Vista Promises Group Policy Overhaul

Tech Analysis: The Group Policy Management Console will be the primary tool for domainwide Group Policy Objects management for the foreseeable future, and the tool will automatically grow and evolve in step with the Windows operating system.

Whenever it officially ships, Windows Vista will bring a lot of new power and flexibility to Microsoft's Group Policy. Some changes are sexy and obvious, while others remain under the covers, but all are significant and could cause some refocusing among third-party vendors that have sprouted up in the Microsoft ecosystem to deal with various deficiencies in previous iterations of Windows and Group Policy.

Vista will be the first Windows operating system to include the newer GPMC (Group Policy Management Console). Unlike previous generations of Microsoft's Group Policy management tools, the GPMC coalesces all GPOs (Group Policy Objects) into a single interface and allows administrators to easily link the objects to Domains, Sites or OUs (Organizational Units) in AD (Active Directory).

The GPMC also clearly displays all policies that are in effect for a particular AD node and shows which administrators have authority over objects and links. Lastly, the GPMC provides modeling tools to highlight the Resultant Set of Policy on an AD object once all applied GPOs are taken into account, allowing administrators to troubleshoot conflicts or other misconfigurations.

Although the GPMC was previously available as a free add-on for Windows XP- or Windows Server 2003-based machines, administrators had to separately download and install the component. With Vista, administrators can be confident that the GPMC will be the primary tool for domainwide GPO management for the foreseeable future and that the tool automatically will grow and evolve in step with the Windows operating system.

While the GPMC is a much-improved GPO organizational tool, the actual Group Policy editor remains largely the same in structure, although not in content.

The Group Policy editor has the same, familiar MMC (Microsoft Management Console)-based interface as it has had from Windows 2000 on, but the raw number of settings under the hood will be greatly increased in Vista: Whereas the initial version of Windows 2000 had about 650 Group Policy settings and Windows XP SP (Service Pack) 2 has about 1,500, Vista will have nearly 3,000.

There also are many new areas that IT administrators will be able to manage via Group Policy in Vista. Among the highlights we've seen in tests so far: the ability to dictate read/write/execute behavior for removable drives, new controls for Windows Firewall and IP Security encryption, printer deployment, power management controls, and Least Privilege User Account controls.

These new settings not only improve the overall granularity of control that administrators have over system security, but they also greatly enhance administrators' ability to manage configurations across the domain. As the computing segment running Vista slowly grows in the enterprise, having these capabilities built into Group Policy could eventually obviate the need for many task- or hardware-specific management tools.

Given the raw number of policy settings that will be available, however, it will be that much harder to find the right setting within a GPO. Unfortunately, Vista does not yet include the ability to search for setting names or descriptions, but Microsoft officials are promising this feature in the future. We expect this capability to arrive in Vista's SP1 time frame.

Room for improvement

In the past, eWeek Labs has used Group Policy's software deployment capabilities successfully in many situations, but there's still much room for improvement. Requiring Windows Installer packages limits the amount of software that can be deployed without repackaging; there's no way to target groups smaller than an OU for deployment; and there's a general inflexibility in terms of when a software package can be deployed.

Unfortunately, none of these issues will be resolved in Vista, nor do we expect such changes any time soon, since Microsoft looks to sell that kind of flexibility with its SMS (Systems Management Server) line.

Vista does improve the ability for clients to refresh applied policy. In current versions of Windows, Group Policies are refreshed only during the startup/shutdown and log-on/log-off processes or at periodic background refresh intervals. With the new Network Awareness feature, Group Policy now triggers a policy refresh whenever a new network connection is detected.