Opening Up New Vistas in Group Policy -- Redmondmag.com

Opening Up New Vistas in Group Policy

Microsoft's latest OS wipes out a raft of nagging problems.

By Derek Melber
01/01/2007

The good news is the interminably long wait for Vista is finally over.

The even better news? All 1,800 of the Windows XP Group Policy features and settings of the past few years should be in your rearview mirror too.

Based on the finished product, it's clear Microsoft's Group Policy team has worked a lot of overtime to fix a range of common issues involving Group Policy that have plagued customers over the past few years. In fact, with Vista's arrival, I believe the company has radically changed the Group Policy landscape for the better.

My mission here is to focus specifically on the changes Microsoft has made, as well as the reasons why those changes were needed. I think I can convey why it might be a good idea to get at least a few Vista desktops in your environment that can take advantage of some of these new features.

If you deal with Group Policy for even a few minutes a week at your company, you have to be aware of the major shortcomings and many issues surrounding the technology. Don't get me wrong, Group Policy is one of the most spectacular technologies delivered with Active Directory. It's one area where Microsoft has taken the initiative to make a technology better, and all of it is based on customer feedback. The majority of the issues that Group Policy had before Vista fall under one of four categories:

ADM templates that are used to customize Registry changes
Slow link detection that is used to deliver key Group Policy settings to remote desktops
Error messaging that is used for troubleshooting when Group Policy is not working properly
GPMC that is used to manage all aspects of Group Policy and Group Policy Objects (GPOs)

Group Policy Enhancements in Vista
It's no mystery why Microsoft has spent so much time integrating significant new Group Policy changes into Vista: Over 60 percent of all companies that have Active Directory installed are using Group Policy.

The first change you immediately encounter is the raw number of settings available in a new GPO. With more than 1,600 settings in a Windows XP SP2 GPO, Microsoft has taken the new number of settings to over 2,400 in Vista. (This number will dramatically increase again in about a year when Microsoft includes Policy Maker in the mix, which we touch on later in this article.) Beyond the raw number of settings, the company has modified other areas as well.

Windows 2000 and XP used the Win-logon service to drive the Group Policy engine. This didn't pose a problem as it was always nice to have a specific service driving a key technology like Group Policy. With this in mind, the Group Policy team has provided a new and hardened service to run Group Policy. The new engine runs in a shared service host, which offers protection from typical users stopping or altering the service. A local administrator needs to have elevated privileges to stop the service. The service also comes standard with logic that provides automatic recovery from any unexpected failures, thereby making it more stable and reliable.

The GPMC Is Built Right In
Most of you reading this article likely use the GPMC every day when you work with GPOs. However, there are plenty of administrators that have been reluctant to embrace the GPMC. Many complaints surrounding the GPMC stem from it not being included with the operating system. Consequently, many have the mindset that it must not be important or reliable. But because the GPMC actually is one of the most important tools you need to administer your GPOs, Microsoft decided to put it in every installation of Vista. The company also plans to put it in Longhorn server when that product becomes available.

There is a suite of settings in a pre-Vista GPO that allows you to control slow link connections. These slow link connections are essential for applying Group Policy. The reason is that only a portion of the Group Policy settings are delivered over slow links, since some could bottle up the slow link connection and take hours to apply. Slow link determination in Windows 2000 and Windows XP were handled by ICMP, but a major problem with using ICMP to determine a slow link was that many routers were not ICMP-enabled to help secure the network. Even if ICMP did function well, the slow link determination was not savvy enough to handle desktops that were either connected via a VPN or were coming out of hibernation.

Microsoft changed the technology that determined slow links by using Network Location Awareness in Vista. Now, Vista desktops rely on a "state of the network" for the application and refreshing of GPOs. This ensures that desktops get a refresh of GPOs when needed, not just at the 90-minute refresh interval. This is accomplished by detecting when a desktop can communicate with a domain controller after coming out of a situation where it could not communicate with one before.

I don't know of a single Group Policy administrator who hasn't complained that it's near impossible to trouble-shoot GPO issues. Every administrator has asked for events to be centrally logged and for verbosity for the events that are logged. Pre-Vista logs were stored in Event Viewer (userenv.log) and numerous other log files were enabled manually.

In the new world of Vista logging, however, Microsoft is using the Event Viewer and the built-in logging system for Group Policy events. The System Log now tracks events serviced by the Group Policy Service, not the Userenv entries. The Applications and Services Log is essentially a replacement of the userenv.log. These changes also come with direct links to the Microsoft Knowledge Base in hopes that the events can now be easily decrypted and solutions can be derived faster than ever before.

No More ADM Templates?
One aspect of a GPO that has been around since the Windows NT 4.0 days is the ADM template. ADM templates are the mechanism used to customize and deliver Registry value modifications. Every single GPO in a pre-Vista environment has about five ADM templates. These ADM templates provide the GUI environment in the GP Editor labeled Administrative Templates.

These settings, of course, are essential, and contain a majority of the overall settings in a GPO, yet there has been some controversy raging over these files for some time. These files, about 4MB for the suite of five, are located in every single GPO created. That means if you have 100 GPOs, you have 400MB of ADM templates stored in the SYSVOL of every domain controller in that domain. The critical concept here is that by default all 100 copies of the five ADM templates are identical. This caused serious ADM "bloat" and in some cases hectic replication traffic between domain controllers. Oh, and I almost forgot: These ADM templates only support a single language at any one time.

The Group Policy team, working in concert with the Group Policy MVPs (such as yours truly) worked to alter these issues. The solution is a new type of file, called ADMX, which solves all of these issues and more.

First, ADMX files are XML-based and support multiple languages. Multiple languages are handled by the ADML file in conjunction with the ADMX file. Second, ADMX files are not stored in the GPO on the domain controller, but instead are stored locally or in a central store. This concept of a central store is easily one of the most important and innovative features the new Group Policy provides. The central store is a one-time configuration that forces all administrators to use a single instance or ADMX file. This eliminates the common issues that ADM templates posed with such things as versioning and missing ADM templates. Third, the old ADM templates are still supported on Vista, so all of the work done on them is not lost. Fourth, you don't need Longhorn servers to support the central store because Windows 2000 and Windows Server 2003 servers support it. Fifth and finally, you don't need Vista installed on every desktop to take advantage of ADMX files: You only need a single Vista desktop to take advantage of the new format.

One side note: There are about 130 ADMX files that replace the default seven ADM templates. This permits very granular control over the settings stored in each file. If you want to convert your ADM templates to ADMX files, then you can use the new ADMX Migrator.

How Many Local GPOs Do You Want?
If you've been fighting with a single local GPO in order to control the different users logging on to the desktop, you're not alone. Pre-Vista desktops only come with a single local GPO, making it harder to have a different environment for the local administrator logging on, compared to a standard user logging on. The solution to this is the support for multiple local GPOs. The new implementation of the local GPO structure is a multi-tier design. The local GPOs are applied in a specific order, from the general to the specific.

There are a total of three different GPO settings that can be applied to the new local GPO structure:

Default local GPO: This is general for all users logging on to the desktop. This does not delineate between standard users or administrators.
Admin vs. non-admin local GPO: One of these two GPOs will apply to every user at logon, depending on the membership in the Administrators group. This allows you to have "admins" log on with a functioning Run menu option, where non-admins will log on with a disabled Run menu option.
Specific user local GPO: This provides very granular and targeted GPO settings. A different set of GPO settings can be configured for different users that log on to the desktop.

The default local GPO is applied first, followed by the admin/non-admin local GPO, with the specific user local GPO coming last. Like normal GPO application, any conflict will be resolved by the GPO that applies last, which has the highest precedence. This resultant set of local GPO settings will function similarly to the pre-Vista local GPO, where it will have the weakest precedence in the overall application of GPOs from Active Directory.

(If you do not want to include any of the local GPOs on a Vista desktop, there is a GPO that disables all of them.)

Just Give Me the Low Down
With over 800 new GPO settings, you have plenty of control over your Vista desktops. There's not enough space here to cover all of the settings, but I'll cover what I believe are some of the most important ones.

Power Options
I've been inundated with questions about Power Options since Windows NT 4.0. Now, with Vista, you have the ability to centrally control all of the power settings through Group Policy. The bottom line, no pun intended, is the cost savings. By blanking out the display and putting the computer into a standby state, you can save about $50 to $75 per desktop, per year, according to the EPA.

Printer Installation
Group Policy can now deliver printers to both computers and users with Vista. It installs the correct printer driver and makes the printer available to the user without any need for hoops or remote connections. You can also disable specific printer drivers, making the desktops more secure and stable. If you want to elevate the user to install their own printers (typically only allowed by Administrators of the desktop), there is a Group Policy setting for that, too.

Removable Storage Devices
This is clear as can be. You can now control which devices users can have on their desktops. No more bringing in viruses or malicious applications from a CD or USB thumb drive. The Vista Group Policy allows you to control devices under several classes including CD/DVD, tapes, USB plug-in devices, Windows portable devices and all other external removable storage devices.

The Future Is Here (Finally)
In case you missed it, Microsoft has acquired three new Group Policy products from a company called Desktop Standard, all of which should all be available shortly. Those products include: GPOVault, PolicyMaker Standard Edition and PolicyMaker Share Manager.

GPOVault
GPOVault is a change-management solution that is a snap-in to the GPMC. Some of GPOVault's capabilities include offline editing, auditing, roll-back and roll-forward, templates, delegation and work-flow. You can obtain your copy of GPOVault in the new Desktop Optimization Pack for Software Assurance (DOPSA) package. GPOVault will be called Advanced Group Policy Management (AGPM) in DOPSA and will be accompanied by three other products in the package.

PolicyMaker
PolicyMaker was the primary reason Microsoft wanted to get its hands on Desktop Standard. PolicyMaker is still available today in the same form it was before the acquisition, but it won't be available from Microsoft for about a year. At that time, it will either be delivered as part of a service pack, add-on pack or possibly another form of distribution.

It has not yet been decided if the new implementation of PolicyMaker will be backward compatible with Windows 2000 and Windows XP. Regardless, if you have not seen the settings, features and overall benefits PolicyMaker provides for controlling your desktop, you should download it soon.

Conclusion: A Thumbs Up
Vista is sure to make new and innovative changes to your network infrastructure and production. Group Policy within Vista is by far one of the most important changes you will see benefits from. With changes ranging from the core Group Policy service to the way the files are structured, it figures to make enhancements to your overall Group Policy administration. Changes to how the ADMX files are handled in the central store should give your Administrators an immediate return on investment (ROI) because they no longer need to fight with ADM templates or their updates, or the mismatches in ADM templates.

The options that come standard with the additional 800 GPO settings are sure to give you more immediate ROI because you can now save $75 per desktop, per year, with just one of these settings. The other settings will also provide immediate ROI, because you no longer need to worry about printer distribution or removable storage device misuse.

Lastly, with the new acquisition of GPOVault and PolicyMaker, Microsoft is delivering innovative Group Policy technology and incorporating it into their own offerings.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.