By Andrew Garcia  |  Posted 2006-04-18

Under the covers, Vista introduces a new file format for the administrative templates that contain all policy settings.

Previous Windows versions used ADM templates, which were written in a proprietary and hard-to-learn language. These templates tended to be very large but limited in number.

The new ADMX templates are written in XML. These templates tend to be much smaller than their ADM counterparts, and there are a lot more of them. Each ADMX template consists of two parts: one language-neutral component with the actual settings and a language-specific component (called ADML).
The bifurcation of settings and language solves the problem where descriptive information in ADM templates could get overwritten in another language in a domain that crossed international (and linguistic) borders.
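The split between settings and language can be seen by resolving one template against two language files. The following is an added example, not code from the article or from Microsoft: the policy name, registry key and strings are hypothetical, and the element and attribute names follow the ADMX schema as shipped rather than anything shown on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples; policy name, registry key and strings are hypothetical.
# Real templates also declare an XML namespace, so tags are matched by local name.
ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0"><policies>
  <policy name="ExampleSetting" class="Machine"
          displayName="$(string.ExampleSetting)"
          explainText="$(string.ExampleSetting_Help)"
          key="Software\Policies\Example" valueName="ExampleValue"/>
</policies></policyDefinitions>"""

ADML = {
    "en-US": """<policyDefinitionResources><resources><stringTable>
      <string id="ExampleSetting">Turn off the example feature</string>
      <string id="ExampleSetting_Help">Disables the example feature.</string>
    </stringTable></resources></policyDefinitionResources>""",
    # Incomplete translation: the help string is missing on purpose.
    "de-DE": """<policyDefinitionResources><resources><stringTable>
      <string id="ExampleSetting">Beispielfunktion deaktivieren</string>
    </stringTable></resources></policyDefinitionResources>""",
}

STRING_REF = re.compile(r"^\$\(string\.([^)]+)\)$")

def local(tag):
    """Drop any '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def string_table(adml_xml):
    """Map string id -> localized text from an ADML resource file."""
    root = ET.fromstring(adml_xml)
    return {e.get("id"): (e.text or "").strip()
            for e in root.iter() if local(e.tag) == "string"}

def resolve(admx_xml, adml_xml):
    """Return (policies, missing_ids) for one ADMX/ADML pair."""
    strings, policies, missing = string_table(adml_xml), [], []
    for p in ET.fromstring(admx_xml).iter():
        if local(p.tag) != "policy":
            continue
        entry = {a: p.get(a) for a in ("name", "class", "key", "valueName")}
        for attr in ("displayName", "explainText"):
            m = STRING_REF.match(p.get(attr, ""))
            sid = m.group(1) if m else None
            entry[attr] = strings.get(sid)
            if sid and sid not in strings:
                missing.append(sid)
        policies.append(entry)
    return policies, missing

if __name__ == "__main__":
    for lang, adml in ADML.items():
        print(lang, resolve(ADMX, adml))
```

The registry key and value are identical in both runs; only the display text changes, and the incomplete language file is reported rather than silently altering the setting.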

The new format also addresses the insidious problem of bloat in the System Volume, or SYSVOL, share. With the old ADM templates, each GPO in a domain includes its own copy of every ADM template—about 4MB per policy object. In a domain with hundreds of policies in use, this can result in a significant waste of disk and network resources. And because the policy objects are stored in the SYSVOL, which is automatically replicated to all other Domain Controllers in the network via the File Replication Service, the waste can scale quickly in a large domain.

In contrast, each Vista client in the network retains its own copy of every relevant template, but administrators can add and distribute new or improved templates via a central store in the SYSVOL. During eWeek Labs tests of the Vista beta (Build 5308, to be exact) in a Windows 2003 domain, we could create a single, specific folder in the SYSVOL to which we could copy our new templates, allowing Vista clients to automatically refresh their local template cache. There is currently no specific interface to manage the store, but the process is easy and only needs to be done once, as the templates will automatically propagate to other Domain Controllers in the domain.

Older Windows clients will not be able to understand the new ADMX template format, so they will not be able to take advantage of the new settings. On the other hand, Vista is backward-compatible with older ADM templates. The truth is, as long as there are pre-Vista Windows versions in the domain and they are managed by Group Policy, ADM files will still be necessary—and the bloat will remain.

Legacy Windows clients also cannot manage ADMX-based policies, so Group Policy administrators will need to manage the new policies from a Vista-based machine.

On the consumer side of things, Vista can maintain multiple Local Policy objects. Previous Windows versions could maintain only a single Local Policy, so administrators were subject to the same policy restrictions as other users. Thus, administration on a tightly locked-down machine could be a cumbersome affair.

The Local Policy maintains the same basic structure, containing one User and one Computer Policy. But, in tests, we noted a new folder in the System32 directory where additional User policies are stored. We could apply User policies to individual users or to built-in groups (but not to groups we defined).

It is not that easy to figure out how to create these individual policies, as bringing up the Group Policy editor (gpedit.msc) only calls forth the primary Local Policy. We discovered we could create individual policies for individual Local users via the new Parental Controls applet in the Control Panel.

To create separate policies for built-in groups, we had to start a new MMC session, adding the Group Policy editor while selecting the User or Group object we wished to manage in the new Users tab in the browser (see screen, Page 46). This automatically creates the GPO if it does not already exist.

A cottage industry has grown up around Group Policy, with companies like FullArmor, Desktop Standard and NetIQ providing tools that improve Group Policy management and add greater functionality.

Vista's new Group Policy feature set brings both opportunity and threat to these vendors. AD and Group Policy adoption rates continue to climb steadily, and Microsoft's renewed commitment to Group Policy indicates a healthy future for relevant tools. The key for third-party vendors will be to differentiate their products' feature sets from what Vista brings.

Indeed, there are plenty of areas in which Vista will need to be shored up. Microsoft has yet to deliver such niceties as Group Policy change management, version control and reporting capabilities. Customers will also want backward-compatibility with legacy Windows versions for a long time to come.

Technical Analyst Andrew Garcia can be reached at


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
