Win Server 2008 Directory Services, Group Policy Enhancements
May 15, 2009
In earlier versions of Windows, in-depth analysis of Group Policy processing involved enabling verbose logging (via registry modifications) of the core client engine (implemented as the Userenv Dynamic Link Library) and of each Client Side Extension. This resulted in multiple log files. In addition, Userenv was also responsible for a number of features unrelated to Group Policy, making the troubleshooting process even more cumbersome. Similarly, server-side logging, which recorded events generated by Group Policy Management Console and Group Policy Editor actions, had its own group of files and corresponding registry entries that needed to be modified. You can find more detailed information regarding this functionality in the Microsoft Technet article Fixing Group Policy problems by using log files.
In Vista SP1 and Windows Server 2008, inconsistent Userenv and CSE-level logging has been replaced by a new centralized system, with all relevant actions recorded in the System Event Log and Group Policy Operational Log (located in the
XML-based nodes in each entry designate individual characteristics of each event, such as ActivityID (assigned to each instance of a Group Policy refresh), the type of processing (background or foreground, synchronous or asynchronous), or the name of the target security principal and the participating Active Directory domain controller. This, in turn, facilitates filtering and the creation of custom views. You can further simplify your log analysis by taking advantage of the GPLogView utility (downloadable from the Microsoft Download Center), which gathers all relevant events from both the System and Group Policy Operational Event Logs. A comprehensive collection of troubleshooting information is included in the article Troubleshooting Group Policy Using Event Logs posted on the Microsoft Technet site.
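The ActivityID-based filtering described above, as an added PowerShell example that is not part of the original article or of any Microsoft tool: it groups Group Policy Operational events by refresh instance and then drills into the most recent refresh that logged a warning or error. The channel name Microsoft-Windows-GroupPolicy/Operational, the function name Get-GpRefreshSummary and the 1000-event window are assumptions, not values taken from the page.

```powershell
# Added example: summarize each Group Policy refresh by its ActivityID.
# Assumption: standard operational channel name (not quoted from the article).
$channel = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-GpRefreshSummary {
    param([Parameter(Mandatory = $true)] $Events)

    $Events |
        Where-Object { $_.ActivityId } |
        Group-Object -Property ActivityId |
        ForEach-Object {
            $group   = $_
            $ordered = @($group.Group | Sort-Object TimeCreated)
            # Level 1 = Critical, 2 = Error, 3 = Warning (4 = Information)
            $problems = @($ordered | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 })
            New-Object PSObject -Property @{
                ActivityId = $group.Name
                Start      = $ordered[0].TimeCreated
                End        = $ordered[-1].TimeCreated
                EventCount = $ordered.Count
                ProblemIds = @($problems | ForEach-Object { $_.Id } | Sort-Object -Unique) -join ','
            }
        }
}

# Read the most recent events (requires rights to read the channel).
$events  = Get-WinEvent -LogName $channel -MaxEvents 1000 -ErrorAction Stop
$summary = @(Get-GpRefreshSummary -Events $events | Sort-Object Start -Descending)
$summary | Format-Table Start, End, EventCount, ProblemIds, ActivityId -AutoSize

# Drill into the latest refresh that logged a warning or error,
# using an XPath filter on the same correlation ID.
$failed = $summary | Where-Object { $_.ProblemIds } | Select-Object -First 1
if ($failed) {
    $xpath = "*[System/Correlation/@ActivityID='{$($failed.ActivityId.ToUpper())}']"
    Get-WinEvent -LogName $channel -FilterXPath $xpath |
        Sort-Object TimeCreated |
        Format-List TimeCreated, Id, LevelDisplayName, Message
}
```

A refresh with entries under ProblemIds is one where some policy may not have been applied, so it is the first place to look when an expected setting is missing on a host.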
When discussing the client side of Group Policy functionality in Windows Server 2008, it is also important to mention an innovative approach to its local implementation. More specifically, Windows Server 2008 (just like Vista) offers three types of Local Group Policy Objects (present on both stand-alone and domain member servers but not on domain controllers). These MLGPOs (Multiple Local GPOs) can be assigned to individual users or pre-defined generic user types. This constitutes a significant departure from earlier versions of Windows, which were limited to a single instance of Local Group Policy applicable to all users, regardless of their privileges. As a result, you can define different settings for administrators and non-privileged users, or even separate them further on a per-user basis. The MLGPOs can be grouped into three categories, listed below in the order in which they are processed:
Configuration of Local Group Policy is handled in the traditional manner by launching Group Policy Object Editor (which can be accomplished simply by running
This concludes our coverage of the client-side Group Policy related enhancements available in Windows Server 2008. In our next article of this series, we will focus on the topics dealing with management of Active Directory-based Group Policies.