RSAT: Windows Server 2008 Remote Server Admin Tools

In response to reader requests for information about Windows Server 2008 Remote Server Administration Tools (RSAT) for Windows Vista SP1, I talked with Jason Lesnek, a senior product manager for Windows Vista management. (Watch for technical drilldown articles on RSAT in upcoming issues of Windows IT Pro.)

RSAT, Jason explained, “is the collection of Windows Server 2008 administrative tools packaged as a download to be run by an IT pro on a Windows Vista SP1 machine. RSAT is an updated version of AdminPack.msi [Windows Server 2003 Administration Tools Pack] and is designed for the Windows Server 2008 toolset. RSAT is available in both a 32-bit and 64-bit version for Windows Vista SP1.” RSAT tools support a full installation of Server 2008, as well as Server Core.

Jason pointed out that “several of the RSAT tools will run in a pure Windows Server 2003 environment.” Specifically, with Windows 2003, you can use only the following RSAT tools: Active Directory Domain Services (AD DS); AD Lightweight Directory Services (AD LDS); AD Certification Authority; DHCP; DNS; Terminal Services; Universal Description, Discovery, and Integration (UDDI) Services; Group Policy Management; and Network Load Balancing (NLB). (For a list of RSAT tools, as well as information about known technical issues, see “Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1,” at support.microsoft.com/kb/941314.)

Group Policy Features
According to Jason, “The biggest thing that RSAT delivers is the new functionality in the Group Policy tools. We shipped Windows Vista with the Group Policy Management Console [GPMC]. We removed that with SP1 to provide an updated version with the RSAT toolset.”

In particular, Jason said, “we provided search and filter capabilities. We publish a spreadsheet we keep up to date whenever there’s a new service pack or OS release. That spreadsheet lists all the Group Policy settings that ship in the release. To find a Group Policy setting, you can launch the spreadsheet and do a search. Also, within the Group Policy editor itself, you can now right-click on a node and apply a filter. That filter could mean applying a specific OS version, a component, or a keyword. For example, I could search for ‘power management,’ and get a list of all the Group Policy settings that include ‘power management.’”

Another customer-driven feature Jason pointed out “is that I can make my Group Policy setting and then apply comments to it—including, for example, the reason why I made the setting what I did. So if other IT pros in the organization have to edit the Group Policy, they can look at the setting and see why it was enabled. They can see that Jason had to do this because of a management directive, or data compliance, or whatever.”

Group Policy Preferences
“The other big component” of RSAT that Jason highlighted “is Group Policy Preferences. It extends the reach of Group Policy. Depending on what type of setting it is, Group Policy allows you to set up a configuration that gets applied whenever Group Policies are refreshed. It’s applied either through a registry setting that the application is looking for, or its own private client-side extension that knows how to process whatever the policy is. In most cases, the policy is not changeable. So the administrator can say, ‘I want the desktop screensaver to be turned on after 10 minutes,’ and the UI option for the end user is dimmed out or removed. Group Policy Preferences allows me to set the default, and let users go in and change it.”

For instance, Jason said, “If there’s a preference setting for how my Start menu should look, I can change it, but the administrator can decide whether that user change should be reset on the next Group Policy refresh or let the user change stand. In addition, I can map network drives, add network printers to machines lower than Windows Vista (we have that for Vista today), customize the Start menu, and put files on the desktop.”

Jason continued, “Administrators can do things directly through Group Policy and greatly reduce the content or the number of logon scripts. I may want to add a user to a Local Administrators group. With Group Policy, you can modify the Administrators group, but it actually does a replace. Instead of adding Jason to the Admin group, it replaces everyone in the Admin group with Jason. With Group Policy Preferences, I can add, replace, and remove—actually go in and touch a group and inject a user object into a group. I can also reset passwords very easily that way.”