What’s New for Group Policy in Server 2012

Some of you that know me (through my www.gpoguy.com and www.sdmsoftware.com sites) know that I spend an inordinate amount of time exploring, developing against and helping customers with Group Policy. So I was anxious to see what changes Microsoft made in Server 2012 with respect to Group Policy. Of course, as a Group Policy MVP, I had a chance to see and even give input on these improvements months ago, but now that this stuff is live, let’s explore some cool new features that Microsoft has added to Group Policy. It’s important to note that while these are really evolutionary rather than revolutionary, they’ve added some key new capabilities to make Group Policy really your best friend for enterprise-class configuration management.

So here’s a rundown of the new GP features in Server 2012:

  • Improved Troubleshooting: This is a big one, as far as I’m concerned. Within GPMC in Server 2012, Microsoft has added some useful additional data to Resultant Set of Policy (RSoP) reporting,  to help you understand how your clients are processing GP. Namely the RSOP report now includes additional troubleshooting details and tips that can help users really get to the heart of any processing issues. As you can see in the screen below, the Summary tab on the Group Policy Results report now gives you a nice wrap-up of GP processing for a target machine and user, along with warnings on items that might be impactful to GP processing (such as Block Inheritance on an OU containing the target machine)

In addition the Details tab of this report now also includes timings for each Client Side Extension, which is extremely useful for knowing where GP processing might be spending too much time and can help you get at logon or startup delays in Windows 8 systems.

  • Remote Group Policy Update: This one is a long time coming and is finally here. Within the new GPMC in Server 2012, Microsoft has added the ability to trigger remote GP refreshes (i.e. gpupdate /force) from a central location. If you right-click an OU (note that it’s not available at the domain level) and choose “Group Policy Update”, a dialog appears that lets you send a remote GP Update command to all computers in that OU. Once the command starts, you get a success or failure indication for each machine in the OU (see the screen shot below).


In addition to this GPMC-based feature, the Group Policy PowerShell module (import-module grouppolicy) that comes with GPMC now provides a new invoke-gpupdate cmdlet that lets you perform command-line GP refreshes (note that I also provide this capability for free in my GP Refresh cmdlet at www.sdmsoftware.com/freeware and it can be run on pre-Win8 systems as well).

  • Group Policy Infrastructure Status: Many of you are probably familiar with GPOTool.exe, the command-line utility that has been around forever for checking replication health of GPOs across all DCs (remember that a GPO is composed of an AD piece and SYSVOL piece). Well that tool has been much improved upon with a new Status tab in GPMC, that is accessible by selecting the domain name node within that console. if you press the “Detect Now” button, the tool will go out to all your DCs and ensure that GPOs on each DC are in sync, as compared to the PDC emulator DC (you can change the baseline if needed), which is typically where GPO changes originate. The status tool checks not only GPO version numbers between AD and SYSVOL for each GPO, but also does a checksum of the file system content within SYSVOL. As you can imagine, this could take a while in large environments for checking all GPOs on all DCs, so keep in that mind when you’re waiting for results. The figure below shows a screenshot of this handy tool.

  • New Behavior for GP Client Service: Although this change is mostly under the covers, it’s important to know about nonetheless. Namely, the “Group Policy Client” service, which is the Windows Service responsible for processing policy, will now shut itself down after 10 minutes of inactivity (on Windows 8 clients only! The Server 2012 client stays running all the time). This is part of the new effort to reduce power consumption and resources on Windows 8. By and large this change will go unnoticed by most administrators but it’s an interesting feature to know about nonetheless.
  • Deprecation of IE Maintenance Policy: This is a rather large change that I blogged about a while back. Namely, Microsoft has removed support for editing and processing of IE Maintenance Policy in Windows 8 and Server 2012. While this is a pretty drastic step, it’s probably not a bad thing considering the problems that this client side extension has caused in the past, and the alternatives available (GP Preferences and Administrative Template settings for IE). Still, it’s one to be aware of when you start managing your downlevel clients from a Windows 8 or Server 2012 box.
  • Updates to Settings to Support Win8/Server 2012: This last big change is not too surprising–and that’s that Microsoft has added a ton of support for new Windows 8/Server 2012 specific features. The Administrative Templates settings are summarized in this spreadsheet, but beyond that, areas such as GP Preferences Internet Settinngs have been updated for new versions of IE (10), and new capabilties in core OS features.

All in all, while you won’t see any big new, groundbreaking features for Group Policy in this latest release of Windows, there have been some nice “fit and finish” changes that will make managing GP environments a little easier over time. And I can tell you that we’re busy getting all of our GP products updated to work with this latest release of Windows, so hopefully we can all get the most from this awesome in-the-box configuration management technology.



Comments (5)

  1. Useful information Darren. Thanks

  2. Moz says:

    does the new Group Policy for Win8 include the ability to block Xbox streaming music?

  3. Moz- There is no GP support for granular configuration of Windows 8-style apps. About all that GP can provide for you here is to use AppLocker to deny a user the ability to execute a particular Win8-style app. So you could deny execution of the Xbox Music app completely, but not control particular behavior within it using GP.


  4. Moz says:

    thanks for getting back on this – is there a URL set we could block as an alternative to stop music streaming in an office envioronment where bandwidth is limited?

  5. Peter Bruzzese discusses ways that Windows Server 2012 improves Group Policy in this InfoWorld blog. Do you find Group Policy easier to use in Windows Server 2012? Let us know what improvements stand out most to you.