Windows Server 2008 Directory Services

Module 12

Changes to Group Policy

Microsoft Confidential - For Internal Use Only

Module 12: What you will learn

 ADMX and ADML Policy Files

 Steps to create a Central Store (During the Lab)
 Using classic and ADMX Administrative Templates
 Filtering and Searching Policy Settings
 Introduction to the Group Policy Preference extensions for
GPMC

2
Microsoft Confidential - For Internal Use Only
Lesson 1: Group Policy Changes with Windows
Server 2008
 Windows Server 2008 Administrative Templates
 ADMX and ADML files
 Legacy Template Support for ADM files
 How to: Create a Central Server to store templates
 Starter Group Policies

3
Microsoft Confidential - For Internal Use Only
Administrative Templates

 Administrative Template files contain markup language that

is used to describe registry-based Group Policy. First
released in Windows NT 4, Administrative Template files
used a unique file format known as ADM files. In Windows
Vista, these files are replaced by an XML-based file format
known as ADMX files. These new Administrative Template
files make it easier to manage registry-based policy
settings in Windows Vista and Windows Server 2008.

4
Microsoft Confidential - For Internal Use Only
ADMX and ADML files

 New for Group Policy starting with Windows Vista and

Windows Server 2008 is the ADMX file. The ADMX file
provides an XML-based administrative template file format
for registry-based policy setting display information.
 In Windows Vista, Group Policy Object Editor and Group
Policy Management Console can obtain registry-based
policy settings from an XML-based administrative template
ADMX file. An ADMX file is defined as a set of one
language neutral file (.admx) and associated ADMX
language resource files (.adml).
 

5
Microsoft Confidential - For Internal Use Only
ADM and ADMX File Locations

6
Microsoft Confidential - For Internal Use Only
Locations for ADMX files on the Central Store
 

7
Microsoft Confidential - For Internal Use Only
Changes to Storage of Policy files

 Unlike ADM files, ADMX files are not stored in individual GPOs. For
domain-based enterprises, administrators can create a central store
location of ADMX files that is accessible by anyone with permission to
create or edit GPOs.

 Group Policy tools will continue to recognize custom ADM files you
have in your existing environment, but will ignore any ADM file that has
been superseded by ADMX files: System.adm, Inetres.adm,
Conf.adm, Wmplayer.adm, and Wuau.adm.

 Therefore, if you have edited any of the these files to modify existing or
create new policy settings, the modified or new settings will not be read
or displayed by the Windows Vista–based Group Policy tools.

8
Microsoft Confidential - For Internal Use Only
Implications of ADMX Files in Your Environment

 New Windows Vista–based or Windows Server 2008–

based policy settings can be managed only from
Windows Vista–based or Windows Server 2008–based
administrative machines running Group Policy Object
Editor or Group Policy Management Console.
 Group Policy Object Editor on Windows Server 2003,
Windows XP, or Windows 2000 machines will not display
new Windows Vista Administrative Template policy settings
that may be enabled or disabled within a GPO.

9
Microsoft Confidential - For Internal Use Only
Implications of ADMX files in your environment
continued
 The Windows Vista or Windows Server 2008 versions of Group
Policy Object Editor and Group Policy Management Console
can be used to manage all operating .
 Administrative Template policy settings that currently exist in
ADM files from Windows Server 2003, Windows XP, and
Windows 2000 can be configured from all operating systems .
 The Windows Vista or Windows Server 2008 versions of Group
Policy Object Editor and Group Policy Management Console
support interoperability with versions of these tools on
Windows Server 2003, and Windows XP
 The Windows Vista or Windows Server 2008 versions of Group
Policy Object Editor support interoperability with versions of
Group Policy Object Editor on Windows Server 2000

10
Microsoft Confidential - For Internal Use Only
Searching for Policy Settings

To search for a Group Policy object

11
Microsoft Confidential - For Internal Use Only
Keyword Filters for Policy Objects

 The Group Policy Management Console allows you to

change the criteria for displaying Administrative Template
policy settings. By default, the editor displays all policy
settings, including preference settings (previously referred
as unmanaged policy settings). However, you can use
keyword filters to change how the Group Policy
Management Editor displays Administrative Template policy
settings. 

12
Microsoft Confidential - For Internal Use Only
Starter Group Policy Objects

 Starter Group Policy objects derive from a Group Policy

object, and provide the ability to store a collection of
Administrative Template policy settings in a single object.
You can import and export Starter GPOs, which makes
them easy to distribute to other environments. When you
create a new Group Policy object from a Starter GPO, the
new Group Policy object has all of the Administrative
Template policy settings and their values that were defined
in the Starter GPO.
 The Group Policy Management Console stores Starter
GPOs in a folder named StarterGPOs located on the
shared sysvol folder found on domain controllers.

13
Microsoft Confidential - For Internal Use Only
Steps to create a Starter GPO

 
1. Open the Group Policy Management Console.
2. Right-click Starter GPOs and then click New.
3. In the New Starter GPO dialog box, type the name of the
Starter GPO in the Name box. Optionally, you can type
comments in the Comments box.
4. Click OK.

14
Microsoft Confidential - For Internal Use Only
To create a new GPO from a Starter GPO

1. Open the Group Policy Management Console. Expand the

Starter GPOs node.
2. Right-click the Starter GPO you want to use to create a
new Group Policy object and then click New GPO from
Starter GPO.
3. In the New GPO dialog box, type the name of the new
Group Policy object in the Name box.
4. Click OK.

15
Microsoft Confidential - For Internal Use Only
To import a Starter GPO

1. Open the Group Policy Management Console. Click the

Starter GPOs node.
2. Click Load Cabinet. Then click Browse for CAB.
3. Use the Load Starter GPO dialog box to locate the Starter
GPO cabinet you want to load. Click the file name and then
click Open.
4. Click OK to complete the import.

16
Microsoft Confidential - For Internal Use Only
To Export a Starter GPO

1. Open the Group Policy Management Console. Click the

Starter GPOs node.
2. Click Save as Cabinet.
3. In the Save Starter GPO as Cabinet window, type the name
of the file in the File name box. Optionally, you can click
Browse Folders if you want to change the location where
the cabinet file is saved.
4. Click Save.

17
Microsoft Confidential - For Internal Use Only
Backing up and Restoring Starter GPO’s

1. Open the Group Policy Management Console. Expand the

Starter GPOs node.
2. To back up a single Starter GPO, right-click the Starter GPO, and
then click Back Up. To back up all Starter GPOs in the domain,
right-click Starter GPOs and click Back Up All.
3. In the Backup Starter GPO dialog box, in the Location box, enter
the path to the location in which you want to store the Starter
GPO backups, or click Browse, locate the folder in which you
want to store the Starter GPO backups, and then click OK.
4. In the Description box, type a description for the Starter GPOs
that you want to back up, and then click Back Up. If you are
backing up multiple Starter GPOs, the description will apply to all
Starter GPOs you back up.
5. After the operation completes, click OK.
18
Microsoft Confidential - For Internal Use Only
 Restoring a Starter GPO

 
1. Open the Group Policy Management Console. Expand the
Starter GPOs node.
2. Right-click Starter GPOs and then click Manage Backups.
3. In the Manage Backups dialog box, in the Backup location
box, type the path to the backup folder. You can also use
Browse to locate the backup folder.
4. In the Backed up Starter GPOs box, select the Starter GPO
that you want to restore from the list of Starter GPO
backups shown, and then click Restore.
5. When prompted to confirm the restore operation, click OK.
6. After the operation completes, click OK and then click Close

19
Microsoft Confidential - For Internal Use Only
Lesson 2: Introduction to Group Policy Preference
Extensions (Formerly Policy Maker)
 Overview of Policy Maker
 GPMC Preference extensions for GPMC
 New Nodes
 Preferences versus Policy Settings

20
Microsoft Confidential - For Internal Use Only
Group Policy Preferences

 Group Policy extends its functionality in Windows Server

2008 by introducing Group Policy preferences. Preferences
provide more than twenty Group Policy extensions that
expand the range of configurable preference settings within
a Group Policy object. Group Policy allows you to manage
drive mappings, registry settings, local users and groups,
services, files, and folders without the need to learn a
scripting language.

21
Microsoft Confidential - For Internal Use Only
Preference Extensions under Windows Settings

 Applications
 Drive Maps
 Environment
 Files
 Folders
 Ini Files
 Internet Explorer
 Registry
 Network Shares
 Shortcuts

22
Microsoft Confidential - For Internal Use Only
Preference Extensions under Control Panel
Settings
 Data Sources
 Devices
 Folder Options
 Internet Settings
 Local Users and Groups
 Network Options
 Power Options
 Printers
 Regional Options
 Scheduled Tasks
 Services
 Start Menu
23
Microsoft Confidential - For Internal Use Only
Configuring Common Options

 Common options include:

 Stop processing items in this extension if an error occurs on this
item
 Run in logged-on user's security context (user policy option)
 Remove this item when it is no longer applied
 Apply once and do not reapply
 Item-level targeting

24
Microsoft Confidential - For Internal Use Only
Enable or Disable Settings in a Preference Item

 A setting with a solid green underline or a green circle is

enabled..
 A setting with a dashed red underline or red circle with a
slash is disabled.

25
Microsoft Confidential - For Internal Use Only
Resources

 Group Policy Settings:

http://www.microsoft.com/downloads/details.aspx?familyid=7821C32
F-DA15-438D-8E48-45915CD2BC14&displaylang=en
 
 Group Policy Inventory (GPInventory.exe) allows administrators to
collect Group Policy and other information from any number of
computers in their network.
http://www.microsoft.com/downloads/details.aspx?familyid=1D24563
D-CAC9-4017-AF14-8DD686A96540&displaylang=en
 ADMX Syntax Guide
http://technet2.microsoft.com/windowsserver2008/en/library/ea9aca8
8-4971-42ad-86d7-c9a58d4f975e1033.mspx?mfr=true
 Enabling UserEnvLogging on Widows 2000, XP, 2003
http://support.microsoft.com/kb/221833
 3rd Party Tools and Extensions for Group Policy
http://support.microsoft.com/kb/221833
26 Troubleshooting Group Policy using Event logs
Microsoft Confidential - For Internal Use Only