Group Policy Administrative Mysteries: Solved!
Group Policy seems like a common and easy technology, until you get knee deep and start trying to make things happen. Then, you realize that Group Policy can be complex, difficult, and in some cases nearly impossible to understand. With each iteration of the Microsoft operating system, the Group Policy Management Console (GPMC), and the Group Policy Management Editor (GPME), there seems to be something new, which is not always backwards compatible! So, the question becomes “How do I deal with these changes and where can I go to get insight into them?” That answer is not very pleasant, which is why I am writing this article. There is no centralized place to get a “change list” for Group Policy. The Group Policy MVPs try to keep blogs, posts, articles, and videos updated to help, but there are just too many changes, too many differences, and not enough time to keep everything up to date.
ADM Templates vs ADMX Files
There was a major change from Windows XP/2003 to Windows Vista/2008 with regard to the core Registry modification capabilities of Group Policy. Group Policy has always been able to update the Registry. The portion of Group Policy that changes the Registry is the Administrative Templates node, which is located under both the Computer Configuration and User Configuration portions in the GPME. This can be seen in Figure 1.
Figure 1: Administrative Templates nodes under both Computer Configuration and User Configuration.
Starting with Windows NT (system policy) through Windows XP/2003, all of the default settings located under the Administrative Templates nodes within the GPME were defined by the ADM template files that came with the operating system. Over time the number of ADM templates changed, but with XP/2003 there were 5 primary ADM templates.
Now with Windows Vista/2008 and greater, the ADM templates are no longer used. Now, I am not saying that they can’t be used; rather they are not used by default. Instead, Microsoft now uses ADMX files. These ADMX files are XML based and provide for greater flexibility for management of the Registry changes that the files control. The ADMX files provide support for different languages, where ADM templates only supported English. Each ADMX file is matched with an ADML file, which is the language file. There are over 150 ADMX/ADML file combinations, with a varying number of files per operating system starting with Windows Vista/2008 through Windows 8/2012.
The best advice I can provide for you is to use the latest operating system to manage Group Policy and don’t go back. Once you go back you might not be able to see all of the settings you made in the newer operating system, even though the settings are configured correctly.
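The ADMX/ADML pairing and the "settings you can no longer see" problem described above can be made concrete with a short script. This is an added example, not code from the article or from Microsoft: the two ADMX documents, the ADML document, the `Example_*` policy names and the `Get-AdmxPolicyMap` function are constructed for illustration.

```powershell
# Constructed samples (not Microsoft files). Real ADMX/ADML files also declare
# an XML namespace, policyNamespaces and categories, which are omitted here.
$newAdmx = [xml]@'
<policyDefinitions revision="2.0" schemaVersion="1.0">
  <policies>
    <policy name="Example_DisableFeature" class="Machine" displayName="$(string.Example_DisableFeature)"
            key="Software\Policies\Example\App" valueName="DisableFeature" />
    <policy name="Example_HomePage" class="User" displayName="$(string.Example_HomePage)"
            key="Software\Policies\Example\App" valueName="HomePage" />
  </policies>
</policyDefinitions>
'@
$newAdml = [xml]@'
<policyDefinitionResources revision="2.0" schemaVersion="1.0">
  <resources><stringTable>
    <string id="Example_DisableFeature">Turn off the example feature</string>
    <string id="Example_HomePage">Set the example home page</string>
  </stringTable></resources>
</policyDefinitionResources>
'@
# The older management station's copy of the same ADMX, lacking one policy.
$oldAdmx = [xml]@'
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="Example_DisableFeature" class="Machine" displayName="$(string.Example_DisableFeature)"
            key="Software\Policies\Example\App" valueName="DisableFeature" />
  </policies>
</policyDefinitions>
'@

function Get-AdmxPolicyMap {
    param([xml]$Admx, [xml]$Adml, [xml]$OlderAdmx)
    $strings = @{}   # ADML string table: id -> localized display text
    foreach ($s in $Adml.GetElementsByTagName('string')) {
        $strings[$s.GetAttribute('id')] = $s.InnerText
    }
    $known = @($OlderAdmx.GetElementsByTagName('policy') | ForEach-Object { $_.GetAttribute('name') })
    foreach ($p in $Admx.GetElementsByTagName('policy')) {
        # displayName is a $(string.<id>) reference resolved through the ADML.
        $id = $p.GetAttribute('displayName') -replace '^\$\(string\.(.+)\)$', '$1'
        [pscustomobject]@{
            Policy        = $p.GetAttribute('name')
            DisplayName   = $strings[$id]
            Class         = $p.GetAttribute('class')   # Machine, User or Both
            RegistryKey   = $p.GetAttribute('key')
            ValueName     = $p.GetAttribute('valueName')
            InOlderEditor = $known -contains $p.GetAttribute('name')
        }
    }
}
Get-AdmxPolicyMap -Admx $newAdmx -Adml $newAdml -OlderAdmx $oldAdmx | Format-Table -AutoSize
```

A row with `InOlderEditor` set to `False` is a setting the older editor has no definition for, so it cannot display it even though the Registry value is still configured in the GPO.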
Group Policy Preferences
You might have noticed that when you edit Group Policy from one computer you see the Group Policy Preferences nodes, seen in Figure 2, where on a different computer the Group Policy Preferences nodes are not there. This is an easy one to explain, but not so easy when you are in the middle of a disaster trying to put fires out.
Figure 2: Group Policy Preference nodes visible in the new GPMC.
Microsoft acquired Group Policy Preferences from a third party vendor in October 2006. They released them to the public in early 2007. Since the old GPMC did not support Preferences, the only way to get them out to the masses was to produce a new GPMC. The new GPMC does not work on Windows Vista without a service pack; it works with Windows Vista SP1 and Windows Server 2008.
Microsoft made some efforts to make power management possible via Group Policy in and around the Windows Vista time frame. If you look at a Group Policy from a Windows Vista/2008 computer, you will see that the power management only affects Windows XP computers, as shown in Figure 3.
Figure 3: Power Management for Windows XP only.
Then, Microsoft got some grief from the community due to the fact that power management was not only needed for XP, but also for newer operating systems. So, when the next generation of Group Policy management came around (which was the next update to Group Policy), there was something new in the Power Management controls. The change is that you can now control power on Windows XP, Vista, and greater. You can see this as long as you are managing the GPO from a Windows 7 or Windows 2008 R2 computer.
In my opinion, you should steer clear of this power management setting. The reason is that this setting is “one size fits all”, which is just not a good option for power management. You don’t want the power options kicking in during the work day, when users don’t need to save power on their laptop/desktop. Power management is key when users are not working or are working intermittently, which is after the work day is done.
The way to manage power with the time of day taken into account is to use Group Policy Preferences. There is a power management client side extension that allows for time of day controls. In order to manage time of day controls in a GPO using preferences, you use Item-Level Targeting.
Over the years, the controls for Internet Explorer have never been that good if you decided to use Group Policy to manage it. You had Internet Explorer Maintenance, shown in Figure 4, which was clumsy to configure.
Figure 4: Internet Explorer Maintenance in Group Policy.
Microsoft introduced new Internet Explorer controls when they introduced Group Policy Preferences, which you can see in Figure 5.
Figure 5: Internet Explorer controls using Group Policy Preferences.
Since Group Policy Preferences were obtained from a third party company, these controls don’t control every aspect of Internet Explorer. Also, depending on which operating system you are using to manage Group Policy, you might see different versions of Internet Explorer as an option.
Also, in Windows Server 2012 and Windows 8 Microsoft removed the Internet Explorer Maintenance options in the GPME. They realized the problems that these caused and removed the issue from even the realm of configuration options!
Group Policy is not complex… but the details can really get to you. Most Group Policy problems stem from admins who need to work in environments that have different operating systems. These different operating systems behave differently, even though we want them to work the same. I ran into a school district a few months ago that was struggling greatly with roaming profiles, since roaming profiles differ so much from Windows XP to Windows 7. The interface is nearly the same, but the behavior of the folder structure is different, so Group Policy seems to not work correctly. If you take the time to research, test, and ask questions (I love questions!), you can get to the bottom of most of your issues related to managing and deploying Group Policy.