Group Policy Central

I have just come across an issue with the Group Policy Item Level Targeting feature in Windows 8 with relation to the IP Address Range filter option. Namely that computers in an IP Address range are evaluations are not passed even though they are within the IP Address range…

According the the forum post the following ranges have the following results however I suspect that there are more combinations that might not work correctly.

0.0.0.0                ->   255.255.255.255    PASSED

1.0.0.0                ->   255.255.255.255    PASSED

2.0.0.0                ->   255.255.255.255    FAILED

1.168.156.0        ->   255.255.255.255    PASSED

1.168.156.0        ->   192.255.255.255    PASSED

1.168.156.0        ->   192.168.156.255    PASSED

2.168.156.0        ->   255.255.255.255    FAILED

2.168.156.0        ->   192.168.156.255    FAILED

192.0.0.0            ->   255.255.255.255    FAILED

192.168.156.0    ->   255.255.255.255    FAILED

192.168.156.0    ->   192.168.156.255    FAILED

Taking a deeper look at the issues I below are the details log of a Windows 8 computer with an IP of 192.0.0.11. As you can see with the IP Filter is set to 192.0.0.0 to 255.255.255.255 it evaluates to false even though it SHOULD evaluate as true as its IP is between these two addresses.

Compared to a logging on to a Windows 7 computer with an IP of 192.0.0.12 the same IP filter with the same policy applied evaluate as passed.

In both cases the computer accounts were in the same OU and I was logged on with the same user account.

Then… after changing the IP Address Filter to 1.0.0.0 to 255.255.255.255 the policy evaluates as TRUE again on Windows 8.

Admittedly that the IP Address filters that are having issues evaluating are not all that practical (1.0.0.0 to 255.255.255.255). But it would seem there is a problem with how the IP Address filter evaluation works in Windows 8.

My only recommendation for now is that if you have any IP Filtered Group Policy Preferences applied to a Windows 8 computer I would recommend that you manually verify they are working correctly.

One of the changes with Windows 8 and Group Policy was that the Internet Explorer Maintenance section of GPMC was removed from under Windows Settings (see Interesting Change to Group Policy in Server 2012/Windows 8). However people have been noticing that the same Internet Explorer Maintenance option is removed from GPMC when they now install IE 10 on Windows 7 / Serve 2008 R2 (See image below).

So if you still use the Internet Explorer Maintenance section in Group Policy be aware that you will lose access to the ability to edit these policy setting if you update to IE10.

Alternatively you can simply reset the Internet Explorer Maintenance settings (see How to remove imported Internet Explorer Group Policy Settings) and just use the standard Group Policy Administrative Templates or Group Policy preferences. In which case you will also want to read my other post about controlling IE Site Zone mappings using preferences How to configuring IE Site Zone mapping using group policy without locking out the user 

TIP: I have not verified this but some people say that un-installing IE10 will restore the Internet Explore Maintenance option in GPMC

Warning: Some people are having issues with just removing IE10. So if you are having issues check out the comment in Darren Mar-Elia blog post WARNING: Installing IE 10 on your Windows 7 Workstation Removes IE Maintenance Policy from Group Policy

Microsoft has recently released some new Administrative Templates that allow you to configure their newest software on down level Operating Systems. The Internet Explore 10 ADM files are useful if you want to edit Internet Explorer Administrative Settings from a computer that is still running Windows XP or Server 2003. Don’t be confused however as this does not mean you can install Internet Explorer 10 on XP it just means you will be able to edit the policy settings.

The Windows 8 / Server 2012 ADMX files are also released and it allows you to easily load up the new Windows 8 Group Policy Administrative templates on a Windows Vista/7 computer with GPMC. Again this is very handy if you still edit your Group Policy settings from a Windows 7 computer but you have a few Windows 8/2012 computers in your organisation.

To install both of these administrative template simply install them on the computer that you are editing the GPO’s. Then the GPO’s you edit from the computer will be automatically upgrade next time you open the via GP Editor. As always it is still the best idea as it is always recommend to edit Group Policy Objects from the most recent OS in your environment but at least the template updates allows this scenario if you need to edit GPO’s from older computers.

Links:

IE 10 http://www.microsoft.com/en-us/download/details.aspx?id=37009
Windows 8 / 2012 http://www.microsoft.com/en-us/download/details.aspx?id=36991

If you are like me and are forever forgetting where exactly a group policy setting is location or what it was exactly called then you probably have frequented the Group Policy Search Engine (previous at gps.cloudapp.net). However this web site no longer exists but thankfully it has move to http://gpsearch.azurewebsites.net/.

If you have never used this web site before you then you should definitely check it out as it is a fantastic way to look up all the group policy setting that Microsoft have created for their products. I find the site very handy for finding the registry keys that policy setting configure and to link to in my documentation…. Hmm… i am going to have to update those links…

Other than the address change it is still the same great site so check it out at http://gpsearch.azurewebsites.net/ 

Microsoft has just release the Office 2013 ADMX/ADML file that allow you to manage the program using Group Policy. You might note that the only the ADMX/ADML (not ADM) files are released for this version of the Office as the program is no longer supported on Windows XP.

Get the ADMX/ADML from: http://www.microsoft.com/en-au/download/details.aspx?id=35554\

If you are after the settings spread sheet that details all the policy setting for the Office 2013 still download them from the here http://www.microsoft.com/en-au/download/details.aspx?id=30341