What’s New for Group Policy in Windows 8.1
I have to admit. It’s hard, as a ten-year Group Policy MVP, to write “what’s new” articles around GP these days. The hard truth is that Microsoft has underinvested in this technology for years. That said, with the release of Windows 8.1 (and Server 2012-R2) there are a few interesting Group Policy changes in Windows 8.1 that are worth mentioning. Some of these changes are very much under the covers, but could have a big impact on how you use GP. SO, without further ado, let’s get into them.
Group Policy Changes in Windows 8.1
1. Group Policy Caching
The first “under-the-covers” feature I’ll talk about is the introduction of a Group Policy caching feature. In the past, policies were never really cached. Specifically, if a Domain Controller (DC) is available, Group Policy is read from the closest DC and processed (i.e. applied to the system). Those policy settings were not cached and available for processing when the DC was not available (e.g. the client is off the network).
That behavior hasn’t changed in Windows 8.1. The Group Policy caching feature that’s been introduced is primarily meant to address a particular performance issue. Namely, caching will kick in when a “synchronous” foreground policy processing cycle is detected. A synchronous foreground processing cycle is one in which at computer boot, the logon screen isn’t presented until all computer GP processing has finished, and at user logon, the user’s desktop isn’t presented until all user GP processing has finished. The result of a synchronous foreground processing cycle is that it takes longer for the user to go from boot up, to be able to be productive. As a result, starting with Windows XP, the default foreground processing mode was asynchronous – this was also called Fast Logon Optimization. However, there are certain client side extensions (aka policy areas) that will force a synchronous processing cycle, so that they may run successfully. Prior to Windows 8.1, these included the following four areas:
- Software Installation
- Folder Redirection
- Disk Quota
- GP Preferences Drive Mappings
If a GPO implementing any of these four policy areas was found by the client it would signal that the next foreground processing cycle would run synchronously. What Microsoft did for Windows 8.1 is say that, if a foreground processing cycle was detected as a result of one of these extensions needing to run, that instead of reading GP settings anew from the DC, they would save time and process policy from a local copy of what was on the DC. Figure 1 below shows the event that appears in the Group Policy Operational Log when caching is used.
Viewing the event that shows GP caching in use.
That local copy, held in the folder c:\windows\system32\GroupPolicy\Datastore, would have been populated during the last background refresh of policy, when caching was not being used.
This new caching feature does not allow policy to be processed when the machine is not in contact with a DC. It is strictly for improving performance around these synchronous scenarios. And another related change in Windows 8.1 no longer requires the last two policy extensions in the list above – Disk Quota and GP Preferences Drive Mappings – to run synchronously. What that means is that the only time caching will be used is when either Software Installation or Folder Redirection requires a synchronous foreground cycle. So, this feature will have limited impact on most networks.
That said, if you want to turn off caching completely in Windows 8.1, you can disable the policy under Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Group Policy Caching for your 8.1 computers and it will no longer kick in.
Note that caching is not enabled by default on Windows Server 2012-R2. However, you can enable it for that version using the policy at Computer Configuration\Policies\Administrative Templates\System\Group Policy\Enable Group Policy Caching for Servers. In that case, the same rules apply in terms of when caching kicks in. You might find that you want to do this, for example, on servers running Remote Desktop Services (RDS).
2. Group Policy Preferences Drive Mappings Run in the Background
This is related to the previous bullet, but it provides a significant new capability in GP preferences. In prior versions of Windows, Group Policy Preferences Drive Mapping policy would only apply at logon. Meaning that you could only map drives for the user if they logged onto their system. Now in Windows 8.1, Group Policy Preferences Drive Mappings will apply in the background while the user is logged on. So if you add, make a change, or remove a drive mapping in a GPO while the user is logged into their session, that drive mapping will be updated during the next background GP refresh (or manually if the user types gpupdate). The one interesting behavior here that I observed in my testing is that removal of an existing drive mapping (because the policy no longer applies, for example) does not seem to occur in the background and still requires a foreground refresh to take effect.
3. Support for IPV6 in Group Policy Preferences Item-Level Targeting
This may not be applicable to very many folks, but it’s important to point out that support for IPv6 is making its way into Group Policy. First and foremost, Group Policy Preferences Item-Level Targeting can now use IPv6 address in the IP range targeting feature. In addition, the Group Policy Preferences Network Options feature now supports creating VPN connections that have IPv6 addresses.
4. Logon Scripts Now Run Delayed
Another change Microsoft made related to desktop performance is that now any logon scripts defined under User Configuration\Policies\Windows Settings\Scripts\Logon, will not actually execute until five minutes after the user has logged on. This is actually quite a significant change, because it means tasks executed in logon scripts, like drive mappings or registry changes, may not appear right after the user becomes functional on his or her desktop. This change was done to reduce contention between logon scripts running and other tasks that occur at user logon. However, it’s important to be aware of it because it could significant impact on your user population. There is, fortunately, a way to either disable this feature altogether, or reduce the delay between user logon and when scripts run: the policy at Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Logon Script Delay, as shown in Figure 2 below.
Controlling Logon Script delay through policy.
5. Better Instrumentation
The last major improvement I’ll talk about is the improvement in instrumentation around Group Policy processing. Microsoft has added more events to the Group Policy Operational Log within the Event Viewer, related to GP processing. These events provide additional timing data around processing events like querying AD to get the list of GPOs, time taken to download settings, time taken to process a WMI filter, and time taken for each client side extension to run. This additional data should finally give good insight into where time is being spent within Group Policy.
6. Just More…
Finally, there are of course, more Administrative Template settings available in this update to the Operating System, covering everything from new features that appear in Windows 8.1 to improvements to existing features (like policy support for Group Policy caching!). As of this writing, Microsoft has not yet published the familiar spreadsheet of settings available in Windows 8.1/Server 2012-R2. But I’m sure it is coming shortly.
More in Active Directory
How to Fix the "An Active Directory Domain Controller for the Domain Could Not Be Contacted" Error
Jun 20, 2022 | Michael Reinders
How to Delete a Protected OU in Active Directory
Jun 8, 2022 | Michael Reinders
Learn How Organizations Are Using Semperis Purple Knight to Secure Active Directory
Jun 7, 2022 | Russell Smith
Microsoft Announces Entra, A New Identity and Access Management Suite
May 31, 2022 | Rabia Noureen
Microsoft Releases Out-Of-Band Patches to Fix Windows AD Authentication Issues
May 20, 2022 | Rabia Noureen
Cloud Conversations – Ståle Hansen on Digital Wellbeing and Viva Explorers
May 19, 2022 | Laurent Giret
Most popular on petri