Posts Tagged ‘Group Policy Management’

Summary: Group Policy application seems straightforward enough: Group Policy Objects (GPOs) are linked to organizational units (OUs); users and computers are in OUs. All the GPOs from a user’s OU hierarchy filter down to the user.

Things get more complicated, though, when you remember that GPOs can be linked to a domain and to sites—meaning you’ll have to open a whole new console to see what’s going on. You also have to consider local security policies, which exist solely on the client computer and are applied before any domain-based policies arrive. Throw in options such as Block Policy Inheritance, No Override, and loopback processing, and it’s no wonder there’s such a robust market for third-party GPO tools. However, with some patience and a methodology, you can do quite a bit of quality troubleshooting on your own.

Start from Scratch

Too many administrators try to start at the top, working their way down the hierarchy of GPOs and figuring out which ones apply. That method is time-consuming, error-prone, and just plain boring. It’s a lot easier to start at the bottom—the client—and work your way up the tree. Windows XP’s Gpresult, for example, is a great troubleshooting tool. Run from the command line, it will tell you which groups the current user is a member of (which can affect GPO application), and give you a list of every GPO that is currently affecting the user. You’ll also see the last time that GPOs were applied to the computer. What Gpresult is displaying is called resultant set of policy (RSOP). It works through all the blocked inheritance, no overrides, and conflicting policies to determine exactly which policies are being applied.

By default, Gpresult doesn’t show you which individual policies are applied or what they are set to; because GPOs successively overwrite one another as they are applied, you can still be left with a troubleshooting task to figure out which of the GPOs listed is responsible for the settings you’re seeing. Fortunately, Gpresult has a “superverbose” mode, enabled by running

Gpresult /z

This mode not only displays which GPOs have been applied, but lists every single policy that’s enabled in each GPO, allowing you to see which GPO modified which setting, and which GPO finally won out in the end. Figure 36.1 shows a portion of Gpresult’s superverbose output. In this example, the GPO being applied is Local Group Policy, and you can see exactly which registry keys each setting is modifying.

Superverbose mode also breaks down the user and computer policies, allowing you to see every setting that is affecting the current user or the user’s computer.
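To make the precedence rules above concrete, here is a small Python model of how the resultant set is worked out. It is an added illustration, not part of the original post and not anything Gpresult emits; the site, domain, OU and GPO names and the settings in it are constructed. It applies policies in the order the post describes (local policy first, then site, domain and OUs from the top down, with link order 1 applied last inside a container), honours Block Policy Inheritance and No Override (Enforced), and reports which GPO finally set each value.

```python
from dataclasses import dataclass
@dataclass
class Link:
    gpo: str                # GPO name
    order: int              # link order within its container; 1 = highest precedence
    enforced: bool = False  # the link's "No Override" (Enforced) flag

@dataclass
class Container:            # a site, domain or OU; a chain is listed top-down
    name: str
    links: list
    block_inheritance: bool = False

def application_order(local_gpo, chain):
    """GPO names in the order they are applied; the last one applied wins a conflict."""
    # Block Policy Inheritance on a container drops non-enforced links from containers above it
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for ln in sorted(c.links, key=lambda k: -k.order):  # link order 1 is applied last
            if ln.enforced:
                enforced.append((i, ln.gpo))
            elif i >= blocked_above:
                normal.append(ln.gpo)
    # enforced links go after everything else; those linked higher up the tree go last of all
    enforced.sort(key=lambda t: -t[0])  # stable sort keeps link order inside one container
    return [local_gpo] + normal + [gpo for _, gpo in enforced]

def resultant_set(local_gpo, chain, settings):
    """settings: GPO name -> {setting: value}. Returns setting -> (value, winning GPO)."""
    rsop = {}
    for gpo in application_order(local_gpo, chain):
        for key, value in settings.get(gpo, {}).items():
            rsop[key] = (value, gpo)  # each later GPO overwrites the earlier value
    return rsop
# Constructed sample (names and settings are made up): an enforced domain GPO, a Workstations OU that blocks inheritance, and a Kiosks child OU beneath it
LOCAL = "Local Group Policy"
CHAIN = [
    Container("Default-First-Site-Name", []),
    Container("corp.example", [Link("Default Domain Policy", 1), Link("Domain Lockdown", 2, enforced=True)]),
    Container("OU=Workstations", [Link("Workstation Baseline", 1)], block_inheritance=True),
    Container("OU=Kiosks", [Link("Kiosk Policy", 1)]),
]
SETTINGS = {
    LOCAL: {"ScreenSaverTimeout": "600"},
    "Default Domain Policy": {"ScreenSaverTimeout": "900", "MinPasswordLength": "8"},
    "Domain Lockdown": {"ScreenSaverTimeout": "300", "DisableUSB": "1"},
    "Workstation Baseline": {"ScreenSaverTimeout": "1200", "DisableUSB": "0"},
    "Kiosk Policy": {"ScreenSaverTimeout": "120"},
}
```

In the sample, Block Policy Inheritance on the Workstations OU discards the Default Domain Policy, yet the enforced Domain Lockdown GPO is still applied last and wins every setting it defines, which is exactly the kind of result Gpresult /z lets you confirm on the client.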


.NET Framework 3.0
Provides .NET Framework 3.0 APIs for application development. Additional sub features include .NET Framework 3.0 Features, XPS Viewer, and Windows Communication Foundation (WCF) Activation Components.

BitLocker Drive Encryption
Provides hardware-based security to protect data through full-volume encryption that prevents disk tampering while the operating system is offline. Computers that have a Trusted Platform Module (TPM) can use BitLocker Drive Encryption in Startup Key or TPM-only mode. Both modes provide early integrity validation.

Background Intelligent Transfer Service (BITS) Server Extensions
Provides intelligent background transfers. When this feature is installed, the server can act as a BITS server that can receive file uploads by clients. This feature isn’t necessary for downloads to clients using BITS.

Connection Manager Administration Kit (CMAK)
Provides functionality for generating Connection Manager profiles.

Desktop Experience
Provides additional Windows Vista desktop functionality on the server. Windows Vista features added include Windows Media Player, desktop themes, and Windows Photo Gallery. Although these features allow a server to be used like a desktop computer, they can reduce the server’s overall performance.

Failover Clustering
Provides clustering functionality that allows multiple servers to work together to provide high availability for services and applications. Many types of services can be clustered, including file and print services. Messaging and database servers are ideal candidates for clustering.

Group Policy Management
Installs the Group Policy Management Console (GPMC), which provides centralized administration of Group Policy.

Internet Printing Client
Provides functionality that allows clients to use HTTP to connect to printers on Web print servers.

Internet Storage Name Server (iSNS)
Provides management and server functions for Internet SCSI (iSCSI) devices, allowing the server to process registration requests, de-registration requests, and queries from iSCSI devices.

Line Printer Remote (LPR) Port Monitor
Installs the LPR Port Monitor, which allows printing to devices attached to UNIX-based computers.

Message Queuing
Provides management and server functions for distributed message queuing. A group of related sub features is available as well.

Multipath I/O (MPIO)
Provides functionality necessary for using multiple data paths to a storage device.

Network Load Balancing (NLB)
NLB provides failover support and load balancing for IP-based applications and services by distributing incoming application requests among a group of participating servers. Web servers are ideal candidates for load balancing.

Peer Name Resolution Protocol (PNRP)
Provides Link-Local Multicast Name Resolution (LLMNR) functionality that allows peer-to-peer name-resolution services. When you install this feature, applications running on the server can register and resolve names using LLMNR.

Remote Assistance
Allows a remote user to connect to the server to provide or receive Remote Assistance.

Remote Server Administration Tools (RSAT)
Installs role- and feature-management tools that can be used for remote administration of other Windows Server 2008 systems. Options for individual tools are provided, or you can install tools by top-level category or subcategory.

Removable Storage Manager (RSM)
Installs the Removable Storage Manager tool, which you can use to manage removable media and removable media devices.

Remote Procedure Call (RPC) over HTTP Proxy
Installs a proxy for relaying RPC messages from client applications over HTTP to the server. RPC over HTTP is an alternative to having clients access the server over a VPN connection.

Simple TCP/IP Services
Installs additional TCP/IP services, including Character Generator, Daytime, Discard, Echo, and Quote of the Day.

Simple Mail Transfer Protocol (SMTP) Server
SMTP is a network protocol for controlling the transfer and routing of e-mail messages. When this feature is installed, the server can act as a basic SMTP server. For a full-featured solution, you’ll need to install a messaging server such as Microsoft Exchange Server 2007.

Simple Network Management Protocol (SNMP) Services
SNMP is a protocol used to simplify management of TCP/IP networks. You can use SNMP for centralized network management if your network has SNMP-compliant devices. You can also use SNMP for network monitoring via network management software.

Storage Manager for SANs
Installs the Storage Manager for SANs console. This console provides a central management interface for storage area network (SAN) devices. You can view storage subsystems, create and manage logical unit numbers (LUNs), and manage iSCSI target devices. The SAN device must support Virtual Disk Service (VDS).

Subsystem for UNIX-based Applications (SUA)
Provides functionality for running UNIX-based programs. You can download additional management utilities from the Microsoft Web site.

Windows Internal Database
Installs SQL Server 2005 Embedded Edition. This allows the server to use relational databases with Windows roles and features that require an internal database, such as AD RMS, UDDI Services, Windows Server Update Services (WSUS), Windows SharePoint Services, and Windows System Resource Manager.

Windows PowerShell
Installs Windows PowerShell, which provides an enhanced command-line environment for managing Windows systems.

Windows Process Activation Service
Provides support for distributed Web-based applications that use HTTP and non-HTTP protocols.

Windows Recovery Environment
You can use the recovery environment to restore a server using recovery options if you cannot access recovery options provided by the server manufacturer.

Windows Server Backup
Allows you to back up and restore the operating system, system state, and any data stored on a server.

Windows System Resource Manager (WSRM)
Allows you to manage resource usage on a per-processor basis.

WINS Server
WINS is a name-resolution service that resolves computer names to IP addresses. Installing this feature allows the computer to act as a WINS server.

Wireless Networking
Allows the server to use wireless networking connections and profiles.