One of my glorious privileges in IT is managing and enforcing security policy for the company I work for. Being a Windows shop, one of the primary tools I use to that end is Group Policy.

For those of you not familiar with Group Policy, it is Microsoft’s gift (and sometimes curse) to admins such as myself. Group Policy, especially in a domain, is an incredibly powerful tool. It can be used to do all kinds of things, from the simple to the bizarre… across your entire enterprise. The basic premise is that you have a “policy” for how you want your machines to work. For example, you might want to enforce strong passwords, or you might want to do something as granular as granting one particular group of people specific security rights to a local folder on all workstations. Perhaps you need to make sure that inbound RDP sessions are disabled by default on a specific set of machines… Whatever you want, particularly if it is a Microsoft feature, it can most likely be centrally controlled and administered via Group Policy. Suffice it to say, it is an absolutely essential tool for any Windows administrator in any large enterprise (you know, more than 2 servers and 10 endpoints…), particularly when it comes to security. That is as much as I will say about it in this post.

I was presented with a particular problem recently. We needed to disable a Windows feature that was introduced in Server 2012/Windows 8. Group Policy should do the trick… however, when I started digging around in the console I wasn’t finding the setting I needed. It quickly dawned on me that the majority of domain controllers are running Windows Server 2008 R2… and the server I am trying to edit policy on is referencing policy definitions for Server 2008 R2 / Windows 7 and therefore wouldn’t be aware of settings for Windows 8 / Server 2012 machines. What’s an admin to do?