1. Group Policy in Windows Vista Stephen Lamb IT Pro Evangelist, Microsoft Ltd http://blogs.technet.com/steve_lamb mailto://stephen.lamb@microsoft.com

2. Agenda What’s New - from 64,000 Feet Walkthrough Windows Vista as an Administrative Workstation Introducing the Central Store Multiple Local GPOs Troubleshooting - Event Viewer Log Enhancements New Policy Settings in Windows Vista Power Management, Removable Device Management, Internet Explorer, etc About the Desktop Standard Acquisition Pointers to Helpful Resources

3. All about the demo’s… This is a demo-driven presentation! For each area you’ll see: A DEMO Things you need to remember A pointer to useful resources

4. But First… Our New Features Far Greater Coverage for Group Policy Across Windows 35% increase in policy settings (2490 total) Important new areas now covered by policy – removable device management, power management, user access control and much more Improved Reliability and Network Awareness More responsive policy application as network conditions change (wireless, VPN, etc) More efficient application of policy (less need for synchronous application).admx/adml Files and the Central Store Replaces.adm files – XML based format with true language independence Centralized store for all ADMX files Full interop with Windows Server 2003 and XP administrative workstations

5. But First… Our New Features (2) Improved Event Logging and Troubleshooting Leveraging “Crimson” for event viewing & reporting Far more useful events and links to REAL content on the web Multiple Local GPOs Adds Administrator/Non-Administrator and per-user LGPOs Ability to disable local GPO processing for domain-joined machines GPMC Integration No need to download GPMC from the web Resources What's New in Group Policy in Windows Vista and Windows Server "Longhorn“ What's New in Group Policy in Windows Vista and Windows Server "Longhorn“

6. Setting The Scene - Our Scenario… Day 0 - Our Starting Point (Existing Environment) Windows Server 2003 domain and Windows XP Clients Day 1 – Initial use of Windows Vista and Group Policy Managing Group Policy from Windows Vista and XP Day 2 and Beyond – ongoing Group Policy management Managing Windows Vista – from Windows Vista

7. Using Windows Vista Group Policy tools to edit and create GPOs

8. Windows Vista as an Administrative Workstation for Group Policy Key Points Managing Group Policy With Windows Vista “It Just Works” (Start Managing Your Existing Environment Right Away) Use Windows Vista tools to manage new and existing GPOs By default, Windows Vista uses local ADMX files To manage new Windows Vista policy settings you must use a Windows Vista administrative machines You can mix-and-match “new and old” policy settings in a single GPO but Windows Server 2003 and Windows XP will not report new settings correctly For full Resultant Set of Policy reporting, use Group Policy Results and GPO Reports in GPMC (not rsop.msc) Backup/Restore – create new backups as some extensions may not restore properly from the version of GPMC for XP & Windows Server 2003 Resources KB 816662 - Recommendations for managing Group Policy administrative template (.adm) filesRecommendations for managing Group Policy administrative template (.adm) files

9. Creating and Managing the ADMX Central Store

10. Creating and Using the Central Store Key Points ADMX files and the central store have no dependency on Longhorn Server (works fine with Windows Server 2003 and Windows 2000 domains) All Windows Vista machines use local ADMX files before the central store is created The central store is merely a directory (on Sysvol, replicated across DCs in a domain) Once created, all Windows Vista administrative workstations in the domain use the central store (and ignore local ADMX files) Windows Vista will consume any custom ADM files found in a GPO ADMX files can be stored in the central store but not in individual GPOs. You can still add ADM files to a GPO Resources Managing Group Policy ADMX Files Step-by-Step Guide ADMX Migrator

11. Multiple Local GPOs in Windows Vista

12. Multiple Local GPOs Key Points Important for standalone PCs (kiosk machines, DMZ, etc) The regular machine wide LGPO remains (created by default, the others are created manually) LGPOs available for: Administrator and Non-Administrator (mutually exclusive for a particular user) Per User Create LGPOs via GPEdit New policy setting available to disable all processing of LGPOs - only processed for machine-joined machines (think about it…) Resources What's New in Group Policy in Windows Vista and Windows Server "Longhorn“ What's New in Group Policy in Windows Vista and Windows Server "Longhorn“

13. Using New Group Policy Event Logging in Windows Vista

14. Troubleshooting Sequence Start with “Admin Event Views” For each policy failure look at description, details tab and more info link Drill down into operational log Use Activity Id extracted from failure event and use it to correlate to the operational events: Use the extracted Activity Id from failure event and use it to filter the events in the Event Viewer Or with –a option as a parameter to GPlogview.exe Allows exporting data to XML or HTML Analyze output Review step by step policy processing scenario events to identify failure point and error codes Run GPUpdate.exe to see if problem still persists

15. Two types of events: Administrative & Operational Administrative log: Actionable set of events in ‘System’ log Hot web links that provide troubleshooting steps Source is “Group Policy Service” not “userenv” Success events are also published Operational log is the replacement of the userenv.log Step-by-step insight into GP processing GPLogView.exe – Windows Group Policy Log View Tool v1.0 GPLogView.exe Free tool available from the “download center”download center Scheduled availability is 11/30/06 Views - Create focused views for filtering Group Policy events from Admin and Operational channels Associate actions to events - Send e-mail, Execute script/WMI jobs Subscriptions - Use it to consolidate and remotely monitor GP errors occurring on multiple machines Resources for pre-Vista: How to enable user environment debug logging in retail builds of Windows Interpreting Userenv log files Fixing Group Policy problems by using log files Group Policy Event Logs in Windows Vista Key Points

16. The Right Set of Policy Settings

17. The Right Setting of Settings Removable Devices (Installation and Access) Step-by-Step Guide to Controlling Device Installation and Usage with Group Policy Step-by-Step Guide to Controlling Device Installation and Usage with Group Policy Power Management Internet Explorer Windows Firewall Resources: Group Policy Settings Reference Windows Vista Updated to include: Reboot, logoff and AD Schema update requirements Security settings with Explain text

18. About the Desktop Standard Acquisition Why We Did This? Microsoft is committed to helping customers leverage the value of policy-based management What It Means To The Group Policy Administrator? Customers will get increased coverage of their desktop environment through new extensions GPO lifecycle management with GPOVault – Now called “Advanced Group Policy Management” as part of the Desktop Optimization Pack for Software Assurance (DOPSA)Desktop Optimization Pack for Software Assurance Ease of administration – “PolicyMaker” provides more settings and greater control When Will You See Results? The product integration roadmap is being finalized, look for announcements… Resources: Press release for DOPSA - http://www.microsoft.com/presspass/features/2006/oct06/10- 17Desktop.mspx http://www.microsoft.com/presspass/features/2006/oct06/10- 17Desktop.mspx http://www.DesktopStandard.com

19. Useful documentation and resources Feedback - https://www.WindowsServerFeedback.com https://www.WindowsServerFeedback.com Group Policy on Microsoft.com: http://www.microsoft.com/GroupPolicy http://www.microsoft.com/TechNet/GroupPolicy Community: Blog - http://blogs.TechNet.com/GroupPolicyhttp://blogs.TechNet.com/GroupPolicy Wiki - http://www.GroupPolicyWiki.comhttp://www.GroupPolicyWiki.com MVP’s (Most Valuable Professional):Most Valuable Professional Darren Mar-Elia http://www.GPOGuy.comhttp://www.GPOGuy.com Jeremy Moskowitz - http://www.GPAnswers.comhttp://www.GPAnswers.com Mark Heitbrink - http://www.gruppenrichtlinien.dehttp://www.gruppenrichtlinien.de French Language site - www.GPOmasters.com www.GPOmasters.com Group Policy Newsgroup

20. Useful documentation and resources Feedback - https://www.WindowsServerFeedback.com https://www.WindowsServerFeedback.com Virtual Labs - http://www.microsoft.com/technet/traincert/virtuallab/windowsserver2003. mspx http://www.microsoft.com/technet/traincert/virtuallab/windowsserver2003. mspx Microsoft Press book - http://www.microsoft.com/MSPress/books/8763.asp http://www.microsoft.com/MSPress/books/8763.asp Group Policy in Vista specific: What's New in Group Policy in Windows Vista and Windows Server "Longhorn“ What's New in Group Policy in Windows Vista and Windows Server "Longhorn“ Managing Group Policy ADMX Files Step-by-Step Guide Step-by-Step Guide to Controlling Device Installation and Usage with Group Policy Step-by-Step Guide to Controlling Device Installation and Usage with Group Policy

22. ©2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.