Using Group Policy with Windows and Windows Server 2008


Post on 15-Feb-2016


DESCRIPTION

CLI331. Using Group Policy with Windows and Windows Server 2008. Mazhar Mohammed, Development Manager; Derek Melber, DesktopStandard. Session Objectives and Agenda. New features in Windows Vista: Multiple Local GPOs, Network Awareness, ADMX Files, Improved Logging.

TRANSCRIPT

Page 1: Using Group Policy with Windows  and Windows Server 2008

CLI331

Using Group Policy with Windows and Windows Server 2008

Mazhar Mohammed, Development Manager
Derek Melber, DesktopStandard

Session Objectives and Agenda

New features in Windows Vista
- Multiple Local GPOs
- Network Awareness
- ADMX Files
- Improved Logging

Coming in Windows Server 2008
- Filters
- Comments
- Starter GPOs

So, what about those DesktopStandard products?
- GPOVault
- PolicyMaker

Lots of Group Policy Content This Week…

Breakout Sessions
- CLI331: Using Group Policy with Windows Vista and Windows Server 2008 – Mark Williams (Wed 10:15am – 11:30am, Thu 1:00pm – 2:15pm)
- CLI316: Microsoft Desktop Optimization Pack: Advanced Group Policy Management – Derek Melber and Winni Verhoef (Tue 4:30pm – 5:45pm)
- CLI405: Deep Dive Into Windows Vista Group Policy Changes and Troubleshooting – Jeremy Moskowitz (Tue 8:30am – 9:45am, Thu 9:45am – 11:00am)

Chalk Talk
- CLI103-TLC: ADMX File Creation and Management - Judith Herman (Wed 3:45pm – 5:00pm)

Hands on Lab
- CLI13-HOL: Managing Windows Server 2008 and Windows Vista using Group Policy – Self Study lab, throughout the week
- CLI13-ILL: Managing Windows Server 2008 and Windows Vista using Group Policy – Gary Dunlop (Tue 10:15am – 11:30am, Wed 8:30am – 9:45am)

Group Policy Before Windows Vista

Heavily used…
- Majority of enterprise customers actively use Group Policy
- Around 1,800 policy settings in Windows XP

But…
- Group Policy process was part of Winlogon
- Policy setting coverage wasn’t great and missed some important business scenarios
- Managing ADM files was “interesting”
- Limited awareness of changing network conditions
- Limited flexibility with a single local GPO
- Troubleshooting Group Policy was not a joyful experience
- Need to find settings? “Where is that spreadsheet?”

A Summary of New Features in Windows Vista

Group Policy Tools
- New GPOE & GPMC Tools
- Use consistent versions!

Group Policy Service
- GP now runs in a shared service
- Hardened Service, more reliable

Group Policy Templates
- ADM Templates now in ADMX files (ADMX, ADML)

Network Location Awareness (NLA)
- NLA service provides the latest network information
- Applications can query or register with NLA for network change indications

Group Policy Logging
- Administrative log
- Applications and Services log
- XML based event logs
- New Tools - GPLogView

Group Policy Central Store
- Centralized repository for ADMX
- Contains all ADMX templates
- Created in the Sysvol on DC in each domain

Multiple Local GPOs

Group Policy Settings
- Over 800 new policy changes with Windows Vista
- Extended GP for new Windows Vista features

[Diagram: Group Policy Enhancements. A Windows Vista/Windows Server 2008 machine with NLA and its local GPOs (Local Computer Policy, Admin/Non-Admin Group Policy, User Specified Group Policy), and a DC whose SysVol (replicated by FRS/DFS-R) holds Policies with per-GPO GUID folders and ADM files, plus Policy Definitions with ADMX and ADML files.]

Multiple Local GPOs

- More granular management of the local machine (for example differences for admin and non-admin users)
- Local GPOs still lower precedence than domain-based GPOs!
- Processed in the following order (least precedence first):
  1. Local Policy Object (as before Windows Vista and always exists)
     - Processes both computer and user policy
  2. Admin/Non-Admin LGPOs (optionally created by admin)
     - Mutually exclusive for any one user
     - Processes only user policy
  3. Specific User LGPO (created by admin)
     - Local user accounts
     - Processes only user policy
- Create/Manage LGPOs through GPEdit.msc
- New policy in Windows Vista to turn off LGPO processing (only available for domain-joined machines - think about it!)

Network Awareness

Slow Link Detection
- Used to be based on ICMP/PING
- Now uses NLA (no reliance on ICMP/PING)

Policy Refresh
- When a DC is detected, NLA tells GP it can refresh
  - If refresh did not occur within last interval, GP will automatically update
  - If refresh did occur during last interval, GP will not refresh (waits for next scheduled refresh)
- When DC is not responsive, policy processing fails and uses the same state as last successful application

Now responsive to VPN sessions being established

Improved Group Policy Logging

- New logging based upon Windows Eventing
- Two new logs
  - “Windows Log”
  - “Applications and Services Log”
- Administrative events are created in the System log with “Group Policy” as the event source name
- Applications and Services Log: stores operational events
- Replaces userenv.log troubleshooting file
- New Event Viewer options to report, filter and create customised log views
- GPLogView Tools
  - Allows export to XML for event logging
  - Real-time logging
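
The two logs described above can be read together from PowerShell. This added example (not part of the original deck) takes recent Group Policy errors and warnings from the System log, pulls the operational events of the same processing pass by ActivityID and exports them as XML; the provider and channel names `Microsoft-Windows-GroupPolicy` and `Microsoft-Windows-GroupPolicy/Operational`, the 10-event limit and the export folder are assumptions not stated on the slides.

```powershell
# Added example: correlate Group Policy administrative events (System log)
# with the operational trace of the same policy processing pass.
$opLog  = 'Microsoft-Windows-GroupPolicy/Operational'   # Applications and Services log
$outDir = Join-Path $env:TEMP 'gp-trace'                # assumption: export folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Administrative events: errors (2) and warnings (3) from the Group Policy provider.
$admin = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Level        = 2, 3
} -MaxEvents 10 -ErrorAction SilentlyContinue

foreach ($evt in $admin) {
    if ($null -eq $evt.ActivityId) { continue }

    # Every event logged during one processing pass shares an ActivityID.
    $id    = $evt.ActivityId.ToString('B').ToUpper()
    $xpath = "*[System/Correlation/@ActivityID='$id']"
    $trace = @(Get-WinEvent -LogName $opLog -FilterXPath $xpath -Oldest -ErrorAction SilentlyContinue)

    "{0:u}  System event {1} ({2}), {3} operational events" -f $evt.TimeCreated, $evt.Id, $evt.LevelDisplayName, $trace.Count

    # The first line of each message shows where in the pass processing stopped.
    $trace | Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap | Out-String

    # Keep the raw event XML of the pass for offline review.
    $file = Join-Path $outDir ("{0}.xml" -f $evt.ActivityId)
    $trace | ForEach-Object { $_.ToXml() } | Set-Content -LiteralPath $file -Encoding UTF8
}
```

A machine that repeatedly logs failed passes is still running on the state of its last successful policy application, so these events are worth alerting on.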

DEMO: Using Multiple LGPOs and Viewing Group Policy Logs

From ADM to ADMX/L

Why move away from ADM files?
- Language independence
- Sysvol bloat
- Ease of use (ADM “language”)

So, what did we do?
- Introduced ADMX and ADML files
- Introduced the ADMX Central Store
- Moved to XML

Language Independence

- ADM files include strings for a single language
- By comparison, with ADMX files:
  - One ADMX file is associated with one or more ADML (Language) files
  - ADMX files sit in the policydefinitions “root,” with ADML files in language-specific subdirectories
  - Adding support for a language means adding an ADML file

Sysvol Bloat

- Before Windows Vista, when you create a GPO an ADM subdirectory is created in the GPO automatically (Sysvol)
- If you merely view a GPO which does not have the ADM directory, it is recreated
- The ADM subdirectory includes five ADM files, totaling about 3.5 MB
- 100 GPOs? That’s about 350 MB of data, replicated to all DCs. That’s Sysvol Bloat!
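
To put a number on this for a real domain, the added example below (not from the original deck) sums the `Adm` folder of every GPO in SYSVOL and lists any ADM files that are not one of the five system templates. The SYSVOL path built from `$env:USERDNSDOMAIN` and the default system ADM file names are assumptions not stated on the slides.

```powershell
# Added example: measure what the per-GPO ADM copies cost in SYSVOL.
$domain   = $env:USERDNSDOMAIN            # assumption: domain-joined machine, domain user
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Default names of the five system ADM files copied into each GPO (assumption).
$systemAdm = 'conf.adm', 'inetres.adm', 'system.adm', 'wmplayer.adm', 'wuau.adm'

$report = Get-ChildItem -LiteralPath $policies |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $gpo    = $_
        $admDir = Join-Path $gpo.FullName 'Adm'
        if (Test-Path -LiteralPath $admDir) {
            $files  = @(Get-ChildItem -LiteralPath $admDir -Filter *.adm)
            $bytes  = ($files | Measure-Object -Property Length -Sum).Sum
            # Anything outside the system set is a custom template someone added.
            $custom = @($files | Where-Object { $systemAdm -notcontains $_.Name.ToLower() })
            New-Object PSObject -Property @{
                Gpo       = $gpo.Name
                AdmFiles  = $files.Count
                SizeMB    = [math]::Round([double]$bytes / 1MB, 2)
                CustomAdm = ($custom | ForEach-Object { $_.Name }) -join ', '
            }
        }
    }

$report | Sort-Object SizeMB -Descending |
    Format-Table Gpo, AdmFiles, SizeMB, CustomAdm -AutoSize

$total = ($report | Measure-Object -Property SizeMB -Sum).Sum
"{0} GPOs carry an Adm folder, {1:N1} MB replicated to every DC" -f @($report).Count, $total
```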

ADMX, ADML Files and the Central Store

- The Central Store is a domain-wide directory
  - In Sysvol at \Policies\PolicyDefinitions
  - Stores ADMX files (normally one per component)
  - One subdirectory for each supported language (en_us, fr, etc.), each storing ADML files
- If the Central Store exists, Windows Vista tools use it for locating ADMX/ADML files
- If the Central Store does not exist, Windows Vista tools use their local policydefinitions directory

Interop

Windows Vista and Windows Server 2008
- Can manage all Group Policy operating systems

Windows XP, Windows Server 2003 and Windows 2000
- Can manage: Windows XP, Windows Server 2003, Windows 2000
- Can not manage: Windows Vista, Windows Server 2008

DEMO: Creating The Central Store (SysVol Bloat And How To Avoid It)

Things You Should Know About ADMX Files

- Neither ADMX files nor the Central Store has any dependency on Windows Server 2008 (works fine with Windows Server 2003, Windows 2000 and Windows Server 2008 domains). It’s just a directory!
- Windows Vista machines:
  - Use local ADMX files if the Central Store is not created, or
  - Use the Central Store if it exists, ignoring local ADMX files
- Windows Vista will consume any custom ADM files found in a GPO, but ignores the system ADM files
- ADMX files can be stored in the Central Store but not in individual GPOs; you can still add ADM files to a GPO
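
The lookup rule above (Central Store if present, otherwise the local directory, never both) can be checked from an admin workstation. This added example is not from the original deck: it reports which directory the tools will use, checks each language subdirectory for a matching ADML per ADMX, and lists local ADMX files that are ignored because a Central Store exists. The SYSVOL path built from `$env:USERDNSDOMAIN` and the local `%SystemRoot%\PolicyDefinitions` path are assumptions not stated on the slides.

```powershell
# Added example: which policy definitions do the Group Policy tools on this machine load?
$domain  = $env:USERDNSDOMAIN                 # assumption: domain-joined machine, domain user
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'

# The Central Store wins if it exists; otherwise the local directory is used.
if (Test-Path -LiteralPath $central) { $active = $central } else { $active = $local }
"Policy definitions in use: $active"

$admx = @(Get-ChildItem -LiteralPath $active -Filter *.admx)

# Each language subdirectory should hold one ADML file per ADMX file.
Get-ChildItem -LiteralPath $active | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $lang    = $_
    $adml    = @(Get-ChildItem -LiteralPath $lang.FullName -Filter *.adml | ForEach-Object { $_.BaseName })
    $missing = @($admx | Where-Object { $adml -notcontains $_.BaseName })
    "{0,-8} {1,4} ADML files, {2} ADMX without strings" -f $lang.Name, $adml.Count, $missing.Count
    $missing | ForEach-Object { "         missing: $($_.BaseName).adml" }
}

# With a Central Store present, local ADMX files are ignored. Report local
# templates (or newer local copies) that this machine's tools will not use.
if ($active -eq $central) {
    $storeByName = @{}
    $admx | ForEach-Object { $storeByName[$_.Name.ToLower()] = $_ }
    Get-ChildItem -LiteralPath $local -Filter *.admx | ForEach-Object {
        $inStore = $storeByName[$_.Name.ToLower()]
        if (-not $inStore) {
            "not in Central Store: $($_.Name)"
        } elseif ($_.LastWriteTimeUtc -gt $inStore.LastWriteTimeUtc) {
            "local copy is newer:  $($_.Name)"
        }
    }
}
```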

Coming in Windows Server 2008

Search/Filters: Constrain list of settings based on…
- Text search of setting title, explain text and comments
- Platform and applications “supported on”
- Managed (true GP policy setting)
- Configured (enabled or disabled)

The result of a search is a filtered view in the editor

Comments: Annotate per GPO or per setting

Coming in Windows Server 2008

Starter GPOs:
- Encapsulation of best practices/scenarios
- Contain recommended policy settings and values
- Microsoft will make some available for download
- Anyone can create and share new custom templates
- Create new GPOs based on a Starter GPO

DEMO: Filters, Comments and Starter GPOs

PolicyMaker Functionality

- Greatly extends number of settings
  - Computer/user settings
  - Control Panel/Windows settings
- New functionality for new settings
  - Rich UI for easier administration
  - Settings-level filtering
  - Comments
- We are considering how and when to integrate into Windows

PolicyMaker Settings Examples

Windows Settings include:
- Shortcuts
- Drive Mapping
- Folders
- Registry

Control Panel includes:
- Folder Options
- Local Users and Groups
- Scheduled Tasks

Advanced Group Policy Management

- Previously DesktopStandard GPOVault
- Version 2.5 released in July as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance customers
- Key Features
  - Offline Editing
  - Check In/Out
  - Version Control
  - Role-based Delegation
  - Difference Reports (between GPO versions, archived vs. deployed)

DEMO: Advanced Group Policy Management and What-Was-PolicyMaker

Helpful Resources

- Link to Group Policy TechNet page: http://www.microsoft.com/technet/grouppolicy
- Deploying Group Policy Using Windows Vista: http://go.microsoft.com/fwlink/?LinkId=77080
- Group Policy Wiki: http://grouppolicy.editme.com
- Group Policy Team Blog: http://blogs.technet.com/grouppolicy
- Group Policy Settings Reference Windows Vista: http://go.microsoft.com/fwlink/?LinkId=54020
- Step-by-Step Guide to Managing Multiple Local Group Policy Objects: http://go.microsoft.com/fwlink/?LinkId=73434
- How to troubleshoot Group Policy using Event logs: http://go.microsoft.com/fwlink/?LinkId=74139

Resources

- Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
- Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
- Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
- Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx


Q&A


© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.