
September 24, 2007

GPMC scripts download now available for Vista

If you're running Vista with GPMC pre-installed, you know that the one big difference between the Vista version of GPMC and the version you install from the MS download site onto XP is that the sample scripts the XP version provides are not to be found on Vista. Well, MS is now providing a separate download install of the GPMC scripts for Vista GPMC users. Cool.

 Tags:

Group Policy, GPMC, GPMC Scripts

more on the removal of GPMC from Vista, SP1

I've received a number of comments and have seen a number of blog postings subsequent to my blog posting about this topic. One of the reasons I mentioned that it was probably not a good idea to have GPMC on every system was that inherently anyone that could read a GPO (which includes any user or computer that can process a GPO) could easily back up those GPOs using GPMC without any special admin privileges. Adam Vero, on his blog, and "Evan", who posted a comment on my blog posting, note that even without GPMC, a regular user who can read a GPO can simply go out to SYSVOL and copy the contents of those folders and accomplish the same thing as a GPMC backup. While I generally agree with this, GPMC makes the process a heck of a lot easier. Don't get me wrong, a truly malicious user within an organization with the skill and the talent can do lots of fun things if they know enough about GPO. As an example, you might want to download the whitepaper I wrote when I was at DesktopStandard entitled, "How Secure is Group Policy?", which details quite a few ways that a properly credentialed user can get around GP.

However, my point was more that GPMC makes it easy for a regular user who is just curious to get information about Group Policy configurations within an organization without a lot of effort. Having access to SYSVOL and the GPT is not exactly an intuitive process, and to get a complete picture, they would also need to access the AD parts of GP, as some settings are stored there as well. In any case, the casual user might just be doing it because they want to be an IT administrator and so they decide to take a backup of the company's GPOs home to play with in their test environment. Yes, they can download GPMC from MS' website and do the same thing, but I think the point is that having it on every desktop machine makes it easier and creates more potential problems than it solves. My general approach is to not install administrative tools (or any code for that matter) on machines where they don't need to be installed, because who knows how they may be used or abused down the line.

 So, while this may not be the only good reason to remove GPMC from Vista, SP1, it is, from my perspective, a convenience that reduces the number of things I have to worry about within the desktop environment.

 Group Policy, GPMC, Vista SP1

September 20, 2007

free GUI tool for Server 2008 fine-grained password management

As you may have heard, Microsoft is finally providing the ability to have fine-grained password policies within a single AD domain. That means you can now have different password policies for different user groups within AD. This feature is described nicely in Jorge de Almeida's excellent blog entry.

Well, now our friends at SpecOps have come out with a free GUI tool for managing these new "PSO" objects in AD. This tool looks really nice so check it out!

It's a good alternative to Joe Richards' free command-line tool for managing PSO, called PSOMgr.

Despite the desperate need for doing this, the one thing that I don't like about the new fine-grained password policy is that it's a completely separate mechanism for managing password policy from the existing GPO-based method, which, by the way, is still in Server 2008. In the absence of fine-grained password policies set in AD, the default is still whatever you've defined on your domain-linked GPO. This can get confusing since you will need two mechanisms for determining effective password policy across all users. I think Jorge's advice in his blog is good--once you implement fine-grained password policies, implement them for all users so that you essentially don't need to care what Group Policy is doing with account policy anymore. That will simplify management of this stuff tremendously!
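The two-mechanism problem described above, modelled as an added example (not code from this blog, Microsoft, or any of the tools mentioned): it resolves each account's effective password policy and lists the accounts that still fall back to the domain-linked GPO. The resolution order (a PSO linked directly to the user beats group-linked PSOs, then the lowest precedence value wins, then the lowest GUID) is Active Directory's rule; the PSO names, accounts, groups and policy values are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from uuid import UUID

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int   # msDS-PasswordSettingsPrecedence: lower value wins
    guid: UUID        # objectGUID, used only to break precedence ties
    min_length: int
    users: frozenset = frozenset()    # accounts the PSO is linked to directly
    groups: frozenset = frozenset()   # groups the PSO is linked to

# Constructed values standing in for the account policy in the domain-linked GPO.
GPO_POLICY = {"source": "domain-linked GPO", "min_length": 7}

def resultant_pso(user: str, member_of: set, psos: list) -> Optional[PSO]:
    """Return the single PSO that applies to the user, or None if no PSO does."""
    direct = [p for p in psos if user in p.users]
    via_group = [p for p in psos if p.groups & member_of]
    candidates = direct or via_group      # group links count only without a direct link
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid))

def effective_policy(user: str, member_of: set, psos: list) -> dict:
    pso = resultant_pso(user, member_of, psos)
    if pso is None:                       # second mechanism: the GPO still decides
        return dict(GPO_POLICY)
    return {"source": "PSO " + pso.name, "min_length": pso.min_length}

def gpo_fallback_users(directory: dict, psos: list) -> list:
    """Accounts no PSO covers, i.e. where Group Policy still sets the password policy."""
    return sorted(u for u, g in directory.items() if resultant_pso(u, g, psos) is None)

# Constructed sample directory: three PSOs, three accounts.
PSOS = [
    PSO("Admins", 10, UUID(int=1), 15, groups=frozenset({"Domain Admins"})),
    PSO("Services", 20, UUID(int=2), 25, groups=frozenset({"Svc Accounts"})),
    PSO("Alice-Exception", 50, UUID(int=3), 10, users=frozenset({"alice"})),
]
DIRECTORY = {"alice": {"Domain Admins"}, "bob": {"Domain Admins", "Svc Accounts"}, "carol": set()}

if __name__ == "__main__":
    for name, groups in DIRECTORY.items():
        print(name, effective_policy(name, groups, PSOS))
    print("still on GPO account policy:", gpo_fallback_users(DIRECTORY, PSOS))
```

Note the alice case: a directly linked PSO wins even though its precedence number is worse and its minimum length is shorter than the group-linked admin PSO, which is the kind of surprise an audit like this is meant to surface.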

 

 

Tags:

Group Policy, Active Directory, Fine-grained Password Policy, SpecOps, Joeware

September 12, 2007

Group Policy Talks at NetPro's DEC 2008!

For those of you who have been to NetPro's DEC conference, you know that this is just about the best AD and MS Identity Management conference there is. Well, Group Policy is not left out at this year's upcoming DEC 2008 in Chicago (*TGINV!). For the 3rd year in a row, I'll be presenting at DEC--this time it will be 2 sessions on Group Policy. The first session is called "Automating Group Policy" and I'll focus on how you can use scripting (PowerShell & VBScript) to automate the management of Group Policy in your environment. The second session is called "Group Policy Performance". In this session I'll look at some of the design considerations that can affect the performance of GP processing and how you can "design for performance" when it comes to GP.

So, if you're thinking about a conference next year, I highly recommend DEC as a great place to pick up some solid AD and Group Policy knowledge. See you there!

 

*TGINV: Thank God It's Not Vegas

Technorati Tags

Group Policy, DEC, Netpro, Group Policy Scripting, PowerShell, Active Directory

 

 

September 10, 2007

Survey on future of Group Policy

Here's your chance to contribute some input to the future of Group Policy! The Microsoft Group Policy product team asked me to post this. They need input in the next two weeks so if you're so inclined, have at it!

 

The Microsoft Group Policy team would like to hear from you!  Please take a few minutes and complete the survey on how you use Group Policy to help Microsoft enhance the manageability Group Policy provides to your organization.  The survey can be found at http://www.surveymonkey.com/s.aspx?sm=mosdF9Z6WNKIJ76gL_2bxv4w_3d_3d and is completely anonymous.  The survey will remain open through Friday, September 28, 2007.  Thank you in advance for your time and input!

 

Technorati Tags

Group Policy

