Configure and manage Group Policy - Exam Ref 70-417 Upgrading Your Skills to Windows Server 2012 R2 (2014)

Chapter 9. Configure and manage Group Policy

Windows Server 2012 and Windows Server 2012 R2 include a varied assortment of enhancements to Group Policy, but only the narrow topic of configuring Group Policy processing has been singled out for the 70-417 exam. As it turns out, the most important new Group Policy feature is the only one to fall within this “processing” objective: remote Group Policy updating. This chapter introduces you to this useful new functionality introduced in Windows Server 2012.

In addition, Windows Server 2008 R2 introduced a new GroupPolicy module for Windows PowerShell. The module includes 26 cmdlets, and some of them are likely to appear on the exam. The chapter introduces these cmdlets as a reference for your exam preparation.

Finally, Windows 8.1 introduces a new feature you need to know called Group Policy Caching. Even though Group Policy Caching relates specifically to Windows 8.1, you still might see an exam question on this topic.

Objectives in this chapter:

Objective 9.1: Configure Group Policy processing

Objective 9.1: Configure Group Policy processing

Remote Group Policy updating is the most important new Group Policy feature you need to learn about for the 70-417 exam. It appears in two guises: GUI and Windows PowerShell. The GUI feature might be a bit too straightforward by itself to serve as the basis for exam questions, so be sure to learn the extra, “complicating” details explained next, such as how the feature actually works, and which service and open ports are required for the feature to function. In Windows PowerShell, the feature hits a “sweet spot” of exam-level difficulty, so it’s more likely you’ll see exam questions based on this version of the feature. As a result, make sure you can understand the syntax and the various options that can accompany the Invoke-GPUpdate cmdlet.

You don’t need to understand the syntax of other Windows PowerShell cmdlets in the Group Policy module. You just need to be able to recognize their purpose.


This section covers the following topics:

Remote Group Policy update

Group Policy cmdlets in Windows PowerShell

Group Policy caching


Remote Group Policy update

Windows Server 2012 and Windows Server 2012 R2 introduce a handy feature that is sure to please network administrators: the ability to perform a Group Policy update on many remote computers at once. You can accomplish this task by using either the Group Policy Management Console or Windows PowerShell. Before now, of course, you had to use the GPUpdate command on a local computer to refresh policy for just that computer and the locally logged-on user. If you wanted to update many computers at once, you had to use a script or a third-party tool.

Updating Group Policy in an organizational unit with Group Policy Management Console

To remotely refresh Group Policy in the Group Policy Management Console, simply right-click an organizational unit (OU) container in the console tree and select Group Policy Update from the shortcut menu, as shown in Figure 9-1. This step schedules GPUpdate.exe to be run within 10 minutes on all clients running Windows Vista or later and on all servers running Windows Server 2008 or later in that OU.

FIGURE 9-1 Updating Group Policy on all computers in an OU

Note the limitations: You can force a Group Policy refresh on all computers within a single OU and all subcontainers only. You cannot single out specific computers or update Group Policy on computers that are not located in an OU. (This restriction applies only to the Group Policy Management Console, not to Windows PowerShell.) Also, you cannot use this feature to update computers running operating systems earlier than Windows Vista and Windows Server 2008, whether through Group Policy Management or through Windows PowerShell.

After you select the Group Policy Update option, a message box appears indicating the number of computers that will be affected and asking you to confirm the update, as shown in Figure 9-2.

FIGURE 9-2 A remote update in Group Policy Management forces the update for all computers in an OU

When you give your consent, a window (shown in Figure 9-3) appears, indicating the success or failure of the scheduling of the update. The update itself is not immediate. As shown in Figure 9-3, the message indicates that a Group Policy update will be forced on all computers in the OU and all subcontainers within 10 minutes. This slight delay is a good thing when there are many computers in the OU: The computers will not all update at the same time and strain the resources of domain controllers.

FIGURE 9-3 Updating Group Policy on all computers in an OU

Updating Group Policy with Invoke-GPUpdate

You can update Group Policy on computers in a much more flexible way if you use the Invoke-GPUpdate cmdlet in Windows PowerShell.

Used by itself without any parameters, the cmdlet is similar to GPUpdate.exe; it updates Group Policy on the local computer only. The difference with GPUpdate.exe is that, as with the Group Policy Management Console, the task is not performed immediately but is scheduled to be completed within 10 minutes by default.

Used with the -Computer parameter however, the Invoke-GPUpdate cmdlet lets you update a remote computer, as in the following example:

Invoke-GPUpdate -Computer WS12-B

Other options you can use with Invoke-GPUpdate include -Force and -RandomDelayInMinutes. The -Force parameter resembles the /Force option with GPUpdate.exe: It reapplies all policy settings regardless of whether they have changed. The -RandomDelayInMinutes parameter allows you to specify a random interval in minutes up to the number of minutes specified, before the Group Policy update will be run. The purpose of this option is typically to reduce the network load on domain controllers when many remote computers are updated with a scripted command, but it can also be used with a single computer to reduce or remove the default delay of 10 minutes. A value of 0 will, in fact, cause the Group Policy refresh to run immediately. The following example therefore causes all Group Policy settings to be updated immediately on a computer named WS12-B:

Invoke-GPUpdate -Computer WS12-B -RandomDelayInMinutes 0 -Force

As mentioned, you can also leverage Windows PowerShell to execute the Invoke-GPUpdate cmdlet on more than one computer. You can begin with the Get-ADComputer cmdlet to retrieve any group of computer objects and then pipeline the results to a “ForEach” construction that includes Invoke-GPUpdate.

For example, the following command displays all of the computers in the container named Computers, in the Fabrikam.local domain:

Get-ADComputer -Filter * -Searchbase "CN=Computers,DC=Fabrikam,DC=local"

If you pipe the results of this command to a ForEach statement, you can execute the Invoke-GPUpdate cmdlet on each computer returned by the command. The net result of the following command, for example, is to schedule GPUpdate.exe to run on every computer in the Computers container within 10 minutes.

Get-ADComputer -Filter * -SearchBase "CN=Computers,DC=Fabrikam,DC=local" | ForEach {Invoke-GPUpdate -Computer $_.name}

You don’t need to target computers in any specific container or OU. The following example attempts to schedule GPUpdate.exe to run on every computer in the domain within 10 minutes:

Get-ADComputer -Filter * | ForEach {Invoke-GPUpdate -Computer $_.name}

This next example schedules GPUpdate.exe to run immediately on every computer in the domain with a description that includes the term “finance”.

Get-ADComputer -Filter 'Description -like "*finance*"' | ForEach {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0}

One final example: The following schedules GPUpdate.exe to run immediately on all computers in the domain with an operating system name that includes the string “Vista”:

Get-ADComputer -Filter 'OperatingSystem -like "*Vista*"' | ForEach {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 0}


Exam Tip


You might see questions that use the Get-ADComputer or Get-ADUser cmdlets with the -Filter parameter in the way illustrated above: as a way to either search for objects with specific properties or to perform an operation on objects with specific properties.

You should review the list of user and computer properties that are searchable in Windows PowerShell. Some of these properties include Description, OperatingSystem, LastLogonDate, and Name. For a full list of the properties that you can include in such a search, run the following commands at a Windows PowerShell prompt, specifying the name of any domain computer in place of “ComputerName” and of any domain user in place of “UserName”:

Get-ADComputer ComputerName -Properties *
Get-ADUser UserName -Properties *

Remote Group Policy update and Task Scheduler

Remote Group Policy update works by remotely creating scheduled tasks for GPUpdate.exe. You can see these scheduled tasks for GPUpdate if you open Task Scheduler on the target computer and navigate in the console tree to Task Scheduler (Local)\Task Scheduler Library\Microsoft\Windows\Group Policy, as shown in Figure 9-4.

FIGURE 9-4 GPUpdate configured as a scheduled task

The connection between remote Group Policy update and Task Scheduler has implications for troubleshooting. If you are unable to successfully schedule a remote Group Policy update on a remote computer, you should verify that the Task Scheduler service is running on that remote machine. More important, for some computers, remote Group Policy update requires you to enable firewall rules related to remote scheduled tasks, as described in the next section.

Firewall rules for remote Group Policy update

Remote Group Policy update relies on remote management, which is enabled by default in Windows Server 2012 and Windows Server 2012 R2 in a domain environment. Although remote Group Policy update works by default on domain-joined computers that are started and running Windows Server 2012 and later, you might have to enable firewall rules for scheduled tasks on other operating system types, such as Windows clients or earlier versions of Windows Server that do not have Windows Management Framework 3.0 installed.

Fortunately, there’s a new starter Group Policy Object (GPO) for remote Group Policy updates that makes the process of enabling the required firewall rules easy. The starter GPO, named Group Policy Remote Update Firewall Ports, is shown in Figure 9-5.

FIGURE 9-5 A starter GPO for remote Group Policy updates

After you create a GPO from the starter GPO and link the new GPO to the domain, you can view the three firewall rules enabled by this GPO, as shown in Figure 9-6:

Both rules in the Remote Scheduled Tasks Management rule group:

    Remote Scheduled Tasks Management (RPC)

    Remote Scheduled Tasks Management (RPC-EPMAP)

Windows Management Instrumentation (WMI-In)

FIGURE 9-6 Inbound firewall rules for remote Group Policy update
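When a remote update fails on a particular computer, the two prerequisites the chapter names (a running Task Scheduler service and the three inbound firewall rules) are the first things to check on that computer. The following script is an added example, not code from the book: it reports the state of both prerequisites on the local computer, can enable whatever is missing when run with -Remediate, and lists any GPUpdate tasks that a remote update has already created. It assumes Windows 8/8.1 or Windows Server 2012 or later (the NetSecurity and ScheduledTasks modules), local administrative rights, and that the rule and service names are as the chapter gives them; the function names are this example's own, and the Task Scheduler folder is matched with a wildcard so the exact spelling of the folder name does not matter.

```powershell
# Added example (not from the book): verify, and optionally enable, the prerequisites
# for receiving a remote Group Policy update on this computer.
function Test-RemoteGPUpdatePrerequisites {
    [CmdletBinding()]
    param([switch]$Remediate)

    $result = [ordered]@{}

    # 1. The Task Scheduler service (service name "Schedule") must be running,
    #    because the remote update arrives as a scheduled task for GPUpdate.exe.
    $svc = Get-Service -Name Schedule
    if ($Remediate -and $svc.Status -ne 'Running') {
        Set-Service -Name Schedule -StartupType Automatic
        Start-Service -Name Schedule
        $svc = Get-Service -Name Schedule
    }
    $result['TaskSchedulerRunning'] = ($svc.Status -eq 'Running')

    # 2. The three inbound firewall rules the starter GPO enables. A rule can exist
    #    once per profile, so group by display name and require every copy enabled.
    $rules  = @(Get-NetFirewallRule -DisplayGroup 'Remote Scheduled Tasks Management' -Direction Inbound)
    $rules += @(Get-NetFirewallRule -DisplayName 'Windows Management Instrumentation (WMI-In)')

    foreach ($group in ($rules | Group-Object -Property DisplayName)) {
        $disabled = @($group.Group | Where-Object { $_.Enabled -ne 'True' })
        if ($Remediate -and $disabled.Count -gt 0) {
            $disabled | Enable-NetFirewallRule
            $disabled = @()
        }
        $result[$group.Name] = ($disabled.Count -eq 0)
    }

    [pscustomobject]$result
}

# Lists the GPUpdate tasks a remote update has created in the Group Policy folder of
# the Task Scheduler library, so you can confirm that scheduling actually succeeded.
function Get-RemoteGPUpdateTask {
    Get-ScheduledTask | Where-Object { $_.TaskPath -like '\Microsoft\Windows\Group*Policy\' } |
        Select-Object TaskName, TaskPath, State
}

Test-RemoteGPUpdatePrerequisites | Format-List   # add -Remediate to enable what is missing
Get-RemoteGPUpdateTask
```

Run the check without -Remediate first: a False next to TaskSchedulerRunning or next to one of the three rule names tells you which prerequisite blocked the update, and if every value is True but no task appears, the failure lies elsewhere (for example, the computer was not reachable at all when the update was scheduled). On a large estate, the starter GPO described above is still the right way to enable the rules; this script is for confirming the result on an individual computer.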

Windows PowerShell cmdlets for Group Policy

The Group Policy questions that appear on the 70-417 exam will not be limited to remote Group Policy update. It’s likely you will encounter questions that draw upon the same knowledge of Group Policy that you needed to earn your last certification—with one twist: The answer choices provided will refer to Windows PowerShell cmdlets.

To prepare for the 70-417 exam, you must understand the function of each Group Policy cmdlet by name. (You don’t need to memorize their names because the test is multiple choice, not fill-in-the-blank.) These cmdlets and their associated functions are shown in Table 9-1.

TABLE 9-1 Group Policy cmdlets in Windows Server 2012 and Windows Server 2012 R2


Exam Tip

Even though they aren’t new to Windows Server 2012 and Windows Server 2012 R2, make sure you know the commands Dcgpofix and Gpfixup and how to use them. You can use Dcgpofix to re-create or restore the original version of the Default Domain Policy GPO, the Default Domain Controllers Policy GPO, or both GPOs at once. Gpfixup, for its part, fixes domain links after a domain rename operation. Search for these commands on TechNet to learn about their syntax.



More Info

For more information about features related to Group Policy introduced in Windows Server 2012, visit http://technet.microsoft.com/en-us/library/jj574108.


Group Policy caching

Windows 8.1 introduces a new feature called Group Policy caching. Computers running Windows 8.1 will—under certain circumstances—cache to a local datastore GPOs that are read from a domain controller. (The datastore is located in C:\Windows\system32\GroupPolicy\Datastore.) Later, the Group Policy client will again—only under specific circumstances—read GPOs from this local datastore instead of from the domain controller.

One essential fact to clarify about Group Policy caching is that it is not used when the client cannot contact the domain controller. The purpose of Group Policy caching is not to act as a backup source of GPOs but to speed up synchronous processing of GPOs. So, to understand Group Policy caching, you first need to understand the difference between synchronous GPO processing and asynchronous GPO processing. If you’ve forgotten this detail about Group Policy, here’s a quick summary: Synchronous processing can occur only upon startup and upon user logon. When processing is synchronous, the user doesn’t see the logon screen until computer policy has 100 percent completed processing, and the user doesn’t see the desktop until user policy has 100 percent completed processing. That is why synchronous processing can make the startup process and the logon process seem slow. With asynchronous processing, the logon screen and desktop can appear before all GPOs have finished being read and applied. Asynchronous processing generally appears faster as a result.

Here’s how the Group Policy caching feature works in Windows 8.1: When Group Policy is processed asynchronously, GPOs are read from the domain controller and cached to the local datastore. Then, if Group Policy is processed synchronously, these cached GPOs are read from the local datastore instead of from the domain controller. (There is one exception to this rule involving Drive Mapping that is mentioned in the following note.)

So when are GPOs processed asynchronously and when are they processed synchronously? In Windows 8.1, almost all GPO processing is asynchronous. In fact, only two Group Policy policy settings (as opposed to Group Policy preferences) automatically trigger synchronous processing: Software Installation and Folder Redirection. A third policy setting, Disk Quotas, can trigger synchronous processing when used in conjunction with another policy setting, “Always Wait For The Network At Computer Startup And Logon.”


Note

Drive Mapping, which is a Group Policy preference setting, also triggers synchronous processing. However, this setting is not used with caching.


The only other time synchronous Group Policy processing occurs in Windows 8.1 is when you run the command Gpupdate /sync and then restart the computer. In this case, Group Policy processing is synchronous regardless of which settings are configured in the GPOs.

There’s one other fact you need to know about Group Policy caching. It is enabled by default in Windows 8.1, but you can disable it by disabling the Group Policy setting named Configure Group Policy Caching. You can also use this policy setting to define slow link and timeout values which, if exceeded, will prevent the Windows 8.1 client from caching GPOs that are read from the domain controller.

What do you need to remember about Group Policy caching for the 70-417 exam? First, remember the purpose of the feature: to speed up synchronous Group Policy processing. Second, remember that Group Policy caching is a feature of Windows 8.1, not of Windows 8. Third, remember conceptually how it works: GPOs are cached to a local datastore during asynchronous processing and read from this cache during synchronous processing. Finally, remember that Group Policy caching is enabled by default but can be disabled through a Group Policy setting.


Exam Tip

On the 70-417 exam you’re likely to see questions about older Group Policy topics that have not changed since Windows Server 2008. As a result, make sure you still have a firm grasp on the foundational Group Policy concepts, such as the order of Group Policy processing, WMI filtering, security filtering, blocking inheritance, slow link detection, and enforcing a GPO.


Objective summary

In Windows Server 2012 and Windows Server 2012 R2, you can use the Group Policy Management Console to schedule Group Policy to be updated on all computers in a single OU at a random point within 10 minutes. To perform this task, simply right-click an OU and select the Group Policy Update option.

Windows Server 2012 and Windows Server 2012 R2 introduce the Invoke-GPUpdate cmdlet in Windows PowerShell. This cmdlet allows you to update Group Policy on remote computers in a flexible way.

In both Group Policy Management and Windows PowerShell, remote Group Policy updates work through remote task scheduling. The feature schedules GPUpdate to run on remote computers.

To receive scheduled tasks from remote computers, all clients and domain-joined servers running an operating system earlier than Windows Server 2012 might need to have certain inbound firewall rules enabled: both rules in the Remote Scheduled Tasks Management group, and Windows Management Instrumentation (WMI-In).

You can easily enforce the required inbound rules by using the starter GPO named Group Policy Remote Update Firewall Ports. Use the starter GPO to create a new GPO that enables the required firewall rules, and then link the new GPO to the domain.

Windows Server 2012 and Windows Server 2012 R2 include a GroupPolicy module for Windows PowerShell that includes 26 cmdlets. You need to be able to recognize the function of these cmdlets by name.

Group Policy caching is a feature in Windows 8.1 that is enabled by default. When Group Policy is processed asynchronously, GPOs are cached in a local datastore on the client after they are read from the domain controller. Then, if Group Policy is processed synchronously, the client will read GPOs from the local datastore instead of from the domain controller. The purpose of the feature is to speed up the startup and logon processes during synchronous processing.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.

1. You are a network administrator for Cpandl.com. The Cpandl.com network consists of 25 servers running Windows Server 2012 R2 and 300 clients running Windows 8.1. You are administering the network by using Remote Server Administration Tools on a computer running Windows 8.1.

You have recently implemented a change to Group Policy that affects only the servers and computers in the Marketing OU. The Marketing OU includes three servers and 40 clients. You now want to update Group Policy on all computers in the Marketing OU within the next 10 minutes.

All computers in the Marketing OU are capable of having Group Policy updated remotely. Which of the following tools should you use to accomplish this task most efficiently?

A. Group Policy Management

B. Invoke-GPUpdate

C. GPUpdate.exe

D. Server Manager

2. You are a network administrator for Adatum.com. The Adatum.com network consists of 20 servers running either Windows Server 2012 or Windows Server 2008 R2, and 250 clients running either Windows 8 or Windows 7. You are administering the network by using Remote Server Administration Tools on a computer running Windows 8.

You have recently implemented a change to Group Policy that affects only the computers running Windows Server 2012 or Windows 8. You now want to update Group Policy on all of these computers over the next hour.

All computers running Windows Server 2012 and Windows 8 in the domain are capable of having Group Policy updated remotely. You want to update Group Policy on these computers without triggering a Group Policy update on computers running Windows Server 2008 R2 or Windows 7. Which of the following tools should you use to accomplish this task most efficiently?

A. Update Group Policy with Group Policy Management

B. Windows PowerShell

C. GPUpdate.exe

D. Server Manager

3. You are a network administrator for Proseware.com. The Proseware.com network consists of 20 servers running either Windows Server 2012 R2 or Windows Server 2008 R2, and 300 clients running either Windows 8.1 or Windows 7. You are administering the network by using Remote Server Administration Tools on a computer running Windows 8.1.

You have recently implemented a change to Group Policy that affects only computers in the Finance OU. When you choose to update Group Policy on all computers in the Finance OU, you receive a message indicating that the update is not successful on a number of computers that you know to be running.

You want to be able to update Group Policy on all running computers in the Finance OU without receiving an error. Which of the following actions should you take? (Choose all that apply.)

A. Enable the inbound firewall rules for Remote Scheduled Tasks Management on all computers in the OU.

B. Enable an inbound firewall rule for Windows Management Instrumentation (WMI) on all computers in the OU.

C. Enable the Remote Registry service on all computers in the OU.

D. Enable the Windows Event Collector service on all computers in the OU.

4. Which of the following statements is true about Group Policy caching?

A. It is a feature of Windows 8 and Windows 8.1 only.

B. It must be enabled in Group Policy.

C. It can speed up the computer startup process when Folder Redirection is assigned through Group Policy.

D. It allows a client to apply Group Policy when the connection to a domain controller is unstable.


Thought experiment: Configuring and managing Group Policy at Woodgrove Bank

You are a network administrator for Woodgrove Bank. The woodgrovebank.com private network spans seven branch offices in seven cities throughout New York State. The network includes 50 servers running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008, and 700 clients running Windows 8, Windows 7, or Windows Vista. Each of the seven offices is assigned its own OU in Active Directory and at least two domain controllers, all of which are running Windows Server 2012.

Your manager has asked you to investigate the requirements for remote updates to Group Policy. He wants to implement this capability within the next few weeks.

With this background information in mind, answer the following questions. You can find the answers to these questions in the “Answers” section.

1. How can you most efficiently create the firewall rules required to allow all of your servers and clients to receive remote Group Policy updates?

2. Besides firewall settings, which other setting could you enforce through Group Policy to ensure that your servers and clients will be able to receive remote Group Policy updates?

3. How can you most efficiently update Group Policy on all computers in one of the seven branch offices?

4. Your manager wants to be able to force all running computers in the domain to update Group Policy at random points over the course of four hours. He wants you to write a Windows PowerShell command for this very purpose. Which Windows PowerShell command would achieve this goal when executed?

5. Your manager wants to be able to force all computers in the domain that are started and running Windows 8 to update Group Policy within 10 minutes. He wants you to write a Windows PowerShell command for this very purpose. Which Windows PowerShell command would achieve this goal when executed?


Answers

This section contains the answers to the Objective Review and the Thought Experiment.

Objective 9.1: Review

1. Correct answer: A

A. Correct: The Group Policy Management Console allows you to schedule a Group Policy update on all computers in an OU. To do so, right-click the OU and select Group Policy Update. The update occurs on all computers in the OU within 10 minutes of choosing this option.

B. Incorrect: The Invoke-GPUpdate cmdlet by itself does not allow you to perform a Group Policy update on all computers in an OU. You can create a scripted command in Windows PowerShell that combines Get-ADComputer and Invoke-GPUpdate to achieve this same result, but it is not the most efficient solution if you are managing the network by using Remote Server Administration Tools.

C. Incorrect: GPUpdate.exe refreshes Group Policy on one computer only. To update Group Policy on all computers in the Marketing OU, you would need to run this command 43 times. This solution is much less efficient than using the Group Policy Management Console.

D. Incorrect: Server Manager does not provide an option to refresh Group Policy on multiple computers at once.

2. Correct answer: B

A. Incorrect: You can use Group Policy Management to remotely update Group Policy only in a particular OU. The update applies to all computers in the OU, and the update occurs within 10 minutes. You cannot use Group Policy Management to remotely update Group Policy on computers running any particular operating systems, and you cannot use this tool to specify that these updates should occur over the next hour.

B. Correct: You can use a single scripted command in Windows PowerShell that will invoke a remote Group Policy update over the next hour only on computers running either Windows Server 2012 or Windows 8. The following command is one way to accomplish this task:

Get-ADComputer -Filter {(OperatingSystem -like "*Windows 8*") -or (OperatingSystem -like "*Windows Server 2012*")} | ForEach {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 60}

C. Incorrect: GPUpdate.exe refreshes Group Policy on one computer only. To update Group Policy on all computers running Windows Server 2012 and Windows 8, you would need to run this command many times either locally on each computer or through a Remote Desktop connection. This solution is much less efficient than using Windows PowerShell.

D. Incorrect: Server Manager does not provide an option to refresh Group Policy on multiple computers at once.

3. Correct answers: A, B

A. Correct: Certain operating systems such as clients and older versions of Windows Server without Windows Management Framework 3.0 do not allow you to remotely update Group Policy by default. To allow remote Group Policy updates, you need to enable inbound ports for Remote Scheduled Tasks Management and WMI.

B. Correct: An inbound rule allowing WMI is one of the three firewall rules needed to allow various clients to receive remote Group Policy updates.

C. Incorrect: This service enables remote users to modify registry settings on the local computer. It is not needed to allow a remote computer to schedule GPUpdate.exe to run locally.

D. Incorrect: This service manages persistent subscriptions to events from certain remote sources. It is not needed to allow a remote computer to schedule GPUpdate.exe to run locally.

4. Correct answer: C

A. Incorrect: Group Policy caching is a feature that is new to Windows 8.1.

B. Incorrect: Group Policy caching is enabled by default. It doesn’t need to be enabled in Group Policy.

C. Correct: The purpose of Group Policy caching is to speed up synchronous processing. Folder Redirection is a policy setting that triggers synchronous processing.

D. Incorrect: Group Policy caching is not used as a secondary source of GPOs when the connection to a domain controller is unstable.

Thought experiment

1. Use the Group Policy Remote Update Firewall Ports starter GPO to create a new GPO. Link the new GPO to the domain.

2. You could use Group Policy to ensure that the Task Scheduler service is set to Automatic on all computers in the domain.

3. Use the Group Policy Management Console to update Group Policy on the OU corresponding to the branch office.

4. Get-ADComputer -Filter * | ForEach {Invoke-GPUpdate -Computer $_.name -RandomDelayInMinutes 240}

5. Get-ADComputer -Filter 'OperatingSystem -like "*Windows 8*"' | ForEach {Invoke-GPUpdate -Computer $_.name}