Multi-Version Investments in Group Policy

JimAll — Fri, 15 Dec 2006 06:40:00 GMT

Anyone who has ever heard me give a talk about Windows Vista (even back when it was called Windows Longhorn) knows that I usually mention that Windows Vista is the first version of Windows since Windows 95 that truly has something for everyone, including home users, business users, IT professionals and developers. One particular area of improvement in Windows Vista for IT professionals is Group Policy.

We first introduced Group Policy in Windows 2000 Client and Server. Unlike Windows Vista, Windows 2000 was not a "something for everyone" release. The primary beneficiaries of Windows 2000 were business users (mainly because it enabled the Windows NT kernel to work on portable machines) and IT Professionals. For IT Pros, the big news was unprecedented performance/scalabilty, reliability, and of course, manageability. Windows 2000 introduced Active Directory which not only enabled a much more scalable notion of single network logon (we call that identity management today), but as importantly, it allowed IT managers to configure policy settings to centrally control the behavior and security of the systems they were managing. In Windows 2000, Group Policy enabled IT Professionals to create a specific desktop configuration to configure and control groups of users and computers. Windows 2000 Group Policy specifies settings for groups of users and of computers, including registry-based policy settings, security settings, software installation, scripts (computer start-up and shutdown, and log on and log off), and folder redirection. When introduced, Windows 2000 enabled about 500 policy settings, which grew over time with new releases of the server and client operating systems and components so that in Windows Server 2003 and Windows XP SP2, there were over 1,700 total settings that could be centrally administered through Group Policy.

As it turns out, the most "killer application" that utilized Active Directory back in 2000 was as the identity store for Exchange Server. From a policy perspective, much of the policy that was actually managed by Active Directory back in the Windows 2000 time frame were rules that were authored, tested and maintained by individual customers. The point is that it took the development cycle of Windows 2000 (along with some refinements in Windows Server 2003) to develop and flesh out the infrastructure so that it could be used to solve a more sophisticated set of IT scenarios.

What is cool is that we had an opportunity with Windows Vista to build upon the Group Policy investment we've made over the last 6 years to provide even more capabilities. Windows Vista brings about 800 new policy settings to the table. These span multiple categories, many of which you already know and rely on. But, Windows Vista focuses not just on the amount of new settings, but also the right ones -- scenario-based settings that our customers asked us to include to help simplify their operational problems -- ones that simply hadn't existed or had lacked any Group Policy controls.

Enhanced areas in Group Policy include Wired and Wireless networking policy, Windows Firewall and IPsec, Print Management, Desktop Shell, Remote Assistance and Tablet PC. We have also made the policies that can be managed for Internet Explorer much more extensive for Windows Vista.

New areas in Windows Vista Group Policy include Removable Storage Device Management, Power Management, User Account Control, Windows Error Reporting, Printer Deployment, Network Access Protection (with Windows Server “Longhorn”), Network Quality of Service and Windows Defender. For example, using the Group Policy capabilities in Windows Vista, an IT manager can set a policy to put the Windows Vista PCs in their environment into a reduced power state after a specified period of inactivity. This is a great example of the value of Group Policy -- enabling power management policy settings can have an immediate and direct benefit on the bottom line by reducing power costs. IT managers who have users with sensitive data can also use Group Policy to limit use of removable storage devices on systems that handle such sensitive data. We've heard from customers that they needed this control for quite some time and now, Windows Vista delivers it. I should also note that in as much as Group Policy can be used to lock down the systems in a network, it can also be used to delegate certain features so that the non-administrator user on a machine can complete key tasks -- like installing a printer driver -- without having to ask for permission from the IT department.

Be sure to check out the Group Policy Reference Spreadsheet, which now lists all policy settings requiring schema updates -- as well as, for the first time, listing those requiring a reboot or user logoff.

One of the other things that we have added to Group Policy is the ability to use Windows Vista's Network Location Awareness feature to drive policy refresh behavior. Through these improvements, Group Policy is now more aware of changes in network conditions as they occur. For example, Group Policy can now use the event of a newly established VPN session as an opportunity to refresh policy to help maintain network security. This makes Group Policy much more responsive in scenarios such as these. We have also removed the dependency in "ping," which caused issues for some customers that blocked ICMP traffic.

For the Group Policy administrator, we've made significant changes to the manner in which we report events. Specifically, we take advantage of Windows Vista's new event reporting infrastructure for our administrative and operational logs. We expose richer and more logical events as policy events occur, logging information such as which Domain Controllers (DCs) were used, whether slow links were in effect, and which Group Policy Objects (GPOs) were applicable. The net effect of these changes is a more streamlined and effective troubleshooting process for Group Policy.

Clearly the investments that we made more than 6 years ago as we developed Active Directory and Group Policy to work at scale are paying off in the form of new capabilities that will not only lower TCO for IT Administrators and give business end-users a greater sense of security as they work, but also enable a new generation of applications to be managed centrally using an ever-ubiquitous infrastructure element. As Group Policy has been established as a key infrastructure component of the OS, we are now seeing more parts of the OS using Group Policy to manage system behavior, which leads to a much more consistent and pervasive use of Group Policy as a way to manage Windows Systems. The result is that we have nearly doubled the number of policy settings in the OS between Windows XP SP2 and Windows Vista.

As I look back at some of the growing pains we experienced 6 years ago in building Windows 2000, it's exciting to see the positive long-term impact that those investments are making in Windows Vista. What's even cooler is knowing that Windows Vista is another great milestone along the way for business end-users, developers and IT managers who choose to invest in Active Directory.

jim

Windows Vista Team Blog : Business Deployment, Jim Allchin

Multi-Version Investments in Group Policy