03.31.08
Posted in sdm software at 6:57 am by Administrator
Well, today we announced the release of a product I’ve mentioned in previous blog posts–the GPExpert Desktop Policy Manager. I’m very excited about this product because it is the first product that really seeks to address the complexity of managing desktop configuration using Group Policy. One of the things I’ve heard loud and clear over the years from folks is that using Group Policy can be complex, daunting and prone to error. This product seeks to remove that complexity and make using this powerful technology really simple, using a web-based interface and wizard-driven style that simplifies the task of locking down Windows desktops.
I’m looking forward to getting feedback on this product to learn how we can make the process of Windows configuration even easier!
Tags:
Desktop Management, Group Policy, SDM Software, Desktop Policy Manager
Permalink
03.28.08
Posted in General Stuff at 5:50 pm by Administrator
If you’ve installed the new Remote Server Administration Tools (RSAT) on Vista, SP1, you will notice some subtle changes in the Group Policy Editor. Namely, if you type gpedit.msc like you used to in the pre-RSAT days, you will still launch the GP Editor, focused on the local GPO, but you won’t see the new Group Policy Preferences namespace, as you do when you launch GP Editor focused on a domain GPO. This is simply because GP Preferences are not supported on the local GPO.
In addition, as I’ve had up on my GPOGUY.COM FAQ for a while, in the pre-RSAT days you could launch GP Editor, focused on a domain-based GPO by using the following syntax:
gpedit.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cpandl,DC=com"
The above command would launch GP Editor, focused on the Default Domain Policy in the cpandl.com domain. But if you try that on a RSAT-installed SP1 Vista system, you will get the Default Domain Policy, but you won’t see any of the Group Policy Preferences options. Ok, so there must be a way around this, right?
Correct! Its called gpme.msc, or the Group Policy Management Editor MMC snap-in tool. So, if we take the above syntax, and change it up a bit:
gpme.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cpandl,DC=com"
We get the desired result, which is the GP Management Editor launching focused on the Default Domain Policy, and showing the GP Preferences namespace! Success…
Tags:
Group Policy Preferences, GPEdit.MSC, GPME.MSC, RSAT
Permalink
03.26.08
Posted in IE Policy at 1:57 pm by Administrator
There been a long-standing issue, ever since IE 7 was introduced, related to GPMC and the use of IE Maintenance Policy. Specifically, if you defined zone security in IE Maintenance policy from a machine running IE 7, and then tried to view a settings report on that GPO from GPMC running on Vista or XP (and presumably also 2003), you would get the following error on the Report tab:
An error occurred while generating report:
An unknown error occurred while the HTML report was being created.
XP would also throw this error if you tried to view an RSOP report on a machine that had received this policy. Until recently, the workaround would be to only use Admin. Template policy to define zone security. Specifically, you can do this under:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List
Well, I just loaded up the new version of GPMC that comes with RSAT for Vista, Sp1 and it appears that this IE Maintenance problem is fixed! Of course, all that means is that you know have to use GPMC on Vista, Sp1 if you want to be able to get correct settings reports for IE Maintenance Policy, but its something!
Tags:
Group Policy, Internet Explorer Maintenance, GPMC
Permalink
03.25.08
Posted in Vista-2008 stuff at 1:20 pm by Administrator
Well, I think this qualifies as a "Yee-Haw" moment. Finally, you can now get the RSAT tools for Vista, SP1 (with GPMC!) at http://www.microsoft.com/downloads/details.aspx?FamilyID=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en
Tags:
Group Policy, RSAT
Permalink
03.19.08
Posted in sdm software at 12:38 pm by Administrator
Just a quick note to let folks know that SDM Software will be exhibiting at the upcoming TechMentor San Francisco show, March 30th to April 3rd. We’re excited to have a booth at this show as it will be our first "standalone" exhibit experience. If you’re going to be at TechMentor-SF, stop by and see us. I’m especially looking forward to the show as we’ll be announcing the release of a new product, called Desktop Policy Manager, that I’m very excited about. We’ll be demo-ing the product at the show, but the gist of this product is that it combines the power of Group Policy and PowerShell in a brand new web-based interface, to make configuration of Windows desktops using Group Policy much, much simpler. I am looking forward to showing it!
If you are going to be at TechMentor, stop by booth #309 to see us!
Darren
Tags
Group Policy, PowerShell, Desktop Policy Manager, Desktop Management, SDM Software
Permalink
03.18.08
Posted in Cool New Products at 9:27 am by Administrator
Windows IT Pro Magazine has a good article this month on 3rd-party Group Policy tools. It goes over the challenges of Group Policy management and then talks about some of the various solutions in the space. I got a few quotes in there as well, which is cool. Check it out at:
http://windowsitpro.com/Windows/Articles/ArticleID/98087/pg/1/1.html
Tags:
Group Policy, Group Policy Tools, SDM Software, Windows IT Pro
Permalink
03.17.08
Posted in Cool New Products at 3:38 pm by Administrator
The guys over at BeyondTrust have come out with a cool new (and free) tool for helping folks get to "least privileged use" (i.e., users are not admins on their workstations) on Windows more quickly. This product is a nice compliment to their Privilege Manager Group Policy extension for allowing elevation based on white lists of applications. Essentially the new product, called BeyondTrust Application Rights Auditor, lets you audit application usage on your Windows desktops to determine which applications will require administrative elevation to function properly. Using such a tool, you can more quickly make adjustments to your Windows system security, or use a product like Privilege Manager, to get to a point where you can remove administrator access on your systems. This is a great tool to have and very cool that they are making it available for free.
Tags:
BeyondTrust, Privilege Manager, Application Rights Auditor, Group Policy
Permalink
03.14.08
Posted in Vista-2008 stuff at 8:21 am by Administrator
With the release of Windows Server 2008, Microsoft made the previously mentioned Group Policy Preferences feature available to all XP, 2003, Vista and 2008 users. This is a great thing, as I’ve said, but there has definitely been some confusion about how to manage this stuff, which platforms it works on and how to deal with it if you were already using DesktopStandard’s PolicyMaker product. This latter issue came up while I was helping to moderate a Birds of a Feather session on GP at the recent NetPro DEC conference (which was a great show, btw). So let’s run through the basics of this so you understand the issues.
- Group Policy Preferences ships on Server 2008 without having to install anything. You can edit GPPs from the GPMC using the new version of the GP Editor that ships with that version.
- GPP does not support local GPOs at all
- If you want downlevel clients (i.e. XP and 2003) to process GPP settings, you need to install the GPP client side extension installations located here. Note that if you already use DesktopStandard’s PolicyMaker extensions, then the GPP client-side extension install will deinstall the DesktopStandard extensions if they are found on the client, so be aware!
- If you want to manage GPP settings in GPOs, you need to use GPMC and the GP Editor that get installed by the Remote Server Administration Tools (RSAT) on Vista, Service Pack 1. Note that RSAT is not actually shipping yet but should be available by end of this month.
- You CANNOT edit GPP settings on XP or Server 2003. That will not change as far as I know. You will need to manage these GPP settings only on Vista, SP1 or Server 2008
In addition, if you were using DesktopStandard’s PolicyMaker extensions, you need to be a aware of a few things. I already mentioned above the the GPP extensions will deinstall the PolicyMaker extensions when you install them. You cannot co-exist both on the same client. However, more interestingly, the settings that were created by PolicyMaker are not compatible with GPP settings or the GPP client-side extensions. So what this means is that a GPO containing PolicyMaker settings will not be processed by a client running the GPP extensions (and vice-versa!). I know that Microsoft plans to provide some kind of conversion script in the near future that will convert PolicyMaker settings in a GPO into GPP settings. In the meantime, you will need to keep the two environments separate.
In any case, if you are already moving towards GPP, there is a lot to be excited about here.
Tags:
Group Policy, Group Policy Preferences, PolicyMaker
Permalink
