New Group Policy Features in Windows 7 and Windows Server 2008 R2
Windows 7 and Windows Server 2008 R2 build on the foundation of Group Policy improvements made in Windows Vista and Windows Server 2008. The key improvements to Group Policy in Windows 7 and Windows Server 2008 R2 are as follows:
- New categories of policy settings Windows 7 and Windows Server 2008 R2 include new categories of Group Policy policy settings and also some additional policy settings for existing policy categories. For more information on this improvement, see the section titled "Group Policy Policy Settings in Windows 7" later in this tutorial.
- Default Starter GPOs Windows 7 and Windows Server 2008 R2 now include a number of default Starter GPOs that you can use to help ensure compliance with security best practices for enterprise environments. In Windows Vista and Windows Server 2008, you had to download these Starter GPOs separately before using them. For more information on this improvement, see the section titled "Using Starter GPOs" later in this tutorial.
- Windows PowerShell cmdlets for Group Policy In Windows 7 and Windows Server 2008 R2, you can now use Windows PowerShell to create, edit, and maintain GPOs using the new Windows PowerShell cmdlets for Group Policy available within the Windows Server 2008 R2 GPMC. This allows administrators to automate many common Group Policy management tasks and to perform such tasks from the command line. Note that this feature does not work with Local Group Policy. Also, it only works with registry-based settings and not with security policies or other aspects of policy. For more information on this improvement, see the section titled "Creating and Managing GPOs Using Windows PowerShell" later in this tutorial.
- Enhancements to ADM Settings ADM policy settings (ADMX templates) are enhanced in Windows 7 and Windows Server 2008 R2 with an improved user interface that makes it easier to add comments to policy settings. Support for multi-string and QWORD registry value types is also now supported by ADMX templates for Windows 7. The overall authoring experience is also improved with the new ADMX user interface as the windows are more integrated and dialog boxes are now resizable. For information on configuring policy settings, see the section titled "Configuring Policy Settings" later in this tutorial.
- Enhancements to Group Policy Preferences Group Policy preferences has been enhanced in Windows 7 and Windows Server 2008 R2 with new capabilities for managing Power Plan settings in Windows Vista and later versions, creating scheduled tasks for Windows Vista and later versions, creating immediate tasks for Windows Vista and later versions that run immediately upon Group Policy refresh, and managing settings for Windows Internet Explorer 8. In addition, a new preference item called Immediate Tasks lets you create tasks. For information on configuring preference items, see the section titled "Configuring Preference Items" later in this tutorial.
- Advanced Audit Policy Configuration Group Policy in Windows 7 and Windows Server 2008 R2 now includes more than fifty Advanced Audit Policy Configuration settings that can be used to provide detailed control over 10 different areas of audit policies, and they can be used to identify possible attacks on your network or to verify compliance with your organization's security requirements. In Windows Vista and Windows Server 2008, these advanced audit policy categories can be managed from the command line using the Auditpol.exe utility. Starting in Windows 7 and Windows Server 2008, however, these advanced audit policy categories can be managed using Group Policy and are found under Computer Configuration\Policies\Windows Settings \Security Settings\Advanced Audit Policy Configuration.
- Application Control Policies Group Policy in Windows 7 and Windows Server 2008 R2 now includes Windows AppLocker, which replaces the Software Restriction Policies feature of Windows Vista and Windows Server 2008. AppLocker is found under Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies. AppLocker includes new capabilities and extensions that can help reduce administrative overhead and allow administrators to control how users access and use executable files, scripts, Windows Installer files (.msi and .msp files), and dynamic-link libraries (DLLs).
- Name Resolution Policy Group Policy in Windows 7 and Windows Server 2008 R2 has been enhanced with support for Name Resolution Policy, which can be used to store configuration settings for Domain Name System security (DNSsec) and DirectAccess in a Name Resolution Policy Table (NRPT) on client computers. This new policy setting can be found under Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
In this tutorial:
- Managing the Desktop Environment
- Understanding Group Policy in Windows 7
- Group Policy Before Windows Vista
- Group Policy in Windows Vista and Windows Server 2008
- New Group Policy Features in Windows 7 and Windows Server 2008 R2
- Group Policy Policy Settings in Windows 7
- Understanding ADMX Template Files
- Types of ADMX Template Files
- Local Storage of ADMX Template Files
- Considerations When Working with ADMX Template Files
- Understanding Multiple Local Group Policy
- MLGPOs and Group Policy Processing
- Managing Group Policy
- Adding ADMX Templates to the Store
- Creating and Managing GPOs
- Using Starter GPOs
- Creating and Managing GPOs Using the GPMC
- Creating and Managing GPOs Using Windows PowerShell
- Editing GPOs
- Configuring Policy Settings
- Configuring Preference Items
- Managing MLGPOs
- Migrating ADM Templates to ADMX Format
- Converting ADM Template Files to ADMX Format
- Creating and Editing Custom ADMX Template Files
- Configuring Group Policy Processing
- Using Advanced Group Policy Management
- Troubleshooting Group Policy
- Enabling Debug Logging
- Using Group Policy Log View
- Using GPResult