Group Policy Blog

Group Policy Tips, Tricks, and News from Darren Mar-Elia

Interesting Change to Group Policy in Server 2012/Windows 8

Fellow Group Policy MVP Alan Burchill brought this topic up on our GP MVP mailing list and I had to look into it. He pointed out that in the release candidate for Server 2012/Windows 8, the IE Maintenance Policy node can no longer be found within GP Editor, as shown below:

Missing IE Maintenance Policy in Windows 8

Now, if you’ve followed my blog postings and magazine articles in Windows IT Pro magazine over the years, you’ll know that there’s no love lost by me over this interesting development, but this IS the first time Microsoft has actually yanked an existing piece of functionality that has been around from the beginning, out of GP. I did some further testing by importing an existing GPO from my Server 2008-R2 test domain into my Server 2012 test domain. I half expected that the IE Maintenance node would magically appear when it detected those old settings in my imported GPO. However, to my great shock and amazement, it does not. Now that is swift and merciless! IE Maintenance is DEAD! Long live GP Preference Internet Settings!!!

I did notice that the IE Maintenance settings do appear within the GPMC settings report for that GPO, so it’s not like you can’t see those settings. But, once you move to Windows 8 and Server 2012 throughout your network, unless something changes by RTM, you won’t have a way of editing those settings. So, you’ll need to keep at least one Win7/Server 2008-R2 or earlier system around as your GP editing station for those special occasions when you need to keep editing those IE Maintenance policies!

Nevertheless, this is a BIG, BIG, BIG development in the world of GP. Finally, Microsoft has made a clear and bold statement–don’t use IE Maintenance Policy anymore. Of course, i’ve been saying that for about 7 years, but hey, things move at a difference pace in little old Redmond :-)

Enjoy!

Darren

There are 21 comments .

Gk —

Hi, I wish I could share your enthusiasm. Today I added a 2012 box to my existing 2008r2 domain which I thought would allow me to manage win 8 devices using GPO, configured via the newly added 2012 server. Unfortunately this wasn’t the case, well it seems that any of the new functionality delivered by this new server doesn’t work and that unfortunately includes Internet options through preferences. Come back IEM, at least it was reliable. Do I need to do anything else to my 2008r2 domain configuration to take advantage of the new 2012 GPO settings? And so allow me to get enthusiastic too.
Thanks

Reply »
    Darren Mar-Elia

    Gareth-
    I suspect something is going on in your environment, as that configuration is perfectly fine. I would check RSOP to make sure targeting is happening correctly and then look on the client’s GP Operational Logs for errors.

    Darren

    Reply »
      Gk —

      Thanks for the reply Darren, I checked RSOP and the logs. RSOP showed nothing, as if the GPO wast being applied although GPRESULTS Showed it was. So it looked like the contents was being ignored. The logs were even less helpful, and showed the GPO’s being process and that’s it. I also enabled Internet option preference logging but as that requires GP to work, that didn’t give me any results. I don’t normally struggle with GP, but this is really strange.

      Reply »
01 —

you need to raise the functional level of the domain to 2012, and that should give you the access needed to those new administrative templates.

Reply »
Tom —

Using the win7 or 2008 r2 machine for gp editing would not work if your domain was set to use a central GPO store……. or would it, I ask? haave been hesitant to test since I don’t have a test domain.

Reply »
    Darren Mar-Elia

    If you’re trying to edit Win8 Admin Template settings then you would have to upgrade the Central Store ADMXs to be the ones that ship with Win8. Those *should* be backward compatible with GP Editor on Win7 or Server 2008-R2, but what I would first do to test it, is to copy those Win8 ADMXs to a Win7 machine within it’s c:\windows\policydefinitions folder and then test it in isolation to make sure GP editor doesn’t throw errors. Then you should be safe to update your Central Store. Or alternatively, once you update the Central Store, just use Win8 as your GP editing system going forward.
    Darren

    Reply »
Tom —

I was specifically referring to the IE maintenance fucntion so I assumed an immediate “will not be compatible” for those settings. Even if I use a win7 machine it will get, by policy, directed to the central store regardless of the files it locally contains.

Reply »
Darren Mar-Elia

Tom-
IE Maintenance doesn’t use the Central Store or ADMX files at all–no impact at all there. So if you are concerned about continuing to edit IE Maintenance settings you would need to continue to use Win7 earlier GP management stations.
Darren

Reply »
Abdullah Al Masud —

I am using server 2008 r2 and I applied proxy setting using GPO (Internet explorer maintenance). When I switch to server 2012 I could not find IEM in 2012 GPO. can anyone suggest me how to configure IE proxy setting using 2012 GPO. Because I want to IE proxy in my network using 2012 GPO.

Reply »
George Maguire —

I need to update my 2008 R2 domain controller to IE 10 so I can manage IE 10 on Windows 7. I want to retain XP functionality but the problem is that I’m not seeing an option to configure the browser title in the Internet Settings group policy preference, you know, “Windows Internet Explorer provided by *Organisation*”. I am wondering how Microsoft wants us to do this now.

Reply »
Rob Gravesteijn —

This is all very nice, but I have a 2012 machine which is NOT a domain controller. It has been demoted. The preferences option does not appear in the User Configuration. How do I get around this? Hope you can help me.
Rob

Reply »
    Darren Mar-Elia

    Rob-
    Sadly, you don’t. You can’t configure GP Preferences on a non-domain-joined machine. At all :) You are stuck using Admin Templates or custom ADMX files to poke registry values.

    Darren

    Reply »
Rob Gravesteijn —

Hello Darren,

Thanks for your reply. I am new to server administration. What I am basically looking for is a way to disable my users from accessing the internet. I used to do this on Windwos 2008 server by setting the proxy server to 127.0.0.0. But surely there must be a better way to do this?

What is the best way to prevent users (not admnistrators) to access the internet? I am running a Windows 2012 multipoint server, which is not a domain controller.

Can you help me with that?
Best regards, Rob

Reply »
    Darren Mar-Elia

    Rob-
    The way I always recommend to do this is to use a “real” proxy server–and force all your users to go through the proxy server. Trying to use Group Policy to do this is an incomplete solution at best.

    Darren

    Reply »

Share Your Thoughts!

Copyright ©2013 SDM Software, Inc.
Site design by Social Media Ninjas | Sitemap