Windows Server 2008 R2 : GPO Administrative Tasks (part 1)

Before Group Policy can be managed, the Group Policy Management Tools must be installed. These tools are installed by default on Windows Server 2008 R2 domain controllers, but for other systems, they must be manually installed. The following sections detail installation steps for Windows Server 2008 R2 and Windows 7 systems.

Installing the Group Policy Management Tools on Windows Server 2008 R2

Before group policies can be managed from a Windows Server 2008 R2 system, the Group Policy Management feature must be installed, as detailed in the following steps:

Installing the Group Policy Management Tools on Windows 7

To manage domain group policies from a Windows 7 system, the administrator must download the “Remote Server Administration Tools for Windows 7” from the Microsoft download site. After the tool is downloaded, it must be installed on the Windows 7 system by an administrator. Once the tool is installed, the Group Policy Management feature can be installed from Control Panel, as detailed in the following steps:

After these steps are completed, the Group Policy Management feature can be accessed from the Administrative Tools menu. Installing these tools also installs the Group Policy module for PowerShell.

Managing Group Policy with Windows PowerShell

From a Windows 7 or a Windows Server 2008 R2 system with the Group Policy Management Tools installed, several new Windows PowerShell cmdlets can be leveraged to manage Group Policy. To access these Group Policy cmdlets, follow these steps:

Creating a GPO Central Store

Starting with Windows Vista and Windows Server 2008, administrators now have the ability to manually create a folder on the Active Directory domain controller that contains all of the necessary ADMX and ADML files. This folder is referred to as the GPO central store and will need to be created and managed manually. The GPO central store can be created in a domain that contains at least Windows Server 2003 domain controllers or greater.

By default, with Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, when a GPO is opened for editing on one of these operating systems, the system first checks the domain controller to which the GPO management tool is connected for the existence of a GPO central store. If the folder exists, the GPO loads the templates stored in the folder. If the central store does not exist, the local copies of the ADMX and ADML files are loaded to view the GPO.

The creation of the GPO central store provides a simple, yet effective way for administrators to manage administrative templates from the server. To create the GPO central store, perform the following steps:

The preceding steps create the central store and populate the store with the ADML language files of the administrative workstation. If additional language files are required, the language subfolder within the PolicyDefinitions folder of the administrative workstation can be copied into the domain’s central store now located at \\companyabc.com\sysvol\companyabc.com\policies\PolicyDefinitions.

Verifying the Usage of the GPO Central Store

To verify whether the central store is actually being used, perform the following steps:

1.	Log on to a designated administrative system.
2.	Open the Group Policy Management Console.
3.	Expand the domain to expose the Group Policy Objects container and expand it.
4.	Select any existing GPO that contains at least one configured setting within the Administrative Templates section of either the Computer Configuration or User Configuration node.
5.	In the right pane, select the Settings tab to view the settings of the GPO, similar to the settings shown in Figure 1. Figure 1. Examining Group Policy settings.
6.	Under Administrative Templates, it will state whether policy definitions (ADMX) files were retrieved from the local machine or from the central store.
7.	Close the Group Policy Management Console.