Windows Vista SP1 Will Uninstall Group Policy Management
Probably in response to a few users' bewilderment that Group Policy Management Console, actually one of Windows Vista's most requested new security tools, was accessible to anyone who could open a console, Microsoft announced today that installing Vista Service Pack 1 will simply remove the tool altogether.
"Administrators requested features in Group Policy that simplify policy management," reads a white paper released by Microsoft this afternoon. "To do this, the service pack will uninstall the Group Policy Management Console (GPMC) and GPEdit.msc will edit local Group Policy by default."
Group Policy in Windows is a set of configuration settings, including restrictions and permissions, applied to computers and to user accounts. Every Group Policy object (GPO) has two halves: a Computer Configuration, processed when the machine starts regardless of who logs on (so it also governs services running under the computer's own identity, without a human user to impersonate), and a User Configuration, processed when a user logs on.
GPOs are layered. A GPO linked to the whole domain applies to everyone and everything in it, which lets admins set the baseline for which resources are locked down. GPOs linked to organizational units then apply to subsets of the network's users or computers, and because a link closer to the user or computer is processed later, its settings win wherever they conflict with the baseline. That is how exceptions are carved out for people or accounts trusted to know what they're doing, and equally how a stricter setting can be imposed on a narrower group; an admin who wants the baseline to win regardless marks its link Enforced.
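As an added illustration of the layering just described (example code written for this edit, not part of the original article or of any Microsoft tool), the following Python models how the Group Policy engine orders GPO links: the local GPO first, then site, domain and organizational units, later links overriding earlier ones, with Block Inheritance and Enforced handled the way the engine handles them. The container names, GPO names and setting labels are constructed sample data, not real policy identifiers.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example: a model of Group Policy link precedence (LSDOU order).
# Container names, GPO names and setting labels are constructed sample data.


@dataclass
class Link:
    gpo: str                      # display name of the linked GPO
    settings: Dict[str, object]   # settings the GPO configures (sample labels)
    enforced: bool = False        # "Enforced" set on the link
    disabled: bool = False        # link disabled


@dataclass
class Container:
    name: str                                         # "Local", "Site", "Domain" or an OU
    links: List[Link] = field(default_factory=list)   # link order 1 first
    block_inheritance: bool = False                   # "Block Inheritance" on the container


def application_order(chain: List[Container]) -> List[Tuple[str, str]]:
    """Return (container, gpo) pairs in the order the engine applies them.

    chain[0] holds the local GPO(s); chain[1:] is Site, Domain, then the OU
    path from parent to child.  Later entries override earlier ones.
    """
    local, domain_side = chain[0], chain[1:]
    # Local GPOs are processed first, so anything from the domain overrides them.
    order = [(local.name, ln.gpo) for ln in reversed(local.links) if not ln.disabled]
    # Block Inheritance on the deepest container that sets it discards every
    # non-enforced link from the containers above it (site, domain, parent OUs).
    start = 0
    for i, c in enumerate(domain_side):
        if c.block_inheritance:
            start = i
    for c in domain_side[start:]:
        # Within a container, link order 1 is applied last and therefore wins.
        order += [(c.name, ln.gpo) for ln in reversed(c.links)
                  if not ln.disabled and not ln.enforced]
    # Enforced links survive Block Inheritance and are applied after everything
    # else, child container first and topmost container last, so an enforced
    # domain GPO beats even an enforced OU GPO.
    for c in reversed(domain_side):
        order += [(c.name, ln.gpo) for ln in reversed(c.links)
                  if not ln.disabled and ln.enforced]
    return order


def resultant_set(chain: List[Container]):
    """Merge settings in application order; returns (effective, winning GPO per setting)."""
    lookup = {(c.name, ln.gpo): ln.settings for c in chain for ln in c.links}
    effective: Dict[str, object] = {}
    winner: Dict[str, str] = {}
    for container, gpo in application_order(chain):
        for setting, value in lookup[(container, gpo)].items():
            effective[setting] = value
            winner[setting] = gpo
    return effective, winner


def example_chain() -> List[Container]:
    """Constructed sample: a domain baseline that restricts MMC snap-ins and
    turns on policy-change auditing, and a helpdesk OU that relaxes the
    snap-in restriction for its own members."""
    return [
        Container("Local", [Link("Local Computer Policy", {"Snap-ins restricted": False})]),
        Container("Site", []),
        Container("Domain", [Link("Default Domain Policy",
                                  {"Snap-ins restricted": True, "Audit policy changes": True})]),
        Container("OU=Helpdesk", [Link("Helpdesk tools", {"Snap-ins restricted": False})]),
    ]


if __name__ == "__main__":
    chain = example_chain()
    print(application_order(chain))
    print(resultant_set(chain))
```

Run as-is, the helpdesk OU's GPO wins the snap-in setting; flip `enforced` on the domain link and the baseline wins again; set `block_inheritance` on the OU and the domain's non-enforced settings disappear entirely, which is exactly the kind of silent gap a management console is there to show you.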
Of course, for those people to be trusted as the people they claim to be, Windows authentication must be strong. In an Active Directory domain on Windows Server 2003 or the upcoming Windows Server 2008 it is, with Kerberos; but the peer-to-peer workgroups typically set up under Windows XP and Windows Vista have no Active Directory, only per-machine local accounts, so they don't have that kind of authentication.
GPOs rely upon Active Directory to identify what the user and computer subgroups are and what they consist of, so AD's absence in a network with no Windows Server would seem to go against the very notion of group policy. Workgroup admins can still set policy, but only one machine at a time: every computer has a local GPO, stored under %SystemRoot%\System32\GroupPolicy, and Vista adds per-user local GPOs (one for Administrators, one for Non-Administrators, and one per individual account) so that a single machine can treat its own users differently. There is no way to set a policy for the whole workgroup at once; the same settings have to be reproduced on each computer.
While the concept of group policies was created for Windows networks, client-side support for processing GPOs arrived with Windows 2000 and carried into Windows XP, where it was intentionally limited in XP Home Edition, which cannot join a domain and ships without the Group Policy Object Editor. Actually managing group policy effectively from an XP machine meant downloading the GPMC snap-in for Microsoft Management Console separately, and even then Home Edition users weren't privy to all of its benefits.
Local policy objects (which apply just to the computer on which they're stored) use the same on-disk format as domain policy objects: a Registry.pol file for registry-based settings, plus security templates and script lists. Microsoft had apparently planned to expand and reinforce that concept so that GPOs became the principal security enforcement tool for all Windows editions, as evidenced by Vista's Windows Firewall with Advanced Security, whose inbound, outbound and connection security rules are designed to be supplied by GPOs.
This morning's announcement appears to be a 180-degree turn away from that course of development. In fact, Microsoft's explanation appears to kick the whole notion of GPO ubiquity out the window, replacing it with its 1990s viewpoint that system security is best achieved when the tools everyday users are given are too difficult for them to bother with.
That conclusion can be drawn from the resumed reliance upon GPEDIT.MSC as the only GPO tool left in Vista. Also known as Group Policy Object Editor, it remains in Vista, but it edits one GPO at a time (by default, the local one) and shows nothing about how GPOs linked elsewhere combine with it. As any veteran admin will tell you, managing policy that way is practically impossible, since new GPOs by design are exceptions to the default, and if you can't see the default with a management tool, you don't know what it is you're writing an exception to. (The Resultant Set of Policy snap-in, rsop.msc, and the gpresult command still report what actually applied to a given machine and user, but neither lets you manage domain GPOs or their links.)
The conclusion is also reinforced by this footnote which appears in today's Vista SP1 white paper: "Beta testers will find that after installing Windows Vista SP1, they no longer have access to GPMC, and that the new, enhanced version of GPMC has not yet been released. In this case, administrators can continue to edit Group Policy by opening a remote desktop session directly to the server or to a PC running the release to manufacturing (RTM) version of Windows Vista."
In other words, it will be considered more appropriate to edit and manage GPOs through Windows Server. That means a big network with an AD domain or forest. It also means, please don't expect to effectively manage a small network using Vista alone.
Windows Vista's Local Security Policy console (secpol.msc). This is the security-settings portion of the local Group Policy object opened in its own console, rather than GPMC itself, and tailored specifically to manage security settings and permissions on one computer. Based on information released by Microsoft today, this feature may be one of those removed from Vista Service Pack 1, when it is released in the first quarter of next year.
Last November, I chronicled the addition of GPMC to Vista in a Reference Guide page for InformIT. There, in reference to Microsoft having not yet edited its own documentation from the XP era, I made a comment that I will now have to edit for a future revision: "GPMC is definitely on your Vista machine; you don't have to download it."
Although the white paper did not say so explicitly, GPMC will probably continue to be available for free download from Microsoft, and that will likely remain true when GPMC is revised. (The new version of GPMC is being tested now along with Beta 3 of Windows Server 2008.) UPDATE: WS2K8's release was delayed until the first quarter of next year, Microsoft announced this morning.
But as we learned all through the testing period for Monad - later "Microsoft Command Shell," later PowerShell - whether a component is shipped with the operating system or instead made freely available "offline" makes all the difference with respect to what a consultant is required to know in order to receive certification. It also impacts the extent to which published documentation, both by Microsoft and others, includes references to a topic. Throughout the XP era, many Professional Edition users were wondering when group policies would be added to the basic operating system, only to be astonished to learn from the Internet someplace that they were already there to begin with.
As independent developer Derek Melber wrote for Redmond Channel Partner magazine back when Vista was released last January, Microsoft's choice to include GPMC in the shipping versions of Vista was supposed to have been a dream come true for admins, especially those who had to put up with "offline" availability only.
"Most of you reading this article likely use the GPMC every day when you work with GPOs," Melber wrote. "However, there are plenty of administrators that have been reluctant to embrace the GPMC. Many complaints surrounding the GPMC stem from it not being included with the operating system. Consequently, many have the mindset that it must not be important or reliable. But because the GPMC actually is one of the most important tools you need to administer your GPOs, Microsoft decided to put it in every installation of Vista. The company also plans to put it in Longhorn Server when that product becomes available."
Since Vista's release, there have reportedly been some complaints about Microsoft having included something as powerful as GPMC within relatively full reach of the everyday user, who could conceivably learn how to override policies set by the admin. There were, however, obvious solutions to that problem. One is to use GPMC itself to create a GPO that stops non-authorized accounts from loading the snap-in: the Microsoft Management Console policies under User Configuration let an admin restrict users to an explicitly permitted list of snap-ins. Another is serious account policing; a standard user with no administrative rights can read a domain GPO through GPMC but cannot change it, because GPOs are protected by access control lists in Active Directory and SYSVOL, and editing the local GPO requires elevation as well. A third compels admins to actually pay attention to their logs, where, provided policy-change auditing is turned on, a change to a GPO is recorded.
Inevitably, there will be complaints from others who fault GPMC's absence from Vista SP1 as partly responsible for some security vulnerabilities, since its presence may be key to plugging some obvious holes quickly. Security engineer Jesper Johansson wrote about one such GPMC use last September, specifically with regard to an acknowledged vulnerability that enabled Windows Shell to execute non-authorized code remotely.
Johansson advised that users and admins could stop the problem immediately, in advance of a patch from Microsoft, by using Group Policy to deny the affected ActiveX control permission to run, which in Internet Explorer's terms means setting the control's kill bit so that the browser refuses to load it.
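The registry-based half of any GPO, local or domain, travels as a Registry.pol file (under %SystemRoot%\System32\GroupPolicy\Machine and \User for the local GPO, and under SYSVOL for domain GPOs), which is the shared format mentioned earlier. The following Python, added for this edit and not code from the article, from Microsoft or from Johansson, reads and writes that format and then checks two policy files for the kinds of settings discussed above: the kill bit (bit 0x400 of a control's Compatibility Flags under the ActiveX Compatibility key) that stops Internet Explorer from loading a given ActiveX control, and the MMC policy that limits users to an explicitly permitted list of snap-ins, one way to keep GPMC out of non-administrators' reach. The CLSID is a placeholder, the policy files are constructed here rather than read from a machine, and the assumption that the kill bit is delivered as a plain registry value through a custom policy template is mine, not the article's.

```python
import struct
from typing import List, Tuple

# Added example: reader/writer for Registry.pol plus two checks over its entries.
# SAMPLE_CLSID is a placeholder, not a real control; the policy files below are
# constructed in code, not read from a real GPO.

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
PREG_HEADER = b"PReg" + struct.pack("<I", 1)          # magic + file version 1
_SEP, _OPEN, _CLOSE = (c.encode("utf-16-le") for c in ";[]")

KILLBIT_KEY = "software\\microsoft\\internet explorer\\activex compatibility\\"
KILLBIT = 0x400                                        # Compatibility Flags bit
SAMPLE_CLSID = "{11111111-2222-3333-4444-555555555555}"  # placeholder CLSID


def _sz(s: str) -> bytes:
    """Null-terminated UTF-16LE string, as stored in the file."""
    return (s + "\0").encode("utf-16-le")


def build_registry_pol(entries: List[Tuple[str, str, int, object]]) -> bytes:
    """Serialise (key, value name, type, data) tuples as [key;value;type;size;data] records."""
    out = bytearray(PREG_HEADER)
    for key, name, rtype, data in entries:
        if rtype == REG_DWORD:
            raw = struct.pack("<I", data)
        elif rtype in (REG_SZ, REG_EXPAND_SZ):
            raw = _sz(data)
        else:
            raw = bytes(data)
        out += _OPEN + _sz(key) + _SEP + _sz(name) + _SEP
        out += struct.pack("<I", rtype) + _SEP + struct.pack("<I", len(raw)) + _SEP
        out += raw + _CLOSE
    return bytes(out)


def _read_sz(buf: bytes, pos: int) -> Tuple[str, int]:
    end = pos
    while buf[end:end + 2] != b"\x00\x00":       # scan UTF-16 code units for the terminator
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf: bytes, pos: int, token: bytes) -> int:
    if buf[pos:pos + 2] != token:
        raise ValueError(f"malformed record at offset {pos}")
    return pos + 2


def parse_registry_pol(buf: bytes) -> List[Tuple[str, str, int, object]]:
    """Parse a Registry.pol; DWORDs and strings are decoded, other types stay raw bytes."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, _OPEN)
        key, pos = _read_sz(buf, pos)
        pos = _expect(buf, pos, _SEP)
        name, pos = _read_sz(buf, pos)
        pos = _expect(buf, pos, _SEP)
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, _SEP)
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, _SEP)
        raw, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, _CLOSE)
        if rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif rtype in (REG_SZ, REG_EXPAND_SZ):
            data = raw.decode("utf-16-le").rstrip("\0")
        else:
            data = raw
        entries.append((key, name, rtype, data))
    return entries


def killed_controls(entries) -> List[str]:
    """CLSIDs whose kill bit is set in a machine-side policy file (registry names are case-insensitive)."""
    return sorted(key[len(KILLBIT_KEY):] for key, name, rtype, data in entries
                  if key.lower().startswith(KILLBIT_KEY) and name.lower() == "compatibility flags"
                  and rtype == REG_DWORD and data & KILLBIT)


def snapins_restricted(entries) -> bool:
    """True if a user-side policy file limits MMC to its explicitly permitted snap-in list."""
    return any(key.lower() == "software\\policies\\microsoft\\mmc"
               and name.lower() == "restricttopermittedsnapins" and rtype == REG_DWORD and data == 1
               for key, name, rtype, data in entries)


def sample_machine_pol() -> bytes:
    """Constructed Machine\\Registry.pol: kill bit for the placeholder control (HKLM side)."""
    return build_registry_pol([("Software\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\"
                                + SAMPLE_CLSID, "Compatibility Flags", REG_DWORD, KILLBIT)])


def sample_user_pol() -> bytes:
    """Constructed User\\Registry.pol: MMC restricted to permitted snap-ins (HKCU side)."""
    return build_registry_pol([("Software\\Policies\\Microsoft\\MMC",
                                "RestrictToPermittedSnapins", REG_DWORD, 1)])
```

Point `parse_registry_pol` at a real Machine\Registry.pol or User\Registry.pol (read in binary mode) to see what a local GPO actually carries; the two checks then answer, without any console at all, whether a given control is killed and whether MMC snap-ins are locked down for the user side. Because the kill bit lives under HKLM, it belongs in the Machine file, while the MMC restriction is a per-user setting and belongs in the User file.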
GPMC's removal from Vista does not mean group policies will stop applying there, only that they're expected to be administered from Windows Server. But today, Microsoft's stance on the removal is that you asked for it.
"The goal of Windows Vista SP1 is to address key feedback Microsoft has received from its customers without regressing application compatibility," its white paper reads. "Windows Vista SP1 will deliver improvements and enhancements to existing features that significantly impact customers, but it does not deliver substantial new operating system features." In fact, it will certainly deliver at least one fewer feature than Vista did before.