Windows Server 2012 - What’s New for Group Policy? (Part 2)

by [Published on 25 June 2013 / Last Updated on 24 July 2013]

This article continues the discussion of Windows Server 2012 group policies by examining additional improvements to the Group Policy Management Console.

If you would like to read the other parts of this article series please go to:

Introduction

In the previous article in this series, I talked about the Status tab in Windows Server 2012’s new and improved Group Policy Management Console. In this article, I want to continue the discussion by talking about some more improvements that Microsoft has made to the Group Policy Management Console.

Forced Group Policy Update

Normally when you make an update to a group policy object, it takes some time before your modifications are propagated through the group policy hierarchy and the change is ultimately applied to the users or the computers to whom the group policy object applies.

Normally this delay isn’t a big deal, but sometimes group policy changes are made as a direct response to a security threat. When this happens you can force the changes to occur right away, but doing so has historically meant going to the command line and using the GPUpdate /Force command.

The Windows Server 2012 Group Policy Management Console makes it possible to force immediate group policy updates to users and computers without having to use the command line. To do so, simply open the Group Policy Management Console and right click on the Active Directory level at which you wish to apply the group policy update, and then select the Group Policy Update command from the shortcut menu, as shown in Figure A.

Image
Figure A:
Right click on an Active Directory container and select the Group Policy Update command from the resulting shortcut menu.

Upon selecting the Group Policy Update command, you will see a dialog box that tells you how many users and computers exist within the container that you selected. This dialog box will also ask you if you want to update the group policy for those users and / or computers.

Assuming that you move forward with forcing the update, you will see a dialog box that tells you how many of the forced updates have succeeded and how many have failed. The thing that is really nice about this dialog box however, is that it contains a Save button that you can use to export the user or computer list to a CSV file. CSV files can be imported into Excel for reporting purposes, and it is also possible to build PowerShell scripts that import data from CSV files and then perform some sort of action based on that data.

It is worth noting that the forced update feature only works if the target computers are running Windows Server 2008 (or Windows Vista) or a newer operating system. It is also worth noting that the update can take up to ten minutes to occur on each target. Updates are performed at random times ranging from zero minutes to ten minutes. This is done as a way of preventing the system from becoming bogged down by too many simultaneous updates.

Group Policy Modeling and Results

The Group Policy Modeling and Group Policy Results features have existed in one form or another since Windows Server 2003 and are alive and well in Windows Server 2012. As you probably know, the Group Policy Modeling feature allows you to see what would happen if a policy applied to a specific user and / or computer. Similarly, the Policy Results feature is a troubleshooting tool that can be used to determine where unexpected policy settings originated. Both the Group Policy Modeling and the Group Policy Results tools have been improved in Windows Server 2012.

Normally it is relatively easy to determine why specific policy settings were applied to a user or computer. Group policy objects are hierarchical and are applied in a specific order. The policy objects that apply to a user and / or computer are combined to form the effective policy. In the event that two policy settings contradict one another, the most recently applied policy takes precedence.

Although these rules for determining the effective policy are relatively straightforward, there are a few different settings that can cause group policy settings to be applied in a completely different way. For example, an administrator might use the block inheritance feature to block group policy objects that are linked to high level containers from being inherited by child level containers. Blocking inheritance disrupts the way that the effective policy is normally formed.

Another mechanism that can interfere with the way that the effective policy is normally formed is the Enforced setting. When a group policy object is enforced, the settings in the group policy object cannot be changed by another group policy object within the hierarchy. Group policy objects are applied in the following order: local computer, domain, site, OU. If an administrator wanted to make a domain level group policy object authoritative and ensure that settings were not overwritten by settings within group policy objects that reside at the site or OU level then the administrator could flag the domain level group policy object as enforced.

Yet another factor that can affect group policy object processing is the slow link detection mechanism. This mechanism, which has existed since Windows 2000, checks to see if a user is working from a computer that is connected to the domain controller over a slow link. If a slow link is detected then there are certain types of group policy settings are not applied. By default, Windows does not apply group policy settings related to software installation, scripts or folder redirection if a slow link is detected. If an administrator is not aware of the slow link detection mechanism and its impact on the effective policy then the administrator may wonder why certain policy settings are missing from the effective policy.

So what does all of this have to do with the new Group Policy Management Console? Well, as explained things like blocked inheritance, enforced policies, and slow links can cause group policy settings to be applied in a different way than they ordinarily would be. These mechanisms are notorious for making group policy troubleshooting difficult. That being the case, Microsoft has redesigned the Group Policy Management Console’s modeling and results features so that they alert you when these types of mechanisms have been used.

The modeling and reporting features automatically alert you to the use of blocked inheritance and group policy object enforcement. These features also tell you whether slow link processing or fast link processing was used, as shown in Figure B.

Image
Figure B:
The modeling and reporting features tell you whether slow link processing or fast link processing was used.

As you look at the figure above, you will notice that both of the fast link detection messages include a More Information hyperlink. Clicking on this hyperlink takes you to a TechNet article that explains link speed processing and its effect on the effective policy.

Conclusion

As you can see, Microsoft has made a number of notable improvements to the Group Policy Management Console in Windows Server 2012. Even so, the console is not the only area in which group policies have been improved. In the next article in this series, I will discuss some other ways in which group policies have been improved.

If you would like to read the other parts of this article series please go to:

 

Advertisement

Featured Links