 1 of a multi-part article, we talked about Local Group Policy support in Windows RT and the new Remote Group Policy Update feature. We will continue our introduction of these new and improved features in subsequent parts of this series.
