programming4us

Exploring Group Policy in Windows 7

2/6/2011 9:44:10 AM
In Windows 7, the Group Policy architecture includes these enhancements, as discussed in the following sections:
  • Group Policy Client service

  • Support for Network Location Awareness

  • Multiple Local Group Policy Objects (LGPOs)

  • Updated management tools and policy file formats

1. Introducing the Group Policy Client Service

The Group Policy Client service completely isolates Group Policy notification and processing from the Windows logon process. Separating Group Policy from the Windows logon process:

  • Ensures that a single service can deliver the needed Group Policy functionality

  • Enables more dynamic control over how policy settings are applied, maintained, and updated

  • Reduces the resources used for background processing of policies while increasing overall performance

  • Allows delivery of new Group Policy files as part of the update process and application of those updates without restart

The Group Policy Client service is a standalone service that runs under the Svchost process and no longer uses the trace logging functionality in userenv.dll. As a result, Group Policy event messages are now written to the system log with the event source of Microsoft-Windows-GroupPolicy, and the Group Policy Operational log replaces previous Userenv logging. The operational event log provides detailed event messages specific to Group Policy processing. When troubleshooting Group Policy issues, you’ll use this log rather than userenv.log as you did in Windows XP and earlier versions.
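As an added example (not part of the original article), the PowerShell below reads the Group Policy Operational log described above and reports each processing pass that logged a warning or error. The function name and the 24-hour default window are assumptions; `Get-WinEvent` and the log name `Microsoft-Windows-GroupPolicy/Operational` are the standard Windows ones.

```powershell
# Added example (not from the original article): list Group Policy processing
# passes that logged a warning or error in the operational log.
# The function name and the 24-hour default window are assumptions.
function Get-GroupPolicyProblemPass {
    param([int]$Hours = 24)

    $logName = 'Microsoft-Windows-GroupPolicy/Operational'
    $filter  = @{ LogName = $logName; StartTime = (Get-Date).AddHours(-$Hours) }

    # Get-WinEvent reports an error when no event matches; treat that as empty.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Events written during one processing pass share an ActivityId.
    $events | Where-Object { $_.ActivityId } | Group-Object -Property ActivityId |
        ForEach-Object {
            $pass = $_
            # Level 1 = Critical, 2 = Error, 3 = Warning.
            $bad = @($pass.Group |
                     Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
                     Sort-Object TimeCreated)
            if ($bad.Count -gt 0) {
                $all = @($pass.Group | Sort-Object TimeCreated)
                New-Object PSObject -Property @{
                    ActivityId   = $pass.Name
                    Started      = $all[0].TimeCreated
                    Ended        = $all[-1].TimeCreated
                    EventCount   = $all.Count
                    ProblemIds   = ($bad | ForEach-Object { $_.Id }) -join ','
                    FirstProblem = $bad[0].Message
                }
            }
        } |
        Select-Object ActivityId, Started, Ended, EventCount, ProblemIds, FirstProblem
}

Get-GroupPolicyProblemPass -Hours 24 | Format-List
```

An empty result means no pass in the window logged a warning or error; widen `-Hours` to look further back.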

2. Using Multiple Local Group Policy Objects

Unlike Windows XP and earlier implementations of Group Policy, Group Policy in Windows Vista and Windows 7 allows the use of multiple LGPOs on a single computer. Previously, computers had only one LGPO. Windows Vista and Windows 7 allow you to assign a different LGPO to each local user or group. This allows the application of a policy to be more flexible and support a wider array of implementation scenarios.

Multiple LGPOs are particularly useful when computers are being used in a standalone configuration rather than a domain configuration, because local administrator users no longer have to explicitly disable or remove settings that interfere with their ability to manage a computer before performing administrator tasks. Instead, an administrator user can implement one LGPO for administrators and another LGPO for nonadministrators.

NOTE

Administrator and nonadministrator LGPOs are the two standard types of LGPOs available.
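Because several LGPOs can now apply on one computer, it helps to know which ones exist before troubleshooting or reviewing a standalone machine. The following added example (not from the original article) inventories them; it assumes the standard on-disk location `%SystemRoot%\System32\GroupPolicyUsers`, where each LGPO sits in a folder named after a SID, and the function name is hypothetical.

```powershell
# Added example (not from the original article): inventory the user-scoped
# LGPOs on this computer. Run elevated; the folders are hidden system folders.
# The function name is hypothetical.
function Get-LocalGpoInventory {
    $root = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'
    if (-not (Test-Path $root)) { return }   # no user-scoped LGPO has been created

    Get-ChildItem -Path $root -Force | Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir = $_          # keep the folder; switch rebinds $_ in its blocks
            $sid = $dir.Name
            switch ($sid) {
                'S-1-5-32-544' { $scope = 'Administrators' }
                'S-1-5-32-545' { $scope = 'Non-Administrators' }
                default {
                    try {
                        # Any other folder name should be the SID of one local user.
                        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
                        $scope = $id.Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $scope = 'Unresolved (deleted account or non-SID folder)'
                    }
                }
            }

            # Administrative Templates settings for the LGPO are kept in Registry.pol.
            $pol     = Join-Path $dir.FullName 'User\Registry.pol'
            $hasPol  = Test-Path $pol
            $changed = $null
            if ($hasPol) { $changed = (Get-Item $pol -Force).LastWriteTime }

            New-Object PSObject -Property @{
                Scope          = $scope
                Sid            = $sid
                HasRegistryPol = $hasPol
                LastChanged    = $changed
            }
        } |
        Select-Object Scope, Sid, HasRegistryPol, LastChanged
}

Get-LocalGpoInventory | Format-Table -AutoSize
```

An unresolved SID usually points to an LGPO left behind by a deleted account, which is worth cleaning up or at least recording.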

3. Enhancing Group Policy Application

Thanks to the Network Location Awareness feature in Windows Vista and Windows 7, Group Policy can respond better to changing network conditions and no longer relies on ICMP (ping) for policy application. Network Location Awareness ensures that a computer is aware of the type of network to which it is currently connected—in other words, whether the computer is on a home, public, or work network—and is responsive to changes in the system status or network configuration. This gives Group Policy access to the resource detection and event notification capabilities in the operating system, allowing Group Policy to determine when a computer is in standby mode or resuming from hibernation, as well as when a network connection has been disabled or disconnected. In cases where the network isn’t available, Group Policy won’t wait for the network, allowing for faster startup.

Because ICMP (ping) is no longer used for slow link detection, business networks can filter this protocol on their firewalls. Group Policy uses Network Location Awareness to determine the network bandwidth. When mobile users connect to a business network, Group Policy can detect the availability of a domain controller and initiate a background refresh of policy over the VPN connection.

4. Improving Group Policy Management

Windows 7 includes the Group Policy Management Console (GPMC) and Group Policy Object Editor (GPOE) for managing Group Policy. If you are an administrator, you can install the GPMC as part of the Remote Server Administration Tools for Windows 7. GPOE is included with Windows 7.

Using the GPMC, shown in Figure 1, you can manage Active Directory Group Policy in an enterprise environment. To edit Group Policy for your local computer or users, skip ahead to the next example. To open the GPMC, follow these steps:

  1. Log on to a computer running Windows 7 with an administrative user account.

  2. Click Start, type mmc into the Search box, and then press Enter.

  3. In the Microsoft Management Console, click File→Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins dialog box, click Group Policy Management Console, click Add, and then click OK.

  5. You can now navigate through the forest and domains in the organization to view individual Group Policy Objects (GPOs).

  6. If you expand the site, domain, or organizational unit node in which a related policy object is stored, you can right-click the policy object and then choose Edit. This opens the object for editing in the GPOE.

Figure 1. Accessing Active Directory Group Policy


Using the GPOE, shown in Figure 2, you can manage Group Policy for your local computer. To open the GPOE, follow these steps:

  1. Log on to a computer running Windows 7 with an administrative user account.

  2. Click Start, type mmc into the Search box, and then press Enter.

  3. In the Microsoft Management Console, click File→Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor and then click Add.

  5. In the Select Group Policy Object dialog box, the default object is the Local Computer Group Policy Object. If this is the object you want to work with, click Finish. If this isn’t the object you want to work with, click Browse, select the object you want to work with, and then click OK.

  6. Click OK to close the Add or Remove Snap-ins dialog box.

  7. You can now work with the GPO you’ve opened.

Figure 2. Accessing Local Group Policy


For Windows Vista and Windows 7, the GPMC and GPOE have been updated to work with XML-based Administrative Templates and use a document format referred to as ADMX. These tools can also work with the previous ADM format.

ADMX files are divided into language-neutral and language-specific file sets. The language-neutral files ensure that a GPO has the same core policies. The language-specific files allow policies to be viewed and edited in multiple languages. Because the language-neutral files store the core settings, policies can be edited in any language for which a computer is configured, thus allowing one user to view and edit policies in English and another to view and edit policies in Spanish. The mechanism that determines which language is used is the language pack installed on the computer.

In domains, ADMX files are stored in a central store—the domain-wide directory created in the System volume (Sysvol). Previously, Administrative Templates were stored with each GPO. In the new implementation, only the current state of the setting is stored in the GPO and the ADMX files are stored centrally. This reduces the amount of storage space used as the number of GPOs increases, and it reduces the amount of data being replicated throughout the enterprise. As long as you edit GPOs using Windows Vista or Windows 7, new GPOs will not contain either ADM or ADMX files inside the GPO.
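The added example below (not from the original article) checks which ADMX store this computer would use and whether every language-neutral `.admx` file has its language-specific `.adml` counterpart in each language folder. It assumes the standard locations, `\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions` for the central store and `%SystemRoot%\PolicyDefinitions` locally; the function name and the use of `$env:USERDNSDOMAIN` to find the domain are assumptions.

```powershell
# Added example (not from the original article): verify the ADMX store.
# Function name and the USERDNSDOMAIN lookup are assumptions.
function Test-AdmxStore {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # Fall back to the local folder when no central store is reachable.
    $store = Join-Path $env:SystemRoot 'PolicyDefinitions'
    if ($Domain) {
        $central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
        if (Test-Path $central) { $store = $central }
    }

    # Language-neutral files sit at the top level of the store.
    $admx = @(Get-ChildItem -Path $store -Filter '*.admx' |
              Where-Object { -not $_.PSIsContainer })

    # Each subfolder (for example en-US) holds the language-specific .adml files.
    $languages = @(Get-ChildItem -Path $store | Where-Object { $_.PSIsContainer })

    foreach ($lang in $languages) {
        $missing = @($admx | Where-Object {
            $adml = Join-Path $lang.FullName ($_.BaseName + '.adml')
            -not (Test-Path $adml)
        })
        New-Object PSObject -Property @{
            Store       = $store
            Language    = $lang.Name
            AdmxCount   = $admx.Count
            MissingAdml = ($missing | ForEach-Object { $_.Name }) -join ', '
        } | Select-Object Store, Language, AdmxCount, MissingAdml
    }
}

Test-AdmxStore | Format-List
```

A non-empty `MissingAdml` column means the listed templates have no language file in that folder, so their settings cannot be displayed in that language.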

5. Editing Group Policy

After you access a policy for editing, you can use the GPOE to work with group policies. The GPOE has two main nodes:

Computer Configuration

Enables you to set policies that are applied to computers, regardless of who logs on

User Configuration

Enables you to set policies that are applied to users, regardless of which computer they log on to

The Computer Configuration and User Configuration nodes have subnodes for the following:

Software Settings

Enables you to set policies for software settings and software installation

Windows Settings

Enables you to set policies for name resolution, scripts, printers, security, and quality of service

Administrative Templates

Enables you to set policies for the operating system, Windows components, and programs

The policy settings you’ll work with the most are those found under Administrative Templates. You can enable, disable, and configure policy settings for Administrative Templates by completing the following steps:

  1. Open the policy object you want to edit. Access the GPOE for the resource you want to work with.

  2. Expand Computer Configuration→Administrative Templates or User Configuration→Administrative Templates as appropriate for the type of policy you want to set.

  3. After you expand the policy subfolders as appropriate, double-click a policy or right-click it and select Edit to display its Properties dialog box.

  4. The Help section of the dialog shows a description of the policy, if one is available.

  5. Use the following buttons to change the state of the policy:

    Not Configured

    The policy is not configured.

    Enabled

    The policy is enabled.

    Disabled

    The policy is disabled.

  6. If you enabled the policy, set any additional parameters specified under Options and then click Apply.

  7. Click OK to save your settings.

Policy changes are applied when Group Policy is refreshed. Windows automatically refreshes policy periodically. However, with some types of policies you may need to log out and then log back in, or restart the computer.
