Microsoft have provided several documents detailing the usage of the latest group policy settings for a Server 2008r2 environment with Windows 7. Sadly they haven't released a list of 'new' group policy settings for Windows 7. I've been able to identify around 200, which I am listing below:
NOTE: These will only work with a Server 2008r2 backend and a Windows 7 desktop. If you're looking to roll out Windows 7 after upgrading your DCs, these are the group policies you should be looking to apply, in addition to the ones you are already using.
AppCompat.admx Turn off Application Telemetry
AppCompat.admx Turn off Problem Steps Recorder
AppCompat.admx Turn off Program Inventory
AppCompat.admx Turn off SwitchBack Compatibility Engine
AutoPlay.admx Turn off Autoplay for non-volume devices
Biometrics.admx Allow domain users to log on using biometrics
Biometrics.admx Allow the use of biometrics
Biometrics.admx Allow users to log on using biometrics
Biometrics.admx Timeout for fast user switching events
Bits.admx Do not allow the BITS client to use Windows Branch Cache
Bits.admx Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers
Bits.admx Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers
ControlPanelDisplay.admx Load a specific theme
ControlPanelDisplay.admx Prevent changing mouse pointers
ControlPanelDisplay.admx Prevent changing sounds
Desktop.admx Turn off Aero Shake window minimizing mouse gesture
DeviceInstallation.admx Configure device installation time-out
DeviceInstallation.admx Prevent device metadata retrieval from the Internet
DeviceInstallation.admx Prevent Windows from sending an error report when a device driver requests additional software during installation
DeviceInstallation.admx Specify search order for device driver source locations
DeviceInstallation.admx Time (in seconds) to force reboot when required for policy changes to take effect
DeviceRedirection.admx Prevent redirection of devices that match any of these device Ids
DeviceRedirection.admx Prevent redirection of USB devices
EnhancedStorage.admx Allow Enhanced Storage certificate provisioning
EnhancedStorage.admx Allow only USB root hub connected Enhanced Storage devices
EnhancedStorage.admx Configure list of Enhanced Storage devices usable on your computer
EnhancedStorage.admx Configure list of IEEE 1667 silos usable on your computer
EnhancedStorage.admx Do not allow non-Enhanced Storage removable devices
EnhancedStorage.admx Do not allow password authentication of Enhanced Storage devices
EnhancedStorage.admx Lock Enhanced Storage when the computer is locked
Explorer.admx Set a support web page link
Explorer.admx Turn off Data Execution Prevention for Explorer
fthsvc.admx Configure Scenario Execution Level
Help.admx Turn off Data Execution Prevention for HTML Help Executible
kdc.admx Use forest search order
kerberos.admx Require strict target SPN match on remote procedure calls
kerberos.admx Use forest search order
LanmanServer.admx Hash Publication for BranchCache
Logon.admx Always use custom logon background
MSDT.admx Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider
NCSI.admx Corporate DNS Probe Host Address
NCSI.admx Corporate DNS Probe Host Name
NCSI.admx Corporate Site Prefix List
NCSI.admx Corporate Website Probe URL
NCSI.admx Domain Location Determination URL
NetworkConnections.admx Do not show the "local access only" network icon
NetworkConnections.admx Require domain users to elevate when setting a network's location
NetworkConnections.admx Route all traffic through the internal network
NetworkProjection.admx Network Projector Port Setting
OfflineFiles.admx Configure Background Sync
OfflineFiles.admx Enable Transparent Caching
OfflineFiles.admx Exclude files from being cached
PeerToPeerCaching.admx Configure BranchCache for network files
Power.admx Allow Applications to Prevent Automatic Sleep (On Battery)
Power.admx Allow Applications to Prevent Automatic Sleep (Plugged In)
Power.admx Allow Automatic Sleep with Open Network Files (On Battery)
Power.admx Allow Automatic Sleep with Open Network Files (Plugged In)
Power.admx Reduce Display Brightness (On Battery)
Power.admx Reduce Display Brightness (Plugged In)
Power.admx Reserve Battery Notification Level
Power.admx Specify the Display Dim Brightness (On Battery)
Power.admx Specify the Display Dim Brightness (Plugged In)
Power.admx Specify the Unattended Sleep Timeout (On Battery)
Power.admx Specify the Unattended Sleep Timeout (Plugged In)
Power.admx Turn On Desktop Background Slideshow (On Battery)
Power.admx Turn On Desktop Background Slideshow (Plugged In)
Printing.admx Execute print drivers in isolated processes
Printing.admx Extend Point and Print connection to search Windows Update
Printing.admx Override print driver execution compatibility setting reported by print driver
RacWmiProv.admx Configure Reliability WMI Providers
ReAgent.admx Allow restore of system to default state
RemovableStorage.admx CD and DVD: Deny execute access
RemovableStorage.admx Floppy Drives: Deny execute access
RemovableStorage.admx Removable Disks: Deny execute access
RemovableStorage.admx Tape Drives: Deny execute access
scripts.admx Run Windows PowerShell scripts first at computer startup, shutdown
scripts.admx Run Windows PowerShell scripts first at user logon, logoff
sdiageng.admx Configure Security Policy for Scripted Diagnostics
sdiageng.admx Troubleshooting: Allow users to access and run Troubleshooting Wizards
sdiageng.admx Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)
sdiagschd.admx Configure Scheduled Maintenance Behavior
SearchOCR.admx Force TIFF IFilter to perform OCR for every page in a TIFF document
SearchOCR.admx Select OCR languages from a code page
Sensors.admx Turn off location
Sensors.admx Turn off location scripting
Sensors.admx Turn off sensors
ShapeCollector.admx Turn off handwriting personalization data sharing
Sharing.admx Prevent the computer from joining a homegroup
SmartCard.admx Allow ECC certificates to be used for logon and authentication
SmartCard.admx Notify user of successful smart card driver installation
SmartCard.admx Turn on Smart Card Plug and Play service
StartMenu.admx Add Search Internet link to Start Menu
StartMenu.admx Change Start Menu power button
StartMenu.admx Remove Downloads link from Start Menu
StartMenu.admx Remove Homegroup link from Start Menu
StartMenu.admx Remove Recorded TV link from Start Menu
StartMenu.admx Remove See More Results / Search Everywhere link
StartMenu.admx Remove Videos link from Start Menu
SystemRestore.admx Turn off Configuration
SystemRestore.admx Turn off System Restore
TabletPCInputPanel.admx Disable text prediction
Taskbar.admx Do not allow pinning items in Jump Lists
Taskbar.admx Do not allow pinning programs to the Taskbar
Taskbar.admx Do not display or track items in Jump Lists from remote locations
Taskbar.admx Remove pinned programs from the Taskbar
Taskbar.admx Remove the Action Center icon
Taskbar.admx Turn off automatic promotion of notification icons to the taskbar
Taskbar.admx Turn off feature advertisement balloon notifications
tcpip.admx 6to4 Relay Name
tcpip.admx 6to4 Relay Name Resolution Interval
tcpip.admx 6to4 State
tcpip.admx IP-HTTPS State
tcpip.admx ISATAP Router Name
tcpip.admx ISATAP State
tcpip.admx Teredo Client Port
tcpip.admx Teredo Default Qualified
tcpip.admx Teredo Refresh Rate
tcpip.admx Teredo Server Name
tcpip.admx Teredo State
TerminalServer.admx Limit audio playback quality
TerminalServer.admx Limit maximum display resolution
TerminalServer.admx Limit maximum number of monitors
TerminalServer.admx Optimize visual experience for Remote Desktop Services sessions
TerminalServer.admx Use Remote Desktop Easy Print printer driver first
TouchInput.admx Turn off Touch Panning
UserProfiles.admx Background upload of a roaming user profile's registry file while user is logged on
VolumeEncryption.admx Allow enhanced PINs for startup
VolumeEncryption.admx Choose how BitLocker-protected fixed drives can be recovered
VolumeEncryption.admx Choose how BitLocker-protected operating system drives can be recovered
VolumeEncryption.admx Choose how BitLocker-protected removable drives can be recovered
VolumeEncryption.admx Configure minimum PIN length for startup
VolumeEncryption.admx Configure use of passwords for fixed data drives
VolumeEncryption.admx Configure use of passwords for removable data drives
VolumeEncryption.admx Configure use of smart cards on fixed data drives
VolumeEncryption.admx Configure use of smart cards on removable data drives
VolumeEncryption.admx Control use of BitLocker on removable drives
VolumeEncryption.admx Deny write access to fixed drives not protected by BitLocker
VolumeEncryption.admx Deny write access to removable drives not protected by BitLocker
VolumeEncryption.admx Provide the unique identifiers for your organization
VolumeEncryption.admx Require additional authentication at startup
VolumeEncryption.admx Validate smart card certificate usage rule compliance
WindowsAnytimeUpgrade.admx Prevent Windows Anytime Upgrade from running.
WindowsExplorer.admx Allow OpenSearch queries in Windows Explorer
WindowsExplorer.admx Allow OpenSearch queries in Windows Explorer
WindowsExplorer.admx Allow previewing and custom thumbnails of OpenSearch query results in Windows Explorer
WindowsExplorer.admx Disable Known Folders
WindowsExplorer.admx Pin Internet search sites to the "Search again" links and the Start menu
WindowsExplorer.admx Pin Libraries or Search Connectors to the "Search again" links and the Start menu
WindowsExplorer.admx Remove the Search the Internet "Search again" link
WindowsExplorer.admx Turn off display of recent search entries in the Windows Explorer search box
WindowsExplorer.admx Turn off numerical sorting in Windows Explorer
WindowsExplorer.admx Turn off the display of snippets in Content view mode
WindowsExplorer.admx Turn off Windows Libraries features that rely on indexed file data
WindowsExplorer.admx Verify old and new Folder Redirection targets point to the same share before redirecting
Upgrading a 2008 Domain to 2008r2
This document presumes the current domain level is 2008, with all 2008 Domain Controllers.
Step 1 - Upgrade the schema
The tools for this are provided on the Server 2008 r2 DVD, in the \support\adprep folder. First copy this entire folder onto the C:\ drive of the Forest's schema master. There are various tools online to locate your infrastructure master (if you don't know it), but you can easily identify it using the AD Users & Computers console. Just right click on the tree root, select All Tasks, and then Operations Masters.
From an elevated command prompt, go into the adprep folder which was previously copied;
Cd c:\adprep
Type in the following command;
Adprep /forestprep
If you plan to implement any read only DCs, also run;
Adprep /rodcprep
Before doing anything else, wait at least 10 minutes. It can take up to 5 minutes for changes to replicate through the forest.
Next copy the folder adprep to the infrastructure master, onto the local C:\ drive. Open up an elevated command prompt, and go into the adprep folder;
Cd c:\adprep
Type in the following command;
Adprep /domainprep /gpprep
Keep AD changes to a minimum for at least 10 minutes. The schema is now upgraded to Server 2008 r2, and can support Server 2008 r2 Domain Controllers.
Step 2 - Upgrade each domain controller
Once the upgraded schema is in place, you can begin to upgrade your DCs.
The most important issue to address is that your DCs cannot be 32 bit. Server 2008r2 is only available in 64 bit. If you do have 32 bit DCs you will need to demote/remove and rebuild them as 64 bit Server 2008r2 DCs.
The good news is that 2008 64bit DCs can be upgraded, without having to be removed from AD. The only thing you must do first is transfer any roles off the DC whilst the upgrade takes place. This is essential, as if the upgrade fails and your server dies, you are safe in the knowledge that AD will still function.
The following article describes which AD tools can be used to identify which servers are holding roles, and how to move them to other servers;
http://support.microsoft.com/kb/324801
You may currently have certain services running in your environment which point to specific DCs because that DC holds a specific role. As such, I would advise that after upgrading a DC you reinstate the roles onto it which it previously held. This will minimize impact. I'd also suggest doing this out of hours, or during a quiet period, so that AD changes are minimal during the process.
Once you have removed the roles from the first server you want to upgrade, just stick the Server 2008r2 DVD into the drive (or mount the ISO).
Step 3 - The Install
Firstly, Microsoft suggests running their memory (RAM) checker before performing an upgrade. This can be found here;
http://go.microsoft.com/fwlink/?LinkId=50362
The disc should auto-run. If it doesn't, just run setup.exe from the root.
The only option you have when the flash screen appears is INSTALL. Click on Install.
You will get an option next to go online for the latest updates to the installation. I would always suggest choosing this option. As of 27 Jan 2010, choosing the option to download the latest updates took an extra 1 second, and downloaded around 1Mbs worth of updates.
Next you get a list of versions of 2008r2 server available on the DVD. Changing varieties can be tricky/impossible. For example you can't go from Data Centre edition to Enterprise Edition. In most cases you will simply be choosing the same version as the server is already running. E.g., your DC is currently running 2008 Enterprise 64 bit Full Install (not core), so choose the 2008 R2 Enterprise Full Installation.
After you click next accept the license terms.
You will then get two options. Upgrade or Custom. Choose upgrade.
You will get a warning about any issues which may exist. The generic one seems to be that you should check that any software installed on the server is supported to run on Server 2008 r2. It would be very unlikely that software which works on 2008 wouldn't work on 2008r2, but the warning is there. If any Windows updates have been performed you may also be told that you need to reboot the server before running the upgrade.
Once you're ready click next, and Windows will start copying files and upgrading. The warning indicates that this can take several hours, but in practice seems to complete in around 60 minutes, as the upgrade only copies around 2Gb of data. The server will reboot part way through expanding files (around 18%). After the "installing features and updates" step the server will reboot again, during which the machine's registry settings will be updated. One final reboot will take place after "Transferring Programs & Settings". The loading screen will state "Setup Is Preparing Your Computer For First Use". Don't worry, it's still the same DC, just a slightly ambiguous message.
Once the boot up completes the server is ready to use, and you can restore any roles back onto it which you might have transferred away.
That's it.
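A read-only check to run between the steps above, added here as an example and not part of the original post: it lists the operations master holders, confirms that every DC reports the 2008 R2 schema version after adprep /forestprep has replicated, and shows which roles still sit on the DC you are about to upgrade. It assumes PowerShell 2.0 or later on a domain-joined machine; the script name and the $TargetDc parameter are made up for the example.

```powershell
# Check-UpgradeReadiness.ps1 (hypothetical name) - added example, read-only.
# Uses .NET DirectoryServices/ADSI only, so it does not need the
# ActiveDirectory module. Assumes PowerShell 2.0+ on a domain-joined machine.
param(
    [string]$TargetDc = ""   # FQDN of the DC about to be upgraded (optional)
)

# Schema objectVersion values: 44 = Server 2008, 47 = Server 2008 R2
$ExpectedSchema = 47

$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaNc = [string]([ADSI]"LDAP://RootDSE").schemaNamingContext

# 1. Operations master holders (the servers adprep is run on in Step 1)
"Schema master        : $($forest.SchemaRoleOwner.Name)"
"Domain naming master : $($forest.NamingRoleOwner.Name)"
foreach ($domain in $forest.Domains) {
    "[$($domain.Name)] PDC emulator          : $($domain.PdcRoleOwner.Name)"
    "[$($domain.Name)] RID master            : $($domain.RidRoleOwner.Name)"
    "[$($domain.Name)] Infrastructure master : $($domain.InfrastructureRoleOwner.Name)"
}

# 2. Schema version as seen by each DC, plus the roles each DC holds
$report = @()
foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $version = $null
        try {
            # Bind to this specific DC so we read its own replica of the schema
            $entry   = [ADSI]"LDAP://$($dc.Name)/$schemaNc"
            $version = [int]$entry.psbase.Properties["objectVersion"].Value
        } catch {
            Write-Warning "Could not read schema from $($dc.Name): $($_.Exception.Message)"
        }
        $report += New-Object PSObject -Property @{
            DC            = $dc.Name
            OS            = $dc.OSVersion
            SchemaVersion = $version
            Roles         = (@($dc.Roles) -join ", ")
        }
    }
}
$report | Format-Table DC, OS, SchemaVersion, Roles -AutoSize

# 3. Any DC below the expected version has not received the forestprep
#    changes yet (or was unreachable): wait before running domainprep.
$behind = @($report | Where-Object { $_.SchemaVersion -ne $ExpectedSchema })
if ($behind.Count -gt 0) {
    $names = ($behind | ForEach-Object { $_.DC }) -join ", "
    Write-Warning "Schema version is not $ExpectedSchema on: $names"
} else {
    "All DCs report schema version $ExpectedSchema."
}

# 4. Roles to transfer off the DC being upgraded (Step 2)
if ($TargetDc) {
    $target = @($report | Where-Object { $_.DC -eq $TargetDc })
    if ($target.Count -eq 0) {
        Write-Warning "$TargetDc was not found among the forest's DCs."
    } elseif ($target[0].Roles) {
        Write-Warning "$TargetDc still holds: $($target[0].Roles)"
    } else {
        "$TargetDc holds no operations master roles."
    }
}
```

Before adprep /forestprep has been run, every DC will show the 2008 value and the warning in section 3 is expected.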