Longhorn Server, due to be released later this year, is a major revision of Microsoft’s flagship server operating system. In this article, I’ll look at the most significant enhancements to Group Policy (GP) in Longhorn Server.
Network location awareness
Network location awareness, or NLA, is perhaps the broadest improvement within Longhorn Server and Windows Vista. It refers to the ability of the operating system to define and detect the current network environment and take action based on where the operating system thinks the computer is currently located and what type of connection is in use.
NLA allows Windows to determine whether the network is ready for use, whether the domain controller is currently available, the amount of bandwidth and the speed of the network connection, and which security settings are enabled. NLA can then use that information to make intelligent determinations about what processes should be started, stopped, or suspended.
For example, when you take a Windows XP machine that is a member of a domain with domain-based Group Policy objects in force and then disconnect it from the network, it will cycle through its boot process and sometimes hang for an inordinate amount of time while it waits to find a network connection that works. Windows XP actually uses ICMP, or pings, to look for a domain controller. If it can’t use ICMP -- perhaps it is blocked, or otherwise unavailable on a disconnected machine -- and as a result can’t find a domain controller, all Group Policy processing stops.
In contrast, NLA lets Group Policy sniff out these scenarios directly, and Group Policy can then decide to wait to refresh itself or apply policy once the network is back up without waiting for the normal refresh cycle.
Further, NLA allows Windows to appear kinder to mobile users. Typically, with previous versions of Windows, if a mobile user logged onto the corporate network through a VPN, he would have to wait for the standard refresh cycle to get policy applied. This is no longer a requirement: GP can be applied in the background over the VPN immediately once a domain controller is detected.
New format for administrative templates
Administrative templates, which used to be text files with an .ADM extension, are formatted in XML in Longhorn Server and get the extension .ADMX. The new format supports several new features, including the following:
- Policies are marked up in XML rather than in a peculiar text format. This allows for multilingual support and versioning to track changes to policies and implement change management.
- ADMX files are stored centrally in the SYSVOL share, which reduces the amount of traffic that has to be passed around all of the domain controllers in your domain.
- ADMX files and ADM files are interchangeable in one direction, meaning that all of the administrative tools you have grown accustomed to will still work with both ADM files and ADMX files.
However, policies residing in ADMX files are only supported on machines running Windows Vista or Longhorn Server.
In today’s complex regulatory environment, protecting the data on your network is critical to complying with law and protecting the integrity of your network. But with the influx of all sorts of removable media with enough storage capacity to download hundreds of thousands of pages of documents and massive amounts of other material, it’s become increasingly difficult to keep data on the network and on the network only. Many organisations have already taken a low-tech approach to solving this problem and have put hot glue in USB ports on their corporation’s machines, rendering it impossible to attach thumb drives.
Longhorn Server and Windows Vista, in a welcome feature introduction, support centrally blocking these types of devices and more, like CD-RW and DVD-RW drives and any other removable media, from being installed on domain-joined machines. The new settings can be found under the Computer Configuration/Administrative Templates/System/Device Installation group within Group Policy Object Editor.
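To make the ADMX description above concrete, here is an added example (not code from the article, and not Microsoft's own tooling) that parses a minimal ADMX file together with two language-specific ADML string tables, resolves the `$(string.…)` references that give the format its multilingual support, and then reports from a registry snapshot whether the policy is Enabled, Disabled or Not configured. The ADMX and ADML documents and the registry snapshot are constructed inline; the policy name, key path and value name are modelled on the Device Installation restriction policy described in the previous paragraph as I understand it, so confirm them against the ADMX files shipped with your own Windows build before relying on them.

```python
"""Parse a constructed ADMX/ADML pair and evaluate the policy against a registry snapshot.

Added example, not code from the article. The documents below are constructed and
deliberately minimal; the key/value names are modelled on the Device Installation
restriction policy (assumption: check them against your own build's ADMX files).
"""
import xml.etree.ElementTree as ET

# Namespace used by the ADMX/ADML schema.
NS = {"p": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}

# Constructed ADMX: one machine policy. Every human-readable string is a
# $(string.id) reference into a per-language ADML, which is what makes ADMX multilingual.
ADMX = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policyNamespaces><target prefix="devinst" namespace="Example.DeviceInstall" /></policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories><category name="DeviceInstall" displayName="$(string.DeviceInstall_Cat)" /></categories>
  <policies>
    <policy name="DenyRemovableDevices" class="Machine"
            displayName="$(string.DenyRemovable_Name)" explainText="$(string.DenyRemovable_Help)"
            key="Software\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions"
            valueName="DenyRemovableDevices">
      <parentCategory ref="DeviceInstall" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>"""

# Constructed ADML string tables, one per language, with the same string ids.
ADML = {
    "en-US": """<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <displayName>Device installation (constructed sample)</displayName><description>sample</description>
  <resources><stringTable>
    <string id="DeviceInstall_Cat">Device Installation</string>
    <string id="DenyRemovable_Name">Prevent installation of removable devices</string>
    <string id="DenyRemovable_Help">Blocks installation of removable devices such as USB drives.</string>
  </stringTable></resources>
</policyDefinitionResources>""",
    "de-DE": """<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <displayName>Geräteinstallation (konstruiertes Beispiel)</displayName><description>Beispiel</description>
  <resources><stringTable>
    <string id="DeviceInstall_Cat">Geräteinstallation</string>
    <string id="DenyRemovable_Name">Installation von Wechselgeräten verhindern</string>
    <string id="DenyRemovable_Help">Verhindert die Installation von Wechselgeräten wie USB-Laufwerken.</string>
  </stringTable></resources>
</policyDefinitionResources>""",
}

# Constructed registry snapshot: "HIVE\\key" -> {valueName: data}. Not read from a live machine.
SAMPLE_REGISTRY = {
    "HKLM\\Software\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions": {"DenyRemovableDevices": 1},
}


def load_strings(adml_xml: str) -> dict:
    """Return {string id: text} from an ADML string table."""
    root = ET.fromstring(adml_xml)
    return {s.get("id"): (s.text or "") for s in root.iterfind(".//p:stringTable/p:string", NS)}


def resolve(text: str, strings: dict) -> str:
    """Expand a $(string.ID) reference; an unknown id is left visible rather than silently dropped."""
    if text and text.startswith("$(string.") and text.endswith(")"):
        return strings.get(text[len("$(string."):-1], text)
    return text


def parse_admx(admx_xml: str, strings: dict) -> list:
    """Return one dict per <policy>, with display text resolved and the registry write it performs."""
    root = ET.fromstring(admx_xml)
    policies = []
    for pol in root.iterfind("./p:policies/p:policy", NS):
        on = pol.find("./p:enabledValue/p:decimal", NS)
        off = pol.find("./p:disabledValue/p:decimal", NS)
        policies.append({
            "name": pol.get("name"), "class": pol.get("class"),
            "display": resolve(pol.get("displayName"), strings),
            "explain": resolve(pol.get("explainText"), strings),
            "key": pol.get("key"), "value_name": pol.get("valueName"),
            "enabled_value": int(on.get("value")) if on is not None else None,
            "disabled_value": int(off.get("value")) if off is not None else None,
        })
    return policies


def policy_state(policy: dict, registry: dict) -> str:
    """Classify a policy as Enabled / Disabled / Not configured from a registry snapshot."""
    hive = "HKLM" if policy["class"] == "Machine" else "HKCU"
    values = registry.get(hive + "\\" + policy["key"], {})
    if policy["value_name"] not in values:
        return "Not configured"
    data = values[policy["value_name"]]
    if data == policy["enabled_value"]:
        return "Enabled"
    if data == policy["disabled_value"]:
        return "Disabled"
    return f"Unexpected data {data!r}"  # tampered or hand-edited value worth flagging in an audit


if __name__ == "__main__":
    for lang, adml in ADML.items():
        for p in parse_admx(ADMX, load_strings(adml)):
            print(f"[{lang}] {p['display']} -> HKLM\\{p['key']}\\{p['value_name']}: "
                  f"{policy_state(p, SAMPLE_REGISTRY)}")
```

Because the same ADMX is rendered through both string tables, the policy name shown to an administrator changes with the language while the registry key and value it writes stay identical, which is the separation the ADMX/ADML split was designed for. The same `policy_state` check, fed a registry export from a managed machine, is a quick way to confirm that the device installation restriction is actually in effect rather than merely configured in a GPO that never applied.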
Here are some other enhancements to Group Policy:
- Location-based printer assignments: You can assign printers to users or machines running Windows Vista based on their location within a physical building or their geographic location in the world through the new Deployed Printers policy settings.
- Printer driver installations by users: Longhorn Server will no longer require administrators to give out admin-level credentials to users solely for the purpose of installing drivers for their printers. This permission can be delegated to regular users, saving administrative headache and empowering users on a limited basis.
- Better security setting configuration: In Longhorn Server, the IPsec and Windows Firewall configurations are united under one interface, making for one-stop configuration shopping. Previously, you had to configure the firewall for some settings and configure IPsec for other settings, whereas now almost all scenarios are supported within one interface -- including secure server-to-server communications and network access protection (NAP) settings.
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Windows Small Business Server 2003 and Learning Windows Server 2003. His work appears regularly in such periodicals as Windows IT Pro magazine, PC Pro and TechNet Magazine. He also speaks worldwide on topics ranging from networking and security to Windows administration. He is currently an editor for Apress, a publishing company specialising in books for programmers and IT professionals.