Friday, April 28, 2006

GPO Administrative Templates in Vista Part 1

Well, as I mentioned in the previous post, Administrative Templates for GPOs are all set to change in Vista and Longhorn Server.  Although Microsoft says that most of the time you won't notice the difference, there are differences, and you need to be aware of them.

The underlying policy file for each GPO (Registry.pol) is found in the Sysvol of domain controllers in a Windows 200x network and delivers registry-based settings to the user/computer; this will remain.  The differences come in how the settings are presented to administrators.  The two sets of files to concern yourself with are the ADMX and ADML files; these can be found on any Vista station under %systemroot%\PolicyDefinitions and %systemroot%\PolicyDefinitions\[MUIculture] (e.g. en-us, the American English language file location).  Both sets of files are XML based.
The ADMX files contain the structure of the policy view that will be presented in the GPEdit or GPMC consoles and, as with ADM templates, they contain:-
  • Categories

  • Policies

  • Registry Key Paths and Values

  • Elements (previously known as Parts)

  • Control Types
The ADML files contain all the language-specific information such as Explain Text and Help Text; they also contain information such as default values and spin controls.  This split will help international companies that have offices speaking different languages but wish to have IT staff in several locations working on the same GPOs: you just create a separate set of ADML templates per language.  Your first reaction to this may be that it would bloat the size of Sysvol with all these additional templates.  This is another major change coming with Vista/Longhorn: the ADMX/ADML templates will be stored in the Sysvol share as a single set of templates rather than one set per policy.
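To make the ADMX/ADML split concrete, here is an added example (my own illustration, not code from the post or from Microsoft) that parses a constructed ADMX file together with its matching ADML file, resolves the $(string.ID) references, walks the category tree, and lists the registry key and value names each policy writes.  The policy names, category names and the Software\Policies\Example\Lockdown key are hypothetical placeholders; the XML namespace is the standard PolicyDefinitions namespace.  The unresolved-reference check is the kind of thing you want when you ship a separate ADML per language, since a missing string shows up in the console as a bare $(string.X) rather than as an error.

```python
"""Parse a constructed ADMX/ADML pair and report, per policy, the category path,
the registry hive/key/value names it targets and the display text resolved from
the ADML string table.  Sample data is constructed for this example."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions}"
REF_RE = re.compile(r"\$\(string\.([A-Za-z0-9_]+)\)")

# Constructed ADMX: structure only (categories, policies, registry paths, elements).
SAMPLE_ADMX = r"""<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <policyNamespaces><target prefix="example" namespace="Example.Policies.Lockdown" /></policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <supportedOn><definitions>
    <definition name="SUPPORTED_Vista" displayName="$(string.SUPPORTED_Vista)" />
  </definitions></supportedOn>
  <categories>
    <category name="ExampleRoot" displayName="$(string.ExampleRoot)" />
    <category name="Lockdown" displayName="$(string.Lockdown)"><parentCategory ref="ExampleRoot" /></category>
  </categories>
  <policies>
    <policy name="DisableWidget" class="Machine" displayName="$(string.DisableWidget)"
            explainText="$(string.DisableWidget_Help)"
            key="Software\Policies\Example\Lockdown" valueName="DisableWidget">
      <parentCategory ref="Lockdown" /><supportedOn ref="SUPPORTED_Vista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="WidgetTimeout" class="User" displayName="$(string.WidgetTimeout)"
            explainText="$(string.WidgetTimeout_Help)" presentation="$(presentation.WidgetTimeout)"
            key="Software\Policies\Example\Lockdown">
      <parentCategory ref="Lockdown" /><supportedOn ref="SUPPORTED_Vista" />
      <elements><decimal id="WidgetTimeout_Seconds" valueName="TimeoutSeconds" minValue="1" maxValue="3600" /></elements>
    </policy>
  </policies>
</policyDefinitions>
"""

# Constructed ADML (en-us): language-specific text and presentation defaults only.
SAMPLE_ADML = r"""<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                           revision="1.0" schemaVersion="1.0">
  <displayName>Example lockdown policies</displayName>
  <description>Constructed sample</description>
  <resources>
    <stringTable>
      <string id="ExampleRoot">Example Company</string>
      <string id="Lockdown">Lockdown</string>
      <string id="SUPPORTED_Vista">At least Windows Vista</string>
      <string id="DisableWidget">Disable the Widget feature</string>
      <string id="DisableWidget_Help">Prevents users from starting the Widget feature.</string>
      <string id="WidgetTimeout">Widget idle timeout</string>
      <string id="WidgetTimeout_Help">Sets the idle timeout for the Widget feature.</string>
    </stringTable>
    <presentationTable>
      <presentation id="WidgetTimeout">
        <decimalTextBox refId="WidgetTimeout_Seconds" defaultValue="300">Timeout (seconds):</decimalTextBox>
      </presentation>
    </presentationTable>
  </resources>
</policyDefinitionResources>
"""


def load_strings(adml_xml):
    """Build {string id: text} from the ADML stringTable."""
    root = ET.fromstring(adml_xml)
    return {s.get("id"): (s.text or "") for s in root.iter(NS + "string")}


def resolve(text, strings):
    """Replace $(string.ID) references with ADML text; unknown IDs are flagged inline."""
    if text is None:
        return None
    return REF_RE.sub(lambda m: strings.get(m.group(1), "<missing:%s>" % m.group(1)), text)


def category_paths(root):
    """Follow parentCategory refs to build 'Root/Child' paths keyed by category name."""
    parents = {}
    for cat in root.iter(NS + "category"):
        parent = cat.find(NS + "parentCategory")
        parents[cat.get("name")] = parent.get("ref") if parent is not None else None

    def path(name):  # a ref into another namespace (e.g. "windows:System") is left as-is
        return name if parents.get(name) is None else path(parents[name]) + "/" + name

    return {name: path(name) for name in parents}


def load_policies(admx_xml, strings):
    """Return one dict per policy: category, resolved text, hive/key and value names written."""
    root = ET.fromstring(admx_xml)
    cats = category_paths(root)
    policies = []
    for pol in root.iter(NS + "policy"):
        parent = pol.find(NS + "parentCategory")
        values = [pol.get("valueName")] if pol.get("valueName") else []
        elements = pol.find(NS + "elements")
        if elements is not None:  # each element (previously a "part") has its own value name
            values.extend(e.get("valueName") for e in elements if e.get("valueName"))
        policies.append({
            "name": pol.get("name"),
            "class": pol.get("class"),
            "hive": {"Machine": "HKLM", "User": "HKCU"}.get(pol.get("class"), "HKLM+HKCU"),
            "category": cats.get(parent.get("ref"), parent.get("ref")) if parent is not None else None,
            "display_name": resolve(pol.get("displayName"), strings),
            "explain_text": resolve(pol.get("explainText"), strings),
            "key": pol.get("key"),
            "values": values,
        })
    return policies


def unresolved_references(admx_xml, strings):
    """String IDs the ADMX references that this ADML does not define (per-language check)."""
    return sorted(set(REF_RE.findall(admx_xml)) - set(strings))


if __name__ == "__main__":
    strings = load_strings(SAMPLE_ADML)
    for p in load_policies(SAMPLE_ADMX, strings):
        print("%-14s %-5s %s\\%s -> %s" % (p["name"], p["hive"], p["hive"], p["key"], ", ".join(p["values"])))
        print("    [%s] %s: %s" % (p["category"], p["display_name"], p["explain_text"]))
    print("unresolved:", unresolved_references(SAMPLE_ADMX, strings))
```

Run it as a script to see the per-policy report; point load_strings at a different language's ADML and the same ADMX structure is reused unchanged, which is the point of the split.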

This is all good news so far, but what happens if you use other tools to manage GPOs that are also reliant on ADM templates for the structure they use to display policies?  Well, this means you will just have to create your own ADM templates and include any Vista-specific settings in them.  I will go through this in more detail in Part 2.

Windows Vista

I have had this post hanging around on my computer for a while, waiting for me to have some time to finish and upload it, but here goes.

I have spent the last couple of months or so evaluating Vista with respect to:-

  • Features and how to centrally manage them with Group Policy Objects (GPOs).

  • How to lockdown Vista for use in a secure environment

  • How to let trusted administrators turn on ‘useful’ or cool new features.

  • Ease the learning curve for the users of Vista.

Well, the good news is that in an environment that is closely managed and tightly locked down, such as in educational institutions, most of the new features will be locked down by the existing GPOs you have in place.  The company I work for is a large IT service provider and supplier to the educational market in the UK and further afield.  My primary interest in Vista comes from a security standpoint: how can we lock the OS down so that kids (or adult users) can't break it, while keeping it usable and exposing the new features they can make use of?

Whilst the level of locking down we do will not be required by many corporate networks, it's a good starting point to lock the whole thing down and open things up as required or demanded (with justification) by the business.

In a Windows 200x/XP based network, GPO settings are exposed in the Microsoft tools (GPMC, GPEdit) by the use of Administrative Templates; currently these are ADM templates, which use a kind of markup language that is proprietary to Microsoft.  They control what you see in the MS GPO tools, how it is laid out, the descriptions of the settings and the options you have for changing them.  Whilst this works, with the coming of Vista and Longhorn Server these ADM templates will not be used by default; instead ADMX and ADML files are used.  These are based on open XML standards and essentially do the same job as ADM templates, with a few differences in the mechanics of how they work.  These will be discussed in more detail in another post.

In environments that use GPOs to lock down the OS, it's fairly simple to ensure Vista functionality is locked down too.  You might ask why do this, given all the publicity from Microsoft highlighting the new security features in Vista?  Whilst this may be the case, during any period of co-existence between different versions of Windows (XP and Vista) there will obviously be a learning curve, but you can stick to classic menus and the same GPOs to provide a common user experience between the two versions.  Useful new features in Vista can be evaluated and introduced as users are educated in these features and begin to use them on a home computer.

In my next few posts I will be going through the Vista feature set, providing information on how to control access to these features and their behaviour; generally they will come as time allows or when I happen to be testing them.

Sunday, April 09, 2006

First One.....

Well, I thought it was about time I started one of these things.

I will no doubt post to here when I get chance, if I have something to say.........If I don't, obviously I won't.

Laters.