01.29.08

PowerShell Group Policy Remote Refresh

Posted in PowerShell at 3:13 pm by Administrator

Well, if you’ve read my blog at all, you know that there are two technology areas that are especially interesting to me: Group Policy and PowerShell. Once again, I’ve brought the two together in the form of a new freeware cmdlet for triggering remote Group Policy refreshes. This is an update of the GPOGUY.COM rgprefresh utility that is by far the most popular download on that site. I figured it was time to PowerShell-enable this sucker and so that’s what I’ve done.

This new cmdlet, called Update-SDMgp, basically lets you specify a remote hostname to trigger a GP Refresh against, and provides the same options that RGPRefresh did for letting you specify the type of refresh and alternate credentials.

You can download the free setup (registration optional) at www.sdmsoftware.com/freeware.php.

Check it out and let me know what you think. For more information on the syntax of this new cmdlet, just type the following after installing the cmdlet and launching the snap-in from the installed shortcut:

get-help update-sdmgp

Tags:

PowerShell, Group Policy, GPOGUY, SDM Software

01.17.08

Group Policy Performance and Security Policy

Posted in General Stuff at 2:15 pm by Administrator

If you haven’t already seen it, check out my article in this month’s TechNet Magazine on "Optimizing Group Policy Performance". The article goes into a fair bit of detail about things you can do (or not do) to ensure that GP performance is good on your Windows systems. But one thing I didn’t get into is how some specific Client Side Extension (CSE) behaviors can cause performance slowdowns. I received an email from someone at Microsoft asking about this yesterday. His specific question was around the performance impact of using GP to set file system or registry security. GP today has that capability under Computer Configuration/Windows Settings/Security Settings/File System (or Registry). But of course, if you use this feature against large numbers of files or folders (or reg keys), it’s going to take a while to modify ACLs on those objects, just as it would if you were doing it through Explorer. But his question had to do with the impact of this on system performance, if GP processed these ACL changes every time processing ran. The answer, of course, is that GP processes settings only if one of several situations occurs. First, if *something* changes in the GP environment, a client will process those changes during the next processing cycle (I talk about what those changes could be in the article).

The other scenario where security policy would process every time GP processes is if an administrator explicitly told it to do so by setting the per-computer policy at Computer Configuration\Administrative Templates\System\Group Policy\Security Policy Processing\Process even if the Group Policy Objects have not changed. Now of course, enabling this setting can have a very obvious impact on system performance if what you’re doing in security policy involves expensive operations like file system re-ACLing. But if not, the advantage of using this setting is that you ensure that, every 90 minutes or so, any security policy you have defined will be re-applied, just in case a pesky user figured out a way to undo them (which they should not if they are not administrator on their systems, right????). But in general, I would leave this setting alone.

The 3rd scenario where security policy would process is by virtue of its own built-in behavior. That is, the Security CSE will process security policy every 16 hours by default, regardless of what else is happening. This is a failsafe that MS decided to put into security policy so that security policy will get re-applied if the environment is reasonably static. You can actually modify this interval to be something other than 16 hours via a registry tweak (I actually created a custom ADMX file for this that will be on the CD in the upcoming Windows Server 2008 Resource Kit book, which I wrote the GP chapter for). The registry tweak info can be found at http://support.microsoft.com/kb/277543/en-us.
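To see which of these scenarios applies on a given machine, the following added example (not code from the original post or from SDM Software) reads the two registry values involved: NoGPOListChanges, which the "Process even if the Group Policy Objects have not changed" policy writes for the Security CSE, and MaxNoGPOListChangesInterval, the interval in minutes described in KB 277543. The function and helper names are hypothetical, and 960 minutes is assumed as the value in effect when the interval is not set.

```powershell
# Added example: report when the Security CSE re-applies security policy on this
# machine even though no GPO has changed. Run in an elevated PowerShell session.
$SecurityCse = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'   # Security CSE GUID
$PolicyKey   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$SecurityCse"
$CseKey      = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$SecurityCse"

function Get-RegValueOrDefault {          # hypothetical helper
    param([string]$Path, [string]$Name, $Default)
    # A missing key or value means the setting is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) { return $item.$Name }
    return $Default
}

function Get-SecurityPolicyReapplyState { # hypothetical name
    # NoGPOListChanges = 0 means "Process even if the Group Policy Objects
    # have not changed" is enabled for security policy.
    $noChanges = Get-RegValueOrDefault $PolicyKey 'NoGPOListChanges' $null
    # Failsafe interval in minutes; assumed 960 (16 hours) when not set.
    $interval  = [int](Get-RegValueOrDefault $CseKey 'MaxNoGPOListChangesInterval' 960)

    $everyRefresh = ($null -ne $noChanges) -and ([int]$noChanges -eq 0)
    $note = if ($everyRefresh) {
        'Security policy re-applies on every refresh; review File System/Registry ACL settings for cost.'
    } elseif ($interval -ne 960) {
        'Failsafe interval has been changed from the 16-hour default.'
    } else {
        'Default behavior: re-apply on GPO change or every 16 hours.'
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        ProcessEveryRefresh     = $everyRefresh
        FailsafeIntervalMinutes = $interval
        FailsafeIntervalHours   = [math]::Round($interval / 60, 1)
        Note                    = $note
    }
}

Get-SecurityPolicyReapplyState | Format-List
```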

Tags:

Group Policy, Security Policy, TechNet Magazine

01.15.08

Group Policy Preferences

Posted in General Stuff at 2:04 pm by Administrator

I sat in on a Microsoft webcast presentation of the upcoming release of Group Policy Preferences, which I blogged about earlier. This is the old DesktopStandard PolicyMaker stuff for extending Group Policy to do much more than it does today. While I used to work with the DesktopStandard folks and had seen PolicyMaker up close, it was interesting to hear about how Microsoft plans to make this available, and what has changed. The biggest piece of news for me is that you don’t have to have a Server 2008 license to use this stuff in XP and Server 2003. Essentially what you’ll need is the Client Side Extension install for your XP or Vista clients, and then the RSAT administrative tools pack for administering the new Preferences. RSAT will add the snap-ins to the GP Editor (and presumably also make some extensions to GPMC) to allow you to view and edit those new Preferences settings. Cool.

The other thing that remains intact for Preferences, from the old PolicyMaker product, is the ability to do per-setting targeting. What does this mean? Well, imagine being able to, within a single GPO, have 60 settings that are each targeted based on criteria ranging from IP address of client to hardware configuration, to security group membership, to whether it’s a laptop or desktop machine, and on and on. Can you say "power and complexity"? This is a very powerful feature but I can also quickly see how it can be abused to no good end. This is especially true as it does not appear that the RSOP reporting in GPMC will support evaluation of these targeting criteria. That means that if you are using these fine-grained targeting methods, you won’t be able to see if a given user or computer is receiving a policy setting because of them. That will be interesting and challenging!

The other thing of note is that the Outlook profile and MS Office settings that were part of the original PolicyMaker product will not ship when Group Policy Preferences do, but at some later time, due to apparent legal restrictions related to shipping Office components with the OS!

In any case, it continues to be lots of good news for being able to better manage your desktops and servers using GP going forward. Frankly, if you haven’t already planned on how and when you will roll out support for Preferences to your existing desktops, I would seriously consider it now. These will be out of band additions for some time to come but you might as well take advantage of the capabilities that this thing brings as soon as possible.

Tags:

Group Policy, Microsoft, Preferences, Desktop Management

01.03.08

New Group Policy Backup & Recovery Product

Posted in sdm software at 1:21 pm by Administrator

Late last year, we (SDM Software that is!) announced the GPExpert™ Backup Manager for Group Policy product. Well, the product is now available to trial on our website. The product leverages the GPMC’s backup format but also includes some neat features such as the ability to backup and restore GPO Links, a feature that lets you check your GPOs to ensure the current version has been backed up, the ability to schedule GPO backups and a Backup-on-Edit feature, where you can backup a GPO as a function of starting the GP Editor on that GPO. I’m excited that these and other features will give folks excellent control over their GP environments from a backup and recovery perspective. Check it out and let me know what you think!

Darren

Tags:

Group Policy, Group Policy Backup, SDM Software

01.02.08

MVP Status & Community Resources

Posted in General Stuff at 7:42 am by Administrator

Well, for those of you out there who are Microsoft MVPs, you know that getting that email announcing that you’ve been renewed for another year is a good feeling. Since my MVP status expires at year end, I usually get my notice on January 1st, which is a good way to start the year. Yesterday was no exception and for the 5th year in a row, I’m proud to be a Microsoft MVP for Group Policy. Given that the MVP status is all about community and helping folks with Microsoft technology, I think it’s useful to point out some of the many resources that are available for folks to get help with Group Policy. This list is by no means complete but here goes:

The Microsoft Newsgroups: Microsoft.public.windows.group_policy & Microsoft.public.windows2000.group_policy

The Microsoft GP Wiki: http://grouppolicy.editme.com

Our GPOGUY.Com GPTalk Mailing List: This is a list with over 300 members that we provide through GPOGUY.COM to offer assistance with GP. You can subscribe at www.gpoguy.com/lists.htm

Mark Minasi’s Forum: Mark maintains a great multi-topic forum (GP included) where you can find help on any number of issues at www.minasi.com/forum

GPAnswers.com Community: Jeremy Moskowitz, a fellow GP MVP, provides a bulletin board on his site at www.gpanswers.com where folks can ask questions on all manner of GP topics.

The ActiveDir.Org Mailing List: One of the best Active Directory mailing lists around is also a place to ask GP questions; lots of smart folks on this list to help with real-world problems. Join up at www.activedir.org.

If you’ve got GP questions, the good news is that there is no shortage of great, free resources out there to help!

Tags:

Group Policy, Microsoft MVP