Group Policies in Windows Vista ROGGEN Kurt Consultant – System Architect Guidance – DevoTeam http://free-blog-site.com/roggenk
Agenda • The State of Group Policy today • In Microsoft Windows Vista • New features • New and updated policy settings • More features (coming later)
State Of Group Policy Today – Heavily used and with broad coverage… • Of those that have deployed Active Directory, Group Policy is • Actively used by 90%+ of large organizations • Actively used by 60%+ of mid-market customers • Policy settings coverage at the last major release • 1,800+ registry-based policy settings • Many more in security, IE and other extensions • Customers want more policy settings in the areas of security and desktop management
GPO Infrastructure (diagram): Policy Definition, Policy Targeting, Policy Enforcement and Policy Troubleshooting built on Active Directory; GPMC and GPEdit – GPO Management and Operations
GPO Infrastructure – Customer Pains (diagram over the same areas: Policy Definition, Policy Targeting, Policy Enforcement, Policy Troubleshooting, AD, GPMC and GPEdit) • ADM file format and storage issues • SYSVOL bloat • Ping issues, VPN scenarios • Kiosk scenarios • Error messages • Complicated diagnostic log (Userenv) • Difficult to locate settings • Lack of best practice knowledge • What and where is GPMC? • Change management, auditing and workflow
Windows Vista Improvements In Group Policy – More settings, applied more reliably, easier to use (Category: Key Features and Enhancements) • Extending the Coverage: Extended Group Policy to cover new Windows Vista features; Improved coverage in key areas like Security and Desktop management • Ease of Use: GPMC integration into the operating system; Improved syntax and multilingual support for Admin Templates policy settings (ADMX files); A solution to “sysvol bloat”; Searching, Filtering and Templates* • Reliable and Efficient Application of Policy: More secure, stable infrastructure (Group Policy Service); Responsiveness to changing network conditions for GP processing; Enhanced troubleshooting experience; Multiple Local GPOs
Agenda • State of Group Policy today • In Windows Vista • New features • New and updated policy settings • More features (coming later)
Group Policy Client Service • Reliability – A fundamental Vista goal • Prior to Windows Vista, Group Policy processing was implemented within the Winlogon process • Group Policy now runs in a shared service host on the client • Service has been hardened • A local administrator needs elevated privilege to stop the service • Service restart configuration provides recovery from any unexpected failures • Isolation of third-party Client Side Extensions • Note: This is transparent to users
GPMC Integration • GPMC is the “one-stop shop” for managing Group Policy (recommendation for past three years) • Why integrate GPMC into the OS? The perception is: • “It’s just a neat little utility, right?” • “Great, but it’s not part of the OS” • “What’s GPMC?” • Available on client and server - No need to download/install. • In Windows Vista: No major feature updates specifically in GPMC (beyond those necessary to support other new features) • In Windows Server “Longhorn” timeframe: Templates, Comments, Search/Filters
Network Awareness – Problems today • Policy application is not network sensitive • VPN scenario • Laptop hibernate/standby recovery • Slow link detection failures • ICMP turned off at routers • Failures in high bandwidth, high latency (satellite connection) scenarios
Improved Network Awareness • More Responsive to Network Changes • No longer just 90 minutes or so • If previous policy application cycle was skipped or failed then it retries whenever network connectivity (Ability to reach DC) is available • Leverages NLA v2.0 (Network Location Awareness) • Subscribe for DC availability notification • Removal of dependence on ICMP (no more Ping!) • Improved bandwidth determination (through NLA)
Local GPO • Local GPOs are primarily used in • Non-AD environments • Non-domain joined, shared-use machines like kiosks and task stations • Customer request: ability to set different configurations for different users using just the Local GPO • A common example is where local admins need a less locked-down configuration than regular users • Cannot be accomplished today since there is no concept of ‘Security Filtering’ on LGPOs
Multiple Local GPOs • LGPOs can be created for: • The machine (same LGPO as today) • NEW: Admin or non-Admin local groups • NEW: Individual local users • Application order is as above (machine LGPO processed first, etc), so individual user GPO “wins” • Any single user receives either the Admin or the Non-Admin LGPO (not both) • No change with LGPO vs. Domain GPO priority • Domain-based GPOs still have greater precedence than LGPOs • New policy setting: Exclude processing of all local GPOs
Troubleshooting Group Policy – Some challenges • Cryptic error messages • No consistent diagnosis or resolution information • Not actionable • Error help link broken • Userenv.log • Not many users aware of this option • Not admin friendly • Each GP extension has a different format and location for its log • No consolidated, centralized reporting
Windows Vista – GP Logging enhancements • Leverages the new ‘Crimson’ event management infrastructure • XML based event logs • Supports application ‘channels’ • Simple event consolidation using ‘Subscription’ • Can associate actions to events (send e-mail, execute script/WMI jobs) • Two levels of logging • Admin events • Operational events
Windows Vista – GP Logging enhancements • Admin events • Actionable set of events in the ‘System’ log (source = ‘Group Policy Service’, not ‘Userenv’) • Linked to a Microsoft Web site with more information including troubleshooting steps and related KBs • Operational events • Step-by-step policy processing events in the ‘Group Policy’ Application channel • Admin-friendly replacement of Userenv.log • Unique Activity ID enables grouping of events occurring in a single policy refresh • Provides valuable data like username, GPO list, policy processing metrics (total time, individual extension processing time, etc.) • NOTE: Logging enhancements only for the Group Policy engine (not extensions)
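The following PowerShell script is an added example, not part of the presentation, showing how the Activity ID described on this slide can be used in practice: it reads the Group Policy operational channel and groups events per refresh, reporting duration, event count and error/warning counts so that a failed or slow refresh stands out. It assumes PowerShell 2.0 or later (for Get-WinEvent) running elevated on the client; the number of events read back ($MaxEvents) is an arbitrary assumption.

```powershell
# Added example, not from the presentation: summarise recent Group Policy refreshes
# on a Windows Vista (or later) client by grouping the Group Policy operational
# channel's events on their ActivityId, the per-refresh correlation ID the slide
# describes. Needs PowerShell 2.0 or later (Get-WinEvent) in an elevated session.
param(
    [int]$MaxEvents = 2000   # assumption: how many of the newest events to read back
)

$channel = 'Microsoft-Windows-GroupPolicy/Operational'

# Every record in this channel carries the ActivityId of the refresh it belongs to.
$events = Get-WinEvent -LogName $channel -MaxEvents $MaxEvents -ErrorAction Stop

$summary = $events |
    Where-Object { $_.ActivityId } |
    Group-Object -Property ActivityId |
    ForEach-Object {
        $group = @($_.Group | Sort-Object TimeCreated)
        $first = $group[0]
        $last  = $group[$group.Count - 1]
        # Level 2 = Error, 3 = Warning in the Windows event schema
        $errors   = @($group | Where-Object { $_.Level -eq 2 }).Count
        $warnings = @($group | Where-Object { $_.Level -eq 3 }).Count
        New-Object PSObject -Property @{
            ActivityId = $_.Name
            Started    = $first.TimeCreated
            Seconds    = [math]::Round(($last.TimeCreated - $first.TimeCreated).TotalSeconds, 2)
            Events     = $group.Count
            Errors     = $errors
            Warnings   = $warnings
            # first line of the first event's message names the user/computer the refresh ran for
            FirstEvent = ($first.Message -split "`r?`n")[0]
        }
    }

# Most recent refresh first; refreshes with Errors > 0 are the ones to open in Event
# Viewer (filter the channel on that ActivityId to read the step-by-step events).
$summary | Sort-Object Started -Descending |
    Format-Table ActivityId, Started, Seconds, Events, Errors, Warnings, FirstEvent -AutoSize -Wrap
```

Because the engine's events (not the extensions', as the slide notes) share one Activity ID per refresh, the per-refresh duration computed here is the "total time" metric; the per-extension times live in the individual events of the same group.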
ADMX Files – What? • New XML based Administrative Templates • Stored in %windir%\PolicyDefinitions • Split in 2 types of files • ADMX – Core template • ADML – Language template (en-US, nl, fr, ...) • Replaces .ADM files (%windir%\inf) • ADMX per OS component
ADMX Files – Why? • Some challenges with ADM files • No support for multi-lingual environments • Sysvol bloat (4Mb+ per GPO – not a good thing!) • A rather obscure and somewhat limited syntax • ADMX benefits • Multi-lingual support built-in (associated ADML files) • Improved storage of files (uses either local ADMX files or the “central store”) • More extensible language (XML-based)
ADMX Central Store – What? • Default behavior (without the Central Store) • ADMX files local to the administrative machine are used by GPMC/GPEdit • Creating and using the Central Store* • Domain-wide location for storing ADMX files – [sysvol]\policies\PolicyDefinitions • One-off step to create and populate the central store • See the published Step-by-Step guide • From then on, Windows Vista GPMC/GPEdit use the ADMX files in the central store (and ignore the local store) * Does NOT require Windows Server “Longhorn”
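The script below is an added example (not from the presentation or the Step-by-Step guide) that ties the last three slides together: it determines whether this administrative machine would use the local %windir%\PolicyDefinitions store or the SYSVOL central store, reports ADMX files that were never copied to the central store, checks that each ADMX has its ADML language file, and parses the ADMX XML to count the policies and the registry keys they target. The domain name (taken from the environment), the language folder and read access to SYSVOL are assumptions.

```powershell
# Added example, not from the presentation: inventory the ADMX/ADML files GPMC/GPEdit
# would use on this Windows Vista admin workstation and summarise what they define.
# Assumptions: domain from the environment, ADML language folder in $Language,
# read access to \\<domain>\SYSVOL.
param(
    [string]$Domain   = $env:USERDNSDOMAIN,
    [string]$Language = 'en-US'
)

$localStore   = Join-Path $env:windir 'PolicyDefinitions'
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# Vista's GPMC/GPEdit use the central store when it exists and ignore the local one.
if (Test-Path $centralStore) {
    $store = $centralStore
    Write-Host "Central store found: $centralStore (local store is ignored)"

    # ADMX files present locally but never copied to the central store: settings in
    # them will not be visible to any admin editing GPOs from the central store.
    $localNames   = Get-ChildItem $localStore   -Filter *.admx | Select-Object -ExpandProperty Name
    $centralNames = Get-ChildItem $centralStore -Filter *.admx | Select-Object -ExpandProperty Name
    $onlyLocal = Compare-Object $localNames $centralNames | Where-Object { $_.SideIndicator -eq '<=' }
    if ($onlyLocal) {
        Write-Host "Local ADMX files missing from the central store:"
        $onlyLocal | ForEach-Object { Write-Host "  $($_.InputObject)" }
    }
} else {
    $store = $localStore
    Write-Host "No central store at $centralStore; using local store $localStore"
}

# ADMX documents live in this namespace; Select-Xml needs it to match <policy> nodes.
$ns = @{ pd = 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions' }

Get-ChildItem -Path $store -Filter *.admx | ForEach-Object {
    $admx = $_
    # Each ADMX needs a same-named ADML in the language subfolder, otherwise GPEdit
    # shows raw resource identifiers instead of display names.
    $adml    = Join-Path (Join-Path $store $Language) ($admx.BaseName + '.adml')
    $hasAdml = Test-Path $adml

    # Count the <policy> elements and collect the registry keys they write to.
    $policies = @(Select-Xml -Path $admx.FullName -Namespace $ns -XPath '//pd:policy')
    $keys     = @($policies | ForEach-Object { $_.Node.key } | Sort-Object -Unique)

    New-Object PSObject -Property @{
        File         = $admx.Name
        HasAdml      = $hasAdml
        Policies     = $policies.Count
        RegistryKeys = ($keys -join '; ')
    }
} | Sort-Object File | Format-Table File, HasAdml, Policies, RegistryKeys -AutoSize -Wrap
```

Run it on the Vista administrative workstation, not on the domain controller; the point is to see the same file set the GPMC/GPEdit on that machine will load.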
Windows Vista Interop Scenarios (ADMX/ADM Co-Existence) • Windows Vista does not ship with any ADM files; ADMX files are a superset of the older ADM files • Both ADMX and ADM files can co-exist. You can use the “Add/Remove Templates” dialog for ADM files (only) • You can leverage this feature in existing Win2k3/Win2k environments • Only the admin workstations need to run Vista • A conversion tool is available to transform ADM to ADMX (FullArmor – http://download.microsoft.com)
Agenda • State of Group Policy today • In Windows Vista: • New features • New and updated policy settings • More features (coming later)
New/Updated policy settings • Up to 1,800+ policy settings in past – hundreds more in Windows Vista (2500+) • “Groundswell” of support across the Operating System • Group Policy is a Windows ‘Manageability’ basic requirement • Policy Settings Greatly Expanded in a Number of Areas • Some Examples…
Security – Over-privileged users • Most end users have higher privilege on their system than what is required • Security is relaxed to run Line-of-Business applications • Problems • Security risks: spyware and viruses can run in the context of a high-privilege/administrator account • Lost productivity and increased help desk costs • Customers want “secure by default” behavior
User Account Control (UAC) • By default, everyone, including administrators, runs as a standard user • User provides explicit consent before using elevated privilege • Standard users must elevate to an administrator account for privileged tasks
User Account Control (UAC) Policy Settings • Only a per-machine setting • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options • UAC Policy Settings • Behavior of elevation prompt for administrators in Admin Approval Mode (no prompt/prompt for consent/prompt for credentials) • Behavior of elevation prompt for standard users • Detect application installs and prompt for elevation • Elevate executables only if signed and validated • Run all administrators in Admin Approval Mode • Switch to secure desktop when prompting for elevation • Virtualize file and registry write failures to per-user locations
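As an added example that is not part of the presentation, the PowerShell script below audits the seven UAC settings listed on this slide on a Vista client by reading the registry values the Security Options policy writes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and decoding them into the wording of the GPEdit UI. The "Expected" value per setting is the script's own hardening baseline (an assumption), not a value the presentation states.

```powershell
# Added example, not from the presentation: audit the UAC settings on the slide by
# reading the registry values the Security Options policy writes, and compare them
# to a hardening baseline. The baseline ("Expected") is this script's assumption.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$onOff = { param($v) if ($v -eq 1) { 'Enabled' } else { 'Disabled' } }

# Policy name as shown in Security Options, registry value, baseline, and a decoder
# that turns the raw DWORD into the option text the UI shows.
$checks = @(
    @{ Policy = 'Run all administrators in Admin Approval Mode'
       Value = 'EnableLUA'; Expected = 1; Decode = $onOff },
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Value = 'ConsentPromptBehaviorAdmin'; Expected = 2
       Decode = { param($v) switch ($v) { 0 { 'Elevate without prompting' }
                                          1 { 'Prompt for credentials' }
                                          2 { 'Prompt for consent' }
                                          default { "Unknown ($v)" } } } },
    @{ Policy = 'Behavior of the elevation prompt for standard users'
       Value = 'ConsentPromptBehaviorUser'; Expected = 1
       Decode = { param($v) switch ($v) { 0 { 'Automatically deny elevation requests' }
                                          1 { 'Prompt for credentials' }
                                          default { "Unknown ($v)" } } } },
    @{ Policy = 'Detect application installations and prompt for elevation'
       Value = 'EnableInstallerDetection'; Expected = 1; Decode = $onOff },
    @{ Policy = 'Only elevate executables that are signed and validated'
       Value = 'ValidateAdminCodeSignatures'; Expected = $null; Decode = $onOff },  # site decision: blocks unsigned LOB apps
    @{ Policy = 'Switch to the secure desktop when prompting for elevation'
       Value = 'PromptOnSecureDesktop'; Expected = 1; Decode = $onOff },
    @{ Policy = 'Virtualize file and registry write failures to per-user locations'
       Value = 'EnableVirtualization'; Expected = 1; Decode = $onOff }
)

$report = foreach ($c in $checks) {
    # A missing value means the policy was never written; the OS default applies.
    $prop   = Get-ItemProperty -Path $key -Name $c.Value -ErrorAction SilentlyContinue
    $actual = $null
    if ($prop -ne $null) { $actual = $prop.($c.Value) }

    if ($actual -eq $null) {
        $decoded   = 'Not set in registry (OS default applies)'
        $compliant = 'Review'
    } else {
        $decoded = & $c.Decode $actual
        if ($c.Expected -eq $null)       { $compliant = 'Site decision' }
        elseif ($actual -eq $c.Expected) { $compliant = 'Yes' }
        else                             { $compliant = 'NO' }
    }

    New-Object PSObject -Property @{
        Policy    = $c.Policy
        Value     = $c.Value
        Actual    = $decoded
        Compliant = $compliant
    }
}

$report | Format-Table Compliant, Policy, Actual -AutoSize -Wrap
```

Because these are Computer Configuration settings, run the script in an elevated session on the machine itself; a "NO" on EnableLUA, the admin prompt behavior or PromptOnSecureDesktop is the finding to chase first, since those are the settings that decide whether a process running as a standard-user token can gain administrator rights silently.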
Security – Removable storage devices • Significant security risk due to small removable storage devices • USB storage devices • MP3 players • CD/DVD burners • Risks • Unwanted data in (spyware, viruses) • Confidential data out (sales data, product design, price quotes, etc.) • Customers want granular control
Removable Storage Devices Policy Settings • Computer- and User-based Policy to control • Read Access • Write Access • Removable Storage Device classes • CD/DVD • Tapes • USB plug-in devices • Windows Portable Devices (WPD) • All other external removable storage devices • Only Computer settings are applicable on Terminal Server
Windows Firewall And IPsec • Combines Windows Firewall and IPsec management into a single wizard-driven user interface • Provide a more intelligent firewall: Specify allowed applications and ports; Allow connections only if they are secured; Allow connections only from a specified Active Directory group • Enforce isolation scenarios: Restrict network resource access to domain-joined computers • Simplify management: Unifies management concepts into a single console; Streamlines configuration of core scenarios
Security – Other new policy settings • Windows Defender (Anti-Spyware) • Enable/disable real-time protection/scanning • Manage signature download configuration • Device Installation control • Prevent driver installation for specific devices • Wireless and Wired Service configuration • Different policy settings for wired and wireless 802.1x • Network Access Protection • Control quarantine setting • Enhanced Public Key Policy configuration • More policy settings for certificates • Enhanced Internet Explorer security configuration • Support for IE7 security features • ActiveX installer service
Desktop Management – Power management: Group Policy control over power settings allows businesses to control energy costs • Extensive Power Management: Windows Vista includes extensive power management capabilities; All power settings are per-user and per-machine; Group Policy support for all in-box power settings; Separate power plan for when no user is logged into the system • Energy Savings by Default: Default settings enable energy-saving features on all PCs; Sleep is the default “off” behavior for the system; System sleep idle timeouts are enabled; Display blanking timeouts are enabled
Desktop Management – New and improved • Printer Management • Deploy printers to machines or users • Per machine: shared-use computers • Per user: printers follow users • Deploy trusted printer drivers, prevent install of untrusted drivers • Delegate printer installation rights • Internet Explorer • Converting most settings from Internet Explorer Maintenance (IEM) to registry-based • Windows Shell • Classic Shell, Logon, Start Menu, and Control Panel • Screen Saver: define timeout, restrict to “built in screensaver” • Secure Conscious: force prompting, don’t save credentials • Sync and Sharing: item sharing, PC-PC, folder redirection
Coming Later • The following features are targeted for the Windows Server “Longhorn” timeframe but do not require Windows Server “Longhorn”
Comments and Templates • Comments • Enabled per-GPO and per-GPO setting • Free-form text - helpful for simple annotation of administrative intent • Templates • Contain recommended policy settings and values (GPO “starting point”) • Supports the encapsulation of best practices/scenarios • Microsoft will ship some initial scenario-based templates but anyone can create and share custom templates • Create new GPOs based on a template • GPMC provides “template management” support (UI and API)
Search/Filters • Filter/search by: • Text search of setting title, explain text and comments • Platform and application “supported on” tag • Managed (“true GP policy setting”) • Configured (Enabled/Disabled) • Commented • The result of a search is a filtered GPEdit view
GPMC Templates & Comments Integration (screenshot: Filter Options dialog – prototype UI for the Templates and Search and Filter features)
Resources • Group Policy on Microsoft.com • http://www.microsoft.com/GroupPolicy • Group Policy FAQ • http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspx • What's New in Group Policy in Windows Vista and Windows Server "Longhorn" • http://www.microsoft.com/technet/windowsvista/library/a8366c42-6373-48cd-9d11-2510580e4817.mspx • Managing ADMX Files Step by Step Guide • http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx • Group Policy Feature Suggestions, New Policy Setting Ideas, etc. • http://www.WindowsServerFeedback.com
What’s new in GP in Windows Vista • http://www.microsoft.com/technet/windowsvista/library/a8366c42-6373-48cd-9d11-2510580e4817.mspx • New categories of Policy settings • http://www.microsoft.com/technet/windowsvista/library/2b8dc2fd-eafe-4c74-914c-ec101133feb4.mspx • Managing the new ADMX files: A step by step guide • http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx
Technical Community Resources • TechNet Belgium & Luxembourg – www.microsoft.com/belux/technet/ • Resources For IT Professionals – www.microsoft.com/belux/technet/community • Webcasts • Bloggers • Newsgroups • Most Valuable Professionals • Interesting Websites...