Group Policy Objects, or GPOs, give administrators control over end-user behaviors in Windows. As different versions of Windows have been introduced, the list of GPOs that can be set has also changed. Many GPOs exist in Windows Vista and 7 that weren't in Windows XP or 2000. (The earliest version of Windows that supports Group Policy is Windows 2000 Service Pack 5; with Windows 98, you must use the older System Policy technology.)
Because of the number of Windows revisions, on both the client side and the server side, many GPOs have been added or revised. It's not quite as problematic if you're dealing with only one basic tier of revisions (such as if you're only using Windows Server 2008 R2 or Windows 7). But if you have a heterogeneous setup with multiple servers and multiple clients, it can be difficult to quickly determine what supports what.
Microsoft has taken some of the drudgework out of figuring out which GPOs are available in which versions of Windows by publishing all this information in four spreadsheets. Each spreadsheet deals with the GPOs available to a different revision level of Windows.
- Windows Server 2003 SP2 and Windows XP SP3
- Windows Vista (no service packs)
- Windows Server 2008 and Windows Vista SP1+
- Windows Server 2008 R2 and Windows 7
Note that the release candidate of Windows Vista needs its own document because of the different GPOs introduced in SP1. If you're running the gold release of Windows Vista, you should apply Service Pack 1. This not only brings the GPOs up to date but also fixes a host of other flaws in Vista. Also, these sheets don't include security settings that are handled outside of the Security Setting extension, such as software-restriction policies.
One of the major new features in Windows Server 2008 that affects how GPOs can work in all Windows' versions is Group Policy Preferences (GPPs). This batch of about 20 client-side extensions to Group Policy adds, among other things, the ability to deploy preferences that can subsequently be changed by the end user. This includes settings for folder options, drive mappings, scheduled tasks and many other similar options that are not explicitly governed by GPOs. Preferences are not enforced in the top-down way that policy settings are; these settings can be further modified by the user, and the user interfaces for changing those settings are not disabled.
GPPs can be added to any Windows workstation as long as it's running Windows XP SP2 or higher, although they need to be managed centrally from a Vista/2008 or newer machine. (The same functionality was originally provided through a tool named PolicyMaker, which you can migrate to Group Policy with the aid of a provided tool.)
Microsoft has separate documentation for GPPs that can help you figure out what kinds of policies work best for your environment, especially if you're not dealing with the same operating system version on every machine.
ABOUT THE AUTHOR:
Serdar Yegulalp has been writing about personal computing and IT for over 15 years for a variety of publications, including (among others) Windows Magazine, InformationWeek and the TechTarget family of sites.
Dig deeper on Endpoint security management tools