Win Server 2008 Directory Services, Group Policy Enhancements

May 15, 2009

In earlier versions of Windows, in-depth analysis of Group Policy processing involved enabling verbose logging (via registry modifications) of the core client engine (implemented in the Userenv dynamic link library) and of each Client Side Extension (CSE). This resulted in multiple log files. In addition, Userenv was also responsible for a number of features unrelated to Group Policy, making the troubleshooting process even more cumbersome. Similarly, server-side logging — recording events generated by Group Policy Management Console and Group Policy Editor actions — had its own group of files and corresponding registry entries that needed to be modified. You can find more detailed information regarding this functionality in the Microsoft TechNet article Fixing Group Policy problems by using log files.

In Vista SP1 and Windows Server 2008, the inconsistent Userenv and CSE-level logging has been replaced by a new centralized system, with all relevant actions recorded in the System Event Log and the Group Policy Operational Log (located in the Application and Services Logs\Microsoft\Windows\Group Policy section of the Windows Event Viewer), with the source clearly identified as "Group Policy". In addition, the content of each log entry has been supplemented with an improved description of the corresponding event as well as, in the case of a problem (indicated by the Error or Warning level), with suggestions regarding the most likely causes and potential remediation or resolution methods.

XML-based nodes in each entry designate individual characteristics of each event, such as the ActivityID (assigned to each instance of a Group Policy refresh), the type of processing (background or foreground, synchronous or asynchronous), or the names of the target security principal and the participating Active Directory domain controller. This, in turn, facilitates filtering and the creation of custom views. You can further simplify your log analysis by taking advantage of the GPLogView utility (downloadable from the Microsoft Download Center), which gathers all relevant events from both the System and Group Policy Operational event logs. A comprehensive collection of troubleshooting information is included in the article Troubleshooting Group Policy Using Event Logs posted on the Microsoft TechNet site.
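The following PowerShell script is an added example (not part of the original article) of the ActivityID-based filtering described above: it reads the Group Policy Operational log, groups events by ActivityID so that each group is one refresh instance, and prints the full trace of every refresh that logged an Error or Warning, including the named XML data fields and the first line of the remediation text. It assumes the channel name Microsoft-Windows-GroupPolicy/Operational (the name used from Vista SP1 / Server 2008 onward), Windows PowerShell 3.0 or later, and a default 7-day window.

```powershell
# Added example (not from the original article): read the Group Policy
# Operational log, group events by ActivityID (one per refresh instance), and
# dump the full trace of every refresh that logged an Error or Warning.
# Assumptions: channel name "Microsoft-Windows-GroupPolicy/Operational",
# Windows PowerShell 3.0+, and a default 7-day look-back window.
param([int]$Days = 7)

$log    = 'Microsoft-Windows-GroupPolicy/Operational'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue

# Each refresh carries its own ActivityID, so grouping on it rebuilds the refresh.
$refreshes = $events | Where-Object { $_.ActivityId } | Group-Object ActivityId
# Level 2 = Error, 3 = Warning in the Windows event schema.
$failed = $refreshes | Where-Object { $_.Group | Where-Object { $_.Level -in 2,3 } }
if (-not $failed) { "No Group Policy refresh reported errors or warnings in the last $Days day(s)."; return }

foreach ($r in $failed) {
    $trace = $r.Group | Sort-Object TimeCreated
    "`n=== Refresh {0}: {1} events starting {2} ===" -f $r.Name, $trace.Count, $trace[0].TimeCreated
    foreach ($e in $trace) {
        # Named EventData fields (principal, domain controller, CSE name, ...)
        # vary by event ID, so read them generically from the event XML.
        $xml  = [xml]$e.ToXml()
        $data = ($xml.Event.EventData.Data | Where-Object { $_.Name } |
                 ForEach-Object { '{0}={1}' -f $_.Name, $_.'#text' }) -join '; '
        '{0:HH:mm:ss} {1,-11} {2,5} {3}' -f $e.TimeCreated, $e.LevelDisplayName, $e.Id, $data
        if ($e.Level -le 3) {
            # The event description carries the likely cause and remediation hints.
            '      -> ' + (($e.Message -split "`r?`n")[0])
        }
    }
}
```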

When discussing the client side of Group Policy functionality in Windows Server 2008, it is also important to mention an innovative approach to its local implementation. More specifically, Windows Server 2008 (just like Vista) offers three types of Local Group Policy Objects (present on both stand-alone and domain member servers — but not on domain controllers). These MLGPOs (Multiple Local GPOs) can be assigned to individual users or to pre-defined generic user types, which constitutes a significant departure from the approach employed in earlier versions of Windows, which were limited to a single instance of Local Group Policy applicable to all users, regardless of their privileges. As a result, you can define different settings for administrators and non-privileged users, or even separate them further on a per-user basis. The MLGPOs can be grouped into three categories, listed below in the order in which they are processed:

  • Local Group Policy - consisting of a single Group Policy Object that applies to the local computer as well as to all users who log on to it. In essence, this is equivalent to the functionality built into the operating system since the release of the Windows 2000 platform.
  • Administrators and Non-Administrators Local Group Policy - comprised of two GPOs (containing only user configuration settings), one of them applied to members of the local Administrators group and the other to all remaining, non-privileged users.
  • User-Specific Local Group Policy - containing only user configuration settings and targeting individual, arbitrarily selected users (which implies one GPO per user whose environment you decide to configure in this manner). Note that it is not possible to use local groups for this purpose.

Configuration of Local Group Policy is handled in the traditional manner by launching the Group Policy Object Editor (which can be accomplished simply by running GPEDIT.MSC from an elevated Command Prompt or the Run text box). To create or edit other MLGPOs, you must launch a Microsoft Management Console (e.g., by executing MMC within the security context of a privileged account), add the Group Policy Object Editor from the list of available snap-ins, and set its focus on a target user or group by clicking the Browse... command button in the Select Group Policy Object dialog box. Once the Browse for a Group Policy Object window appears, switch to the Users tab and choose an appropriate account. Note that this interface also allows you to remove or disable any existing MLGPOs. After you have confirmed your choices, you will be presented with the standard Group Policy Object Editor interface, from which you simply apply the desired settings. Note that it is possible to disable MLGPOs by using the Turn Off Local Group Policy Object Processing Group Policy setting residing in the Computer Configuration\Administrative Templates\System\Group Policy node.
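As an added example (not part of the original article), the PowerShell script below inventories the MLGPOs defined on a server in the processing order listed above and reports whether the Turn Off Local Group Policy Object Processing setting is in effect, which is a useful check when reviewing whether administrators and standard users actually receive different local settings. It assumes Windows PowerShell 3.0 or later and that, as on Vista and Server 2008, the Local Group Policy lives under %SystemRoot%\System32\GroupPolicy, the Administrators and Non-Administrators GPOs under %SystemRoot%\System32\GroupPolicyUsers\S-1-5-32-544 and S-1-5-32-545, user-specific GPOs under that folder by user SID, and that the policy setting is backed by the DisableLGPOProcessing registry value; none of these locations are stated in the article.

```powershell
# Added example (not from the original article): list the Multiple Local GPOs
# present on this machine and report whether local GPO processing is switched
# off by policy. Assumed locations (not given in the article): the Local GPO
# under %SystemRoot%\System32\GroupPolicy, the per-SID MLGPOs under
# %SystemRoot%\System32\GroupPolicyUsers, and the "Turn Off Local Group Policy
# Object Processing" setting backed by the DisableLGPOProcessing value.
$root      = Join-Path $env:SystemRoot 'System32'
$wellKnown = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-545' = 'Non-Administrators' }
$inventory = @()

# Order 1: the single Local Group Policy (computer and all users).
$localState = if (Test-Path (Join-Path $root 'GroupPolicy\gpt.ini')) { 'configured' } else { 'not configured' }
$inventory += [pscustomobject]@{ Order = 1; Scope = 'Local Group Policy'; Target = "All users and computer ($localState)" }

# Orders 2 and 3: one folder per SID, well-known group SIDs first, then individual users.
Get-ChildItem (Join-Path $root 'GroupPolicyUsers') -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $sid = $_.Name
    if ($wellKnown.ContainsKey($sid)) {
        $inventory += [pscustomobject]@{ Order = 2; Scope = 'Administrators / Non-Administrators'; Target = $wellKnown[$sid] }
    } else {
        # Resolve the SID to an account; a folder left behind by a deleted account stays unresolved.
        try   { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "<unresolved SID> $sid" }
        $inventory += [pscustomobject]@{ Order = 3; Scope = 'User-Specific'; Target = $name }
    }
}
$inventory | Sort-Object Order, Target | Format-Table -AutoSize

# The policy switch that disables all local GPO processing on domain-managed machines.
$disabled = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name DisableLGPOProcessing -ErrorAction SilentlyContinue).DisableLGPOProcessing
if ($disabled -eq 1) { 'Local GPO processing is turned OFF by policy; the objects above are not applied.' }
else                 { 'Local GPO processing is enabled; the objects above apply in the order shown.' }
```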

This concludes our coverage of the client-side Group Policy related enhancements available in Windows Server 2008. In our next article of this series, we will focus on the topics dealing with management of Active Directory-based Group Policies.