What's New for Group Policy in Windows Vista
Written by Darren Mar-Elia for datacrash.net, Thursday, 28 December 2006
Every now and then we invite big names in various sectors of the ICT world to write a guest article on datacrash.net. This time it's Darren Mar-Elia. Darren is famous for co-writing the "Microsoft Windows Group Policy Guide" from the 2003 Resource Kit books. Now Darren has written an article on what is new for Group Policy in Windows Vista. Darren also started up his own company, so you will find web links to his firm (see it as a sponsored article). We hope you enjoy the read; it's a big article, but it gives a nice glimpse of what Vista has to offer, in my opinion. Well, enough from me, time to read the article Darren wrote....

By Darren Mar-Elia, SDM Software Inc (www.sdmsoftware.com)

Overview

As Vista gets ready to ship to the general public, it’s a good time to look at how this new version of Windows improves upon the built-in configuration management technology found in the OS—namely, Group Policy. Group Policy has been around since Windows 2000, and with each successive OS version, its functionality and capabilities are improved. With the introduction of Windows Vista, Microsoft made substantive “under-the-cover” changes for the first time since its release. In addition, they’ve policy-enabled a much greater percentage of the OS (including over 500 new Administrative Template settings), and with that comes greater control over your Vista systems. In this article, we’ll look at these new features, starting off by discussing some of the “infrastructure” changes to Group Policy and then moving on to the highlights of the new policy settings that are now available.

Infrastructure Changes

The Group Policy Service

The first big change to Group Policy in Vista is probably something you would never notice if you weren’t told about it. In versions of Windows prior to Vista, the Group Policy processing “engine” was implemented as part of the system Winlogon process. As such, if there were bugs or poorly written Client Side Extensions (CSEs) that implemented the policy functionality, those bugs would cause Windows to blue screen (because Winlogon was a system process). As a result, to improve stability, Microsoft removed the GP processing engine from Winlogon in Vista and put it into its own separate service process. If you open a command shell on Vista and type net start, you will see the new Group Policy Client service, under which all Group Policy processing occurs. This service is a system service, and as such cannot be stopped while Windows is running. Attempts to kill the process underlying that service will simply result in the service being automatically restarted.

No More ICMP Slow-link Detection

In versions of Windows prior to Vista, each time GP processing occurred, the client would ping its closest DC to determine the effective link speed separating them. If a slow link was detected (the default threshold for a slow link was 500Kb/s) based on the response times of the pings, then GP processing behavior would change—some CSEs would run over a slow link and some would not (e.g. Software Installation did not, by default). Another side effect of this slow-link detection process was that, if ICMP was blocked between client and DC, GP processing would simply fail until the pings went through, or slow-link detection was disabled completely on the client.

Windows Vista introduces a new, non-ICMP based way of determining link speed between client and DC—using the updated Network Location Awareness (NLA) service. NLA uses different (presumably RPC) mechanisms to determine DC availability and link speed, and uses this information to determine if a slow link is found. This makes the slow-link detection process more robust, and as a by-product, leads to the next new feature.

NLA-based Refresh

If you had a Windows client that was off the corporate network for some period of time (e.g. a laptop travelling on a plane), then when you connected back to your corporate network over VPN or from the office, you’d want Group Policy to refresh automatically. In Windows Vista, this behavior is now supported under certain circumstances. Specifically, thanks to the NLA service just mentioned above, if a Vista client attempts to refresh Group Policy and the refresh fails because the DC is unavailable, then, when the DC becomes available again, NLA will automatically trigger a background refresh of Group Policy. This is important because it allows you to enforce policy right away on Vista systems that have been off the network for a while. Note however that a refresh failure must have previously occurred before this automatic refresh will be triggered. If a system is off the network for 5 minutes and then plugs back in, that will not necessarily trigger an NLA refresh unless, during those 5 minutes, the system tried to refresh Group Policy and failed.

Changes to the Local GPO

In pre-Vista Windows versions, each system came with exactly one local GPO. When you set policy on that local GPO, it applied to all users who logged into that machine, and if you wanted to, say, exclude members of the local Administrators group from processing that local GPO, you had to perform lots of tricks (e.g. permissioning parts of the local file system so that administrators couldn’t read them) to accomplish that. Windows Vista introduces the notion of multiple Local GPOs (MLGPOs). Specifically, you can now create 3 additional types of user-specific local GPOs on Vista. You can create a “non-administrators local GPO”, an “administrators local GPO” and individual user-account based local GPOs. And Vista still includes the default local GPO that you see when you type gpedit.msc from the Start menu. That means that you can have, at a minimum, 3 local GPOs that apply to different users on your Vista system. These are processed in order, with the default local GPO processing first for all users, then the non-administrators and administrators local GPO processing, followed finally by any user-specific local GPOs. Note that these additional local GPOs only provide the option to set per-user Group Policy settings, for obvious reasons. Figure 1 below shows an MMC snap-in loaded with the default local GPO and the non-administrators and administrators local GPOs, and you can see that in the administrators local GPO only the “User Configuration” side of the GPO is shown.


Figure 1: Viewing multiple local GPOs in Vista.

Windows Vista Group Policy

GPMC part of the OS

The Group Policy Management Console (GPMC), which was a must-have add-on for Windows administrators in the pre-Vista world, is now shipped as part of Vista. Simply typing gpmc.msc at the Start menu run dialog will start the GPMC on a Vista system. Note however that the GPMC scripts are no longer installed as part of the Vista GPMC version, and so these must be downloaded separately from the Microsoft download website.

ADMX/ADML Templates and the Central Store

Since NT 4, Microsoft has provided a way of modifying the Windows registry through policy. In Group Policy this capability is referred to as Administrative Templates policy, and the options you see when you are in the Group Policy editor, focused on this node, were provided thanks to template files that shipped with the OS and had a .adm extension. These text-based template files had a documented syntax that you could then use to create your own custom ADM files that added additional registry management capabilities. However, this syntax was fairly difficult to use and was language-dependent. That is, if you created a GPO on a Dutch version of Windows and then tried to edit it using a German version, the German administrator would still see the Dutch text descriptions associated with each Administrative Template policy. Finally, ADMs had the additional burden of being stored along with the GPO settings in the SYSVOL folder on each DC in the domain. So while each GPO probably used the same 5 ADM files, all 2+MB of those files were stored in every GPO and copied to every DC.

To resolve many of these problems, Microsoft introduced the .ADMX/.ADML file format to replace ADMs. These new file formats are XML-based, which means they are more structured and can benefit from existing tools available for editing XML. They also separate policy settings from language-dependent strings into the .ADMX and .ADML files, respectively. So, the language-dependent strings are no longer embedded in the registry setting file, and any localized version of Vista will present policy settings with their own localized language descriptions. You will notice that every .ADMX file comes with its own .ADML file, containing the localized strings for those policy settings. Additionally, to solve the storage problem, .ADMX/.ADML files are no longer stored with the GPO. When you create or edit a GPO in Vista, the GP Editor snap-in looks in c:\windows\policydefinitions for all of the .ADMX and .ADML files that are available and loads them into the GP Editor for that GPO. Additionally, if you don’t want to rely on each administrator editing GPOs with their own local (and perhaps modified) copies of .ADMX and .ADML files, you can create a “Central Store” within SYSVOL and copy all of your “official” .ADMX and .ADML files in there. Once the “Central Store” is created, by simply creating a folder called PolicyDefinitions under the \Policies folder in SYSVOL, GP Editor and GPMC will always look there first for .ADMX/.ADML files before looking on the local hard drive!

The final thing I’ll mention is that you’ll notice there are quite a few more .ADMX/.ADML files shipped in Vista than there were ADM files in prior OS versions. This is because Microsoft broke out each OS component into its own policy file—resulting in a more granular way of shipping policy changes for a given component, but also with many more template files to keep track of! If you have custom ADM files that you want to convert to ADMX, Microsoft has a free converter tool on their download site. Just go to http://download.microsoft.com and search for ADMX Migrator.
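As an added example, not code from the article or from Microsoft's tools, here is the settings/strings split described above worked through in Python: a small resolver loads one constructed ADMX file and swaps its $(string.*) references for the strings of whichever constructed ADML locale table is chosen, so the same registry setting is presented with English or German text without the policy definition itself changing.

```python
# Added example (not from the article): resolve an ADMX policy definition against
# the per-language ADML string table, as GP Editor does when it loads
# c:\windows\policydefinitions\<locale>\*.adml. Every file here is constructed.
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions}"

# Constructed ADMX: registry settings only; visible text is a $(string.*) reference.
ADMX = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
 <policies>
  <policy name="DenyRemovableWrite" class="Machine" displayName="$(string.DenyRemovableWrite)"
          key="Software\\Policies\\Example\\RemovableStorage" valueName="Deny_Write">
   <enabledValue><decimal value="1"/></enabledValue>
   <disabledValue><decimal value="0"/></disabledValue>
  </policy>
 </policies>
</policyDefinitions>"""

# Constructed ADML string tables for two locales; both pair with the single ADMX above.
ADML = {
 "en-US": """<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <resources><stringTable>
   <string id="DenyRemovableWrite">Removable Disks: Deny write access</string>
  </stringTable></resources></policyDefinitionResources>""",
 "de-DE": """<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <resources><stringTable>
   <string id="DenyRemovableWrite">Wechseldatentraeger: Schreibzugriff verweigern</string>
  </stringTable></resources></policyDefinitionResources>""",
}

def load_strings(adml_xml):
    """Build {id: text} from an ADML stringTable."""
    return {s.get("id"): s.text for s in ET.fromstring(adml_xml).iter(NS + "string")}

def resolve(text, strings):
    """Swap $(string.X) references for the locale's text; an unknown id is left visible."""
    return re.sub(r"\$\(string\.(\w+)\)", lambda m: strings.get(m.group(1), m.group(0)), text)

def load_policies(admx_xml, locale):
    """Return each policy's localized name and the registry value it writes when enabled."""
    strings = load_strings(ADML[locale])
    result = []
    for p in ET.fromstring(admx_xml).iter(NS + "policy"):
        enabled = p.find(NS + "enabledValue/" + NS + "decimal")
        value = int(enabled.get("value")) if enabled is not None else None
        result.append({"name": p.get("name"), "class": p.get("class"),
                       "displayName": resolve(p.get("displayName"), strings),
                       "registry": (p.get("key"), p.get("valueName"), value)})
    return result
```

Pointing load_strings at a different locale folder is all that changes between a Dutch and a German administrator's view; the registry key, value name and data come from the shared ADMX alone.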

Logging Improvements

One of the difficulties of troubleshooting Group Policy problems in pre-Vista Windows was getting useful information out of the event log. Indeed, if you really wanted to find out what was going on in GP, you usually had to turn to the cryptic userenv.log file to solve your problems. Vista changes all of this, with the introduction of the new “Crimson” event logging system and so-called Operational Logs. The Group Policy operational log now automatically logs all detailed events related to Group Policy processing and presents them in a nice, easy-to-read format. If you’re in the Event Viewer on Vista, you can drill into “Applications and Services Logs\Microsoft\Windows\Group Policy\Operational” and get a flavor of the kind of detail you can now get from a Group Policy processing session (see Figure 2 below).

Figure 2: The Group Policy operational log in Event Viewer.

With the new operational log, you no longer need to rely on userenv.log; indeed, all Group Policy trace events have been removed from that log file, and you will no longer find it useful in Vista. In addition to the GP operational log, the more general GP events have been moved from the Application event log to the System log and now have a source name of Group Policy, so it is easy to get summary information about GP processing in the System log and then use the operational log to drill down and collect additional detail.

New Group Policy Areas

As I mentioned earlier, there are over 500 new policy settings in Vista Group Policy—too numerous to mention all here. But I do want to highlight some of the more important ones now:

- Power Management: ability to control power schemes from GP
  - Support for a separate power plan when no user is logged into the machine
  - Found in Computer Configuration\Admin. Templates\System\Power Management
- Removable Storage Management
  - Ability to control read/write access to removable media (e.g. USB devices, etc.)
  - Ability to prevent device installation
  - Found in Computer (and User) Configuration\Admin. Templates\System\Removable Storage Access
- Printer Management
  - Per-computer and per-user printer mapping, based on location
  - Similar to the R2 feature but fully integrated into GP
  - Ability to deploy trusted print drivers or prevent installation of untrusted ones
  - Ability to delegate print driver installation to unprivileged users
  - Found in Computer (and User) Configuration\Windows Settings\Deployed Printers
- User Account Control (UAC) in Vista
  - GP support for UAC lets you control how privilege is elevated for your users
  - Behavior on elevation:
    - No prompt, prompt for consent, or prompt for credentials
    - Run all users (including admins) as UAC users
    - Elevate on application installs
  - Found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control
- IPSec and Firewall Policy
  - In Vista, MS combines Windows Firewall policy and IPSec policy into a single, easier network security policy section
  - So you can do things like:
    - Allow communication only for certain applications and ports
    - Only between computers in certain security groups
    - Or only if the communications are encrypted
    - Or enforce isolation by limiting resource access to domain-joined computers only
  - Found in Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security
- Security Policy Improvements
  - Policy support for Windows Defender (anti-spyware)
  - Network Access Protection (NAP) support
  - Support for IE 7’s new security capabilities
  - Configuration management based on wired vs. wireless network connections
  - Driver Installation Protection

Summary

In general, Vista introduces a number of long-awaited and oft-requested improvements in both the function and capability of Group Policy. These improvements definitely help sell the value of a Vista upgrade, when you consider that Group Policy can help manage the security, lockdown and user management of your desktop environment. If you consider elements such as power management, printer installation and removable device lockdown, three key problem areas in Windows today, Group Policy improvements in Vista will sell themselves!


About the Author:

Darren Mar-Elia is CTO & Founder of SDM Software, Inc. (www.sdmsoftware.com), a Group Policy solutions company, which recently released its first product—the GPHealth Reporter for Group Policy troubleshooting. In addition, he maintains the popular Group Policy resource site at www.gpoguy.com. Prior to starting SDM Software, Darren was CTO of Windows Management products at Quest Software and Sr. Director of Product Engineering at DesktopStandard.

Comments
EkilErif Manager | 2006-12-29 11:10:43
Excellent article Darren, thank you!

There is a lot of speculation about whether or not Vista is going to be any good. My personal experience so far from a business perspective is that this software is going to be brilliant. From a home user perspective I had a lot of problems playing games and things like that because of DirectX 10 and also the lack of OpenGL support. I've not yet installed the release version of Vista BUT am awfully tempted to try it out.
Playwell - Suprise Manager | 2006-12-30 11:12:25
Hi Darren
Fancy meeting you here.