Q and A from Windows Vista Group Policy Webcast
Well, it took me a while to clean up the 26 pages of Q&A from my Windows Vista Group Policy Webcast, but as promised here it is.
Questions and Answers:
________________________________________
Asked: Where can I get more Windows Vista GPO information?
Answered: See the step-by-step guide at http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx
________________________________________
Asked: When will the ADM templates for Vista be released?
Answered: When talking about Windows Vista we will refer to ADMX files. I expect the Beta 2 release will include a pretty comprehensive view... Coming in a few weeks.
________________________________________
Asked: Will Vista be completely compatible with Server 2003?
Answered: Great question. Vista will be compatible with Windows Server 2003. Please note it is being developed to be used as the client on a Longhorn server network. Many of the features and functions of Vista are obviously not currently available on Windows Server 2003.
________________________________________
Asked: Will those features be available later on Server 2003?
Answered: It is possible, but it really depends on what the product group chooses to do with Windows Server 2003. Our goal is to provide the best products and the best experience in both the home and business network environments.
________________________________________
Asked: Does Vista have a new version of GPMC?
Answered: There is ongoing discussion now around schema changes/updates to AD 2000/2003 that will make full functionality available, but updates and fixes to the GPMC would seem natural even outside the Windows Vista dev cycle.
________________________________________
Asked: Will there be tools from MS to convert registry keys to custom .admx files?
Answered: I am not aware of such a tool.
________________________________________
Asked: Will W2K/WXP GPOs and their respective registry keys keep the same settings (and locations) as they do today, or will those registry keys be changing as well?
Answered: Win2k and XP will maintain their existing registry structures, while Vista will have its own structure that is similar but not identical to Win2k3.
________________________________________
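Since the answer above says there is no Microsoft tool for turning a registry key into a custom ADMX, here is what the smallest such conversion looks like. This is an added example from the editor, not something shown in the webcast: a PowerShell function that emits an ADMX/ADML pair exposing one REG_DWORD under a policies key as an Enabled/Disabled setting. The schema namespace, element and attribute names are the ones used by the ADMX files Windows Vista shipped, reproduced from memory, and the Contoso namespace, category and key names are placeholders.

```powershell
# Added example, not from the webcast. Builds a minimal ADMX/ADML pair that
# exposes one registry value as an Enabled/Disabled Administrative Template
# setting, which is the work a "registry key to ADMX" converter would do.
# Namespace URI, element and attribute names follow the ADMX schema Windows
# Vista shipped, as remembered by the editor: validate the output against a
# Windows.admx from a Vista installation before relying on it.
function ConvertTo-XmlText {
    param([string] $Text)
    return [System.Security.SecurityElement]::Escape($Text)
}

function New-RegistryPolicyAdmx {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z_][A-Za-z0-9_]*$')]
        [string] $PolicyName,                               # policy id; also used for the string ids
        [Parameter(Mandatory = $true)]
        [string] $RegistryKey,                              # relative to the hive, e.g. Software\Policies\Contoso\Burning
        [Parameter(Mandatory = $true)]
        [string] $ValueName,                                # REG_DWORD written as 1 (Enabled) / 0 (Disabled)
        [ValidateSet('Machine', 'User', 'Both')]
        [string] $Class = 'Machine',                        # Machine -> HKLM, User -> HKCU
        [string] $DisplayName = $PolicyName,
        [string] $ExplainText = "Sets $ValueName under $RegistryKey to 1 when enabled and 0 when disabled.",
        [string] $Namespace = 'Contoso.Policies.Custom',    # assumed vendor namespace; pick your own
        [string] $Category = 'ContosoCustom'                # folder shown under Administrative Templates
    )

    # Single-quoted here-strings so the $(string.X) references stay literal;
    # the values are substituted with -f afterwards.
    $admxTemplate = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="custom" namespace="{0}" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="{1}" displayName="$(string.{1})" />
  </categories>
  <policies>
    <policy name="{2}" class="{3}" displayName="$(string.{2})" explainText="$(string.{2}_Help)"
            key="{4}" valueName="{5}">
      <parentCategory ref="{1}" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@
    $admlTemplate = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>{0} custom Administrative Template settings</displayName>
  <description>Registry-backed settings generated by New-RegistryPolicyAdmx.</description>
  <resources>
    <stringTable>
      <string id="{0}">{1}</string>
      <string id="{2}">{3}</string>
      <string id="{2}_Help">{4}</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@
    $admx = $admxTemplate -f $Namespace, $Category, $PolicyName, $Class,
                              (ConvertTo-XmlText $RegistryKey), (ConvertTo-XmlText $ValueName)
    $adml = $admlTemplate -f $Category, (ConvertTo-XmlText $Category), $PolicyName,
                              (ConvertTo-XmlText $DisplayName), (ConvertTo-XmlText $ExplainText)

    # The ADML must carry the same base name as the ADMX, in a language subfolder.
    return [pscustomobject]@{ BaseName = $Namespace; Admx = $admx; Adml = $adml }
}

$files = New-RegistryPolicyAdmx -PolicyName 'DisableLanBurnSources' `
    -RegistryKey 'Software\Policies\Contoso\Burning' -ValueName 'DisableLanSources'

# Both documents must at least be well-formed XML before they go anywhere near a store.
$null = [xml] $files.Admx
$null = [xml] $files.Adml

# To deploy, copy to the local store of the Vista management workstation
# ($env:SystemRoot\PolicyDefinitions, ADML in its en-US subfolder) or to the domain
# central store (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions), e.g.:
# $files.Admx | Set-Content -Encoding UTF8 "$env:SystemRoot\PolicyDefinitions\$($files.BaseName).admx"
# $files.Adml | Set-Content -Encoding UTF8 "$env:SystemRoot\PolicyDefinitions\en-US\$($files.BaseName).adml"
$files.Admx
```

Two practical points follow from the answers above: the Group Policy Object Editor that reads ADMX files has to run on Windows Vista, so the files are only useful from a Vista management workstation even when the domain controllers are Windows Server 2003, and a policy-style key under Software\Policies is what makes the setting a true policy (removed when the GPO no longer applies) rather than a preference that tattoos the registry.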
Asked: Where do I download the ADM template?
Answered: Right now, to my knowledge, there is not a publicly available ADMX template. You will need to wait for one to be made publicly available.
________________________________________
Asked: So that means the registry hive model will be the same as that of XP, or will there be some additions in relation to all these features?
Answered: The hive model remains essentially the same.
________________________________________
Asked: Will IE7 finally be completely manageable in Windows Vista through Group Policy? (i.e. all Internet options/advanced settings, manageability for the IE Zone client-side extension, ...)
Answered: "Completely manageable" is pretty subjective. IE7 can be tightly controlled by Group Policy in Windows Vista. Getting complete control of an application that is used to connect and integrate with other applications is a big challenge. I personally love the control features for IE7.
________________________________________
Asked: Will there be a way to convert existing ADM templates to the ADMX format for Longhorn/Vista?
Answered: Have you reviewed http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx ???
________________________________________
Asked: How will a Windows Vista policy affect legacy systems?
Answered: When a policy is implemented it will affect only the systems in the Site, Domain, or OU where it is applied.
There are still permissions that can be applied and can be used in conjunction with Group Policy on Windows Vista.
________________________________________
Asked: Why can't I see the new settings in W2k3 after I copied the .adm and .admx files from Vista to W2k3?
Answered: See http://www.microsoft.com/technet/windowsvista/library/92340b68-8254-4060-883b-88116c197a34.mspx As you can see there, a Windows Vista workstation is needed.
________________________________________
Asked: Do domain-based GPOs still take precedence over local GPOs?
Answered: Yes, processing order is Local, Site, Domain, OU, Child OU, unless Loopback processing or Block Inheritance is in place.
________________________________________
Asked: Can GPOs be set for specific hardware types - Laptop vs. Desktop?
Answered: Great question. You can do this by creating separate OUs for the desktop and laptop computers and then applying your desired policy settings on the different OUs.
________________________________________
Asked: Are these user-specific GPO settings located under the HKEY_CURRENT_USER hive?
Answered: The user-specific settings from the Administrative Templates node in the Group Policy Object Editor that are written to the registry are found in HKEY_CURRENT_USER.
________________________________________
Asked: Can you still apply the old NT 4.0 type policies?
Answered: The ntconfig.pol files can only be used for NT machines. They can be used in conjunction with a Win2k3 DC running Active Directory; however, it is no longer supported nor recommended.
________________________________________
Asked: Is the network awareness model the same concept as NAC, or is this strictly for authentication?
Answered: Network Awareness provides the ability to report changes in network connectivity to applications in order to provide a more seamless connected experience.
As you connect to different networks, the change is communicated to Network Awareness-supported applications, which can then take appropriate actions for your connection to that network.
________________________________________
Asked: So ADMX policy objects are stored as a single object vs. multiple objects in 2003 for GPOs?
Answered: Check this link for your answer. http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx
________________________________________
Asked: Can I force a hard disk defrag (on a schedule or not) via GP under Vista?
Answered: I don't know of a way to force disk maintenance with Group Policy. You would want to use scheduled tasks or script the task directly.
________________________________________
Asked: Will it be possible to define different password policies in the same domain with Windows Vista policies?
Answered: Nope. For all the same reasons as Windows Server 2003.
________________________________________
Keith Combs Asked: Can I force a hard disk defrag?
Answered: I reviewed the Longhorn server build 5326 templates and did not see that specific setting. I could have missed it, or it could be added later. Let's hope so.
________________________________________
Asked: Is there a service in 2000/XP to process GP? What is it?
Answered: GP before Windows Vista is processed as part of the Winlogon process; in Vista there is a Group Policy Service in its own shared service host.
________________________________________
Asked: Is the GPMC part of the Adminpak.msi, or is it built in to the OS?
Answered: For Windows Server 2003, it was an optional download from microsoft.com, which will be built into both Windows Vista and Longhorn Server.
It was never included in adminpak.msi.
________________________________________
Asked: Will this new event collection tool be available for the legacy operating systems?
Answered: Eventually we would expect this tool to run on some of our other OSs.
________________________________________
Asked: Will the network awareness feature work with external VPN clients or just with Windows VPN?
Answered: Today, it's VPN. NAP is a Longhorn server feature.
________________________________________
Asked: What's the major difference between GPO Modeling and GPO Results?
Answered Privately: GPO Modeling lets you do "what-if" scenarios without actually moving the user or machine in AD. GP Results shows what GPOs are actually enforced based on the user/machine logon.
________________________________________
Asked: Is GPO logging automatic, or does it still need to be enabled in the registry first?
Answered: I believe it still needs to be enabled first. I personally like the GPResults tool from GPMC.
________________________________________
Asked: What is the best way to programmatically get applied computer and user GPOs?
Answered Privately: Define get. Get the definitions?
________________________________________
Asked: Under W2K Server, there were problems applying GPOs with a large number of changes. As such, MS often said to create several smaller GPOs rather than one large one. Are there still problems with large/complex GPOs?
Answered: I have implemented sweeping changes to the clients in a Windows 2k3 network with no issues. I am assuming that the problems you mention are associated with lack of available network bandwidth for policy acquisition and application.
________________________________________
Asked: Is there a search feature in the GPO Editor?
Answered: Not in the build 5326 editor.
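The "programmatically get applied GPOs" question above never got a concrete answer, so here is one way to do it with the RSoP data the client already produces. This is an added example from the editor, not from the webcast. On Windows Vista, gpresult can write its Resultant Set of Policy report as XML (gpresult /SCOPE COMPUTER /X rsop.xml, elevated for the computer scope), and the script below reads such a report and lists which GPOs applied, in processing order, and which were skipped and why. The report embedded here is constructed to follow the shape of that XML as remembered by the editor; the element names are an assumption to check against a real report.

```powershell
# Added example, not from the webcast. Reads a gpresult /X report and lists,
# per scope, which GPOs applied (in processing order) and which were skipped
# and why. The report below is constructed to follow the shape of the XML that
# gpresult on Windows Vista writes, from memory: check element names against a
# real report (gpresult /SCOPE COMPUTER /X rsop.xml, run elevated) before use.
$sampleReport = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ReadTime>2006-05-01T12:00:00Z</ReadTime>
  <ComputerResults>
    <Name>CONTOSO\VISTA-PC$</Name>
    <Domain>contoso.com</Domain>
    <Site>Default-First-Site-Name</Site>
    <GPO>
      <Name>Local Group Policy</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>Local</SOMPath><AppliedOrder>1</AppliedOrder><LinkOrder>1</LinkOrder>
            <Enabled>true</Enabled><NoOverride>false</NoOverride></Link>
    </GPO>
    <GPO>
      <Name>Default Domain Policy</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>contoso.com</SOMPath><AppliedOrder>3</AppliedOrder><LinkOrder>1</LinkOrder>
            <Enabled>true</Enabled><NoOverride>true</NoOverride></Link>
    </GPO>
    <GPO>
      <Name>Vista Workstation Baseline</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>contoso.com/Workstations</SOMPath><AppliedOrder>2</AppliedOrder><LinkOrder>1</LinkOrder>
            <Enabled>true</Enabled><NoOverride>false</NoOverride></Link>
    </GPO>
    <GPO>
      <Name>Laptop Power Settings</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>false</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>contoso.com/Workstations</SOMPath><AppliedOrder>0</AppliedOrder><LinkOrder>2</LinkOrder>
            <Enabled>true</Enabled><NoOverride>false</NoOverride></Link>
    </GPO>
    <GPO>
      <Name>Legacy Lockdown</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>contoso.com/Workstations</SOMPath><AppliedOrder>0</AppliedOrder><LinkOrder>3</LinkOrder>
            <Enabled>false</Enabled><NoOverride>false</NoOverride></Link>
    </GPO>
  </ComputerResults>
</Rsop>
'@

function Get-ChildText {
    # Namespace-agnostic lookup of a direct child element's text.
    param([System.Xml.XmlNode] $Node, [string] $Name)
    if ($null -eq $Node) { return $null }
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($null -eq $child) { return $null }
    return $child.InnerText
}

function Get-RsopGpoSummary {
    param(
        [Parameter(Mandatory = $true)] [xml] $Report,
        [ValidateSet('Computer', 'User')] [string] $Scope = 'Computer'
    )
    $results = $Report.DocumentElement.SelectSingleNode("*[local-name()='${Scope}Results']")
    if ($null -eq $results) { throw "No ${Scope}Results section in report" }

    foreach ($gpo in $results.SelectNodes("*[local-name()='GPO']")) {
        $link = $gpo.SelectSingleNode("*[local-name()='Link']")
        $reason = 'applied'
        if     ((Get-ChildText $gpo 'Enabled') -eq 'false')       { $reason = 'GPO disabled (all settings disabled)' }
        elseif ((Get-ChildText $gpo 'IsValid') -eq 'false')       { $reason = 'GPO invalid (version or SYSVOL problem)' }
        elseif ((Get-ChildText $gpo 'AccessDenied') -eq 'true')   { $reason = 'access denied (no Read/Apply permission)' }
        elseif ((Get-ChildText $gpo 'FilterAllowed') -eq 'false') { $reason = 'filtered out (security or WMI filter)' }
        elseif ((Get-ChildText $link 'Enabled') -eq 'false')      { $reason = 'link disabled' }

        [pscustomobject]@{
            AppliedOrder = [int](Get-ChildText $link 'AppliedOrder')   # 0 = not applied
            Name         = Get-ChildText $gpo 'Name'
            LinkedAt     = Get-ChildText $link 'SOMPath'
            Enforced     = ((Get-ChildText $link 'NoOverride') -eq 'true')
            Applied      = ($reason -eq 'applied')
            Reason       = $reason
        }
    }
}

$summary = Get-RsopGpoSummary -Report ([xml] $sampleReport) -Scope Computer
$summary | Sort-Object @{ Expression = 'Applied'; Descending = $true }, AppliedOrder |
    Format-Table AppliedOrder, Name, LinkedAt, Enforced, Reason -AutoSize
```

AppliedOrder is the Local, Site, Domain, OU sequence the earlier answer describes, so the GPO with the highest number wins any conflicting setting; in the constructed report the enforced (NoOverride) Default Domain Policy sorts after the OU-linked baseline for exactly that reason. The two GPOs with AppliedOrder 0 are the ones a "what-if" in Group Policy Modeling would not show you, since Results reports what the client actually did. On the logging question: XP and 2000 write userenv.log only after the debug registry value is set, whereas Vista's Group Policy service writes its processing events to the Event Viewer's Group Policy operational log without any registry change.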
________________________________________
Asked: NAP is very cool, very granular too, but my question was more so with a VPN client (Cisco etc.): will the network awareness work across a client like that, or would NAP determine if that will work?
Answered: Group Policy subscribes to Network Location Awareness in Vista - specifically the value "Ability To Reach DC = TRUE". At that time the GP client service will check for GP updates on the DC, especially if a checkpoint has been missed. NOW - with Quarantine (NAP)... this requires additional configuration on the quarantine session. This should also be true for any VPN software.
________________________________________
Asked: Is there an event viewer category for user profile messages?
Answered Privately: Not that I know of.
________________________________________
Asked: Can I get GPO settings programmatically?
Answered: Yes, the Monad shell will provide a robust environment for getting and setting GPO settings.
________________________________________
Asked: When Group Policy applies to a 2000/XP PC, what interprets/processes the GP? I'm trying to compare this to Vista, where Michael said that a service will process GP.
Answered: See the info at the following link http://technet2.microsoft.com/WindowsServer/en/Library/20e1b1dc-5a5a-4ee5-9a1a-31bffce6a2de1033.mspx
________________________________________
Asked: Can I use a single GPO for 2 forests?
Answered: You would have to export it from Forest A and import to Forest B. So it would be two separate GPOs. The GPO can only be shared within the same forest.
________________________________________
Asked: It seems that some of the really cool features in Windows Vista require Longhorn. What is the official release date of Longhorn?
Answered: There is no official RTM date.
I believe the target is still late 2007.
________________________________________
Asked: Are DFS and AD replication still depending on/using the same connection objects (AD Sites and Services)?
Answered: Yes, both require AD.
________________________________________
Asked: Does Vista's GPO include any items to prevent unpatched machines accessing a domain?
Answered: This will be done with NAP, Network Access Protection. Check http://www.microsoft.com/technet/itsolutions/network/nap/napoverview.mspx
________________________________________
Asked: Can I push the local GPO to another workstation, and how?
Answered: If you want to use the local policy of one machine on the others in your network, you would create a security template based on the local GPO settings. Then you could deploy the security template via GPOs.
________________________________________
Asked: Is NAC different from NAP?
Answered: They are generally used to mean the same thing.
________________________________________
Asked: Is there a GPO to restrict the source of data used on typical 3rd-party DVD burning software? (i.e. can a GPO stop Roxio from sourcing data from particular LAN paths?) It seems unlikely, but that is what the presenter seems to be alluding to and I want to clarify the issue.
Answered: You could use a software restriction policy and add a path rule. This is commonly used to control access to applications.
________________________________________
Asked: If you can't use ADMX files with Win2003, are there ADM equivalent files for use with Vista in a Win2003 environment?
Answered: They can be used in a Windows Server 2003 environment, but they have to be managed and configured from a Vista machine... http://www.microsoft.com/technet/windowsvista/library/1494d791-72e1-484b-a67a-22f66fbf9d17.mspx
________________________________________
Asked: Is the Longhorn server build available for download?
Answered: Not currently.
You need to be part of one of the Beta or TAP programs.
________________________________________
Asked: Is this same level of NAP available with Server 2003 and XP?
Answered: It is not.
________________________________________
Asked: Will Microsoft's NAC solution require an entire Longhorn infrastructure, and is this now a feature of the client, server, or both?
Answered: The current plan is Longhorn server as a requirement.
________________________________________
Asked: Re: Roxio question: is "software restriction policy and add a path rule" new, or have I missed it in W2003 SP1? I know there are draconian software restrictions in W2003, but I do not know about PATH RULES.
Answered: They are not new. They are available in Win2k3. Under Computer Policy, Windows Settings, Security Settings, Software Restriction, right-click and choose create new rule. You can create path rules and hash rules, which both have possible use here.
________________________________________
Asked: Is it possible to define a new policy? What would be a procedure for that?
Answered: New policy or GPO? GPOs are created in the Group Policy Objects container using a tool like GPMC.
________________________________________
Asked: While the end user is logging on, is the entire LGPO processed by default, or can I configure it to only process the configured policies?
Answered: No. It has to process the whole LGPO to find the settings. No way around that.
________________________________________
Asked: Is there a downloadable Beta for the Vista O.S. available yet?
Answered: It's on connect.microsoft.com, but access is only for Beta participants. See http://www.microsoft.com/technet/prodtechnol/beta/preregister.mspx for registration.
It is also in the TechNet Plus subscription.
________________________________________
Asked: So basically with UAC, the default admin profile still runs as a limited user till prompted for consent if it needs higher privilege, like software installation?
Answered: No, it doesn't run as a limited user; it just prompts you whenever you're an administrator and are performing a task that requires admin capability.
________________________________________
Asked: New policy, not GPO. Also, how should I add the policy enforcer?
Answered: To deploy security policy templates to other systems you would add them as Group Policy Objects under the Computer Configuration for the appropriate Site, Domain, or OU.
________________________________________
Asked: Not to drag this on, but then what's the reason for the consent for higher privilege when one wants to install a program? Also, does Vista support autologon or not? Thx
Answered: When you want to perform an administrative task, like installing a new program, Windows Vista prompts you to verify that you want to install the program before allowing that administrative task to run. This way, the use of administrator privileges is minimized, making it more difficult for malware, such as viruses, worms, spyware, and other potentially unwanted software, to have machine-wide impact on your PC.
________________________________________
Asked: Can we block exes from running off USB devices?
Answered: Yes, there is a policy that can be implemented to prevent the use of removable USB devices.
________________________________________
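Software Restriction Policies came up three times above (the Roxio path rule, the path-versus-hash rule follow-up, and blocking executables on USB media), and what trips people up is how SRP decides which rule wins. The script below is an added example from the editor, not from the webcast: a small PowerShell model of SRP rule selection, with hash rules beating path rules, the most specific path rule beating a broader one, and the policy's default level applying when nothing matches. The rules, paths and file contents are constructed, and SHA-256 is used as the hash here for convenience; real SRP hash rules use whichever hash algorithms the OS's SRP engine supports, so match that when you build rules from this.

```powershell
# Added example, not from the webcast. A small model of how Software Restriction
# Policies pick a rule for a file: hash rules win over path rules, the most
# specific path rule wins among path rules, and the default security level
# applies when nothing matches. Paths, file bytes and rules are constructed.

function Get-Sha256Hex {
    param([byte[]] $Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try   { return ([System.BitConverter]::ToString($sha.ComputeHash($Bytes))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Test-SrpPathRule {
    # SRP path rules accept * and ? wildcards and environment variables such as
    # %ProgramFiles%; a rule naming a folder covers everything beneath it.
    param([string] $Pattern, [string] $Path)
    $expanded = [System.Environment]::ExpandEnvironmentVariables($Pattern)
    if ($expanded -match '[\*\?]') { return ($Path -like $expanded) }   # -like is case-insensitive
    $folder = $expanded.TrimEnd('\')
    return ($Path -eq $folder) -or ($Path -like ($folder + '\*'))
}

function Resolve-SrpLevel {
    param(
        [hashtable[]] $Rules,            # each: Type = Path|Hash, Pattern or Hash, Level
        [string]      $Path,
        [byte[]]      $Bytes,
        [string]      $DefaultLevel = 'Unrestricted'
    )
    $fileHash = Get-Sha256Hex -Bytes $Bytes

    # 1. Hash rules take precedence over every path rule, whatever their level.
    foreach ($r in $Rules | Where-Object { $_.Type -eq 'Hash' }) {
        if ($r.Hash -eq $fileHash) {
            return [pscustomobject]@{ Level = $r.Level; MatchedBy = "hash $($r.Hash.Substring(0, 12))..." }
        }
    }
    # 2. Among matching path rules the most specific wins; pattern length stands
    #    in for specificity here (an assumption of this model).
    $best = $Rules |
        Where-Object { $_.Type -eq 'Path' -and (Test-SrpPathRule -Pattern $_.Pattern -Path $Path) } |
        Sort-Object { $_.Pattern.Length } -Descending |
        Select-Object -First 1
    if ($best) {
        return [pscustomobject]@{ Level = $best.Level; MatchedBy = "path $($best.Pattern)" }
    }
    # 3. Nothing matched: the policy's default security level applies.
    return [pscustomobject]@{ Level = $DefaultLevel; MatchedBy = 'default level' }
}

# Constructed sample: a "known good" build of a burning tool, a tampered copy,
# and the rules an administrator might define for the Roxio and USB questions.
$knownGood = [System.Text.Encoding]::ASCII.GetBytes('MZ constructed Roxio Creator build 1')
$tampered  = [System.Text.Encoding]::ASCII.GetBytes('MZ constructed Roxio Creator build 1, patched')

$rules = @(
    @{ Type = 'Path'; Pattern = 'C:\Program Files\*';       Level = 'Unrestricted' }
    @{ Type = 'Path'; Pattern = 'C:\Program Files\Roxio\*'; Level = 'Disallowed'   }
    @{ Type = 'Path'; Pattern = 'E:\*';                     Level = 'Disallowed'   }   # removable drive letter
    @{ Type = 'Hash'; Hash = (Get-Sha256Hex -Bytes $knownGood); Level = 'Unrestricted' }
)

$cases = @(
    @{ Path = 'C:\Program Files\Roxio\Creator.exe';  Bytes = $knownGood }   # hash rule rescues the known build
    @{ Path = 'C:\Program Files\Roxio\Creator.exe';  Bytes = $tampered  }   # falls to the Roxio path rule
    @{ Path = 'C:\Program Files\Office\winword.exe'; Bytes = $tampered  }   # broad Program Files rule
    @{ Path = 'E:\autorun\setup.exe';                Bytes = $tampered  }   # USB rule
    @{ Path = 'D:\tools\putty.exe';                  Bytes = $tampered  }   # no rule -> default level
)

foreach ($c in $cases) {
    $result = Resolve-SrpLevel -Rules $rules -Path $c.Path -Bytes $c.Bytes -DefaultLevel 'Unrestricted'
    '{0,-42} {1,-12} {2}' -f $c.Path, $result.Level, $result.MatchedBy
}
```

Two caveats before copying this into the Software Restriction Policies node under Computer Configuration, Windows Settings, Security Settings. First, SRP decides whether a file may execute, not which data a running program may read, so a path rule on the Roxio folder stops or allows Roxio itself; the LAN paths it reads from are governed by the share and NTFS permissions on those paths. Second, a path rule keyed to E:\ only holds while the removable device happens to get that letter; Vista's Removable Storage Access settings under Administrative Templates work per device class instead and are the more robust way to block execution from USB media.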
Asked: Are the device numbers specific to that particular mouse or to a class of mice?
Answered: Yes, so be careful. It was just an example to demo a point.
________________________________________
Asked: An hour and a half just isn't enough to cover this subject. Is there a part 2 of this meeting or additional presentations scheduled that cover Group Policy in Windows Vista that I can attend?
Answered: We'll have lots of webcasts and screencasts over the next few months and years.
________________________________________
Asked: Doesn't QoS only become useful when your network is at 100% capacity? That is, if you're not at 100% bandwidth, then QoS has no effect; everything is getting through.
Answered: Not necessarily so. Imagine you had a 1.5 Mb line and only half of it is in use. At 5 p.m. you have an app that will use 1 Mb to transfer daily sales, inventory, and reports information. You can use QoS to ensure the traffic you want to get through will get through.
________________________________________
Asked: Will QoS be included in Vista Home and Premium O.S.?
Answered: The entire documented feature set and versions will be published in the Book of Windows Vista, due out in Beta 2 in .doc and .xps form.
________________________________________
Asked: Does QoS require switches that understand AD, or does the Vista client just manage its own traffic (i.e. no control over all packets)?
Answered: Check this link.... it tells you exactly what you need to know regarding QoS http://www.microsoft.com/technet/community/columns/cableguy/cg0306.mspx#EJB
________________________________________
Asked: Can IE settings be done by IP address ranges, or are they still restricted to URLs when pushing out the policies?
Answered: GPO settings are normally applied to machines in an OU. Is that how you are applying settings?
________________________________________