Using Starter GPOs
Starter GPOs, introduced in the GPMC for Windows Server 2008 and Windows Vista SP1 with RSAT, are read-only collections of configured Administrative Template (.admx) policy settings that you can use to create a live GPO. Starter GPOs provide baselines of Group Policy settings designed for specific scenarios. By using Starter GPOs as templates for creating domain-based GPOs, you can deploy Group Policy quickly in different kinds of environments. Note that Starter GPOs can contain only policy settings (ADM settings); they cannot include preference items, security settings, or other types of Group Policy settings.
In Windows Vista SP1 and Windows Server 2008, you had to download Starter GPOs before using them. Now, however, a default set of Starter GPOs are included in RSAT for Windows 7 and in the GPMC feature of Windows Server 2008 R2.
RSAT for Windows 7 includes two different categories of Starter GPOs:
- Enterprise Client (EC) Client computers in this type of environment are members of an AD DS domain and need to communicate only with systems running Windows Server 2003. The client computers in this environment may include a mixture of Windows versions, including Windows 7, Windows Vista, and Windows XP.
- Specialized Security Limited Functionality (SSLF) Client computers in this type of environment are members of an AD DS domain and must be running Windows Vista or later. Concern for security in this environment is a higher priority than functionality and manageability, which means that the majority of enterprise organizations do not use this environment. The types of environments that might use SSLF are military and intelligence agency computers.
In addition to these two categories, the default Starter GPOs in RSAT for Windows 7 can also be categorized by whether they do the following:
- Apply only to clients running Windows XP SP2 or later or Windows Vista SP1 or later.
- Apply to users or to computers.
The result of this categorization is the following eight types of Starter GPOs included in RSAT for Windows 7:
- Windows Vista EC Computer
- Windows Vista EC User
- Windows Vista SSLF Computer
- Windows Vista SSLF User
- Windows XP EC Computer
- Windows XP EC User
- Windows XP SSLF Computer
- Windows XP SSLF User
For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows Vista SP1 or later, see the Windows Vista Security Guide at http://go.microsoft.com/?linkID=5744573. For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows XP SP2 or later, see the Windows XP Security Compliance Management Toolkit at http://go.microsoft.com/fwlink/?LinkId=14839. Updated information on Starter GPOs should also be available; search for Windows 7 Security Guide on the Microsoft Download Center.
Before you can use Starter GPOs, you must prepare your environment by creating a separate folder for these GPOs in the SYSVOL share on your domain controllers. If your forest has more than one domain, you must create a separate Starter GPOs folder in each domain of your forest. To create the Starter GPOs folder, perform the following steps:
- Open the GPMC and select the Starter GPOs node in the console tree for the domain.
- Click the Create Starter GPOs Folder button in the details pane.
- Repeat for each domain in your forest.
After you create your Starter GPOs folder, you can use the default Starter GPOs as templates when you create new GPOs, as described in the next section. You can also create and manage your own Starter GPOs by right-clicking the Starter GPOs node in the console tree of the GPMC.
In this tutorial:
- Managing the Desktop Environment
- Understanding Group Policy in Windows 7
- Group Policy Before Windows Vista
- Group Policy in Windows Vista and Windows Server 2008
- New Group Policy Features in Windows 7 and Windows Server 2008 R2
- Group Policy Policy Settings in Windows 7
- Understanding ADMX Template Files
- Types of ADMX Template Files
- Local Storage of ADMX Template Files
- Considerations When Working with ADMX Template Files
- Understanding Multiple Local Group Policy
- MLGPOs and Group Policy Processing
- Managing Group Policy
- Adding ADMX Templates to the Store
- Creating and Managing GPOs
- Using Starter GPOs
- Creating and Managing GPOs Using the GPMC
- Creating and Managing GPOs Using Windows PowerShell
- Editing GPOs
- Configuring Policy Settings
- Configuring Preference Items
- Managing MLGPOs
- Migrating ADM Templates to ADMX Format
- Converting ADM Template Files to ADMX Format
- Creating and Editing Custom ADMX Template Files
- Configuring Group Policy Processing
- Using Advanced Group Policy Management
- Troubleshooting Group Policy
- Enabling Debug Logging
- Using Group Policy Log View
- Using GPResult