Saturday, January 06, 2007

Group Policy Update

If you have read my article series on windowsecurity.com about "Managing Windows Vista Group Policy" theres a few extra comments I would like to add...

ADMX
The most important note I would like to make is that Microsoft published a tool to migrate ADM files to the ADMX file format some time ago (november 2006) - the tool was actually developed by FullAmor and licensed freely for Microsoft costumors. The tool is called "ADMX Migrator", but actually does more than just migrate templates...

The product requires "Microsoft Management Console 3.0" and "Microsoft .NET version 2.0" on Windows Vista, Windows XP SP2 or Windows Server 2003 SP1 to work - and provides the following functionality:

1. Converting/migrating ADM files to the new XML based Administrative Templates format: ADMX. You can even select multiple files to convert at one time - it's almost too easy!

2. Creating new ADMX files from scratch without the need to understand and master XML and the special syntax the templates requires. This is the "editor" part of the "ADMX Migrator" tool.
This is a very powerfull tool with lots of possibilities for admins around the world. I you haven't played with this already I will advice you to do so, you can use this link.

GPMC
At TechEd in Barcelona there was a "rumor" that Microsoft will remove the builtin GPMC from Windows Vista as part of the Vista Service Pack 1 installation. I don't know if this is true and a final decision, but it was actually stated so by the Group Policy Product Manager, Michael Dennis. The reason should be, that Microsoft received some "complaints" on the fact that every user could start this wonderfull admin tool (maybe those costumors haven't heard of Group Policy settings that disallow the use of MMC, Software Restriction policies etc.?). Well, I just think it's funny to think of a Service Pack that actually remove functionality (without replacing with anything else/better) instead of adding stuff - maybe it's just me :-)

TOOLBELT
The great guys at gpanswers.com have collected a Group policy Toolbelt that a GP admin just must have - it can be downloaded here: http://www.gpanswers.com/toolbelt. Within this "belt" you will find tools within an ISO file ready to be "mounted" or burned. The tools are anything from an ADM file that sets GPO logging level to third party utilities that makes tho job of a GP admin a bit more easy. Check it out the next time you have time to download about 70 MB - a lot better than finding the tools on diffenrent sites around the world.

THE VISTA SETTINGS
If you haven't looked on Windows Vista Group Policy news in detail yet, here is you chance to do so. Microsoft relased this Excel document (as they have done in the past) with Vista GP settings. Very interesting reading for GP nerds like myself. We now have SO many GP settings that no man can possibly contain all the great possibilities in his head so that's why we need this sheet. As mentioned in one of my articles for windowsecurity.com there will hopefully be a search option within the MMC when Microsoft released the first service pack to Windows Vista (and in Longhorn Server). It will be interesting to see how they manage to incorporate such a crucial functionality - we must have faith in those guys :)

And BTW - when you guys are changing the code anyway, why not put a "Save changes" dialog into the GPEDIT MMC like ANY other GUI that handles important system changes. I hope that we will also see some workflow handling soon, one admin that changes the GP settings and a manager that approves the changes, making them "live" in the environment. Also versioning is needed as GP's will probably "rule the world" in a few years - not just backups, but real versioning that makes it possible to spot changes made over time and to get back to a "safe" setting fast (rollback). Well, I actually know that MS is working on this too (DOPSA - Desktop Optimization Pack for Software Assurance) - but as with Christmas presents it can be hard to wait too long - I'll get back to this in a post very soon :)

2 Comments:

gpoguy said...

Hi Jakob. If you get a chance, check out my site, www.gpoguy.com. I have a free tools page on their that has some of the tools Jeremy put into his toolkit as well as other new ones.

Darren

Jakob H. Heidelberg said...

Hi Darren,

It's an honour to have you here, thank you for your comment!

http://www.gpoguy.com/Tools.htm