Vista Promises Group Policy Overhaul

By Andrew Garcia  |  Posted 2006-04-18

Whenever it officially ships, Windows Vista will bring a lot of new power and flexibility to Microsoft's Group Policy. Some changes are sexy and obvious, while others remain under the covers, but all are significant and could cause some refocusing among third-party vendors that have sprouted up in the Microsoft ecosystem to deal with various deficiencies in previous iterations of Windows and Group Policy.

Vista will be the first Windows operating system to include the newer GPMC (Group Policy Management Console). Unlike previous generations of Microsoft's Group Policy management tools, the GPMC coalesces all GPOs (Group Policy Objects) into a single interface and allows administrators to easily link the objects to Domains, Sites or OUs (Organizational Units) in AD (Active Directory).

The GPMC also clearly displays all policies that are in effect for a particular AD node and shows which administrators have authority over objects and links. Lastly, the GPMC provides modeling tools to highlight the Resultant Set of Policy on an AD object once all applied GPOs are taken into account, allowing administrators to troubleshoot conflicts or other misconfigurations.

Although the GPMC was previously available as a free add-on for Windows XP- or Windows Server 2003-based machines, administrators had to separately download and install the component. With Vista, administrators can be confident that the GPMC will be the primary tool for domainwide GPO management for the foreseeable future and that the tool automatically will grow and evolve in step with the Windows operating system.

While the GPMC is a much-improved GPO organizational tool, the actual Group Policy editor remains largely the same in structure, although not in content.

The Group Policy editor has the same, familiar MMC (Microsoft Management Console)-based interface as it has had from Windows 2000 on, but the raw number of settings under the hood will be greatly increased in Vista: Whereas the initial version of Windows 2000 had about 650 Group Policy settings and Windows XP SP (Service Pack) 2 has about 1,500, Vista will have nearly 3,000.

There also are many new areas that IT administrators will be able to manage via Group Policy in Vista. Among the highlights we've seen in tests so far: the ability to dictate read/write/execute behavior to removable drives, new controls for Windows Firewall and IP Security encryption, printer deployment, power management controls, and Least Privilege User Account controls.

These new settings not only improve the overall granularity of control that administrators have over system security, but they also greatly enhance administrators' ability to manage configurations across the domain. As the computing segment running Vista slowly grows in the enterprise, having these capabilities built into Group Policy could eventually obviate the need for many task- or hardware-specific management tools.

Given the raw number of policy settings that will be available, however, it will be that much harder to find the right setting within the GPO. Unfortunately, Vista does not yet include the ability to search for setting names or descriptions, but Microsoft officials are promising this feature in the future. We expect this capability to arrive in Vista's SP1 time frame.

Room for improvement

In the past, eWeek Labs has used Group Policy's software deployment capabilities successfully in many situations, but there's still much room for improvement. Requiring Windows Installer packages limits the amount of software that can be deployed without repackaging; there's no way to target groups smaller than an OU for deployment; and there's a general inflexibility in terms of when a software package can be deployed.

Unfortunately, none of these issues will be resolved in Vista, nor do we expect such changes any time soon, since Microsoft looks to sell that kind of flexibility with its SMS (Systems Management Server) line.

Vista does improve the ability for clients to refresh applied policy. In current versions of Windows, Group Policies are refreshed only during the startup/shutdown and log-on/log-off processes or at periodic background refresh intervals. With the new Network Awareness feature, Group Policy now triggers a policy refresh whenever a new network connection is detected.

Under the covers, Vista introduces a new file format for the administrative templates that contain all policy settings.

Previous Windows versions used ADM templates, which were written in a proprietary and hard-to-learn language. These templates tended to be very large but limited in number.

The new ADMX templates are written in XML. These templates tend to be much smaller than their ADM counterparts, and there are a lot more of them. Each ADMX template consists of two parts: one language-neutral component with the actual settings and a language-specific component (called ADML).

The bifurcation of settings and language solves the problem where descriptive information in ADM templates could get overwritten in another language in a domain that crossed international (and linguistic) borders.
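To make the ADMX/ADML split concrete, here is an added PowerShell example (not code from the article or from Microsoft) that builds a constructed ADMX template and two ADML string files for it, then resolves the `$(string.id)` references the way the editor does. Element and attribute names follow the public ADMX schema; the policy name `DenyRemovableWrite`, its category, registry key and all display strings are hypothetical. The point is that the registry key and value come only from the language-neutral ADMX, so swapping the ADML changes the text without touching the setting.

```powershell
# Added example (not from the article): a constructed ADMX template, two
# ADML string files for it, and a resolver that shows how the
# language-neutral ADMX refers to display strings by id while the
# language-specific ADML supplies the text. Policy name, category,
# registry key and strings are hypothetical.

$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="example" namespace="Example.Policies.RemovableStorage" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="RemovableStorage" displayName="$(string.RemovableStorage)" />
  </categories>
  <policies>
    <policy name="DenyRemovableWrite" class="Machine"
            displayName="$(string.DenyRemovableWrite)"
            explainText="$(string.DenyRemovableWrite_Help)"
            key="Software\Policies\Example\RemovableStorage" valueName="DenyWrite">
      <parentCategory ref="RemovableStorage" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# Builds an ADML document from an id -> text table (hypothetical helper).
function New-AdmlText {
    param([hashtable]$Strings)
    $rows = foreach ($k in $Strings.Keys) { "      <string id=`"$k`">$($Strings[$k])</string>" }
    @"
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
  <displayName>Example</displayName>
  <description>Constructed sample</description>
  <resources>
    <stringTable>
$($rows -join "`n")
    </stringTable>
  </resources>
</policyDefinitionResources>
"@
}

# Two ADML files for the same ADMX: only the strings differ.
$admlEnUs = New-AdmlText @{
    RemovableStorage        = 'Removable Storage'
    DenyRemovableWrite      = 'Deny write access to removable drives'
    DenyRemovableWrite_Help = 'Blocks writes to removable drives.'
}
$admlDeDe = New-AdmlText @{
    RemovableStorage        = 'Wechseldatentraeger'
    DenyRemovableWrite      = 'Schreibzugriff auf Wechseldatentraeger verweigern'
    DenyRemovableWrite_Help = 'Blockiert Schreibvorgaenge auf Wechseldatentraeger.'
}

# Resolves $(string.id) tokens in each policy's display attributes.
function Resolve-PolicyDisplay {
    param([string]$AdmxText, [string]$AdmlText)
    $defs = [xml]$AdmxText
    $res  = [xml]$AdmlText

    # id -> text from the ADML string table
    $table = @{}
    foreach ($s in $res.policyDefinitionResources.resources.stringTable.string) {
        $table[$s.id] = $s.InnerText
    }

    # Leave unknown ids visible so a missing or stale ADML is easy to spot.
    $evaluator = {
        param($m)
        $id = $m.Groups[1].Value
        if ($table.ContainsKey($id)) { $table[$id] } else { "<missing string: $id>" }
    }.GetNewClosure()
    $pattern = '\$\(string\.([^)]+)\)'

    foreach ($p in $defs.policyDefinitions.policies.policy) {
        [pscustomobject]@{
            Policy      = $p.name
            Class       = $p.class
            RegistryKey = "$($p.key)\$($p.valueName)"
            DisplayName = [regex]::Replace($p.displayName, $pattern, $evaluator)
            Explain     = [regex]::Replace($p.explainText, $pattern, $evaluator)
        }
    }
}

# Same RegistryKey in both runs; only DisplayName and Explain change.
Resolve-PolicyDisplay $admx $admlEnUs | Format-List
Resolve-PolicyDisplay $admx $admlDeDe | Format-List
```

Because the resolver leaves an unresolved id visible as `<missing string: ...>`, it doubles as a quick consistency check when an ADMX is updated but the matching ADML for a locale is not.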

The new format also addresses the insidious problem of bloat in the System Volume, or SYSVOL, share. With the old ADM templates, each GPO in a domain includes its own copy of every ADM template—about 4MB per policy object.

In a domain with hundreds of policies in use, this can result in a significant waste of disk and network resources. And because the policy objects are stored in the SYSVOL, which is automatically replicated to all other Domain Controllers in the network via the File Replication Service, the waste can scale quickly in a large domain.

In contrast, each Vista client in the network retains its own copy of every relevant template, but administrators can add and distribute new or improved templates via a central store in the SYSVOL.

During eWeek Labs' tests of the Vista beta (Build 5308, to be exact) in a Windows 2003 domain, we could create a single, specific folder in the SYSVOL to which we could copy our new templates, allowing Vista clients to automatically refresh their local template cache.

There is currently no specific interface to manage the store, but the process is easy and only needs to be done once, as the templates will automatically propagate to other Domain Controllers in the domain.
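The one-time setup described above, as an added PowerShell example that is not from the article or from Microsoft: it creates the central store folder under SYSVOL, copies the local ADMX templates and one locale's ADML files into it, and then reports any template that is missing from the store or differs from the local copy. The `Policies\PolicyDefinitions` path is the location Microsoft documented for the central store after Vista shipped; the article itself only says "a single, specific folder in the SYSVOL". The function name is hypothetical, and `Get-FileHash` needs PowerShell 4 or later.

```powershell
# Added example (not from the article): populate the Group Policy central
# store with the ADMX/ADML templates installed on this machine, then
# compare the two copies. Run from an elevated prompt on a domain-joined
# machine with rights to write to SYSVOL. The PolicyDefinitions path is
# the documented central-store location; the function name is hypothetical.

function Publish-CentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Domain   = $env:USERDNSDOMAIN,
        [string]$Source   = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Language = 'en-US'
    )

    $store     = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $storeLang = Join-Path $store $Language

    # Create the store root and the per-language ADML folder once; SYSVOL
    # replication carries them to the other Domain Controllers.
    foreach ($dir in $store, $storeLang) {
        if (-not (Test-Path $dir)) {
            if ($PSCmdlet.ShouldProcess($dir, 'Create central store folder')) {
                New-Item -ItemType Directory -Path $dir | Out-Null
            }
        }
    }

    # Language-neutral settings go in the root, display strings in the
    # locale folder, mirroring the layout of %SystemRoot%\PolicyDefinitions.
    if ($PSCmdlet.ShouldProcess($store, "Copy templates from $Source")) {
        Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force
        Copy-Item -Path (Join-Path $Source "$Language\*.adml") -Destination $storeLang -Force
    }

    # Report templates the store lacks or holds a different version of, so
    # a stale central copy is noticed rather than silently used by editors.
    foreach ($f in Get-ChildItem -Path $Source -Filter *.admx) {
        $central = Join-Path $store $f.Name
        if (-not (Test-Path $central)) {
            [pscustomobject]@{ Template = $f.Name; State = 'missing from store' }
        } elseif ((Get-FileHash $central).Hash -ne (Get-FileHash $f.FullName).Hash) {
            [pscustomobject]@{ Template = $f.Name; State = 'differs from local copy' }
        }
    }
}

# Dry run first: -WhatIf lists the folders and copies without touching SYSVOL.
Publish-CentralStore -WhatIf
```

Run it without `-WhatIf` once the dry run looks right; rerunning it later after a template update is a simple way to see which ADMX files in the store are out of date.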

Older Windows clients will not be able to understand the new ADMX template format, so they will not be able to take advantage of the new settings. On the other hand, Vista is backward-compatible with older ADM templates. The truth is, as long as there are pre-Vista Windows versions in the domain and they are managed by Group Policy, ADM files will still be necessary—and the bloat will remain.

Legacy Windows clients also cannot manage ADMX-based policies, so Group Policy administrators will need to manage the new policies from a Vista-based machine.

On the consumer side of things, Vista can maintain multiple Local Policy objects. Previous Windows versions could maintain only a single Local Policy, so administrators were subject to the same policy restrictions as other users. Thus, administration on a tightly locked-down machine could be a cumbersome affair.

The Local Policy maintains the same basic structure, containing one User and one Computer Policy. But, in tests, we noted a new folder in the System32 directory where additional User policies are stored. We could apply User policies to individual users or to built-in groups (but not to groups we defined).

It is not that easy to figure out how to create these individual policies, as bringing up the Group Policy editor (gpedit.msc) only calls forth the primary Local Policy. We discovered we could create individual policies for individual Local users via the new Parental Controls applet in the Control Panel.

To create separate policies for built-in groups, we had to start a new MMC session, adding the Group Policy editor while selecting the User or Group object we wished to manage in the new Users tab in the browser (see screen, Page 46). This automatically creates the GPO if it does not already exist.

A cottage industry has grown up around Group Policy, with companies like FullArmor, Desktop Standard and NetIQ providing tools that improve Group Policy management and add greater functionality.

Vista's new Group Policy feature set brings both opportunity and threat to these vendors. AD and Group Policy adoption rates continue to climb steadily, and Microsoft's renewed commitment to Group Policy indicates a healthy future for relevant tools. The key for third-party vendors will be to differentiate their products' feature sets from what Vista brings.

Indeed, there are plenty of areas in which Vista will need to be shored up. Microsoft has yet to deliver such niceties as Group Policy change management, version control and reporting capabilities. Customers will also want backward-compatibility with legacy Windows versions for a long time to come.

Technical Analyst Andrew Garcia can be reached at