Q and A from Windows Vista Group Policy Webcast

Well, it took me a while to clean up the 26 pages of Q&A from my Windows Vista Group Policy Webcast, but as promised here it is.

Questions and Answers:
________________________________________
Asked: Where can I get more Windows Vista GPO information?
Answered: See the step by step guide at http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx
________________________________________
Asked: When will the ADM Templates for Vista be released?
Answered: When talking about Windows Vista we will refer to ADMX files. I expect the Beta 2 release will include a pretty comprehensive view... Coming in a few weeks
________________________________________
Asked: Will Vista be completely compatible with Server 2003?
Answered: Great Question. Vista will be compatible with Windows Server 2003. Please note it is being developed to be used as the client on a Longhorn server network. Many of the features and functions of Vista are obviously not currently available on Windows Server 2003.
________________________________________
Asked: Will those features be available later on Server 2003?
Answered: It is possible but really depends on what the product group chooses to do with Windows Server 2003. Our goal is to provide the best products and the best experience in both the home and business network environment.
________________________________________
Asked: Does Vista have a new version of GPMC?
Answered: There is ongoing discussion now around schema changes/updates to AD 2000/2003 that will make full functionality available, but updates and fixes to the GPMC would seem natural even outside the Windows Vista dev cycle.
________________________________________
Asked: Will there be tools from MS to convert registry keys to custom .admx files?
Answered: I am not aware of such a tool.
________________________________________
Asked: Will W2K/WXP GPOs and their respective Registry Keys keep the same settings (and locations) as they do today or will those registry keys be changing as well?
Answered: Win2k and XP will maintain their existing registry structures while Vista will have its own structure that is similar but not identical to win2k3.
________________________________________
Asked: Where do I download the ADM template?
Answered: Right now to my knowledge there is not a publicly available ADMX template. You will need to wait for one to be made publicly available.
________________________________________
Asked: So that means the registry hives model will be same as that of XP or will that be some addition in relation to all these features?
Answered: The hive model remains essentially the same.
________________________________________
Asked: Will IE7 finally be completely manageable in Windows Vista via Group Policies? (i.e. all Internet Options/Advanced settings, manageability for the IE Zone client-side extension, ...)
Answered: "completely manageable" is pretty subjective. IE7 can be tightly controlled by Group Policy in Windows Vista. Getting complete control of an application that is used to connect and integrate with other applications is a big challenge. I personally love the control features for IE7.
________________________________________
Asked: will there be a way to convert existing adm templates to the admx format for longhorn/vista?
Answered: Have you reviewed http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx?
________________________________________
Asked: How will a Windows Vista policy affect legacy systems?
Answered: When a policy is implemented it will affect only the systems in the Site, Domain, or OU where they are applied. There are still permissions that can be applied and can be used in conjunction with Group policy on Windows Vista.
________________________________________
Asked: Why can't I see the new settings in W2K3 after I copied the .adm and .admx files from Vista to W2K3?
Answered: See http://www.microsoft.com/technet/windowsvista/library/92340b68-8254-4060-883b-88116c197a34.mspx. As you can see there, a Windows Vista workstation is needed.
________________________________________
Asked: Do domain-based GPOs still take precedence over local GPOs?
Answered: Yes, processing order is Local, Site, Domain, OU, Child OU, unless Loopback processing or Block Inheritance is in place.
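The processing order in this answer, as an added illustrative model (not code from the webcast or from Microsoft's Group Policy tooling): a PowerShell function that merges constructed GPO settings in Local, Site, Domain, OU, Child OU order, with later links overriding earlier ones, and shows how Block Inheritance and Loopback change the outcome. GPO names, settings and scope chains are all assumed sample data.

```powershell
# Added illustrative model (not from the webcast): how LSDOU order,
# Block Inheritance and Loopback decide which GPO wins a setting.
# Simplifications: settings are a flat name/value map, Enforced links
# are ignored, and Loopback is applied to the whole map.

function Get-ScopeChain {
    param([object[]]$Scopes)   # containers in Local, Site, Domain, OU, Child OU order
    $chain = @()
    foreach ($s in $Scopes) {
        # Block Inheritance on a container discards every GPO linked above it
        if ($s.BlockInheritance) { $chain = @() }
        $chain += $s.Gpos
    }
    return $chain
}

function Resolve-EffectiveSettings {
    param(
        [object[]]$UserScopes,       # containers from the user's location in AD
        [object[]]$ComputerScopes,   # containers from the computer's location in AD
        [ValidateSet('None','Merge','Replace')][string]$Loopback = 'None'
    )
    # Later links override earlier ones, so the last GPO to write a setting wins.
    $order = switch ($Loopback) {
        'None'    { @(Get-ScopeChain $UserScopes) }
        'Replace' { @(Get-ScopeChain $ComputerScopes) }
        'Merge'   { @(Get-ScopeChain $UserScopes) + @(Get-ScopeChain $ComputerScopes) }
    }
    $effective = @{}
    foreach ($gpo in $order) {
        foreach ($k in $gpo.Settings.Keys) {
            $effective[$k] = [pscustomobject]@{ Value = $gpo.Settings[$k]; Source = $gpo.Name }
        }
    }
    return $effective
}

# Constructed sample data: a sales user logging on to a kiosk PC whose OU blocks inheritance.
$domainGpo = @{ Name = 'Default Domain'; Settings = @{ ScreenSaverTimeout = 600; RemovableStorage = 'Allow' } }
$userScopes = @(
    @{ Name = 'Local';  Gpos = @(@{ Name = 'Local GPO';   Settings = @{ ScreenSaverTimeout = 900 } }) },
    @{ Name = 'Domain'; Gpos = @($domainGpo) },
    @{ Name = 'OU';     Gpos = @(@{ Name = 'Sales Users'; Settings = @{ RemovableStorage = 'Deny' } }) }
)
$computerScopes = @(
    @{ Name = 'Local';  Gpos = @() },
    @{ Name = 'Domain'; Gpos = @($domainGpo) },
    @{ Name = 'OU';     Gpos = @(@{ Name = 'Kiosk PCs'; Settings = @{ ScreenSaverTimeout = 60 } }); BlockInheritance = $true }
)

foreach ($mode in 'None', 'Merge', 'Replace') {
    $r  = Resolve-EffectiveSettings $userScopes $computerScopes -Loopback $mode
    $rs = if ($r.ContainsKey('RemovableStorage')) { $r.RemovableStorage.Value } else { '(not set)' }
    '{0,-8} ScreenSaverTimeout={1} (from {2}); RemovableStorage={3}' -f $mode, $r.ScreenSaverTimeout.Value, $r.ScreenSaverTimeout.Source, $rs
}
```

With this sample, no Loopback gives the domain's 600-second timeout and the Sales OU's Deny; Replace mode takes only the kiosk's chain, so the Block Inheritance on the kiosk OU also drops the domain GPO and leaves RemovableStorage unset.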
________________________________________
Asked: Can GPO's be set for specific hardware types - Laptop vs. Desktop?
Answered: Great Question. You can do this by creating separate OUs for the desktop and laptop computers and then applying your desired policy settings to the different OUs.
________________________________________
Asked: Are these user-specific GPO settings located under the HKEY_CURRENT_USER hive?
Answered: The user-specific settings from the Administrative Templates node in the Group Policy Object Editor that are written to the registry are found in HKEY_CURRENT_USER.
________________________________________
Asked: Can you still apply the old NT 4.0 type policies?
Answered: The ntconfig.pol files can only be used for NT machines. They can be used in conjunction with a Win2k3 DC running Active Directory; however, it is no longer supported nor recommended.
________________________________________
Asked: Is the network awareness model the same concept as NAC, or is this strictly for authentication?
Answered: Network Awareness provides the ability to report changes in network connectivity to applications in order to provide a more seamless connected experience. As you connect to different networks, the change is communicated to Network Awareness-supported applications, which can then take appropriate actions for your connection to that network.
________________________________________
Asked: So are ADMX policy objects stored as a single object vs. multiple objects in 2003 for a GPO?
Answered: Check this link for your answer. http://www.microsoft.com/technet/windowsvista/library/02633470-396c-4e34-971a-0c5b090dc4fd.mspx
________________________________________
Asked: Can I force a hard disk defrag (on a schedule or not) via GP under Vista?
Answered: I don’t know of a way to force disk maintenance with Group policy. You would want to use scheduled tasks or script the task directly.
________________________________________
Asked: Will it be possible to define different password policies in the same domain with Windows Vista policies?
Answered: Nope. For all the same reasons as Windows Server 2003.
________________________________________
Keith Combs Asked: Can I force a hard disk defrag?
Answered: I reviewed the Longhorn server build 5326 templates and did not see that specific setting. I could have missed it, or it could be added later. Let's hope so.
________________________________________
Asked: Is there a service in 2000/XP to process GP? What is it?
Answered: GP before Windows Vista is processed as part of the Winlogon process; in Vista there is a Group Policy Service in its own shared service host.
________________________________________
Asked: Is the GPMC part of the Adminpak.msi or is it built in to the OS?
Answered: For Windows Server 2003, it was an optional download from microsoft.com which will be built into both Windows Vista and Longhorn Server. It was never included in adminpak.msi.
________________________________________
Asked: Will this new event collection tool be available for the legacy operating systems?
Answered: Eventually we would expect this tool to run on some of our other OS's
________________________________________
Asked: Will the network awareness feature work with external VPN clients or just with Windows VPN?
Answered: Today, it's VPN. NAP is a Longhorn server feature.
________________________________________
Asked: What's the major difference between GPO Modeling and GPO Results?
Answered Privately: GPO Modeling lets you do "what-if" scenarios without actually moving the user or machine in AD. GP Results shows which GPOs are actually enforced based on the user/machine logon.
________________________________________
Asked: Is GPO logging automatic or does it still need to be enabled in the registry first?
Answered: I believe it still needs to be enabled first. I personally like the GPResults tool from GPMC.
________________________________________
Asked: What is the best way to programmatically get applied computer and user GPOs?
Answered Privately: Define get. Get the definitions?
________________________________________
Asked: Under W2K Server, there were problems applying GPOs with a large number of changes. As such, MS often said to create several smaller GPOs rather than one large one. Are there still problems with large/complex GPOs?
Answered: I have implemented sweeping changes to the clients in a Windows 2k3 network with no issues. I am assuming that the problems you mention are associated with lack of available network bandwidth for policy acquisition and application.
________________________________________
Asked: Is there a search feature in the GPO Editor?
Answered: Not in the build 5326 editor.
________________________________________
Asked: NAP is very cool, very granular too, but my question was more so with a VPN client (Cisco etc.): will the network awareness work across a client like that, or would NAP determine if that will work?
Answered: Group Policy subscribes to Network Location Awareness in Vista, specifically the value "Ability To Reach DC = TRUE". At that time the GP client service will check for GP updates on the DC, especially if a checkpoint has been missed. NOW, with Quarantine (NAP)... this requires additional configuration on the quarantine session. This should also be true for any VPN software.
________________________________________
Asked: Is there an Event Viewer category for user profile messages?
Answered Privately: Not that I know of
________________________________________
Asked: Can I get GPO settings programmatically?
Answered: Yes, the Monad shell will provide a robust environment for getting and setting GPO settings.
________________________________________
Asked: When Group Policy applies to a 2000/XP pc, what interprets/processes the GP? I'm trying to compare this to Vista where Michael said that a service will process GP.
Answered: See the info at the following link: http://technet2.microsoft.com/WindowsServer/en/Library/20e1b1dc-5a5a-4ee5-9a1a-31bffce6a2de1033.mspx
________________________________________
Asked: Can I use a single GPO for 2 forests?
Answered: You would have to export it from Forest A and import to Forest B. So it would be two separate GPOs. The GPO can only be shared within the same forest.
________________________________________
Asked: It seems that some of the really cool features in Windows Vista require Longhorn. What is the official release date of Longhorn?
Answered: There is no official RTM date. I believe the target is still late 2007.
________________________________________
Asked: Are DFS and AD replication still dependent on/using the same connection objects (AD Sites and Services)?
Answered: Yes both require AD.
________________________________________
Asked: Does Vista's GPO include any items to prevent unpatched machines accessing a domain?
Answered: This will be done with NAP (Network Access Protection). Check http://www.microsoft.com/technet/itsolutions/network/nap/napoverview.mspx
________________________________________
Asked: Can I push the local gpo to another workstation and how?
Answered: If you want to use the local policy of one machine on the others in your network, you would create a security template based on the local GPO settings. Then you could deploy the security template via GPOs.
________________________________________
Asked: Is NAC different from NAP?
Answered: They are generally used to mean the same thing.
________________________________________
Asked: Is there a GPO to restrict the source of data used on typical 3rd party DVD burning software? (i.e. can a GPO stop Roxio from sourcing data from particular LAN paths?) It seems unlikely but that is what the presenter seems to be alluding to and I want to clarify the issue.
Answered: You could use a software restriction policy and add a path rule. This is commonly used to control access to applications.
________________________________________
Asked: If you can't use admx files with Win2003 are there adm equivalent files for use with Vista in a Win2003 environment?
Answered: They can be used in a Windows Server 2003 environment, but they have to be managed and configured from a Vista machine... http://www.microsoft.com/technet/windowsvista/library/1494d791-72e1-484b-a67a-22f66fbf9d17.mspx
________________________________________
Asked: Is the Longhorn server build available for download?
Answered: Not currently. You need to be part of one of the Beta or TAP programs.
________________________________________
Asked: Is this same level of NAP available with Server 2003 and XP?
Answered: It is not.
________________________________________
Asked: Will Microsoft's NAC solution require an entire Longhorn infrastructure and is this now a feature of the client, server or both?
Answered: The current plan is Longhorn server as a requirement.
________________________________________
Asked: Re: the Roxio question: is "software restriction policy and add a path rule" new, or have I missed it in W2003 SP1? I know there are draconian software restrictions in W2003 but I do not know about PATH RULES.
Answered: They are not new. They are available in Win2k3. Under Computer Policy, Windows Settings, Security Settings, Software Restriction. Right-click and choose Create New Rule. You can create path rules and hash rules, which both have possible use here.
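As an added example for the path and hash rules discussed in this answer (not from the webcast, and not Microsoft's own tooling): a PowerShell audit that lists the Software Restriction Policy rules actually stored on a machine, so an administrator can see which paths or hashes are Disallowed or Unrestricted and under which default level. The registry layout under `...\Safer\CodeIdentifiers`, the level numbers and the hash-algorithm codes are assumed from Windows' documented SRP storage, not from the page.

```powershell
# Added example (not from the webcast): list the Software Restriction Policy
# path and hash rules in effect on this machine and the default level they
# sit under. Registry layout under ...\Safer\CodeIdentifiers is assumed from
# Windows' documented SRP storage, not taken from the page. Run elevated.

$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 65536 = 'Untrusted'
                 131072 = 'Constrained'; 262144 = 'Unrestricted' }
$algNames   = @{ 32771 = 'MD5'; 32772 = 'SHA1' }   # CALG_MD5 / CALG_SHA1

function Get-SrpRules {
    param([ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM')
    $root = "$($Hive):\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $root)) { return }          # no SRP configured in this hive
    $def = (Get-ItemProperty $root).DefaultLevel
    $defName = if ($null -eq $def) { 'Unrestricted (not set)' } else { $levelNames[[int]$def] }
    [pscustomobject]@{ Scope = $Hive; Type = 'Default'; Level = $defName; Rule = '(all other code)'; Algorithm = ''; Description = '' }
    foreach ($levelKey in Get-ChildItem $root) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # subkeys are named by level
        $level = $levelNames[[int]$levelKey.PSChildName]
        foreach ($ruleType in 'Paths', 'Hashes') {
            $sub = "$($levelKey.PSPath)\$ruleType"
            if (-not (Test-Path $sub)) { continue }
            foreach ($rule in Get-ChildItem $sub) {       # one GUID-named subkey per rule
                $p = Get-ItemProperty $rule.PSPath
                if ($ruleType -eq 'Paths') {
                    $type = 'Path'; $text = $p.ItemData; $alg = ''      # REG_EXPAND_SZ path or wildcard
                } else {
                    $type = 'Hash'
                    $text = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''   # REG_BINARY hash
                    $alg  = $algNames[[int]$p.HashAlg]
                }
                [pscustomobject]@{ Scope = $Hive; Type = $type; Level = $level
                                   Rule = $text; Algorithm = $alg; Description = $p.Description }
            }
        }
    }
}

# A Disallowed default with Unrestricted path rules is the allow-list shape;
# an Unrestricted default with a few Disallowed paths only blocks those locations.
Get-SrpRules HKLM | Format-Table -AutoSize
Get-SrpRules HKCU | Format-Table -AutoSize
```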
________________________________________
Asked: Is it possible to define a new policy? What would be a procedure for that?
Answered: New policy or GPO? GPOs are created in the Group Policy Object container using a tool like GPMC.
________________________________________
Asked: While an end user is logging on, is the entire LGPO processed by default, or can I configure it to process only the configured policies?
Answered: No. It has to process the whole LGPO to find the settings. No way around that.
________________________________________
Asked: Is there a downloadable beta of the Vista OS available yet?
Answered: It's on connect.microsoft.com but access is only for Beta participants. See http://www.microsoft.com/technet/prodtechnol/beta/preregister.mspx for registration. It is also in the TechNet Plus subscription.
________________________________________
Asked: So basically, with UAC, the default admin profile still runs as a limited user until prompted for consent if it needs higher privilege, like for software installation?
Answered: No, it doesn't run as a limited user; it just prompts you whenever you're an administrator and are performing a task that requires admin capability.
________________________________________
Asked: New policy, not GPO. Also how I should add the policy enforcer?
Answered: To deploy security policy templates to other systems, you would add them as Group Policy Objects under the Computer Configuration for the appropriate Site, Domain, or OU.
________________________________________
Asked: Not to drag this out, but then what's the reason for the consent for higher privilege when one wants to install a program? Also, does Vista support autologon or not? Thx
Answered: When you want to perform an administrative task, like installing a new program, Windows Vista prompts you to verify that you want to install the program before allowing that administrative task to run. This way, the use of administrator privileges is minimized, making it more difficult for malware, such as viruses, worms, spyware, and other potentially unwanted software, to have machine-wide impact on your PC.
________________________________________
Asked: Can we block exes from running off USB devices?
Answered: Yes, there is a policy that can be implemented to prevent the use of removable USB devices.
________________________________________
Asked: Are the device numbers specific to that particular mouse or to a class of mice?
Answered: Yes, so be careful. It was just an example to demo a point.
________________________________________
Asked: An hour and a half just isn't enough to cover this subject. Is there a part 2 of this meeting or additional presentations scheduled that cover Group Policy in Windows Vista that I can attend?
Answered: We'll have lots of webcasts and screencasts over the next few months and years.
________________________________________
Asked: Doesn't QoS only become useful when your network is at 100% capacity? That is, if you're not at 100% bandwidth, then QoS has no effect; everything is getting through.
Answered: Not necessarily so. Imagine if you had a 1.5 Mb line and only half of it is in use. At 5 p.m. you have an app that will use 1 Mb to transfer daily sales, inventory, and reports information. You can use QoS to ensure the traffic you want to get through will get through.
________________________________________
Asked: Will QoS be included in the Vista Home and Premium OS editions?
Answered: The entire documented feature set and versions will be published in the Book of Windows Vista due out in Beta 2 in .doc and .xps form.
________________________________________
Asked: Does QoS require switches that understand AD or does the Vista client just manage its own traffic (i.e. no control over all packets)?
Answered: Check this link; it tells you exactly what you need to know regarding QoS: http://www.microsoft.com/technet/community/columns/cableguy/cg0306.mspx#EJB
________________________________________
Asked: Can IE settings be done by IP Address ranges, or are they still restricted to URLs when pushing out the policies?
Answered: GPO settings are normally applied to machines in an OU. Is that how you are applying settings?
________________________________________