Managing Group Policy in Windows Vista

Hi, my name is Bob Newhouse and I will be discussing managing Group Policy with Windows Vista. To start, we have added approximately 700 new Group Policy settings in Windows Vista and Windows Server 2008, increasing the granularity of what you can control with Group Policy. For a complete listing of the Windows Server 2008 Group Policy settings, see Microsoft's Group Policy settings in Windows 2008.

Group Policy no longer runs inside the Winlogon process; it now has its own service. We no longer rely on Userenv debug logging to gather information. In Windows Server 2008 and Vista, Group Policy runs inside an svchost process, and Group Policy events now appear in a separate Group Policy operational log found under Application and Service Logs\Microsoft\Windows\Group Policy in Event Viewer. The operational log provides a centralized location for Group Policy events, which makes it somewhat easier to diagnose a Group Policy problem.

One of the biggest features of Vista is the ability to process multiple local Group Policy objects. In earlier versions of Windows, a local Group Policy applied to anyone who logged onto the client machine, which meant jumping through hoops to stop it from applying to Administrators and other users you did not want it to affect. With multiple local Group Policy objects, you can create a policy and apply it to the local computer (everyone is affected), to the Administrators or Non-Administrators group, or to an individual user on the local machine or a remote machine. Windows applies the Local Group Policy object first, then the Administrators or Non-Administrators Local Group Policy object, and finally the user-specific Local Group Policy object. This feature is a significant improvement for applying Group Policy without affecting everyone who logs on. For conflict resolution, the last writer wins: if you make the same change in the computer policy and in a user policy, the user setting takes effect.

To use this feature:

  1. Start an MMC console.
  2. Add a Snapin.
  3. Select the Group Policy Object Editor.
  4. For the Local machine you can click Finish.
  5. For a User or Group select Browse.
  6. Click on the User Tab or Computer tab (depending on what settings you are editing).
  7. Highlight the User, the Administrators or Non-Administrators group, or the Computer you want to apply the policy to.
  8. Click OK, then Finish, then OK.
  9. Modify the group policy as needed.
  10. Run gpupdate /force.
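As an added example (not from the original post), the following PowerShell snippet inventories the three layers of local Group Policy objects on a machine and pulls recent warnings and errors from the Group Policy operational log described above. It assumes the on-disk layout of per-group and per-user LGPOs under %SystemRoot%\System32\GroupPolicyUsers\<SID>, which the post does not mention, and Get-WinEvent from PowerShell 2.0 or later.

```powershell
# Added example, not from the original post: list the multiple local Group Policy
# objects present on this machine and show recent warnings/errors from the
# Group Policy operational log. Assumes PowerShell 2.0 or later (Get-WinEvent)
# and the on-disk layout of per-group/per-user LGPOs under GroupPolicyUsers.

# Well-known SIDs behind the Administrators / Non-Administrators LGPO layers.
$layerNames = @{
    'S-1-5-32-544' = 'Administrators LGPO'
    'S-1-5-32-545' = 'Non-Administrators (Users) LGPO'
}

# Layer 1: the Local Computer GPO (applies to everyone who logs on).
$computerGpo = Join-Path $env:SystemRoot 'System32\GroupPolicy'
if (Test-Path (Join-Path $computerGpo 'gpt.ini')) {
    Write-Output "Local Computer GPO: $computerGpo"
}

# Layers 2 and 3: group-specific and user-specific LGPOs, one folder per SID.
$userRoot = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'
if (Test-Path $userRoot) {
    Get-ChildItem -Path $userRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $sid = $_.Name
        if ($layerNames.ContainsKey($sid)) {
            $label = $layerNames[$sid]
        } else {
            # A user-specific LGPO; translate the SID to an account name if possible.
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
                $label = "User-specific LGPO for $account"
            } catch {
                $label = "User-specific LGPO for unresolved SID $sid"
            }
        }
        Write-Output "$label : $($_.FullName)"
    }
}

# Recent warnings and errors from the Group Policy operational log
# (Application and Service Logs\Microsoft\Windows\Group Policy\Operational).
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |   # 1 = Critical, 2 = Error, 3 = Warning
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Reading the operational log requires membership in Administrators or Event Log Readers; run the snippet from an elevated prompt if the log query returns nothing.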

In a domain environment, we still apply local Group Policy (following the local Group Policy rules above), then site Group Policy, domain Group Policy, and OU Group Policy. You can find a Step-by-Step Guide to Managing Multiple Local Group Policy Objects here. It has some different scenarios that you might like to test out before implementing.

GPMC was included with Vista when it first released but will be removed with SP1. After SP1 it will be available as a separate download.

References:
Vista Group Policy FAQ
What's New in Group Policy in Windows Vista
Windows Vista Management and Operations