What's new in Vista Group Policy?

Vista offers 800 new Group Policy settings, some that pertain to added features and others that enhance control over features carried over from Windows XP. Deb Shinder offers a detailed look at some of Vista's more interesting Group Policy additions: access to removable media, power management, and User Account Control policies.
By Debra Shinder, Contributor
This gallery is also available as an article and PDF download.

Group Policy in Vista adds hundreds of settings, giving administrators more control than ever over users and computers. Some of these settings pertain to Vista's new features, and others add more control over features that were carried over from XP.

Let's look at what you can do with some of the more interesting new Group Policy settings in Vista. You can download a spreadsheet containing all of the Group Policy settings for computer and user configuration that are included in the administrative template files that ship with Vista from the Microsoft Web site. Note that administrative template files in Vista use a new XML-based file format (.ADMX).
Removable devices such as USB thumb drives, flash memory card readers, and external USB hard disks, as well as CD and DVD writers and even the venerable floppy disk drive, are extremely convenient for transferring data between two computers.

Unfortunately, they can also pose a big security problem for companies: Users can easily download data that shouldn't leave the company networks to a removable device and take it with them or they can upload data from a device and unknowingly introduce viruses or malware to the company computer.

In the past, some companies went so far as to physically destroy USB ports by filling them with epoxy or some other substance. A less drastic measure was to disconnect the USB ports inside the computer and remove optical drives capable of burning discs. You could buy third-party software to allow you to enable or disable access to USB devices, CD/DVD writers, etc. Or you could create a custom .ADM file to block usage of these devices in XP. Vista makes it much easier.

Here's what you do to apply a policy controlling access to removable media to the local Vista computer:

  1. Click Start | Control Panel | Administrative Tools.
  2. Select Local Security Policy.
  3. In the Local Security Policy console's left pane, under Computer Configuration, expand Administrative Templates and click System.
  4. Scroll down in the right pane and double click Removable Storage Access, shown here.

You can select from a number of choices, depending on what type of removable storage you want to control. For example, you can deny access to all removable storage classes by double-clicking the right pane item All Removable Storage Classes: Deny All Access. In the properties box, select the Enabled option.

Businesses have asked for a way to control the power management settings within Windows for quite some time. There are third-party products available that will let administrators centrally control these settings, but that entails extra cost and installation of software. In Vista, companies can establish policies governing power management to save money on the cost of electricity.

The Power Management node in Vista Group Policy, located in the same Administrative Templates folder as the Removable Storage Access node discussed above, contains several subfolders for applying policies to different aspects of power management.
The Button Settings folder contains eight policy options:
  • Select the Power Button action when the computer is plugged in
  • Select the Sleep Button action when the computer is plugged in
  • Select the Start Menu Power Button action when the computer is plugged in
  • Select the Lid Switch action on portables when the computer is plugged in
  • Select the Power Button action when the computer is on battery power
  • Select the Sleep Button action when the computer is on battery power
  • Select the Start Menu Power Button action when the computer is on battery power
  • Select the Lid Switch action on portables when the computer is on battery power

The possible actions you can assign to each of the buttons are:

  • Take no action
  • Sleep
  • Hibernate
  • Shut down

Double-click the button item you want to configure and select the Enabled option. Then, select the action from the drop-down list.
The Notification Settings folder allows you to configure the following policies:
  • Critical battery notification action
  • Low battery notification action
  • Critical battery notification level
  • Turn off low battery user notification
  • Low battery notification level

Using these policies, you can set the levels at which notifications will be triggered (low and critical levels). When a level policy is enabled, you specify the value as a percentage of remaining battery capacity (for example, 10 if you want notification when the battery has 10 percent of its full capacity remaining). This setting is shown here.

The notification action policies allow you to specify what the computer should do when it reaches the low or critical level set in the level policies. When you enable these policies, you can select from the following actions:

  • Take no action
  • Sleep
  • Hibernate
  • Shut down

One of the most prominent security improvements in Vista is User Account Control (UAC). There are nine policies in the Security Options folder that you can use to change the behaviors of this feature.

To change the settings, under the Computer Configuration node in the left pane of the Group Policy Object Editor, expand Windows Settings, then Security Settings, and then Local Policies. Now, click Security Options.
Here are the UAC-related policies you can configure in Vista:

  • Admin Approval Mode for the built-in Administrator account: If you enable this policy, the built-in Administrator account will log on in Admin Approval Mode, which means you'll be prompted to consent before elevation of privileges occurs. By default, this policy is disabled so that the built-in Administrator account (unlike other administrative accounts in Vista) logs on in XP-compatible mode; all applications can run by default with full administrative privileges. Enabling this policy increases security.


  • Behavior of the elevation prompt for administrators in Admin Approval Mode: By default, all administrators (except the built-in Administrator account) are prompted for consent before an elevation of privileges occurs. If you enable this policy, you can choose to increase security by requiring that administrators enter their credentials to elevate privileges or you can lower security by allowing elevation without prompting for credentials or consent. The choices are shown in the photo above.


  • Behavior of the elevation prompt for standard users: By default, those logged on with standard user accounts are prompted to enter administrative credentials to elevate privileges. If you enable this policy, you can choose to increase security by returning an access denied message when a standard user tries to perform an operation that requires elevated privileges.


  • Detect application installations and prompt for elevation: If you enable this policy, application installation packages that require elevation of privileges will be detected through a heuristic algorithm, and the configured elevation prompt will be triggered.


  • Only elevate executables that are signed and validated: This policy allows you to increase security by enforcing PKI signature checks on interactive applications that request elevation of privileges. By default, PKI certificate chain validation is not enforced.


  • Only elevate UIAccess applications that are installed in secure locations: If you enable this policy, UIAccess applications will not launch unless they're stored in a secure location. Secure locations include the Program Files directory, the Windows\System32 directory, and the Program Files (x86) directory. This policy is enabled by default, but you can disable it if you want UIAccess applications stored in other locations to be able to run.


  • Run all users, including administrators, as standard users: This policy is enabled by default and is the heart of Vista's UAC protection. If you disable this policy, all UAC policies will be disabled and security is decreased. You must reboot for a change in this policy to take effect.


  • Switch to secure desktop when prompting for elevation: This policy is enabled by default; when elevation is requested, the desktop locks down and no applications can interact with it. You can disable this policy to cause elevation requests to display on the normal interactive desktop, but this reduces security.
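
An added example, not part of the original article: a PowerShell audit of the registry values that back the UAC policies listed above and the All Removable Storage Classes: Deny All Access policy from the removable-media section. The registry paths, value names and data meanings are not given in the article and are assumptions based on Microsoft's documentation of these policies; the function name `Test-PolicyBaseline` and the sample data are constructed for illustration.

```powershell
# Added example. Registry paths and value names are assumptions, not taken from the article.
$SystemKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$StorageKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Review = data that corresponds to the less secure state the article describes.
$Checks = @(
    @{ Policy = 'Admin Approval Mode for the built-in Administrator account'; Key = $SystemKey; Name = 'FilterAdministratorToken'; Review = @(0) }
    @{ Policy = 'Elevation prompt for administrators in Admin Approval Mode'; Key = $SystemKey; Name = 'ConsentPromptBehaviorAdmin'; Review = @(0) }  # 0 = elevate without prompting
    @{ Policy = 'Elevation prompt for standard users'; Key = $SystemKey; Name = 'ConsentPromptBehaviorUser'; Review = @() }  # reported for information only
    @{ Policy = 'Detect application installations and prompt for elevation'; Key = $SystemKey; Name = 'EnableInstallerDetection'; Review = @(0) }
    @{ Policy = 'Only elevate executables that are signed and validated'; Key = $SystemKey; Name = 'ValidateAdminCodeSignatures'; Review = @(0) }
    @{ Policy = 'Only elevate UIAccess applications in secure locations'; Key = $SystemKey; Name = 'EnableSecureUIAPaths'; Review = @(0) }
    @{ Policy = 'Run all users, including administrators, as standard users'; Key = $SystemKey; Name = 'EnableLUA'; Review = @(0) }
    @{ Policy = 'Switch to secure desktop when prompting for elevation'; Key = $SystemKey; Name = 'PromptOnSecureDesktop'; Review = @(0) }
    @{ Policy = 'All Removable Storage Classes: Deny All Access'; Key = $StorageKey; Name = 'Deny_All'; Review = @(0) }
)

function Test-PolicyBaseline {
    # $Values: optional hashtable of value name -> data, used for offline runs.
    # When it is omitted, the live registry of the local computer is read.
    param([hashtable]$Values)
    foreach ($c in $Checks) {
        if ($null -ne $Values) { $data = $Values[$c.Name] }
        else { $data = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name) }

        if ($null -eq $data)               { $status = 'NotSet' }   # policy not configured
        elseif ($c.Review -contains $data) { $status = 'Review' }   # less secure state
        else                               { $status = 'OK' }

        New-Object PSObject -Property @{ Policy = $c.Policy; Value = $c.Name; Data = $data; Status = $status } |
            Select-Object Policy, Value, Data, Status
    }
}

# Constructed sample: administrators elevate without a prompt, the secure desktop
# is switched off, and the removable storage policy is not configured.
$Sample = @{
    FilterAdministratorToken = 0; ConsentPromptBehaviorAdmin = 0; ConsentPromptBehaviorUser = 1
    EnableInstallerDetection = 1; ValidateAdminCodeSignatures = 0; EnableSecureUIAPaths = 1
    EnableLUA = 1; PromptOnSecureDesktop = 0
}
Test-PolicyBaseline -Values $Sample | Format-Table -AutoSize
```

Calling `Test-PolicyBaseline` without `-Values` reads the local registry instead of the sample; a `NotSet` row means the value is absent and the operating system default applies.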
