
Managing Group Policy with Windows Vista (June 1, 2006)

Chat Topic: Windows Vista Group Policy
Date: Thursday, June 01, 2006

Please note: Portions of this transcript have been edited for clarity.

moderator_mark (Moderator):
This Chat gives you an opportunity to interact with members of the Group Policy Product Development teams, to post your questions about new Windows Vista Group Policy Features and Settings.

Windows Vista introduces new and enhanced Group Policy features, including improved network awareness, Group Policy Management Console (GPMC) in-box integration, and XML-format Administrative Templates files (ADMX files).

We welcome your questions about managing existing Group Policy deployments with Windows Vista (including co-existence of both ADM and ADMX template files), creating Multiple Local GPOs, creating and populating the SYSVOL Central Store for ADMX and ADML files -- here's your chance to ask the GP experts.

Introductions

JudithH [msft] (Expert):
Hi! My name is Judith Herman. I'm a Programming Writer for Group Policy. I've been working on Group Policy since Windows 2000.

rahulg [msft] (Expert):
Hi, I am Rahul Gupta. I am a developer on the Group Policy team.

Mark Williams[MSFT] (Expert):
I am Mark Williams, a Program Manager on the Group Policy team. Good morning/afternoon everyone - thanks for joining in.

moderator_mark (Moderator):
…and I'm your moderator, Mark Lawrence, also a Program Manager on the Group Policy Team. Let's get started with answering your questions...

Start of Chat

Mark Williams[MSFT] (Expert):
Q:
Please pardon my ignorance, but will there be an audio or video portion along with the Chat Room? I apologize for not figuring this out prior to the session. :$
A: This is a web-based tool (no audio) so please feel free to post your questions and we'll do our best to answer them. Thanks.

Mark Williams[MSFT] (Expert):
Q:
How does a Vista workstation handle group policy objects that are based on Windows 2000 or Windows XP Administrative Templates?
A: Two parts to this - Windows Vista will use its ADMX files (the next version of ADM files) to present all policy settings (for XP, Windows 2000, Windows Server 2003 and Windows Vista itself). However, if it happens to find a custom ADM file in the GPO being edited then it will also display the policy settings defined in that ADM file, albeit without the multi-lingual benefits of ADMX files.

Mark Williams[MSFT] (Expert):
Q:
I do understand that. I was wondering how a Vista workstation applies policy settings that were set using Windows XP ADM templates?
A: There is a distinct separation between the administrative experience (which is where ADMX/ADM files are relevant) and the application of policy. GPEdit will use ADMX / ADM files to create a registry.pol file in the GPO. That file is essentially just a record of the specific registry settings that need to be set and, as such, is completely decoupled from whether the associated policy setting was configured via an ADMX or ADM file. So, a Vista CLIENT you manage will have no awareness as to whether the policy settings were configured from Vista, XP, Windows 2000 or Windows Server 2003.

JudithH [msft] (Expert):
Q:
When will a listing of available GPO settings be available?
A: There is no ETA on when the administrative template spreadsheet will be updated to include the Vista settings prior to RTM. The current location of the spreadsheet is http://www.microsoft.com/downloads/details.aspx?FamilyID=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en

Mark Williams[MSFT] (Expert):
Q:
Are the GPO settings in Vista Beta 2 the final GPO settings for Vista that will be in RTM, or will new items possibly be added based on feedback?
A: The latter :-) We do expect that the number of settings is pretty much what we'll deliver at RTM, but if there is a compelling rationale why we need to consider additional policy settings then we'll consider this (since it's a beta). However, most teams we have worked with (>100) have been very engaged in considering their policy support, so we anticipate few, if any, additions from here.

rahulg [msft] (Expert):
Q:
What is the major difference between the GP in XP and Vista?
A: Please take a look at http://www.microsoft.com/technet/windowsvista/library/gpol/a8366c42-6373-48cd-9d11-2510580e4817.mspx?mfr=true for new Vista GP features. The new Vista GP features include responsiveness to network changes, a new format (ADMX) for administrative templates [multilingual support], and new categories of policy management.

Mark Williams[MSFT] (Expert):
Q:
What improvements do the ADMX files bring compared to the current ADM?
A: a) They are multi-lingual (associated with a single ADMX file are one or more ADML files - one per required language) b) We support the "central store" - a domain-wide repository of ADMX files (for example, when Longhorn Server / Vista SP1 comes along you'll be able to update this single store and all your admins will see any new policy settings) c) Use XML - we use a less-obscure syntax, as compared to ADM files. For example, Intellisense works in Visual Studio to walk you through the available elements...

Mark Williams[MSFT] (Expert):
Q:
Can I make feature suggestions here as well?
A: By all means

Mark Williams[MSFT] (Expert):
Q:
Do you get any additional benefits with regards to GPO if both the server and the client are Longhorn and Vista systems, as compared to Server 2003 and Vista?
A: Aside from the general benefits of Longhorn Server, we have no dependency at all on that platform. Any and all of our new features will run in Longhorn Server, Windows 2000 and Windows Server 2003 domains.

JudithH [msft] (Expert):
Q:
Do you still have my favorite thing about GPO, where sometimes you enable to disable and other times you disable to enable? That gets very confusing and users just do not get it.
A: We have made a large effort for Vista to standardize the titles and descriptions for the policy settings. This was an effort to get rid of the enable and disable in the titles. Hopefully, it will take away some of the confusion.

Mark Williams[MSFT] (Expert):
Q:
Hey guys, I have a quick question... Is there any search feature being provided to search for any of the group policies on the machine? I believe there are more than 1800 policy configurations being deployed.
A: Short answer is no - for Windows Vista. But... We are planning significant functionality in the Longhorn Server / Vista SP1 timeframe. We'll have search, filtering, comments and "templates". By the way, we'll be above 2,400 policy settings in Windows Vista so I do understand the value in this :-)

RhynierM [MSFT] (Expert):
Q:
Do we still have the issue that, if editing a GPO on a Vista machine, the server automatically sucks up the templates off that machine if they are newer?
A: Given the complexity of all the ADM automatic behaviors (especially when you get into the policy settings that control them :)), we have simplified it by ripping out all automatic behavior around ADM files. Since there won't be any ADM files on a newly installed Vista machine anyway, this is not an issue ... we are moving to ADMX files as the preferred file format anyway.

Mark Williams[MSFT] (Expert):
Q:
Are there GPOs for managing the local groups on a workstation? For example, I would like to make sure that a certain AD group is always a member of the Administrators group on a local PC.
A: Windows Vista introduces a new feature called Multiple LGPO. Aside from the "regular" LGPO you have today, you can also optionally create LGPOs for individual users or one of two groups - admins or non-admins. We do not have support for "ad hoc" local groups (just the two I mentioned).

JudithH [msft] (Expert):
Q:
Is there a way for the Restricted Groups function in Security Policy to be modified to allow a restricted group plus the ability to add individuals when needed?
A: The work on security settings for Vista is being handled by a different team. However, we'll follow up with that team and include an answer to this question in the chat transcript.

Mike [MS] (Expert):
Q:
Are there GPOs for managing the local groups on a workstation? For example, I would like to make sure that a certain AD group is always a member of the Administrators group on the local PC.
A: You can use Restricted Groups to add Domain Groups to Local groups. Restricted Groups settings are located under Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Mark Williams[MSFT] (Expert):
Q:
If we are using some custom ADMX templates and they enable certain registry settings, when we unlink the policy do they revert back, or do we still have the problem as in earlier Windows where we need to have a reverse policy set?
A: This depends on the application that responds to the policy settings. A "true policy setting" is one that is for an application that is policy aware - it knows about Group Policy and how to correctly implement policy-beats-preference logic. If your registry settings are like this they will be under <HKLM | HKCU>\Software\Policies and will have the "correct" behavior. However, if you target ad-hoc registry keys then you'll see "preference" behavior, as you describe. So, at one level, the question is really about whether the apps you wish to manage are policy aware.

RhynierM [MSFT] (Expert):
Q:
I just entered the chat, sorry for my ignorance, but when we are mentioning Group Policy, are we talking about Vista Group Policy (on the client) or are we talking about Longhorn Group Policy on the server (Longhorn Server / AD Group Policies)?
A: All of the above. Since GP is mostly a client architecture just using AD and the sysvol share to store data, any new features/changes are implemented on the client.

JudithH [msft] (Expert):
Q:
Is there going to be info published about the new group policies added under Vista/Longhorn?
A: YES – please see http://www.microsoft.com/technet/windowsvista/default.mspx

JudithH [msft] (Expert):
Q:
Is there going to be info published about the new group policies added under Vista/Longhorn?
A: The general Vista information is at: http://www.microsoft.com/technet/windowsvista/default.mspx - You can find the "What's New in Group Policy" and information on ADMX files at this location.

Mark Williams[MSFT] (Expert):
Q:
What is the migration story from Server 2003 to LH Server?
A: In relation to Group Policy, none specifically. None of our features are Longhorn Server-dependent, so a Longhorn Server - in THIS context - is no different to Windows Server 2003. Of course, it has lots of other great advantages :-)

Mark Williams[MSFT] (Expert):
Q:
Is there a way to programmatically alter the settings for a single GPO entry? Example - if I want to add multiple port exceptions to a Desktop Firewall policy, I would like to write a script to add them into a GPO and then deploy the new GPO.
A: No new capabilities in Windows Vista. However, this may be of interest (relates only to Administrative Templates) from the Group Policy WIKI: http://grouppolicy.editme.com/DeveloperIssues

Mike [MS] (Expert):
Q:
Will there be a GPO for changing the Local Admin Password?
A: This is not an option as of Beta 2; however, these policies are owned and maintained by a group outside of Group Policy.

Mark Williams[MSFT] (Expert):
A: By the way, note that the Windows Firewall team has a new administrative extension in Windows Vista. Although I am unsure of programmatic access to that extension, it's perhaps worth pointing out that the administrative UI is considerably improved over what you see in XP SP2.

rahulg [msft] (Expert):
Q:
What are the top 3 things an IT Pro should know about what is coming in Vista/LH? What are your favorite new features or changes to existing features?
A: Please take a look at http://www.microsoft.com/technet/windowsvista/library/gpol/a8366c42-6373-48cd-9d11-2510580e4817.mspx?mfr=true

Mark Williams[MSFT] (Expert):
Q:
Another stupid question, maybe. If I have a Longhorn Server Active Directory and clients are only Win XP, will all the group policies take effect, or is it a must to have Vista on the client desktop for all Longhorn Server based policies to take effect on the client?
A: Windows XP clients will receive policy just fine in a Longhorn Server domain.

Mark Williams[MSFT] (Expert):
Q:
With the larger expansion of managed items available in Windows Vista for policies, would it be better to separate groups of policy settings (Firewall, Interface, IE, etc.) into separate policy objects?
A: I'm afraid this is an "it depends" response :-) Many customers prefer to isolate functionally separate GPOs in the manner you describe. I tend to prefer that approach, but we also know of customers who have a less granular approach and have GPOs with "broad scope". It really depends on what you are managing through policy and your administrative model.

rahulg [msft] (Expert):
Q:
The current method of finding what policy to apply is tedious & time-consuming. It takes a lot of testing to figure out what to apply for a given effect. Many policies tend to cancel out one another. Is there any improvement planned?
A: There is not much improvement in Vista over XP SP2. You can use RSOP.msc or GPMC [Group Policy Modeling or Group Policy Results] to view the policies that are in effect on the client.

Mike [MS] (Expert):
Q:
How do you handle replacing the old IEAK Preference Mode policy settings for Internet Explorer with the new Managed settings (introduced with XP SP2, expanded in Vista)?
A: The IE team has slowly migrated most of the IEM settings to Registry-based policy. We expect more settings to transition as we get closer to RTM.

JudithH [msft] (Expert):
Q:
Will each individual product group be responsible for maintaining and updating GPOs, or is that centrally handled by the Vista team? For example, who makes policy updates to WMP, IE, LCS, Office?
A: Each individual product group team will be responsible for their policy settings. However, we do have a program manager centrally managing this effort for Vista.

RhynierM [MSFT] (Expert):
Q:
Are we getting an advanced version of GPMC for group policy configuration in Vista?
A: If, with "advanced version" you mean more features than the current version of GPMC, then the answer is a qualified "no". There are no big new features for GPMC in Vista. However, the big news is that GPMC is now part of the operating system. For the Longhorn Server / Vista SP1 timeframe we will have a few cool new features such as keyword searching/filtering for ADMX based settings and support for GPO templates (only registry-based, though).

Mark Williams[MSFT] (Expert):
Q:
Will it still be a best practice with the new GPO service to keep Computer settings and User settings separate?
A: Yes.

Mark Williams[MSFT] (Expert):
Q:
Thanks Mike. I asked the IEAK Preference Mode in GPO question because when SP2 first came out we were told the only way was to delete the GPO and create a new one. Is that what I am looking at?
A: The move towards ADMX files (under Administrative Templates) by the IE team is partially motivated by a desire to "play ball" with more traditional processing semantics. All of the IE settings under Admin Templates will have consistent behaviors with other such policy settings.

Mark Williams[MSFT] (Expert):
I'd like to slip in a quick mention of my TechEd 2006 presentations. I am delivering a "What's New In Group Policy for Windows Vista" presentation on Wednesday June 14th and Friday June 16th (same presentation). I'll be running through our new features, including demo's of some of the additional features we'll be shipping in Longhorn Server / Vista SP1. For any of you who happen to be in Boston for TechEd it would be great to see you there.

Can’t attend TechEd? Then watch the simulcast (Webcast) of "What's New in Group Policy for Windows Vista": http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032298090&Culture=en-US

Ad over!!

RhynierM [MSFT] (Expert):
Q:
XP-SP2 firewall blocks my ability to remotely manage workstations on my domain. I don't want to have to involve the user to repair the registry or delete a file. Is there a work-around for this?
A: There's no work-around in the sense that it is standard practice to open any ports in the firewall that you as administrator need opened for accessing a workstation. To do this you use the firewall policies to open the file share and registry access ports. For more information you can go to http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsxp.security_admin&lang=en&cr=US

moderator_mark (Moderator):
Q:
Is it possible to get a email of this chat session?
A: A transcript of the complete chat text will be available shortly after this session - and linked at the TechNet and Windows Vista Community sites.

http://www.microsoft.com/technet/community/chats/trans/
http://www.microsoft.com/windowsvista/community/default.mspx

Mike [MS] (Expert):
Q:
Why would I want my users to have GPMC as part of their desktop? Quit loading un-necessary/unwanted software in the OS!
A: You can use Group Policy to restrict users from using/opening GPMC while still allowing administrators to open GPMC. GPMC has value reporting features which are useful for troubleshooting.

RhynierM [MSFT] (Expert):
Q:
You may have answered this already, but is the ADMX file in XML format? If so, then could we manipulate the XML file programmatically and then import the file into a GPO?
A: Yes, ADMX files are in XML format. The schemas will be available so you can not only create your own ADMX files manually (as with ADM files), but you can now also use XML tools or programmatic XML libraries (e.g. .Net Framework) to create new ADMX files.

Mark Williams[MSFT] (Expert):
Q:
Is there any reason why you are already adding features to Vista SP1 when Vista isn't finished? Why not add them to regular Vista?
A: We have some important features that need to be done - based on significant customer feedback - but they are beyond scope for what we can realistically ship in Windows Vista. That said, we're well on track to getting our Vista features done and dusted, so this is all under control :-)

Mark Williams[MSFT] (Expert):
Q:
The Device Driver policy settings allow you to choose devices by ID or GUID. Will this give the ability to only allow selected devices for installation, or will it allow just a class of devices? Also, how does this allow non-administrators to install them?
A: I'm not overtly familiar with the specifics of setting these policy settings (yet!) but I do know they support class IDs as well as individual device IDs.

moderator_mark (Moderator):
Time reminder: a few more minutes remaining for our chat today. Our Experts will try to answer as many of your questions as possible in the time remaining. If you are interested, here are some documents to read TODAY from the TechNet Windows Vista Technical Library:

What’s new in Group Policy in Windows Vista -
http://www.microsoft.com/technet/windowsvista/library/a8366c42-6373-48cd-9d11-2510580e4817.mspx

New Windows Vista Group Policy settings -
http://www.microsoft.com/technet/windowsvista/library/2b8dc2fd-eafe-4c74-914c-ec101133feb4.mspx

Managing the new Windows Vista ADMX files: A step by step guide -
http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx

Mark Williams[MSFT] (Expert):
Q:
Thank you for the information. Good session and very good information.
A: Thank you. The questions asked here are very helpful to us too in understanding where we need to focus efforts in terms of docs, etc so we very much appreciate your participation.

moderator_mark (Moderator):
...and that's the end of today's Windows Vista Group Policy chat!

Thanks to all of our Guests for joining us in today's Group Policy Chat, and of course, to our Experts for being here to answer questions.

We always welcome YOUR feedback - you can send your feedback to http://www.WindowsServerFeedback.com