Windows Vista/Windows Server 2008 Process Group Policy Service Templates Group Policy Templates ADM ADMTemplates templates now difficult in to manage GP now in a shared service Part ofruns Winlogon Hardened Service, more reliable ADMX files (ADMX, ADML) Local GPOs LimitedLocal flexibility Multiple GPOswith a single.
Download ReportTranscript Windows Vista/Windows Server 2008 Process Group Policy Service Templates Group Policy Templates ADM ADMTemplates templates now difficult in to manage GP now in a shared service Part ofruns Winlogon Hardened Service, more reliable ADMX files (ADMX, ADML) Local GPOs LimitedLocal flexibility Multiple GPOswith a single.
Windows Vista/Windows Server 2008
Process
Group Policy Service
Templates
Group
Policy Templates
ADM
ADMTemplates
templates
now
difficult
in
to manage
GP
now
in a shared service
Part
ofruns
Winlogon
Hardened Service, more reliable
ADMX files (ADMX, ADML)
Local GPOs
LimitedLocal
flexibility
Multiple
GPOswith a single local GPO
Settings
Group
Policy Settings
Lots of new
policy settings
settings in XP
~1,800
policy
with Windows Vista and Windows 7
Incomplete
coverage means
Extended GP for new Windows
scenarios
Vista and Windows 7 features
Network Location
Awareness
(NLA)
Limited awareness
of changing network
NLA service provides the latest
conditions
network information
Applications can query or register with
NLA for network change indications
Troubleshooting
Group
Policy Logging
Administrative
log
User.env log
Applications and Services log
GP
XML Result
based event logs
New Tools - GPOLogView
ADM
ADM
ADM
ADM
ADM
ADMX
ADM
LGPO’s
LGPO
LGPO
missing key
LocalComputer
Computer Policy
Local
Policy
Admin
Admin/Non-Admin Group Policy
User
User Specified Group Policy
Storing
and Finding
Group Policy
Central Store
Centralized
repository
for ADMX
Need
to find
settings?
Where is that
Contains
all
ADMX
templates
spreadsheet?
Created in the Sysvol on DC
in each domain
DC
SysVol
+
FRS/DFS-R
Policies
+ GUID
+ ADM
+ Policy Definations
ADMX, ADML Files
ADMX
ADML
Q:
A:Use automation to run exhaustive tests
Sales GPO
Sales GPO
Hklm\uninstall\googletoolbar
Set-GPRegistryValue
Hklm\uninstall\googletoolbar
Accounting GPO
Hklm\uninstall\googletoolbar
Hklm\uninstall\googletoolbar
HKLM\Uninstall\GoogleToolbar
Hklm\uninstall\googletoolbar
Hklm\uninstall\googletoolbar
Hklm\uninstall\googletoolbar
Configure a registry key
Hklm\uninstall\googletoolbar
Finance GPO
Hklm\uninstall\googletoolbar
Hklm\uninstall\googletoolbar
Hklm\uninstall\googletoolbar
Hklm\uninstall\googletoolbar
Configure
GPO
Manage thethe
set of
GPOs with scripts
Save energy and time with automation
GP PowerShell Cmdlets
Import-module GroupPolicy
get-help *-gp*
Get
New
• New-GPLink
• New-GPO
• New-GPStarterGPO
Set
•Get-GPInheritance
•Get-GPO
•Get-GPOReport
•Get-GPPermissions
•Get-GPPrefRegistryValue
•Get-GPRegistryValue
•GetGPResultantSetofPolicy
•Get-GPStarterGPO
Remove
• Remove-GPLink
• Remove-GPO
• RemoveGPPrefRegistryValue
• Remove-GPRegistryValue
• Set-GPInheritance
• Set-GPLink
• Set-GPPermissions
• SetGPPrefRegistryValue
• Set-GPRegistryValue
Misc
• Backup-GPO
• Copy-GPO
• Import-GPO
• Rename-GPO
• Restore-GPO
GP PowerShell Examples
Backup all GPO’s in current
domain to directory
• Backup-GPO –all –path
‘C:\BackupFiles\’
Get RSoP for local computer
and logged on user in html
form
• Get-GPResultantSetofPolicy
ReportType -html
Path D:\ConfigDocs\Reports\
Copy a GPO across domains
• Copy-GPO -SourceName TestGpo1
-SourceDomain
test.contoso.com
-TargetName TestGpo1
-TargetDomain sales.contoso.com
Configure a registry key to
policy with a set of values
•Set-GPRegistryValue -Name "TestGPO“
-key
HKCU\Software\Policies\ExampleKey"
-ValueName
"One", "Two", "Three“
-Type String
-Value "String1", "String2", "String3"
-
-
More GP PowerShell Examples
Links a GPO to a
different domain
• $domain = get-ADDomain test.contoso.com
• new-gplink -name testgpo -target $domain
enforced yes
List GPOs that are
linked to the "MyOU"
organizational unit.
• (Get-GPInheritance -Target
"ou=ou1,dc=contoso,dc=com") .GpoLinks
foreach-object
GPO -Name ($_.DisplayName)}
-
{Get-
• $keypath = “HKCU\Software\Policies\
Microsoft\Windows\Control Panel\Desktop”
Compare registry
values across GPO’s
• $A =get-GPRegistryValue –Name GPO1 –key $keypath
ValueName ScreenSaveTimeOut
• $B =get-GPRegistryValue –Name GPO2 –key $keypath
ValueName ScreenSaveTimeOut
• ($A.value).equals($B.value)
–
…and more GP PowerShell Examples
Grant permission to ‘Apply’ to a GPO for all users
belonging to a group
• Get-ADGroupMember DlgtdAdmins | where
{$_.objectclass -eq "user"} | %{SetGPPermissions -Name 'Test GPO' PermissionLevel Apply -TargetName
$_.SamAccountName -TargetType User}
New
Targeting and configuration beyond policy
Configuring
Item level targeting, not
GPO level
Intuitive UI
No need to learn query
languages
Granular item level targeting
Robust targeting
29 types
Boolean logic (And, Or, Not)
Collections
Printer
GPO_1
Printer
GPO_2
Printer
GPO_3
Printer
GPO_4
Printer
5
Printer GPO
GPO_6
Printer GPO
HP Lobby Printer
Users: ExecAssistants
HP Lobby Printer
HP Lobby Printer
Users:
HP Lobby
ExecAssistants
Printer
Users:
HP Lobby
ExecAssistants
Printer
Users: ExecAssistants
Users:
HP Lobby
ExecAssistants
Printer
Users: ExecAssistants
HP Lobby Printer
Users: ExecAssistants
IP range: 10.0.0.1-.23
Hours: 9am-5pm, Mon-Fri
DEFAULT
HP Lobby Printer
Users: ExecAssistants
IP
IP
IP
IP
range:
range:
range:
range:
10.0.0.24-.72
11.0.0.1-.37
11.0.0.38-.77
12.0.0.1-.37
Easy to author, easy to understand
Easy to Set up, Report, Maintain
Use cases:
drive mappings, default printers, shortcuts, local users and groups,
file and folder options…
Fewer scripts = less complicated, less time to apply
Time
Money
Headache
GPMC
Windows Server 2008
Windows Vista SP1 + RSAT
Windows Server 2008 R2
Windows 7 + RSAT
Client Side Extension (CSE)
Download: XP+, Server 2003, Vista
Update: Windows Vista Sp1
In box: Windows 7
Group Policy Team Blog
http://blogs.technet.com/grouppolicy
RSAT Windows Vista SP1 32-bit Edition (KB941314):
http://go.microsoft.com/fwlink/?LinkId=115118
RSAT Windows Vista SP1 64-bit Edition (KB941314):
http://go.microsoft.com/fwlink/?LinkId=116472
Group Policy TechNet page
http://www.microsoft.com/technet/grouppolicy
Group Policy Settings Reference Windows Vista SP1
http://www.microsoft.com/downloads/details.aspx?familyid
=2043B94E-66CD-4B91-9E0F68363245C495&displaylang=en
Group Policy Preferences : Getting Started
http://technet.microsoft.com/enus/library/cc731892.aspx
Recording and Resources for
This Academy Live Session
http://Academy
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
Your input is important!
https://www.MyTechReady.com
For more information please refer to your Pocket Guide
Speaker – Click Here
to Launch Video
Product Overview:
www.microsoft.com/online/windows-intune.mspx
TechCenter:
http://social.technet.microsoft.com/Forums/enUS/category/microsoftonlineservices/
Windows Intune Team Blog:
http://blogs.technet.com/windowsintune
What is the Springboard Series?
Inside of Microsoft we are
To the IT pro, our goal is
• A turnkey IT pro engagement platform for depth and breadth
• The program to mobilize MS marketing and field to
focus on desktop OS IT pros
• Be the definitive resource for Desktop IT pros
• Open, honest; show don’t tell
• Information at right time, right level across Adoption Lifecycle
Virtual Roundtable Events
Straight-talk Monthly Feature
Articles and Overview Guides
Springboard Technical Experts
Panel Event Support
and Resources
TalkingAboutWindows
Video Blogs
one-Windows
TechCenter in 10 languages
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
Sign up for Tech·Ed 2011 and save $500
starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the
North America 2011 kiosk located at registration
Join us in Atlanta next year