Group policies are old friends to system administrators. These handy rules have been around for years, providing centralized management and configuration of operating systems, applications, and users’ settings in an Active Directory environment since the days of Windows NT. But, says Jason Leznek, Microsoft group product manager, Windows client, “We always grow them over time, as we get feedback from customers on what they want to manage.”
With Windows 7, Group Policies have stretched their wings yet again. There are over 150 new standard policy settings available to Windows 7 administrators. Plus, the company has tucked in some enhancements to the management console: searching, adding comments to GPOs, and managing Group Policy Preferences. Windows 7 also adds the ability to manage Group Policies from the Windows PowerShell command line, and to run PowerShell scripts during login and shutdown. And Windows 7 (Professional, Enterprise, and Ultimate editions only) includes native support for Group Policy Preferences (GPP).
First, let’s have a peek at a few of the new policies.
The System Starter GPOs, according to Leznek, are a set of read-only baseline GPOs for specific scenarios. Among them are the computer and user Group Policy settings recommended for certain clients. For example, the settings recommended for the Windows Vista Enterprise Client (EC) environment are in the Windows Vista EC Computer and Windows Vista EC User System Starter GPOs. Settings for the Windows Vista Specialized Security – Limited Functionality (SSLF) client environment are in the Windows Vista SSLF Computer and Windows Vista SSLF User System Starter GPOs. The computer and user Group Policy settings recommended for the Windows XP SP2 EC environment are found in the Windows XP SP2 EC Computer and Windows XP SP2 EC User System Starter GPOs. And settings for the Windows XP SP2 SSLF client environment are in the Windows XP SP2 SSLF Computer and Windows XP SP2 SSLF User System Starter GPOs.
These recommended settings were configured by Microsoft in consultation with experts and can be either used as-is or copied and modified. Formerly only available by download, they’re now included in Windows 7 with RSAT and in Windows Server 2008 R2.
Individual new policies include entries in multiple GPO templates. For example, entries in the AppCompat.admx template turn off application telemetry, the Problem Steps Recorder, Program Inventory (which sends information about applications to Microsoft), and the Switchback compatibility engine (which provides old behaviors to old applications and new behaviors to newer applications).
ControlPanelDisplay.admx now lets the administrator require the load of a specific theme. It also contains additional policies to lock down mouse pointers and sounds as well as the existing lockdowns for themes, color schemes, backgrounds, icons, and screen savers.
New components in Explorer.admx include one that lets an admin set the target of the “More information” link provided when a program is blocked by policy, and another that lets some legacy plugins function by disabling Data Execution Prevention (DEP).
A new Biometrics.admx template contains policies to configure biometric devices, and a new DeviceRedirection.admx prevents loading of alternate drivers for USB devices.
Doing More Without Scripting
Moving on, Group Policy Preferences (GPP) came out of Microsoft’s acquisition of DesktopStandard Corporation (where it was known as PolicyMaker). GPP was an optional download for Windows Vista, but is now part of Windows 7 Remote Server Administration Tools (RSAT).
GPPs let administrators do much more without needing to resort to scripting. For example, GPPs let you manage drive mappings, registry settings, local users and groups, services, files, and folders, and do so granularly, reducing the number of Group Policy Objects (GPOs) you need. Old news, you say? Well, in Windows 7, there are a few additions to the GPP: support for power plans, scheduled tasks, and immediate tasks for Windows 7, Windows Server 2008, and Windows Vista, plus preferences for Internet Explorer 8.
Let’s look at the new items individually.
Power Plan provides preference items for configuring default sleep and display power options on Windows 7, Windows Server 2008, or Windows Vista. The admin can also permit users to adjust the defaults if need be, which can’t be done from an ordinary GPO. That’s really handy if, for example, users need to turn off power management on their laptops during presentations.
Scheduled Task preference items also work on Windows Vista or later, through a user interface similar to the Task Scheduler in Windows 7 (an older version of this functionality, with fewer options, is still available). Admins can create, replace, update, and delete tasks and their associated properties, on all or a subset of managed computers.
Immediate Task preference items create tasks that run as soon as Group Policy is refreshed, and are then removed.
Internet Explorer 8 preference items allow you to update IE8 Internet options.
The glory of GPPs, however, is that they support management of non-GPO enabled applications, providing a lot more flexibility for administrators. Tasks like mapping network drives and copying files can be performed without scripting.
If you would rather get the job done with a few lines of typing that can be saved and reused to script a repeated series of actions, Windows PowerShell cmdlets let you build new GPOs directly from the command line. The Microsoft Group Policy Team blog provides a basic example to show how quick and easy it can be; with one or two clicks, and two lines of typing, an admin can build a GPO that would take six to eight clicks and one line of typing (that cannot be saved and re-used) in the Group Policy Management Console.
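As an added illustration (not the Group Policy Team blog's example), the following script uses the GroupPolicy module cmdlets to build a commented GPO that applies the AppCompat lockdowns mentioned earlier, links it to an OU in a disabled state, verifies the stored values, and writes a report for review. The GPO name, OU path, and report path are hypothetical, and the registry value names are assumed to match the AppCompat.admx definitions; confirm them against your own PolicyDefinitions store.

```powershell
# Requires the GroupPolicy module (RSAT on Windows 7, or Windows Server 2008 R2).
Import-Module GroupPolicy

# Hypothetical names: change these to match your own domain.
$GpoName  = 'Workstations - AppCompat Lockdown'
$TargetOu = 'OU=Workstations,DC=example,DC=com'
$Report   = Join-Path $env:TEMP 'AppCompat-Lockdown.html'

# Registry values assumed to back the AppCompat.admx policies named in the article.
# Verify against the AppCompat.admx in your PolicyDefinitions store before use.
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\AppCompat'
$Settings  = @{
    AITEnable        = 0   # Turn off Application Telemetry
    DisableUAR       = 1   # Turn off Problem Steps Recorder
    DisableInventory = 1   # Turn off Program Inventory
}

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Disables AppCompat data collection on workstations'
}

# Write each registry-based policy setting into the GPO.
foreach ($name in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $name `
        -Type DWord -Value $Settings[$name] | Out-Null
}

# Link the GPO disabled, so nothing applies until the report has been reviewed.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled No | Out-Null
}

# Read the settings back and fail loudly if the GPO does not hold what was intended.
foreach ($name in $Settings.Keys) {
    $actual = (Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $name).Value
    if ($actual -ne $Settings[$name]) {
        throw "Mismatch for ${name}: expected $($Settings[$name]), got $actual"
    }
}

# Produce an HTML report for change review.
Get-GPOReport -Name $GpoName -ReportType Html -Path $Report

# After review, enable the link:
# Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes
```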
This is just a tiny subset of the Windows 7 Group Policy goodies. Want to see the whole list? You’ll find Microsoft’s Group Policy reference sheet useful. In addition, a Microsoft white paper has an excellent chart explaining how GPPs differ from plain old GPOs.