Friday, October 12, 2007

Vista's GPMC: Don't trust it

Vista has brought some dramatic changes to GPOs and to the Group Policy Management Console (GPMC) used to manage them. The Coles Notes version is that Microsoft has introduced ADMX templates: a replacement for the old ADM Administrative Template files, written in a new XML format (an ADMX file carries the setting definitions and a language-specific ADML file carries the display strings). Settings that are new in Vista are defined only in these new templates, and the same goes for Vista-specific features outside the Administrative Templates, such as Vista's expanded Folder Redirection options; none of this can be edited with your existing Windows Server 2003 GPMC. At the time of writing, the only GPMC able to read ADMX templates is the one that ships with Vista!

This is where it gets interesting. To manage Vista GPO settings, you must use a Vista computer. Once you have GPOs that depend on ADMX templates in your environment, you can only use Vista computers to manage them; a Windows XP or Server 2003 editor simply cannot display those settings. This means you quickly have to roll out Vista to every GPO administrator in the enterprise, before you have really locked down the configuration of your Vista computers. On top of that, we have been experiencing problems with the Vista version of GPMC.

Throughout our Vista desktop design project, we have been tinkering with various GPO settings. We would often not get the results we were expecting, or find that systems were implementing settings contrary to the ones we had specifically chosen. After months of head scratching and frustration, we think we now understand what is going on...

Vista's version of GPMC gets confused when you make changes to GPOs, and only properly understands what is going on after it is closed (or terminated) and restarted. Here's what I mean; the following is the series of actions that occur within the Vista GPMC application:

  • I target an existing GPO with an existing setting.
  • I choose to edit that GPO and change a setting to the alternate value (if it was Enabled, I select Disabled, etc.).
  • I then click 'Apply' or 'OK' on the edit window to commit my changes.
  • I wait a few minutes and go to my test computer to see what effect the new setting has - I see no change. What gives?
  • I go back to GPMC and run an RSOP specifying my test user and test computer.
  • It tells me that my setting change is being applied to that computer correctly. More head scratching.
  • I eventually give up and shut things down to go home.
  • The next day I get into the lab and suddenly everything is fine - more head scratching.
  • I inspect the GPO and everything looks fine.
  • So I try another setting - same odd results when I check my test PC.
  • This time I look at the GPO report. It tells me my setting is not applied as I had specified.
  • I choose to edit my GPO once again. That interface tells me that the setting is set as I have already specified, so there really isn't much more I can do.
Fun eh? It looks like my co-worker has figured out what's happening (I'd love to hear from others about their experiences as well):
  • When I apply a setting in GPMC's edit window, it is not properly getting applied.
  • The edit window shows my setting as I have requested.
  • But the GPO Report I then generate in GPMC continues to show the old value.
  • Also, the test PC continues to only receive the old value.
  • But an RSOP run from GPMC says the setting has been applied.
  • Only once I close GPMC, does the test PC receive the setting change.
  • When I reopen GPMC, my edit window, new RSOP report and new GPO report all agree with each other!
The lesson here is to close GPMC often and not leave it lying open on your admin PC.
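As an added diagnostic (my own script, not code from the original post or from Microsoft): rather than trusting any one of the GPMC views, read the GPO's version counter from the three places it lives, the Group Policy Container object in AD, gpt.ini in SYSVOL, and the RSoP logging data the test PC keeps from its last refresh. Every Apply in the editor bumps the counter, so if AD and SYSVOL both still show the old number after you clicked Apply, the console never committed the edit; if they moved and the client still shows the old number, the client just has not refreshed yet. The domain name, GPO GUID and test PC name below are placeholders you need to replace; the RSOP_GPO WMI class and its guidName/version properties are the standard RSoP logging-mode classes.

```powershell
# Added example, not from the original post: put the three places a GPO's
# version lives side by side so you can tell "the edit was never committed"
# from "the client has not refreshed yet". The domain, GPO GUID and test PC
# name are placeholders (assumptions). Needs a domain-joined admin
# workstation with read access to SYSVOL and remote WMI access to the test PC.

param(
    [string]$Domain  = "corp.example.com",                        # assumed
    [string]$GpoGuid = "{31B2F340-016D-11D2-945F-00C04FB984F9}",  # assumed target (this particular GUID is the Default Domain Policy)
    [string]$TestPC  = "VISTA-TEST01"                             # assumed
)

function Split-GpoVersion([int64]$v) {
    # The GPO version is one 32-bit number: low 16 bits count Computer-side
    # edits, high 16 bits count User-side edits. Every Apply in the editor
    # bumps the half that was edited. AD hands it back as a signed int, so
    # normalise to unsigned before splitting.
    if ($v -lt 0) { $v += 4294967296 }
    return @{ Computer = [int]($v % 65536); User = [int][math]::Floor($v / 65536) }
}

# 1. Version stamped on the groupPolicyContainer object in Active Directory
$dn  = "DC=" + $Domain.Replace(".", ",DC=")
$gpc = [ADSI]"LDAP://CN=$GpoGuid,CN=Policies,CN=System,$dn"
$adVersion = Split-GpoVersion ([int64]$gpc.Properties["versionNumber"].Value)

# 2. Version written to gpt.ini in SYSVOL (the copy clients actually read)
$gptPath = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\gpt.ini"
$raw = $null
foreach ($line in (Get-Content $gptPath)) {
    if ($line -match '^Version=(\d+)') { $raw = [int64]$matches[1] }
}
if ($raw -eq $null) { throw "No Version= line found in $gptPath" }
$sysvolVersion = Split-GpoVersion $raw

# 3. Version the test PC applied on its last computer-policy refresh, taken
#    from the RSoP logging-mode data the client keeps in WMI. This namespace
#    only covers computer policy, so only the Computer half is comparable.
$guidCore = $GpoGuid.Trim('{', '}')
$applied = Get-WmiObject -ComputerName $TestPC -Namespace "root\rsop\computer" -Class RSOP_GPO |
    Where-Object { $_.guidName -like "*$guidCore*" }
$clientVersion = $null
if ($applied) { $clientVersion = Split-GpoVersion ([int64]$applied.version) }

"GPO {0}" -f $GpoGuid
"  AD     : user={0} computer={1}" -f $adVersion.User, $adVersion.Computer
"  SYSVOL : user={0} computer={1}" -f $sysvolVersion.User, $sysvolVersion.Computer
if ($clientVersion) {
    "  {0} applied: user={1} computer={2}" -f $TestPC, $clientVersion.User, $clientVersion.Computer
} else {
    "  {0}: GPO not present in RSoP data (not applied, filtered out, or not yet refreshed)" -f $TestPC
}

# Verdict: each Apply in the editor should move AD and SYSVOL together. If
# neither moved after you clicked Apply, the console did not commit the edit.
if ($adVersion.User -ne $sysvolVersion.User -or $adVersion.Computer -ne $sysvolVersion.Computer) {
    "AD and SYSVOL disagree: wait for AD/FRS replication, or check which DC the editor wrote to."
} elseif ($clientVersion -and ($clientVersion.Computer -lt $sysvolVersion.Computer)) {
    "Client is behind: run 'gpupdate /force' and then 'gpresult /r' on $TestPC, then re-check."
} else {
    "Versions agree: the client has this GPO revision. Compare the setting itself against the GPO report."
}
```

Run it once before you click Apply and once after; the AD and SYSVOL numbers should both tick up by one on the half you edited. If they do not, the edit window is showing you something it never wrote to the directory, which is exactly the symptom described above, and no amount of waiting or gpupdate on the client will help until the console is closed and the edit redone. Remote WMI to a Vista box needs the Windows Firewall remote administration exception enabled on that box.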

[EDIT] Well, so much for that... we had tested the hypothesis above and properly reproduced the results, but today GPMC changed its behaviour. It now updates workstations after hitting the Apply button, without the need for a restart. We tried for two hours to break the darn thing... Oh well, I guess the headline still holds true: don't trust it! [/EDIT]

There is one additional bit of GPMC goodness that I would like to direct you to. Microsoft recently released a Windows Vista Service Pack 1 Beta white paper, which contains the following text:
Beta testers will find that after installing Windows Vista SP1, they no longer have access to GPMC, and that the new, enhanced version of GPMC has not yet been released. In this case, administrators can continue to edit Group Policy by opening a remote desktop session directly to the server or to a PC running the release to manufacturing (RTM) version of Windows Vista.
I find it interesting that SP1 removes GPMC before a replacement is even available. This suggests to me that Microsoft is already aware that the Vista version of GPMC has some serious issues. Unfortunately, if you have implemented any ADMX templates to support your Vista environment, you have no choice but to continue using Vista's GPMC, so be sure to keep a non-SP1 (RTM) Vista desktop around until a replacement is made available; as the white paper itself suggests, a Remote Desktop session to that machine will do for day-to-day editing.
