One of my glorious privileges in IT is managing and enforcing security policy for the company I work for. Being a Windows shop, one of the primary tools I use to that end is Group Policy.
For those of you not familiar with Group Policy, it is Microsoft’s gift (and sometimes curse) to admins such as myself. Group Policy, especially in a domain, is an incredibly powerful tool. It can be used to do all kinds of things, from the simple to the bizarre… across your entire enterprise. The basic premise is that you have a “policy” for how you want your machines to work. For example, you might want to enforce strong passwords, or you might want to do something as granular as granting one particular group of people specific security rights to a local folder on all workstations, or perhaps you need to make sure that inbound RDP sessions are disabled by default on a specific set of machines… Whatever you want, particularly if it is a Microsoft feature, it can most likely be centrally controlled and administered via Group Policy. Suffice it to say, it is an absolutely essential tool for any Windows Administrator in any large enterprise (you know, more than 2 servers and 10 endpoints…), particularly when it comes to security. That is as much as I will say about it in this post.
I was presented with a particular problem recently. We needed to disable a Windows feature that was introduced in Server 2012/Windows 8. Group Policy should do the trick… however when I started digging around in the console I wasn’t finding the setting I needed. It quickly dawned on me that the majority of domain controllers are running Windows Server 2008 R2… and the server I am trying to edit policy on is referencing policy definitions for Server 2008 R2 / Windows 7 and therefore wouldn’t be aware of settings for Windows 8 / Server 2012 machines. What’s an admin to do?
The answer was actually quite simple… If you ended up here via a Google Search, hopefully this will save you some time. From your domain controller, hop on over to Microsoft’s site and download the newest policy definitions for both Server 2012/Windows 8 and 2012R2/8.1. You can get those from here:
http://www.microsoft.com/en-us/download/details.aspx?id=36991 (Server 2012/8)
http://www.microsoft.com/en-us/download/details.aspx?id=41193 (Server 2012R2/8.1)
Install those two MSI packages and you will then have access to the policy settings specific to the latest versions of Windows Server and Desktop.
PS… I was trying to disable the little UI button that appears at login for revealing the typed-in password in plain text… I had a hard time finding this setting because when you edit it via local policies on Windows 8 it appears in:
Computer Configuration –> Administrative Templates –> Windows Components –> Credential User Interface –> “Do not display the password reveal button”
Yea.. it doesn’t display there when modifying a domain policy on a domain controller. Instead I had to search all policy templates and I found that Microsoft put the setting here instead (thank you Microsoft for having me dig around for an hour thinking that my new templates weren’t being read…):
Computer Configuration –> Administrative Templates –> Windows Components –> Internet Explorer –> Security Features –> “Do not display the reveal password button”
Glad I finally found it… hopefully this will save someone the time it took me 🙁
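The hunt through the templates described above can be scripted instead of done by hand. The following is an added example, not code from the original post: it resolves each policy's title from the language file and reports which template defines it. The function name `Find-AdmxPolicy` and its parameters are assumptions made for illustration.

```powershell
# Added example (not the author's code). Find-AdmxPolicy is a hypothetical helper name.
# Assumption: $Path is a PolicyDefinitions folder containing *.admx plus a language subfolder.
function Find-AdmxPolicy {
    param(
        [Parameter(Mandatory=$true)] [string] $Pattern,
        [string] $Path = "$env:SystemRoot\PolicyDefinitions",
        [string] $Language = 'en-US'
    )
    $Path = (Resolve-Path $Path).ProviderPath   # absolute path, needed by XmlDocument.Load
    foreach ($admxFile in Get-ChildItem -Path $Path -Filter *.admx) {
        $admlPath = Join-Path (Join-Path $Path $Language) ($admxFile.BaseName + '.adml')
        if (-not (Test-Path $admlPath)) { continue }   # no display strings for this template

        # Map string id -> display text from the language (.adml) file.
        $adml = New-Object System.Xml.XmlDocument
        $adml.Load($admlPath)
        $strings = @{}
        foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
            if ($s.id) { $strings[$s.id] = $s.InnerText }
        }

        $admx = New-Object System.Xml.XmlDocument
        $admx.Load($admxFile.FullName)
        foreach ($policy in $admx.policyDefinitions.policies.policy) {
            # displayName looks like $(string.SomeId); strip the wrapper to get the id.
            $id = "$($policy.displayName)" -replace '^\$\(string\.(.+)\)$', '$1'
            $title = $strings[$id]
            if ($title -and $title -match $Pattern) {
                New-Object PSObject -Property @{
                    Template  = $admxFile.Name
                    Class     = $policy.class               # Machine, User or Both
                    Title     = $title
                    Category  = $policy.parentCategory.ref  # category id, not the full path
                    Key       = $policy.key
                    ValueName = $policy.valueName
                }
            }
        }
    }
}

# Every policy whose title mentions "reveal", with the template that defines it.
Find-AdmxPolicy -Pattern 'reveal' |
    Select-Object Template, Class, Title, Category, Key, ValueName | Format-List
```

Pass `-Path` to point it at a central store's PolicyDefinitions folder instead of the local one; an empty result after installing the newer templates means the editor is still reading an older set.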
References:
http://msdn.microsoft.com/en-us/library/bb530196.aspx – Excellent overview of ADMX Template Files and the way group policy management works in a domain! Must read for Windows Admins…
http://everythingshouldbevirtual.com/upgrade-gpo-templates-on-server-2008-r2-with-windows-8server-2012
http://www.eightforums.com/tutorials/8074-password-reveal-button-enable-disable-windows-8-a.html
If you are running a central store, wouldn’t you need to delete the language folders you don’t want from C:\Program Files (x86)\Microsoft Group Policy\Windows 8.1-Windows Server 2012 R2\PolicyDefinitions and then copy the PolicyDefinitions folder to \\yourdomain\sysvol\policies?
Are the new policies backwards compatible with Windows 7 clients?
To your first question – I don’t think you want to try to do anything manually as that could lead to disaster and long term problems (forgive me if I am on the wrong track here, I wrote this article a while back…). You should be able to just install the MSI packages on a domain controller you are using to manage group policy (I think it is whichever server is holding FSMO roles?). Those will update your Group Policy Templates with new settings for the newer OSes.
To your second question – My best guess is that the new settings, if applied to an older OS – won’t hurt anything, most likely they just won’t have any effect. I don’t think there is any concern with breaking things as long as you install using the MSI packages referenced in the article.
Kind regards and good luck!