Group Policy Frequently Asked Questions (FAQ)

Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. This infrastructure consists of a Group Policy engine and multiple client-side extensions (CSEs) responsible for writing specific policy settings on target client computers.

More information: Core Group Policy Technical Reference

Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template. The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for Group Policy Software Installation. The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain.

More information: Core Group Policy Technical Reference

Group Policy preference extensions are more than 20 Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO). These extensions, formerly known as the DesktopStandard PolicyMaker Family, provide greater manageability of the Windows platform by bringing increased detail and control to IT professionals.

More information:

• Group Policy Preferences Frequently Asked Questions
• Group Policy Preferences Overview White Paper

Group Policy is an infrastructure in which IT administrators can implement standard computing environments for groups of users and computers and includes both Registry-based and Security Policy. Registry-based policy is one of the many features of Group Policy that uses Administrative templates to modify the registry settings for policy-enabled components included in Windows. Security Policy, another feature delivered by Group Policy, includes a variety of security-related settings for Microsoft Windows.

More information: Core Group Policy Technical Reference

A good starting point would be the Microsoft Group Policy TechCenter. There, you can view a variety of information on Group Policy, including a 14-part webcast series on the Fundamentals of Group Policy.

More information:

• Group Policy TechCenter Web Site
• Group Policy Webcasts

Yes, virtual labs are available on the Microsoft TechNet Virtual Lab Web site. There are more than ten different Group Policy virtual labs that cover basic topics such as basic administration and planning and deployment, and advanced topics such as processing and troubleshooting.

More information: Microsoft TechNet Virtual Lab Web Site

First, read the Introduction to Group Policy in Windows Server 2003 white paper, which will give you a basic understanding of Group Policy and its dependencies. Next, follow the instructions to download the Group Policy Management Console (GPMC). You use GPMC to manage and view Group Policy objects (GPOs). You use Group Policy Object Editor to edit policy settings. With more than 1,700 policy settings, knowing where to begin can be challenging. For ideas about planning how to use policy settings for specific management goals, see Implementing Common Desktop Management Scenarios with Group Policy Management Console.

More information:

• Introduction to Group Policy in Windows Server 2003 White Paper
• Group Policy Management Console (GPMC)
• Implementing Common Desktop Management Scenarios with Group Policy Management Console

You can join a Windows Vista workstation to your existing domains in order to benefit from the new features in GPMC. GPMC is integrated directly into the Windows Vista operating system (Business, Enterprise, and Ultimate versions only) and is the standard tool for managing Group Policy along with Group Policy Object Editor. New Windows Vista features are not included in the current version of GPMC, downloadable from the Microsoft Download Center.

More information: Group Policy Management Console

The current version of GPMC operates on the 32-bit versions of Windows XP and Windows Server 2003 and can manage remote Group Policy objects on 64-bit domain controllers. The current version of GPMC does not include a 64-bit version, and the 32-bit version does not run on 64-bit platforms. Windows Vista includes 32-bit and 64-bit versions of GPMC.

More information: Group Policy Management Console

Creating a Group Policy object will create a Group Policy container object, stored in Active Directory, and a Group Policy template, stored on the Sysvol of the domain controller. Both are limited only to the amount of free disk space.

More information: Introduction to Group Policy in Windows Server 2003 White Paper

A user or computer cannot process more than 999 Group Policy objects. Windows Vista writes a Windows-GroupPolicy error event with an event ID of 1088 to the system event log when a user or computer attempts to process more than 999 Group Policy objects.

More information: Troubleshooting Group Policy Using Event Logs

The Microsoft Information Technology Group has published an IT Security at Microsoft white paper that describes designs, troubleshooting, and lifecycle management of Group Policy.

More information: IT Security at Microsoft White Paper

At Microsoft, Group Policy objects (GPOs) tend to contain a small number of individual settings, typically 5–20 settings. Microsoft has found it easier to manage a large number of GPOs, each with a small group of settings, than to manage a few Group Policy objects with a large number of settings. This approach maximizes flexibility in defining who gets a set of settings and minimizes the need for frequent changes of core policies.

More information: Core Group Policy Technical Reference

You cannot apply a Group Policy object directly to a security group. However, you can use security filtering to refine which users or computers will receive and apply Group Policy settings. The Group Policy Management Console (GPMC) is the tool to manage security filtering. For more information about security filtering, see the Core Group Policy Technical Reference.

More information: Core Group Policy Technical Reference

Microsoft provides two management consoles to administer Group Policy. The Group Policy Management Console (GPMC) consists of a Microsoft Management Console (MMC) snap-in and a set of scriptable interfaces for managing Group Policy objects (but not Group Policy settings). Group Policy Object Editor, also a Microsoft Management Console, is used to edit the individual settings contained within each Group Policy object.

More information: Group Policy Management Console

Microsoft has a dedicated list of third party tools and extensions for Group Policy on the Group Policy TechCenter.

More information: Third-Party Tools and Extensions for Group Policy

See the Group Policy Settings Reference for documentation of available policy settings. You can also search for policy settings using the Help and Support Center on Microsoft Windows XP.

More information: Group Policy Settings Reference

The Group Policy Management Console provides a way to import, export, back up, and restore Group Policy objects. In addition, there are several script files that provide this same functionality using the command line.

More information: Group Policy Management Console

Yes, you can audit changes to Group Policy objects. However, the data that is included in the audit is limited. The Microsoft Developers Network contains an excellent blog on how to enable auditing for Group Policy and explains how to interpret the event log messages.

More information: How to Enable Auditing for Group Policy

The former GPOVault Enterprise offering from DesktopStandard has been replaced by the new Microsoft Advanced Group Policy Management (AGPM). AGPM is included as part of the Microsoft Desktop Optimization Pack for Software Assurance.

More information:

• AGPM
• Third-Party Tools and Extensions for Group Policy

Administrative Template (ADM) files are included by default in each Windows operating system. These are: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. An archive of all previous Administrative Template files is also available from the Microsoft Download Center.

More information: Group Policy ADM Files

Group Policy for computers is triggered at computer startup. For users, Group Policy is triggered when they log on. Versions of Windows before Windows XP as well as Windows Server 2003 use synchronous processing, meaning that computer Group Policy is completed before the logon dialog box is presented. User Group Policy is completed before the shell is active and available for the user to interact with it. Windows XP defaults to asynchronous policy processing. By default, Group Policy is refreshed every 90 minutes with a randomized delay of up to 30 minutes, for a total maximum refresh interval of up to 120 minutes. This interval can be changed using the computer policy setting Group Policy refresh interval for Computer located in the Computer Configuration\Administrative Templates\System\Group Policy namespace. The processing of Group Policy is explained in the Core Group Policy Technical Reference.

More information: Core Group Policy Technical Reference

Under synchronous processing, there is a time limit of 60 minutes for all of Group Policy to finish processing on the client computer. Any client side extensions (CSE) that are not finished after 60 minutes are signaled to stop, in which case the associated policy settings might not be fully applied.

More information: Group Policy TechCenter Web Site

The Security client side extension will process policy on the computer startup, and the extension will refresh with every Group Policy refresh. Most client side extensions, including the security extension, will not attempt to read or write settings on a refresh unless the version number of the policy has increased, which would indicate the policy has been modified. The security extension will process the security settings on the next refresh after 16 hours have expired without any policy changes. In addition, this value and refresh values for other CSEs may be modified using Group Policy Object Editor. Information that is more detailed can be found in the Security Settings Extension Technical Reference.

More information: Security Settings Extension Technical Reference

Group Policy can apply to any user or computer with access control entry for Read and Apply Group Policy.

More information: Group Policy TechCenter Web Site

There is a section in the Microsoft Platform Software Developer Kit (SDK), which details how to interact with Group Policy objects and Group Policy Object Editor. The Group Policy Management Console SDK provides detailed information about how to manage Group Policy objects.

More information:

• Microsoft Platform SDK
• General Information About Group Policy
• Group Policy Management Console SDK

Administrative Templates and Security Settings are applied over a slow link and the behavior cannot be changed. By default, Software Installation, Scripts, and Folder Redirection will not process over a slow link. You can change the default Policy process behavior for these client side extensions using Group Policy Object Editor. These settings are located at Computer Configuration\Administrative Templates\System\Group Policy.

More information: Group Policy TechCenter Web Site

You can manage Internet Explorer in two ways.

You can use Administrative Template policy settings located in Administrative Templates\Windows Components\Internet Explorer. For example, you can use policy settings to manage Internet Explorer security options. These are the same options that you see in the Internet Explorer UI when you click Tools, point to Internet Options, and then click Security. There are more than 500 policy settings delivered by the Inetres.adm file, which is included by default in the operating system. For more information about managing Internet Explorer with registry-based policy, see Managing Windows XP Service Pack 2 Features Using Group Policy.

In addition, you can use the Internet Explorer Maintenance Extension to manage Internet Explorer settings in a domain-computing environment using Group Policy. You can customize the appearance of the browser, preset and manage browser connection settings, set the default URLs displayed by the browser, and set the default programs used for each Internet service. Additionally, you can preset the security zone, content rating, certification authority, and Authenticode settings. For more information, see Internet Explorer Maintenance Extension Technical Reference.

It is recommended to manage Internet Explorer using Administrative Template policy settings whenever possible because these policy settings are always written to a secure tree in the registry, which means users cannot change them either by using the UI or modifying the registry.

More information:

• Managing Windows XP Service Pack 2 Features Using Group Policy
• Internet Explorer Maintenance Extension Technical Reference

In normal mode, policy settings are mandatory and used to enforce security, interface, and other Internet Explorer settings, ensuring users cannot change those settings. In preference mode, you can configure default settings, but allow users to change their own settings by using the Internet Explorer user interface. This mode provides users with the same starting configuration for their browsers, but enables them to personalize the configuration.

More information: Group Policy TechCenter Web Site

Trusted sites policies can be set at the computer or user level and are located at the relative path of administrative templates: \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.

More information: Group Policy TechCenter Web Site

Internet Explorer Maintenance (IEM) settings need to be imported before they can be modified. They are read from the current Internet Explorer settings located on the current computer from which you are editing from-usually your administrative workstation. This explains why you can see different settings when editing IEM policy settings when you move to a different computer or change the Internet Explorer settings on your current computer.

More information: Group Policy TechCenter Web Site

There are some settings the Group Policy Management console will partially report or will not report at all. The reports indicate only whether Content Ratings and Connections are deployed and do not report the details of those settings. New settings only available in Preference mode will not be displayed. Details of customized Java settings, if specified, are not shown. Customized Java settings will appear as “Custom.” For more information, see Administering Group Policy with Group Policy Management Console.

More information: Administering Group Policy with Group Policy Management Console

Security policies are rules that administrators configure on a computer or multiple computers for protecting resources on a computer or network. The Security Settings extension of the Group Policy Object Editor snap-in allows you to define security configurations as part of a Group Policy object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and enable administrators to manage security settings for multiple computers from any computer joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization.

More information: Group Policy TechCenter Web Site

Domain password policies may be enabled and linked at the domain only. This limitation is because of the design of where these values are stored in Active Directory. Password policy settings, such as Minimum Password age, Maximum Password age, and Minimum Password length are stored as attributes on the domain object in Active Directory. The current design does not allow these values to read from any other object. Password policy settings linked at other containers will not affect domain users, but will apply to local users of the computer.

More information: Group Policy TechCenter Web Site

The security database in Windows 2000 had a specific table to store local security policy settings. This approach was changed in Windows XP and Windows Server 2003. Local security policy settings are written directly to their respective locations in the registry.

More information: Group Policy TechCenter Web Site

Under some circumstances, Windows Security Settings remain in effect after being set to undefined. In some cases, these security settings need to be explicitly overwritten to be removed. For more information, see Windows Security Settings remain in effect after removal.

More information: Windows Security Settings Remain in Effect After Removal

Registry-based policy is a way to use Group Policy to centrally manage client registry keys. Registry-based policy is a combination of a server side snap-in for configuring registry-based policy and a client side extension designed to apply the registry-based policy by creating and configuring the client registry keys.

Registry-based policy settings are stored in any of the four Group Policy keys listed below. The approved registry locations for policy settings are listed below.

For computer policy settings: HKLM\Software\Policies (the preferred location); HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

For user policy settings: HKLM\Software\Policies (the preferred location); HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

More information: Administrative Templates Extension Technical Reference

ADM files are UNICODE text files that Group Policy uses to describe where registry-based policy settings are stored in the registry. All registry-based policy settings appear and are configured in Group Policy Object Editor under the Administrative Templates node. ADM files do not apply policy settings; they simply enable administrators to view the policy settings in Group Policy Object Editor. Administrators can then create Group Policy objects (GPOs) containing the policy settings that they want to use.

ADM files can only support setting the registry under the HKLM or HKCU locations of the registry. If the ADM file contains registry settings for registry keys outside the approved registry locations for policy settings, the settings will be preferences instead of policies. ADM files are being replaced in Windows Vista and Windows Server 2008 operating systems.

More information:

• Administrative Templates Extension Technical Reference
• Using Administrative Template Files with Registry-Based Group Policy

Windows Vista and Windows Server 2008 operating systems introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category) are defined using a standards-based, XML file format, known as ADMX files. These new files replace ADM files, which used their own markup language. The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.

To download the Administrative template files for Windows Server 2008, see Administrative Templates (ADMX) for Windows Server 2008 ( http://go.microsoft.com/fwlink/?LinkId=116434).

More information:

• Administrative Templates Extension Technical Reference
• Step-by-Step Guide to Managing Group Policy ADMX Files

In addition to ADMX files, Windows Server 2008 and Windows Vista include ADML files, which are XML-based ADM files that contain language-specific settings. All ADML files are stored in a language-specific folder. For example, English (United States) ADML files are stored in a folder that is named “en-US.” By default, the %Systemroot%\PolicyDefinitions folder on a local computer stores all ADML files for all languages that are enabled on the computer; the same folder also stores ADMX files, which are language-neutral. ADML files can be changed to support any new language without the need to modify ADMX files. When you edit a Group Policy object (GPO), the Group Policy Object Editor will detect the language version of Windows that is being used and will load the appropriate ADML files.

To download the Administrative template files for Windows Server 2008, see Administrative Templates (ADMX) for Windows Server 2008 ( http://go.microsoft.com/fwlink/?LinkId=116434).

More information:

• Administrative Templates Extension Technical Reference
• Step-by-Step Guide to Managing Group Policy ADMX Files

Yes. Group Policy Object Editor and Group Policy Management Console continue to recognize other earlier ADM files you have in your existing environment; specifically any custom ADM files or any ADM files not delivered by default in the operating system found in a GPO will be consumed by Group Policy Object Editor and Group Policy Management Console. The tools will not recognize earlier ADM files that were included by default in the operating system, such as System.adm and Inetres.adm.

More information: Step-by-Step Guide to Managing Group Policy ADMX Files

You can administer Group Policy settings affecting Windows Vista and earlier operating systems from a Windows Vista workstation. ADMX files are supported only on the Windows Vista operating system. Copying ADMX files to earlier operating systems will have no effect.

More information:

• Administrative Templates Extension Technical Reference
• Step-by-Step Guide to Managing Group Policy ADMX Files

No. Earlier versions of the Group Policy Management Console and the Group Policy Object Editor do not support ADMX files; they support only ADM files. To take advantage of the benefits of ADMX files, you should use the Group Policy Management Console included with Windows Vista.

More information: Deploying Group Policy Using Windows Vista

Administrative Template files are included by default in each Windows operating system. These are: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. An archive of all previous Administrative Template files is also available from the Microsoft Download Center.

More information: Group Policy Administrative Template File Download

By default, Group Policy Object Editor will show only Group Policy settings that can be fully managed. This will result in the Group Policy Object Editor only displaying settings from an ADM file that are policies corresponding to the four registry locations mentioned in the "What is registry-based policy?" section of this FAQ.

If your custom ADM file contains preference settings whose registry locations are outside of the four registry locations for policy settings, then you must follow this procedure to display the ADM file settings.

To view preference settings for all ADM files in the Group Policy Object Editor:

1. Right-click any administrative template node and then click View.
2. Click Filtering and in the filtering dialog box, clear the check box for Only show policy settings that can be fully managed.
3. Click OK.

More information: Using Administrative Template Files with Registry-Based Group Policy

In Group Policy for versions of Windows earlier than Windows Vista, if you modify Administrative template policy settings on local computers, the Sysvol share on a domain controller within the domain is automatically updated with the new ADM files. In Group Policy for Windows Server 2008 and Windows Vista, if you modify Administrative template policy settings on local computers, Sysvol will not be automatically updated with the new ADMX or ADML files (ADML files are XML-based ADM files that contain language-specific settings). This change in behavior was implemented to reduce network load and disk storage requirements, and to prevent conflicts from occurring between ADMX files and ADML files when edits to Administrative template policy settings are made across different locales. To ensure that any local updates are reflected in Sysvol as well, you must manually copy the updated ADMX or ADML files from the PolicyDefinitions folder on the local computer to the Sysvol\PolicyDefinitions folder on the appropriate domain controller.

Important: Updates to Sysvol are replicated to all domain controllers in the domain, which results in increased network traffic and load placed on the domain controllers. Therefore, to minimize the impact of this operation in your domain, we recommend that you schedule the copying of updated Administrative templates to Sysvol outside core business hours.

To download the Administrative template files for Windows Server 2008, see Administrative Templates (ADMX) for Windows Server 2008 ( http://go.microsoft.com/fwlink/?LinkId=116434).

More information:

• Administrative Templates Extension Technical Reference
• Step-by-Step Guide to Managing Group Policy ADMX Files

Administrative Template policy settings do not support binary values.

More information: Using Administrative Template Files with Registry-Based Group Policy

The registry.pol file contains the current set of registry policy settings defined in the computer or user portion of a GPO. You can find the registry.pol file inside a GPO under the machine or user directory. You can use the regview.exe tool provided in the Windows 2003 Resource Kit Tools to view the contents of any registry.pol file.

More information: Windows Server 2003 Resource Kit Tools

See the Group Policy Settings Reference for documentation of available registry-based or Administrative Template policy settings. You can also search for policy settings using the Help and Support Center on Windows XP.

More information: Group Policy Settings Reference

The software installation extension of Group Policy enables you to provide on-demand software installation and automatic repair of applications. Group Policy offers a convenient method for distributing software, especially if you are already using Group Policy for other purposes such as securing your client and server computers. However, a Group Policy-based software installation has some basic limitations, including difficulties with scheduling installation, consistently managing network bandwidth, and providing feedback on the status of the installation. If you need to carefully schedule installations, manage network use, perform hardware and software inventory, or monitor installation status, consider using Microsoft Systems Management Server (SMS). For more information about software distribution, see Deploying a Managed Software Environment.

More information: Deploying a Managed Software Environment

Group Policy is not designed to deliver security updates. Microsoft Update Services was specifically developed to enable information technology administrators to deploy the latest Microsoft product updates to Microsoft Windows Server 2000, Windows Server 2003, and Windows XP operating systems. Windows Server Update Services allows you to fully manage the distribution of updates that are released through Microsoft Update to computers in your network.

More information: Microsoft Windows Server Update Services

The software installation extension assigns a Globally Unique Identifier (GUID) to each application. Applications are then installed in GUID order without any preference. Microsoft Systems Management Server (SMS) provides server-side and client-side scheduling. For more information, see the SMS 2.0 Web site.

More information: Systems Management Server 2.0 Web Site

You can use Group Policy to configure Terminal Services connection settings, set user policies, configure terminal server clusters, and manage Terminal Services sessions. You can set user policies for Terminal Services to create a consistent logon experience for all Terminal Services users by employing loopback processing for evaluating Group Policy objects (GPOs).

More information: Introduction to Loopback Processing

Group Policy loopback processing can be used to alter the application of GPOs to a user by including GPOs based on the location of the computer object. The typical way to use loopback processing is to apply GPOs that depend on the computer to which the user logs on.

More information: Introduction to Loopback Processing

For the latest information, see Troubleshooting Group Policy Problems.

More information: Troubleshooting Group Policy Problems

There could be several factors that can affect changes not applying to your computer. One of the more common reasons is because domain-joined computers require contacting a domain controller to update policy. If a domain controller is not available, policy stops processing. For more information, see the section Background Refresh of Group Policy in the Core Group Policy Technical Reference.

More information: Core Group Policy Technical Reference

If the computer is a member of a domain, it will still need to contact a domain controller to apply new policy settings. Non-domain computers will apply new policy settings only when the version numbers have increased. Copying the registry.pol will not increase the version number in the GPT.INI. You will need to increase this value by one for new settings to apply.

More information: Core Group Policy Technical Reference

Microsoft Knowledge Base Article 842933 describes these symptoms and resolutions for Windows Server 2003, Windows XP, and Windows 2000 Service Pack 3 operating systems.

More information: Microsoft Knowledge Base Article 842933

If there is no change to a GPO, policy does not apply. If users change their trusted sites, policy will not change them back unless you actually update the GPO and trigger a refresh. Without a change, Group Policy will not process.

More information: Group Policy TechCenter Web Site

Group Policy in Windows Vista includes over 700 new policy settings. As a result, greater coverage of policy settings is provided across:

• Multiple components of Windows Vista.
• The Group Policy service.
• Support for multilingual environments by using ADMX files.
• Improved network awareness and reliability.
• Easier administration by including the Group Policy Management console (GPMC).

More information: What's New in Group Policy for Windows Vista

The Group Policy service no longer records information in the userenv.log. You can find detailed logging of Group Policy processing in the Group Policy operational log.

More information: How to Troubleshoot Group Policy Using Event Logs

Earlier version of Windows used ADM files to define registry-based policy settings. ADMX/ADML files replace earlier ADM files and are divided into language-neutral (ADMX) and language-specific (ADML) resource files. These new file types allow Group Policy tools to adjust their user interface according to the administrator's configured language.

More information: Managing Group Policy ADMX Files Step-by-Step Guide

You can convert ADM files to the ADMX format by using the ADMX Migrator. You can select multiple ADM files for conversion. Additionally, the ADMX Migrator provides an ADMX editor with a graphical user interface for creating and editing administrative templates. You can select settings from menus rather than entering them manually in a text file, speeding template creation and reducing the chance for error.

More information: ADMX Migrator

Yes. Windows Vista provides two new layers of Local Group Policy. You can apply Local Group Policy to local administrators or non-administrators and specific local users. These new layers compliment Local Computer policy, which remains from earlier versions of Windows.

More information: Step-by-Step Guide to Managing Multiple Local Group Policy Objects

The Group Policy tools included in Windows Vista can manage Group Policy objects for Windows Vista, Windows Server 2003, Windows XP, and Windows 2000. It is a best practice to continue to use the Group Policy tools included in Windows Vista, after you have started to use them.

More information: Deploying Group Policy Using Windows Vista

The central store is a folder created on the SYSVOL of an Active Directory domain controller and provides a single centralized storage location for ADMX and ADML files for the domain. You can create a central store on a domain controller running Windows Server 2003 R2, Windows Server 2003 SP1, or Windows 2000 Server. The creation of the central store does not require Windows Server 2008.

More information: Managing Group Policy ADMX Files Step-by-Step Guide

Windows Vista SP1 changes the tools that administrators use to manage Group Policy. Administrators requested features in Group Policy that simplify Group Policy management. To do this, Windows Vista SP1 uninstalls the GPMC; GPEdit.msc edits local Group Policy by default. GPMC for Windows Server 2008 as well as the Remote Server Administration Tools (RSAT) for Windows Vista SP1 are available. The updated GPMC includes new features such as Group Policy preferences, Starter GPOs, comments, and search and filter capabilities.

More information: Group Policy Preferences Overview

GPOVault Enterprise was transformed into Microsoft Advanced Group Policy Management (AGPM) and included as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance beginning in summer 2007. For more information, see Microsoft Desktop Optimization Pack for Software Assurance.

PolicyMaker Standard Edition, Share Manager, and Registry Extension are integrated into the Group Policy Management Console for Windows Server 2008 and the Remote Server Administration Tools (RSAT) for Windows Vista with Service Pack 1 as Group Policy preferences.

More information:

• Group Policy Preferences Frequently Asked Questions
• Download: RSAT for Windows Vista SP1 32-Bit Edition
• Download: RSAT for Windows Vista SP1 64-Bit Edition

PolicyMaker Standard Edition and PolicyMaker Share Manager are no longer for sale as of January 31, 2008. Microsoft will continue to support existing customers of GPOVault; PolicyMaker Standard Edition, Share Manager, Registry Extension, and Software Update; and ProfileMaker products according to the terms and conditions of existing agreements.

GPOVault Enterprise was no longer sold as of January 1, 2007, and was transformed into Microsoft Advanced Group Policy Management (AGPM). It is now available as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance. For more information, see MDOP.

PolicyMaker Standard Edition, PolicyMaker Share Manager, and PolicyMaker Registry Extension are integrated into the Group Policy Management Console for Windows Server 2008 and RSAT for Windows Vista with Service Pack 1 as Group Policy preferences. For more information, see Group Policy Preferences Frequently Asked Questions.

ProfileMaker is no longer available for purchase. Customers who need the functionality provided by this product should explore Group Policy preferences in Windows Server 2008 and Windows Vista with Service Pack 1 as alternatives.

PolicyMaker Software Update is no longer available for purchase, and update information is no longer available. Customers who need the functionality provided by this product should explore Windows Server Update Services as an alternative. For more information, see Windows Server Update Services on TechNet.

Microsoft did not acquire the PolicyMaker Application Security application in its acquisition of DesktopStandard. The PolicyMaker Application Security application was acquired by BeyondTrust Corporation.

Existing DesktopStandard customers can request additional licenses, or make changes to existing PolicyMaker or ProfileMaker licenses: Acquisition support Web site.

Because of the availability of Group Policy preferences in Windows Server 2008 and RSAT for Windows Vista SP1, PolicyMaker license keys stopped being sold after January 31, 2008. If you were an existing PolicyMaker Standard Edition or PolicyMaker Share Manager customer as of November 12, 2007, you are entitled to an unlimited license key for the PolicyMaker license you own. To request additional licenses, see the acquisition support Web site.

Microsoft discontinued ProfileMaker as of October 1, 2007. If you were an existing ProfileMaker customer as of October 1, 2007, you are entitled to an unlimited license key for the ProfileMaker license you own. To request additional licenses, see the acquisition support Web site.