Chat Topic: Windows Vista Group Policy
Date: Thursday, September 28, 2006
Please note: Portions of this transcript have been edited for clarity.
Reference Newsgroup for more information:
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.group_policy
Reference Website for more information:
http://www.microsoft.com/GroupPolicy
Experts:
Mark Lawrence – Chat Moderator
Mark Williams – Program Manager on the Group Policy team
Judith Herman – Programming Writer for Group Policy
David Power – Program Manager on the Group Policy team
Mike Stephens – IT Pro Technical Writer for Group Policy
Jeff Clark – IT Pro Technical Writer for Group Policy
mark_MSFT (Moderator):
Welcome to the Group Policy Technical Experts chat. This Chat gives you an opportunity to interact with members of the Group Policy Product Development teams, to post your questions about new Windows Vista Group Policy Features and Settings, Troubleshooting tools, and Best Practices.
Windows Vista introduces new and enhanced Group Policy features, including improved network awareness, Group Policy Management console (GPMC) in-box integration, XML-format Administrative Templates files (ADMX files), and a common console for Event Management and Troubleshooting (known by the code name of "Crimson").
We welcome your questions about managing existing Group Policy deployments with Windows Vista (including co-existence of both ADM and ADMX template files), creating Multiple Local GPOs, creating and populating the SYSVOL Central Store for ADMX and ADML files, and troubleshooting using the Windows Vista Event Viewer and Task Scheduler -- here's your chance to ASK GROUP POLICY EXPERTS.
Now, will our Group Policy Experts for today’s chat please introduce themselves:
Introductions
Mark Williams [MSFT] (Expert):
Hello everyone - my name is Mark Williams and I am a Group Policy Program Manager. Thanks for joining us today.
JudithH [msft] (Expert):
I'm Judith Herman, programming writer for Group Policy.
David [MSFT] (Expert):
David Power, Program Manager on the Group Policy team.
Mike [MSFT] (Expert):
Hi, I'm Mike Stephens, IT Pro Technical Writer for Group Policy.
Jeff [msft] (Expert):
Hi, I'm Jeff Clark, IT Pro Technical Writer for Group Policy.
Mark Williams [MSFT] (Expert):
OK everyone - hit us with your (Group Policy) questions...
Start of Chat
Mark Williams [MSFT] (Expert):
Q: I've had my share of writing admin templates and though Notepad is nice, it could be really cool to have some GUI tool for editing ADMX files. Is anything being done on this front?
A: Yes, this is an increasingly common question and I understand your perspective. We have nothing available right now but we are looking at this. As an aside, for anyone comfortable with Visual Studio the ADMX schema allows Intellisense to work so that it will help you out as you enter elements or attributes.
Mike [MSFT] (Expert):
Q: Kind of new to Vista. What is Windows Vista Group Policy?
A: We have a document you can read that highlights the new Group Policy features included in Windows Vista. You can view this document at http://go.microsoft.com/fwlink/?LinkId=55413
Mark Williams [MSFT] (Expert):
Q: I have a question. What ever happened with the decision as to whether ADMXs can be stored in individual GPOs? Which side did that come down on?
A: Thanks for the question, Darren. ADMX files can be consumed from either the local (administrative) machine or via the central store. These are mutually exclusive (once the central store is created the local ADMX files are no longer used). We have no plans to add support for ADMX files associated with individual GPOs but are very interested in understanding compelling scenarios where this would be beneficial.
Mike [MSFT] (Expert):
Q: We used to have the secedit.sdb hold settings. Will this remain the same in Vista?
A: The secedit.sdb file remains in Windows Vista and, to the best of my knowledge, provides the same functionality it did in Windows XP.
David [MSFT] (Expert) and Joe Gettys [MSFT]:
Q: How many policies do we have in Vista? Any changes in the SMB signing?
A: In RC1, Windows Vista has about 2490 administrative template settings.
JudithH [msft] (Expert):
Q: Are policies for older systems correctly applied to Vista?
A: If the SupportedOn text confirms that the policy setting applies to Vista, then yes, it should correctly apply to Vista.
Mark Williams [MSFT] (Expert):
Q: Have not had a chance to look at it yet, but any search capabilities? If yes, does the search include ADMX files that are not loaded?
A: Yes, we are planning to introduce this feature but the exact timing is not yet finalized. This will allow searching the ADMX files loaded in GPEdit, but not those that are not loaded.
Mark Williams [MSFT] (Expert):
Q: Please, please... can you extend the search to unloaded ADMX files? Add a nice checkbox maybe "Include unloaded..."?
A: Interesting suggestion, Guy, and not one I have heard before. Can you expand a little on the scenario? For example, what location would the search capability search for unloaded ADMX files (by way of example, all ADMX files in the central store are loaded).
Mike [MSFT] (Expert):
Q: Large enterprises just won't move all workstations and the Active Directory domain controllers from one version to another just because. What is best to do? Move Active Directory to Longhorn, then gradually move to Vista? Or can you move to Vista first?
A: You can move to Windows Vista without updating your infrastructure. You can implement the majority of Windows Vista policy settings by simply editing the GPOs using GPMC from a domain joined computer running Windows Vista.
Seva Titov [MSFT] (Expert):
Q: Are there any changes to the operation of restricted groups? For example, to allow a merge with an existing local group rather than wholesale replacement every time?
A: There are no changes to the restricted groups policy behavior. The restricted groups deployed through Security Policy settings merge with groups defined in other GPOs; it is the same behavior as in Windows XP and Windows Server 2003.
David [MSFT] (Expert):
Q: What are some of the new categories of Policy Management?
A: A good starting point is here: http://www.microsoft.com/technet/windowsvista/library/gpol/a8366c42-6373-48cd-9d11-2510580e4817.mspx?mfr=true. Many new features of Windows Vista will have Group Policy, and existing features will have deeper coverage of settings.
mark_MSFT (Moderator):
Q: Hello there, I would like to know if you can do more on performance tweaking and server roles in Longhorn, right now I have to manually set all kinds of settings like lanmanserver, lanmanworkstation, server roles like minimize memory used, etc.
A: The Group Policy development team is a peer to Role-based Management (Longhorn Server Manager) team. But you'd likely get the best answer to this question at the Longhorn Server Management Forum - http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=575&SiteID=17 (the Server Manager team monitors this Forum).
Mark Williams [MSFT] (Expert):
Q: I am especially interested in blocking devices like USB drives, FireWire drives, etc. from being loaded on individual workstations on my company's network.
A: Yes, we have good coverage for this, at two levels. First, the ability to install device drivers for these (and other) types of devices is manageable through policy. Secondly, one can also manage how (and whether) installed devices can be used. For example, you can elect to allow such devices to be read-only, meaning users can't take data OFF your network onto these devices. You can also remove both read and write capability. And so on. These are under Administrative Policy \ System \ Removable Storage Access.
Seva Titov [MSFT] (Expert):
Q: Given that it is now possible to have multiple local policies, is there a way to provide computer policies which have user exceptions e.g. local admins? (and given that some settings are machine side not user side so loopback does not help for these)
A: Multiple Local GPOs is a new feature in Vista. This feature increases the number of Local GPOs from one central GPO to any number you want. However, there is only one Computer policy, and it is defined in what used to be the LGPO. All additional Local GPOs only have a user part. The computer policy settings are applied to the computer and affect all users who log on to the computer.
Mark Williams [MSFT] (Expert):
Q: Looking at ADML files for custom policies: If I create policy A.ADMX and ADML for say English and French, and I create policy B and an ADML only in English, what happens when someone tries to edit the policy from a French admin machine? Will it default out
A: We have a fallback mechanism (using new Windows Vista language semantics which are consistent across the OS). In your specific example, the French admin will see the policy settings in English, since English is the default fallback language. To describe another scenario, if only the French version (ADML file) was available, there is no "fallback path" from English to French and, as such, the policy setting would show up under Extra Registry Settings on an English machine.
Mike [MSFT] (Expert):
Q: Guys--would you say that it's "best practice" that once Vista is introduced into an environment, all subsequent GP management should happen from Vista?
A: Yes, that is correct.
JudithH [msft] (Expert):
Q: Say I have an existing policy which works for XP SP2. When I edit this policy from a Vista workstation, will it still use the ADMs that are already in the GPT, or the central ADMX store? In other words, does it clean up old policies and reduce SYSVOL or not?
A: The Vista Group Policy Editor only reads ADMX files. It will not clean up old ADM files from SYSVOL.
Mike [MSFT] (Expert):
Q: Can an IT person on my staff use Group Policy to deploy Vista on at least 20 workstations in my business? Make some kind of image or write a script or batch file to make installing Vista easier?
A: Group Policy is not the ideal mechanism to deliver an operating system to the desktop. You may want to investigate Windows Deployment Services: http://www.microsoft.com/technet/windowsvista/deploy/depenhnc.mspx
Mark Williams [MSFT] (Expert):
Q: Is there any chance to restrict editing GPOs from certain OS versions? I.e., restrict editing from anything below W2K3?
A: Technically, there are a couple of ways to do this. Some customers segment their machines in their OU structure such that (for example) XP machines are in one OU, Windows Vista in another and so on, perhaps with a shared parent OU. That won't fit all customers, however, so another option is to use WMI Filters to ensure that application of a GPO is conditional on a WMI query (which may determine the OS). Note that if a policy setting is targeted, intentionally or otherwise, at an OS on which the policy setting is not supported, then that OS will simply ignore the policy setting.
Seva Titov [MSFT] (Expert):
Q: I have another question; you can assign printers based on location, but can you also assign printers with partly the same description as a computer description? Then it will be really easy to assign printers nearby.
A: I hope you are referring to the computer description attribute that is assigned to the computer object in Active Directory. I don't think it is possible to deploy a printer based on the value of this attribute. One of the possible solutions would be to use Active Directory Sites. Normally sites are in different physical locations, so if you link a GPO to an AD Site, it would apply to the computers in the same physical location.
Seva Titov [MSFT] (Expert):
Q: I do refer to the description attribute, but a site can be quite big, with multiple floors etc. I have it scripted already, but it would be really useful for many organizations I guess, like a wildcard in the computer description or just room/floor/building.
A: Yes, your solution using scripting is the best for this problem. One more thing you can try is using WMI filters. I don't have any example ready, but I think it is possible to do this assuming certain conventions on the value of the description field in the computer object.
Mark Williams [MSFT] (Expert):
Q: Also, any books on the horizon about Group Policy?
A: I understand books are "on the horizon" that will describe Group Policy and Windows Vista but I don't believe there is anything formally announced yet (no dates, etc). Sorry - but I think you'll get what you need in due course :-)
Jeff [msft] (Expert):
Q: I am completely new to this area, but very much interested in it. Can you please give me some start-up guidance to dive in deep? Can you give me a couple of links from where I can start looking into it?
A: There are a number of ways that you can start getting familiar with Group Policy. First, there are a number of links available on the Microsoft site:
http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx
http://go.microsoft.com/?linkid=5247636
There is a very good book available too: http://www.amazon.com/Microsoft-Windows-Group-Policy-Guide/dp/B000ANFDPO/sr=8-1/qid=1159466276/ref=sr_1_1/104-0594117-2491144?ie=UTF8&s=electronics
Mike [MSFT] (Expert):
Q: Could I use Group Policy to turn off Games Explorer and limit internet use?
A: There is a policy setting to remove games from the Start menu. There are two additional policy settings specific to Games Explorer, which control tracking game play history and downloading game information.
mark_MSFT (Moderator):
Well that wraps things up for our Group Policy Chat this morning. Thanks to our guests for participating and asking so many great questions, and also thanks to our Experts for being here to answer them.
FYI: A transcript of the complete chat text will be available shortly after this session, linked at the TechNet Community site: http://www.microsoft.com/technet/community/chats/trans/
MORE Group Policy RESOURCES:
Vista GP Settings Lab: http://go.microsoft.com/?linkid=5247636
Vista GP Event Log Lab: http://go.microsoft.com/?linkid=5247635
TechNet Step-By-Step Guide for ADMX Management: http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx
Microsoft Group Policy Public Homepage: http://www.microsoft.com/GroupPolicy
Microsoft Group Policy WIKI: http://www.GroupPolicyWIKI.com/
Microsoft Group Policy BLOG: http://blogs.technet.com/GroupPolicy
Thanks again - see you next time!