Managing Group Policy in a Windows 8 World
Now that Windows 8 is out (or almost out), the inevitable questions will arise about introducing it into your Group Policy Management world. As with previous versions of Windows, the approach with Windows 8 (and Server 2012) will be similar. Since Windows 8 and Server 2012 will be introducing more new settings into Group Policy, you’ll need to use the GPMC and GP Editor versions that come with those new OS versions to be able to see those new settings. There are two main approaches that I typically recommend when introducing a new OS into your Group Policy management practice:
- The first approach is to introduce a Windows 8 or Server 2012 “management station” as your new, sole GP management platform, managing both new GPOs that you create specifically for Windows 8/Server 2012 machines, as well as existing GPOs that apply to downlevel OS. The advantage to this is that all of your GP management will now happen from this new version of the OS. This means that all of the new settings in Windows 8 will be available to you, and you will still have *most* of the settings that you managed in downlevel versions available as well. I say “most” because, for the first time in a while, Microsoft has actually removed a policy area in the Windows 8 GP editor. Specifically, as I blogged about recently, Microsoft has removed Internet Explorer Maintenance Policy from the Win8/2012 GP Editor. So, if you have IE Maintenance settings in your existing GPOs, you won’t be able to see them from your Windows 8 GP editor (though those settings will still appear in GPMC settings reports on Windows 8). This means that you’ll need to keep around at least one downlevel management station for managing these settings. In addition, Microsoft will from time to time rename settings between OS releases, as they appear in GP Editor. The underlying setting itself will not have changed, but the name of the setting may. So, if you’re managing existing GPOs that implement renamed settings, and you view those settings in Windows 8, for example, they may appear different than they would in the GP Editor for Windows 7. It’s not a bad thing. It is just something to be aware of. The final thing to be aware of in this approach is that the ADMX files for Windows 8 and Server 2012 have been updated. As a result, if you are using the SYSVOL-based Central Store to keep your ADMX files in a central location, you would need to update those files with the new ones found under C:\windows\policydefinitions on your Windows 8 management station.
Keep in mind that once you upgrade your Central Store, you should plan on using Windows 8 or Server 2012 for your management station for all GP tasks. Your Windows 7 GP tools will *probably* work reading those Windows 8/2012 ADMX/L files, but there have been episodes in the past where Microsoft made changes to the schema of these files and it required using the latest version of the OS to properly read them.
- The second approach is the more conservative one, but also potentially more complex. It calls for having both Windows 7/2008-R2 and Windows 8/2012 GP management stations on your network. You’ll use the Windows 7 tools to manage your existing GPOs targeted at downlevel machines and users, and use the Windows 8 tools to manage new GPOs that you create specifically to apply to Windows 8 clients and servers (and their users). Obviously, this approach has challenges. As you introduce more and more Windows 8/2012 systems, you may find users that cross between downlevel OSes and Windows 8. So the distinction between what are Windows 8 GPOs and downlevel GPOs becomes less clear. But, in the beginning, it does provide a clear delineation between the various platforms and their Group Policy support.
So, which approach do I recommend? In general, approach #1 is best if you can make it work. The key to making it work is to test the different scenarios you’ll need to support. Obviously, if you have IE Maintenance settings in your environment, you’ll still need to keep around a downlevel GPMC install to support editing those settings. But beyond that, it should be fairly straightforward to shift from managing your new and existing GPOs using earlier OS versions to Windows 8/2012 GPMC and GP Editor.
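One way to preview the Central Store update described under the first approach, as an added example that is not part of the original post: it lists which ADMX/ADML files on the Windows 8 management station are new or changed relative to the store, and copies them only when `-Apply` is given. The domain name, language folder, backup location and function names are assumptions.

```powershell
# Added example, not from the original post. $Domain is a placeholder assumption.
param(
    [string]$Domain   = 'corp.example.com',              # placeholder domain name
    [string]$Source   = "$env:windir\PolicyDefinitions", # local ADMX files on the Windows 8 station
    [string]$Language = 'en-US',                         # ADML language folder to compare (assumption)
    [string]$BackupTo = "$env:TEMP\PolicyDefinitions-$(Get-Date -Format yyyyMMdd-HHmmss)",
    [switch]$Apply                                       # without this switch nothing is written
)

$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path $store)) { throw "Central Store not found at $store" }

# Hash with .NET directly so the script also runs on PowerShell 3.0
function Get-Sha256([string]$Path) {
    $sha = [Security.Cryptography.SHA256]::Create()
    [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path)))
}

# Emit one object per source file: New (not in store), Changed (content differs) or Same
function Compare-PolicyFiles([string]$From, [string]$To, [string]$Filter) {
    foreach ($file in Get-ChildItem -Path $From -Filter $Filter | Where-Object { -not $_.PSIsContainer }) {
        $target = Join-Path $To $file.Name
        if (-not (Test-Path $target)) { $status = 'New' }
        elseif ((Get-Sha256 $file.FullName) -ne (Get-Sha256 $target)) { $status = 'Changed' }
        else { $status = 'Same' }
        New-Object psobject -Property @{ Name = $file.Name; Status = $status; Source = $file.FullName; Target = $target }
    }
}

$diff = @(Compare-PolicyFiles $Source $store '*.admx')
$localAdml = Join-Path $Source $Language
if (Test-Path $localAdml) {
    $diff += @(Compare-PolicyFiles $localAdml (Join-Path $store $Language) '*.adml')
}
$pending = @($diff | Where-Object { $_.Status -ne 'Same' })
$pending | Sort-Object Status, Name | Format-Table Status, Name -AutoSize

if ($Apply -and $pending.Count -gt 0) {
    Copy-Item -Path $store -Destination $BackupTo -Recurse   # rollback copy of the current store
    foreach ($item in $pending) {
        $dir = Split-Path $item.Target
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        Copy-Item -Path $item.Source -Destination $item.Target -Force
    }
    "Copied $($pending.Count) file(s); previous store saved to $BackupTo"
}
```

Files that exist only in the Central Store (for example third-party ADMX files) are left untouched, and `-Apply` needs an account with write access to SYSVOL.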
Let me know if you have questions on this, since it always brings up lots of discussion when this topic comes up. Feel free to comment on this blog posting or join the GPTalk Mailing list at GPOGUY.COM to discuss.