group policy – what's new in vista and longhorn server sean rooney microsoft consulting...
TRANSCRIPT
Group Policy – What's Group Policy – What's New In Vista And New In Vista And Longhorn ServerLonghorn Server
Sean RooneySean RooneyMicrosoft Consulting ServicesMicrosoft Consulting Services
State Of Group Policy TodayState Of Group Policy TodayHeavily used and with broad Heavily used and with broad coverage…coverage…
Of those that have deployed the Active Directory, Of those that have deployed the Active Directory, Group Policy isGroup Policy is
Actively used by 90%+ of large Actively used by 90%+ of large organizations/ enterprisesorganizations/ enterprises
Actively used by 60%+ of mid-market customersActively used by 60%+ of mid-market customers
Policy settings coverage at last major releasePolicy settings coverage at last major release1,800+ registry-based policy settings1,800+ registry-based policy settings
Many more in security, IE and other extensionsMany more in security, IE and other extensions
Customers want more Policy settings in the Customers want more Policy settings in the areas of security and desktop managementareas of security and desktop management
GPO InfrastructureGPO Infrastructure
Active Active DirectoryDirectory
Policy TargetingPolicy Targeting
Policy Policy TroubleshootingTroubleshooting
Policy EnforcementPolicy Enforcement
Policy DefinitionPolicy Definition
GPMC and GPEdit – GPMC and GPEdit – GPO Management GPO Management and Operationsand Operations
GPO Infrastructure – Customer PainsGPO Infrastructure – Customer Pains
ADAD Policy TargetingPolicy Targeting
Policy Policy TroubleshootingTroubleshooting
Policy EnforcementPolicy Enforcement
Policy DefinitionPolicy Definition
GPMC and GPEdit – GPMC and GPEdit – GPO Management GPO Management and Operationsand Operations
Difficult to locate Difficult to locate settingssettings
Lack of best Lack of best practice practice knowledgeknowledge
ADM File format ADM File format and storage issuesand storage issues
Sysvol bloatSysvol bloat
Ping Issues, VPN Ping Issues, VPN scenariosscenarios
Kiosk ScenariosKiosk Scenarios
Error MessagesError Messages
Complicated Complicated Diagnostic log Diagnostic log (Userenv)(Userenv)
What and Where is What and Where is GPMC?GPMC?
Change Management, Change Management, Auditing and Auditing and WorkflowWorkflow
Windows Vista Improvements In Group PolicyWindows Vista Improvements In Group PolicyMore settings, applied more reliably, easier to useMore settings, applied more reliably, easier to use
CategoryCategory
GPMC integration into the operating systemGPMC integration into the operating systemImproved syntax and multilingual support for Admin Improved syntax and multilingual support for Admin Templates policy settings (ADMX files)Templates policy settings (ADMX files)A solution to “sysvol bloat”A solution to “sysvol bloat”Searching, Filtering and Templates (SP1)Searching, Filtering and Templates (SP1)
Extending Extending the Coveragethe Coverage
Reliable and Reliable and Efficient Efficient
Application of Application of Policy Policy
Ease of UseEase of Use
More secure, stable infrastructure (Group Policy More secure, stable infrastructure (Group Policy Service)Service)Responsiveness to changing network conditions for GP Responsiveness to changing network conditions for GP processingprocessingEnhanced troubleshooting experienceEnhanced troubleshooting experienceMultiple Local GPOsMultiple Local GPOs
Extended Group Policy to cover new Windows Vista Extended Group Policy to cover new Windows Vista featuresfeaturesImproved coverage in key areas like Security and Improved coverage in key areas like Security and Desktop managementDesktop management
Key Features and EnhancementsKey Features and Enhancements
Group Policy Client ServiceGroup Policy Client Service
Reliability – A fundamental Vista goalReliability – A fundamental Vista goalPrior to Windows Vista, Group Policy processing was Prior to Windows Vista, Group Policy processing was implemented within the Winlogon processimplemented within the Winlogon process
Group Policy now runs in a shared service host on Group Policy now runs in a shared service host on the client the client
Service has been hardenedService has been hardenedA local administrator needs elevated privilege to stop A local administrator needs elevated privilege to stop the service the service
Service restart configuration provides recovery from any Service restart configuration provides recovery from any unexpected failuresunexpected failures
Isolation of third-party Client Side ExtensionsIsolation of third-party Client Side Extensions
Note: This is transparent to usersNote: This is transparent to users
Network AwarenessNetwork AwarenessProblems todayProblems today
Policy application is not network sensitivePolicy application is not network sensitiveVPN ScenarioVPN Scenario
Laptop Hibernate/Standby recoveryLaptop Hibernate/Standby recovery
Slow Link detection failuresSlow Link detection failuresICMP turned off at routersICMP turned off at routers
Failures in high bandwidth high latency Failures in high bandwidth high latency (Satellite connection) scenarios(Satellite connection) scenarios
Improved Network AwarenessImproved Network Awareness
More Responsive to Network ChangesMore Responsive to Network ChangesNo longer just 90 minutes or soNo longer just 90 minutes or so
If previous policy application cycle was skipped or If previous policy application cycle was skipped or failed then it retries whenever network connectivity failed then it retries whenever network connectivity (Ability to reach DC) is available(Ability to reach DC) is available
Leverages NLA v2.0 Leverages NLA v2.0 (Network Location Awareness)(Network Location Awareness)
Subscribe for DC availability notificationSubscribe for DC availability notification
Removal of dependence on ICMP (no more Ping!)Removal of dependence on ICMP (no more Ping!)
Improved bandwidth determination (through NLA)Improved bandwidth determination (through NLA)
Note: Network Quarantine scenario needs Note: Network Quarantine scenario needs additional configurationadditional configuration
Local GPOLocal GPOCustomer requestCustomer request
Local GPOs are primarily usedLocal GPOs are primarily usedNon AD environmentsNon AD environments
for non-domain joined, shared-use machines like for non-domain joined, shared-use machines like Kiosks, Task stationsKiosks, Task stations
Customer Request: Ability to set different Customer Request: Ability to set different configurations for different users using just configurations for different users using just Local GPOLocal GPO
Common example is where local admins need a less Common example is where local admins need a less locked down configuration than regular userslocked down configuration than regular users
Cannot accomplish this today since there is not Cannot accomplish this today since there is not concept of ‘Security Filtering’ on LGPOsconcept of ‘Security Filtering’ on LGPOs
Multiple Local GPOsMultiple Local GPOs
Supports having different policy settings for different Supports having different policy settings for different local userslocal users
LGPOs forLGPOs forThe machine (same LGPO as today)The machine (same LGPO as today)
NEW: Local groups (Admin or Non-Admin)NEW: Local groups (Admin or Non-Admin)
NEW: Individual local usersNEW: Individual local users
Application Order is same as aboveApplication Order is same as aboveNote: Any single user receives either the Admin or the Non-Note: Any single user receives either the Admin or the Non-Admin LGPO (not both)Admin LGPO (not both)
Domain GPOs still have greater precedence than Domain GPOs still have greater precedence than LGPOs (as today)LGPOs (as today)
New policy setting – ability to exclude all local New policy setting – ability to exclude all local GPO processingGPO processing
Troubleshooting Group Policy Troubleshooting Group Policy Some challengesSome challenges
Cryptic Error messagesCryptic Error messagesNo consistent diagnosis or resolution informationNo consistent diagnosis or resolution information
Error help link broken Error help link broken
Not ActionableNot Actionable
Userenv.logUserenv.logNot many users aware of this optionNot many users aware of this option
Not IT Admin friendlyNot IT Admin friendly
Each GP extension has a different format and Each GP extension has a different format and location of its loglocation of its log
No consolidated centralized reportingNo consolidated centralized reporting
Windows VistaWindows VistaGP Logging enhancementsGP Logging enhancements
Leverages new ‘Crimson’ event Leverages new ‘Crimson’ event management featuremanagement feature
XML based event logsXML based event logs
Supports application ‘channels’Supports application ‘channels’
Simple event consolidation using ‘Subscription’Simple event consolidation using ‘Subscription’
Can associate actions to events (Send e-mail, execute Can associate actions to events (Send e-mail, execute script/WMI jobs)script/WMI jobs)
Two levels of loggingTwo levels of loggingAdmin eventsAdmin events
Operational eventsOperational events
GPMC IntegrationGPMC Integration
GPMC is the one-stop shop for managing Group Policy GPMC is the one-stop shop for managing Group Policy (has been our recommendation for almost 3 years)(has been our recommendation for almost 3 years)
Why Integrate GPMC Into The Operating System? Why Integrate GPMC Into The Operating System? The perception is…The perception is…
““It’s just a little utility”It’s just a little utility”
““Great, but it’s not part of the Operating System”Great, but it’s not part of the Operating System”
““What’s GPMC?”What’s GPMC?”
Will be available on client and server – no need to Will be available on client and server – no need to download/installdownload/install
No major feature updates; Just bug fixes and localizationNo major feature updates; Just bug fixes and localization
Some feature updates will be available in “Longhorn” Some feature updates will be available in “Longhorn” Server (Vista SP1)Server (Vista SP1)
ADMX FilesADMX Files
Some Challenges with ADM Files?Some Challenges with ADM Files?No support for multi-lingual environmentsNo support for multi-lingual environments
Sysvol bloat (4Mb+ per GPO – not a Sysvol bloat (4Mb+ per GPO – not a good thing!)good thing!)
A rather obscure and somewhat A rather obscure and somewhat limited syntaxlimited syntax
ADMX BenefitsADMX BenefitsMulti-lingual support built-in (Associated ADML files)Multi-lingual support built-in (Associated ADML files)
Improved storage of files (Uses either local ADMX Improved storage of files (Uses either local ADMX files or the “central store”)files or the “central store”)
More extensible language (XML-based)More extensible language (XML-based)
No Central StoreNo Central Store%windir%\policydefinitions%windir%\policydefinitions Printing.admxPrinting.admx inetres.admxinetres.admx … …%windir%\policydefinitions \en-us%windir%\policydefinitions \en-us
Printing.admlPrinting.adml inetres.admlinetres.adml
%windir%\policydefinitions%windir%\policydefinitions Printing.admxPrinting.admx inetres.admxinetres.admx … …%windir%\policydefinitions \fr%windir%\policydefinitions \fr
Printing.admlPrinting.adml inetres.admlinetres.adml
Windows VistaWindows VistaAdministrative MachineAdministrative Machine
(English)(English)
Windows VistaWindows VistaAdministrative MachineAdministrative Machine
(French)(French)
Using The Central StoreUsing The Central Store
<sysvol>\policies\policydefinitions Printing.admx inetres.admx .. \en-us Printing.adml inetres.adml \fr Printing.adml inetres.adml \ ..
Windows VistaWindows VistaAdministrative MachineAdministrative Machine
(English)(English)
Windows VistaWindows VistaAdministrative MachineAdministrative Machine
(French)(French)
Windows Vista Interop Scenarios Windows Vista Interop Scenarios (ADMX/ADM Co-Existence)(ADMX/ADM Co-Existence)
Windows Vista does not ship with any ADM files. Windows Vista does not ship with any ADM files. ADMX files are superset of older ADM filesADMX files are superset of older ADM files
Both ADMX and ADM files can co-exist. You Both ADMX and ADM files can co-exist. You can use “Add/Remove Templates” dialog for can use “Add/Remove Templates” dialog for ADM filesADM files
You can leverage this feature in existing You can leverage this feature in existing Win2k3/Win2k environments.Win2k3/Win2k environments.
Just Admin workstations need to run Vista Just Admin workstations need to run Vista
Note: No plan currently to ship ADM to ADMX Note: No plan currently to ship ADM to ADMX conversion toolconversion tool
ADM ADM TemplatesTemplates – Usability Improvements – Usability ImprovementsWindows Vista SP1/“Longhorn” ServerWindows Vista SP1/“Longhorn” Server
CommentsCommentsEnable per GPO and per setting commentsEnable per GPO and per setting comments
Search/Filter – locate settings based onSearch/Filter – locate settings based onText search of setting title, explain text and commentsText search of setting title, explain text and commentsPlatform and applications “supported on”Platform and applications “supported on”Managed (true GP policy setting)Managed (true GP policy setting)Configured (enabled or disabled)Configured (enabled or disabled)Results of search is a filtered GPedit viewResults of search is a filtered GPedit view
TemplatesTemplatesEncapsulation of best practices/scenariosEncapsulation of best practices/scenariosWill contain recommended Policy settings and valuesWill contain recommended Policy settings and valuesMicrosoft will ship some initial scenario-based templates Microsoft will ship some initial scenario-based templates Anyone can create and share new custom templatesAnyone can create and share new custom templatesCreate new GPOs based on a templateCreate new GPOs based on a templateGPMC will provide ‘Template management’ supportGPMC will provide ‘Template management’ support
Prototype UI For Templates And Prototype UI For Templates And Search And Filter FeaturesSearch And Filter Features
GPMC Template IntegrationGPMC Template IntegrationFilter Options DialogFilter Options Dialog
Migration/UpgradeMigration/Upgrade
Reliable/seamless migration for both typesReliable/seamless migration for both typesSame machine Upgrade (2000/XP to Vista)Same machine Upgrade (2000/XP to Vista)
PC – PC Migration(2000/XP/Vista to Vista)PC – PC Migration(2000/XP/Vista to Vista)
Stand Alone WorkstationStand Alone Workstation
Domain Joined Client or Server machineDomain Joined Client or Server machineAll Policy settings are retained and reapplied on first All Policy settings are retained and reapplied on first boot as if they just joined the domainboot as if they just joined the domain
Domain Joined Admin workstationDomain Joined Admin workstationOld version of GPMC is removed and since GPMC is Old version of GPMC is removed and since GPMC is on every client it is no longer accessible via ARPon every client it is no longer accessible via ARP
GPMC preferences will be retainedGPMC preferences will be retained
Data Included In The Data Included In The Migration/UpgradeMigration/Upgrade
Local GPOLocal GPO
Group Policy engine preference keys and valuesGroup Policy engine preference keys and values
Registration info for any third-party extensionsRegistration info for any third-party extensionsPotentially their settings will notPotentially their settings will not
Software Installation packages installed using GPOsSoftware Installation packages installed using GPOs
Any registry (ADM* template) based Policy settingAny registry (ADM* template) based Policy setting
All Policy settings are retained and reapplied on first boot as if All Policy settings are retained and reapplied on first boot as if they just joined the domainthey just joined the domain
All RSoP data will NOT be migrated and will be regeneratedAll RSoP data will NOT be migrated and will be regenerated
Domain Joined Admin workstationDomain Joined Admin workstationOld version of GPMC is removed and since GPMC is on every Old version of GPMC is removed and since GPMC is on every client it is no longer accessible via ARPclient it is no longer accessible via ARP
GPMC preferences will be retainedGPMC preferences will be retained
The The RightRight Set Of Policy Settings Set Of Policy Settings
1,800+ policy settings today – and hundreds more in Windows Vista1,800+ policy settings today – and hundreds more in Windows Vista““Groundswell” of support across the Operating SystemGroundswell” of support across the Operating System
Group Policy is a Windows ‘Manageability’ basicGroup Policy is a Windows ‘Manageability’ basic
Policy Settings Greatly Expanded in a Number of AreasPolicy Settings Greatly Expanded in a Number of Areas
Some Examples…Some Examples…
Removable Removable Storage Storage DevicesDevices
IPSec/ IPSec/ Windows Windows FirewallFirewall
Power Power ManagementManagement
Printer Printer ManagementManagement
Troubleshooting Troubleshooting and Diagnosticsand Diagnostics
Windows Windows DefenderDefender
Network Network Access Access
ProtectionProtection
Internet Internet ExplorerExplorer Tablet PCTablet PC
Windows Error Windows Error ReportingReporting
User Account User Account Control (UAC)Control (UAC)
Wired and Wired and Wireless Wireless
PolicyPolicyDesktop ShellDesktop Shell GlobalizationGlobalization
Remote Remote AssistanceAssistance
SecuritySecurityOver privileged usersOver privileged users
Most end users have higher privilege on their Most end users have higher privilege on their system than what is requiredsystem than what is required
Security is relaxed to run Line-of-Business ApplicationsSecurity is relaxed to run Line-of-Business Applications
ProblemsProblemsSecurity Risks: Spyware, Virus can run in context of high Security Risks: Spyware, Virus can run in context of high privilege/administrator accountprivilege/administrator account
Lost productivity and increased help desk costsLost productivity and increased help desk costs
Customers want “secure by default” behaviorCustomers want “secure by default” behavior
User Account Control (UAC) User Account Control (UAC) Policy SettingsPolicy Settings
Only a per machine setting; Can be found underOnly a per machine setting; Can be found underComputer Configuration\Windows Settings\Security Settings\Local Computer Configuration\Windows Settings\Security Settings\Local Policies\Security OptionsPolicies\Security Options
UAC SettingsUAC SettingsBehavior of elevation prompt for administrators in Admin Behavior of elevation prompt for administrators in Admin Approval ModeApproval Mode
Behavior of elevation prompt for standard usersBehavior of elevation prompt for standard users
Detect application installs and prompt for elevation Detect application installs and prompt for elevation
Elevate executables only if signed and validatedElevate executables only if signed and validated
Run all administrators in Admin Approval ModeRun all administrators in Admin Approval Mode
Switch to secure desktop when prompting for elevationSwitch to secure desktop when prompting for elevation
Windows Firewall And IPsecWindows Firewall And IPsec
Unifies management concepts into a single consoleUnifies management concepts into a single consoleStreamlines configuration of core scenariosStreamlines configuration of core scenarios
Restrict network resource access to domain-joined computersRestrict network resource access to domain-joined computers
Combines Windows Combines Windows Firewall and IPsec Firewall and IPsec management into management into a single user a single user experienceexperience
Simplify Simplify ManagementManagement
Enforce Isolation Enforce Isolation ScenariosScenarios
Provide More Provide More Intelligent FirewallIntelligent Firewall
Specify allowed applications and portsSpecify allowed applications and portsAllow connections only if they are securedAllow connections only if they are securedAllow connections only from a specified Active Directory groupAllow connections only from a specified Active Directory group
SecuritySecurityOther new policy settingsOther new policy settings
Windows Defender (Anti-Spyware)Windows Defender (Anti-Spyware)Enable/Disable real-time protection/scanningEnable/Disable real-time protection/scanningManage signature download configurationManage signature download configuration
Device Installation controlDevice Installation controlPrevent driver installation for specific devicesPrevent driver installation for specific devices
Wireless and Wired Service configurationWireless and Wired Service configurationDifferent Policy settings for Wired and Wireless 802.1xDifferent Policy settings for Wired and Wireless 802.1x
Network Access ProtectionNetwork Access ProtectionControl Quarantine setting Control Quarantine setting
Enhanced Public Key Policy configurationEnhanced Public Key Policy configurationMore Policy settings for CertificatesMore Policy settings for Certificates
Enhanced Internet Explorer Security ConfigurationEnhanced Internet Explorer Security ConfigurationSupport for IE7 security featuresSupport for IE7 security features
Desktop ManagementDesktop ManagementPower managementPower management
Group Policy control Group Policy control over Power Settings over Power Settings allow businesses to allow businesses to control energy costscontrol energy costs
Windows Vista includes extensive power management Windows Vista includes extensive power management capabilitiescapabilities
•All power settings are per-user and per-machineAll power settings are per-user and per-machine•Group Policy support for all in-box power settingsGroup Policy support for all in-box power settings•Separate power plan for when no user is logged into the Separate power plan for when no user is logged into the
systemsystem
Default settings enable energy-saving features on all PCsDefault settings enable energy-saving features on all PCsSleep is the default “off” behavior for the systemSleep is the default “off” behavior for the systemSystem sleep idle timeouts are enabledSystem sleep idle timeouts are enabledDisplay blanking timeouts are enabledDisplay blanking timeouts are enabled
Extensive Power Extensive Power ManagementManagement
Energy Savings Energy Savings by Defaultby Default
Desktop ManagementDesktop Management
Printer ManagementPrinter ManagementDeploy Printers to machines or usersDeploy Printers to machines or users
Per Machine: Shared Use ComputersPer Machine: Shared Use Computers
Per User: Printers follow UsersPer User: Printers follow Users
Roll out trusted printer drivers, prevent install of untrusted Roll out trusted printer drivers, prevent install of untrusted printer driversprinter drivers
Delegate Printer installation rightsDelegate Printer installation rights
Internet ExplorerInternet ExplorerConverting most settings away from Internet Explorer Converting most settings away from Internet Explorer Maintenance (IEM) to registry-basedMaintenance (IEM) to registry-based
Shell Team Shell Team Classic Shell, Logon, Start Menu, and Control PanelClassic Shell, Logon, Start Menu, and Control Panel
Screen Saver: Define timeout, restrict to “built in”Screen Saver: Define timeout, restrict to “built in”
Secure Conscious: Force prompting, don’t save credentialsSecure Conscious: Force prompting, don’t save credentials
Sync and Sharing: Item sharing, PC-PC, folder redirectionSync and Sharing: Item sharing, PC-PC, folder redirection
SecuritySecurityRemovable storage devicesRemovable storage devices
Significant security risk due to small removable Significant security risk due to small removable storage devicesstorage devices
USB storage devicesUSB storage devices
MP3 playersMP3 players
CD/DVD burnersCD/DVD burners
RisksRisksUnwanted data in (Spyware, Virus)Unwanted data in (Spyware, Virus)
Confidential data out (sales data, product design, price Confidential data out (sales data, product design, price quotes, etc.)quotes, etc.)
Customers want granular controlCustomers want granular control
Removable Storage Devices Removable Storage Devices Policy SettingsPolicy Settings
Computer- and User-based Policy to controlComputer- and User-based Policy to controlRead and Write Access Read and Write Access
Removable Storage Device classesRemovable Storage Device classesCD/DVDCD/DVDTapesTapesUSB plug-in devicesUSB plug-in devicesWindows Portable Devices (WPD)Windows Portable Devices (WPD)All other external removable storage devicesAll other external removable storage devices
Only Computer settings are applicable on Only Computer settings are applicable on Terminal ServerTerminal ServerNOTE: This feature work came in after the 5270 NOTE: This feature work came in after the 5270 CTP buildCTP build
Removable Removable Storage AccessStorage Access
ResourcesResources
Group Policy on Microsoft.comGroup Policy on Microsoft.comhttp://www.microsoft.com/GroupPolicyhttp://www.microsoft.com/GroupPolicy
Group Policy FAQGroup Policy FAQhttp://technet2.microsoft.com/windowsserver/en/technologies/feathttp://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspxured/gp/faq.mspx
What's New in Group Policy in Windows Vista and What's New in Group Policy in Windows Vista and Windows Server "Longhorn"Windows Server "Longhorn"
http://www.microsoft.com/technet/windowsvista/library/a8366c42-http://www.microsoft.com/technet/windowsvista/library/a8366c42-6373-48cd-9d11-2510580e4817.mspx6373-48cd-9d11-2510580e4817.mspx
Managing ADMX Files Step by Step GuideManaging ADMX Files Step by Step Guidehttp://www.microsoft.com/technet/windowsvista/library/02633470-http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx396c-4e34-971a-0c5b090dc4fd.mspx
Group Policy Feature Suggestions, New Policy Setting Group Policy Feature Suggestions, New Policy Setting Ideas, etc.Ideas, etc.
http://www.WindowsServerFeedback.comhttp://www.WindowsServerFeedback.com
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.