Windows Vista and its Group Policies

Microsoft Windows Vista comes with a complete new way of implementing Group Policy settings, a new lay-out for Group Policy settings and even complete new Group Policy settings. Windows Server "Longhorn" adds even more bling to your Group Policies!


The new settings

Microsoft Windows Vista will contain around 3,000 Group Policy settings in contrast with Microsoft Windows XP which contains between 1,200 and 1,500 settings. On Technet Microsoft officially unveiled the new features of Group Policies in Microsoft Windows Vista and categorized them into the following fields of management:

  • Power Management Settings
  • Blocking Device Installation
  • Improvements to Security Settings
  • Expanded Internet Explorer Settings Management
  • Assigning Printers Based on Location
  • Delegating Printer Driver Installation to Users

In my opinion Microsoft tackled a lot of problems that needed tackling. In my post about Deploying Printers with Group Policy I cursed at the new feature in Microsoft Windows Server 2003 R2 because it lacks a lot of features. The information Microsoft released indicates these features got added and some problems addressed. Built-In features like the BitLocker functionality and the device installation blocking might prove to be new reasons to charge Microsoft like we've seen with Media Player.

You can find more detailed information on this page on Technet, which contains an elaborate table. If that's not geeky enough for you, you can also feast your eyes on the Microsoft Excel sheet within the Group Policy Settings Reference for Windows Vista Beta 2 which contains 2450 of the new Group Policy settings.


The new lay-out

ADMX and ADM files

Microsoft introduces a new XML based format for the administrative template files, called ADMX files in contrast with the ADM files we are using nowadays. With XML as the magic word we're introduced to some nice features with names like "true multilingual support" (based on Operating System language) and "strong versioning". Microsoft furthermore ensures us the new Group Policy Management Console (which will come standard with Windows Server "Longhorn") will be your link between your new ADMX and your old ADM world, which ensures interoperability with earlier platforms for administering Group Policy Objects (GPO's) like Microsoft Windows 2000. The only downside is that we we will only be able to administer Group Policy settings for Microsoft Windows Vista and Windows Server "Longhorn" from within these Operating Systems.

ADMX and ADML files

Multilingual policies are made possible by dividing Administrative Templates into language neutral administrative templates (ADMX files) and language specific administrative templates (ADML files). You can find the latter in a subfolder of your policyDefinitions folder.


The new way of implementing

The new server way of doing things

Have you ever noticed your Group Policy Objects (GPO's) are about 4 MB in size? This is because when you created the new GPO it got loaded with all your default Administrative Template files (ADM files) In Microsoft Windows Vista and Microsoft Windows Server "Longhorn" this amateurish way of is set aside and replaced with a centrally available store with new ADMX files in a new folder in the Sysvol folder (called sysvol\domain\policies\PolicyDefinitions) and Group Policy Objects (GPO's) linking to this central location. Using DFS Replication (DFS-R) for (bit level) replication Group Policy Objects (GPO's) between servers instead of FRS replication further adds efficiency to GPO replication. This is something I'm very much looking forward to because of my splendid experiences with the changes in DFS in Microsoft Windows Server 2003 R2.

The new client way of doing things

Microsoft Windows Vista comes with a Group Policy Service, where Microsoft Windows 2000 and Windows XP had the Group Policy functionality built into the Winlogon process. This is in accordance with the granular build-up of Microsoft Vista and adds better event logging (in the System Log, instead of the Application Log, just like the other services) and lower memory usage.

Another great improvement is the ability to set multiple Local Group Policy Objects (GPO's). Although not very useful in enterprise environments because of the many ways of utilizing Organizational Units, "No Override" options, Loopback processing and WMI filtering it is very useful in situations where there's no Active Directory (Yes! they do exist…), Kiosk situations, disconnected laptops and of course the inevitable home PC used by you and your wife but also possibly misused by your children… I doubt you will even use this new feature on disconnected laptops, because the new way the Group Policy handles background refreshes using Network Location Awareness (NLA) technologies is something that made me gasping for air; it's an enormous improvement!



Group Policies are a Windows Systems Administrator's best friend ever since they were introduced with Microsoft Windows 2000. With Microsoft Windows Vista and the new format, the new store, the new service and almost double the settings we're entering a new era of Group Policy administration and joy. I can't hardly wait!

Further reading

Microsoft Windows Vista Homepage
What's New in Group Policy in Windows Vista and Windows Server "Longhorn" (Technet)
Selected Scenarios for Managing Desktops with Windows Vista (Technet)
An Inside Look at Group Policy in Windows Vista (WindowsDevCenter)
Windows Vista doubles Group Policy's potential
Group Policy Changes in Vista (WindowsSecurity)
Windows Vista Beta 2 Managing Group Policy ADMX Files Step-by-Step Guide
Beta 2 Group Policy Updates (The User Account Control WebLog)
Group Policy Settings Reference for Windows Vista Beta 2
Group Policy in Windows Vista… (Scarbone on MSDN Blogs)
New and Udated Group Policy in Windows "Longhorn" (Windows Server Division WebLog) on Managing Group Policy ADMX Files in Longhorn Server on Managing Windows Vista Group Policy

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.