Thursday, March 27, 2008

WINDOWS 2008 GROUP POLICY TECHNIQUES

With the advent of Windows Server 2008 comes a wealth of new and improved Group Policy settings (approximately 700). Some settings are in new categories; others are additional, corrected or more convenient settings in existing categories.

New Categories:
network access protection
device installation control
removable storage restrictions
power management
printer driver installation delegation
hybrid hard disk
troubleshooting and diagnostics
user account control

Changes to existing categories
IPsec and firewall
AD-based printer deployment
taskbar and start menu
shell visualization
synchronization scheduling
customized help resources

A Microsoft spreadsheet listing all new and changed policy settings for Windows 2008 can be found by searching for vistagpsettings.xls at microsoft.com.

HOW 2008 STORES GROUP SETTINGS
The .adm file format is replaced with the .admx format.
ADMX offers benefits such as central-store management on domain controllers, multi-language support, and dynamic loading.

Vista and 2008 are required to read ADMX files.

You can obtain an ADM-to-ADMX migration tool from Microsoft called ADMX Migrator.
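
Because ADMX is plain XML, the definitions can be parsed to see which registry value each policy setting writes, which is useful when auditing what a GPO is expected to leave on a client. The following is an added example, not code from the original post or from Microsoft; the policy names, the registry key and the all-zero GUID in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# XML namespace used by ADMX policy definition files.
NS = {"pd": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}
# The policy's class attribute decides which registry hive the setting lands in.
HIVES = {"Machine": ["HKLM"], "User": ["HKCU"], "Both": ["HKLM", "HKCU"]}

# Constructed sample (placeholder names, key and GUID). displayName points at a
# string held in a per-language .adml file, which is how ADMX does multi-language.
SAMPLE_ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="Example_DenyRead" class="Machine" displayName="$(string.Example_DenyRead)"
            key="Software\Policies\Example\Storage\{00000000-0000-0000-0000-000000000000}"
            valueName="Deny_Read">
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
    <policy name="Example_DenyWrite" class="Both" displayName="$(string.Example_DenyWrite)"
            key="Software\Policies\Example\Storage\{00000000-0000-0000-0000-000000000000}"
            valueName="Deny_Write">
      <enabledValue><decimal value="1"/></enabledValue>
    </policy>
  </policies>
</policyDefinitions>"""

def _decimal(policy, tag):
    """Integer inside <tag><decimal value=.../></tag>, or None if the file omits it."""
    node = policy.find(f"pd:{tag}/pd:decimal", NS)
    return int(node.get("value")) if node is not None else None

def policy_registry_map(admx_text):
    """One dict per <policy>: name, scope, registry key/value, enabled/disabled data."""
    root = ET.fromstring(admx_text)
    return [{"name": p.get("name"), "class": p.get("class"),
             "key": p.get("key"), "value": p.get("valueName"),
             "enabled": _decimal(p, "enabledValue"),
             "disabled": _decimal(p, "disabledValue")}
            for p in root.iterfind("pd:policies/pd:policy", NS)]

def registry_targets(rows):
    """Expand each policy into (name, hive\\key\\value, enabled data) locations to check."""
    return [(r["name"], f"{hive}\\{r['key']}\\{r['value']}", r["enabled"])
            for r in rows for hive in HIVES.get(r["class"], [])]

if __name__ == "__main__":
    for name, path, data in registry_targets(policy_registry_map(SAMPLE_ADMX)):
        print(f"{name}: {path} = {data}")
```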

NETWORK ACCESS PROTECTION (NAP)
Lets administrators set conditions under which workstations are allowed to connect to the main network.

E.g. a laptop user who turns off the firewall over the weekend will not be granted access on Monday morning until the firewall is turned back on. Alternatively, the NAP client will turn the firewall back on automatically without user intervention; this is called AUTO-REMEDIATION.

NAP also provides for automatic redirection of 'unhealthy' clients to a separate subnet or subdomain where they could download security patches to bring themselves back into compliance.

System health policies can be enforced by DHCP running on Windows 2008 for clients accessing the network locally, and by the RRAS service for clients accessing the network remotely.

Third-party antivirus software vendors are expected to create agents that can extend NAP to include rules for updated virus signatures.

DEVICE INSTALLATION CONTROL
Allows admins to set up a driver store of known good/safe drivers that any user is permitted to use and install.

REMOVABLE STORAGE RESTRICTIONS
Deny read access, write access or both to the following device types:
CD/DVD; floppy; removable disks; tape drives; WPD devices; custom class (defined by device GUID)

POWER MANAGEMENT
Allows control of power-management features of laptops

PRINTER DRIVER INSTALLATION DELEGATION
A frequent reason administrators need to keep users with administrative rights is printer driver installation. Limited or standard users cannot install printer drivers.

In Windows 2008 you can delegate the ability for members of the Users group to install devices of a particular setup class (determined through GUID).

The policy only works for signed device drivers. Unsigned drivers will still need to be installed by administrators.
