Group Policy Extensions in Windows Vista and Windows Server 2008, Part 7
If you missed the previous articles in this series please read:
In the previous article in this series, I began discussing some of the new group policy settings that are geared toward making it easier to diagnose various problems that may occur with Windows. In this article, I will conclude the series by talking about some more diagnostic policy settings.
Detect Application Installers that Need to Be Run as Administrator
When the previous article ended, I was talking about group policy settings related to application compatibility diagnostics. You can find application compatibility diagnostic related policy settings within the group policy editor at Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics.
The next setting within this section is the Detect Application Installers that Need to Be Run as Administrator setting. The basic idea behind this setting is that many legacy applications do not work with Vista, because the application assumes that it is going to have free reign over the system. However, Vista’s User Account Control prevents applications from running with administrative privileges.
The problem is that you cannot even install some applications, because some installers require administrative access to the system. In such cases, you can enable this group policy. When you do, Vista will detect that the installer has insufficient privileges, and will offer to restart the installer as an administrator. Incidentally, this group policy setting will only be valid if the Program Compatibility Assistant and the Diagnostic Policy Service are both running.
Keep in mind that Vista is designed to detect an installer’s need for administrative privileges by default (assuming that the Program Compatibility Assistant and the Diagnostic Policy Service are both running). That being the case, you can use this setting as a way of either ensuring that installers always run with administrative permissions if necessary, or as a way of preventing an installer from ever receiving administrative permissions.
Detect Applications Unable to Launch Installers Under UAC
One of the biggest trends in the software industry is to create software that occasionally checks the Internet for available updates. This can sometimes cause a problem with Vista because although the application may not require administrative privileges, the child process that it launches in an effort to check for updates often does require administrative privileges.
As you have probably guessed, this group policy setting allows applications to launch installers used for software updates with administrative privileges if necessary.
All of the same limitations apply to this group policy setting that applied to the last one that I showed you. Essentially this means that Vista’s default behavior is to allow update installers to run with administrative privileges if necessary. You can however, use the group policy setting to ensure that Vista always allows update installers to use administrative privileges if necessary, or to prevent Vista from ever granting update installers administrative privileges.
Like the previous setting that I showed you, this group policy setting is only effective if the Program Compatibility Assistant and the Diagnostic Policy Service are both running.
Corrupted File Recovery
Another diagnostic capability that can now be controlled through a group policy is that of detecting corrupt files. The policy setting for corrupt file recovery behavior is located at: Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Corrupted File Recovery.
When enabled, the Configure Corrupted File Recovery Behavior setting can be set to one of three modes. The first mode is called Regular. Regular mode, which is also the default behavior, is designed to automatically detect corrupted files, and to present the user with a user interface display that tells them what they need to do in order to fix the problem.
The Configure Corrupted File Recovery Behavior setting can also be set to work in Silent mode. When operating in Silent mode, Windows will automatically detect, troubleshoot, and repair corrupted files, without alerting the user. Windows will however report the activity in the event log.
The other possible corrupted file recovery behavior mode is Troubleshooting Only. When Windows is running in Troubleshooting Only mode, corrupt files will be automatically detected, and Windows will perform automatic troubleshooting of the problem, but that is it. Windows will not automatically repair the problem, nor will it alert the user. If a repair is possible, then Windows will place an alert in the event log, along with repair instructions.
Windows Vista also has the capability of controlling disk diagnostics through group policy settings. The pertinent settings can be found at: Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Disk Diagnostic.
There are two different group policy settings that are related to disk diagnostics. The first of these settings is the Disk Diagnostic: Configure Custom Alert Text setting.
As you probably know, a hard disk that is S.M.A.R.T. (Self Monitoring And Reporting Technology) enabled has the ability to report impending problems to the operating system. When such an alert is received from the hard disk, Windows Vista has the ability to display a custom alert message to the user. This group policy setting allows you to enter the message text. Keep in mind that your alert message is limited to 512 characters.
The other setting related to disk diagnostics is the Configure Execution Level setting. When this setting is enabled (or not configured), then Windows will attempt to perform corrective action when S.M.A.R.T failures are detected. Essentially, this means that Windows will attempt to guide the user through the backup and recovery process, in an effort to minimize data loss.
If you should disable this policy setting, then S.M.A.R.T. failures will still be detected, but the user will not be alerted. Instead, an event will be written to the event logs, but Windows will not alert the user or attempt to take any sort of corrective action.
Because disk failures can be catastrophic, I recommend always enabling this setting. Keep in mind that this setting will only work if the machine is equipped with S.M.A.R.T. enabled hard drives. Likewise, this group policy setting will only work if the Diagnostic Policy Service is running.
The Diagnostic Policy Service
Several of the group policy settings that I have discussed rely on the Diagnostic Policy Service. If you want to verify that this service is enabled, enter the MMC command at the Run prompt. When you do, Windows will open the Microsoft Management Console. Choose the Add/Remove Snap-in command from the console’s File menu, and the console will display a list of the available snap-ins. Now, choose the Services snap-in from the list and click the Add button. When prompted, verify that the Local Computer option is selected, and click Finish, followed by OK.
The console should now display a list of services. Scroll through the list of services until you find the Diagnostic Policy Service. The Startup type should be set to Automatic, and the service should be started (this is the default behavior). You can see the list of services in Figure A.
The Diagnostic Policy Service’s startup type should be set to Automatic, and the service should be started
In this article series, I have explained that over 700 new group policy settings have been added to Windows Vista and to Windows Server 2008. Unfortunately, there is no way that I can possibly cover every setting in detail within the amount of space that I have to work with. If you would like to know more about the new group policy settings though, I suggest visiting: What’s New in Group Policy in Windows Vista.
If you missed the previous articles in this series please read: