Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


January 2008

Windows Vista and Server 2008 Group Policy Enhancements

New features for GPOs and GPMC
From the January 2008 Edition
of Windows IT Pro
Darren Mar-Elia
Feature
InstantDoc #97623
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Windows OSs Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Executive Summary:

Group Policy has become more important in Windows Vista and Windows Server 2008--but also more complex. The more you learn about the changes to Group Policy, the better you'll be able to control it. Changes you'll learn more about include those made to Group Policy Client Services, slow link detection, and the ability to create three new types of Group Policy Objects (GPOs).

Now that Windows Vista has shipped and Windows Server 2008 is nearing release, it’s a good time to look more closely at some of the Group Policy enhancements these new versions of the OS introduce. Group Policy has taken on an important role as the key configuration management mechanism within Windows. That’s a good thing. It’s challenging though, because more enhancements mean more options, more options mean more choices, and more choices mean more complexity. The good news is that the enhancements Microsoft is making in Group Policy Management Console (GPMC) for Server 2008 will mitigate some of these complexities.

Group Policy Client Service
There are significant changes to some of the unseen aspects of Group Policy. Most importantly, the Group Policy engine has been moved out of the system Winlogon process, where it has run ever since Windows 2000, and into its own Group Policy Client service. The Group Policy Client service is a nonrestartable service in Vista and Server 2008 that runs the Group Policy processing engine. It runs outside of Winlogon and provides an isolated environment for Group Policy client-side extensions (CSEs) to run in. In fact, it even provides isolation between Microsoft CSEs and third-party ones, so if a third-party CSE crashes, Microsoft’s CSEs will not be affected during Group Policy processing. Feature

Slow Link Detection
The slow link detection process in Group Policy has also changed. If you’re familiar with slow link detection in previous versions of Windows, you know that, at the beginning of each Group Policy processing cycle, a client uses Internet Control Message Protocol (ICMP) to ping its Active Directory (AD) domain controller (DC) to determine its availability and compute the speed of the link between the client and DC. If this process fails for any reason (e.g., if ICMP is blocked or restricted by the network or if the DC is unavailable over ICMP), then Group Policy processing fails. Additionally, the calculation used for slow link detection was relatively crude and often resulted in a slow link being detected for no good reason.

In an effort to improve this process, Group Policy now leverages the new version of the Network Location Awareness (NLA) service provider that ships with Vista and Server 2008. NLA checks whether the DC is available and, if it is, determines the speed of the network link between client and DC. It uses robust protocols, such as remote procedure call (RPC), instead of the relatively simple and often-blocked ICMP. This results in better slow link detection and the ability to quickly determine whether a DC is available. As it turns out, whether or not a DC is available constitutes a very important factor in the next new feature I’ll talk about, namely the NLA-based refresh of Group Policy.

NLA Background
Refresh In addition to using NLA to improve slow link detection, the Group Policy engine relies on NLA to improve the background Group Policy update process. In Windows versions up to and including Vista and Server 2008, a background refresh occurs every 90 minutes on workstations and member servers. Plus, there’s an additional refresh of up to 30 minutes in a randomized value that ensures all systems don’t refresh at once. Say a laptop’s background refresh occurred while a user was travelling home with it on the train. Because the DC wasn’t available, the refresh would simply fail. Ten minutes later, when the user is home and has plugged into the corporate VPN, the DC is available, but depending upon when the last refresh occurred, it may be many minutes before the next Group Policy update via background refresh.

NLA provides a new kind of background refresh for Group Policy in Vista and Server 2008. If a system running one of these new versions of the Windows OS attempts to refresh Group Policy in the background and fails because the DC isn’t available, then the next time the DC becomes available, the client triggers a background Group Policy refresh as soon as NLA detects the DC. The NLA refresh appears in the new Vista Group Policy Operational log, as shown in Figure 1.

The NLA refresh can be useful when you’re trying to push out a new policy to affect some behavior on your client machines and you don’t want your users to wait for more than an hour after they get back on the network to receive the change. However, it’s important to note that this feature works only if the previous background refresh attempt failed.

Multiple Local GPOs
How many times have you wished you could set a local GPO on your Windows XP systems that wouldn’t affect administrators logging onto those systems or that applied only to a specific user on the local system? Multiple local GPOs in Vista and Server 2008 are the answer you’ve been waiting for. As the name implies, multiple local GPOs provide a way of having more than one local GPO on a given Windows system. Systems prior to Vista store the local GPO in the file system under C:\windows system32\grouppolicy. On Vista and Server 2008 systems, the default local GPO still exists in that location, but you can also create three new types of local GPOs:
• A non-administrator local GPO lets you define user-specific policy settings that apply only to any non-administrative user (such as a user who’s not a member of the local Administrators group) logging onto the computer.
• An administrator local GPO lets you define user-specific policy settings that apply only to any member of the local Administrators group logging onto the computer.
• A user local GPO lets you define user-specific policy settings that apply only to a particular local user account defined on the workstation or member server. This policy doesn't apply to domain accounts.

These new local GPOs are stored in folders based on the SID of the group or user to whom they apply, under C:\windows\system32\group policy users. In Windows OSs before Vista, Group Policy processing has an order of precedence that starts with the local GPO, then sitelinked GPOs, then domain-linked GPOs, and finally organizational unit (OU)-linked GPOs. When a user logs on, Windows applies the User Configuration portion of Group Policy. The order of precedence with multiple local GPOs on Vista and Server 2008 is
1. Default local GPO
2. Non-administrator or administrator local GPO (if any)
3. User local GPO (if any)
4. Domain-based GPOs (site, domain, and OU-linked)

How do you get to those multiple local GPOs on your Vista or Server 2008 system? Here are the steps you need to take to be able to edit the other local GPOs:
1. From the Start menu, choose Run, then type mmc to launch a blank Microsoft Management Console (MMC). (Because running MMC requires elevated privileges, when User Account Control—UAC—is enabled, you’ll be prompted for credentials.)
2. In MMC, choose File, Add/ Remove Snap-in and scroll down to Group Policy.
3. Select Add to add that snap-in to the console, and browse to the GPO you want to edit. The default is Local Computer, which refers to the default local GPO. However, at this point, click the Browse button to see other options.
4. In the Browse for a Group Policy Object dialog box, select the Users tab. You’ll see something similar to Figure 2. At this point, you can choose a specific local user, the general administrator, or the non-administrator and click OK to load the associated local GPO into the MMC Group Policy editor (GPE) snap-in for editing.

Figure 2 is a snapshot of my system; it lists several local users, plus Administrator, Administrators, and Non-Administrators. None of these local GPOs yet exists. But if I use the above instructions to add one of them to GPE and make modifications to it, it will exist within the local file system in the C:\windows\system32 GroupPolicyUsers folder.

ADMX Templates
You might have heard that the format for Administrative Templates, or ADM files, has changed in Vista and Server 2008. ADM files create the policy options you see under the Administrative Templates nodes in GPE. ADMX files in Vista perform the same role, but you won’t be able to work with them the same way. For example, if you created custom ADM files with Notepad or your favorite text editor, you’ll find it difficult to do the same thing with the new ADMX files. That’s because Microsoft has adopted a new XML data format for ADMX files, and their partners, ADML files. (Each ADMX file puts language-dependent string references in an ADML file for that specific language.)

Continued on Page 2

   Previous  [1]  2  3  Next 


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path Windows IT Pro Resources
"“How can I manage Group Policy for Windows Vista machines?”"

"“Managing Windows Vista Group Policy Options,”"

"“Converting an ADM File into an ADMX File,”"

"“Network Access Protection in Windows Server 2008,”"


Microsoft Resources
"Windows Server Group Policy,"

"Group Policy ADMX System Reference Guide,"

"ADMX Migrator,"

"Group Policy Log View,"
Top Viewed ArticlesView all articles
The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

WinInfo Short Takes: Week of November 24, 2008

An often irreverent look at some of the week's other news, including a Vista Capable dismissal request, Zune price reductions, Morrow musings, Novell and Microsoft sitting in a tree ... two years later, Yahoo!, IE 6 on Windows Mobile, and so much more ...
Windows OSs Whitepapers Why SaaS is the Right Solution for Log Management
Related Events Introduction to Identity Lifecycle Manager "2"

Configuration Manager SP1 and R2 Overview

Check out our list of Free Email Newsletters!
Windows OSs eBooks Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

SQL Server Administration for Oracle DBAs
Related Windows OSs Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Is Your Approach to VMware Server Recovery Outdated?
Is your data protected from server failure? Download this white paper to find the best way to back up, recover, and restore your VMware ESX Server 3.x.

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

GoGrid Offers FREE Trial for Windows Cloud Servers
Deploy Windows Server 2003 and 2008 with free load balancing through GoGrid’s award winning web-based GUI – all in less than 5 minutes

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
You've Deployed SharePoint...Now What?
This one-day free online conference delivers the technical knowledge needed to kick MOSS up a notch. In one information-packed day, independent SharePoint experts will present practical, real-world information and provide take-away, ready-to-use solutions

Don't Miss 3 Introductory PowerShell Lessons!
Paul Robichaux equips you with PowerShell basics in 3 introductory lessons, each followed by live Q&A—all on your own computer! Register today!

What Would You Do If You Ran Microsoft?
ITTV's 2008 inaugural video contest, "If I Ran Microsoft..." is your chance to tell it like it is. Be goofy or be serious, but don"t miss this chance to have fun, win prizes, and go viral in a major way.

Maximize Your SharePoint Investment
This web seminar discusses how true bi-directional replication of SharePoint content from one server to another enables branch offices to maintain access to current SharePoint content.

Rock Your Knowledge, and Compete with Friends and Colleagues!
Are you the Web Application Performance Guru in your office? It's time to have fun! Download now to access the crossword puzzle. Challenge yourself and complete this fun activity!
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing