1 Group Policy – What's New In Vista And Longhorn Server Sean Rooney Microsoft Consulting Services

2 State Of Group Policy Today
Heavily used and with broad coverage. Of those that have deployed Active Directory, Group Policy is:
- Actively used by 90%+ of large organizations/enterprises
- Actively used by 60%+ of mid-market customers
Policy settings coverage at last major release:
- 1,800+ registry-based policy settings
- Many more in security, IE and other extensions
Customers want more policy settings in the areas of security and desktop management

3 GPO Infrastructure (diagram)
Active Directory; Policy Targeting; Policy Troubleshooting; Policy Enforcement; Policy Definition; GPMC and GPEdit – GPO Management and Operations

4 GPO Infrastructure – Customer Pains (diagram: AD, Policy Targeting, Policy Troubleshooting, Policy Enforcement, Policy Definition, GPMC and GPEdit – GPO Management and Operations)
- Difficult to locate settings
- Lack of best practice knowledge
- ADM file format and storage issues
- Sysvol bloat
- Ping issues, VPN scenarios
- Kiosk scenarios
- Error messages
- Complicated diagnostic log (Userenv)
- What and where is GPMC?
- Change management, auditing and workflow

5 Windows Vista Improvements In Group Policy
More settings, applied more reliably, easier to use
Category / Key Features and Enhancements:
- Ease of Use: GPMC integration into the operating system; improved syntax and multilingual support for Admin Templates policy settings (ADMX files); a solution to sysvol bloat; searching, filtering and templates (SP1)
- Reliable and Efficient Application of Policy: more secure, stable infrastructure (Group Policy Service); responsiveness to changing network conditions for GP processing; enhanced troubleshooting experience; multiple Local GPOs
- Extending the Coverage: extended Group Policy to cover new Windows Vista features; improved coverage in key areas like security and desktop management

6 Group Policy Client Service
Reliability – a fundamental Vista goal
- Prior to Windows Vista, Group Policy processing was implemented within the Winlogon process
- Group Policy now runs in a shared service host on the client
- Service has been hardened: a local administrator needs elevated privilege to stop the service
- Service restart configuration provides recovery from any unexpected failures
- Isolation of third-party Client Side Extensions
Note: This is transparent to users

7 Network Awareness
Problems today:
- Policy application is not network sensitive
  - VPN scenario
  - Laptop hibernate/standby recovery
- Slow link detection failures
  - ICMP turned off at routers
  - Failures in high-bandwidth, high-latency (satellite connection) scenarios

8 Improved Network Awareness
More responsive to network changes:
- No longer just 90 minutes or so
- If the previous policy application cycle was skipped or failed, it retries whenever network connectivity (the ability to reach a DC) is available
- Leverages NLA v2.0 (Network Location Awareness)
  - Subscribes for DC availability notification
  - Removal of dependence on ICMP (no more ping!)
  - Improved bandwidth determination (through NLA)
Note: Network Quarantine scenario needs additional configuration

9 Local GPO – Customer request
- Local GPOs are primarily used in non-AD environments for non-domain-joined, shared-use machines like kiosks and task stations
- Customer request: ability to set different configurations for different users using just the Local GPO
  - Common example is where local admins need a less locked-down configuration than regular users
  - Cannot be accomplished today since there is no concept of security filtering on LGPOs

10 Multiple Local GPOs
Supports having different policy settings for different local users. LGPOs for:
- The machine (same LGPO as today)
- NEW: Local groups (Admin or Non-Admin)
- NEW: Individual local users
Application order is the same as above
Note: Any single user receives either the Admin or the Non-Admin LGPO (not both)
Domain GPOs still have greater precedence than LGPOs (as today)
New policy setting – ability to exclude all local GPO processing
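The layering described on this slide can be checked on a machine directly. The following is an added example, not code from the presentation: it enumerates the Multiple Local GPO layers present and reports which of them a given local user would receive. It assumes the on-disk layout used by Windows Vista and later (Local Computer LGPO in %windir%\System32\GroupPolicy, group and per-user LGPOs in %windir%\System32\GroupPolicyUsers\<SID>, with S-1-5-32-544 for Administrators and S-1-5-32-545 for Non-Administrators) and the DisableLGPOProcessing value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, which is what the new "turn off local GPO processing" setting writes. Run it elevated, since the folders are hidden.

```powershell
# Added example (not from the deck): list MLGPO layers on this machine and the layers a user receives.
# Assumes the Vista+ on-disk layout and the DisableLGPOProcessing policy value described in the lead-in.
function Get-LocalGpoLayers {
    $machineLgpo = Join-Path $env:windir 'System32\GroupPolicy'
    $userRoot    = Join-Path $env:windir 'System32\GroupPolicyUsers'
    $layers = @()
    # Layer 1: the Local Computer LGPO (the same one that existed before Vista)
    $layers += New-Object PSObject -Property @{
        Order = 1; Layer = 'Local Computer'; Principal = '(all users)'; Path = $machineLgpo
        Exists = (Test-Path $machineLgpo)
    }
    if (Test-Path $userRoot) {
        foreach ($dir in (Get-ChildItem -Path $userRoot -Force | Where-Object { $_.PSIsContainer })) {
            $sid = $dir.Name
            # Layer 2: group LGPOs keyed by well-known SID; layer 3: per-user LGPOs keyed by the user's SID
            switch ($sid) {
                'S-1-5-32-544' { $layer = 'Administrators';     $order = 2 }
                'S-1-5-32-545' { $layer = 'Non-Administrators'; $order = 2 }
                default        { $layer = 'User-specific';      $order = 3 }
            }
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = $sid }
            $layers += New-Object PSObject -Property @{
                Order = $order; Layer = $layer; Principal = $name; Path = $dir.FullName; Exists = $true
            }
        }
    }
    $layers | Sort-Object Order, Principal
}

function Test-LocalGpoForUser {
    param([Parameter(Mandatory = $true)][string]$UserName)   # a local account name, e.g. 'kiosk' (placeholder)
    # The new Vista policy setting can switch off all local GPO processing; check that first
    $sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if ((Test-Path $sysKey) -and ((Get-ItemProperty -Path $sysKey).DisableLGPOProcessing -eq 1)) {
        return 'Local GPO processing is turned off by policy; only domain GPOs apply'
    }
    # A user gets the Administrators LGPO if a member of the local Administrators group, else Non-Administrators
    $admins  = [ADSI]'WinNT://./Administrators,group'
    $members = @($admins.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    $groupLayer = if ($members -contains $UserName) { 'Administrators' } else { 'Non-Administrators' }

    $sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $layers  = Get-LocalGpoLayers
    $applied = @('Local Computer')
    if ($layers | Where-Object { $_.Layer -eq $groupLayer }) { $applied += $groupLayer }
    if ($layers | Where-Object { $_.Path -like "*\$sid" })    { $applied += "User-specific ($UserName)" }
    # Later layers win on conflict; domain GPOs (not enumerated here) override all of them
    $applied -join ' -> '
}

Get-LocalGpoLayers | Format-Table Order, Layer, Principal, Exists, Path -AutoSize
Test-LocalGpoForUser -UserName 'kiosk'
```

On a kiosk that was locked down with MLGPOs, comparing this output against the intended layers is a quick way to spot an extra per-user LGPO that someone with local admin rights added, since the Group Policy service will faithfully reapply whatever is in those folders.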

11 Troubleshooting Group Policy – Some challenges
- Cryptic error messages
  - No consistent diagnosis or resolution information
  - Error help link broken
  - Not actionable
- Userenv.log
  - Not many users aware of this option
  - Not IT admin friendly
- Each GP extension has a different format and location for its log
- No consolidated, centralized reporting

12 Windows Vista GP Logging enhancements
- Leverages the new "Crimson" event management feature
  - XML-based event logs
  - Supports application channels
  - Simple event consolidation using subscriptions
  - Can associate actions to events (send e-mail, execute script/WMI jobs)
- Two levels of logging
  - Admin events
  - Operational events
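Because the new logging is XML-based and every event of one processing cycle carries the same ActivityId, the cycle can be reassembled with a script instead of reading Userenv.log by hand. The following is an added example, not code from the presentation. It assumes Windows Vista or later with PowerShell 2.0 or newer (for Get-WinEvent) in an elevated session, the operational channel name Microsoft-Windows-GroupPolicy/Operational, and the event ID ranges the Group Policy service uses in that log (4000-4007 start of a cycle, 5xxx informational, 6xxx warnings, 7xxx errors, 8000-8007 end of a cycle).

```powershell
# Added example (not from the deck): correlate the most recent Group Policy processing cycle by ActivityId.
# Assumes PowerShell 2.0+ on Windows Vista or later and the event ID ranges named in the lead-in.
function Get-FirstLine($event) { (($event.Message -split "`r?`n")[0]).Trim() }

function Get-LastGpCycle {
    $log = 'Microsoft-Windows-GroupPolicy/Operational'
    # Newest "start of processing" event; -ErrorAction Stop throws if the log holds none
    $start = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = (4000..4007) } -MaxEvents 1 -ErrorAction Stop
    $activity = $start.ActivityId
    # Everything the service logged for this cycle shares the start event's ActivityId
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start.TimeCreated } |
        Where-Object { $_.ActivityId -eq $activity } | Sort-Object TimeCreated, RecordId)
    $end      = $events | Where-Object { $_.Id -ge 8000 -and $_.Id -le 8007 } | Select-Object -Last 1
    $errors   = @($events | Where-Object { $_.Id -ge 7000 -and $_.Id -lt 8000 })
    $warnings = @($events | Where-Object { $_.Id -ge 6000 -and $_.Id -lt 7000 })
    $finished = $null
    if ($end) { $finished = $end.TimeCreated }
    New-Object PSObject -Property @{
        ActivityId = $activity
        Scenario   = Get-FirstLine $start            # e.g. which trigger started the cycle (boot, logon, manual, periodic)
        Started    = $start.TimeCreated
        Finished   = $finished
        Completed  = [bool]$end                      # $false = cycle never logged its 8xxx end event
        EventCount = $events.Count
        Errors     = @($errors   | ForEach-Object { "$($_.Id): $(Get-FirstLine $_)" })
        Warnings   = @($warnings | ForEach-Object { "$($_.Id): $(Get-FirstLine $_)" })
    }
}

$cycle = Get-LastGpCycle
$cycle | Format-List Scenario, Started, Finished, Completed, EventCount, Errors, Warnings
```

The Admin-level events (the ones an operator is expected to act on) are written to the System log under the Microsoft-Windows-GroupPolicy provider, so a subscription that forwards only that provider from the System channel gives the "consolidated, centralized reporting" the previous slide asks for without shipping the far noisier operational channel.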

13 GPMC Integration
GPMC is the one-stop shop for managing Group Policy (has been our recommendation for almost 3 years)
Why integrate GPMC into the operating system? The perception is:
- It's just a little utility
- Great, but it's not part of the operating system
- What's GPMC?
Will be available on client and server – no need to download/install
No major feature updates; just bug fixes and localization
Some feature updates will be available in Longhorn Server (Vista SP1)

14 ADMX Files
Some challenges with ADM files:
- No support for multi-lingual environments
- Sysvol bloat (4 MB+ per GPO – not a good thing!)
- A rather obscure and somewhat limited syntax
ADMX benefits:
- Multi-lingual support built in (associated ADML files)
- Improved storage of files (uses either local ADMX files or the central store)
- More extensible language (XML-based)
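The split between the language-neutral ADMX file and the per-language ADML file is easiest to see by parsing one. The following is an added example, not from the presentation or from Microsoft's templates: both XML documents are constructed for this example (the kiosk namespace, category, policy names and registry path are invented), while the element and attribute names are those of the ADMX/ADML schema. The function lists what each policy writes to the registry and resolves the $(string.X) references through the string table, which is exactly what changes when a French ADML is substituted for the English one.

```powershell
# Added example (not from the deck): parse a constructed ADMX/ADML pair and summarise each policy.
$admxText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="kiosk" namespace="Example.Policies.Kiosk" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="KioskCat" displayName="$(string.KioskCat)" />
  </categories>
  <policies>
    <policy name="DisableCmd" class="User" displayName="$(string.DisableCmd)" explainText="$(string.DisableCmd_Help)"
            key="Software\Policies\Example\Kiosk" valueName="DisableCmd">
      <parentCategory ref="KioskCat" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="IdleLogoff" class="Machine" displayName="$(string.IdleLogoff)" explainText="$(string.IdleLogoff_Help)"
            key="Software\Policies\Example\Kiosk">
      <parentCategory ref="KioskCat" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <elements>
        <decimal id="IdleMinutes" valueName="IdleLogoffMinutes" minValue="1" maxValue="120" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

# The matching en-US\*.adml: only strings, no registry knowledge. A fr-FR\*.adml has the same ids, French text.
$admlText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
  <displayName>Example kiosk policies</displayName>
  <description>Constructed ADML for the example ADMX</description>
  <resources>
    <stringTable>
      <string id="KioskCat">Kiosk lockdown</string>
      <string id="DisableCmd">Disable the command prompt</string>
      <string id="DisableCmd_Help">Prevents the user from running cmd.exe on a shared kiosk.</string>
      <string id="IdleLogoff">Log off after idle time</string>
      <string id="IdleLogoff_Help">Minutes of inactivity before the kiosk session is logged off.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

function Get-AdmxPolicySummary {
    param([string]$Admx, [string]$Adml)
    [xml]$x = $Admx
    [xml]$r = $Adml
    # id -> text lookup from the ADML string table; GetAttribute avoids clashes with XmlElement's own .Name
    $strings = @{}
    foreach ($s in $r.SelectNodes('/policyDefinitionResources/resources/stringTable/string')) {
        $strings[$s.GetAttribute('id')] = $s.InnerText
    }
    function Resolve-Ref($ref) {
        # displayName="$(string.X)" is a reference into the string table; anything else is literal
        if ($ref -match '^\$\(string\.(\w+)\)$') { return $strings[$matches[1]] }
        return $ref
    }
    foreach ($p in $x.SelectNodes('/policyDefinitions/policies/policy')) {
        $values = @()
        if ($p.HasAttribute('valueName')) { $values += $p.GetAttribute('valueName') }
        foreach ($e in $p.SelectNodes('elements/*')) {
            if ($e.HasAttribute('valueName')) { $values += $e.GetAttribute('valueName') }
        }
        $catRef = $p.SelectSingleNode('parentCategory').GetAttribute('ref')
        $cat    = $x.SelectSingleNode("/policyDefinitions/categories/category[@name='$catRef']")
        New-Object PSObject -Property @{
            Policy      = $p.GetAttribute('name')
            Class       = $p.GetAttribute('class')    # User -> HKCU, Machine -> HKLM, Both -> both hives
            Category    = Resolve-Ref $cat.GetAttribute('displayName')
            DisplayName = Resolve-Ref $p.GetAttribute('displayName')
            RegistryKey = $p.GetAttribute('key')
            ValueNames  = ($values -join ', ')
        }
    }
}

Get-AdmxPolicySummary -Admx $admxText -Adml $admlText | Format-Table Policy, Class, Category, DisplayName, RegistryKey, ValueNames -AutoSize
```

Note what is and is not in each file: the ADMX carries the registry key, value names and the enabled/disabled encodings, so a template author can localize by shipping only a new ADML; conversely, anyone reviewing a third-party template for what it will actually write to clients needs to read the ADMX, not the text the editor shows.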

15 No Central Store (diagram)
- Windows Vista administrative machine (English): %windir%\policydefinitions\Printing.admx, inetres.admx, ...; %windir%\policydefinitions\en-us\Printing.adml, inetres.adml
- Windows Vista administrative machine (French): %windir%\policydefinitions\Printing.admx, inetres.admx, ...; %windir%\policydefinitions\fr\Printing.adml, inetres.adml

16 Using The Central Store (diagram)
One shared location, \policies\policydefinitions, holding Printing.admx, inetres.admx, ... with language subfolders \en-us (Printing.adml, inetres.adml), \fr (Printing.adml, inetres.adml), \...
Used by both the English and the French Windows Vista administrative machine
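Creating the central store is a copy operation from one administrative workstation, but a half-populated store is worse than none because the editor stops looking at the local folder once the store exists. The following is an added example, not code from the presentation. It assumes the store path \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions (the location the Group Policy editor checks before falling back to the local %windir%\PolicyDefinitions), a caller who can write to SYSVOL, and a domain name you substitute for the placeholder.

```powershell
# Added example (not from the deck): build or refresh the ADMX central store and check it for gaps.
# Assumes the SYSVOL path shown below and write access to it; $Domain is a placeholder you must set.
function Initialize-AdmxCentralStore {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,                   # e.g. corp.example.com (placeholder)
        [string]$Source = (Join-Path $env:windir 'PolicyDefinitions'),    # the admin workstation's local templates
        [string[]]$Languages = @('en-US')                                 # culture folders to publish
    )
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }

    # Language-neutral ADMX files go in the root of the store
    foreach ($f in (Get-ChildItem -Path $Source -Filter *.admx)) {
        Copy-Item -Path $f.FullName -Destination $store -Force
    }
    # Each language's ADML files go in the matching culture subfolder (en-US, fr-FR, ...)
    foreach ($lang in $Languages) {
        $src = Join-Path $Source $lang
        if (-not (Test-Path $src)) { Write-Warning "No '$lang' folder under $Source; skipping"; continue }
        $dst = Join-Path $store $lang
        if (-not (Test-Path $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
        foreach ($f in (Get-ChildItem -Path $src -Filter *.adml)) {
            Copy-Item -Path $f.FullName -Destination $dst -Force
        }
    }
    Test-AdmxCentralStore -Store $store -Languages $Languages
}

# Every ADMX needs an ADML of the same base name in each language folder; a missing one makes the
# editor report an error for that template on workstations running in that language.
function Test-AdmxCentralStore {
    param([Parameter(Mandatory = $true)][string]$Store, [string[]]$Languages = @('en-US'))
    $admxNames = @(Get-ChildItem -Path $Store -Filter *.admx | ForEach-Object { $_.BaseName })
    foreach ($lang in $Languages) {
        $admlNames = @(Get-ChildItem -Path (Join-Path $Store $lang) -Filter *.adml -ErrorAction SilentlyContinue |
                       ForEach-Object { $_.BaseName })
        foreach ($n in $admxNames) {
            New-Object PSObject -Property @{ Template = $n; Language = $lang; HasAdml = ($admlNames -contains $n) }
        }
    }
}

Initialize-AdmxCentralStore -Domain 'corp.example.com' -Languages 'en-US', 'fr-FR' |
    Where-Object { -not $_.HasAdml } | Format-Table Template, Language -AutoSize
```

Two caveats worth keeping in mind. The store only controls what administrators see in the editor; clients never read it, they read registry.pol from the GPO, so an ADMX change does not by itself change anything enforced. And because the store sits in SYSVOL, it is replicated to every domain controller and is writable by whoever can write SYSVOL, so treat it like the GPOs themselves when reviewing delegation.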

17 Windows Vista Interop Scenarios (ADMX/ADM co-existence)
- Windows Vista does not ship with any ADM files
- ADMX files are a superset of the older ADM files
- Both ADMX and ADM files can co-exist; you can use the Add/Remove Templates dialog for ADM files
- You can leverage this feature in existing Win2k3/Win2k environments; just the admin workstations need to run Vista
Note: No plan currently to ship an ADM-to-ADMX conversion tool

18 ADM Templates – Usability Improvements (Windows Vista SP1/Longhorn Server)
- Comments: enable per-GPO and per-setting comments
- Search/Filter – locate settings based on:
  - Text search of setting title, explain text and comments
  - Platform and applications supported on
  - Managed (true GP policy setting)
  - Configured (enabled or disabled)
  - The result of a search is a filtered GPEdit view
- Templates: encapsulation of best practices/scenarios
  - Will contain recommended policy settings and values
  - Microsoft will ship some initial scenario-based templates
  - Anyone can create and share new custom templates
  - Create new GPOs based on a template
  - GPMC will provide template management support

19 Prototype UI For Templates And Search And Filter Features (screenshots: GPMC Template Integration; Filter Options dialog)

20 Migration/Upgrade
Reliable/seamless migration for both types:
- Same-machine upgrade (2000/XP to Vista)
- PC-to-PC migration (2000/XP/Vista to Vista)
Stand-alone workstation, domain-joined client or server machine:
- All policy settings are retained and reapplied on first boot as if they just joined the domain
Domain-joined admin workstation:
- Old version of GPMC is removed and, since GPMC is on every client, it is no longer accessible via ARP (Add or Remove Programs)
- GPMC preferences will be retained

21 Data Included In The Migration/Upgrade
- Local GPO
- Group Policy engine preference keys and values
- Registration info for any third-party extensions (potentially their settings will not)
- Software Installation packages installed using GPOs
- Any registry (ADM* template) based policy setting
All policy settings are retained and reapplied on first boot as if they just joined the domain
All RSoP data will NOT be migrated and will be regenerated

22 The Right Set Of Policy Settings
1,800+ policy settings today – and hundreds more in Windows Vista
- Groundswell of support across the operating system
- Group Policy is a Windows manageability basic
Policy settings greatly expanded in a number of areas. Some examples: Removable Storage Devices; IPsec/Windows Firewall; Power Management; Printer Management; Troubleshooting and Diagnostics; Windows Defender; Network Access Protection; Internet Explorer; Tablet PC; Windows Error Reporting; User Account Control (UAC); Wired and Wireless Policy; Desktop Shell; Globalization; Remote Assistance

23 Security – Over-privileged users
- Most end users have higher privilege on their system than what is required
- Security is relaxed to run line-of-business applications
Problems:
- Security risks: spyware and viruses can run in the context of a high-privilege/administrator account
- Lost productivity and increased help desk costs
Customers want secure-by-default behavior

24 User Account Control (UAC) Policy Settings
Only a per-machine setting; can be found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
UAC settings:
- Behavior of elevation prompt for administrators in Admin Approval Mode
- Behavior of elevation prompt for standard users
- Detect application installs and prompt for elevation
- Elevate executables only if signed and validated
- Run all administrators in Admin Approval Mode
- Switch to secure desktop when prompting for elevation
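Because these six settings are Security Options, they end up as registry values, which makes the effective UAC state on a machine auditable whether it came from a GPO or from the local policy. The following is an added example, not code from the presentation. It reads the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that the settings map to; the value names and encodings are the documented Windows ones (the ConsentPromptBehaviorAdmin values 3 to 5 exist only on Windows 7 and later), while the "WEAK" judgement is this example's own baseline, namely anything that removes a prompt or the secure desktop, and not a Microsoft recommendation.

```powershell
# Added example (not from the deck): audit the UAC policy values on this machine.
# Value names/encodings are the documented ones; the Weak conditions are this example's baseline.
function Get-UacPolicyAudit {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $reg = Get-ItemProperty -Path $key
    $checks = @(
        @{ Name = 'EnableLUA'; Setting = 'Run all administrators in Admin Approval Mode'
           Decode = @{ 0 = 'Disabled (UAC off)'; 1 = 'Enabled' }; Weak = { $args[0] -ne 1 } },
        @{ Name = 'ConsentPromptBehaviorAdmin'; Setting = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
           Decode = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials on the secure desktop'
                       2 = 'Prompt for consent on the secure desktop'; 3 = 'Prompt for credentials'
                       4 = 'Prompt for consent'; 5 = 'Prompt for consent for non-Windows binaries' }
           Weak = { $args[0] -eq 0 } },
        @{ Name = 'ConsentPromptBehaviorUser'; Setting = 'Behavior of the elevation prompt for standard users'
           Decode = @{ 0 = 'Automatically deny elevation requests'; 1 = 'Prompt for credentials on the secure desktop'
                       3 = 'Prompt for credentials' }
           Weak = { $false } },
        @{ Name = 'EnableInstallerDetection'; Setting = 'Detect application installations and prompt for elevation'
           Decode = @{ 0 = 'Disabled'; 1 = 'Enabled' }; Weak = { $args[0] -ne 1 } },
        @{ Name = 'ValidateAdminCodeSignatures'; Setting = 'Only elevate executables that are signed and validated'
           Decode = @{ 0 = 'Disabled'; 1 = 'Enabled' }; Weak = { $false } },
        @{ Name = 'PromptOnSecureDesktop'; Setting = 'Switch to the secure desktop when prompting for elevation'
           Decode = @{ 0 = 'Disabled'; 1 = 'Enabled' }; Weak = { $args[0] -ne 1 } }
    )
    foreach ($c in $checks) {
        $value = $reg.($c.Name)                       # $null when the value is absent (Windows default applies)
        $meaning = 'unknown'
        if ($value -eq $null) {
            $status = 'Not set (Windows default applies)'
        } else {
            if ($c.Decode.ContainsKey([int]$value)) { $meaning = $c.Decode[[int]$value] }
            if (& $c.Weak $value) { $status = 'WEAK' } else { $status = 'OK' }
        }
        New-Object PSObject -Property @{ Setting = $c.Setting; Value = $value; Meaning = $meaning; Status = $status }
    }
}

Get-UacPolicyAudit | Format-Table Status, Setting, Value, Meaning -AutoSize
```

A machine where EnableLUA is 0, or where the administrator prompt is "elevate without prompting" with the secure desktop off, has effectively opted out of the model on the previous slide: every process the logged-on administrator runs is already at full privilege, which is exactly the spyware-in-an-admin-context problem that slide describes.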

25 Windows Firewall And IPsec
- Simplify Management
  - Unifies management concepts into a single console
  - Streamlines configuration of core scenarios
  - Combines Windows Firewall and IPsec management into a single user experience
- Enforce Isolation Scenarios
  - Restrict network resource access to domain-joined computers
  - Allow connections only if they are secured
  - Allow connections only from a specified Active Directory group
- Provide a More Intelligent Firewall
  - Specify allowed applications and ports
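The isolation scenario on this slide ("allow connections only if they are secured" and "only from a specified Active Directory group") takes two rules, a connection security rule and a firewall rule that refers to it. The following is an added example, not code from the presentation, written in the Windows Vista netsh advfirewall syntax that the Windows Firewall with Advanced Security console drives. It assumes an elevated session and that $ComputerGroupSid is the SID of an AD group containing the authorized computers (the value passed at the bottom is a placeholder). The rules are created locally here for a lab; in production they belong in a GPO under Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security.

```powershell
# Added example (not from the deck): domain isolation for one port with netsh advfirewall.
# Assumes an elevated session; the SID below is a placeholder for a real AD computer group.
function Set-DomainIsolationRules {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerGroupSid,      # e.g. S-1-5-21-<domain>-<rid> (placeholder)
        [int]$Port = 445,
        [string]$RuleName = 'File sharing - authenticated only'
    )
    # 1. Connection security rule: inbound traffic must be authenticated, outbound traffic requests it.
    #    computerkerb = Kerberos computer authentication, so only domain-joined machines can negotiate.
    netsh advfirewall consec add rule name="Domain Isolation" endpoint1=any endpoint2=any `
        action=requireinrequestout auth1=computerkerb
    # 2. Firewall rule: allow the port only over an IPsec-authenticated connection (security=authenticate)
    #    AND only when the authenticated peer computer is in the group. rmtcomputergrp takes an SDDL
    #    string; one ACE granting the CC right to the group SID is the form the console itself writes.
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow protocol=TCP localport=$Port `
        security=authenticate rmtcomputergrp="D:(A;;CC;;;$ComputerGroupSid)"
}

function Show-DomainIsolationRules {
    param([string]$RuleName = 'File sharing - authenticated only')
    netsh advfirewall consec show rule name="Domain Isolation"
    netsh advfirewall firewall show rule name="$RuleName" verbose
}

Set-DomainIsolationRules -ComputerGroupSid 'S-1-5-21-0-0-0-1234' -Port 445
Show-DomainIsolationRules
```

The dependency between the two rules is the usual mistake: a firewall rule with security=authenticate only matches traffic that an active connection security rule has already protected, so without rule 1 it never matches and the port simply appears closed. The group check in rule 2 likewise relies on rule 1 having used Kerberos computer authentication; with a certificate or pre-shared-key method there is no group membership to evaluate.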

26 Security – Other new policy settings
- Windows Defender (anti-spyware)
  - Enable/disable real-time protection/scanning
  - Manage signature download configuration
- Device installation control
  - Prevent driver installation for specific devices
- Wireless and wired service configuration
  - Different policy settings for wired and wireless 802.1X
- Network Access Protection
  - Control quarantine setting
- Enhanced public key policy configuration
  - More policy settings for certificates
- Enhanced Internet Explorer security configuration
  - Support for IE7 security features

27 Desktop Management – Power management
Group Policy control over power settings allows businesses to control energy costs
Extensive power management:
- Windows Vista includes extensive power management capabilities
- All power settings are per-user and per-machine
- Group Policy support for all in-box power settings
- Separate power plan for when no user is logged into the system
Energy savings by default:
- Default settings enable energy-saving features on all PCs
- Sleep is the default off behavior for the system
- System sleep idle timeouts are enabled
- Display blanking timeouts are enabled

28 Desktop Management
Printer management:
- Deploy printers to machines or users
  - Per machine: shared-use computers
  - Per user: printers follow users
- Roll out trusted printer drivers, prevent installation of untrusted printer drivers
- Delegate printer installation rights
Internet Explorer:
- Converting most settings away from Internet Explorer Maintenance (IEM) to registry-based
Shell team:
- Classic shell, logon, Start menu and Control Panel
- Screen saver: define timeout, restrict to built-in
- Security conscious: force prompting, don't save credentials
- Sync and sharing: item sharing, PC-to-PC, folder redirection

29 Security – Removable storage devices
Significant security risk due to small removable storage devices:
- USB storage devices
- MP3 players
- CD/DVD burners
Risks:
- Unwanted data in (spyware, viruses)
- Confidential data out (sales data, product design, price quotes, etc.)
Customers want granular control

30 Removable Storage Devices Policy Settings
- Computer- and user-based policy to control read and write access
- Removable storage device classes:
  - CD/DVD
  - Tapes
  - USB plug-in devices
  - Windows Portable Devices (WPD)
  - All other external removable storage devices
- Only computer settings are applicable on Terminal Server
NOTE: This feature work came in after the 5270 CTP build

31 Removable Storage Access (screenshot)
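The settings on the previous two slides are registry-based, so the state a machine has actually received can be read back in both the computer and the user scope. The following is an added example, not code from the presentation. It assumes the key the RemovableStorage.admx template writes, HKLM (computer) or HKCU (user) \SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices, with Deny_All under that key for "all removable storage classes" and one subkey per class named by its device-interface class GUID holding Deny_Read and Deny_Write (Deny_Execute was added on Windows 7). The GUID table is the one that template uses; verify it against your own copy of RemovableStorage.admx before relying on it.

```powershell
# Added example (not from the deck): report the Removable Storage Access policy state in both scopes.
# Assumes the registry layout described in the lead-in; GUIDs are the template's class identifiers.
$RemovableStorageClasses = @{
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy drives'
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable disks (USB plug-in storage)'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape drives'
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' = 'Windows Portable Devices (WPD)'
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' = 'Windows Portable Devices (WPD)'
}

function Get-RemovableStorageAccess {
    foreach ($scope in @('HKLM', 'HKCU')) {
        $base = "$($scope):\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
        if (-not (Test-Path $base)) { continue }      # nothing configured in this scope
        $root = Get-ItemProperty -Path $base
        if ($root.Deny_All -eq 1) {
            # "All Removable Storage classes: Deny all access" overrides the per-class values
            New-Object PSObject -Property @{ Scope = $scope; Class = 'All removable storage'; DenyRead = $true; DenyWrite = $true }
        }
        foreach ($sub in (Get-ChildItem -Path $base)) {
            $guid  = $sub.PSChildName                   # hashtable lookup is case-insensitive
            $class = if ($RemovableStorageClasses.ContainsKey($guid)) { $RemovableStorageClasses[$guid] } else { "Custom class $guid" }
            $p = Get-ItemProperty -Path $sub.PSPath
            New-Object PSObject -Property @{
                Scope     = $scope
                Class     = $class
                DenyRead  = ($p.Deny_Read  -eq 1)
                DenyWrite = ($p.Deny_Write -eq 1)
            }
        }
    }
}

Get-RemovableStorageAccess | Sort-Object Scope, Class | Format-Table Scope, Class, DenyRead, DenyWrite -AutoSize
```

An empty result in HKCU on a Terminal Server is expected rather than a misconfiguration, since only the computer settings apply there. This reads the policy the machine holds, not what the device stack enforced; the confirmation that matters in a rollout is still plugging in a USB stick under a standard user account and checking that the write fails.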

32 Resources
- Group Policy on Microsoft.com: http://www.microsoft.com/GroupPolicy
- Group Policy FAQ: http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspx
- What's New in Group Policy in Windows Vista and Windows Server "Longhorn": http://www.microsoft.com/technet/windowsvista/library/a8366c42-6373-48cd-9d11-2510580e4817.mspx
- Managing ADMX Files Step by Step Guide: http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx
- Group Policy feature suggestions, new policy setting ideas, etc.: http://www.WindowsServerFeedback.com

33 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

