Windows Vista Improves Desktop Management
Jun. 26, 2006
To ensure that administrators can centrally manage Windows Vista-based computers, Microsoft will make substantial improvements to desktop management features such as Group Policy. Although these features have been a part of the OS since Windows 2000, Microsoft still has room for improvements that can reduce the total cost of ownership of Windows. But using them still requires careful planning, because setting a policy for one purpose might impact other functions. For instance, disabling USB flash drives to control unauthorized copying of data will also disable use of these drives for BitLocker Drive Encryption or Windows ReadyBoost.

Improved Management Tools

With Vista, Microsoft has made substantial improvements to Group Policy, which provides an infrastructure for the centralized configuration of Windows and applications by allowing administrators to override per-computer and per-user Registry settings; the Task Scheduler, which can be used to start and control scheduled administrative tasks; and the Event Viewer, which allows administrators to examine event logs to monitor the health of systems and troubleshoot problems.

Group Policy Improvements

Without Group Policy, it is hard for an organization to deliver, support, or make changes to desktops configured with a defined set of software and settings. Improvements to Group Policy in Vista give administrators control over more settings, more efficient management of network connectivity, and the ability to apply and manage computer policies for global organizations.

New and expanded settings. Prior to Vista, Group Policy could manage approximately 1,700 Windows settings. With Vista and the next version of Windows Server (code-named Longhorn and due in 2007) that number will increase by more than 500 to approximately 2,500 settings. However, some Vista components, most notably the Media Center interface for working with digital audio and video, which is part of Vista Ultimate, still cannot be managed by Group Policy. Examples of new settings in Group Policy include the following:

However, using some of the new Group Policy features will require planning and coordination, and implementing them can be quite complex. For example, an organization could choose to use Group Policy to disable USB ports to ensure that flash drives are not used to remove confidential information. But disabling these ports also means the drives cannot be used with other Vista features, such as BitLocker Drive Encryption, which protects the data on a laptop from unauthorized disclosure should the computer be stolen. In addition, ReadyBoost allows a USB drive to cache commonly used files and applications for faster retrieval—if the USB port is enabled. (For details on BitLocker, see "Vista BitLocker Encrypts Windows Volume" on page 3 of the June 2006 Update.) In addition, creating the policy to block device installation is complex. The policy must be applied to the correct hardware ID (which is used to match device drivers to physical and logical devices) or device class (which is used to identify groups of similar devices, such as all CD-ROM drives).

Network Location Awareness. The Network Location Awareness (NLA) service in Vista lets Group Policy adapt on the fly to changing network environments. Prior to Vista, Group Policy was applied only when a computer started or a user logged on to Windows. With NLA, Group Policy can also be applied when a computer's status or network changes, such as when the computer wakes from hibernation or standby, establishes a virtual private network session, or when a laptop is placed into a dock. Group Policy can also use NLA to determine the bandwidth of a network and will no longer use the Internet Control Message Protocol (ICMP) (the "ping" command) to check network connectivity with a domain controller and Active Directory. As a result, Group Policy can now be applied even if firewalls restrict or filter ICMP traffic. Another scenario that works better because of NLA is computers connected by high-bandwidth, high-latency links, such as satellite connections, which had the capacity to apply Group Policy but were misdiagnosed by the ping test as low-bandwidth connections.

New administrative template format. Administrative template files (.ADM) previously used a proprietary file format to describe Registry-based policy settings. Vista will use an XML-based format (.ADMX) and will divide policy information into language-neutral and language-specific resources. This allows Group Policy tools to adjust their user interfaces according to the administrator's configured language; adding a new language to a set of policy definitions requires only a language-specific resource file. For example, an administrator can create a Group Policy Object (GPO) to manage a collection of users or computers from a Vista administrative workstation configured for English. A colleague in Paris can select the GPO created in English and view and edit the policy settings in French. The original Group Policy administrator will still see all the settings, including the changes from the French administrator, in English.

Task Scheduler Improvements

The Task Scheduler in Windows XP and Windows Server 2003 is restricted to using the date and time to start tasks. In Vista, Task Scheduler gains more flexible actions, including triggers, conditions, and improved security. (For an illustration of the new Task Scheduler, see "Windows Vista Task Scheduler".)

More triggers. Vista Task Scheduler can use new types of triggers to start tasks. New triggers include events in the event log, the computer becoming idle, boot or log-on, or session state changes (such as when the workstation is locked or a Terminal Services session starts).

Conditions. Vista Task Scheduler can use conditions to control a task—for example, it can launch a program at a specific time only if the network is available as determined by NLA, or take a particular action at startup only if the computer is not running on its battery.

Start multiple tasks. Multiple tasks can now be synchronized, either by running multiple actions sequentially in a single task or by chaining tasks together, using events fired by one task to launch another. This synchronization enables complex scenarios like "once a week, when the computer is not running on battery, first check the disk, then run a disk cleanup, then compress some files, and finally back the files up to a network file server."

Security. Each set of tasks in Vista Task Scheduler runs in a specific security context and starts in a separate session. Tasks executed for different users are launched in separate sessions in complete isolation from one another and from tasks running in the system context. This makes it less likely that an attacker can use a scheduled task to take complete control of the system by compromising an executable running in that task.

Event Viewer

The Event Viewer is a Microsoft Management Console snap-in that lets users and administrators examine the event logs. The Vista Event Viewer makes it easier to examine logs because it now supports cross-log queries and reusable views. (For an illustration, see "Windows Vista Event Viewer".)

Cross-log queries. Event Viewer supports cross-log queries, making it easy to generate views of all events potentially related to a single issue from multiple log files, such as the System and Application logs. For example, a view could be created to show all the critical events in the System, Application, and Security logs that occurred in the last hour.

Reusable views. Finding critical events in the event logs can be the troubleshooting equivalent of finding a needle in a haystack. With Vista, the Event Viewer supports reusable views, so that once an administrator has sorted and filtered events in a particular view, she can save the view for future use and even move the view to another computer to examine its event data the same way. Event logs now use a documented XML format, which could simplify creation of external monitoring tools that interpret the logs. However, the XML format does not by itself improve the content of the event records, which often lack meaningful or immediately actionable information about the problem.

Improvements for Roaming Users

Since Windows 2000, the OS has also included support for Roaming User Profiles (RUP), which ensure that the data and settings in a user's profile are copied to a network server when the user logs off so that they are available to the user from any computer on the network. Another existing feature, Folder Redirection (FR), allows the user to redirect certain folders, such as My Documents, from his desktop to a server. However, using these features to move or roam among multiple computers has often been inefficient and frustrating.

Vista improves on the roaming experience by moving critical elements of the user's profile first, so that the user can begin working while the remaining elements and documents transfer in the background. It also provides more granular control over which documents are moved. For example, a user can elect to move files in the My Documents folder without having to move the less relevant files in My Music and My Pictures (which in Vista have been renamed Documents, Music, and Pictures).

In addition, FR combined with Client-Side Caching (CSC) uses several techniques to reduce the hassles associated with redirection. First, rather than holding a document on the server open for both reads and writes, Vista FR with CSC can use the local cache for reads and send only writes to the server copy. When no network connection to the server is available, FR with CSC can provide a visual indication (a "ghost") of files located on the server. Finally, FR with CSC can speed synchronization between client and server by moving only changes to the document (Delta Sync), rather than the entire document.

Availability and Resources

A summary of the new or expanded Group Policy settings in Vista and Longhorn Server is available at www.microsoft.com/technet/windowsvista/library/gpol/a8366c42-6373-48cd-9d11-2510580e4817.mspx?mfr=true. A step-by-step guide on using Group Policy to control device installation and the use of hardware such as USB flash drives is at www.microsoft.com/technet/windowsvista/library/9fe5bf05-a4a9-44e2-a0c3-b4b4eaaa37f3.mspx. The new Windows Task Scheduler in Vista is described at www.microsoft.com/technet/windowsvista/mgmntops/taskschd.mspx. Management and operations information about Windows Vista can be found at www.microsoft.com/technet/windowsvista/default.mspx.
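The cross-log view described in the Event Viewer section (critical events from the System, Application, and Security logs in the last hour), implemented as an added Python example over constructed Vista-style XML event records; this is not code from the article or from Microsoft, and the provider name, computer name, event IDs, and timestamps are made up for the example.

```python
# Cross-log query over Vista-style XML event records (added example, constructed data).
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CRITICAL = 1  # <Level> 1 is Critical in the Windows event schema

def parse_system_time(value):
    """Parse TimeCreated/@SystemTime; Windows writes up to 7 fractional digits, %f takes 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)

def parse_event(xml_text):
    """Pull the fields a cross-log view needs out of one <Event> record."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    return {
        "channel": system.findtext("e:Channel", namespaces=NS),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "level": int(system.findtext("e:Level", namespaces=NS)),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "time": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
    }

def cross_log_query(events, now, channels=("System", "Application", "Security"),
                    level=CRITICAL, window=timedelta(hours=1)):
    """Events from any listed channel at the given level inside the time window, newest first."""
    cutoff = now - window
    hits = [e for e in events if e["channel"] in channels and e["level"] == level and e["time"] >= cutoff]
    return sorted(hits, key=lambda e: e["time"], reverse=True)

def sample_record(channel, record_id, event_id, level, system_time):
    """Constructed record carrying only the <System> block the query needs."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Constructed-Provider"/>'
            f"<EventID>{event_id}</EventID><Level>{level}</Level>"
            f'<TimeCreated SystemTime="{system_time}"/><EventRecordID>{record_id}</EventRecordID>'
            f"<Channel>{channel}</Channel><Computer>WORKSTATION01</Computer></System></Event>")

# Constructed sample logs; "now" is pinned so the example is reproducible offline.
NOW = datetime(2006, 6, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    sample_record("System", 1, 1001, 1, "2006-06-26T11:30:00.1234567Z"),  # critical, in window
    sample_record("Application", 2, 2002, 2, "2006-06-26T11:45:00.000Z"),  # error, not critical
    sample_record("Security", 3, 3003, 1, "2006-06-26T09:00:00.000Z"),     # critical, too old
    sample_record("Application", 4, 2003, 1, "2006-06-26T11:59:30.500Z"),  # critical, in window
    sample_record("Setup", 5, 4004, 1, "2006-06-26T11:50:00Z"),            # channel not in view
]

def critical_last_hour(xml_records=SAMPLE_RECORDS, now=NOW):
    """The article's example view: critical events across three logs in the last hour."""
    return cross_log_query([parse_event(x) for x in xml_records], now)
```

Running `critical_last_hour()` returns records 4 and 1 (newest first); the error-level, too-old, and Setup-channel records are filtered out, which is the same selection the saved Event Viewer view would make.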