Sunday, September 2, 2007

Windows Vista SP1 Will Uninstall Group Policy Management

Probably in response to a few users' bewilderment over the seemingly unrestricted accessibility of what had actually been one of Windows Vista's most requested new security tools, Group Policy Management Console, Microsoft announced today that the act of installing Vista Service Pack 1 will simply delete the tool altogether.

"Administrators requested features in Group Policy that simplify policy management," reads a white paper released by Microsoft this afternoon. "To do this, the service pack will uninstall the Group Policy Management Console (GPMC) and GPEdit.msc will edit local Group Policy by default."

Last November, I chronicled the addition of GPMC to Vista in a Reference Guide page for InformIT. There, in reference to Microsoft having not yet edited its own documentation from the XP era, I made a comment that I will now have to edit for a future revision: "GPMC is definitely on your Vista machine; you don't have to download it."

Although the white paper did not say so explicitly, GPMC will probably continue to be available for free download from Microsoft, and that will likely remain true when GPMC is revised. (The new version of GPMC is being tested now along with Beta 3 of Windows Server 2008.) UPDATE: WS2K8's release was delayed until the first quarter of next year, Microsoft announced this morning.

But as we learned all through the testing period for Monad - later "Microsoft Command Shell," later PowerShell - whether a component is shipped with the operating system or instead made freely available "offline" makes all the difference with respect to what a consultant is required to know in order to receive certification. It also impacts the extent to which published documentation, both by Microsoft and others, includes references to a topic. Throughout the XP era, many Professional Edition users were wondering when group policies would be added to the basic operating system, only to be astonished to learn from the Internet someplace that they were already there to begin with.

As independent developer Derek Melber wrote for Redmond Channel Partner magazine back when Vista was released last January, Microsoft's choice to include GPMC in the shipping versions of Vista was supposed to have been a dream come true for admins, especially those who had to put up with "offline" availability only.

"Most of you reading this article likely use the GPMC every day when you work with GPOs," Melber wrote. "However, there are plenty of administrators that have been reluctant to embrace the GPMC. Many complaints surrounding the GPMC stem from it not being included with the operating system. Consequently, many have the mindset that it must not be important or reliable. But because the GPMC actually is one of the most important tools you need to administer your GPOs, Microsoft decided to put it in every installation of Vista. The company also plans to put it in Longhorn Server when that product becomes available."

Since Vista's release, there have reportedly been some complaints about Microsoft having included something as powerful as GPMC in relatively full reach of the everyday user, who could conceivably learn how to override policies set by the admin. There were, however, obvious solutions to that problem, one of which included using GPMC to create a default GPO that prohibits GPMC's use by non-authorized accounts. Another involves serious account policing, and a third compels admins to actually pay attention to their logs, where an override of a GPO would undoubtedly be recorded in detail.

Inevitably, there may come complaints from others who will fault GPMC's absence from Vista SP1 as being partly responsible for some security vulnerabilities, as its presence may be key to patching some obvious holes. Security engineer Jesper Johansson wrote about one such GPMC use last September, specifically with regard to an acknowledged vulnerability that enabled Windows Shell to execute non-authorized code remotely.

Johansson advised that users and admins could stop the problem immediately, in advance of a patch from Microsoft, by using GPMC to change the permissions for ActiveX controls so that they could not execute certain code remotely.

GPMC's removal from Vista does not mean group policies will stop running there, only that they're expected to be administered from Windows Server. But today, Microsoft's stance on the removal is that you asked for it.

"The goal of Windows Vista SP1 is to address key feedback Microsoft has received from its customers without regressing application compatibility," its white paper reads. "Windows Vista SP1 will deliver improvements and enhancements to existing features that significantly impact customers, but it does not deliver substantial new operating system features." In fact, it will certainly deliver at least one less feature than it did before.

Taken from BetaNews

