When Windows Vista was released in January of 2007, there was much discussion of the new Vista look, the Aero 3D enhancements, and the programs menu with integrated search.
What escaped notice by many was the enormous number of new Group Policy settings. In Microsoft’s words: “In Windows Vista, enhancements to Group Policy significantly improve the ability to plan, stage, deploy, manage, troubleshoot, and report on Group Policy implementations.” There were over 700 new Group Policy settings that allowed administrators to manage a computer’s operation in ways that were never possible before. Vista also had a completely new capability in multiple local Group Policy objects (LGPOs) that made it possible for each local user on a Vista computer to have individualized LGPO settings.
All of this new Group Policy functionality was available in Windows 2003 Active Directory environments. New policy settings could be added to each GPO by importing an ADM file into the Administrative Templates node. With the arrival of Windows Server 2008, new Group Policy settings could be updated and managed from a single location named the Central Repository. The new template files in the Central Repository are XML based and are called ADMX and ADML. ADMX is language neutral, and language support is provided by adding the appropriate ADML file for a language. The Central Repository is located in the System Volume share, or SYSVOL, and therefore is replicated to all Domain Controllers in the domain. When an updated ADMX is added to the Central Repository, its settings are available on all new GPOs created using the Group Policy Management Console on Vista. The ADMX files are not stored in the GPO itself, which saves 4 MB per GPO and reduces bandwidth and storage costs. Even ADM files required by XP and Server 2003 can be managed in the Central Repository.
The new Group Policy settings available to manage Vista and 2008 Server include the following:
- Restricting device access: you can use Group Policy to prevent the use of USB flash drives, USB hard drives, CD/DVD writers and other removable media. Devices can be controlled by the use of a manufacturer-specific hardware ID or a generic compatible ID.
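The ADMX/ADML split described above can be checked mechanically when reviewing templates before they are copied into SYSVOL. The following is an added example, not code from the original article or from Microsoft: it parses a constructed ADMX and a constructed ADML (policy names, registry keys and strings are illustrative assumptions), lists the registry value each policy writes, and flags policies whose display string is missing from the language file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, not real Microsoft templates; all names are illustrative.
ADMX = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="Sample_DenyDeviceIDs" class="Machine"
            displayName="$(string.Sample_DenyDeviceIDs)"
            key="Software\\Policies\\Example\\DeviceInstall" valueName="DenyDeviceIDs"/>
    <policy name="Sample_PowerPlan" class="Machine"
            displayName="$(string.Sample_PowerPlan)"
            key="Software\\Policies\\Example\\Power" valueName="ActivePlan"/>
  </policies>
</policyDefinitions>"""

ADML_EN = """<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <resources><stringTable>
    <string id="Sample_DenyDeviceIDs">Prevent installation of devices that match these device IDs</string>
  </stringTable></resources>
</policyDefinitionResources>"""

def _local(tag):
    """Strip the XML namespace so matching works for any schema revision."""
    return tag.rsplit("}", 1)[-1]

def load_strings(adml_text):
    """Map string id -> localized text from an ADML string table."""
    root = ET.fromstring(adml_text)
    return {el.get("id"): (el.text or "").strip()
            for el in root.iter() if _local(el.tag) == "string"}

def resolve_policies(admx_text, adml_text):
    """Join language-neutral policy definitions with their localized labels."""
    strings = load_strings(adml_text)
    result = []
    for el in ET.fromstring(admx_text).iter():
        if _local(el.tag) != "policy":
            continue
        ref = el.get("displayName", "")
        m = re.fullmatch(r"\$\(string\.(.+)\)", ref)
        label = strings.get(m.group(1)) if m else ref  # None when ADML lacks it
        registry = el.get("key", "") + "\\" + el.get("valueName", "")
        result.append({"name": el.get("name"), "class": el.get("class"),
                       "registry": registry, "label": label})
    return result

def missing_strings(admx_text, adml_text):
    """Policies the editor could not label in this language."""
    return [p["name"] for p in resolve_policies(admx_text, adml_text)
            if p["label"] is None]

if __name__ == "__main__":
    for p in resolve_policies(ADMX, ADML_EN):
        print(p["class"], p["registry"], "->", p["label"] or "<no ADML string>")
```
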
- Complete control of all Power Management Settings.
- Combined control of IPsec and Windows Advanced Firewall settings.
- Delegation of printer driver installation to standard users.
These Group Policy enhancements will be supported by the highly anticipated Windows 7.
A spreadsheet listing all of the new settings is available at: