Changes in Windows Server 2008 and Group Policy Architecture
1-800-COURSES
www.globalknowledge.com
Expert Reference Series of White Papers
Introduction
Now that the new Windows technology (in the dual garb of Windows Vista and Windows Server 2008) has arrived on the scene, many network planners are taking a closer look at some of the architectural changes that Microsoft has made to the Group Policy structure.
The underlying concept of Group Policy hasn't changed – it's still fundamentally a Great Big Network Registry Editor. Make a setting, and Group Policy enforces it for you from that point forward. (Of course, Group Policy goes beyond Registry settings to include a variety of security and software installation capabilities, too.)
Having said that, the implementation of Group Policy has evolved in several useful and interesting ways:
• New status as an operating system Service
• Network Location Awareness
• Improved log file viewing
• New source file format (ADMX)
• New migration/editing utility
• Central-store management
• Dynamic source file loading
• Multi-language support
• Multiple local Group Policy Objects (GPOs)
This paper takes a look at these nine structural changes. (If you'd like to read about some of the new Group Policy settings that Windows Vista and Windows Server 2008 are bringing to the table, check out my white paper titled Windows 2008 Server and New Group Policy Settings.)
New Status as a Service
Under previous versions of Windows, Group Policy ran in the context of the Winlogon process. In Vista and Windows Server 2008, Group Policy is its own operating system service, running under SVCHOST. OK, but that sounds a bit academic. Just what are the implications of Group Policy's newfound status?
For one thing, Group Policy security is enhanced. The service requires administrative rights to stop (even if
you're logged in as a local admin, you'll see an elevation prompt).
For another, as with any service, you can configure how Group Policy should behave in a failure scenario. For example, you can specify that the service should automatically restart.
Glenn Weadock, MCSE, MCSA, A+, Instructor and Course Developer
Copyright ©2007 Global Knowledge Training LLC. All rights reserved.
Page 2
Figure 1. Group Policy now appears in the Services list.
Finally, shutdowns should be smoother. Windows' Service Control Manager (SCM) provides certain services (including Group Policy) with a "pre-shutdown notification" so they can finish up whatever housekeeping chores they need to do before Windows shuts down. As long as such services remain responsive, the SCM will wait until they finish – even if it takes well over the old 20-second time limit.
Network Location Awareness
In Windows XP/2003/2000, the Group Policy agent on the client didn't pay a whole lot of attention to whether the computer on which it was running was connected to the network or not. If a policy refresh cycle failed, for example, because the laptop was disconnected or no domain controller was available, Windows would simply wait another cycle (90 minutes plus a random value from 0 to 30 minutes) and try again. Furthermore, when it did try to pay attention to network conditions, it sometimes did so clumsily. For example, Group Policy would attempt to detect slow links using ping (ICMP), which many organizations block at the firewall or router level.
Windows Server 2008/Vista is now more network-aware when it comes to policy processing. If a policy refresh cycle fails when a computer is offline, and the computer (or domain controller) goes online, Vista doesn't wait around; instead, it attempts to perform a policy refresh as soon as it can. It also uses a different mechanism than ping to determine the speed of the network connection. These enhancements fall under (of course) a new acronym: NLA, for Network Location Awareness.
Figure 2. Slow link detection no longer depends on PING.
Improved Log File Viewing
Before Vista and Windows Server 2008, if you wanted to perform detailed logging of Group Policy events beyond what you could get in the RSOP console (Resultant Set of Policy), you had to turn on the debug feature in the USERENV.DLL module, which would generate a file USERENV.LOG in the \windows\debug\usermode folder.
With the new Windows Server 2008 operating system, the System event log contains "actionable" Group Policy events, which is certainly more convenient. (This is one more side effect of the shift to Group Policy being implemented as a service.) These events are now more English-like and more informative. The source is "Group Policy Service", and Microsoft promises to keep making the logs better, for example, with links to online knowledge base articles.
The Operational event logs (you have to dig down further in the Event Viewer to see these) contain a lot of the detail that the old USERENV.LOG file would provide. These log entries provide details that you could use to examine policy processing performance from the speed standpoint, for example.
(If you still want to view the USERENV trace log, you can, but the Registry key is now HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics, the DWORD value is GpSvcDebugLevel, and you can set it to 10002. Oh, and the file is now named GPSVCLOG.LOG instead of USERENV.LOG.)
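As an added example (not from the white paper), here is a PowerShell script that turns the trace log described above on and off, using the Registry key, value name and file name the paper gives. It assumes an elevated session, and it treats the paper's value 10002 as the hexadecimal DWORD 0x10002; that reading of the number is my assumption, as is the 'debug\usermode' folder (the paper names it only for the older USERENV.LOG).

```powershell
# Added example: toggle Group Policy service (GPSvc) trace logging.
# Run elevated. The Registry key, value name and log file name are the ones the paper gives;
# interpreting 10002 as hex (0x10002) is an assumption, as is the debug\usermode folder.

$diagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$logFile = Join-Path $env:SystemRoot 'debug\usermode\GPSVCLOG.LOG'

function Enable-GpSvcTrace {
    # Create the Diagnostics key if it is missing, then set the DWORD that turns tracing on.
    if (-not (Test-Path $diagKey)) {
        New-Item -Path $diagKey -Force | Out-Null
    }
    New-ItemProperty -Path $diagKey -Name 'GpSvcDebugLevel' -PropertyType DWord `
        -Value 0x10002 -Force | Out-Null

    # The service writes into this folder; make sure it exists so the file can be created.
    $logDir = Split-Path $logFile
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

    # Kick off a policy refresh so the log has something in it straight away.
    gpupdate /force | Out-Null
    Write-Host "Tracing enabled; look for $logFile"
}

function Disable-GpSvcTrace {
    # Verbose tracing grows the log on every refresh: remove the value when you are done.
    if (Get-ItemProperty -Path $diagKey -Name 'GpSvcDebugLevel' -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $diagKey -Name 'GpSvcDebugLevel'
        Write-Host 'Tracing disabled'
    }
}

function Show-GpSvcTraceErrors {
    # Surface only the lines that mention failures; the full trace is very chatty.
    if (Test-Path $logFile) {
        Select-String -Path $logFile -Pattern 'fail|error|0x8' | Select-Object -Last 20
    } else {
        Write-Host "No trace log found at $logFile"
    }
}

# Typical use: Enable-GpSvcTrace, reproduce the problem, Show-GpSvcTraceErrors, Disable-GpSvcTrace.
```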
Copyright ©2007 Global Knowledge T
raining LLC. All rights reserved.
Page 4
Figure 3. Group Policy events now appear with other system events.
A downloadable tool from Microsoft (search on GPLogView.MSI) is handy for collecting Group Policy related events from the event logs and exporting those events into TXT, HTML, or XML formats. (This tool requires that your system participate in the Genuine Windows program before you can download it.)
Finally, if you want to view Group Policy events from multiple computers in one place (e.g., on your own Vista workstation), you can do it, as long as you and those other systems are running Vista or Windows Server 2008. I don't have room to go through all the details here, but in a nutshell, you activate the Windows Remote Management service on all the relevant machines, and then you set up a "subscription" in the Event Viewer console (EVENTVWR.MSC). Note that when you do this, you must provide administrative credentials with which to authenticate to the remote systems.
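As an added example (not from the white paper, and not how GPLogView or the Event Viewer subscription work internally), this PowerShell script pulls Group Policy events from the System log and the Operational log of several remote computers over Windows Remote Management, shows the errors and warnings first, and exports the set to XML and TXT as GPLogView does. It assumes PowerShell 2.0 or later and WinRM enabled on every machine, administrative credentials for the remote systems, and the provider name Microsoft-Windows-GroupPolicy and log name Microsoft-Windows-GroupPolicy/Operational; the host names are constructed placeholders.

```powershell
# Added example: collect Group Policy events from several Vista / Windows Server 2008 machines
# over WinRM and export them. Host names are placeholders; provider and log names are assumptions.

$computers = @('VISTA-PC01', 'SRV2008-01')            # constructed placeholder host names
$cred      = Get-Credential                            # admin credentials for the remote systems
$since     = (Get-Date).AddHours(-24)
$outFile   = "GPEvents_$(Get-Date -Format yyyyMMdd).xml"

function Get-GroupPolicyEvents {
    param(
        [string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential,
        [datetime]$StartTime
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential `
        -ArgumentList $StartTime -ScriptBlock {
        param($StartTime)
        # System log: the "actionable" events the paper describes.
        # Operational log: the detailed processing trace that replaced much of USERENV.LOG.
        $filters = @(
            @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; StartTime = $StartTime },
            @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; StartTime = $StartTime }
        )
        foreach ($f in $filters) {
            Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
                Select-Object MachineName, TimeCreated, Id, LevelDisplayName, Message
        }
    }
}

$events = Get-GroupPolicyEvents -ComputerName $computers -Credential $cred -StartTime $since

# Errors and warnings first: these are the entries that need acting on.
$events | Where-Object { @('Error', 'Warning') -contains $_.LevelDisplayName } |
    Sort-Object TimeCreated -Descending |
    Format-Table MachineName, TimeCreated, Id, Message -AutoSize

# Keep a copy of everything: XML that Import-Clixml can read back, plus a plain-text listing.
$events | Export-Clixml -Path $outFile
$events | Out-File -FilePath ($outFile -replace '\.xml$', '.txt')
```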
New Source File Format (ADMX/ADML)
Those readers who remember Windows NT may recall that .ADM files were present way back then, as part of
the old System Policy (POLEDIT) architecture which represented the klutzy beginnings of today's Group Policy
design.
Even though Group Policy in Windows XP/2003/2000 is much more sophisticated than it was in the NT days, the .ADM file format persisted, providing text-based files that acted as the "source code" feeding the Group Policy console. In other words, the ADM files laid out which Registry keys and values to modify, and they provided the user-interface information ("explain" text, data entry format, minimum supported OS revision, etc.) that the console needs in order to present appropriate options to GP administrators.