Win Server 2008 Directory Services, Group Policy Enhancements

One of the most important advantages offered by Active Directory since its inception coinciding with the release of Windows 2000 Server platform (besides its obvious benefits as an identity management solution) has been centralized administration of virtually every major facet of Microsoft-based computing environment. Christened initially as IntelliMirror (and incorporated into Zero Administration initiative for Windows), the original collection of rather loosely coupled technologies has evolved throughout the years, yielding a cohesive and highly integrated framework.

Windows Server 2008 brings a host of improvements to Active Directory Group Policies. This article introduces enhancements as well as other Active Directory-related implications.

However, despite a number of major new developments and drastic departures from some of its original concepts, the core of the management area still relies on Group Policies. Starting with this article of our series, we will introduce their enhancements incorporated into Windows Server 2008 (and corresponding Active Directory-related implications).

From the architectural standpoint, Group Policy constitutes a client-server methodology, which allows you to manage different aspects of software running on Windows operating system (with a broad impact on users’ computing experience, via both user- and computer-specific settings). Scope of control ranges from a single, stand-alone computer (via its Local Group Policy Objects) to entire Active Directory forest (or even beyond it, considering that Windows Server 2008 gives you ability to apply Group Policy-driven configuration across trusted forests). It can be highly granular, especially when using Item Level Targeting available in Group Policy Preference Extensions. Desired settings, assigned via a Microsoft Management Console-based utility running on an administrative workstation (interacting with Group Policy Server-Side Extensions) are reflected in corresponding changes to Active Directory configuration (in the form of Group Policy Objects residing within Group Policy Container) and to content of directory structure under SYSVOL share hosted on each domain controller (referred to as Group Policy Template).

These changes subsequently trigger appropriate actions on target computers, carried out by Group Policy Engine and utilizing software components (implemented as Dynamic Link Libraries) known as Client Side Extensions. You can identify CSEs present on a local computer by examining its HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonGPExtensions registry key. In both Vista and Windows Server 2008, Group Policy Engine and CSEs no longer leverage Winlogon process (as was the case with their predecessors), but function using a dedicated service, called Group Policy Client Service (gpsvc), operating within boundaries of the generic host process Svchost. This approach offers stability, security, responsiveness, and performance improvements.

To recognize other advantages of Group Policies that are of relevance in a Windows Server 2008 environment (as well as Vista, where they were introduced), it is helpful to understand the methodology used to apply their settings to intended targets. Its rules take into consideration the type of a group policy target (user or computer), its current status, and the type of settings. More specifically, domain members process group policies during their startup and subsequently attempt their refresh every 90 minutes (with a random, positive, up to 30-minute offset). For domain controllers, the equivalent interval is set at 5 minutes. Application of user-specific settings follows similar pattern, although they are initiated by a user logon — as opposed to computer startup. Note that all these values can be adjusted via Group Policies.

In general, the determination whether a refresh is needed is made based on comparison between the version of group policy recorded on the client (in the HKLMSOFTWAREMicrosoftWindowsCurrentVersionGroup PolicyHistory registry key) and that present on a local domain controller hosting its Active Directory representation. There are, however, some exceptions to this rule. For example, security settings are always reapplied every 16 hours (with a 30 minute offset) to domain member computers and every 5 minutes to domain controllers.

In addition, since certain types of configuration options (such as folder redirection or software deployment) could potentially cause a variety of undesired side effects if deployed while a user is logged on, they are activated only during a computer startup or user logon. Note, however, that this is also dependent on whether Group Policy is processed synchronously, which happens as long as the Fast Logon Optimization is not in effect. Similarly, some settings, such as new disk quotas (existing ones remain valid since they are cached locally), folder redirection, scripts, software installation or deployed printer connections are not processed if the group policy engine detects limited network connectivity to a domain controller. By default, the threshold is set at 500 Kbps of effective bandwidth, although this value can be altered via Group Policies.

Unfortunately, since earlier versions of Windows based such detection on the outcome of a simple PING test, it frequently produced misleading results (frequently due to blocking of ICMP traffic somewhere along the network path). Windows Server 2008 (as well as Vista) employ for this purpose considerably more reliable Network Location Awareness mechanism, which is capable of evaluating connectivity to domain controllers based on a sampling of TCP traffic exchanged prior to initiation of Group Policy processing (performed by the Group Policy service), without relying on ICMP response. Furthermore, since Network Location Awareness is able not only to determine network throughput but also to detect changes in the connection state and availability of a domain controller, it facilitates dynamic adjustment of Group Policy refresh, triggering it during such events as recovery from hibernation or standby, newly enabled network adapter, or the start of a wireless or Virtual Private Network session.

Architectural and functional improvements of the Group Policy client-side components have also resulted in more effective troubleshooting techniques. In addition to the already familiar Resultant Set of Policies console and GPResult command line utility (displaying effective client settings derived from a combination of all Group Policy settings that apply to it), which are still available in Vista and Windows Server 2008, you can take advantage of enhanced Event Logs.