New security policies. Vista and Server 2008
add quite a few new security policy capabilities
to the mix. Several are highlighted here:
• Wired and Wireless Policy—New for Vista
and Server 2008 is the support for setting
wired network security policy. Wired policy
applies to Ethernet network links and lets
you enforce 802.1x usage on those links
for machines on your network. Wireless
policy updates the policy supported in XP
and provides new support for enhanced
encryption schemes, such as Wi-Fi Protected
Access 2 (WPA2), as well as the ability
to explicitly deny or allow access to certain
Service Set Identifiers (SSIDs). (Note that
some of these capabilities are available only
to Vista and Server 2008 systems.) Find the
Wired and Wireless Policy in Group Policy
under Computer Configuration\Windows
Settings\Security Settings.
• Windows Firewall with Advanced Security—
This new area within Group Policy is
actually a redesign of two previously supported
policy areas—IPsec and Windows
Firewall. The new UI makes it simpler for
you to define Windows Firewall exceptions
as well as implement IPsec filtering on your
network. Older IPsec and Windows Firewall
policy settings are still available for backward
compatibility, but you should use this
new Group Policy area to control network
security on your Vista and Server 2008
devices. Find this capability in Group Policy
under Computer Configuration\Windows
Settings\Security Settings.
• Network Access Protection (NAP)—This
policy area supports the new NAP features
in Server 2008 and lets you use Group
Policy to configure client NAP behavior on
your network. Find this capability in Group
Policy under Computer Configuration\Windows
Settings\Security Settings.
Device restrictions. Device restriction support,
and the ability to manage it via Group
Policy, is probably one of the more compelling
features for deploying Vista. The Device
Restrictions policy in GPE lets you control
access to any number of removable storage
devices. Not only can you control which
devices can be used, but you can also specify
whether a user can read from or write to a removable
device. Figure 4 shows the options that
are available for this policy area. You can set
this policy either per-computer or per-user, and you can
find it under Computer (or User) Configuration\Administrative
Templates\System\Removable Storage Access.
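
To confirm that a Removable Storage Access policy actually reached a machine, you can read back what it wrote. The script below is an added example, not from the original article. It assumes the template stores its settings under Software\Policies\Microsoft\Windows\RemovableStorageDevices, in HKLM for per-computer and HKCU for per-user policy, with one subkey per device-class GUID holding Deny_Read and Deny_Write values.

```powershell
# Added example: report the Removable Storage Access policy in effect locally.
# Assumption: settings live under the policy key below, one subkey per
# device-class GUID, with DWORD values Deny_Read / Deny_Write (1 = deny)
# and an optional Deny_All on the parent key.
$base = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$classes = [ordered]@{
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy drives'
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable disks'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape drives'
}

function Get-PolicyFlag($Path, $Name) {
    # True only when the value exists and equals 1; a missing key or value
    # means the setting is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return [bool]($item -and $item.$Name -eq 1)
}

$scopes = @(@{ Hive = 'HKLM:'; Label = 'Computer' },
            @{ Hive = 'HKCU:'; Label = 'User' })

$report = foreach ($scope in $scopes) {
    $root    = Join-Path $scope.Hive $base
    $denyAll = Get-PolicyFlag $root 'Deny_All'
    foreach ($guid in $classes.Keys) {
        $key = Join-Path $root $guid
        [pscustomobject]@{
            Scope     = $scope.Label
            Class     = $classes[$guid]
            DenyRead  = $denyAll -or (Get-PolicyFlag $key 'Deny_Read')
            DenyWrite = $denyAll -or (Get-PolicyFlag $key 'Deny_Write')
        }
    }
}
$report | Format-Table -AutoSize

# Treat a class as restricted if either scope denies it, then warn about
# any class that no scope blocks writes to.
$report | Group-Object Class | ForEach-Object {
    if (-not ($_.Group.DenyWrite -contains $true)) {
        Write-Warning "No policy blocks writes to: $($_.Name)"
    }
}
```

Run it in the context of the user being checked so that the HKCU rows reflect that user's policy.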
GPMC Changes in Server 2008
There are a number of new
GPMC changes coming in
Server 2008. You’ll be able to
search through Administrative
Template settings within
GPOs for, among other criteria,
all enabled or disabled policies with a
certain keyword in the policy, for Explain Text,
for the Supported OS tag, or for whether the
policy is managed or is a “preference.” You can
also use search filters to filter the view of settings
that appear in GPE.
The ability to create per-GPO and per-setting
comments is also new. Those comments
are stored with the GPO and provide a way for
you to let others know what a particular GPO
or setting is used for.
Now you’ll have the ability to provide new
Starter GPOs. Starter GPOs are really collections
of Administrative Template settings that
you can apply to live GPOs. Starter GPOs let
you create, for example, a group of Administrative
Template settings for desktop lockdown
that you can re-use whenever you create a
new desktop lockdown GPO. Note that Starter
GPOs support only Administrative Template
policy but provide a quasi-offline capability
for defining GPO settings that aren’t immediately
live. You can also include Starter GPOs
in Resultant Set of Policy (RSoP) modeling
calculations so that you can see the impact that
applying a Starter GPO to an existing live GPO
has on your users and computers.
Microsoft added a very important set of new
policy capabilities called Group Policy preferences
in time for the release of Server 2008.
Group Policy preferences is the name given
to the former DesktopStandard PolicyMaker
Standard Edition and PolicyMaker Share Manager
products that Microsoft acquired in 2006.
These new Group Policy extensions supply
the missing link for providing coverage of
almost every desktop and server configuration
scenario imaginable. Group Policy preferences
supports clients from XP forward and adds
new Group Policy features such as support
for mapped drives (without having to write
scripts), distribution of shortcuts, power management,
device restrictions, and local user
and group management, to name just a few.
Time to Upgrade?
Overall, Vista and Server 2008 add some truly
compelling features to the manageability and
capability of Group Policy as the configuration
management technology for Windows. Finally,
you can map printers, manage power settings,
and control removable storage access natively
in Windows. These are all features that used to
require third-party products to manage. The
catch, of course, is that you need to upgrade
your clients to Vista to take advantage of some
of these desktop features. Even so, Group Policy
still doesn’t provide all of the features you
need. For example, you still need to purchase
a product like Microsoft’s Advanced Group
Policy Management in order to get change
management for your Group Policy environment,
and Group Policy still has no built-in
enterprise reporting capability.
That said, if you are looking for justification
to upgrade, the cost savings and risk mitigation
that the many new features provide might be
enough. In any case, these new features show
that Microsoft is committed to making Group
Policy an important part of your Windows
management toolset.