Group Policy Improvements in Vista

Every once in a while, when a new operating system hits the market, computer professionals anxiously check out the change logs, test drive the new utilities, and do their best to locate and understand the latest updates. Windows Vista has brought a large pack of additions and improvements to the way the system can be managed. In this article we’ll discuss Vista’s Group Policy improvements.

January 06, 2009

As always, we're going to focus on the basics first, describing how Group Policy works. Once we're familiar with the Group Policy terminology, we will be ready to go further and look at the improvements and fixes that Vista brought with its launch.

Microsoft introduced the technology of Group Policies with the very first Windows NT release. At the heart of these policies is at least one GPO (Group Policy Object). A GPO holds a collection of policies: templates, settings, and configuration options that apply to the registry, NTFS security, audit security, software installation, folder redirection, logon/logoff scripts, IE options, etc.

Basically, the system administrator enforces these policies through a specific GPO. This means that all of the computers, users, and objects of any kind (such as printers) will behave the same way. The most common scenarios are logon scripts and remote software installations. An object can be present only once in Active Directory (duplicates aren't allowed), but it can fall under more than one GPO.

Moreover, the GPOs are stored along with their policies on the Active Directory Domain Controller in the case of domains. This way the policies are enforced each time a computer joins the domain. With local computers that aren't in a domain, the local group policy editor is really minimalist, since it is limited compared to AD's GPOs.

Throughout this article we will focus on group policies that are linked to an Active Directory container. This is where the largest number of improvements were wrought; approximately 800 new policies and templates were included, and now their total count has reached 2495. We're going to point out the major changes as well.

Major Improvements

Let's check out the major changes to the Group Policy architecture. The file format that until this time stored the policy settings was ADM, but Microsoft has now introduced the new policy definition file format called ADMX, which is XML-based. This format holds the configurations for stand-alone GPOs. It allows language-specific resources to be stored as well. So it's more "complete."
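The split between an ADMX definition and its language-specific resource file (ADML), as an added example that is not from the original article or from Microsoft: a parser that lists each policy with the registry value it controls and resolves its display name from the language file. Both XML fragments are constructed for illustration; their policy names, registry keys and strings are hypothetical.

```python
import xml.etree.ElementTree as ET

URI = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
NS = {"pd": URI}  # ADMX and ADML share this default namespace

# Constructed sample (not a Microsoft template): all names, keys and strings are hypothetical.
ADMX = rf"""<policyDefinitions xmlns="{URI}">
  <policies>
    <policy name="Example_DenyRemovableWrite" class="Machine"
            displayName="$(string.DenyWrite)"
            key="Software\Policies\Example\RemovableStorage" valueName="Deny_Write">
      <enabledValue><decimal value="1"/></enabledValue>
    </policy>
    <policy name="Example_DenyOpticalBurn" class="Both"
            displayName="$(string.DenyBurn)"
            key="Software\Policies\Example\Optical" valueName="NoBurn">
      <enabledValue><decimal value="1"/></enabledValue>
    </policy>
    <policy name="Example_Orphan" class="User" displayName="$(string.Missing)"
            key="Software\Policies\Example\Orphan" valueName="X"/>
  </policies>
</policyDefinitions>"""

ADML = f"""<policyDefinitionResources xmlns="{URI}">
  <resources><stringTable>
    <string id="DenyWrite">Removable disks: deny write access</string>
    <string id="DenyBurn">Optical drives: deny burning</string>
  </stringTable></resources></policyDefinitionResources>"""

def load_policies(admx_text, adml_text):
    """Return one dict per policy, display names resolved from the ADML."""
    strings = {s.get("id"): (s.text or "").strip()
               for s in ET.fromstring(adml_text).iterfind(".//pd:string", NS)}
    rows = []
    for pol in ET.fromstring(admx_text).iterfind(".//pd:policy", NS):
        ref = pol.get("displayName", "")
        # "$(string.ID)" points into the language file; unresolved tokens are kept visible.
        sid = ref[9:-1] if ref.startswith("$(string.") and ref.endswith(")") else None
        enabled = pol.find("pd:enabledValue/pd:decimal", NS)
        rows.append({
            "name": pol.get("name"), "scope": pol.get("class"),
            "display": strings.get(sid, ref),
            "registry": pol.get("key") + "\\" + pol.get("valueName", ""),
            "enabled_value": int(enabled.get("value")) if enabled is not None else None,
        })
    return rows

if __name__ == "__main__":
    print(*load_policies(ADMX, ADML), sep="\n")
```

The third policy has no matching string in the language file, so its display name comes back as the raw `$(string.Missing)` token, which is how an incomplete translation shows up when auditing templates.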

As with earlier versions, these files can be stored centrally on the domain controller; they are deployed using a revamped File Replication service. Moreover, earlier versions of Group Policy were "attached" to the Winlogon service. This doesn't apply anymore; a new, dedicated service was introduced to alleviate further problems.

Multiple Local Group Policy Objects [MLGPO] represent yet another new functionality that allows system administrators to create and manage different levels of local group policy objects. This is astonishingly useful in those situations where the GPO isn't linked to a domain container, since domain-based management doesn't exist.

Now let's see the group policy categories where noticeable improvements can be seen. It's quite a laundry list:

Antivirus, Background Intelligent Transfer Service (BITS), Client Help, Deployed Printer Connections, Device Installation, Disk Failure Diagnostic, DVD Video Burning, Enterprise Quality of Service (QoS), Hybrid Hard Disk, Internet Explorer 7, Networking: Quarantine, Networking: Wired Wireless, Power Management, Removable Storage, Security Protection, Shell Application Management, Shell First Experience, Logon, and Privileges, Shell Sharing, Sync, and Roaming, Shell Visuals, Tablet PC, Terminal Services, Troubleshooting and Diagnostics, User Account Protection, Error Reporting.

You surely recall that at the beginning of this article, I claimed that the total count of policies has reached 2495. Well, Microsoft published an .xls-based Excel spreadsheet listing all of the policies with their scope, path, and full name. You can download the 2MB file from this page; it's called VistaGPSettings.xls.

On the next page we'll describe a few scenarios that are supported with the new policies that Vista brought, but until then, we still need to tackle a few extra additions regarding the "inner working" of the new Vista GPOs. First of all, the replication traffic and the size of Sysvol were reduced by quite a respectable amount.

A new Group Policy Client Service also increases overall performance, as we already mentioned (before Vista, Group Policy was attached to Winlogon). Furthermore, the event logging structure was totally revamped. This equates to improved logs (i.e., the Group Policy Operational log), and thus easier and much clearer all-around administration.

And finally, some of the most dramatic changes were reported from the so-called Network Location Awareness [NLA] service. The introduction of this service literally sped up network responsiveness thanks to faster boot times, more reliable policy application (combined with the new Client Service), and better roaming support.

The aforementioned service improved the way clients communicate with the domain controller. With earlier versions the group policy relied on ICMP packets to determine connection specifications in order to deliver the policies. This sometimes produced high latency lags. This service eliminated the reliance on ICMP packets; now the NLA service handles and reports everything itself. It is much faster!

Now let's see some real-world scenarios that are supported right away by different group policy options and/or templates, and which simply couldn't have been handled using earlier Group Policies. With Vista, they're supported "out of the box."

Improvements, Continued

First and foremost, companies all around the world were coming up with ingenious solutions to increase their security in terms of removable media such as USB sticks, optical media (due to the sudden spread of CD/DVD burners), and so forth. One of the most viable options was to block USB access as well as disable the burning capability of the optical drive. These were possible by relying on third-party applications.

However, Vista's new Group Policy brings administration policies (Local Security Policy -> Computer Configuration -> Administrative Templates -> System -> Removable Storage Access) that can do this right away. Microsoft always claims that they're doing their best in terms of listening to the feedback they receive and acting accordingly. This time their new set of improvements surely means something.

As you can see, there are various configurable templates in that group policy node. Ultimately it all comes down to your requirements (such as read or write permissions). Moreover, improvements were also made to the Power Management and Printer templates. There are numerous options that can be configured in order to fine tune the power management specs. Enforcing "sleep" and "standby" states is useful.

Aside from the removable media control and power management settings, there are lots of new security templates that enforce policies based on the UAC (User Account Control). UAC is a new technology introduced in Vista. It targets the all-around security of the operating system by limiting the permission of users to install and launch applications which an administrator doesn't approve beforehand.

The new group policy templates allow more than a few options to be enforced throughout a GPO. This once again increases the security of the computers connected to the company's infrastructure. Furthermore, improvements were also made to Vista's notification system. With the new group policies you can fine tune the amount (their frequency along with their types) of notifications shown.

A bit earlier we mentioned new policies regarding printers. That's right, what we mean here is that you can enforce the use of specific printers at particular locations. Thus people/employees won't just print anywhere they'd like. This can turn into quite an issue when an employee unintentionally prints a test document on the boss' printer. Admittedly, this is an extreme case; it applies better in the case of shared printers.

The QoS (Quality of Service) centralized traffic management can also be enforced via the new group policies. Moreover, lots of additional options were included to let you easily configure the Internet options of Internet Explorer 7.0, just as the management of NAP (Network Access Protocol) is also possible. The security of Remote Desktop was thoroughly enhanced and new useful policies can be enforced on it as well.

Summing these up, ultimately it's up to the system administrators to decide which of these 2495 policies and/or templates are going to be used. However, we'd like to point out that it is generally an excellent idea to re-use and leverage the ready-to-apply GPO settings and configurations published by Microsoft as "samples."

It's stated right in the Microsoft documentation that you shouldn't be surprised when you find out that your very own needs don't differ that much from the needs of other companies and usually other IT infrastructures located anywhere in the world.

Sometimes it's most efficient and cost-effective to grab an already-prepared solution instead of designing everything from scratch. This, once again, depends on your needs. As you will see, updates and modifications can be applied later on, totally seamlessly.

Final Thoughts

You've reached the end of this article. By now you should know about the most important changes, additions and new features that Vista brought in terms of centralized management and configuration. Group Policies are quite easily understandable, but also a powerful part of the Active Directory environment.

System administrators all over the world rely on group policies in their endeavors, because working with them is quite easy once you understand the basics regarding GPOs and know where to find what you really need (e.g. options). In the real world, a company's infrastructure is almost always already designed, so your task is just to add finishing touches and apply modifications here and there.

When a major migration takes place, such as changing your Windows Server operating systems from 2003 to 2008 and transferring the FSMO roles onto the new Active Directory domain controller, it is definitely worthwhile to look in the changelogs to get the most out of the new functionalities and improvements. The same applies to Vista's (and Windows 2008 Server's) new Group Policy.

The beauty of group policies is that they offer a centralized solution that comes "right out of the box," since it integrates seamlessly into Active Directory. Therefore, we can just set the necessary settings and work on the templates. Ultimately, it comes down to the system administrators to look into the issues and find out what's going on.

Windows Vista features over 800 totally new policy settings. Imagine what the chances are that what you need is already supported and can be enabled and/or configured with just a few clicks! For example, speaking from personal experience, some of our earlier workarounds weren't necessary anymore because native support was added.

And finally, we can't really finish without inviting you to join our helpful forums at DevHardware Forums. We have a strong base of resident professionals, enthusiasts, and tech experts. If you want to hear opinions on some service or ask for clarification regarding some details, just send us your questions. We'll do our best to help. You may also want to pay a visit to the forums of our "sister" site, DevShed Forums.

© 2003-2012 by Developer Shed. All rights reserved.