Your SlideShare is downloading. ×

Windows server 2012 and group policy


Published on

Windows server 2012 and group policy

Windows server 2012 and group policy

Published in: Education

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. PREPARED BY RAVI KUMAR LANKE Page 1Windows Server 2012 andGroup PolicyIve always been a great fan of Group Policy Objects. They are a fantastic way to retain control of yourenvironment. With Windows Server 2012 the good things keep coming. Today we will look at some of what’s new inGroup Policy in Windows Server 2012. more specifically we will discuss the following: Remote Group Policy Update Group Policy infrastructure status Local Group Policy support for Windows RTIf you want to follow along, I suggest you download the evaluation of Windows Servers 2012 and use the info inthis post to setup your own lab and get acquainted with all the value you can extract from Windows Server 2012 andGroup PoliciesRemote Group Policy UpdateWe can now refresh Group Policy settings, including security settings that are set on a group of remote computers.BAMM!! no more need to call someone local and ask them to issue the old “GPUPDATE /FORCE”’s right there in the Group Policy Management Console (GPMC). This functionality schedules a task on all computersin a selected OU, which refreshes the computer and user Group Policy settings. As long as those computer arerunning one of the following OS: Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows 8 Windows 7 Windows Vistafor anything else… you’re stuck with calling someone. or RDP in that machine and do it yourself.One other requirement…To schedule a Group Policy refresh for domain-joined computers you must have firewall rules that enable inboundnetwork traffic on the ports listed in the following table.Server port Type of network traffic
  • 2. PREPARED BY RAVI KUMAR LANKE Page 2TCP RPC dynamic ports, Schedule (Task Schedulerservice)Remote Scheduled Tasks Management (RPC)TCP port 135, RPCSS (Remote Procedure Call service) Remote Scheduled Tasks Management (RPC-EPMAP)TCP all ports, Winmgmt (Windows ManagementInstrumentation service)Windows Management Instrumentation (WMI-in)There is already a started GPO that has all the required settings to facilitate your task. So use it and make a newGPO that will open all the appropriate ports in your environment. It is a best practice to create a new GPO from thisStarter GPO and link the GPO to your domain, at a higher precedence than the Default Domain GPO, in order toconfigure all computers in the domain to enable a remote Group Policy refresh.1- Right-click the OU on which you want to refresh the policy.
  • 3. PREPARED BY RAVI KUMAR LANKE Page 32- Select “Group Policy Update”3- you’ll be prompted to confirm that you want to run the update. Click “Yes” and you’re done.
  • 4. PREPARED BY RAVI KUMAR LANKE Page 4You can also use PowerShell to achieve the same results. for example, if you wanted to force the update on a singlecomputer. you would use the following command:Invoke-GPUpdate –Computer <Name> -Forceto force the update on a complete OU, you would combine the Get-ADComputer with the Invoke-GPUpdatecmdlet and set the –-RandomDelayInMinutes to 0. For example, to force a refresh of all Group Policysettings for all computers in the Montreal OU of the domain, type the following:Get-ADComputer –filter * -Searchbase "ou=Montreal,dc=prlab,dc=com" | foreach{ Invoke-GPUpdate –computer$ –force –-RandomDelayInMinutes 0}more info here: Policy infrastructure statusGroup Policy can be a complicated infrastructure that give the administrators and the organization the tools tocontrol, remotely computer and user experience in a domain. And up to ow the troubleshooting was mostly reactive.An expected result does not occur, a user call reporting missing configuration, ect… And we jump to action.Some organization have huge reach, across continents and time zones…. This can cause replication lag that willaffect the GPO infrastructure and the way they are applied. In previous versions of Windows, while there were tools,such as GPOtool.exe, to get a view of the GPO replication, it provided inconsistent information.
  • 5. PREPARED BY RAVI KUMAR LANKE Page 5In Windows Server® 2012 the Group Policy Management Console (GPMC) has been enhanced to provide a report onthe overall health state of the Group Policy infrastructure for a domain or to scope the health view down to a singleGPO.New for Windows Server 2012 is a graphical reporting feature in GPMC that allows you to choose a baseline domaincontroller for comparison and see the current Group Policy replication status along with any synchronization detailswhen a comparison finds a differential from the baseline domain controller.To create and analyze an infrastructure status report1. To run an infrastructure status report:o For an entire domain, in the GPMC console tree, locate the domain for which you want to check thereplication status of all the GPOs. Click the selected domain.o For a single GPO, in the GPMC console tree, navigate to the Group Policy Objects container.Expand the Group Policy Objects container and click the GPO for which you want to check thereplication status.2. Click the Status tab in the results pane.3. Click the Detect Now button to gather infrastructure status from all of the domain controllers in thisdomain.This will display the status of Active Directory and SYSVOL replication as it relates to all Group Policy Objects or asingle Group Policy Object.
  • 6. PREPARED BY RAVI KUMAR LANKE Page 6What works differently?In Windows Server 2012, you no longer need to download and run a separate tool for monitoring and diagnosingreplication issues related to Group Policy at the domain level. Potential differences that can be viewed by using theGroup Policy infrastructure status are: Active Directory and SYSVOL security descriptor (ACL details) Active Directory and SYSVOL GPO version details Number of GPOs listed in Active Directory and SYSVOL for each domain controllerLocal Group Policy support for Windows RTLocal Group Policy is available for Windows RT. It is off by default, but can be turned on by the localadministrator. dont get exited… it does not mean that you can join Windows 8 RT to the domain…. but you canconfigure policies on the RT device to control the experience of users.On Windows RT devices, the Group Policy Client service is disabled by default. The Group Policy Client service mustbe set to Automatic and started by the administrator before Group Policy is processed on the device.To turn on the Group Policy Client service
  • 7. PREPARED BY RAVI KUMAR LANKE Page 71- From the start screen, type Services.msc.2-Double-click Group Policy Client to open the Group Policy Client Properties (Local Computer) dialog box.
  • 8. PREPARED BY RAVI KUMAR LANKE Page 8o Set the Startup type to Automatico click Applyo and then click the Start button.Once that’s done you can edit the Local policy using the Group Policy Object Snap-in in the MMC console.