Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs

In this article, I will discuss the issues related to GPOs that are included with Windows Server 2008 - Starter GPO.With Starter GPO you can be able to save basic templates to use when creating new Group Policy objects (GPOs).These templates can be exported to other domain environments, allowing you great flexibility.

In the next part of this article, I will introduce you to the new features of Group Policy Management Console (GPMC) version 2.0, New Windows Server 2008 Policy Settings, and Group Policy Preferences Extensions and more. another way.

One thing to note here is that the information used in this article is based on information gathered from test versions of Windows Server 2008 (Beta 3, RC0 and RC1). So some features and some dialogs may vary slightly from the final release .

GPMC - in and out?

Built in Windows Server 2008 with a new interface - Group Policy Management Console (GPMC) version 2.0, it looks and feels a lot like the old versions but it has some new features added in the version. this.

As you may know, Service Pack 1 for Windows Vista may uninstall the GPMC version as part of the operating system - making you have no tools to manage any domain GPOs . Should be disappointed: around SP1 release for Windows Vista, GPMC version 2.0 will be provided as a separate download from Microsoft's website.

To use GPMC version 2 you need to have one of the following two components:

1. Microsoft Windows Vista Service Pack 1 with download GPMC 2.0 or

2. Microsoft Windows Server 2008 has the Group Policy Management feature

Source Starter GPO

When you open GPMC 2.0 you may see a new (empty) container named "Starter GPOs". This section can keep what I call 'templates' for the purpose of creating new GPOs - with the limitation that only ' Administrative Templates ' settings are provided - from 'Computer Configuration' and 'User Configuration' . Settings like 'Software Settings' and 'Windows Settings' (scripts, account policies, user rights, software restriction policies, .). Not available in Starter GPOs, see Figure 1.

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 1
Figure 1: Settings from 'Administrative Templates'

When creating new GPOs, you can choose to use the Starter GPO as a Source Starter GPO (aka template) - to make it easy to create multiple GPOs with the same base configuration, see Figure 2.

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 2
Figure 2: Source Starter GPO

A new GPO will include all 'Administrative Templates' policy settings from the Starter GPO, which will be used as a template throughout the creation process and the additional features that we normally have inside GPOs. (like the 'Security Settings' security settings, .). Everything other than 'Administrative Templates' policy settings must then be created from many other complex steps like the current version is still doing. Here is the value of Advanced Group Policy Management (AGPM) templates. However, that product is not in the scope of this article, so we will introduce it to you on another occasion in other articles.

New folder in SYSVOL

If this is the first time you want to test or use Starter GPOs, you will have to enable features in the domains associated with it. This is done by clicking the ' Create Starter GPOs Folder ' button or simply right-clicking on the ' Starter GPOs ' item and selecting ' New . ', see Figure 3. The option will then create you a Starter GPOs folder.

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 3
Figure 3: Use for the first time

The 'New Starter GPO' dialog box will appear, asking you to enter a name and a comment, see Figure 4.

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 4
Figure 4: Create a new Starter GPO

Note that anything you type in the 'Comment' field will be inherited to any GPO created with this Starter GPO as a root resource. The text will be recorded as a comment of the GPO. When you activate the first Starter GPOs in the domain, there will be a folder called "StarterGPOs" created inside the SYSVOL folder with the path below:
' domain.comSYSVOLdomain.comStarterGPOs ' - this is where all the 'magic tricks' are done (see Figure 5)

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 5
Figure 5: StarterGPOs folder in SYSVOL

For every newly created Starter GPO, you will see a new folder inside this directory - each of them will have a unique GUID (just like regular GPOs). So when you create a new GPO with Starter GPO as a source, the simple COPY process will be performed under the script. The subfolders and files under the Starter GPOs directory are copied to the domain.comSYSVOLdomain.comPolicies [SomeNewGUID] folder (the only GUID created in the process), so be prepared to deploy a GPO now. new.

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 6
Figure 6: Prepare to create a new GPO, but not from any 'mess'

When right-clicking on the Starter GPO, see Figure 6, you can choose to create 'New GPO From Starter GPO .'. Most similar dialogs will appear when you choose to create a new GPO from the 'Group Policy Objects' section (see Figure 4) - or when right-clicking an organizational unit - Organizational Unit (OU), or the domain itself and select the option: 'Create a GPO in this domain, and Link it here .' - only this time the 'Source Starter GPO' checkbox will be disabled.

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 7
Figure 7: Source Starter GPO turns gray

Cabinet and things inside

There are very interesting things that you can export GPOs (Starter GPOs) to Cabinet files (.CAB) and then import this cabinet into another environment - completely independent of the source domain / forest!

So now you can create a perfect Starter GPO, export it (see the 'Save as Cabinet .' button in Figure 8) and then take it outside, share it with your friends, on the Website. Your, deploy it on all systems that you can keep control of, . After the import process is done very easily (see the 'Load Cabinet .' button in Figure 8), be prepared to create new GPOs with Starter GPOs as the basis.

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 8
Figure 8: Download and Save the Cabinet file

If you are as curious as I am, it can be very tiring with everything inside the .CAB file . Please allow me to answer your concern: each file will contain at least 2 (if not configured) to 6 compressed files, depending on what settings you have configured in your own Starter GPO:

File name Content StarterGPO.tmplx Include GUID, version information, name, description . (XML format)

This file is always included in the CAB Report.html Report settings created and included as an HTML file for every 'export'. Made to create easy references and review documents.

This file is always in the CAB Machine_Registry.pol file. Part of the 'Computer Configuration' (CC) of the GPO

This file is only present if any CC settings are present in Starter GPO. User_Registry.pol A 'User Configuration' part (UC) of a GPO

This master file is present if any UC settings are present in the Starter GPO. Machine_Comment.cmtx Includes comments (comments) created on the settings within the CC section of Starter GPO (XML format).

This file is only present if there is at least one CC setting with the comment associated with it. User_Comment.cmtx Includes comments (comments) created on the settings within the UC section of Starter GPO (XML format).

This file is only present if there is at least one UC setting that has comments associated with it.

Table 1

One drawback to the Cabinet export is that you can only export a Starter GPO on a Cabinet file. So this procedure is not taken over from a normal backup procedure, which will be introduced in the next section.

Backup Starter GPOs are separate

You must create a separate backup process for Starter GPOs. This is because they are not backed up through the GPMC "Backup All" method that you can perform with regular GPOs - but they have a separate backup procedure. If you right-click on 'Starter GPOs' you will see an option to 'Back Up All .'. This option will backup all Starter GPOs (see Figure 9).

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 9
Figure 9: Backup all Starter GPOs at once

If you just right-click the Starter GPO in the right pane of GPMC, you will see the 'Back Up .' option. This option will create a backup only for this Starter GPO.

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 10
Figure 10: Select a local backup

Power of attorney

As with many other Windows features, you can delegate permissions to a specific user or group. In this case, you can delegate permissions to create Starter GPOs in the domain. This is done from the 'Delegation' tab, which is a tab that shows when the 'Starter GPOs' item is selected in the left menu tree, inside the GPMC (see Figure 11).

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 11
Figure 11: Delegation tab for Starter GPOs

This tab reflects the NTFS security terms named 'StarterGPOs'- directory under SYSVOL (see above); Only users or authorized groups will show up here.

Conclude

Starter GPOs are templates that can be used as bases for new GPOs - making it quick and easy to create, export, and import ' Administrative Templates ' policy settings. They may not have the same features as the GPO templates we have with AGPM - but even if you don't have a DOP / SA subscription on demand, there may still be some free points with Starter GPOs. .

Jakob H. Heidelberg

Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 12 Part 2: GPMC Version 2
Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 13 Part 3: Preference Group Policy
Group Policy in Windows Server 2008 - Part 1: What is Starter GPOs Picture 14 Part 4: Group Policy Preference (cont.)