
First look at Windows Server 8 Setting Sync in Group Policy

Windows Server 8 brings a lot of new features for the server OS as well as the client experience. Rickatron peeks into one new Group Policy setting for Windows Server 8 in this post.

Windows 8 will bring a lot of new features to the client experience, specifically the new capability of a Windows Live ID account to allow the personal settings and experience of users to be replicated across Windows 8 systems. What piques my interest, however, is the management aspect of this new feature.

Windows 8 and Windows Server 8 arrive at a critical point for the relevance of the operating system, given the influx of cloud applications and competition from other platforms. So, I’ve taken a look at some of the management aspects surrounding this feature in Windows Server 8. Specifically, I’m looking at Group Policy. I’ve long believed that Group Policy is one of the best products that Microsoft has ever made, and I am hoping that it will stay relevant in this new era of BYOD and cloud applications.

With Windows Server 8, there are a number of new Group Policy Objects (GPOs). They are easy to spot in the Group Policy Management Console, as they indicate that the Developer Preview (or higher) is required to use these features. Figure A below shows one such setting.

Figure A

With this new functionality, Group Policy offers seven settings that let administrators centrally manage the Setting Sync feature. These settings control which features of the synchronization experience are available on the domain computer. While I’m looking only at the developer preview, these are a good starting point, but I feel I would want a few more settings on this option. On the other hand, this is just what the client experience is really all about: being able to manage it from the end-user perspective and take it with you. So, domain-level granularity could really just be an on or off option.

The Group Policy settings for the Setting Sync options are located in Computer Configuration | Administrative Templates | Windows Components | Settings Sync and are shown in Figure B below.

Figure B

Does the capability of having the user experience move with users from work to home computers (or possibly other work sites) appeal to you? As a knee-jerk reaction, I’m fine with it. It’s the data that we need to govern more closely, in my opinion. Share your comments on the experience replication feature below.

Also see:

ZDNet: How Microsoft's Windows 8 will sync users' settings and apps

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

3 comments
Skruis

I'd imagine more admins would have a problem with the fact that you can log in to their devices with a 3rd party managed authentication mechanism. That and if someone is allowed to log in to their account on a corporate device using Live, will they also be able to choose, at the time of login, to switch to the standard "Active Directory" username/password authentication similar to how you can switch between standard login and picture password? I would probably disable Live authentication completely, and the built-in Live sync, if I can't log in to an account on a corporate owned device using the standard username/password combo for a user when they're using Live authentication with the understanding that if I logged in via the standard Domain method that I'd have to authenticate to Live secondarily to enable Live synchronization. We have to be able to get access to their profile on their computer via their corporate assigned credentials without having to know their private Live account info (some situations with heightened security may prohibit an admin from logging in but in those situations, I can't imagine that Live authentication would be allowed regardless). If that situation is addressed, I'd be more likely to allow Live auth and Live sync on my tablets. I'd be more inclined to have the user create a corporate Live account, allow the settings to sync and instruct them to enable sharing of their SkyDrive storage areas between the 2 accounts...possibly and probably even with a 3rd account, a corporate Live account that we can use to back up their personal corporate docs that may be stored on SkyDrive because hey...you never know if SkyDrive will crash and/or that employee may decide to delete our documents that are stored on their SkyDrive. If Microsoft had a nice solution for integrating Live/SkyDrive with our private onsite "clouds", that'd be nice too...that's probably a feature of 360. Note to self, look into that...

pgit

liability. And don't forget your wifi hot spots, the airport, hotels, restaurants etc etc. The only mitigation I can imagine is only sync settings (and enable data access) after logging in to HQ via VPN.

jdb

I could see having some problems with syncing some settings. Especially credentials and application settings. I could also see some corporate shops turning these off as support of settings coming from non-domain home systems could introduce interesting liability issues.