Best Answer

It is not like Windows XP Professional Service Pack 2 added enough settings to Group Policy, Vista is coming in with even more new settings to Group Policy. There will be approximately 2400 possible settings in a Group Policy Object that is created for a Windows Vista computer. This only adds about 800 settings, which is adding ½ again as many settings compared to Windows XP Service Pack 2. Many of the settings are being added in a response to customer response, while others are there to support new features that will be included in Vista. Some of the more important additions include those listed under the following areas.

Power Management

By far the number one area of configuration that people have wanted since the advent of Group Policy is the ability to control Power Management. Finally, Microsoft has added this capability in Windows Vista. The reasons for controlling power can provide an immediate impact for companies, since both Microsoft and the EPA have tested and reported that you can save over $50 per computer, per year by establishing power management settings on desktops. The idea is simple: there is no reason to have the computer in a full power state when the end user is not even at work. Before Vista, companies had to look at products from DesktopStandard and Full Armor to control power for Windows 2000 and XP.

Device Installation Controls

Most IT professionals that work in the area of security for their company are very concerned about removable media devices. These devices pose a looming threat to the desktop and the network as a whole. Without control over the installation and use of these devices, users can introduce viruses, worms, and other malicious applications using these media. Vista will include settings that will allow control over the installation and use of USB drives, CD-RW, DVD-RW, and other removable media.

Security Settings

In Vista, Microsoft has joined two security related technologies together: Firewall and IPSec. This makes a lot of sense to protect computers using IPSec within the firewall. Protection can be gained for server-to-server communications over the internet, controlling which resources a computer can access on the network based on the computer health, and resource access based on some regulatory requirement. As these security settings are important to every computer, it only makes logical sense that there are settings for them in Group Policy.

Printer Assignment Based on Location

Printer management is a nightmare for almost every company and network admin. With most companies using a brigade of laptop computers, printer management has become even more complex as the users move from building to building or campus to campus. Vista solves this issue by allowing printers to be configured based on the current Active Directory site the computer belongs to. Since Active Directory sites typically map out the geographical or physical network topology, it creates a perfect solution for delivering printers as laptop users. Before Vista, companies had to look at products from DesktopStandard and Full Armor to control printers for Windows 2000 and XP.

Redesign of ADM Templates

If you administer Group Policy for your company, you have most likely come face-to-face with an ADM template. These ADM templates were first introduced with Windows NT4 using markup language to define and implement changes to the Registry. As Group Policy was introduced, the concept of the ADM template did not change, although some new capabilities did come along. ADM templates provide a needed method to alter Registry values, but have their problems, including:

• ADM bloat caused by the duplication of ADM templates in every GPO
• ADM template version mismatches, many times caused by the introduction of a service pack into the environment on one or more computers
• Confusing "policies" or "preferences" settings, depending on which portion of the Registry is being modified
• Inability to control multi-string or binary Registry values

Microsoft knows that ADM templates are really a stopgap for your Registry "hacking" needs, but they had done a good job until Vista. With Vista, the majority of these issues are solved by the conversion of ADM templates into a new XML-based format, as well as the introduction of a repository for the templates. The new XML-based formatted files will be called ADMX files, allowing for different languages to be addressed in a single file. The ADMX files will also take the large, bulky ADM templates and chop them up into smaller, more manageable ADMX files.

One of my favorite features of Vista is the introduction of the ADMX central store. This will provide a centralized method for updating, storing, and managing ADMX files. ADMX files will no longer need to be stored in each GPO. Instead, each GPO will look to the central store for the ADMX files. This will save space on domain controllers and will allow for easier management of these files.

Network Location Awareness

Group Policy and the application of the settings in Group Policy Objects rely heavily on the availability of the network, as well as the connection speed of the network. Vista takes a new approach to network awareness, allowing faster boot times and more reliable application of policy. The following areas of network awareness are tackled in Windows Vista:

• When a computer is booting, the time that is spent trying to apply policy even though the network is not yet available can be daunting. Vista will provide indicators to Group Policy application as to whether the NIC is enabled or disabled, as well as indications as to when the network is available.
• Vista will introduce the ability for a client to detect when a domain controller is available or when one becomes available again after a period of being offline. This is ideal for remote access connections, such as dial-up and VPNs.
• There will no longer be a reliance on ICMP (PING) for determining the connection speed to the computer. This was needed for slow network connections, but if ICMP was disabled for security reasons, the computer would reject the PING request, causing Group Policy application to fail. Now network location awareness handles the bandwidth determination, allowing policy refresh to succeed.


Wiki User

13y ago
Q: Name a few differences in Vista GPOs and XP GPOs?
Related questions

When dealing with multiple GPOs, which GPO will take precedence on a Windows Vista computer?

User specific GPO


In what order does Windows Server 2003 process Gpos?

Local GPOs, Site GPOs, Domain GPOs, Organizational unit GPOs. Solution: Server 2003 processes the local group policy object (GPO) first, followed by the site, domain, and applicable organizational units (OUs). The client requests a GPO list from the domain controller (DC) and then processes that list to apply the policies contained in the GPO(s). The client processes the GPOs according to the priority in the DC-supplied list. Windows Server 2003 processes GPOs at startup and logon and also when the GPO refresh period is reached, which by default is 90 minutes.


When dealing with multiple GPOs that apply to a user, which one will take precedence on a Windows Vista computer?

User-specific GPO


When dealing with multiple GPOs that apply to a user which one will take precedence on a Windows Vista computer?

D: User-specific GPO


What interval are GPOs updated on domain controllers?

5 Min.


What is the name of the method which Active Directory uses to determine which of conflicting settings in different GPOs is applied?

Last writer wins


What GPOs do not support folder redirection or Group Policy software installation?

local


What acronym describes the order in which GPOs are applied?

LSDOU - Local Site Domain Organizational Unit


What would you use to prevent GPOs linked to parent containers from affecting child containers?

Inheritance blocking


What is the order in which GPOs are applied?

Local, Site, Domain, OU

Group Policy settings are processed in the following order:

1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
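
The processing order described in the answer above can be modelled in a few lines. This is an added example, not part of the original answer or any Microsoft tool: it computes which GPO wins each setting under the Local, Site, Domain, OU rule with link order applied at each level. The `Link` type, GPO names and setting names are constructed for illustration, and Enforced links, Block Inheritance and security filtering are not modelled.

```python
from dataclasses import dataclass

# Fixed levels in processing order; OUs on the object's path follow them.
LEVELS = ["local", "site", "domain"]

@dataclass
class Link:
    gpo: str         # GPO name (constructed sample names below)
    container: str   # "local", "site", "domain", or an OU name
    link_order: int  # position on the Linked Group Policy Objects tab
    settings: dict   # setting name -> configured value

def processing_order(links, ou_path):
    """Return the links in the order they are processed.
    ou_path runs from the highest OU in the hierarchy down to the OU that
    directly contains the user or computer. Links on other OUs are ignored.
    """
    ordered = []
    for container in LEVELS + list(ou_path):
        here = [l for l in links if l.container == container]
        # Lowest link order is processed last, so sort descending.
        ordered.extend(sorted(here, key=lambda l: l.link_order, reverse=True))
    return ordered

def resultant_settings(links, ou_path):
    """Apply links in order; return {setting: (value, winning GPO)}."""
    result = {}
    for link in processing_order(links, ou_path):
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)  # on conflict the later write wins
    return result

# Constructed sample data, not taken from any real domain.
SAMPLE_OU_PATH = ["Workstations", "Finance"]
SAMPLE_LINKS = [
    Link("Local Policy", "local", 1, {"ScreenSaverTimeout": 900}),
    Link("Site-HQ Printers", "site", 1, {"DefaultPrinter": "HQ-Floor2"}),
    Link("Domain Baseline", "domain", 1,
         {"MinPasswordLength": 12, "ScreenSaverTimeout": 600}),
    Link("Domain Legacy", "domain", 2, {"MinPasswordLength": 8}),
    Link("Workstations Media", "Workstations", 1, {"RemovableStorage": "Deny"}),
    Link("Finance Lockdown", "Finance", 1, {"ScreenSaverTimeout": 300}),
    Link("Sales Kiosk", "Sales", 1, {"ScreenSaverTimeout": 60}),  # not on path
]

if __name__ == "__main__":
    rsop = resultant_settings(SAMPLE_LINKS, SAMPLE_OU_PATH)
    for name, (value, gpo) in sorted(rsop.items()):
        print(f"{name:20} = {value!s:10} (from {gpo})")
```

In the sample, the weaker password length in "Domain Legacy" loses to "Domain Baseline" because link order 1 is processed last, and the non-conflicting printer and removable-storage settings are simply aggregated.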


What are the two default GPOs that are created when Active Directory is installed?

Default Domain Policy and Default Domain Controller Policy


Name a few benefits of using GPMC?

Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:

• Easy administration of all GPOs across the entire Active Directory Forest
• View of all GPOs in one single list
• Reporting of GPO settings, security, filters, delegation, etc.
• Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
• Delegation model
• Backup and restore of GPOs
• Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:

• Role based delegation of GPO management
• Being edited in production, potentially causing damage to desktops and servers
• Forgetting to back up a GPO after it has been modified
• Change management of each modification to every GPO