As a Microsoft Most Valuable Professional (MVP) in the area of Group Policy, it is always nice to see new Group Policy related changes, enhancements, and features from Microsoft. With the release of Microsoft’s newest operating system, Vista, imminent, Microsoft is gearing up to deliver some radical and welcome changes to Group Policy. As an instructor and consultant for Active Directory and Group Policy for the past 6 years, I see these changes as a welcome addition. The reason is that I will no longer need to let people down (or point them to third-party Group Policy extension products) when they ask me whether Group Policy can solve problems related to Power Options, printer management, and device management. Other new Group Policy features in Vista include Network Location Awareness and a new approach to ADM templates.
New Group Policy Settings in Vista
As if Windows XP Professional Service Pack 2 had not already added enough settings to Group Policy, Vista brings even more. There will be approximately 2400 possible settings in a Group Policy Object created for a Windows Vista computer. Roughly 800 of these are new, about half again as many as Windows XP Service Pack 2 offered. Many of the settings are being added in response to customer feedback, while others are there to support new features that will be included in Vista. The more important additions fall into the following areas.
Power Management
By far the number one area of configuration that people have wanted since the advent of Group Policy is the ability to control Power Management. Finally, Microsoft has added this capability in Windows Vista. Controlling power has an immediate financial impact: both Microsoft and the EPA have tested and reported savings of over $50 per computer, per year from enforcing power management settings on desktops. The idea is simple: there is no reason to have the computer in a full power state when the end user is not even at work. Before Vista, companies had to look at products from DesktopStandard and Full Armor to control power on Windows 2000 and XP.
Device Installation Controls
Most IT professionals who work in the area of security for their company are very concerned about removable media devices. These devices pose a looming threat to the desktop and to the network as a whole. Without control over the installation and use of these devices, users can introduce viruses, worms, and other malicious applications on this media, and can just as easily carry sensitive data out of the organization on it. Vista will include settings that allow control over the installation and use of USB drives, CD-RW, DVD-RW, and other removable media.
Firewall and IPsec Integration
In Vista, Microsoft has joined two security-related technologies together: the firewall and IPsec. This makes a lot of sense, since the firewall can then allow traffic only when IPsec has authenticated (and optionally encrypted) it. Protection can be gained for server-to-server communications across the network, for controlling which resources a computer can access based on the computer’s health, and for restricting resource access to satisfy a regulatory requirement. As these security settings are important to every computer, it only makes sense that there are settings for them in Group Policy.
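As an added example that is not from the original article, the following PowerShell script uses Vista’s combined firewall/IPsec command set (netsh advfirewall) to require IPsec-authenticated connections on the domain profile and then allow inbound SMB only to connections that passed that authentication. The rule names, the choice of computer Kerberos authentication, and the domain-profile scope are illustrative assumptions; the netsh syntax is the documented one.

```powershell
# Added example (not from the original article). Requires an elevated prompt
# on a Vista or later machine. Rule names, Kerberos computer authentication
# and the domain-profile scope are assumptions chosen for illustration.

$consecRule   = 'RequireIPsecAuth-Domain'
$firewallRule = 'SMB-In-AuthenticatedOnly'

# 1. Connection security (IPsec) rule: require authentication for inbound
#    connections and request it for outbound ones, using the computer's
#    Kerberos identity. Unauthenticated inbound traffic is no longer trusted.
netsh advfirewall consec add rule `
    name=$consecRule `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    profile=domain

# 2. Firewall rule: open TCP/445 inbound, but only for connections that were
#    authenticated by IPsec (security=authenticate). A host that cannot
#    authenticate never reaches the SMB service.
netsh advfirewall firewall add rule `
    name=$firewallRule `
    dir=in action=allow `
    protocol=TCP localport=445 `
    security=authenticate `
    profile=domain

# 3. Verify both rules exist as intended before relying on them.
netsh advfirewall consec show rule name=$consecRule
netsh advfirewall firewall show rule name=$firewallRule
```

The two halves matter together: the connection security rule negotiates IPsec, and the firewall rule’s security=authenticate ties admission to that negotiation. Test on one server first, because a requireinrequestout rule will block any domain client that cannot complete Kerberos authentication, including machines whose secure channel is broken.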
Printer Assignment Based on Location
Printer management is a nightmare for almost every company and network admin. With most companies running a fleet of laptop computers, printer management has become even more complex as users move from building to building or campus to campus. Vista addresses this by allowing printers to be assigned based on the Active Directory site the computer currently belongs to. Since Active Directory sites typically map to the geographical or physical network topology, this is an ideal way to deliver the right printers to laptop users. Before Vista, companies had to look at products from DesktopStandard and Full Armor to control printers on Windows 2000 and XP.
Redesign of ADM Templates
If you administer Group Policy for your company, you have most likely come face-to-face with an ADM template. ADM templates were first introduced with Windows NT 4, using a simple text markup to define and implement changes to the Registry. When Group Policy was introduced, the concept of the ADM template did not change, although some new capabilities came along. ADM templates provide a needed method to alter Registry values, but they have their problems, including:
- ADM bloat caused by the duplication of ADM templates in every GPO
- ADM template version mismatches, many times caused by the introduction of a service pack into the environment on one or more computers
- Confusing “policies” versus “preferences” behavior, depending on which portion of the Registry is being modified: a value written outside the dedicated Policies keys is not removed when the GPO no longer applies, so it “tattoos” the Registry
- Inability to control multi-string or binary Registry values
Microsoft knows that ADM templates have really been a stopgap for your Registry “hacking” needs, but they did the job until Vista. With Vista, the majority of these issues are solved by converting ADM templates into a new XML-based format and by introducing a repository for the templates. The new XML-based files are called ADMX files. Each language-neutral ADMX file is paired with language-specific ADML resource files, so a single policy definition can be presented in any supported language. The ADMX format also takes the large, bulky ADM templates and chops them up into smaller, more manageable files.
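The following PowerShell script is an added example, not code from the original article or from Microsoft: it writes a minimal ADMX/ADML pair that sets one DWORD value, then checks two of the ADM-era problems listed above before the template goes anywhere near a GPO. The check flags any policy whose key lies outside the Registry locations Group Policy treats as true policies (so it would tattoo the machine as a “preference”), and any $(string.*) reference that the language file does not define. The Contoso namespace, category, key and value names are assumptions made for illustration.

```powershell
# Added example (not from the original article). The Contoso namespace, key
# and value names are illustrative assumptions. The .adml must share the
# .admx base name and live in a language subfolder (here en-US).

$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.Example" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="Cat_Contoso" displayName="$(string.Cat_Contoso)" />
  </categories>
  <policies>
    <!-- A true policy: the key sits under Software\Policies, so the value is
         removed again when the GPO stops applying (no tattooing). -->
    <policy name="Pol_RequireScreenSaver" class="Machine"
            displayName="$(string.Pol_RequireScreenSaver)"
            explainText="$(string.Pol_RequireScreenSaver_Help)"
            key="Software\Policies\Contoso\Example" valueName="RequireScreenSaver">
      <parentCategory ref="Cat_Contoso" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
  <displayName>Contoso example policies</displayName>
  <description>Language-specific strings for Contoso.admx</description>
  <resources>
    <stringTable>
      <string id="Cat_Contoso">Contoso</string>
      <string id="Pol_RequireScreenSaver">Require screen saver</string>
      <string id="Pol_RequireScreenSaver_Help">Sets RequireScreenSaver=1 under HKLM\Software\Policies\Contoso\Example.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

function Test-AdmxPair {
    # Returns a list of problems; an empty list means the pair is consistent.
    param([string]$AdmxText, [string]$AdmlText)
    [xml]$x = $AdmxText
    [xml]$l = $AdmlText

    $strings = @{}
    foreach ($s in $l.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.id] = $s.'#text'
    }

    # Only these roots (under HKLM and HKCU) are treated as policies by the
    # registry client-side extension; anything else is a tattooing preference.
    $policyRoots = @('Software\Policies\', 'Software\Microsoft\Windows\CurrentVersion\Policies\')
    $problems = @()

    foreach ($p in $x.policyDefinitions.policies.policy) {
        $isPolicyKey = $policyRoots | Where-Object { $p.key -like "$_*" }
        if (-not $isPolicyKey) {
            $problems += "$($p.name): key '$($p.key)' is outside the policy keys and would tattoo the Registry"
        }
        foreach ($attr in 'displayName', 'explainText') {
            if ($p.$attr -match '^\$\(string\.(\w+)\)$' -and -not $strings.ContainsKey($Matches[1])) {
                $problems += "$($p.name): $attr references missing string '$($Matches[1])'"
            }
        }
    }
    return $problems
}

# Write the pair in the layout the central store expects, then validate it.
$root = Join-Path $env:TEMP 'ContosoAdmx'
New-Item -ItemType Directory -Path (Join-Path $root 'en-US') -Force | Out-Null
Set-Content -Path (Join-Path $root 'Contoso.admx')        -Value $admx -Encoding UTF8
Set-Content -Path (Join-Path $root 'en-US\Contoso.adml')  -Value $adml -Encoding UTF8

$issues = Test-AdmxPair -AdmxText $admx -AdmlText $adml
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { "ADMX/ADML pair is consistent; $root is ready to copy into the central store." }
```

To see the first check fire, change the key attribute to something like Software\Contoso\Example and rerun: the script reports the tattooing risk that an ADM template would have silently created. The check is deliberately stricter than the editor, which will happily load a template that writes outside the policy keys.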
One of my favorite features of Vista is the introduction of the ADMX central store. This provides a centralized method for updating, storing, and managing ADMX files. ADMX files will no longer need to be stored in each GPO. Instead, when the central store exists in SYSVOL, the Group Policy editor reads the ADMX files from there rather than from the local machine, so every administrator edits against the same template versions. Clients do not need the ADMX files at all; they apply the settings already written into the GPO, so the central store is purely an editing and management aid. This will save space on domain controllers and will allow for easier management of these files.
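As an added example (not from the original article), this PowerShell script creates the central store from a reference Vista machine’s local templates if it does not exist yet, and then reports ADMX files whose revision or size differs between the local folder and the store. This is the version-mismatch check the ADM era lacked. The domain name is read from the environment; the store path follows the SYSVOL\<domain>\Policies\PolicyDefinitions layout that the Vista editor looks for. Writing to SYSVOL requires domain administrative rights.

```powershell
# Added example (not from the original article). Run from a reference Vista
# machine as a domain administrator; $env:USERDNSDOMAIN supplies the domain.

$domain       = $env:USERDNSDOMAIN
$localStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

function Get-AdmxFingerprints {
    # Map of file name -> "<revision attribute>/<size in bytes>" for every
    # ADMX file in a folder. Revision alone is too coarse (most ship as 1.0),
    # so the size is included to catch edited files with the same revision.
    param([string]$Path)
    $map = @{}
    foreach ($f in Get-ChildItem -Path $Path -Filter *.admx -ErrorAction SilentlyContinue) {
        [xml]$doc = Get-Content -Path $f.FullName
        $map[$f.Name] = "$($doc.policyDefinitions.revision)/$($f.Length)"
    }
    return $map
}

if (-not (Test-Path $centralStore)) {
    # First-time creation: copy the ADMX files and every language subfolder
    # (for example en-US\*.adml) so the editor finds strings for each locale.
    New-Item -ItemType Directory -Path $centralStore | Out-Null
    Copy-Item -Path (Join-Path $localStore '*') -Destination $centralStore -Recurse
    "Central store created at $centralStore"
}

# Drift check: templates missing from the store, or differing from the
# local copy, are exactly the mismatches that caused ADM headaches.
$local   = Get-AdmxFingerprints -Path $localStore
$central = Get-AdmxFingerprints -Path $centralStore

$drift = foreach ($name in ($local.Keys | Sort-Object)) {
    if (-not $central.ContainsKey($name)) {
        New-Object PSObject -Property @{ File = $name; Local = $local[$name]; Central = '(missing)' }
    }
    elseif ($central[$name] -ne $local[$name]) {
        New-Object PSObject -Property @{ File = $name; Local = $local[$name]; Central = $central[$name] }
    }
}

if ($drift) { $drift | Format-Table File, Local, Central -AutoSize }
else { "Central store matches the templates on $env:COMPUTERNAME" }
```

Run the drift check again after a service pack or hotfix lands on the reference machine; a non-empty table means the store should be refreshed before anyone edits a GPO, otherwise administrators on different machines will see different settings for the same GPO.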
Network Location Awareness
Group Policy and the application of the settings in Group Policy Objects rely heavily on the availability of the network, as well as the connection speed of the network. Vista takes a new approach to network awareness, allowing faster boot times and more reliable application of policy. The following areas of network awareness are tackled in Windows Vista:
- When a computer is booting, the time spent trying to apply policy while the network is not yet available can be significant. Vista will give the Group Policy engine indicators of whether the NIC is enabled or disabled, as well as of when the network actually becomes available.
- Vista will introduce the ability for a client to detect when a domain controller is available, or when one becomes available again after a period of being offline, and to refresh policy at that point. This is ideal for remote access connections, such as dial-up and VPNs.
- There will no longer be a reliance on ICMP (PING) for determining the connection speed to the domain controller. The ping was needed for slow-link detection, but if ICMP was blocked for security reasons, the request went unanswered, the link was judged slow, and the bandwidth-sensitive parts of Group Policy (such as software installation and folder redirection) were skipped or failed. Now network location awareness handles the bandwidth estimate, allowing policy refresh to succeed without ICMP.
Windows Vista is coming. There is no doubt that it will be available at your nearest vendor in the coming months (ok, multiple coming months). When it arrives, you need to know the benefits it can provide to your company. As Group Policy continues to grow and be relied on more and more, you need to ensure that you keep up to speed on the changes being delivered in Windows Vista. The changes are in some cases dramatic and in other cases subtle, yet important. With 800 new settings, you will need a feel for which settings will benefit your network most. Certainly the settings around power management, devices, security, and printers will have an immediate and fruitful impact for your company, and the return on your Vista investment can be recouped quickly. The conversion of ADM templates into ADMX files is also radical and very beneficial: the new ADMX files will be easier to manage and, thanks to the central repository, will provide better control for the enterprise. Finally, network location awareness will be a welcome addition that reduces the Group Policy failures seen under the network-dependent processing model of Windows 2000 and XP.