12.31.07
Posted in General Stuff at 11:53 am by Administrator
I just wanted to take this time to wish everyone who is celebrating their new year tonight (or maybe already has celebrated!) a happy new year. 2008 should be a great year! 2007 brought many cool things, including the release of SDM Software’s first product in the GPExpert Troubleshooting Pak, as well as Windows Vista adoption hitting the mainstream. PowerShell also hit the big time in 2007, and I expect more great things from it going forward.
2008 should be better than ever! In the world of Group Policy, Microsoft will ship the Group Policy Preferences (nee DesktopStandard PolicyMaker) product early in 2008, which will open up a whole new area of desktop configuration management using Group Policy.
And, I look forward to bringing you more of what SDM Software has in store for Group Policy in 2008, including new and innovative products for better managing Group Policy backup and recovery, simplified policy-based desktop configuration management, new PowerShell stuff and more!
Best of luck to everyone in the New Year!
Darren
Tags: Group Policy, PowerShell, SDM Software, Microsoft
12.24.07
Posted in General Stuff at 7:18 am by Administrator
If you were looking for something to do this holiday season with all that spare time, January’s issue of TechNet Magazine has no fewer than three articles devoted to Group Policy, including an article I wrote on optimizing Group Policy performance.
Enjoy!
Tags: Group Policy, TechNet
12.12.07
Posted in General Stuff at 8:52 am by Administrator
A while back, Mark Russinovich (the pre-Microsoft Mark Russinovich!) had blogged about being able to circumvent some Group Policy using a DLL injection method that intercepted calls to the registry keys used by policy. He created a tool at the time called gpdisable that invoked this interception as a regular user. Of course, since Microsoft acquired Winternals, that gpdisable tool was removed from existence. But a couple of weeks ago, someone else created an alternative, called GPCul8r, that uses the same technique to accomplish roughly the same thing.
Essentially what this tool does is intercept a process’s calls to query registry values and, if it sees a query for one of a particular set of policy keys, it basically fakes the response, telling that calling process that the policy key was not found. Neat.
I think it’s important to know that tools like this exist, but also to keep it in context. For example, if you want to use this tool to block policy for all applications, you would essentially have to be administrator on the workstation to load it into the right registry key to allow this to happen automatically. Otherwise, you have to call this tool each time you launch an application. And if you’re an administrator on a Windows workstation, well, there are much easier ways to disable Group Policy. Also, this tool only intercepts calls to registry policy, or any policy that stores itself in the registry–that includes Admin. Templates and Software Restriction Policies and a couple of other minor ones like disk quota policy. That means it doesn’t impact things like security policy, folder redirection, etc. And the current version of this tool, as posted on the site, only intercepts or looks for a small subset of policy keys. Of course, the source code is included with the posting, so if you know C++, it is fairly trivial to include other keys as well.
The bottom line is that this tool can be used with limited effect by the smart user to bypass some policy. Also, it underscores the fact that allowing users to be administrator on their own workstations is effectively saying that you really don’t care whether they receive Group Policy restrictions or not, because the intrepid administrative user can completely foil all policy (not just registry policy).
Finally, it may be worthwhile, given that this tool is floating around in the ether, to create a software restriction policy that specifically prevents this utility in its current form from executing. That’s not to say that other variants won’t show up out there. But at least for those folks who are just downloading it as is and trying it out, you can prevent them from getting around your policies!
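As an added example (not code from the original post, and not part of GPCul8r), here is a small audit script for the other half of the picture: the system-wide injection point an administrator would have to populate to make an interception DLL load into every process automatically. The post does not name that registry key; AppInit_DLLs is assumed here as the classic mechanism. The script lists what is configured, hashes each DLL and reports its Authenticode status, which is what you would want in front of you before deciding whether a software restriction rule is needed on a given box. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit the AppInit_DLLs injection point (assumed mechanism; the post
# does not name the key). Reads the registry only; nothing is changed.

function Get-AppInitDllAudit {
    # 64-bit Windows keeps a separate list for 32-bit processes under Wow6432Node
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }   # Wow6432Node does not exist on 32-bit Windows

        # Vista and later gate injection behind LoadAppInit_DLLs (1 = on); XP has no such switch
        $gate = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs } else { 'absent' }

        # AppInit_DLLs is a space- or comma-separated list of DLL paths
        $entries = @(([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ -ne '' })
        if ($entries.Count -eq 0) {
            [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $gate; DLL = '(none)'; SHA256 = ''; Signature = '' }
            continue
        }

        foreach ($dll in $entries) {
            # Bare file names are resolved by the loader against System32
            $path = if (Test-Path $dll) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
            if (Test-Path $path) {
                $hash = ($sha256.ComputeHash([System.IO.File]::ReadAllBytes($path)) |
                         ForEach-Object { $_.ToString('x2') }) -join ''
                $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
            } else {
                $hash = '(file not found)'
                $sigStatus = 'n/a'
            }
            [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $gate; DLL = $path; SHA256 = $hash; Signature = $sigStatus }
        }
    }
}

Get-AppInitDllAudit | Format-Table -AutoSize
```

An entry you do not recognize, especially one reported as NotSigned while the gate is on, is the thing to look at; the SHA256 column gives you the value to put into a hash rule if you decide to block that particular build.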
Tags: Group Policy, GPDisable, GPCul8r, Bypassing Group Policy
12.05.07
Posted in General Stuff at 9:59 am by Administrator
Someone emailed a question to the GPOGUY GPTalk mailing list today that I thought was worth chatting about. The question pertained to disappearing Group Policy links. Namely, he had a situation where links to GPOs would periodically disappear from Active Directory containers. I thought this was interesting as it brings up one of the poor design decisions that MS made around this particular facet of Group Policy. Specifically, Group Policy links are stored within the gpLink attribute on an AD container (in the case of GP, the container is a site, domain or OU object). But it’s how they are stored that is the problem. Links are stored as a concatenated list of strings that specify the DN of the groupPolicyContainer object in AD. In addition, the state of the link (e.g. enforced, disabled, enabled) is also stored as a flag within this string. For example, an OU’s gpLink attribute with multiple GPOs linked to it would look something like this:
[LDAP://cn={517989E5-C167-4446-9546-9FE44D05A094},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={D9F534B5-FE52-4EA2-9358-F90D14006700},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={67F306D6-ED52-4EC2-A624-12389418C38F},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={A2CA94A8-27AC-4FEE-9D10-6C39B810B6C5},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={2784512F-F4E0-4F4A-8CDA-D05C5798934D},cn=policies,cn=system,DC=cpandl,DC=com;1][LDAP://cn={0AA65012-F87F-4281-988A-62081B9F3686},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={A9E790E5-9963-40F9-A479-BD68DEDD921C},cn=policies,cn=system,DC=cpandl,DC=com;1][LDAP://cn={95C79242-CE65-4BF8-AC87-7678D2A85EA3},cn=policies,cn=system,DC=cpandl,DC=com;1][LDAP://cn={3C41D4AE-CCDF-4640-998D-D9A24EC48086},cn=policies,cn=system,DC=cpandl,DC=com;0]
Each link is delimited by brackets ([]). The flags that control the behavior of the link follow the DN and are delimited by semi-colons (;). So, what’s wrong with this picture?
Well, think about the problems that MS had with AD security group membership when they shipped Windows 2000. Group memberships were stored in AD such that someone making a change to a group’s membership on one DC could overwrite a membership change happening on another DC, because the membership was treated as a single object. You had to be really careful about where you modified memberships. Then MS introduced linked value replication (LVR) and that problem basically went away.
Well, you have the same problem here with GP links, except it’s a bit worse. Group memberships in AD are stored as links–i.e. they are references to member objects rather than just strings of member names. Not so with GP links, which have no association to the underlying GPO they reference. So, you have two problems here–one not so big and one really big. The not so big problem is that if you want to find out where a particular GPO is linked, you have to search every container object and do string matching to find that GPO’s DN on the container. That’s a pain but not terrible unless you have really big environments. The bigger problem is around making link changes. Because all links are held in essentially one big long string on the gpLink attribute, if two people make a link change on the same container from two different DCs, the last writer will overwrite the first writer completely. Meaning that if Admin A removes a GPO link or disables a link, and then Admin B comes along shortly thereafter, before Admin A’s changes have replicated, and makes another change, the GPO link that Admin A removed or modified will get replicated back because Admin B’s change comes later.
Obviously GPMC mitigates this issue somewhat by defaulting to always focus on the PDC emulator, but you can tell it to make changes against different DCs, and that’s where problems can occur. It would have been much better if MS had made the gpLink attribute store links to GPO objects rather than strings.
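To make the two problems concrete, here is an added example (my own illustration, not SDM Software’s cmdlets and not code from the original post) that parses a gpLink value the way any tool must, does the “where is this GPO linked?” string search across a few containers, and then replays the two-admin scenario to show the first change being carried back by the second write. The gpLink strings and container names are constructed for the example; the option bit values (0x1 = link disabled, 0x2 = enforced) are the documented GPO link option flags, which the post itself does not spell out.

```powershell
# Added example: gpLink parsing and the last-writer-wins problem. All sample data is constructed.

function ConvertFrom-GPLink {
    param([string]$GPLink)
    # Each link is "[LDAP://<GPO DN>;<options>]". Option bits: 0x1 = link disabled, 0x2 = enforced.
    $links = @()
    foreach ($m in [regex]::Matches($GPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $dn   = $m.Groups[1].Value
        $opts = [int]$m.Groups[2].Value
        $guid = if ($dn -match '\{([0-9A-Fa-f-]+)\}') { $Matches[1] } else { $null }
        $links += [pscustomobject]@{
            GpoDn    = $dn
            GpoGuid  = $guid
            Disabled = [bool]($opts -band 1)
            Enforced = [bool]($opts -band 2)
        }
    }
    return $links
}

function ConvertTo-GPLink {
    param($Links)
    # Rebuild the single concatenated string the attribute actually stores
    ($Links | ForEach-Object {
        $opts = 0
        if ($_.Disabled) { $opts = $opts -bor 1 }
        if ($_.Enforced) { $opts = $opts -bor 2 }
        "[LDAP://$($_.GpoDn);$opts]"
    }) -join ''
}

# Constructed sample: three GPOs linked to one OU, the second link disabled
$dnBase   = 'cn=policies,cn=system,DC=cpandl,DC=com'
$gpo1     = '11111111-1111-1111-1111-111111111111'
$gpo3     = '33333333-3333-3333-3333-333333333333'
$original = "[LDAP://cn={$gpo1},$dnBase;0]" +
            "[LDAP://cn={22222222-2222-2222-2222-222222222222},$dnBase;1]" +
            "[LDAP://cn={$gpo3},$dnBase;0]"

ConvertFrom-GPLink $original | Format-Table GpoGuid, Disabled, Enforced

# Problem 1: "where is this GPO linked?" is a string search over every container's gpLink
$containers = @{
    'OU=Sales,DC=cpandl,DC=com' = $original
    'OU=HR,DC=cpandl,DC=com'    = "[LDAP://cn={$gpo3},$dnBase;2]"   # enforced link
}
$containers.Keys | Where-Object { @(ConvertFrom-GPLink $containers[$_]).GpoGuid -contains $gpo3 }

# Problem 2: two admins read the same value from different DCs before replication catches up
$adminA = ConvertFrom-GPLink $original | Where-Object { $_.GpoGuid -ne $gpo1 }   # A removes the link to GPO 1
$adminB = ConvertFrom-GPLink $original                                           # B still sees all three
($adminB | Where-Object { $_.GpoGuid -eq $gpo3 }).Enforced = $true              # B enforces GPO 3
$final  = ConvertTo-GPLink $adminB   # B's write lands last; A's write is replaced wholesale

# True: GPO 1's link is back, even though A removed it
@(ConvertFrom-GPLink $final).GpoGuid -contains $gpo1
```

Because each admin writes the whole string, there is nothing per-link for AD to merge; the only things that keep this from biting in practice are writing through a single DC (the PDC emulator) and not making link changes on the same container from two places at once.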
As for tools for managing GPO links, besides GPMC, I will of course mention the free PowerShell GPMC cmdlets we have, that include get-sdmgplink, add-sdmgplink and remove-sdmgplink for managing links. In all cases, those cmdlets will default to the PDC emulator DC to make changes.
SDM Software is also getting ready to release a Group Policy backup and recovery product, and one of its features will be the ability to back up and recover GPO links!
Tags: Group Policy, Active Directory, PowerShell, GPMC, Group Policy Links, SDM Software