New features in Windows Vista Multiple Local GPOs Network Awareness ADMX Files Improved Logging Coming in Windows Server 2008 Filters Comments Starter GPOs So, what about those DesktopStandard products? GPOVault PolicyMaker
Breakout Sessions CLI331: Using Group Policy with Windows Vista and Windows Server 2008 – Mark Williams (Wed 10:15am – 11:30am, Thu 1:00pm – 2:15pm) CLI316: Microsoft Desktop Optimization Pack: Advanced Group Policy Management – Derek Melber and Winni Verhoef (Tue 4:30pm – 5:45pm) CLI405: Deep Dive Into Windows Vista Group Policy Changes and Troubleshooting – Jeremy Moskowitz (Tue 8:30am – 9:45am, Thu 9:45am – 11:00am) Chalk Talk CLI103-TLC: ADMX File Creation and Management - Judith Herman (Wed 3:45pm – 5:00pm) Hands on Lab CLI13-HOL: Managing Windows Server 2008 and Windows Vista using Group Policy – Self Study lab, throughout the week CLI13-ILL: Managing Windows Server 2008 and Windows Vista using Group Policy – Gary Dunlop (Tue 10:15am – 11:30am, Wed 8:30am – 9:45am)
Heavily used… Majority of enterprise customers actively use Group Policy Around 1,800 policy settings in Windows XP But… Group Policy process was part of Winlogon Policy setting coverage wasn’t great and missed some important business scenarios Managing ADM files was “interesting” Limited awareness of changing network conditions Limited flexibility with a single local GPO Troubleshooting Group Policy was not a joyful experience Need to find settings? “Where is that spreadsheet?”
Group Policy ToolsGroup Policy Tools New GPOE & GPMC ToolsNew GPOE & GPMC Tools Use consistent versions!Use consistent versions! Group Policy ServiceGroup Policy Service GP now runs in a shared serviceGP now runs in a shared service Hardened Service, more reliableHardened Service, more reliable Group Policy TemplatesGroup Policy Templates ADM Templates now in ADMX files (ADMX, ADML) Network Location Awareness (NLA) NLA service provides the latest network information Applications can query or register with NLA for network change indications Group Policy LoggingGroup Policy Logging Administrative logAdministrative log Applications and Services logApplications and Services log XML based event logsXML based event logs New Tools - GPOLogViewNew Tools - GPOLogView Group Policy Central StoreGroup Policy Central Store Centralized repository for ADMXCentralized repository for ADMX Contains all ADMX templatesContains all ADMX templates Created in the Sysvol on DC in each domain Group Policy Enhancements Multiple Local GPOs Group Policy SettingsGroup Policy Settings Over 800 new policy changes with Windows Vista Extended GP for new Windows Vista features NLA Windows Vista/Windows Server 2008 ADMADMX LGPO’sLGPOAdminUser User Specified Group Policy Admin/Non-Admin Group Policy Local Computer Policy DC FRS/DFS-R SysVol ADMXADML + Policies + + GUID ADM Policy Definations ADMX, ADML Files +
More granular management of the local machine (for example differences for admin and non-admin users) Local GPOs still lower precedence than domain-based GPOs! Processed in the following order (least precedence first) Local Policy Object (as before Windows Vista and always exists) Processes both computer and user policy Admin/Non-Admin LGPOs (optionally created by admin) Mutually exclusive for any one user Processes only user policy Specific User LGPO (created by admin) Local user accounts Processes only user policy Create/Manage LGPOs through GPEdit.msc New policy in Windows Vista to turn off LGPO processing (only available for domain-joined machines - think about it!)
Slow Link Detection Used to be based on ICMP/PING Now uses NLA (no reliance on ICMP/PING) Policy Refresh When a DC is detected, NLA tells GP it can refresh If refresh did not occur within last interval, GP will automatically update If refresh did occur during last interval, GP will not refresh (waits for next scheduled refresh) When DC is not responsive, policy processing fails and uses the same state as last successful application Now responsive to VPN sessions being established
New logging based upon Windows Eventing Two new logs “Windows Log” “Applications and Services Log” Administrative events are created in the System log with “Group Policy” as the event source name Applications and Services Log: stores operational events Replaces userenv.log troubleshooting file New Event View options to report, filter and create customised log views GPLogView Tools Allows export to XML for event logging Real-time logging
DEMO
Why move away from ADM files? Language independence Sysvol bloat Ease of use (ADM “language”) So, what did we do? Introduced ADMX and ADML files Introduced the ADMX Central Store Moved to XML
ADM files include strings for a single language By comparison, with ADMX files: One ADMX file is associated with one or more ADML (Language) files ADMX files sit in the policydefinitions “root,” with ADML files in language-specific subdirectories Adding support for a language means adding an ADML file
Before Windows Vista, when you create a GPO an ADM subdirectory is created in the GPO automatically (Sysvol) If you merely view a GPO which does not have the ADM directory, it is recreated The ADM subdirectory includes five ADM files, totaling about 3.5 MB 100 GPOs? That’s about 350 MB of data, replicated to all DCs. That’s Sysvol Bloat!
The Central Store is a domain-wide directory In Sysvol at \Policies\PolicyDefinitions Stores ADMX files (normally one per component) One subdirectory for each supported language (en_us, fr, etc.), each storing ADML files If the Central Store exists, Windows Vista tools use it for locating ADMX/ADML files If the Central Store does not exist, Windows Vista tools use their local policydefinitions directory
Can manage all Group Policy operating systems Windows Vista and Windows Server 2008 Windows XP, Windows Server 2003 and Windows 2000 Can manage Windows XPWindows XP Windows Server 2003 Windows 2000Windows 2000 Can not manage Windows VistaWindows Vista Windows Server 2008Windows Server 2008
DEMO
Neither ADMX files or the central store have any dependency on Windows Server 2008 (works fine with Windows Server 2003, Windows 2000 and Windows Server 2008 domains). It’s just a directory! Windows Vista machines: Use Local ADMX files if the Central Store is not created or Use the Central Store if it exists, ignoring local ADMX files Windows Vista will consume any custom ADM files found in a GPO, but ignores the system ADM files ADMX files can be stored in the Central Store but not in individual GPOs; you can still add ADM files to a GPO
Search/Filters: Constrain list of settings based on… Text search of setting title, explain text and comments Platform and applications “supported on” Managed (true GP policy setting) Configured (enabled or disabled) Results of search is a filtered view in the editor Comments: Annotate per GPO or per setting
Starter GPOs: Encapsulate of best practices/scenarios Contain recommended policy settings and values Microsoft will make some available for download Anyone can create and share new custom templates Create new GPOs based on a Starter GPO
DEMO
Greatly extends number of settings Computer/user settings Control Panel/Windows settings New functionality for new settings Rich UI for easier administration Settings-level filtering Comments We are considering how and when to integrate into Windows
Shortcuts Windows Settings include: Drive Mapping FoldersRegistry Control Panel includes: Folder Options Local Users and Groups Scheduled Tasks
Previously DesktopStandard GPOVault Version 2.5 released in July as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance customers Key Features Offline Editing Check In/Out Version Control Role-based Delegation Difference Reports (between GPO versions, archived vs. deployed)
DEMO
Link to Group Policy TechNet page Deploying Group Policy Using Windows Vista Group Policy Wiki Group Policy Team Blog Group Policy Settings Reference Windows Vista Step-by-Step Guide to Managing Multiple Local Group Policy Objects How to troubleshoot Group Policy using Event logs
Technical Communities, Webcasts, Blogs, Chats & User Groups Microsoft Developer Network (MSDN) & TechNet Trial Software and Virtual Labs Microsoft Learning and Certification
Q&A
Want to know more about Microsoft System Center? Come to the Yellow TLC area (MGT) and see the Microsoft System Center product family
Complete an evaluation on CommNet and enter to win!
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.