September 04, 2008

Whitepaper on Group Policy Preferences

I've seen a lot of interest in Group Policy Preferences since its release, and a lot of confusion about whether you can use it if you don't have Windows Server 2008 in your environment (you can!) so I thought it would be useful to create a quick whitepaper on the basic requirements for this feature, and what things it can do. Check it out at the GPOGUY.COM Whitepaper page.

Enjoy!

 

Tags:

Group Policy Preferences, GPOGUY

September 01, 2008

Good article on Group Policy & Security Compliance

I thought this Information Week article did a good job of articulating the challenges of security compliance on Windows, and the use of Group Policy as the first line of defense here. Most folks have been using GP to lock down their desktop systems for a while now, but the reality is that Group Policy is THE mechanism for managing security configuration if your targets are Windows desktops and servers. However, there are challenges that folks have to deal with, as the article points out. Knowing whether policy actually worked across your environment, especially for sensitive security configurations, is a tough problem to solve. It's one of the reasons that we have been working to release the Group Policy Compliance Agent, which is a new product that will run on your Windows servers and desktops, and will collect vital statistics about GP processing. Most importantly, the agent will be able to optionally validate that settings that are reported by Resultant Set of Policy (RSoP) have actually been made successfully in the system's registry or security configuration. This will go a long way towards closing the loop between setting policy and hoping that it has actually applied, let alone being able to prove it to your auditors!

 

Tags:

Group Policy Compliance, SDM Software

August 28, 2008

Power Management in XP

I frequently find that a lot of folks have not yet discovered all of the cool new Group Policy management features that Group Policy Preferences brings to Windows. As a result, I thought it would be worthwhile to do a couple of blog items about some of these features. Today, I'll talk about Power Management.

When Vista shipped, Microsoft provided a way of controlling Vista Power options using Group Policy. Great! We're all concerned about energy use these days and, as my friend Brandon might say, I'm as big a "tree-hugger" as there is, so I like seeing these built-in features that make it easy to conserve power. But unfortunately, you had to be running Vista to take advantage of this control. That left all those millions of XP PCs out in the cold (or hot, as the case may be), with the only option to buy a 3rd party product or install the very useful, but somewhat heavy, EZ-GPO client service, sponsored by the US Government (http://www.energystar.gov/index.cfm?c=power_mgt.pr_power_mgt_ez_gpo).

However, with the release of Group Policy Preferences, you can now control power options on both a per-computer and per-user basis, natively within Group Policy, for XP (and Server 2003) systems. These options are under Computer (or User) Configuration\Preferences\Control Panel Settings\Power Options, within GP Editor. Within this section, you have the option to control both "Power Options" and "Power Schemes". Power Options include global settings like enabling hibernation, and setting the behavior of Windows when the user presses the shutdown or sleep button or closes a laptop lid.

The Power Schemes section is where you can define the active Power Scheme in effect on a machine, and configure the specific options for it, such as how long the display and hard drives will run during inactivity before powering down, depending upon whether they are plugged in or on batteries. You can also use this section to define new custom power schemes that are right for your organization!

And, since this is Group Policy Preferences, you also get the advantage of the item-level filtering feature, which means that you can target specific power schemes to just laptops or just desktops, within a single GPO. And of course, I can't fail to mention that the upcoming release of SDM Software's GPExpert(tm) Scripting Toolkit will support GP Preferences, so you can now automate power management policy changes using PowerShell or VBScript!

Very cool stuff for this tree hugger! I hope you take advantage of this new "in-the-box" feature!

 

Tags:

Group Policy, Power Management, XP, Group Policy Preferences

August 22, 2008

Picking up Computer Group Membership Changes without a Reboot

One of the irritating side effects of using Group Policy security group filtering on computers is that, if you change a computer's group membership, you either had to reboot the computer or wait the default 7 days for the computer's Kerberos ticket to expire before it picked up its new group membership. Recently however, there was a thread on the ActiveDir.org mailing list about this. Steve Linehan--resident AD smart guy at Microsoft--posted that in Server 2008, Microsoft added some switches to the klist.exe utility that you could use to force a refresh of the server's tokens, and thus pick up group membership changes without a reboot. The command format for doing that is:

klist -li 0x3e7 purge

You have to run this command from an elevated prompt on Server 2008. Unfortunately, on Vista, klist is not included, though Steve mentioned that Vista has all the plumbing to support it. I tried the easy route--which was simply copying klist.exe from Server 2008 to Vista, but it failed with resource errors, so I suspect something else is missing.

Of course, this approach is all great, but what about those Server 2003 boxes you have that need to pick up group membership changes, but that you can't reboot? Well, thanks to a comment by Dean Wells on this thread, I did some experimenting and there is a way to do this on Server 2003 (and presumably XP as well)! First off, you need to get hold of klist.exe from the Server 2003 Resource Kit Tools. Once you have that on your 2003 box, you need to fire up a command shell running as localSystem. The easiest way to do that is to simply use the AT.exe task scheduler command line to run a command shell. Because AT runs as localSystem, the resulting command shell that is opened up is also running as localSystem. So, for example, if right now it's 15:30 and I want to open up my command shell at 15:31, I would type:

AT 15:31 /interactive cmd.exe

That means that in one minute, a command shell will appear on my server console running as localSystem. Once I've got that, I simply need to use the following syntax with klist:

klist purge

When you do that, you will likely see a y/n prompt for each ticket. Simply say y to each one and once it's done, the machine should now know about its new group membership. I tested this by setting a GPO to deny a particular computer group. I ran klist purge and then gpupdate /force and sure enough, the policy settings I had denied were removed!
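The Server 2008 version of this procedure, scripted end to end as an added example (this is not code from the original post): it purges the computer account's tickets, re-runs computer policy, and then uses gpresult to confirm which GPOs and security groups the computer now sees. It assumes Windows Server 2008 (where klist.exe is in-box) and an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post. Refreshes the computer account's
# Kerberos tickets on Windows Server 2008 so that a change to the computer's
# security-group membership is picked up by Group Policy security filtering
# without a reboot. Assumes klist.exe is in-box (Server 2008) and that this runs
# from an elevated PowerShell prompt.

function Invoke-ComputerTicketRefresh {
    # 0x3e7 (decimal 999) is the logon ID of the local SYSTEM logon session. The
    # computer account's TGT is cached there, and the group SIDs in that ticket's
    # PAC are what security filtering on the computer side is evaluated against.
    $systemLogonId = '0x3e7'

    Write-Host "=== Computer account tickets before purge ==="
    klist -li $systemLogonId

    # Discard the cached tickets; the next request obtains a fresh TGT that
    # reflects the computer's current group membership.
    klist -li $systemLogonId purge

    # Re-run computer policy processing so the new group list is used when the
    # GPOs are filtered. /force re-applies GPOs even if nothing changed.
    gpupdate /target:computer /force

    # Verify: gpresult lists the GPOs that applied and the security groups in
    # the computer's token. A GPO denied to the newly joined group should now be
    # missing from "Applied Group Policy Objects" (or listed as filtered out).
    gpresult /r /scope:computer
}

Invoke-ComputerTicketRefresh
```

On Server 2003 the same sequence applies with the Resource Kit klist.exe, run from the localSystem command shell described above and with plain `klist purge` (that build does not take the -li switch); use `gpresult /scope:computer` there, since the `/r` switch arrived with Vista. One caveat worth knowing before running this on a busy box: purging the SYSTEM session's tickets also discards the service tickets held by services running as the computer account. They are reacquired on the next request without any intervention, but a maintenance window is the sensible place for it.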

Thanks to Dean Wells for this tip--it's a great one!

Tags:

Group Policy, Computer Groups, Klist

July 30, 2008

Enjoying Vista? Sure, why not.

I suppose the din of Vista haters has been increasing lately to the point where I've actually noticed it. Last week, I read a blog post from my good buddy Jackson Shaw, who expressed his frustrations over Vista and IE7. And of course the technology press and analysts have been all over the apparent lack of "goodness" in Vista, what with analysts trying hard to outdo each other about recommending or not recommending organizations go to Vista. Well, and then there are those silly Mac ads that have been on forever. I like the Mac, but come on.

In any case, I figured I would break from my summer blogging hiatus to briefly blog about my own Vista experiences. Of course, as a Windows technology person, someone who writes and develops for Windows, I'm going to have a particular viewpoint about things, but I wanted to try and blog as objectively as possible about my own experiences. I've been using Vista now for almost two years. I think I first installed it on my primary desktop machine when the first RC came out and have been running it steadily ever since. Here are some highlights:

  • I'm running it on a Dell server box that has a 16-bit video card wedged into an 8-bit slot (don't ask). In all the time I have had it on this box, I have not had one crash or blue screen. And I install a heck of a lot of crap on my machine (add/remove programs currently reports 197 applications installed!)
  • Application incompatibilities have been minimal. For those apps that did not work, I was generally able to work around it or get updates for the apps
  • Driver availability has been good. The only thing I was not able to get working, was an old Motorola bluetooth adapter, and frankly I haven't tried it again since SP1.
  • The biggest gripe I've had with older versions of Windows is that, over time, they would get what I called "bit rot". Basically with more stuff installed and more crap on the hard drive, they would get slower and slower, to the point that I would typically have to re-image every year or so, which, I can tell you, is no fun with the amount of stuff I have on a typical system. I have not yet re-imaged my Vista system after almost 2 years and, while it's not as zippy as it first was, it is still performing quite well. I will likely re-image it sometime in the near future, just to clear out some of the flotsam, but it won't be because it has slowed to a crawl.
  • From a usability perspective, I turned off Aero Glass a while back, after I got over the gee-whiz factor, and have not seen a need to have partially transparent windows since then. In fact, most of the whiz-bang UI things I rarely use or need. The things I need the most, which are apps to just run and for the desktop as a whole to respond quickly, happen consistently. The big thing I hated about XP, were those inexplicable hangs where the whole desktop would just decide to take a lunch break. I have had little to none of those on Vista. The only thing it occasionally does, which bugs the heck out of me, is fail to respond to my urgent requests to end some task. It seems to have to think about it, then try to tell Microsoft all about it before letting me do something. I would prefer a little less of that and a little more kill, kill, kill.
  • Perhaps my biggest gripe of Vista is UAC and mostly because of the kind of work I do. I don't like that, even as an administrator, UAC seems to block me from doing certain things unless I elevate privileges. And, whenever I build software intended for Vista, I have to worry about and work around customer problems with UAC. Usually, if something isn't working, I tell the customer to make sure they are doing whatever they are doing from an elevated prompt, but that's a pain. They need to make it easier for me to build apps that do that for them. Also, installations--I don't want to have to always fire up an elevated command prompt whenever I want to make sure an installation is really working. Frankly, some of this may be my own lack of knowledge about how UAC works under the covers, but it's just too complicated for my tastes.
  • The other dev related issue I have with Vista is very particular. They have made it too hard for applications to store per-computer application-related data that a normal user can write to. If I don't want to put app data in per-user locations then I'm stuck trying to work around the tighter permissions and UAC. That's a pain and I don't like it.

So, that sums up my Vista experiences. Overall I think Vista is a big improvement--from a speed, stability and security perspective, over XP. Just a few tweaks here and there and I think it would be a great OS. What do you think?

Tags:

Windows Vista

 

July 14, 2008

GPOGUY.COM has Changed!

Just a quick note to everyone out there that if you visit www.gpoguy.com as of today, you will see some pretty big changes on the site! We've partnered with the guys over at activedir.org, home of the very popular and very cool Active Directory mailing list, to make gpoguy.com a much better resource for Group Policy information. I hope you all like the new look! Drop me a line if you have any comments or feedback on it. I'll be fleshing it out with more content over the next months as well. We'll also be introducing a cool new service soon that anyone with a need for Group Policy information will really appreciate. More information on that soon!

Darren

 

Tags:

Group Policy, GPOGUY.COM, ActiveDir.org

July 02, 2008

New Version of GPMC PowerShell Cmdlets Released!

Well, we've released a new version of our GPMC PowerShell cmdlets--version 1.2. This new version represents a significant upgrade to the existing cmdlets. The biggest change is that we incorporated new functionality that became available in the version of GPMC that shipped with Vista SP1 and Windows Server 2008. As a result of those significant GPMC changes, we had to break the cmdlets into two separate download packages--one package for Vista SP1 and Server 2008 users and the other for earlier platforms. In general, the main differences between the two downloads are that the package for Vista SP1 and 2008 supports some features like managing "Starter GPOs" and some other new capabilities that the older version of GPMC does not support. But both packages have added some cool new features, such as better pipelining support between cmdlets and support for creating GP Settings and RSoP reports. The pipelining support is especially interesting for those of you out there looking to fully automate your GP Management tasks. In earlier versions of the cmdlets, whenever you got a reference to a GPO or created a new GPO, you could not easily pipe the output of that to another cmdlet. The reason for this is that the objects that the cmdlets emitted were COM Interop types that did not appear as useful objects to the PowerShell pipeline. As a result, we have modified the default output of many of these Get- cmdlets to emit custom objects that are more easily piped to other cmdlets. For example, now you can create a GPO and link it in one fell swoop, like this:

new-sdmGPO "Marketing Stuff" | add-sdmgplink -Scope "OU=Marketing,DC=Cpandl,DC=com" -Location -1

If you do still need access to the COM interop types, then there is now a -Native parameter on cmdlets that emit these custom objects so that you can revert to the old 1.1 behavior if needed.

The following are the rest of the release notes on the new 1.2 version. Check them out and let us know what you think!

*******************************************************************

Release Notes for SDM Software's GPMC PowerShell Cmdlets, v1.2

July 2, 2008
-------------
#Added -Native parameter to a number of the get- cmdlets, including get-SDMGPO. In version 1.1, these cmdlets emitted native GPMC COM Interop types, which could not be sent to the pipeline successfully. As a result, all of the cmdlets in this release that support the -Native parameter now, by default, emit custom object types to work better with the pipeline. If you need the native GPMC object types, then use the -Native parameter.

#Added 9 new Cmdlets, including:

Add-WMIFilterLink: Links an existing WMI filter to a GPO
Copy-SDMStarterGPO: Copies an existing Starter GPO to a new Starter GPO (Server 2008 and Vista SP1 only)
Get-SDMStarterGPO: Retrieves a reference to and information on a named Starter GPO (Server 2008 and Vista SP1 only)
Get-SDMWMIFilter: Retrieves a reference to and information on one or all WMI Filters in a domain
New-SDMStarterGPO: Creates a new Starter GPO (Server 2008 and Vista SP1 only)
Out-SDMGPSettingsReport: Creates an XML or HTML GPO Settings report
Out-SDMRSOPLoggingReport: Creates an XML or HTML Group Policy Results report
Remove-SDMStarterGPO: Deletes a Starter GPO (Server 2008 and Vista SP1 only)
Remove-SDMWMIFilterLink: Removes any WMI Filter linked to a particular GPO

#Added a Name parameter to Get-SDMGPLink. This new parameter lets you search for links by GPO name in addition to SOM. So, you can provide a GPO name and get a list of all the places it's linked.

#Added a GPOID parameter to Get-SDMGPO. This new parameter lets you search for a GPO by GUID instead of by name. With this new parameter, you can use this cmdlet to effectively translate from GUID to Name and Name to GUID.
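An added example (not from these release notes or from SDM Software) that puts the v1.2 pipeline support and the new Name and GPOID parameters together in one script: it creates and links a GPO in one pipeline, audits every SOM where a GPO of a given name is linked, translates a GPO GUID to its object, and falls back to -Native when a raw GPMC COM object is needed. The cmdlet and parameter names are the ones listed above; the `DisplayName` property read from the custom object is an assumption, and the Default Domain Policy GUID is the well-known value for that GPO rather than something stated in the notes.

```powershell
# Added example, not from the SDM Software release notes. Uses the v1.2 GPMC
# cmdlets and parameters named in the notes (New-SDMGPO, Add-SDMGPLink -Scope
# -Location, Get-SDMGPLink -Name, Get-SDMGPO -GPOID, -Native). The DisplayName
# property read from the custom objects is an assumption; if your build names it
# differently, inspect the object with Format-List *.

# 1. Create a GPO and link it to an OU in one pipeline (this is the post's own
#    one-liner). -Location -1 appends the link at the end of the OU's link order,
#    i.e. at the lowest precedence among that OU's links.
New-SDMGPO "Marketing Stuff" |
    Add-SDMGPLink -Scope "OU=Marketing,DC=Cpandl,DC=com" -Location -1

# 2. Audit: list every SOM (site, domain, OU) where a GPO of this name is linked.
#    Handy when reviewing how far a security-sensitive GPO actually reaches.
Get-SDMGPLink -Name "Marketing Stuff"

# 3. Translate a GPO GUID to its object. GUIDs are what appear in Group Policy
#    event log entries and in the gPLink attribute on containers, so this is the
#    lookup you need when working backwards from a log to a GPO name.
$defaultDomainPolicyId = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # well-known GUID
$ddp = Get-SDMGPO -GPOID $defaultDomainPolicyId
"{0} -> {1}" -f $defaultDomainPolicyId, $ddp.DisplayName              # DisplayName assumed

# 4. When the raw GPMC COM object is required (for an interface method the
#    custom object does not surface), ask for the 1.1-style output explicitly.
$native = Get-SDMGPO "Marketing Stuff" -Native
$native | Get-Member -MemberType Method
```

The custom objects from step 1 and step 3 are what make the pipeline work; step 4 shows the escape hatch, and a COM object returned with -Native will not pipe cleanly into the other cmdlets, which is exactly the 1.1 behaviour the notes describe.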

***********************************************************************


Tags:

Group Policy, PowerShell, GPMC, SDM Software