Detailed description of Windows Vista group policies

Source: Internet
Author: User

Following the steps in the preceding part, how is Group Policy deployed for Windows Vista? This article continues the introduction to Windows Vista Group Policy.

Common Group Policy scenarios (the link may be an English webpage)

This package contains a series of Group Policy objects (GPOs) that implement common desktop scenarios, including lightly managed, mobile and kiosk desktops, among others.

GPMC script

GPMC includes a set of scripting interfaces for automating many common GPO management tasks. These interfaces can be used to manage the Group Policy environment, including generating reports of GPO settings, creating and copying GPOs, and finding unlinked GPOs. Windows Vista does not ship any of these scripts. For more information about GPMC scripts, see http://go.microsoft.com/fwlink/?LinkId=31191 (may be an English webpage).

Multi-language problems

In Windows Vista, Administrative Template settings are split into language-neutral files (.admx files, available to all Group Policy administrators) and language-specific resource files (.adml files). These files allow the Group Policy tools to adjust their user interface to the language configured by the administrator. A new language is added to a set of policy definitions simply by providing the resource files for that language.

For example, a Group Policy administrator creates a Group Policy object (GPO) from a Windows Vista management workstation configured for English. The administrator saves the GPO and links it to a domain that spans geographical boundaries. A colleague in Paris uses GPMC to browse the same domain and selects the GPO that was created in English; she can view and edit its policy settings in French. The administrator who originally created the GPO can still view all settings, including the changes made by the French-speaking administrator, in English.
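As an added example (not from the original article), the following Python parser resolves the $(string.id) references of a language-neutral .admx file against two constructed .adml string tables, one English and one French, to show how the same policy and the same registry key are displayed in each language. The policy, category and strings are invented for this example.

```python
"""Resolve a language-neutral .admx against a language-specific .adml string
table, as the Vista policy editor does. Added example; documents are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"pd": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}
STRING_REF = re.compile(r"^\$\(string\.(\w+)\)$")  # $(string.Id) indirection

# Constructed .admx: the policy carries only string references, no display text.
ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0"
  xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces><target prefix="ex" namespace="Example.Policies"/></policyNamespaces>
  <resources minRequiredRevision="1.0"/>
  <categories><category name="ExampleCat" displayName="$(string.ExampleCat)"/></categories>
  <policies>
    <policy name="NoWindowAnimation" class="User"
      displayName="$(string.NoWindowAnimation)"
      explainText="$(string.NoWindowAnimation_Help)"
      key="Software\Policies\Example\DWM" valueName="DisallowAnimations">
      <parentCategory ref="ExampleCat"/>
      <supportedOn ref="windows:SUPPORTED_WindowsVista"/>
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
  </policies>
</policyDefinitions>"""

def adml(cat, policy, help_text):   # constructed .adml for one language
    return f"""<policyDefinitionResources revision="1.0" schemaVersion="1.0"
  xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Example</displayName><description/>
  <resources><stringTable>
    <string id="ExampleCat">{cat}</string>
    <string id="NoWindowAnimation">{policy}</string>
    <string id="NoWindowAnimation_Help">{help_text}</string>
  </stringTable></resources>
</policyDefinitionResources>"""

ADML_EN = adml("Example Desktop Settings", "Do not allow window animations",
               "Controls whether windows animate when restored, minimized or maximized.")
ADML_FR = adml("Paramètres du bureau exemple", "Ne pas autoriser les animations de fenêtre",
               "Contrôle l'animation des fenêtres lors de la restauration ou de la réduction.")

def load_string_table(adml_xml):
    """Map string ids to text from an .adml <stringTable>."""
    root = ET.fromstring(adml_xml)
    return {s.get("id"): (s.text or "").strip()
            for s in root.iterfind(".//pd:stringTable/pd:string", NS)}

def resolve(ref, table):
    """Expand a $(string.id) reference; literal text passes through unchanged."""
    m = STRING_REF.match(ref or "")
    if not m:
        return ref
    if m.group(1) not in table:   # this language's .adml is incomplete
        raise KeyError(f"ADML lacks string id {m.group(1)!r}")
    return table[m.group(1)]

def describe_policies(admx_xml, adml_xml):
    """UI view of each policy in the language of adml_xml; the registry
    key/value come from the .admx and are identical in every language."""
    table = load_string_table(adml_xml)
    root = ET.fromstring(admx_xml)
    cats = {c.get("name"): resolve(c.get("displayName"), table)
            for c in root.iterfind(".//pd:categories/pd:category", NS)}
    result = []
    for p in root.iterfind(".//pd:policies/pd:policy", NS):
        parent = p.find("pd:parentCategory", NS)
        result.append({"name": p.get("name"), "class": p.get("class"),
                       "category": cats.get(parent.get("ref")) if parent is not None else None,
                       "displayName": resolve(p.get("displayName"), table),
                       "explainText": resolve(p.get("explainText"), table),
                       "registry": (p.get("key"), p.get("valueName"))})
    return result
```

Calling describe_policies(ADMX, ADML_EN) and describe_policies(ADMX, ADML_FR) yields the same registry target with English and French display text respectively; a missing string id in a language's .adml raises KeyError.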

Group Policy Changes after migration or upgrade to Windows Vista

After migration or upgrade to Windows Vista, Group Policy is reapplied as if on a new installation. For clients in a Windows domain, applying Group Policy is the same as when the computer joins the domain or a user logs on for the first time. When Group Policy is applied for the first time in a domain, each extension either migrates its policy settings or reapplies them. After the upgrade, the Group Policy engine processes policy settings as on a new installation, regenerates all RSoP data and resets all cached values. The following table gives details of the upgrade or migration behaviour of each component.

Group Policy engine

Does not migrate data.

RSoP

After the upgrade, RSoP data does not need to be migrated, because all policy settings are reapplied at the first restart.

Local GPO

Upgrade: migrate the local GPO, the group MLGPOs and the user MLGPOs. Note that MLGPO data is migrated when upgrading between different SKUs of Windows Vista.

Migration: migrate the local GPO and the group MLGPOs.

Client-side extensions

Client-side extensions keep their registration data in the registry. The extension registry entries are located under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.

Note that each client-side extension upgrades its own information.

ADM templates

The ADM files previously provided are replaced with ADMX files.

Custom ADM files are retained during the upgrade.

Migrate all policy settings and values under the Software\Policies registry key.

Do not migrate preferences.

Reapply all policy settings from the domain at the first restart or first logon after the upgrade.

Automatically migrate all applications installed through Group Policy.

Automatically migrate all files under %windir%\system32\appmgmt.

Migrate all of the following registry keys and values:

HKLM and HKCU: Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Appmgmt

The "appmgmtdebuglevel" value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics

GPMC and GPEdit

The previous version of GPMC is removed.

The scripts folder is kept after the upgrade, including any GPMC scripts installed with previous versions of GPMC.

The following GPMC configuration data is migrated:

Information stored directly in the console file (.msc), such as the last connected domain or forest.

Registry keys and preferences (backup folder location, ADM file options, and so on).

For GPEdit, any first-run items, such as the default GPO name, are migrated.

No migration.

Note:

For a list of the registry items moved during migration, see Appendix B.

Verifying Group Policy settings: Resultant Set of Policy (RSoP)

All Group Policy processing information is collected and stored in the Common Information Model Object Manager (CIMOM) database on the local computer. This information, such as the list of GPOs, their contents and a detailed processing record for each GPO, can then be accessed with Windows Management Instrumentation (WMI) tools.

In logging mode (Group Policy Results), Resultant Set of Policy (RSoP) queries the CIMOM database on the target computer, receives the policy information and displays it in GPMC. In planning mode (Group Policy Modeling), RSoP uses the Group Policy Directory Access Service (GPDAS) to simulate the application of policy on a domain controller. GPDAS simulates the application of GPOs and passes them to virtual client-side extensions on the domain controller. The simulation results are stored in the local CIMOM database on the domain controller before the information is returned and displayed in GPMC.

Using RSoP from GPMC

In an Active Directory environment, administrators use GPMC to manage Group Policy. GPMC gives administrators a consistent view of the Group Policy environment on the network, including the GPOs, GPO links, sites, domains and organizational units (OUs) in the selected forest. With GPMC, administrators can perform any management task that was previously possible only through the Group Policy tab of the Active Directory management tools.

GPMC can also generate RSoP data that predicts the cumulative effect of GPOs on the network, or reports the cumulative effect of GPOs on a specific user or computer. In addition, administrators can use GPMC to perform GPO operations that were not previously possible, such as backing up and restoring GPOs, copying GPOs, and even migrating GPOs to other forests. WMI scripts can also be used to read GPO settings or to generate HTML or XML reports of them.

GPMC has some limitations: it cannot retrieve Multiple Local Group Policy objects (MLGPO) in RSoP, and GPMC reports do not display Windows Firewall with Advanced Security settings.

Verifying the currently effective policy settings

The Resultant Set of Policy (RSoP) snap-in is a Microsoft Management Console (MMC) tool. Administrators can use the RSoP snap-in to report the cumulative effect of the Group Policy objects in scope. Although the RSoP snap-in can both report on and plan the effects of Group Policy, much of its functionality is included in the Group Policy Management Console (GPMC), which gives network administrators a better experience. The RSoP snap-in has some limitations: it does not report all settings (for example, it does not report many of the new Windows Vista settings), and it cannot retrieve RSoP data from remote computers. Although the RSoP snap-in can still be used to collect RSoP data from third-party Group Policy extensions in Windows Vista, using this snap-in is not recommended.

When determining whether a policy applies to a user or computer, we recommend the GPMC reporting tools. However, GPMC cannot be used with MLGPO. Although GPMC reports are not available for MLGPO, this information can be viewed in the Group Policy operational log.

The main purpose of User Account Control (UAC) in Windows Vista is to reduce the exposure and attack surface of the operating system. UAC requires all users to run in standard user mode. This restriction minimizes the changes a user can make, which avoids the loss of computer stability caused by user changes and also limits the unintended damage that viruses and undetected malware can do to an infected computer.

With UAC, most applications, components and processes run with limited privileges. However, specific administrative tasks and application functions may require elevated privileges. Windows uses two access tokens for each user: a limited access token and an elevated access token. An access token identifies the user, the user's groups and the user's privileges. The system uses the access token to control access to securable objects and to control the user's ability to perform various system-related operations on the local computer.

Local administrators use the elevated token, which contains all administrative privileges in the enabled state. UAC requires a local administrator to use the elevated token only when performing system or administrative tasks. The limited token used by a local administrator contains all the administrative privileges, but they are disabled. This allows Windows to treat administrative users like standard users, while offering them the option of elevating their privileges.

By default, all users logging on to Windows Vista process Group Policy and logon scripts with their full token. However, they load the desktop and all subsequent processes with the limited user token. For a standard user, the limited token and the elevated token are the same in terms of privileges and groups, so processes started with either token can be viewed from the other. Windows allows this because no elevation of privilege is needed to view the processes started with the token.

Windows handles locally logged-on administrators in the same way. Group Policy and logon script processing use the elevated user token, while the desktop and all subsequent processes use the limited token. However, there is a privilege difference between the limited user token and the elevated user token. Therefore, Windows restricts the ability of processes started with the limited token to share information with those started with the elevated token.

UAC may prevent Group Policy logon scripts from working as expected. For example, a domain environment contains a Group Policy object with a logon script that maps a network drive. A non-administrator logs on to the domain from a Windows Vista computer. After Windows Vista loads the desktop, the non-administrator starts Windows Explorer and sees the mapped drive. In the same environment, an administrator logs on to the domain from a Windows Vista computer. After Windows Vista loads the desktop, the administrator starts Windows Explorer and does not see the mapped drive.

When an administrative user logs on, Windows processes the logon script with the elevated token. The script runs and maps the drive. However, Windows hides the mapped network drive from the desktop, because the drive was mapped under the elevated token while the desktop runs under the limited token.

To work around this problem, the administrative user must map the network drive under the limited user token. This is done with the launchapp.wsf script shown in Appendix A, which uses the Task Scheduler command to launch the logon script. The Task Scheduler launches the script under the full administrative token, allowing Windows Explorer, other limited-token processes and elevated-token processes to see the mapped network drive.

Configuring launchapp.wsf to defer execution of the logon script

1. Copy the logon script and the launchapp.wsf script to a shared network location.

2. Start the Group Policy Management Console (GPMC). In GPMC, right-click the GPO you want to modify and click Edit.

3. Under the User Configuration node, expand Windows Settings and click Scripts.

4. Right-click Logon and click Properties.

5. In the Logon Properties dialog box, click Add.

6. In the Script Name box, type launchapp.wsf.

7. In the Script Parameters box, type the full path and name of logon.bat.

In Windows Vista, Group Policy has been removed from the Winlogon process and runs as a separate service. The Group Policy client is responsible for applying the Group Policy settings that administrators configure for computers and users. In the Services snap-in, the options to start, stop, pause and resume the Group Policy Client are unavailable. This is because, if the client service were stopped or disabled, settings could not be applied and applications and components could not be managed through Group Policy. If the client service is stopped or disabled, any component or application that depends on Group Policy will not work properly.

Policy settings that require a restart or logon

The registry-based Group Policy settings in this section require a restart or a logon before they take effect when enabled. Each bulleted entry in this section gives the name of the Group Policy setting, followed by its function.

Logon

Do not allow window animations: this policy controls the display of window animations, such as those for restoring, minimizing and maximizing windows.

Do not allow desktop composition: this policy controls how certain graphics are rendered and enables other features, including Flip, Flip 3D and taskbar thumbnails.

Do not allow Flip3D invocation: this policy disables the 3D window switcher.

Specify a default color: this policy controls the default color of window frames when the user does not specify one.

Do not allow color changes: this policy controls the ability to change the color of window frames.

Verbose vs normal status messages: this policy directs the system to display highly detailed status messages.

Set action to take when logon hours expire: this policy controls the action taken when the logon hours of a logged-on user expire. The action can be locking the workstation, disconnecting the user or logging the user off.

Report when logon server was not available during user logon: this policy controls whether users are notified when the logon server could not be contacted during logon and they were logged on with previously stored account information.

Custom User Interface: this policy specifies an alternate user interface.

Turn off Tablet PC touch input: this policy turns off touch input, which lets the user interact with the computer using a finger.

Turn off Windows Defender: this policy turns off Windows Defender real-time protection, and no further scans are scheduled.

Turn off legacy remote shutdown interface: this policy controls the legacy (named-pipe) remote shutdown interface. The named-pipe remote shutdown interface is required in order to shut down this system remotely from a Windows Server 2003 or Windows XP system.

Windows Vista offers many advantages when roaming user profiles are combined with Folder Redirection. Redirecting user data to a central network location reduces the size of user profiles, makes user data available at all times, and improves logon and logoff performance because less data is transferred. Combining Folder Redirection with roaming user profiles also allows users to share roaming data between Windows Vista and Windows XP computers.

A computer running Windows Vista cannot read a roaming user profile created on Windows XP. This is a problem for users who have roaming user profiles but must roam between Windows Vista and Windows XP computers. Folder Redirection in Windows Vista solves this problem.

Folder Redirection can redirect all of the common folders provided with the Windows Vista user profile. This can be used to share folders in a Windows XP user profile with the corresponding folders in a Windows Vista profile. For example, Favorites can be shared between Windows Vista and Windows XP by redirecting Favorites in Windows Vista to the same location in the roaming user profile that Windows XP synchronizes.

Use scenario 3 in the following white paper to create one or more Folder Redirection policies that allow users to share roaming user data between Windows Vista and Windows XP. The share path in the white paper is the share path of the user's roaming user folder.

For additional information, visit http://go.microsoft.com/fwlink/?LinkId=73435 (may be an English webpage).

Network Access Protection and Network Location Awareness

Network Access Protection (NAP) is a policy enforcement platform for Windows Vista, Windows Server and Windows XP. It enforces compliance with system health requirements (for example, ensuring that a client has the latest operating system and antivirus updates installed) to better protect network assets. With NAP, you can create custom health policies to validate computer health before access or communication is allowed, automatically update compliant computers so that they remain compliant, and optionally confine non-compliant computers to a restricted network until they become compliant.

When a client computer attempts to access the network, it must present its system health status. If the client cannot prove that it complies with the system health policy, its network access is limited to a restricted network segment that contains server resources for remediating compliance issues. After the updates are installed, the client computer requests network access again. If it now complies, it is granted unrestricted access.

Remember that NAP is not a security solution. It is designed to keep computers with insecure configurations from connecting to the network, not to protect the network from attacks by malicious users with valid credentials and computers that meet the current health requirements.

On the client side, the Network Location Awareness (NLA) feature ensures that the system is notified when a connection to a domain controller is established, and the Group Policy service determines whether to apply policy settings in response to this event. However, NLA cannot detect the transition from an isolated environment, that is, a NAP quarantine network, to the corporate environment. Therefore, when a computer leaves the quarantine zone, NLA does not send a network notification to Group Policy.

Because NLA does not provide notification of a successful network connection after quarantine, the following workaround is available. The NAP component records an event in the event log. The administrator must write a script that detects this event and calls gpupdate, so that Group Policy is refreshed when the VPN connection succeeds.

With NLA, Windows Vista responds to network changes more quickly, instead of waiting up to 90 minutes until Group Policy is refreshed. If the previous policy application cycle was skipped or failed, Group Policy retries as soon as a network connection to a domain controller is available. This is an important improvement over previous versions of Group Policy, because it eliminates Group Policy's dependency on ICMP.

Managing Windows Vista with Group Policy

Windows Vista has many new features that can be managed through Group Policy, including power management, device installation and usage, and security settings. The following step-by-step guides help you configure these features.

Step-by-Step Guide to Windows Vista Print Management (may be an English webpage)

Step-by-Step Guide to Controlling Device Installation and Usage with Group Policy (may be an English webpage)

Step-by-Step Guide to Managing Group Policy ADMX Files (may be an English webpage)

The workbook referenced in the following link lists the computer and user policy settings included in the Administrative Template files (admx/adml) delivered with Windows Vista RC1. The policy settings in this workbook cover Windows Vista RC1, Microsoft Windows Server 2003, Windows XP Professional and Windows 2000. These files are used to expose policy settings when you edit a Group Policy object (GPO) with the Group Policy Object Editor, also known as GPEdit.

http://go.microsoft.com/fwlink/?LinkId=54020 (may be an English webpage)

Troubleshooting Group Policy

To troubleshoot Group Policy, you need to understand Group Policy and its supporting technologies, such as its interaction with the Microsoft Active Directory directory service and the File Replication Service (FRS), as well as the management, deployment and application of Group Policy objects. Once you understand these, you can use specific tools to help locate and solve the problem.

The basic architecture of Group Policy in Windows Vista has changed significantly. Group Policy processing no longer lives in the Winlogon process but runs as its own service. In addition, the Group Policy engine no longer relies on trace logging in userenv.dll, so there is no userenv log file.

Many Group Policy troubleshooting methods in earlier versions of Windows depend on logging enabled in the userenv.dll component. This creates a log file named userenv.log in the %WINDIR%\Debug\Usermode folder. The log file contains function-tracing statements used as supporting data. In addition, profile loading and unloading share this log file, which makes the log difficult to read. This log file, together with the Resultant Set of Policy MMC snap-in (RSoP MMC), was the primary way to diagnose and resolve Group Policy issues.

In Windows Vista, Group Policy is treated as a component with a new Group Policy service. This service is an independent service running in an Svchost process that reads and applies Group Policy. The new service includes changes to event reporting: Group Policy event messages previously shown in the Application log now appear in the System log. Event Viewer lists these new messages under the Microsoft-Windows-GroupPolicy event source. The Group Policy operational log replaces the previous userenv logging, and its events provide improved messages specific to Group Policy processing.
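As an added example that is not part of the article, the following Python script triages Microsoft-Windows-GroupPolicy operational-log events per processing cycle and returns the gpupdate command needed to retry a failed cycle, the same detect-an-event-then-call-gpupdate pattern that the NAP and NLA workaround above relies on. The log lines are constructed, and the event ids assumed here (4004/4005 start, 8004/8005 completion, 4016/5016/7016 extension start, success and failure, 5312 applied-GPO list) should be verified against your own Event Viewer.

```python
"""Triage Microsoft-Windows-GroupPolicy operational-log events per processing
cycle and decide whether a gpupdate retry is warranted. Added example; the log
is constructed in a flat "time|event_id|activity_id|message" form, and the
event ids assumed below should be checked against your own Event Viewer."""
import re

# Constructed sample: a computer cycle that succeeds and a user cycle in which
# the Folder Redirection extension fails with an access-denied error.
SAMPLE_LOG = """\
09:00:01|4004|{A1}|Starting computer boot policy processing for VISTA-PC$.
09:00:02|5312|{A1}|List of applicable Group Policy objects: Default Domain Policy, Desktop Lockdown
09:00:02|4016|{A1}|Starting Registry Extension Processing.
09:00:03|5016|{A1}|Completed Registry Extension Processing in 812 milliseconds.
09:00:04|8004|{A1}|Completed computer boot policy processing for VISTA-PC$ in 3 seconds.
09:05:10|4005|{B2}|Starting user logon policy processing for CONTOSO\\alice.
09:05:11|5312|{B2}|List of applicable Group Policy objects: Default Domain Policy, Roaming Users
09:05:11|4016|{B2}|Starting Folder Redirection Extension Processing.
09:05:14|7016|{B2}|Completed Folder Redirection Extension Processing in 2990 milliseconds. Error code 0x80070005
09:05:15|8005|{B2}|Completed user logon policy processing for CONTOSO\\alice in 5 seconds.
"""

START_IDS = {4004: "computer", 4005: "user"}   # start of a processing cycle
END_IDS = {8004, 8005}                          # cycle completed
EXT_IDS = {4016, 5016, 7016}                    # extension start / ok / failure
EXT_RE = re.compile(r"(Starting|Completed) (.+?) Extension Processing"
                    r"(?: in (\d+) milliseconds)?\.?(?:.*Error code (0x[0-9A-Fa-f]+))?")
PRINCIPAL_RE = re.compile(r"policy processing for (.+?)\.$")

def new_cycle():
    return {"scope": None, "principal": None, "gpos": [], "extensions": {},
            "failed": [], "result": "incomplete"}

def summarize_cycles(log_text):
    """Group events by activity id: each id is one Group Policy processing cycle."""
    cycles = {}
    for line in filter(None, log_text.splitlines()):
        _time, eid, act, msg = line.split("|", 3)
        eid = int(eid)
        c = cycles.setdefault(act, new_cycle())
        if eid in START_IDS:
            c["scope"] = START_IDS[eid]
            m = PRINCIPAL_RE.search(msg)
            c["principal"] = m.group(1) if m else None
        elif eid == 5312:            # list of GPOs that applied in this cycle
            c["gpos"] = [g.strip() for g in msg.split(":", 1)[1].split(",")]
        elif eid in EXT_IDS:
            m = EXT_RE.match(msg)
            if not m:
                continue
            ext = c["extensions"].setdefault(m.group(2), {"ms": None, "error": None})
            if m.group(3):
                ext["ms"] = int(m.group(3))
            if eid == 7016:          # a CSE failed: its settings did not apply
                ext["error"] = m.group(4) or "unknown"
                c["failed"].append(m.group(2))
        elif eid in END_IDS:
            c["result"] = "failed" if c["failed"] else "success"
    return cycles

def refresh_command(cycle):
    """gpupdate invocation to retry a failed cycle (the detect-event-then-
    gpupdate pattern the NAP/NLA workaround needs), or None if not needed."""
    if cycle["result"] != "failed":
        return None
    return ["gpupdate", f"/target:{cycle['scope']}", "/force"]

if __name__ == "__main__":
    for act, c in summarize_cycles(SAMPLE_LOG).items():
        print(act, c["scope"], c["principal"], c["result"],
              c["failed"], refresh_command(c))
```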

This article has described Group Policy in Windows Vista, in the hope that it helps readers. More about Group Policy remains for readers to explore and learn.
