Thursday, November 02, 2006

Article: Getting Ready for Vista Group Policy

Windows Vista, the next operating system from Microsoft, is scheduled to be released next week on November 8th. One of the most important differences in Vista for the system administrator is how Group Policy works.

The November issue of TechNet Magazine has a good article on Vista's new Group Policy (GP), written by Jeremy Moskowitz, MS GP MVP and webmaster of gpanswers.org.

As good as the article is, Jeremy glosses over and misses some key details of what you need to know to get Vista GPO working on your domain. I had to do some further research and quite a bit of reading to find out how to go about doing this. And of course this is my whole reason for writing this article: to share what I have learned.

First and foremost, Windows Vista now uses policy template files that end in the extension ADMX instead of ADM. The ADMX file is written in XML, quite different from the text-based ADM files. Vista will still read ADM files, but it is not optimal to use them. I found article 918239 on the Microsoft site on how to write a sample ADMX file for Internet Explorer. As you can see, it is not for the faint of heart.

There are over 800 new policies available for Windows Vista. The caveat is that Windows Vista Policies can be put on a Windows 2000 or 2003 server, but MUST be managed from a Windows Vista Machine.

In order to set up your Windows 2000/2003 domain controller to manage Vista Group Policy you must set up a central store. I found the steps to do this on a Microsoft page in the TechNet Library.

Here are the steps from the above Microsoft article for creating a central store on your domain controller in order to use the Vista Group Policies.


The central store has to be created manually once on a domain controller. This domain controller can be a Windows Server 2000/2003. The File Replication Service (FRS) will replicate it to the other domain controllers of this domain. It is recommended, though, to create the central store on the primary domain controller.
  1. First, you have to create the root folder of the central store:
    %systemroot%\sysvol\domain\policies\PolicyDefinitions

  2. Copy all ADMX files (also the .adml folders) from the local store of your Vista machine to the central store. The local store can be found under %systemroot%\PolicyDefinitions.
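
The two steps above as a script, with a check that every copied .admx has its .adml in each language folder. This is an added example, not part of the Microsoft article or the original post. It assumes it is run on the domain controller and that the Vista machine's PolicyDefinitions folder is reachable at the path passed as `-Source`; the function names and that source path are hypothetical.

```powershell
# Added example: populate and verify the central store described above.
# Function names and the -Source location are assumptions for illustration.
function Copy-AdmxToCentralStore {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Source,   # copy of the Vista machine's %systemroot%\PolicyDefinitions
        [string]$Destination = "$env:SystemRoot\sysvol\domain\policies\PolicyDefinitions"
    )

    # Step 1: create the root folder of the central store if it is missing.
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }

    # Step 2a: copy the language-neutral .admx files.
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Destination -Force

    # Step 2b: copy every language folder (for example en-US) and its .adml files.
    Get-ChildItem -LiteralPath $Source | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $langDir = Join-Path $Destination $_.Name
        if (-not (Test-Path -LiteralPath $langDir)) {
            New-Item -ItemType Directory -Path $langDir | Out-Null
        }
        Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $langDir -Force
    }
}

function Test-CentralStore {
    param(
        [string]$Path = "$env:SystemRoot\sysvol\domain\policies\PolicyDefinitions"
    )

    # Emit one object per .admx that has no matching .adml in a language folder;
    # such a template has no display strings for that language.
    $admx  = @(Get-ChildItem -Path (Join-Path $Path '*.admx'))
    $langs = @(Get-ChildItem -LiteralPath $Path | Where-Object { $_.PSIsContainer })
    foreach ($lang in $langs) {
        foreach ($file in $admx) {
            $adml = Join-Path $lang.FullName ($file.BaseName + '.adml')
            if (-not (Test-Path -LiteralPath $adml)) {
                [pscustomobject]@{ Language = $lang.Name; MissingAdmlFor = $file.Name }
            }
        }
    }
}
```

Call `Copy-AdmxToCentralStore -Source <path>` once, then `Test-CentralStore`; no output from the second function means every template has its language file.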

Older versions of Group Policy copied all template files into a new directory for every policy you created. Using a central store saves bunches of disk space. The old GPMC created a separate UUID for each policy you created, and that could go over 5 MB for each policy. A central store in Vista uses the same templates for all policies. This is what makes using the new Vista policies beneficial and worth looking at.

In light of the over 800 new policies, Microsoft has produced a spreadsheet of the policies as of beta 2, available on their website here. Microsoft has also created a guide for Managing Vista Group Policy that you can get from this link. Another version of it, in HTML, can be found here.

So as you can see, the information on ADMX templates and Vista Group Policy is already pretty spread out and available... it is just finding it and sorting it all out that is the problem. The frustration comes when you go to look for some sort of utility to help you create your own ADMX templates with XML or edit existing ones. No such utility exists, and it is noted in the TechNet Magazine article that Microsoft has no plans of releasing one. There is the XML Notepad 2006 utility that may be of use, but that is not specifically made for editing policies, only XML files. You still have to know what you are doing.

If anything I hope this article gives you the additional information and directions of where to go to get the information you need to get you started using Vista Group Policy.

Copyright Jim Kenzig

Here are the link resources from the article:
TechNet Magazine: More Powerful Group Policy In Windows Vista
http://www.microsoft.com/technet/technetmag/issues/2006/11/VistaGPO/default.aspx

MSKB Article 918239: How to write custom .adm and .admx administrative template files to provide an elevation policy for protected mode in Internet Explorer 7.0
http://support.microsoft.com/kb/918239

Editing Domain-Based GPOs Using ADMX Files
http://www.microsoft.com/technet/windowsvista/library/1494d791-72e1-484b-a67a-22f66fbf9d17.mspx

Group Policy Settings Reference Windows Vista Beta 2
http://www.microsoft.com/downloads/details.aspx?FamilyID=7812c9cb-e6ca-4144-98ab-2d78587462c5&DisplayLang=en

Managing Group Policy ADMX Files Step by Step Guide
http://download.microsoft.com/download/3/b/a/3ba6d659-6e39-4cd7-b3a2-9c96482f5353/Managing%20Group%20Policy%20ADMX%20Files%20Step%20by%20Step%20Guide.doc
and
http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx

XML NotePad 2006
http://www.microsoft.com/downloads/details.aspx?familyid=72D6AA49-787D-4118-BA5F-4F30FE913628&displaylang=en
