What's New in Group Policy

Published: August 2012

Updated: August 2012

Applies To: Windows 8, Windows Server 2012

This topic describes the new and changed functionality of the Group Policy feature in Windows Server 2012.

Group Policy is an infrastructure that enables you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local computer or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack, which provides a way for you to administer Group Policy settings from your desktop. For more information about Group Policy, see the Group Policy Overview.

The following table lists functionality in Group Policy that is new for this release or has been changed.


Feature/functionality New or Updated

  • Remote Group Policy Update

  • Group Policy Results report improvements

  • Group Policy infrastructure status

  • Local Group Policy support for Windows RT

  • optimizations

  • Fast Startup

  • New Group Policy starter GPOs

  • Group Policy cmdlet changes

  • Registry.pol changes

  • Group Policy Client service idle state

  • Group Policy settings in Internet Explorer 10

  • Group Policy Preferences for Internet Explorer 10


In Windows Server 2012, you can refresh Group Policy settings, including security settings that are set on a group of remote computers, by using the functionality that is added to the context menu for an organizational unit (OU) in the Group Policy Management Console (GPMC). This functionality schedules a task on all computers in a selected OU, which refreshes the computer and user Group Policy settings.

What value does this change add?

When you troubleshoot Group Policy issues for a specific computer or user, you can run gpupdate.exe to verify that the most current Group Policy settings have been applied. This command-line utility needs to be run on a specific computer. In Windows Server 2012, you can schedule gpupdate.exe to run on multiple computers from the GPMC or from a Windows PowerShell session by using the new Invoke-GPUpdate cmdlet.

What works differently?

Prior to Windows Server 2012, you would have to remote to a specific computer and run gpupdate.exe from the command line. In Windows Server 2012, you can update Group Policy for all computers in a specific OU and the OUs that it contains. For more information about the new remote Group Policy update feature, see Force a Remote Group Policy Refresh (GPUpdate).

Group Policy Results in Windows Server 2012 includes more information to help determine if a Group Policy setting was applied to a computer or user. If the results do not match the expected results, there is information about why this happened.

What value does this change add?

It is sometimes hard to determine why Group Policy applied the specific policy settings and Preferences. The Group Policy Results report includes the following new information to help you understand why a particular Group Policy result was achieved:

  • Whether the connection was determined to be a slow link or fast link

  • Whether block inheritance has been set

  • Whether loopback has been set

  • The processing time for each client-side extension

  • The GPO name is now displayed with each Group Policy setting and preference item. This identifies which is the winning GPO for a particular policy setting or preference item.

What works differently?

The following applicable conditions are displayed on the Group Policy Results Summary tab:

  • If a slow link or fast link is detected

  • If block inheritance is set

  • If loopback is enabled

The Group Policy Results Details tab displays:

  1. The OU that contains the computer or user.

  2. The Component Status section displays the amount of time each client-side extension took to process and the last time each client-side extension processed.

  3. The Component Status section provides a link in the Event Log column that displays the event log messages from the last Group Policy refresh. This functionality is equivalent to the information that is returned from the GPLogview.exe utility.

  4. The Winning GPO name is displayed in a table with each Policy setting name and the value that is set for each policy setting and preference item.

To view the Group Policy Results for a specific computer, the following firewall rules must be set on each client computer to allow the following connections:

  • Remote Event Log Management (NP-IN)

  • Remote Event Log Management (RPC)

  • Remote Event Log Management (RPC-EPMAP)

  • Windows Management Instrumentation (WMI-IN)

If you do not want to allow the connections on computers, you can also run Gpresult.exe /h <filename.html> from the command line on each local computer, where filename.html is the name of a file to which Gpresult writes the output.
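The following check is an added example, not part of the original topic. Run locally on a client, it reports whether the four inbound rules listed above are enabled, and writes a local Gpresult report when they are not, so the rules do not have to be opened only for troubleshooting. The function name and the report path are assumptions.

```powershell
# Added example. Run locally on the client; uses the NetSecurity module
# that ships with Windows 8 and Windows Server 2012.
$RequiredRules = @(
    'Remote Event Log Management (NP-In)',
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)',
    'Windows Management Instrumentation (WMI-In)'
)

# Hypothetical helper: one output row per required rule display name.
function Get-GPResultFirewallState {
    param([string[]] $DisplayName = $RequiredRules)
    foreach ($name in $DisplayName) {
        # One display name can map to several rules (one per profile set).
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        $open  = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
        [pscustomobject]@{
            Rule     = $name
            Found    = $rules.Count -gt 0
            Enabled  = $open.Count -gt 0
            Profiles = (@($open | ForEach-Object { $_.Profile }) -join '; ')
        }
    }
}

$state = @(Get-GPResultFirewallState)
$state | Format-Table -AutoSize

if (@($state | Where-Object { -not $_.Enabled }).Count -gt 0) {
    # Remote Group Policy Results will not work from GPMC, so write the
    # report locally instead. The file location is an assumption.
    $report = Join-Path $env:TEMP "gpresult-$env:COMPUTERNAME.html"
    gpresult.exe /h $report /f
    Write-Output "Required rules are not all enabled; local report written to $report"
}
```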

Display the status of Active Directory and SYSVOL replication as it relates to all Group Policy Objects or a single Group Policy Object.

What value does this change add?

Group Policy relies on being stored and replicated to all domain controllers in a domain. There can be a lag time after a change is made on one domain controller before the change is replicated to all other domain controllers. Until changes to a GPO are replicated to the domain controller that a client computer is accessing, that computer will receive the earlier version of the GPO during Group Policy refresh. In earlier versions of the Windows operating system, administrators had to download GPOtool.exe to diagnose these issues.

What works differently?

In Windows Server 2012, you no longer need to download and run a separate tool for monitoring and diagnosing replication issues related to Group Policy at the domain level. Potential differences that can be viewed by using the Group Policy infrastructure status are:

  • Active Directory and SYSVOL security descriptor (ACL details)

  • Active Directory and SYSVOL GPO version details

  • Number of GPOs listed in Active Directory and SYSVOL for each domain controller

For more information about the new Group Policy infrastructure status, see Check Group Policy Infrastructure Status.
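The version and count comparisons described above can also be scripted. This is an added example, not code from the original topic: it asks every domain controller for each GPO's Active Directory and SYSVOL version numbers and lists the GPOs that differ between domain controllers, differ between Active Directory and SYSVOL, or are missing from a domain controller. The function name Get-GpoVersionDrift is an assumption, and the security descriptor comparison is not covered.

```powershell
# Added example. Requires the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy, ActiveDirectory

# Hypothetical helper: returns one row per GPO that is not consistent.
function Get-GpoVersionDrift {
    param([string] $Domain = $env:USERDNSDOMAIN)
    $rows = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            foreach ($gpo in Get-GPO -All -Domain $Domain -Server $dc.HostName -ErrorAction Stop) {
                [pscustomobject]@{
                    DC   = $dc.HostName
                    Id   = $gpo.Id
                    Name = $gpo.DisplayName
                    # Order: user AD, user SYSVOL, computer AD, computer SYSVOL
                    Versions = @($gpo.User.DSVersion, $gpo.User.SysvolVersion,
                                 $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion)
                }
            }
        }
        catch { Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)" }
    }
    # Only count domain controllers that actually answered.
    $responding = @($rows | Select-Object -ExpandProperty DC -Unique)
    foreach ($group in ($rows | Group-Object Id)) {
        $distinct = @($group.Group | ForEach-Object { $_.Versions -join '/' } | Sort-Object -Unique)
        $adVsSysvol = @($group.Group | Where-Object {
            $_.Versions[0] -ne $_.Versions[1] -or $_.Versions[2] -ne $_.Versions[3] })
        if ($distinct.Count -gt 1 -or $adVsSysvol.Count -gt 0 -or $group.Count -lt $responding.Count) {
            [pscustomobject]@{
                Gpo          = $group.Group[0].Name
                Id           = $group.Name
                DCsReporting = "$($group.Count)/$($responding.Count)"
                VersionSets  = $distinct -join ' | '
                MismatchOn   = ($adVsSysvol | ForEach-Object { $_.DC }) -join ', '
            }
        }
    }
}

Get-GpoVersionDrift | Format-Table -AutoSize
```

An empty result means every responding domain controller reports the same versions for every GPO. Any row names a GPO for which some clients may still receive the earlier settings.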

You can configure Group Policy on devices that run Windows RT.

What value does this change add?

Local Group Policy is available for Windows RT. It is off by default, but can be turned on by the local administrator.

What works differently?

For Windows RT devices, the Group Policy Client service is disabled by default. The Group Policy Client service must be set to Automatic and started by the administrator before Group Policy is processed on the device.

  1. From the start screen, type Services.msc.

  2. Double-click Group Policy Client to open the Group Policy Client Properties (Local Computer) dialog box.

  3. Set the Startup type to Automatic, and then click the Start button.

Slow link processing during sign-in is improved.

What value does this change add?

More control to determine if the network connection should be processed as a slow link improves the sign-in experience for users by allowing users to sign in faster.

What works differently?

For DirectAccess connections, when the network connection speed cannot be determined, Group Policy processing defaults to slow-link mode. During sign-in, if a slow link is detected, Group Policy automatically switches to asynchronous processing. A new policy setting enables administrators to configure all 3G connections so that they are treated as a slow link. To disable 3G slow-link connections, select the Always treat WWAN connections as a slow link check box after you have enabled the Configure Group Policy slow link detection policy setting.

The Configure Group Policy slow link detection policy setting is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy in the Group Policy Management Editor.

Improvement in start times affects Group Policy processing.

What value does this change add?

Fast Startup decreases the time it takes to shut down and start a computer by causing the computer to enter a hibernate state instead of performing a full shutdown.

What works differently?

Group Policy settings or scripts that are applied during start or shutdown might not be applied when computers are configured to use Fast Startup. For more information about the impact of this change, see Effect of Fast Logon Optimization and Fast Startup on Group Policy.

You can configure firewall port requirements to allow Group Policy remote RSoP reporting and remote Group Policy update.

What value does this change add?

The two starter GPOs make configuring Group Policy firewall port requirements easier. You can import the starter GPOs at the same time that you create a new GPO for this purpose.

What works differently?

For more information about the new Starter GPOs, see Configure Firewall Port Requirements for Group Policy.

Automate the remote Group Policy update by using the new Invoke-GPUpdate cmdlet.

Group Policy cmdlets can also run on the Server Core installation option.

What value does this change add?

The new Invoke-GPUpdate cmdlet provides more functionality than applying remote Group Policy update through the GPMC interface. For example, the Invoke-GPUpdate cmdlet enables you to refresh computers located in the default computer container, while the remote Group Policy update functionality in the GPMC enables you to remotely refresh only computers that are located in an OU.
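The following sketch is an added example, not code from the original topic. It shows the scripted form of the remote refresh described here and in the Remote Group Policy Update section: it schedules a refresh on every enabled computer under an OU or container, including the default computer container, and records the computers where scheduling failed. The function name Invoke-ContainerGPUpdate and the example.com distinguished name are assumptions.

```powershell
# Added example. Requires the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy, ActiveDirectory

# Hypothetical helper: one result row per computer.
function Invoke-ContainerGPUpdate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Distinguished name of an OU or container to search, subtree included.
        [Parameter(Mandatory = $true)] [string] $SearchBase,
        # Upper bound, in minutes, of the random delay before each refresh runs.
        [int] $RandomDelayInMinutes = 10
    )
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree
    foreach ($computer in $computers) {
        $name = $computer.DNSHostName
        if (-not $name) { $name = $computer.Name }
        if (-not $PSCmdlet.ShouldProcess($name, 'Schedule remote Group Policy refresh')) { continue }
        try {
            Invoke-GPUpdate -Computer $name -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop
            [pscustomobject]@{ Computer = $name; Scheduled = $true; Error = $null }
        }
        catch {
            # Typical causes: the host is offline, or its firewall blocks the
            # connections that remote Group Policy update needs.
            [pscustomobject]@{ Computer = $name; Scheduled = $false; Error = $_.Exception.Message }
        }
    }
}

# Hypothetical domain. -WhatIf lists the targets without scheduling anything.
Invoke-ContainerGPUpdate -SearchBase 'CN=Computers,DC=example,DC=com' -WhatIf
```

Rows with Scheduled set to False identify computers that are still running with the previous settings, which matters most when the refresh is pushing a security setting.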

On a Server Core installation, you can manage GPMC functionality by using Group Policy cmdlets. This provides you with more flexibility for managing Group Policy.

The Get-GPPermissions cmdlet and the Set-GPPermissions cmdlet are renamed to the singular form: Get-GPPermission and Set-GPPermission. Both cmdlets have aliases for their previous names to support backward compatibility.

What works differently?

For more information about all Group Policy cmdlets, see Group Policy Cmdlets in Windows PowerShell.

An increase in the maximum size allowed for registry.pol enables faster downloads of registry.pol files from domain controllers.

What value does this change add?

With this change, there should be very few situations where the maximum size of the registry.pol file restrains administrators from adding new Administrative Template settings to a GPO. With the faster download of registry.pol files, Group Policy processing should be faster.

What works differently?

The registry.pol file maximum size is increased to 100 MB. The Group Policy processing has been changed to read larger amounts of data from a registry.pol file when processing the Administrative Template settings. This change results in less network access for reading the registry.pol file from the domain controller, which speeds up Group Policy processing.

The Group Policy Client service will sleep when the Group Policy service is idle for more than 10 minutes.

What value does this change add?

Group Policy processes approximately every 90 minutes, by default. Setting the Group Policy Client service to sleep in between processing helps create better performance for client computers.

What works differently?

Group Policy background refresh starts as a scheduled task, not as a service that continuously checks to determine when it is time to run the background refresh. The scheduled task model requires less overhead processing, which creates better performance for client computers.

Group Policy Administrative Template settings that support Internet Explorer 10 are added.

What value does this change add?

New Group Policy settings in the Internet Explorer 10 Administrative Template support new features.

What works differently?

For more information about the new and changed policy settings that can be used to manage and control your Internet Explorer 10 configuration, see Group Policy Settings in Internet Explorer 10.

Windows Server 2012 and Windows 8 include Group Policy Preferences support for Internet Explorer 10.

What value does this change add?

Group Policy Preferences consolidates multiple ways to configure Internet Explorer preference settings.

What works differently?

The Internet Explorer Maintenance (IEM) snap-in is replaced by the Internet Explorer 10 preference extension. Administrators can use the Internet Explorer 10 preference extension or the Internet Explorer Administration Kit (IEAK) to configure Group Policy settings. Information about the Internet Explorer 10 preference extension can be found at:

The following features and functionalities have been removed from this release of Group Policy. Applications, code, or usage that depends on these features will not function in this release unless you employ an alternate method. For more information about removed or deprecated functionality in this release, see Features Removed or Deprecated in Windows Server 2012.

The following table provides additional resources for evaluating Group Policy.


Content type: References

Product evaluation: Group Policy Overview | Group Policy Techcenter

Community resources: Group Policy Team Blog | TechNet Wiki

Related technologies: Active Directory Domain Services Overview