Windows Server 2008 R2 Unleashed (123 page)

Active Directory.

ptg

FIGURE 19.10

Examining Group Policy loopback processing.

Group Policy Slow Link Detection and Network Location Awareness

Group Policy uses several mechanisms to determine whether a policy should be processed.

One of the mechanisms used by the Group Policy client computer is called slow link

detection. By default, network tests are performed between the client computer and the

domain controller to determine the speed of the link between the systems. If the speed is

determined to be less than 500kbit/sec, the Group Policy does not process any policies.

Slow link detection default settings, along with the ability to disable slow link detection,

are configurable with each policy.

Group Policy Administrative Templates Explained

603

In previous versions, Group Policy utilized the ICMP protocol or Ping to detect slow links;

this setting is shown in Figure 19.11. With Windows Vista, Windows 7, Windows Server

2008, and Windows Server 2008 R2, Group Policy now uses the Windows Network

Location Awareness service to determine network status. The slow link detection settings

are controlled within the Policies\Administrative Templates\System\Group Policy sections

of the GPO.

ptg

FIGURE 19.11

Examining Group Policy slow link detection.

Group Policy Administrative Templates Explained

Administrative templates are the core elements that make up a GPO. Most settings avail-

able within an administrative template are used to configure a corresponding Registry

19

value for the computer or a user account, usually defined within the HKEY_Local_Machine

or the HKEY_Current_User Registry hive. Other settings are provided to run computer-

and user-based scripts and, in some instances, install or make software packages available

to subsets of users or computers.

Administrative templates come in three basic types:

. ADM files for Windows 2000 client and server, Windows XP, and Windows Server 2003

. ADMX and ADML files for Windows Vista, Windows 7, Windows Server 2008, and

Windows Server 2008 R2

. Custom ADM, ADMX, and ADML files used to extend GPO functionality beyond

what is already included in the Microsoft provided templates

604

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

Administrative Templates for Windows 2000, Windows XP, and

Windows Server 2003

Administrative templates for Windows 2000, Windows XP, and Windows Server 2003 have

a file extension of .adm. ADM file formats are unlike any other file format and are not the

easiest to interpret and create. ADM files include not only the policy settings and their

possible values, but they also include the friendly language used to represent the settings

to the administrator viewing the policy settings using any of the GPO management tools,

detailed later in this chapter.

For each GPO created by an administrator using the Windows XP or Windows Server 2003

GPO tools, a folder for that GPO is created in the connected domain controller’s sysvol

folder. This unique GPO folder contains a common set of ADM files in the language used

on the administrative client computer. As a result of this, in an Active Directory infrastruc-

ture that has multiple GPOs that use the common administrative templates, each GPO has

copies of the same template files within each GPO folder. Each folder is commonly 3MB

to 5MB in size and this is commonly referred to as sysvol bloat because the GPO folders

are stored in the domain controller’s sysvol folder.

When new policies were created using the Windows XP and Windows Server 2003 GPO

tools, a copy of each of the of the ADM template files from the client workstation was

ptg

pushed up to the sysvol folder on the domain controller. When an existing GPO was

edited or opened for viewing, the copy of the templates in the GPO folder was compared

with the version of the template files on the administrative workstation. If the administra-

tive workstation had a newer version, the workstation template was copied up to the GPO

folder and the existing template in the folder was overwritten. This default behavior

caused several problems when Microsoft released updated templates with service pack

releases of Windows XP and Windows Server 2003.

A common issue related to this feature, as an example, is that if an administrator working

on a Windows XP SP2 administrative workstation opened an existing GPO that was

created with a Windows XP SP1 workstation, the template files would be updated to the

new version, causing a replication of the updated templates across all domain controllers.

Another implication of the template file is that the template files included the friendly

language of the administrative workstation the GPO was created on and administrators

across the globe would be unable to manage the same GPO in their local operating

system language. This, of course, caused several administration issues and, in some cases,

regional Active Directory domains were created to allow regional administrators to

manage their client workstations and users with GPOs written and managed in their local

language. To support global administration, Active Directory infrastructures have become

unnecessarily complicated and moved away from the original reason GPOs were created,

to simplify the management, standardize security, and centrally administer and configure

companywide resources.

As a means of avoiding the administrative- and infrastructure-related issues associated with

this GPO infrastructure, a common best practice for managing GPOs for XP or later operat-

ing systems is to only manage GPOs from workstations or servers that meet a single speci-

fication for operating system version, service pack level, and language. Another means of

Group Policy Administrative Templates Explained

605

controlling this is to follow a common practice of configuring all GPOs to not automati-

cally update GPO templates when a GPO is opened for editing. Automatic updates of ADM

files, shown in Figure 19.12, is located in the User Configuration\Policies\Administrative

Templates\System\Group Policy\ section and is named Turn off automatic updates of

ADM Files. As a best practice, many administrators enable this setting to improve GPO

reliability and to keep GPO replication traffic at a minimum.

ptg

FIGURE 19.12

Examining automatic updates of ADM files.

Group Policy Administrative Templates for Windows Vista, Windows

7, Windows Server 2008, and Windows Server 2008 R2

Group Policy for Windows Vista and Windows Server 2008 have been completely revised

and rebuilt from the previous versions, but they still support Windows 2000 client and

server, Windows XP, and Windows Server 2003. Windows 7 and Windows Server 2008 R2

19

build upon this new revision, adding new settings to support the features of the latest

operating systems. The original ADM files have been replaced or split into two files:

. ADMX administrative template settings file

. ADML administrative template language file

The original GPO single administrative template ADM file format was replaced to over-

come many of the original issues with this file format, including the unique ADM format

as well as the inclusive local language of the particular ADM files contained on the admin-

istrative workstation.

With the separation of the ADM file into a settings and local language file, the new

templates enable the administration of a single GPO using different local languages.

606

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

In previous versions, when an administrator viewed or edited a GPO, the local template

files from the administrative workstation were pushed up to the server GPO folder. With

the new Windows Vista/Windows Server 2008 R2 GPO infrastructure, when the GPO is

opened for viewing or editing, the template files located on the local hard drive are loaded

to view the GPO. The GPO folder created with the Windows Vista or Windows Server

2008 R2 GPO tools contains only the files and folders that provide the specifics of the

GPO and not the general template files, as with the previous versions. This improves the

GPO processing time as well as reduces the amount of data stored in the sysvol folder on

each domain controller.

Custom Administrative Templates

Microsoft has provided, in previous versions as well as the current release, the ability for

administrators and independent software vendors (ISVs) to create their own administrative

templates. The current administrative templates released with Windows 7 and Windows

Server 2008 R2 have all of the original ADM settings as well as many of the settings that

administrators either had to create custom templates to support or purchase ISV-created

templates. But even though the new templates provide many more settings, there will still

be custom Registry keys and values, specific application services, and other functions that

organizations want to manage with GPOs. These settings will still need to be provided

with custom templates or by ISV GPO products. For example, when Microsoft releases a

ptg

new version of Internet Explorer, they provide a custom administrative template Group

Policy administrators can import to block domain computers from downloading,

installing, or even presenting the new browser in Windows Updates.

Many ISVs now provide administrative templates for their own applications. Microsoft

also provides administrative templates to further manage their own applications and

suites; for example, Microsoft Office includes new templates that can be used with each

new version of the Office suites.

Custom administrative templates can be created in both the ADM and ADMX/ADML file

formats. To support the amount of time and effort administrators and ISVs have put into

creating custom templates and to support legacy applications, new GPOs will continue to

support administrative templates created in the original ADM file format as well as the

new ADMX/ADML formats.

Although Microsoft has provided the steps to create custom ADMX and ADML files, the

current GPO management tools only allow adding custom ADM templates to specific

GPOs. To leverage the settings in a new custom ADM file, the file must be added to each

GPO that will use it. ADM files that are added to a GPO are made available beneath the

respective Administrative Templates\Classic Administrative Templates (ADM) section of

the computer or user configuration Policies node.

NOTE

When a Group Policy administrator needs to extend Group Policy settings using

ADMX/ADML templates, they should consider using a central store and simply add

these templates to the store, as explained in Chapter 27.