Group Policy Changes: Windows Server 2012, Windows 8 and Windows RT (Part 3)

by [Published on 15 May 2013 / Last Updated on 15 May 2013]

In this, Part 3, we’ll wrap up this article series with all the other “little” changes to Group Policy and how they improve the Windows admin experience.

Introduction

In Part 1 of this series, we started our discussion of the changes and additions to Group Policy in Windows Server 2012, Windows 8 and Windows RT. Specifically, we talked about Local Group Policy support in Windows RT and its limitations, and the new Remote Group Policy Update feature in Windows Server 2012. In Part 2, we continued by looking at some of the Group Policy additions and changes that pertain to the Internet Explorer web browser. In this, Part 3, we’ll wrap up with all the other “little” changes to Group Policy and how they improve the Windows admin experience.

Improved GPMC

Once upon a time, we had to manage Group Policy through the Active Directory Users and Computers (ADUC) administrative tool. Then Microsoft introduced the Group Policy Management Console (GPMC), which is a separate MMC snap-in. With Windows Server 2012, some improvements have been made to the GPMC that make it easier to manage Group Policy across a domain. We already talked about one new feature, remote GP update, back in Part 1 of this series – but there’s more.

There is a new tab in the GPMC called Status. When you select it, you see the status of Active Directory and SYSVOL (FRS) replication for the domain, as it relates to Group Policy. It’s important for Group Policy to be replicated to all of your domain controllers in a timely manner, but sometimes there can be delays. Previously, we had to download a separate tool, GPOtool.exe, to troubleshoot such problems.

Now you’ll be able to tell almost instantly, right there in the GPMC, whether the GPOs in your domain are synchronized between domain controllers. When GPOs are edited, you’ll be able to see that replication is in progress, and you can see the version numbers for the GPO version in Active Directory and the one in SYSVOL that haven’t yet been synchronized. You can also see Access Control List (ACL) details for AD and SYSVOL. Note that you may need to refresh the console to see changes to the status as the GPOs come into sync.

Improvements have also been made to the Group Policy reporting functionality. New information that’s displayed in Group Policy Results includes an indicator of whether inheritance is blocked, an indicator of when a GPO is enforced, the detection of a fast link, and active links for the recent GPO Event Log data on the machine in question. Results also now tell you when Group Policy was most recently refreshed, as well as the length of time it took.

The Group Policy infrastructure status report gathers infrastructure status from all the domain controllers in the domain. You choose a domain controller to act as a baseline and compare the others against it. Comparison is made of ACLs, version numbers, object count, GPT files and folders and the file hash for each file. This tool can be used to detect replication issues. This TechNet article goes into more detail about checking Group Policy infrastructure status and contains links to articles that tell you how to troubleshoot AD and file services replication issues.
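
The version-number part of that baseline comparison can also be scripted. The following is an added example, not code from the article or from Microsoft: it uses Get-GPO from the GroupPolicy module against every domain controller and flags GPOs whose AD and SYSVOL versions disagree or differ from a baseline. Using the PDC emulator as the baseline, and the helper names, are assumptions; ACLs, object counts and file hashes are not checked.

```powershell
# Added example (not from the article). Needs the RSAT GroupPolicy and
# ActiveDirectory modules and an account that can read GPOs on every DC.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoVersionRow {
    param([string]$Server, [string]$Domain)
    # One row per GPO as reported by $Server: AD (DS) and SYSVOL versions for both halves.
    Get-GPO -All -Domain $Domain -Server $Server -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Server = $Server; Id = $_.Id; Name = $_.DisplayName
            UserAD = $_.User.DSVersion;     UserSysvol = $_.User.SysvolVersion
            CompAD = $_.Computer.DSVersion; CompSysvol = $_.Computer.SysvolVersion
        }
    }
}

function Compare-GpoVersion {
    param([object[]]$Rows, [string]$Baseline)
    # Index the baseline DC's rows by GPO GUID, then test every row against them.
    $ref = @{}
    $Rows | Where-Object Server -eq $Baseline | ForEach-Object { $ref[$_.Id] = $_ }
    foreach ($r in $Rows) {
        $issues = @()
        if ($r.UserAD -ne $r.UserSysvol -or $r.CompAD -ne $r.CompSysvol) {
            $issues += 'AD and SYSVOL versions differ on this DC'
        }
        $b = $ref[$r.Id]
        if (-not $b) { $issues += 'GPO not present on baseline' }
        elseif ($r.UserAD -ne $b.UserAD -or $r.CompAD -ne $b.CompAD) {
            $issues += 'AD version differs from baseline'
        }
        if ($issues) {
            $r | Select-Object Server, Name, Id, @{n='Issue'; e={ $issues -join '; ' }}
        }
    }
}

$domain   = (Get-ADDomain).DNSRoot
$baseline = (Get-ADDomain).PDCEmulator   # assumed baseline choice
$rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try   { Get-GpoVersionRow -Server $dc -Domain $domain }
    catch { Write-Warning "Could not query ${dc}: $($_.Exception.Message)" }
}
Compare-GpoVersion -Rows $rows -Baseline $baseline | Format-Table -AutoSize
```

A mismatch right after an edit may simply be replication in progress; a GPO that stays out of sync means security settings are not being applied consistently across the domain.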

The updated GPMC is included with Windows Server 2012 servers and Windows 8 domain members that have the RSAT tools enabled. You don’t have to have any Windows Server 2012 domain controllers in order to use the tool.

Little things that matter

Some of the changes in Windows Server 2012/Windows 8 are subtle and simple, but can have an impact on Group Policy issues. For example, the Fast Startup feature puts the computer into a state of hibernation instead of shutting down completely. This reduces the amount of time required to start the computer, but as a result, Group Policy settings and scripts that get applied at startup or shutdown might not run as expected. There are a couple of solutions:

  • You can use the Restart Computer option on client computers to force a complete shutdown so policies will be applied as expected.
  • You can disable the Require use of fast startup policy, which you’ll find in Computer Configuration | Policies | Administrative Templates | System | Shutdown.

Another small change is the sign-in optimization that improves the processing of slow links during the sign-in process. There is a new policy setting that allows you to have all 3G connections detected as slow links. You’ll find the policy setting, which is called Configure Group Policy slow link detection, in Computer Configuration | Policies | Administrative Templates | System | Group Policy.

Finally, there is a change to address the problem that is sometimes encountered, wherein an administrator isn’t able to add any new Administrative Template settings to a GPO because the maximum size of the registry.pol file has been reached. These files are where registry-based configuration settings are stored. The maximum size limit for the file has been increased to 100 MB and larger amounts of data can now be read from a registry.pol so that the processing of Group Policy can be performed more quickly.

In fact, many of the changes in Windows Server 2012 and Windows 8 are designed to increase performance and this applies to Group Policy related changes, too. Another area where this has been improved is with the new feature that causes the Group Policy client service to sleep in between processing sessions. By default, Group Policy processing occurs at 90 minute intervals, but there is no need for the service to run and continually check for time to perform the refresh. So Microsoft has changed this service in Windows 8 to run now as a scheduled task. Any time the Group Policy service is idle for 10 minutes or more, the service will go to sleep. In that state, it doesn’t use system resources and this can result in better overall performance of the client operating system.

Gone but not forgotten

As is usual with the release of a new OS version, some features that existed in previous versions of Windows were removed in Windows Server 2012 / Windows 8. High profile issues such as the removal of the Start button and menu have received a lot of attention. Group Policy hasn’t lost much of its functionality, but there has been a change to the Immediate Task preference item that some folks may not be happy with.

The Immediate Task item allows you to create a task that will run immediately, and then it will be removed whenever Group Policy is refreshed. Immediate tasks are configured through the New Tasks selection in the Scheduled Tasks node, under either Computer Configuration or User Configuration | Preferences | Control Panel Settings. Note that you can find out more about configuring an immediate task here.

Two of the actions that were formerly available in Windows 7 and Windows Server 2008 R2 have been deprecated in Windows 8 and Windows Server 2012. If you attempt to apply either the Send an email or the Display a message preference item, nothing will happen. If you take a look at the log file, though, you’ll see an error message that says 0x80041330 – the task definition uses a deprecated feature.
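
Because these items fail silently on the client, it helps to find them in your GPOs before they are relied on. The following is an added example, not code from the article or from Microsoft: it scans a Group Policy Preferences ScheduledTasks.xml document for the two deprecated action types. The file layout, the element names SendEmail and ShowMessage, the sample XML and the function name are assumptions made for this example.

```powershell
# Added example (not from the article). Assumed layout: GPP scheduled-task items are
# stored in <GPO>\<Machine|User>\Preferences\ScheduledTasks\ScheduledTasks.xml, with
# each action as a <SendEmail> or <ShowMessage> element under <Actions>.
function Find-DeprecatedTaskAction {
    param([xml]$Document, [string]$Source = '(inline)')
    # local-name() keeps the match working whether or not <Task> carries a namespace.
    $xpath = "//*[local-name()='SendEmail' or local-name()='ShowMessage']"
    foreach ($node in $Document.SelectNodes($xpath)) {
        # The nearest ancestor with a clsid attribute is the preference item itself.
        $item = $node.SelectSingleNode('ancestor::*[@clsid][1]')
        [pscustomobject]@{
            Source   = $Source
            ItemType = if ($item) { $item.LocalName } else { '(unknown)' }
            ItemName = if ($item) { $item.GetAttribute('name') } else { '(unknown)' }
            Action   = $node.LocalName
        }
    }
}

# Constructed sample, trimmed to the elements the scan looks at.
$sample = [xml]@'
<ScheduledTasks clsid="{CONSTRUCTED-ROOT}">
  <ImmediateTaskV2 clsid="{CONSTRUCTED-ITEM}" name="Notify helpdesk">
    <Properties action="C" name="Notify helpdesk">
      <Task version="1.2">
        <Actions>
          <ShowMessage><Title>Notice</Title><Body>Maintenance tonight</Body></ShowMessage>
          <Exec><Command>C:\Windows\System32\gpupdate.exe</Command></Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
'@
Find-DeprecatedTaskAction -Document $sample

# Live use against SYSVOL (the path is an assumption; adjust for your domain):
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies" -Recurse -Filter ScheduledTasks.xml |
#   ForEach-Object { Find-DeprecatedTaskAction ([xml](Get-Content $_.FullName -Raw)) $_.FullName }
```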

Summary

Change is inevitable, and Microsoft has made a number of changes to Group Policy in Windows Server 2012 and Windows 8. In this three-part series of articles, we’ve taken a look at the most important additions, improvements and (one) removal of Group Policy features that may affect your use of Group Policy to manage and control the server and client computers in your Windows domain – for the better, I hope.
