In-Depth

Opening Up New Vistas in Group Policy

Microsoft's latest OS wipes out a raft of nagging problems.

The good news is the interminably long wait for Vista is finally over.

The even better news? All 1,800 of the Windows XP Group Policy features and settings of the past few years should be in your rearview mirror too.

Based on the finished product, it's clear Microsoft's Group Policy team has worked a lot of overtime to fix a range of common issues involving Group Policy that have plagued customers over the past few years. In fact, with Vista's arrival, I believe the company has radically changed the Group Policy landscape for the better.

My mission here is to focus specifically on the changes Microsoft has made, as well as the reasons why those changes were needed. I think I can convey why it might be a good idea to get at least a few Vista desktops in your environment that can take advantage of some of these new features.

If you deal with Group Policy for even a few minutes a week at your company, you have to be aware of the major shortcomings and many issues surrounding the technology. Don't get me wrong, Group Policy is one of the most spectacular technologies delivered with Active Directory. It's one area where Microsoft has taken the initiative to make a technology better, and all of it is based on customer feedback. The majority of the issues that Group Policy had before Vista fall under one of four categories:

  • ADM templates that are used to customize Registry changes
  • Slow link detection that is used to deliver key Group Policy settings to remote desktops
  • Error messaging that is used for troubleshooting when Group Policy is not working properly
  • GPMC that is used to manage all aspects of Group Policy and Group Policy Objects (GPOs)

Group Policy Enhancements in Vista
It's no mystery why Microsoft has spent so much time integrating significant new Group Policy changes into Vista: Over 60 percent of all companies that have Active Directory installed are using Group Policy.

The first change you immediately encounter is the raw number of settings available in a new GPO. Where a Windows XP SP2 GPO offered more than 1,600 settings, Vista takes that number to over 2,400. (This number will dramatically increase again in about a year when Microsoft includes PolicyMaker in the mix, which we touch on later in this article.) Beyond the raw number of settings, the company has modified other areas as well.

Windows 2000 and XP used the Winlogon service to drive the Group Policy engine. This didn't pose a problem as it was always nice to have a specific service driving a key technology like Group Policy. With this in mind, the Group Policy team has provided a new and hardened service to run Group Policy. The new engine runs in a shared service host, which offers protection from typical users stopping or altering the service. A local administrator needs to have elevated privileges to stop the service. The service also comes standard with logic that provides automatic recovery from any unexpected failures, thereby making it more stable and reliable.

The GPMC Is Built Right In
Most of you reading this article likely use the GPMC every day when you work with GPOs. However, there are plenty of administrators who have been reluctant to embrace the GPMC. Many complaints surrounding the GPMC stem from it not being included with the operating system. Consequently, many have the mindset that it must not be important or reliable. But because the GPMC actually is one of the most important tools you need to administer your GPOs, Microsoft decided to put it in every installation of Vista. The company also plans to put it in Longhorn server when that product becomes available.

There is a suite of settings in a pre-Vista GPO that allows you to control slow link connections. These slow link connections are essential for applying Group Policy. The reason is that only a portion of the Group Policy settings are delivered over slow links, since some could bottle up the slow link connection and take hours to apply. Slow link determination in Windows 2000 and Windows XP was handled by ICMP, but a major problem with using ICMP to determine a slow link was that many routers had ICMP disabled to help secure the network. Even where ICMP did function well, the slow link determination was not savvy enough to handle desktops that were either connected via a VPN or were coming out of hibernation.

Microsoft changed the technology that determined slow links by using Network Location Awareness in Vista. Now, Vista desktops rely on a "state of the network" for the application and refreshing of GPOs. This ensures that desktops get a refresh of GPOs when needed, not just at the 90-minute refresh interval. This is accomplished by detecting when a desktop can communicate with a domain controller after coming out of a situation where it could not communicate with one before.

I don't know of a single Group Policy administrator who hasn't complained that it's near impossible to troubleshoot GPO issues. Every administrator has asked for events to be centrally logged and for verbosity in the events that are logged. Pre-Vista logs were stored in Event Viewer (userenv.log), and numerous other log files had to be enabled manually.

In the new world of Vista logging, however, Microsoft is using the Event Viewer and the built-in logging system for Group Policy events. The System Log now tracks events serviced by the Group Policy Service, not the Userenv entries. The Applications and Services Log is essentially a replacement for the userenv.log. These changes also come with direct links to the Microsoft Knowledge Base in hopes that the events can now be easily deciphered and solutions can be derived faster than ever before.

No More ADM Templates?
One aspect of a GPO that has been around since the Windows NT 4.0 days is the ADM template. ADM templates are the mechanism used to customize and deliver Registry value modifications. Every single GPO in a pre-Vista environment has about five ADM templates. These ADM templates provide the GUI environment in the GP Editor labeled Administrative Templates.

These settings, of course, are essential, and contain a majority of the overall settings in a GPO, yet there has been some controversy raging over these files for some time. These files, about 4MB for the suite of five, are located in every single GPO created. That means if you have 100 GPOs, you have 400MB of ADM templates stored in the SYSVOL of every domain controller in that domain. The critical concept here is that by default all 100 copies of the five ADM templates are identical. This caused serious ADM "bloat" and in some cases hectic replication traffic between domain controllers. Oh, and I almost forgot: These ADM templates only support a single language at any one time.

The Group Policy team, working in concert with the Group Policy MVPs (such as yours truly), set out to address these issues. The solution is a new type of file, called ADMX, which solves all of these issues and more.

First, ADMX files are XML-based and support multiple languages. Multiple languages are handled by the ADML file in conjunction with the ADMX file. Second, ADMX files are not stored in the GPO on the domain controller, but instead are stored locally or in a central store. This concept of a central store is easily one of the most important and innovative features the new Group Policy provides. The central store is a one-time configuration that forces all administrators to use a single instance of each ADMX file. This eliminates the common issues that ADM templates posed with such things as versioning and missing ADM templates. Third, the old ADM templates are still supported on Vista, so all of the work done on them is not lost. Fourth, you don't need Longhorn servers to support the central store, because Windows 2000 and Windows Server 2003 servers support it. Fifth and finally, you don't need Vista installed on every desktop to take advantage of ADMX files: You only need a single Vista desktop to take advantage of the new format.

One side note: There are about 130 ADMX files that replace the default seven ADM templates. This permits very granular control over the settings stored in each file. If you want to convert your ADM templates to ADMX files, then you can use the new ADMX Migrator.
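The one-time central store setup described above, as an added PowerShell example that is not part of the article: it copies the ADMX files and the ADML files for one editor language from a Vista desktop to SYSVOL, then reports any ADMX file that has no matching ADML, since that is the "missing template" failure the central store is meant to end. The domain name and the language are assumptions; the SYSVOL path follows the documented central store layout.

```powershell
# Added example (not from the article): build the ADMX central store from one
# Vista desktop and check ADML coverage for the language the editors will use.
# Assumptions: the domain FQDN and the language subfolder below.
param(
    [string]$Domain   = 'corp.example.com',   # assumed domain FQDN
    [string]$Language = 'en-US'               # assumed editor language
)

$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# One-time setup. GP editors on Vista read the central store in preference to
# the local copy, so every administrator then sees the same single instance
# of each ADMX file and the templates never travel inside the GPO itself.
if (-not (Test-Path $central)) {
    New-Item -ItemType Directory -Path $central | Out-Null
    Copy-Item -Path (Join-Path $local '*.admx') -Destination $central
    New-Item -ItemType Directory -Path (Join-Path $central $Language) | Out-Null
    Copy-Item -Path (Join-Path $local "$Language\*.adml") `
              -Destination (Join-Path $central $Language)
}

# Consistency check: an ADMX file whose ADML is missing for the editor's
# language cannot be loaded by the GP Editor, so report every such gap.
$admx = @(Get-ChildItem -Path $central -Filter '*.admx')
$adml = @(Get-ChildItem -Path (Join-Path $central $Language) -Filter '*.adml' |
          ForEach-Object { $_.BaseName })
$missing = @($admx | Where-Object { $adml -notcontains $_.BaseName })

"{0} ADMX files in the central store, {1} without an {2} ADML" -f $admx.Count, $missing.Count, $Language
$missing | ForEach-Object { "  no ADML for $($_.Name)" }
```

Run it once, as a domain administrator, from a Vista desktop that already has the full set of templates; after that, add a second language by copying only that language's ADML folder.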

How Many Local GPOs Do You Want?
If you've been fighting with a single local GPO in order to control the different users logging on to the desktop, you're not alone. Pre-Vista desktops only come with a single local GPO, making it harder to have a different environment for the local administrator logging on, compared to a standard user logging on. The solution to this is the support for multiple local GPOs. The new implementation of the local GPO structure is a multi-tier design. The local GPOs are applied in a specific order, from the general to the specific.

There are a total of three different GPO settings that can be applied to the new local GPO structure:

  • Default local GPO: This is general for all users logging on to the desktop. This does not delineate between standard users or administrators.
  • Admin vs. non-admin local GPO: One of these two GPOs will apply to every user at logon, depending on the membership in the Administrators group. This allows you to have "admins" log on with a functioning Run menu option, where non-admins will log on with a disabled Run menu option.
  • Specific user local GPO: This provides very granular and targeted GPO settings. A different set of GPO settings can be configured for different users that log on to the desktop.

The default local GPO is applied first, followed by the admin/non-admin local GPO, with the specific user local GPO coming last. Like normal GPO application, any conflict will be resolved by the GPO that applies last, which has the highest precedence. This resultant set of local GPO settings will function similarly to the pre-Vista local GPO, where it will have the weakest precedence in the overall application of GPOs from Active Directory.

(If you do not want to include any of the local GPOs on a Vista desktop, there is a GPO that disables all of them.)
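The local GPO layering just described, as an added PowerShell example that is not part of the article: it lists the layers present on a Vista desktop in the order they apply (default, then admin or non-admin, then user-specific, last writer wins) and shows which ones a given account will receive, then checks for the policy that switches all local GPO processing off. The on-disk layout under System32 is the documented one; the account name and the registry value name are assumptions, and nested domain group membership is not expanded.

```powershell
# Added example (not from the article): inventory the multiple local GPO
# layers on a Vista desktop and show which apply to one account.
# Assumptions: the account name, and the DisableLGPOProcessing value name.
param([string]$UserName = 'alice')   # assumed local account to evaluate

$gpRoot  = Join-Path $env:SystemRoot 'System32'
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Direct membership in the local Administrators group decides whether the
# admin or the non-admin layer applies. Nested domain groups are not expanded.
$admins  = [ADSI]'WinNT://./Administrators,group'
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$isAdmin = $members -contains $UserName

# Application order runs from general to specific; where two layers set the
# same value, the layer that applies last wins.
$layers = @(
    @{ Name = 'Default local GPO';            Path = 'GroupPolicy';                    Applies = $true },
    @{ Name = 'Administrators local GPO';     Path = 'GroupPolicyUsers\S-1-5-32-544'; Applies = $isAdmin },
    @{ Name = 'Non-Administrators local GPO'; Path = 'GroupPolicyUsers\S-1-5-32-545'; Applies = -not $isAdmin },
    @{ Name = "User-specific local GPO";      Path = "GroupPolicyUsers\$sid";          Applies = $true }
)

$order = 0
foreach ($layer in $layers) {
    $order++
    $present = Test-Path (Join-Path $gpRoot $layer.Path)
    "{0}. {1,-28} on disk: {2,-5} applies to {3}: {4}" -f `
        $order, $layer.Name, $present, $UserName, $layer.Applies
}

# The article notes a policy that disables all local GPOs; when it is set,
# none of the layers above are processed. (Registry value name assumed.)
$key = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$off = (Get-ItemProperty -Path $key -Name DisableLGPOProcessing -ErrorAction SilentlyContinue).DisableLGPOProcessing
if ($off -eq 1) { 'Local GPO processing is turned off by policy; the layers above are ignored.' }
```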

Just Give Me the Low Down
With over 800 new GPO settings, you have plenty of control over your Vista desktops. There's not enough space here to cover all of the settings, but I'll cover what I believe are some of the most important ones.

Power Options
I've been inundated with questions about Power Options since Windows NT 4.0. Now, with Vista, you have the ability to centrally control all of the power settings through Group Policy. The bottom line, no pun intended, is the cost savings. By blanking out the display and putting the computer into a standby state, you can save about $50 to $75 per desktop, per year, according to the EPA.

Printer Installation
Group Policy can now deliver printers to both computers and users with Vista. It installs the correct printer driver and makes the printer available to the user without any extra hoops or remote connections. You can also disable specific printer drivers, making the desktops more secure and stable. If you want to allow standard users to install their own printers (typically only allowed for Administrators of the desktop), there is a Group Policy setting for that, too.

Removable Storage Devices
This is clear as can be. You can now control which devices users can have on their desktops. No more bringing in viruses or malicious applications from a CD or USB thumb drive. The Vista Group Policy allows you to control devices under several classes including CD/DVD, tapes, USB plug-in devices, Windows portable devices and all other external removable storage devices.

The Future Is Here (Finally)
In case you missed it, Microsoft has acquired three new Group Policy products from a company called Desktop Standard, all of which should be available shortly. Those products include: GPOVault, PolicyMaker Standard Edition and PolicyMaker Share Manager.

GPOVault
GPOVault is a change-management solution that is a snap-in to the GPMC. Some of GPOVault's capabilities include offline editing, auditing, roll-back and roll-forward, templates, delegation and work-flow. You can obtain your copy of GPOVault in the new Desktop Optimization Pack for Software Assurance (DOPSA) package. GPOVault will be called Advanced Group Policy Management (AGPM) in DOPSA and will be accompanied by three other products in the package.

PolicyMaker
PolicyMaker was the primary reason Microsoft wanted to get its hands on Desktop Standard. PolicyMaker is still available today in the same form it was before the acquisition, but it won't be available from Microsoft for about a year. At that time, it will either be delivered as part of a service pack, add-on pack or possibly another form of distribution.

It has not yet been decided if the new implementation of PolicyMaker will be backward compatible with Windows 2000 and Windows XP. Regardless, if you have not seen the settings, features and overall benefits PolicyMaker provides for controlling your desktop, you should download it soon.

Conclusion: A Thumbs Up
Vista is sure to make new and innovative changes to your network infrastructure and production. Group Policy within Vista is by far one of the most important changes you will see benefits from. With changes ranging from the core Group Policy service to the way the files are structured, it stands to improve your overall Group Policy administration. Changes to how the ADMX files are handled in the central store should give your Administrators an immediate return on investment (ROI) because they no longer need to fight with ADM templates, their updates, or mismatches between ADM templates.

The options that come standard with the additional 800 GPO settings are sure to give you more immediate ROI because you can now save $75 per desktop, per year, with just one of these settings. The other settings will also provide immediate ROI, because you no longer need to worry about printer distribution or removable storage device misuse.

Lastly, with the new acquisition of GPOVault and PolicyMaker, Microsoft is delivering innovative Group Policy technology and incorporating it into their own offerings.
