PRC13: Group Policy in Win 7/2008R2

So this week I’m at once again making the trek to Microsoft TechEd 2011 in Atlanta, so I’ll be posting lots of session summaries and information that I want to pass along. First up is an all day pre-conference session by Jeremy Moskowitz on Group Policy. Here are some of the tips and highlights:

1. You don’t need Server 2008 R2 domain controllers to take advantage of Windows 7 or Server 2008 R2 group policy enhancements. You can use any version of domain controller, including Windows 2000. GPOs are client based technology, not server based.
2. The following policies are only applied at startup/login: software installation, folder redirection, disk quotas, drive mappings.
3. Use Windows 7 or Server 2008 R2 to manage all GPOs, even those for 2003 or XP. Do NOT use older GPMC versions to manage newer policies.
4. It is no longer recommended to tweak the “GPO status” (enabling or disabling user/computer sections). Just leave the entire GPO enabled.
5. Recommend you configure “Always wait for the network at computer startup and logon” policy located at ComputerAdmin TemplatesSystemLogon  for client operating systems. This forces synchronous GPO processing on clients, not the default of async. Provides a more consistent user experience.
6. The ADMX central store can work with any DC type (2000, 2003, etc.).
7. Comment your GPO policy settings and GPO to help document your settings.
8. Install the group policy preferences client for XP/Vista so you can use GP preferences. WSUS can deploy as well (optional software).
9. Group policy preferences can cover most of the tasks previously handled by logon scripts (mapping drives/printers, copying files to the client, configure shortcuts, etc.). Very powerful! You can also easily disable devices or device classes, such as CD-ROMs or USB sticks with a couple of clicks.
10. Group policy preferences are NOT a good place to store passwords, as you can reverse the encryption. So don’t use GP preferences to set local account passwords. MS published the encryption, and all computers use the same key.
11. GP preferences extensions only for IE 5,6,7, and 8. MS hasn’t released IE9 settings yet.
12. Use the F5, F6, F7, and F8 keys to ‘red’ and ‘green’ individual GP preference settings. All green settings get delivered to the client, so set to Red items that you don’t want delivered.
13. Applocker service (Application Identity) takes 2 minutes to initialize after it starts, so don’t immediately try your rules until it’s fully started. Applocker is a VERY flexible way to limit what users can run on their computers. Way cool auto rule generation and other ways to make life easier for configuring rules.

Overall, it was a good session. Group policy preferences are really a powerful tool, and can be used on Windows XP and higher systems. If you aren’t using GPPs, take a serious look at them.