Skip to main content This browser is no longer supported. Show
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. What's New in Group Policy in Windows Server
In this articleApplies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8 This topic describes the new and changed functionality of the Group Policy feature in Windows Server 2012 R2 and Windows Server 2012. Group Policy is an infrastructure that enables you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local computer or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools, which provides a way for you to administer Group Policy settings from your desktop. In this topic:
What’s new in Group Policy in Windows Server 2012 R2In Windows Server 2012 R2, Group Policy offers enhanced support in the following areas.
IPv6 supportWindows Server 2012 R2 expands support for IPv6 in Group Policy. This expanded support encompasses printers, item-level targeting, and VPN networks. The following procedures describe how you can use this expanded support. Printers
Item-level targeting
VPN connections
Policy cachingIn Windows Server 2012 R2, when Group Policy gets the latest version of a policy from the domain controller, it writes that policy to a local store. Then if Group Policy is running in synchronous mode the next time the computer reboots, it reads the most recently downloaded version of the policy from the local store, instead of downloading it from the network. This reduces the time it takes to process the policy. Consequently, the boot time is shorter in synchronous mode. This is especially important if you have a latent connection to the domain controller, for example, with DirectAccess or for computers that are off premises. This behavior is controllable by a new policy called Configure Group Policy Caching. Event loggingWindows Server 2012 R2 provides more detailed events for Group Policy settings in the operational event log. The logged events include more information about how long it takes to download and process policies. There are also details about WMI processing. This can help you analyze and diagnose long sign-in times. What’s new in Group Policy in Windows Server 2012In Windows Server 2012, Group Policy offers enhanced support for the following scenarios.
See also Removed or deprecated functionality. Remote Group Policy updateIn Windows Server 2012, you can refresh Group Policy settings, including security settings that are set on a group of remote computers, by using the functionality that is added to the context menu for an organizational unit (OU) in the Group Policy Management Console (GPMC). This functionality schedules a task on all computers in a selected OU, which refreshes the computer and user Group Policy settings. What value does this change add? When you troubleshoot Group Policy issues for a specific computer or user, you can run gpupdate.exe to verify that the most current Group Policy settings have been applied. This command-line utility needs to be run on a specific computer. In Windows Server 2012, you can schedule gpupdate.exe to run on multiple computers from the GPMC or from a Windows PowerShell session by using the new Invoke-GPUpdate cmdlet. What works differently? Prior to Windows Server 2012, you would have to remote to a specific computer and run gpupdate.exe from the command-line. In Windows Server 2012 you can update Group Policy for all computers in a specific OU and the OUs that it contains. For more information about the new remote Group Policy update feature, see Force a Remote Group Policy Refresh (GPUpdate) Group Policy Results report improvementsGroup Policy Results in Windows Server 2012 includes more information to help determine if a Group Policy setting was applied to a computer or user. If the results do not match the expected results, there is information about why this happened. What value does this change add? It is sometimes hard to determine why Group Policy applied the specific policy settings and Preferences. The Group Policy Results report includes the following new information to help you understand why a particular Group Policy result was achieved:
What works differently? The following applicable conditions are displayed on the Group Policy Results Summary tab:
The Group Policy Results Details tab displays:
Important To view the Group Policy Results for a specific computer, the following firewall rules must be set on each client computer to allow the following connections: Remote Event Log Management (NP-IN) Remote Event Log Management (RPC) Remote Event Log Management (RPC-EPMAP) Windows Management Instrumentation (WMI-IN) If you do not want to allow the connections on computers, you can also run Gpresult.exe /h <filename.html> from the command line on the each local computer, where filename.html is the name of a file to which Gpresult writes the output. Group Policy infrastructure statusDisplay the status of Active Directory and SYSVOL replication as it relates to all Group Policy Objects or a single Group Policy Object. What value does this change add? Group Policy relies on being stored and replicated to all domain controllers in a domain. There can be a lag time after a change is made on one domain controller before the change is replicated to all other domain controllers. Until changes to a GPO are replicated to the domain controller that a client computer is accessing, that computer will receive the earlier version of the GPO during Group Policy refresh. In earlier versions of the Windows operating system, administrators had to download GPOtool.exe to diagnose these issues. What works differently? In Windows Server 2012, you no longer need to download and run a separate tool for monitoring and diagnosing replication issues related to Group Policy at the domain level. Potential differences that can be viewed by using the Group Policy infrastructure status are:
For more information about the new Group Policy infrastructure status, see Check Group Policy Infrastructure Status. Local Group Policy support for Windows RTYou can configure Group Policy on devices that run Windows RT. What value does this change add? Local Group Policy is available for Windows RT. It is off by default, but can be turned on by the local administrator. What works differently? For Windows RT devices, the Group Policy Client service is disabled by default. The Group Policy Client service must be set to Automatic and started by the administrator before Group Policy is processed on the device. To turn on the Group Policy Client service
Sign-in optimizationsSlow link processing during sign-in is improved. What value does this change add? More control to determine if the network connection should be processed as a slow link improves the sign-in experience for users by allowing users to sign-in faster. What works differently? For DirectAccess connections, when the network connection speed cannot be determined, Group Policy processing defaults to slow-link mode. During sign-in, if a slow link is detected, Group Policy automatically switches to asynchronous processing. A new policy setting enables administrators to configure all 3G connections so that they are treated as a slow link. To disable 3G slow-link connections, select the Always treat WWAN connections as a slow link check box after you have enabled the Configure Group Policy slow link detection policy setting. Note The Configure Group Policy slow link detection policy setting is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy in the Group Policy Management Editor. Fast StartupImprovement in start times affects Group Policy processing. What value does this change add? Fast Startup decreases the time it takes to shut down and start a computer by causing the computer to enter a hibernate state instead of performing a full shutdown. What works differently? Group Policy settings or scripts that are applied during start or shutdown might not be applied when computers are configured to use Fast Startup. For more information about the impact of this change, see Understand the Effect of Fast Logon Optimization and Fast Startup on Group Policy. New Group Policy starter GPOsYou can configure firewall port requirements to allow Group Policy remote RSoP reporting and remote Group Policy update. What value does this change add? The two starter GPOs make configuring Group Policy firewall port requirements easier. You can import the starter GPOs at the same time that you create a new GPO for this purpose. What works differently? For more information about the new Starter GPOs, see Configure Firewall Port Requirements for Group Policy. Group Policy cmdlet changesAutomate the remote Group Policy update by using the new Invoke-GPUpdate cmdlet. Note Group Policy cmdlets can also run on the Server Core installation option. What value does this change add? The new Invoke-GPUpdate cmdlet provides more functionality than applying remote Group Policy update through the GPMC interface. For example, the Invoke-GPUpdate cmdlet enables you to refresh computers located in the default computer container, while the remote Group Policy update functionality in the GPMC enables you to remotely refresh only computers that are located in an OU. On a Server Core installation, you can manage GPMC functionality by using Group Policy cmdlets. This provides you with more flexibility for managing Group Policy. The Get-GPPermissions cmdlet and the Set-GPPermissions cmdlet are renamed to the singular form: Get-GPPermission and Set-GPPermission. Both cmdlets have aliases for their previous names to support backward compatibility. What works differently? For more information about all Group Policy cmdlets, see Group Policy Cmdlets in Windows PowerShell. Registry.pol changesAn increase in the maximum size allowed for registry.pol enables faster downloads of registry.pol files from domain controllers. What value does this change add? With this change, there should be very few situations where the maximum size of the registry.pol file restrains administrators from adding new Administrative Template settings to a GPO. With the faster download of registry.pol files, Group Policy processing should increase. What works differently? The registry.pol file maximum size is increased to 100 MB. The Group Policy processing has been changed to read larger amounts of data from a registry.pol file when processing the Administrative Template settings. This change results in less network access for reading the registry.pol file from the domain controller, which speeds up Group Policy processing. Group Policy Client service idle stateThe Group Policy Client service will sleep when the Group Policy service is idle for more than 10 minutes. What value does this change add? Group Policy processes approximately every 90 minutes, by default. Setting the Group Policy Client service to sleep in between processing helps create better performance for client computers. What works differently? Group Policy background refresh starts as a scheduled task, not as a service that continuously checks to determine when it is time to run the background refresh. The scheduled task model requires less overhead processing, which creates better performance for client computers. Group Policy settings in Internet Explorer 10Group Policy Administrative Template settings that support Internet Explorer 10 are added. What value does this change add? New Group Policy settings in the Internet Explorer 10 Administrative Template support new features. What works differently? For more information about the new and changed policy settings that can be used to manage and control your Internet Explorer 10 configuration, see Group Policy Settings in Internet Explorer 10. Group Policy Preferences for Internet Explorer 10Windows Server 2012 and Windows 8 include Group Policy Preferences support for Internet Explorer 10. What value does this change add? Group Policy Preferences consolidates multiple ways to configure Internet Explorer preference settings. What works differently? The Internet Explorer Maintenance (IEM) snap-in is replaced by the Internet Explorer 10 preference extension. Administrators can use the Internet Explorer 10 preference extension or the Internet Explorer Administration Kit (IEAK) to configure Group Policy settings. Information about the Internet Explorer 10 preference extension can be found at:
Removed or deprecated functionalityThe following features and functionalities have been removed from this release of Group Policy. Applications, code, or usage that depends on these features will not function in this release unless you employ an alternate method. For more information about removed or deprecated functionality in this release, see Features Removed or Deprecated in the Windows Server 2012.
See also
Additional resources
Additional resourcesIn this articleHow to check GPO in Windows Server 2012?In 'GPO Management' section click on the 'GPO Management' link. In the 'Group Policy Management' pane on the left hand side, click on 'All Domains' to expand the link and view all the configured domains. Click on the required Domain/OU. This will display all the GPOs that are linked to that specific container.
What is Group Policy in Windows Server 2012?Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. Microsoft provides a program snap-in that allows you to use the Group Policy Management Console (GPMC).
How can I see all group policies applied?By executing the command gpresult.exe, the administrator of the OS can locate the group policies applied on the computer along with the redirected folders and the registry settings on that system. gpresult Command: To see the Gpresult commands, go to the command prompt and type the command: “gpresult /?”
How many group policies are there?There are three types of GPOs: local, nonlocal, and starter.
|