Published on Windows DevCenter (http://www.windowsdevcenter.com/)


An Inside Look at Group Policy in Windows Vista

by Mitch Tulloch, author of Windows Server Hacks
03/07/2006

Group Policy is the primary method for remotely managing the security and configuration of computers throughout an Active Directory-based network. With the upcoming release of Windows Vista, many aspects of Group Policy will remain the same, but a few important things will change. This article takes a quick look at these changes and how they impact day-to-day administration of a Windows network.

Under the Hood

A significant change to how Group Policy works is the new format for files controlling registry-based settings. In earlier versions of Windows, these settings are exposed to the Group Policy Object Editor (GPOE) by plain text files called administrative template (ADM) files, which are located by default in the folder %Windir%\inf. Examples of ADM files include system.adm (operating system settings), inetres.adm (Internet Explorer restrictions), and so on. The syntax of these ADM files is documented and can be used to create your own custom ADM files to lock down registry settings not exposed to the GPOE by default. Here's a small slice of system.adm to illustrate what it looks like:

"SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts"
                    VALUENAME "Enabled"
                    VALUEON NUMERIC 1
                    VALUEOFF NUMERIC 0

                    PART !!WF_OpenPorts_Show
                        LISTBOX
                        KEYNAME

What's changed in Vista is that the syntax for these files that expose registry-based settings in the GPOE now uses XML, and the associated files themselves are now called ADMX files. These ADMX files are found on the local machine in the folder %Windir%\PolicyDefinitions, and a slice of system.admx corresponding to the portion above looks like this:


    <policy xsi:type="reg:RegistryPolicyDefinition" name="WF_OpenPorts_Name_1" class="Machine"
         displayName="$(resource.WF_OpenPorts_Name)" explainText="$(resource.WF_OpenPorts_Help)"
         presentation="$(presentation.WF_OpenPorts_Name_1)"
         key="SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts" valueName="Enabled">
      <memberOf ref="WF_Profile_Domain" />
      <supportedOn ref="SUPPORTED_WindowsXPSP2" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
      <element xsi:type="reg:RegistryPolicyElement" key="SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List">
        <list id="WF_OpenPorts_Show" additive="true" />
      </element>
    </policy>
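Because an ADMX definition is ordinary XML, it can be parsed to list exactly which registry values a policy setting writes, which is a useful audit step before deploying a GPO. The following is an added Python example, not code from the article or from Windows; it embeds a constructed copy of the slice above and assumes a surrounding <policies> root element with an xmlns:xsi declaration so the fragment parses as a document.

```python
# Added example, not from the article: parse an ADMX policy definition and
# report the registry value a GPO setting writes. ADMX_SAMPLE is constructed
# from the article's slice; the <policies> wrapper and xmlns:xsi are assumptions.
import xml.etree.ElementTree as ET

ADMX_SAMPLE = r"""<policies xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <policy xsi:type="reg:RegistryPolicyDefinition" name="WF_OpenPorts_Name_1" class="Machine"
      key="SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts"
      valueName="Enabled">
    <memberOf ref="WF_Profile_Domain" />
    <supportedOn ref="SUPPORTED_WindowsXPSP2" />
    <enabledValue><decimal value="1" /></enabledValue>
    <disabledValue><decimal value="0" /></disabledValue>
    <element xsi:type="reg:RegistryPolicyElement"
        key="SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List">
      <list id="WF_OpenPorts_Show" additive="true" />
    </element>
  </policy>
</policies>
"""

HIVES = {"Machine": "HKLM", "User": "HKCU"}  # ADMX policy class -> registry hive


def _decimal(node):
    """Integer from <decimal value="N"/> under node, or None when absent."""
    d = node.find("decimal") if node is not None else None
    return int(d.get("value")) if d is not None else None


def parse_registry_policies(admx_xml):
    """One dict per <policy>: the value it toggles plus any list sub-keys."""
    policies = []
    for pol in ET.fromstring(admx_xml).iter("policy"):
        policies.append({
            "name": pol.get("name"),
            "hive": HIVES.get(pol.get("class"), pol.get("class")),
            "key": pol.get("key"),
            "valueName": pol.get("valueName"),
            "enabled": _decimal(pol.find("enabledValue")),
            "disabled": _decimal(pol.find("disabledValue")),
            # <element key=...><list/></element>: extra key the list items land in
            "lists": [{"id": lst.get("id"), "key": el.get("key"),
                       "additive": lst.get("additive") == "true"}
                      for el in pol.findall("element") for lst in el.findall("list")],
        })
    return policies


def registry_write(policy, enabled):
    """(hive, key, valueName, type, data) written when the setting is Enabled/Disabled."""
    data = policy["enabled"] if enabled else policy["disabled"]
    return (policy["hive"], policy["key"], policy["valueName"], "REG_DWORD", data)
```

Running parse_registry_policies(ADMX_SAMPLE) shows the single firewall policy writing HKLM\SOFTWARE\Policies\...\GloballyOpenPorts\Enabled as 1 or 0, with the port list stored under the adjacent \List key.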


What's the advantage of using this new ADMX format? First, Longhorn Server will give you the option of centrally storing all ADMX files in your SYSVOL share. Specifically, you'll be able to store ADMX files in the folder %systemroot%\sysvol\domain\policies\PolicyDefinitions\ if you want to, as opposed to storing ADM files within each Group Policy Object (GPO) in SYSVOL. Recall that existing versions of Windows in a domain environment store ADM files in %SystemRoot%\SYSVOL\sysvol\domain name\Policies\{GPO_GUID}\Adm, where {GPO_GUID} is a folder named after the globally unique identifier (GUID) of each particular GPO. So if you have twenty GPOs (which is not unusual in a medium-sized single-domain environment), there will be twenty copies of each ADM file stored in SYSVOL. This adds unnecessarily to the replication traffic when the File Replication Service (FRS) replicates the contents of SYSVOL between domain controllers in your domain. In Longhorn Server, however, you'll be able to store a single copy of each ADMX file in SYSVOL, and replication traffic will thus be reduced, which is good. Of course, this only works if your client machines are running Windows Vista, since earlier versions of Windows don't support ADMX files.

Second, the new ADMX format allows for GPOE to display registry-based policy settings in any language, specifically, in the language of the user viewing the GPO. So a German administrator in Berlin could open GPOE and modify a GPO setting displayed in German, and when a French admin in Paris opens the same GPO using her GPOE, the settings are displayed in French. And that's not just gut, it's bon! This functionality should also be available when Vista itself is released (that is, prior to Longhorn Server being released) but will likely require some manual steps to set it up properly, for example copying the ADMX files to a folder you create in SYSVOL.

Group Policy Processing

Next, in terms of how Group Policy is processed, the new Network Location Awareness feature of Vista will provide a lot more flexibility to ensure Group Policy is properly applied in a variety of situations. For example, in earlier versions of Windows, Group Policy is processed when the computer starts up (machine policies), when the user logs on (user policies), and periodically during background refresh (both machine and user policies, usually). In Vista, however, policy can be processed when your computer establishes a VPN connection with a remote site (a big security improvement), when it comes out of hibernation or standby, when you dock your laptop, and so on. This means your computer is more likely to always have the latest Group Policy settings applied to it, which ensures greater security. Additionally, the Network Location Awareness feature doesn't use ping, which means that administrators can configure firewalls to block ICMP messages without any worry that doing so may cause problems with how Group Policy is processed.

At the Policy Level

Finally, at the level of specific Group Policy settings, Vista (and Longhorn) will introduce some changes and some new kinds of policies you can configure. One notable change is that Windows Firewall policy settings will be moved from Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall to Computer Configuration\Windows Settings\Windows Firewall With Advanced Security (see Figure 1):

Figure 1. Configuring Windows Firewall using Group Policy.

Another change in Vista is the addition of a number of new kinds of policy settings for features like power management, blocking installation of devices like USB storage keys, assigning printers to users based on their location on the network, and so on. These additional settings make Vista more manageable and more securable than previous versions of Microsoft Windows and are another good reason why businesses should consider upgrading their desktops to Vista once it's released. For example, simply being able to configure power management settings using Group Policy could save you around $50 per year per desktop computer on your network, and in a medium or large network that can add up to substantial savings.

Conclusion

Group Policy is a powerful tool for managing the security and configuration of computers throughout your enterprise, and with Windows Vista (and ultimately Longhorn Server), Group Policy gets even better.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.


Copyright © 2009 O'Reilly Media, Inc.