Friday, September 6, 2013

Windows Server 2012 – The New and Improved Group Policy Management Console


With Windows Server 2012, there are tools, features and functions that are available from the first member server (or Win8 PC with the RSAT pack - http://www.microsoft.com/en-us/download/details.aspx?id=28972).

You don't need a schema extension, you don't need to deploy any 2012 Domain Controllers, and you don't need to raise the Domain or Forest Functional Levels. All you need to do is install the OS and install/enable the Remote Server Administration Tools.
In this post, I'll show you some things in the updated "Group Policy Management Console" (GPMC).

Before I show off some of the coolness of the new GPMC, hop on the 'way-back' machine and recall the joys of GPO editing circa Windows 2000….anyone remember doing that?

The GPMC is one of those rare IT gems – free, easy to use without too much ramp-up or massive whitepapers to pore through before you're able to make use of the tool and get some work done.

We got it right with that tool… and it has some great improvements in 2012.

Group Policy Infrastructure Status

When you open the GPMC, there is now a 'Status' tab. This shows 'at-a-glance' replication status of the Group Policy elements across your DCs.
  • Repeating: You don't need any WS 2012 DCs to see this data – GPMC can get the information from W2k3 and newer DCs.
This first screen shot shows that "Infrastructure Status" data has not been gathered yet for this domain and that DC01 is the current "baseline domain controller" (which can be changed).

Click "Detect Now" at the bottom of the tab to initiate the data gathering and comparison against the baseline DC.

** WARNING ** This can take some time in a large AD environment, as it has to check multiple items on EACH DC in the domain.


Click the circle-arrow buttons to see more detail … currently showing that all four GPOs in the domain are in full sync between my baseline DC and my one other DC.


Refresh the console to see how the DCs drift from full sync as GPOs are edited and replication occurs…


If you click the "GPO version" link under "Active Directory" or "SysVol", a dialog shows the version numbers for the GPO(s) not yet in sync…


Refresh the console again to see the replication status settle back into full sync against the baseline DC…


Here's a screenshot of the same process with the "baseline domain controller" being a 2003 R2 DC which also hosts all 5 FSMOs in my lab domain/forest.


And the Domain/Forest functional levels are still at 2003.
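Here's the same AD-versus-SYSVOL version comparison done from PowerShell, as an added example that is not part of the original post. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and uses DC01 (the post's baseline DC) as the baseline.

```powershell
# Added example (not from the original post): an Infrastructure-Status-style check from
# PowerShell. Reads each GPO's AD and SYSVOL version numbers from a baseline DC and from
# every other DC, then flags any GPO whose versions differ. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules; 'DC01' is the post's baseline DC.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BaselineDC = 'DC01'

# Collect the version numbers of every GPO as one specific DC sees them, keyed by GPO GUID.
function Get-GpoVersionTable {
    param([string]$Server)
    $table = @{}
    foreach ($gpo in Get-GPO -All -Server $Server -ErrorAction Continue) {
        $table[$gpo.Id.Guid] = [pscustomobject]@{
            Name           = $gpo.DisplayName
            UserDS         = $gpo.User.DSVersion
            UserSysvol     = $gpo.User.SysvolVersion
            ComputerDS     = $gpo.Computer.DSVersion
            ComputerSysvol = $gpo.Computer.SysvolVersion
        }
    }
    return $table
}

$baseline = Get-GpoVersionTable -Server $BaselineDC
$otherDCs = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $BaselineDC }

$report = foreach ($dc in $otherDCs) {
    $remote = Get-GpoVersionTable -Server $dc.HostName
    foreach ($id in $baseline.Keys) {
        $b = $baseline[$id]
        $r = $remote[$id]
        # Same order as the console's "GPO version" dialog: Active Directory first, then SYSVOL.
        $state = if (-not $r) { 'Missing on DC' }
                 elseif ($b.UserDS -ne $r.UserDS -or $b.ComputerDS -ne $r.ComputerDS) { 'AD out of sync' }
                 elseif ($b.UserSysvol -ne $r.UserSysvol -or $b.ComputerSysvol -ne $r.ComputerSysvol) { 'SYSVOL out of sync' }
                 else { 'In sync' }
        $remoteAD     = if ($r) { "$($r.UserDS)/$($r.ComputerDS)" } else { '-' }
        $remoteSysvol = if ($r) { "$($r.UserSysvol)/$($r.ComputerSysvol)" } else { '-' }
        [pscustomobject]@{
            DC             = $dc.Name
            GPO            = $b.Name
            State          = $state
            BaselineAD     = "$($b.UserDS)/$($b.ComputerDS)"      # user/computer versions
            RemoteAD       = $remoteAD
            BaselineSysvol = "$($b.UserSysvol)/$($b.ComputerSysvol)"
            RemoteSysvol   = $remoteSysvol
        }
    }
}

# Anything other than 'In sync' is the drift the console shows between refreshes.
$report | Sort-Object State, DC, GPO | Format-Table -AutoSize
```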


Remote GP Update

Next up is remote GP Update – yes ladies and gentlemen, you can select an OU and choose to initiate a GPUpdate /FORCE on the computers within that OU.


Two computers are found in the target OU (and any sub-OUs)…


The update fails against one. We can "Save" the log to a CSV file for documentation, historical tracking or further troubleshooting work.




I opened the appropriate firewall ports via the "Group Policy Remote Update Firewall Ports" Starter GPOs which are part of WS 2012, too. I was then able to update the failing system.


The way this works is that it creates a Scheduled Task to run GPUPDATE /FORCE on each system in the OU for both the USER and COMPUTER portions of the GPO(s).
  • This only works on Vista/2008 and newer OS instances
  • Uses a random offset of 0-10 minutes for each system, so they don't all jump at once
  • A command-prompt window will display when the Task executes on the target machine(s) if a user is logged in – beware possible end-user confusion and possible help-desk calls when this happens
  • The UI is an 'all-or-nothing' situation. It will refresh GPOs on all systems within the OU – if you need some granularity, you need some (surprise!) PowerShell via the Invoke-GPUpdate cmdlet, which…
      • Allows you to target one or more specific computers (instead of all in an OU/sub-OU)
      • Allows you to set a specific time offset/delay (instead of 0-10 minutes)
      • Allows you to restart the target PC or log off any logged-on user (if you need to ensure that Policy settings that require a restart or log-off/on get refreshed)
      • Other flexible options
      • Example: Invoke-GPUpdate -Computer DHCP01 -RandomDelayInMinutes 1 -Force
        • Does a GPUPDATE /FORCE for user and computer Policies on a computer named DHCP01 with a 1-minute delay
  • While you're browsing PowerShell as it relates to GPOs, please take a quick look at the "Backup-GPO" cmdlet
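Putting those cmdlets together, here's a targeted remote refresh written as an added example (not from the original post): it backs up the GPOs first, refreshes only a chosen subset of an OU, and saves per-computer results to a CSV the way the console's "Save" button does. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the OU distinguished name and file paths are placeholders.

```powershell
# Added example (not from the original post): a targeted remote refresh with Invoke-GPUpdate,
# recording per-computer results to a CSV like the console's "Save" button. Assumes the
# GroupPolicy and ActiveDirectory RSAT modules; the OU DN and paths are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$SearchBase = 'OU=Servers,DC=contoso,DC=com'          # placeholder OU, change for your domain
$BackupPath = Join-Path $env:TEMP 'GPOBackup'
$LogPath    = Join-Path $env:TEMP "gpupdate-$(Get-Date -Format yyyyMMdd-HHmm).csv"

# Take a full GPO backup first so a bad edit pushed by this refresh can be undone with Restore-GPO.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -All -Path $BackupPath | Out-Null

# Pick a named subset of the OU instead of everything in it (the console is all-or-nothing).
$targets = Get-ADComputer -SearchBase $SearchBase -Filter 'OperatingSystem -like "*Server*"' |
           Select-Object -ExpandProperty Name

$results = foreach ($computer in $targets) {
    $entry = [ordered]@{ Computer = $computer; Time = Get-Date; Status = ''; Detail = '' }
    # Offline hosts are reported as unreachable instead of being scheduled and left to fail.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        $entry.Status = 'Unreachable'
        [pscustomobject]$entry
        continue
    }
    try {
        # User and computer policy, spread over a 0-1 minute random delay, no reboot or logoff.
        Invoke-GPUpdate -Computer $computer -RandomDelayInMinutes 1 -Force -ErrorAction Stop
        $entry.Status = 'Scheduled'
    } catch {
        # Usual cause: the "Group Policy Remote Update Firewall Ports" starter GPO not applied yet.
        $entry.Status = 'Failed'
        $entry.Detail = $_.Exception.Message
    }
    [pscustomobject]$entry
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
Write-Host "Log saved to $LogPath"
```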

GP Reporting

Wrapping up this post, have a look at the GP Reporting improvements (both in Results and Modeling):



A few items of note here:
  • Displays visually, right at the top of the report, if/when inheritance is blocked – an immediate flag in terms of troubleshooting
  • Displays visually, right at the top of the report, if/when a GPO is Enforced – an immediate flag in terms of troubleshooting
  • Whether or not a fast link was detected
  • When Policy was last refreshed and how long it took
  • Active links for recent GPO Event Log data on the target machine
Broken record repeat - important note – the updated GPMC tool is ready to go as soon as you deploy your first WS 2012 or Win8 member system w/ RSAT tools installed and enabled.
  • No ADPREP needed
  • No WS 2012 DCs required
  • No domain functional levels required
