Group Policy

Group Policy

This article discusses the new and enhanced features of Group Policy that appear in Windows Vista®. These enhancements are designed to extend Group Policy capabilities, make Group Policy easier to use, and make application of Group Policy more reliable and efficient.

Group Policy provides an infrastructure for the centralized configuration and management of policy settings that are targeted to specific groups of users and computers. A Group Policy object (GPO) is a virtual collection of policy settings that control such things as network access, power management, and device installation. A GPO can be locally based or linked to an Active Directory container.

The Group Policy infrastructure consists of a Group Policy engine and individual components known as client-side extensions that apply the policy settings. The most extensive client-side extension is the Administrative Templates extension, which stores policy settings in the registry and uses ADMX files for presentation. The new ADMX files are an XML replacement for the ADM files available in previous versions of Windows®.

Group Policy is managed and edited using two tools. The first tool, Group Policy Management Console (GPMC), lets users create, view, and manage GPOs. The second tool, Group Policy Object Editor (GPOE), lets users configure and modify settings within a GPO.

This discussion of the changes to Group Policy is divided into two main sections. The first section focuses on the improvements to the Group Policy infrastructure and the second highlights the new Group Policy settings.

Improvements to the Group Policy Infrastructure

The Group Policy infrastructure has changed significantly in Windows Vista. The following sections discuss these changes:

Better responsiveness to changing network conditions during Group Policy processing.
Reduction of System Volume (Sysvol) size and replication traffic.
New Group Policy Client service.
New event and logging structure.
Multiple local Group Policy objects.
Enhanced management tools.
New XML-based Administrative Template files with multi-language functionality.
A central store for the new Administrative Template files.

Better Responsiveness to Changing Network Conditions

Application of Group Policy settings relies heavily on the availability of a network connection and the connection speed. In previous versions of Windows, the Group Policy engine determines the state and speed of a network connection by sending Internet Control Message Protocol (ICMP) ping packets to domain controllers. However, this approach is unreliable over high-latency networks and complicated by host-based firewalls that block ping messages.

In Windows Vista, Group Policy no longer relies on ICMP to determine the connection speed, but instead uses the new Network Location Awareness service. This service alerts the Group Policy engine to whether a Network Interface Card (NIC) is enabled or disabled, alerts the engine when a network connection is available, and improves the ability of the client to detect a domain controller when a network becomes available after a period of being offline. As a result, Windows Vista provides faster boot times, more reliable application of policy, and better support for roaming.

With Network Location Awareness, Group Policy also has access to resource detection and event notification capabilities in the operating system, such as recovery from hibernation or standby, establishment of VPN sessions, and moving in or out of a wireless network.

For more information, see Network Location Awareness.

Reduction of Sysvol Size and Replication Traffic

In previous versions of Windows, when a GPO is created, all the default Administrative Template files are added to the GPO. The storage cost is approximately 4 MB per GPO for the default templates, but can be larger if there are custom templates. In Windows Vista, each GPO does not contain its own Administrative Template files, resulting in a savings of about 4 MB per GPO in Sysvol (a shared folder on a domain controller) size and less replication traffic.

New Group Policy Client Service

Windows XP® implements client-side Group Policy processing within the system boot/logon process. In some cases, this enables users to log on to their computers before the application of Group Policy is complete. In Windows Vista, Group Policy processing occurs through the new Group Policy Client service and is isolated from the logon process, eliminating this problem.

For increased security, users cannot start or stop the Group Policy Client service. In the Services snap-in, the options to start, stop, pause, and resume the Group Policy client are unavailable.

The Group Policy Client service includes the following additional benefits:

Group Policy files can be updated without requiring a restart of the operating system.
The application of policy is more efficient because of the reduction of resources used for background processing.

New Event and Logging Structure

In Windows XP and Windows Server® 2003, the Group Policy infrastructure writes function trace statements and supporting data to the user environment log file (userenv.log); however, the log is shared with user profile functions, which sometimes make the file difficult to use.

In Windows Vista, Group Policy logging is made to the new Group Policy Operational log, which provides improved messages specific to Group Policy processing.

Another change is the location of Group Policy event messages, which previously appeared in the Application log and now appear in the System log with an event source of "GroupPolicy."

For more information, see Troubleshooting Group Policy Using Event Logs.

Multiple Local Group Policy Objects

Windows XP supports only one local Group Policy object, so changes made to its settings affect all users and administrators who use that computer. This behavior can be a nuisance for local administrators who have to explicitly disable or remove Group Policy settings that interfere with their ability to manage the workstation before performing administrative tasks.

Windows Vista addresses this problem by allowing the use of multiple local GPOs. For example, one GPO can be assigned to the Administrators group, and another GPO, with different settings can be assigned to a specific local user. This feature works with domain-based Group Policy and can be disabled through a Group Policy setting.

For more information, see Step-by-Step Guide to Managing Multiple Local Group Policy Objects.

Enhanced Management Tools

The Group Policy Management Console (gpmc.msc) and Group Policy Object Editor (gpedit.msc) are the standard tools for managing Group Policy. GPMC is a scriptable Microsoft Management Console snap-in and is integrated into the Windows Vista operating system. GPMC provides a single administrative tool for managing Group Policy across the enterprise, including the creation and viewing of GPOs. GPMC also provides direct access to the GPOE, which is used to edit the individual policy settings contained within each GPO.

The enhanced GPMC available with Windows Vista provides the following benefits over the downloadable component that is available for Windows XP and Windows Server 2003:

Support for Windows Vista.
Multi-language support.
Use of the central store.

For more information, see Microsoft Management Console (MMC) and Deploying Group Policy Using Windows Vista.

New Administrative Template Files with Multi-language Functionality

Windows Vista introduces two new file types for displaying Administrative Template settings in the GPOE. The new file types, ADMX language-neutral (.admx) and ADMX language-specific (.adml), replace the ADM (.adm) files used in Windows XP and Windows Server 2003. The new ADMX files are defined using a standards-based, XML file format and are installed locally in the %systemroot%\PolicyDefinitions folder as opposed to the %systemroot%\System32\GroupPolicy\Adm folder for ADM files. The ADMX files are recognized only by the Group Policy tools in Windows Vista.

A language-neutral ADMX file determines the number and types of policy settings, and their location by category in the GPOE display. ADML files provide the language-specific information needed by the language-neutral ADMX file. The ADMX file references a specific ADML file in order to display a policy setting in the correct language. Adding a new language is achieved by adding a new ADML file in the specified language.

The following example demonstrates the benefit of this new multi-language functionality. A Group Policy administrator creates a Group Policy object from a Windows Vista administrative workstation configured for English, saves the GPO, and links it to a domain deployed across geographic boundaries. A colleague in Paris on a Windows Vista workstation configured for French can browse the same domain using the GPMC, select the GPO created in English, and view and edit the policy settings in French. All the while the Group Policy administrator who created the GPO can still see the settings in English, including those changes from the French administrator.

For more information, see Managing Group Policy ADMX Files Step-by-Step Guide.

New Central Store

The central store is an administrator-created folder on the Sysvol of an Active Directory domain controller that provides a single centralized storage location for all Administrative Template files (ADMX and ADML) for the domain. Using the central store, all administrators who edit domain-based Group Policy objects have access to the same set of files. Once the central store is created, the Group Policy tools use only the ADMX files in the central store and ignore ADMX versions stored locally. The central store is optional; if it is not created, the Group Policy tools use the local ADMX files. The root folder for the central store must be named "PolicyDefinitions" and must be located at %systemroot%\sysvol\domain\policies\PolicyDefinitions.

Note Reading ADMX files from the central store might have an impact on the response speed of the Group Policy tools if the domain controllers are located in a site separated from the administration machine by Wide Area Network (WAN) links.

For more information, see Managing Group Policy ADMX Files Step-by-Step Guide.

New Group Policy Settings

Windows Vista adds more than 800 new Administrative Template settings to the roughly 1,800 available with Windows XP, including new settings for security, power management, device installation, and Internet Explorer management. Besides the new Administrative Template settings, Windows Vista provides new policy settings for deployed printers, policy-based Quality of Service (QoS), remote installation services, and additional security. For detailed information, see Summary of New or Expanded Group Policy Settings.

The following sections describe some of the new and enhanced Group Policy settings in Windows Vista:

Security enhancements.
New power management.
New device installation control.
New Windows Firewall with Advanced Security.
New printer assignment based on location.
New management for Internet Explorer.

New Security Settings

Windows Vista provides many new security settings in the following areas:

Windows Defender (anti-malware)—used for enabling or disabling real-time protection and scanning. Also used for managing signature download configuration. Located under Computer Configuration\Administrative Templates\Windows Components\Windows Defender in the GPOE.
Network Access Protection—provides policy to establish and enforce configuration requirements for computers accessing the corporate network. Located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options in the GPOE.
Public Key Policies—provides policy settings for digital certificates. Located under Computer Configuration\Windows Settings\Security Settings\Public Key Policies in the GPOE.
Windows Firewall with Advanced Security—includes support for Internet Protocol security (IPsec) rules. Located under Computer Configuration\Windows Settings\Security Settings\Firewall with Advanced Security in the GPOE.

New Power-Management Settings

A key area of configuration that customers have requested is the ability to control electrical power consumption. Microsoft has added this capability to Group Policy in Windows Vista. Application developers and administrators can use Group Policy to control how computers, peripheral devices, and portable devices use power.

Controlling power can provide an immediate financial benefit to companies by establishing power-management settings on desktops. For example, reducing the occurrence of having computers in a full power state when users are away for hours or days can save a significant amount of money in energy and other resource consumption.

Battery life is a limitation of many portable devices. Although hardware manufacturers continually improve the effective battery life of portable devices, application developers have to take proactive steps to improve the power usage of their applications on these devices. Applications that run on portable devices need to recognize whether the power source is battery or AC, and use computer resources appropriately. For example, if the power source is a battery, nonessential features such as animations and polling loops can be minimized, screens can be made less bright, hard drives can be spun down, and CPUs can be put into a power-savings mode until needed.

It is important for applications developed for portable devices to be aware when the state of the power changes and notify users to take appropriate action—for instance, to save data before a loss of power occurs. Applications should not use a device that is powered down; instead, they should wait until the device is powered up for general use. Also, applications should minimize system restarts, which are very power-consuming operations.

Windows Vista includes extensive power-management capabilities. All power policy settings are based on per-user and per-machine settings. These power-management features include:

Group Policy enforcement of manufacturer or corporate custom (in-box) power settings.
Separate power plan configurations for users logged into the system.
Default settings that enable energy-saving features on all computers.
Sleep mode that turns the system off by default.
Display idle timeouts enabled.
System sleep idle timeouts enabled.

Administrators can modify specific power policy settings through individual Group Policy settings, or they can construct, deploy, and enforce a custom power plan.

Power-management policy settings are located under Computer Configuration\Administrative Templates\System\Power Management in the GPOE. There also is a single setting under the User Configuration node.

New Device Installation Settings

Many IT professionals who work in the area of security are concerned about removable media devices such as USB, CD-RW, and DVD-RW drives. The installation and use of these devices can pose a threat to desktops and networks through the introduction of viruses, worms, and other malicious applications. They also can expose data to theft. Windows Vista provides policy settings that control device installation and use.

Windows uses a device identification string and device setup classes to control device installation and configuration. Windows communicates with a device through a device driver. When installing a device, Windows detects the device, recognizes its type, and then locates the device driver that matches that type. Group Policy settings can specify which of these device installations to allow or block.

The ability to restrict the devices that users can install provides the following benefits:

Reduces the risk of malware, such as viruses, worms, and other malicious applications.
Reduces support cost. For example, a system administrator can ensure that users install only those devices that an organization's help desk is trained and equipped to support.
Reduces the risk of data theft. For example, if users cannot install a CD-R device, they cannot burn copies of company data onto a recordable CD.

Examples of device-installation policy settings include:

Prevent users but not administrators from installing any device.
Allow installation only of authorized devices.
Prevent installation of prohibited devices.
Deny write access to removable media devices, but allow read access.

Device installation policy settings are located under Computer Configuration\Administrative Templates\System\Device Installation in the GPOE. For more information, see Step-By-Step Guide to Controlling Device Installation Using Group Policy.

Windows Firewall with Advanced Security Settings

Windows Vista has combined two security-related technologies: host firewall and Internet Protocol security (IPsec). The configuration settings of these technologies are integrated into a single Microsoft Management Console named Windows Firewall with Advanced Security (WFAC).

WFAC is a host-based firewall that blocks incoming and outgoing connections based on its configuration. While basic end-user configuration still takes place through the Windows Firewall tool in Control Panel, advanced configuration now takes place in WFAC. The combination of host firewall and IPsec Group Policy settings leverages the advantages of both technologies while eliminating the need to create and maintain duplicate functionality.

WFAC adds a number of new and enhanced features to the previous versions of Windows Firewall. The important new features include:

Windows service hardening.
Granular rules.
Outbound filtering.
Location-aware profiles.
Authenticated bypass.
Active Directory user, computer, and groups support.
IPv6 support.

Windows Vista provides the ability to configure Windows Firewall for three domains (profiles): Domain, Private, and Public. In addition, it adds outbound blocking and more granular rule setting.

WFAC policy settings are located under Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security in the GPOE.

Windows service hardening

Windows service hardening helps prevent critical Windows services from being used for potentially malicious activity in the file system, registry, or network. A service can stipulate a set of rules that define expected network traffic from the service. Windows Firewall enforces these rules and blocks unexpected behavior. In addition, services can be limited to writing only to specific areas of the file system or registry based on Access Control Lists (ACLs). This limitation helps prevent a compromised service from changing important configuration settings in the file system or registry, or infecting other computers on the network.

Granular rules

By default, Windows Firewall is enabled for both inbound and outbound connections. The default policy is to block most inbound connections and allow outbound connections. Administrators can use the WFAC interface to configure rules for both inbound and outbound connections. WFAC also supports the filtering of any protocol numbers, while previous versions of Windows Firewall supported filtering only on User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP).

Outbound filtering

The Windows Firewall can manage outbound filtering as well as inbound. This feature helps administrators limit which applications can send traffic to the network, thus enforcing corporate policies for compliance.

Location-aware profiles

Different rules and settings can be configured for the following firewall profiles:

Domain—used when a computer is connected to an Active Directory domain of which the computer is a member. Outbound filtering is disabled by default.
Private—used when a computer is connected to a private network behind a private gateway or router. Only a user with administrative privileges can designate a network as Private.
Public—used when a computer is connected directly to the Internet or any network that has not been selected as Private or Domain.

Authenticated bypass

With IPsec authentication, administrators can configure bypass rules for specific computers so that connections from those computers bypass other rules set up in WFAC. This feature enables administrators to block a particular type of traffic, but allow authenticated computers to bypass the block. With Windows Vista, the Windows Firewall can allow more granular authenticated bypass rules, allowing administrators to specify which ports, programs, computer, or group of computers can have access.

Active Directory user, computer, and groups support

Administrators can create firewall rules that filter connections by user, computer, or groups in Active Directory. For these types of rules, the connection must be secured with IPsec using a credential that carries the Active Directory account information, such as Kerberos version 5 (v5).

IPv6 support

The Windows Firewall with Advanced Security fully supports a pure (meaning no IPv4 addresses) Internet Protocol version 6 (IPv6) environment.

New Printer Assignment Based on Location Settings

Printer management can be a difficult task for almost every company and network administrator. For companies that use a brigade of laptop computers, printer management can be more complex as users move from building to building or campus to campus. Windows Vista addresses this issue by providing the ability to configure printers based on the current Active Directory site where the computer belongs. The ability to assign printers based on geography or location in an organization is a new feature. Because Active Directory sites typically map out the geographical or physical network topology, this ability creates a perfect solution for delivering printers to laptop users.

Administrators can assign printers based on location. When mobile users move to a different location, Group Policy can update their printers for the new location. Mobile users returning to their primary locations see their usual default printers.

Note:
Group Policy will not automatically refresh the printer policy settings when a computer moves to a new location. New printer assignments will be available after a Group Policy refresh following the location change.

The Printer Assignment Based on Location policy settings are located under Computer Configuration\Windows Settings\Deployed Printers and User Configuration\Windows Settings\Deployed Printers in the GPOE.

New Internet Explorer Settings

In Windows Vista, Internet Explorer can be managed in one place using Group Policy, eliminating the need for the Internet Explorer Administration Kit (IEAK). The majority of the policy settings are under Administrative Templates in the GPOE, including most of those previously under the Internet Explorer Maintenance (IEM) extension.

The Internet Explorer policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer and in User Configuration\Administrative Templates\Windows Components\Internet Explorer in the GPOE.