Microsoft’s official Group Policy blog
I have two (wonderful) daughters and, like most parents, my wife and I regularly face little sibling wars. Our youngest daughter, in particular, is an absolute delight but has - how can I say - a "strong personality". Now, I don't know if there is any science behind this (and it's certainly not the basis of this blog entry!!) but in the small sample of families I know that come to mind, the younger sibling often has the more "forceful" personality, which manifests itself in little streaks of jealousy. But in her sweeter moments she knows how to melt the heart by sneaking up on her "victim", tugging a sleeve, fluttering her eyelids and saying in an angelic voice "Don't forget about me...". The strong Dad in me wants to say that I look at every situation on its merits, etc, etc - but that little phrase tends to work on me every time!!
If you've read this far then you're probably wondering what on earth this has to do with Group Policy! Well, let me take you back to my first blog entry. I come from a support background, having started life at Microsoft a little over 9 years ago as a Technical Account Manager in Premier Support. That role tends to ensure you have a customer-centric view of the world. We have incredibly creative customers who do great things with our technology - and when we ship a product we REALLY start learning about these new features in the real world.
Windows Vista is next in line but I know that many customers will run Windows XP clients on Windows Server 2003 / Windows 2000 domains for quite some time. I'm the first to advocate the great advantages of Windows Vista. I run it as my regular desktop, have done for a number of months and Release Candidate 1 will be awesome. But I am biased! I work at Microsoft and we are - by design - somewhat forward thinking in our adoption rates :-) Many of our customers roll out technology - especially a new OS - over an extended period.
With all this in mind, I'll keep my earlier blog promise not to forget about XP! It's very relevant - and will remain so - to many of you for a long time. So, I thought I'd straddle the two - Windows Vista and Windows XP - in this blog by discussing how new Group Policy features in Windows Vista play ball nicely with environments including Windows XP, Windows Server 2003 and Windows 2000.
A good example of this is the new "central store". Many of you will know ADM files, which define policy settings for display in GPMC and GPEdit. Traditionally (before Windows Vista) and by default, ADM files are stored in all GPOs you create. Create two GPOs and you have identical copies of five specific ADM files (which total about 5Mb in size). Create 100 GPOs and - well, you get the picture. That's a lot of redundant storage space and a burden on your network as these are replicated across all your DCs.
In Windows Vista we introduce ADMX files. These are the new XML-based version of ADM files and, over time, we anticipate a "cottage industry" around the creation of ADMX files. If you create or edit ADMX files in Visual Studio the Intellisense feature will guide you along in terms of the supported elements, as defined by the ADMX schema. However, a primary reason for the move to ADMX files was to introduce a better story around multi-lingual environments. Unlike an ADM file, an ADMX file contains no language-specific information. Such information - like Explain Text and the Supported string - is stored in one or more ADML files associated with the ADMX file.
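The ADMX/ADML split described above can be seen by resolving one policy against two language files. This is an added example, not code from the original post or from Microsoft: the ADMX and ADML documents are constructed samples trimmed to the attributes used here, and the Contoso policy, its registry key and the `describe` helper are assumptions. It also reports string ids that a language file does not define, which is worth checking before handing a custom ADMX file to other administrators.

```python
import re
import xml.etree.ElementTree as ET

NS = {"pd": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}
STRING_REF = re.compile(r"^\$\(string\.(.+)\)$")
ROOT_ATTRS = f'xmlns="{NS["pd"]}" revision="1.0" schemaVersion="1.0"'

# Constructed custom ADMX (hypothetical policy): registry location only, no display text.
ADMX = rf"""<policyDefinitions {ROOT_ATTRS}>
  <policies>
    <policy name="DisableWidget" class="Machine"
            displayName="$(string.DisableWidget)"
            explainText="$(string.DisableWidget_Help)"
            key="Software\Policies\Contoso\Widget" valueName="Disabled"/>
  </policies>
</policyDefinitions>"""

# Constructed ADML files: one per language; the de-DE one lacks the help string.
ADML_EN = f"""<policyDefinitionResources {ROOT_ATTRS}><resources><stringTable>
    <string id="DisableWidget">Disable the widget</string>
    <string id="DisableWidget_Help">Turns the widget off for all users.</string>
  </stringTable></resources></policyDefinitionResources>"""
ADML_DE = f"""<policyDefinitionResources {ROOT_ATTRS}><resources><stringTable>
    <string id="DisableWidget">Widget deaktivieren</string>
  </stringTable></resources></policyDefinitionResources>"""

def load_strings(adml_xml):
    """Return the ADML string table as {id: text}."""
    doc = ET.fromstring(adml_xml)
    table = doc.iterfind(".//pd:stringTable/pd:string", NS)
    return {s.get("id"): (s.text or "") for s in table}

def describe(admx_xml, adml_xml):
    """Resolve each policy's $(string.ID) references against one language."""
    doc = ET.fromstring(admx_xml)
    strings, report = load_strings(adml_xml), []
    for pol in doc.iterfind(".//pd:policies/pd:policy", NS):
        entry = {"policy": pol.get("name"), "key": pol.get("key"),
                 "valueName": pol.get("valueName"), "missing": []}
        for attr in ("displayName", "explainText"):
            ref = STRING_REF.match(pol.get(attr, ""))
            sid = ref.group(1) if ref else None
            if sid and sid not in strings:
                entry["missing"].append(sid)  # this language file lacks the id
            entry[attr] = strings.get(sid, pol.get(attr))
        report.append(entry)
    return report

if __name__ == "__main__":
    for lang, adml in (("en-US", ADML_EN), ("de-DE", ADML_DE)):
        print(lang, describe(ADMX, adml))
```

The same ADMX yields an English or German display name depending only on which ADML is loaded, while the registry key and value name it controls are identical in both.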
But the multi-lingual benefits are for a future blog entry. Given the "challenges" with ADM file storage, we also took the opportunity to improve things around how files are stored. That's where the central store comes in. The central store is a single directory replicated across your domain controllers in which ADMX files are stored. The Windows Vista versions of GPMC and GPEdit look in that store - if created - for their policy definitions (if the central store has not yet been created, by the way, then these tools use the ADMX/L files on the local machine). The advantages are clear. The overhead of each GPO - both in terms of storage and replication traffic - is dramatically reduced because there are no ADMX files stored with each GPO. And if you modify or receive an updated ADMX file you have just one place to update. It's a good thing...
But what about little sister XP (OK, this doesn't work from an age perspective since XP is "older" but play along!!)? Well, Windows Vista and Windows XP can work side-by-side just fine. Here's how...
Let's say you are managing Windows XP clients from an XP administrative machine. You'll have the same scenario as before - ADM files stored in GPOs. Now, the ADMX files that ship with Windows Vista define a SUPERSET of the policy settings in ADM files. They include all policy settings previously shipped PLUS the large number of new Windows Vista policy settings (we've added about 50% new settings, across all aspects of the operating system). So, you can run GPMC and GPEdit from Windows Vista and start editing the same GPOs that you created from your XP machine. In this scenario - before creation of the central store - the ADMX files on the Windows Vista machine will be used. By the way, GPMC ships in the OS with Windows Vista, so you no longer need to download and install it.
Now, a drawback with LOCAL usage of ADMX files is that if you have a custom ADMX file - and customers have told us already that this will be quite common - then you'll need to distribute that to each administrative machine from which GPMC and GPEdit are run. However, after creating and populating the central store all Windows Vista machines will use that central location and ignore their local ADMX files. Then all you need to do is move your custom ADMX files to that one directory and everyone "sees" the policy settings it defines. By the way, note that ADMX files cannot be stored in the GPO like ADM files.
But what about little sister XP? Let's say you have a custom ADM file that is happily living in a GPO created from XP. NO PROBLEM! Windows Vista will see and consume that ADM file just fine. You won't get the multi-lingual benefits of ADMX files but you will at least be able to see and edit the policy setting.
And what about Windows 2000 and Windows Server 2003? Well, recall that I mentioned earlier that the central store is just a directory. That means it works just fine on Windows 2000 or Windows Server 2003. There's no additional server component beyond that already provided by any domain controller. If someone tells you that ADMX files or the central store require "Longhorn Server" - well, just tell 'em they are wrong!
And that's the key. Although Windows Vista introduces some great new functionality around managing "settings" in general, it will absolutely continue to work with ADM files. Over time we expect people to move many ADM files to ADMX files but there is no absolute NEED to do this when you start using Windows Vista.
So, when XP (or, indeed, Windows 2000 or Windows Server 2003) tugged on our coat sleeves and said "Don't forget about me..." - we didn't.
Thanks for reading...
Mark Williams: Program Manager, Group Policy