05.30.08

On Demand version of the “Securing Desktops…” Webinar available

Posted in Security Policy at 2:43 pm by Administrator

For those of you who missed the webinar I did yesterday on "Securing Desktops with Group Policy", you can register to view the on-demand version here. If you did attend, thanks for listening! We had a good crowd and lots of good questions!

 

XMLLite and Group Policy Preferences

Posted in Group Policy Preferences at 11:09 am by Administrator

I have heard a lot of questions about the need to install the pre-requisite XMLLite package on XP and Server 2003 prior to installing the Group Policy Preferences Client Side Extensions to those versions of Windows. The fact is that XMLLite is currently not deployable via WSUS, which has made it hard for folks to mass deploy Group Policy Preferences. What I’ve come to learn is that while this deployment challenge for XMLLite is true, there are some mitigating factors that might help certain shops. Namely:

  • Windows Server 2003, SP2 and Windows XP SP3 already include XMLLite, and thus it’s not required as a separate install before you install Group Policy Preferences on those versions of the OS
  • Windows Server 2003, SP1 and Windows XP, SP2 with Internet Explorer 7 installed also do not need XMLLite, as it is included with IE 7.

So, bottom line is that if you are running 2003, SP1 or XP, SP2 without IE7, you will still struggle to deploy XMLLite through means other than "sneaker-net" but the good news is that, with these above exceptions, the number of those machines should get smaller and smaller over time.

And just a note that XMLLite is not required at all for GP Preferences on Vista.

 

Tags:

Group Policy, Group Policy Preferences, XMLLite

05.22.08

Don’t Like How they broke GP-based Deployment of Office 2007?

Posted in Office at 6:06 am by Administrator

If you are one of the many IT administrators I’ve talked to that doesn’t like how Microsoft essentially broke Group Policy Software Installation-based deployment of Office when they released Office 2007, here’s how you can provide feedback to Microsoft. I just noticed a blog posting from someone on the Office Resource Kit team with the title, "Deploying Office 2007 with GPSI is not for the faint of heart". For someone from the Office Resource Kit team to use that kind of title is what I would call irony. I encourage everyone that finds what they did with Office deployment in the latest version just plain non-responsive to customer needs, to submit a comment to that blog posting. I think if they knew how many people were adversely affected by this decision, they would perhaps get around to providing some better deployment solutions than recommending yet another deployment product for folks to install!

 

Tags:

Group Policy, Office 2007, GPSI

05.21.08

Updated Group Policy Book Now Available!

Posted in General Stuff at 12:52 pm by Administrator

I just wanted to let everyone know that Microsoft Press has released a new version of the popular "Group Policy Guide" book that fellow GP MVP Derek Melber and I contributed to a couple of years ago. This time Derek took the project on himself and the result is a great companion for navigating the new features within Group Policy in Server 2008 and Vista! Everyone who is doing anything with Group Policy should have this book on their desk!

 

Tags:

Group Policy, Derek Melber

05.19.08

“Securing Windows Desktops with Group Policy” Webinar

Posted in General Stuff at 1:44 pm by Administrator

Hey folks. I just wanted to let you all know that I will be giving a webinar about using Group Policy to create secure desktop configurations next week. The webinar is all about looking at the technology within Group Policy related to creating secure configurations. I’ll also talk a little about how SDM Software’s new Desktop Policy Manager product can help make the process of creating secure desktops using Group Policy much simpler. You can register for the webinar at http://www.bi101.com/go/secure_desktop/index.php. It’s on May 29th at 11am Pacific Time (GMT-8). Hope to see you there!

Tags:

Group Policy, Desktop Policy Manager, Creating Secure Desktops

05.08.08

Group Policy Delegation

Posted in General Stuff at 7:47 am by Administrator

The other day I got a question about one of our free GPMC PowerShell cmdlets–namely, the Add-SDMgpoSecurity that lets you modify GPO security. One of the permissions that you can grant using the cmdlet is the GPO creation permission–which controls who can create GPOs in the domain. This particular questioner was wondering why they were getting an error when trying to set GPO creation permissions on a particular OU. The question made me think that a blog entry on Group Policy delegation was in order. So, for this particular issue I just described, the answer is relatively straightforward. You can only delegate creation of GPOs at the domain level. That is why, in GPMC, you will notice that when you click on the Delegation tab for a particular OU, you don’t have the option to delegate GPO creation.

In fact, the only place you will see that delegation is when you click on the "Group Policy Objects" node within a particular domain, and view the Delegation tab. So, the right to create GPOs in a domain is domain-wide. Now of course, if you delegate to someone the right to create a GPO, it does not necessarily give them the ability to make it "live". That ability requires a different kind of delegation–the delegation of linking. Remember that a GPO can be linked to an AD site, domain or OU. Each of these AD containers has a set of permissions associated with it. One of those permissions is the ability to write to the gpLink attribute on the container, and it is that permission that controls who can link a GPO to that particular site, domain or OU. You can, of course, delegate that permission without having to dig into the bowels of the AD ACL Editor, by using the GPMC–simply by clicking the Delegation tab while focused on a container object and then choosing "Link GPOs" as the permission you want to manage.

The final type of delegation I will mention is the ability to edit GPOs. Regardless of who creates a GPO, there is the separate ability to be able to edit that GPO once it’s created. When a GPO is created, it gets a set of permissions that are controlled by the defaultSecurityDescriptor attribute on the AD schema groupPolicyContainer object class. That default security descriptor controls which groups have which permissions on newly created GPOs. You can, of course, modify that attribute in your AD environment so that you can control which groups get what rights on all newly created GPOs (see KB article http://support.microsoft.com/kb/321476/en-us for more information), but you may also want to modify the ability to edit GPOs after they are created. For that, GPMC again provides the answer. You simply need to highlight a particular GPO, choose the Delegation tab and from there you can set permissions for who can edit a GPO or who can edit, delete and modify the security on a GPO. It’s also important to note that these permissions are stored on the GPO object itself, not the link or container object. So, while you can link a GPO to any number of AD containers, keep in mind that the permissions on that GPO in terms of who can read and write it remain constant, regardless of where it’s linked.

Finally, I will mention a slight variation on the GPO delegation I just described. The ability for a computer or user to process a GPO is just a different kind of delegation on that GPO. Namely, by granting a user or computer (or a group to which they belong) the Read and "Apply Group Policy" rights on a GPO, that user or computer is allowed to process that GPO, assuming it’s properly linked to them within the AD hierarchy. Strangely, this particular delegation is listed in two places within GPMC. If you highlight a GPO, you will see it under the Scope tab, in the "Security Filtering" listview, and you will also see that same delegation listed on the Delegation tab for that GPO, except that it will say "Read (from Security Filtering)" next to the security principal name to indicate that the permission being granted is really the ability to process the GPO. Confused yet?

Of course, all of these delegation operations are supported in our free PowerShell GPMC cmdlets as well!
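The delegation points described in this post live in different places, so reviewing who holds them means reading three different ACLs. The script below is an added example, not the author's code and not the SDM Software cmdlets: it assumes Microsoft's ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are installed, and `$OuDn` and `$GpoName` are placeholder values.

```powershell
# Added example: read-only audit of GPO create / link / edit / apply delegation.
Import-Module ActiveDirectory, GroupPolicy

$OuDn    = 'OU=Workstations,DC=example,DC=com'   # placeholder OU (assumption)
$GpoName = 'Desktop Lockdown'                    # placeholder GPO name (assumption)

$root     = Get-ADRootDSE
$domainDn = $root.defaultNamingContext
$schemaNc = $root.schemaNamingContext

# Look up a schema GUID at run time rather than hard-coding it.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}

# Allow ACEs on $Dn that grant $Right for $ObjectGuid or for every object type.
function Get-DelegatedAce([string]$Kind, [string]$Dn,
        [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$ObjectGuid) {
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $Right) -eq $Right -and
        ($_.ObjectType -eq $ObjectGuid -or $_.ObjectType -eq [guid]::Empty)
    } | ForEach-Object {
        [pscustomobject]@{ Delegation = $Kind; StoredOn = $Dn
                           Trustee = "$($_.IdentityReference)"; Inherited = $_.IsInherited }
    }
}

$report = @(
    # 1. Create GPOs: domain-wide, held on the domain's Policies container.
    Get-DelegatedAce 'Create GPOs' "CN=Policies,CN=System,$domainDn" CreateChild (Get-SchemaGuid 'groupPolicyContainer')
    # 2. Link GPOs: write access to gpLink on the site, domain or OU.
    Get-DelegatedAce 'Link GPOs' $OuDn WriteProperty (Get-SchemaGuid 'gPLink')
    # 3. Edit and apply: stored on the GPO itself, wherever it is linked.
    #    GpoApply rows are the "Security Filtering" entries.
    Get-GPPermission -Name $GpoName -All | ForEach-Object {
        [pscustomobject]@{ Delegation = "$($_.Permission)"; StoredOn = "GPO: $GpoName"
                           Trustee = $_.Trustee.Name; Inherited = $_.Inherited }
    }
)
$report | Sort-Object Delegation, Trustee | Format-Table -AutoSize
```

Trustees holding full control on the Policies container or the OU also appear, since an ACE that applies to every object type covers `groupPolicyContainer` and `gpLink` as well.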

 

Tags:

Group Policy, PowerShell, GPMC

05.01.08

It’s not all about Group Policy…

Posted in General Stuff at 2:32 pm by Administrator

Well, it’s been a bit of time since my last blog post and this being the 1st of May, I thought I would take the opportunity to write a new entry. The last few weeks have been busy. As I’ve already mentioned, we released our Desktop Policy Manager product in early April. Then I was at the MVP Summit in Redmond. That was very cool. Of course, all the details are NDA, but it’s a great opportunity for MVPs to have in-depth discussions with product teams and this year was no exception. The Group Policy product team is full of some really smart, energetic folks with lots of cool ideas. This is always a good environment in which to share thoughts and brainstorm on the technology and there was plenty of that. And even though I probably used up my allocated talking time (it’s hard to shut me up once I get going) I found the whole week to be very useful.

The following week I took a much needed vacation, visiting the Central Coast of California. If you ever get a chance to spend time in this area, it’s definitely worth it. Much less crowded than Los Angeles, but with some good beaches and even better, some great wineries. We managed to visit quite a few of the latter, and since wines are a bit of a hobby/obsession for me, it was an opportunity to sample some new wines. One of my favorite wineries, and one that should not be missed, is a winery called Linne Calodo. They specialize in Zinfandel and Rhone blends and while their wines are a bit on the pricey side, they were incredible. Other wineries that I really enjoyed include Four Vines and Tablas Creek. Four Vines got the prize for most interesting labels. Their wines had names like Naked Chardonnay, Heretic and Anarchy. Cool.

Yesterday I spent a quick day at the Microsoft Management Summit (MMS) in Las Vegas, which is usually about as much Vegas as I can handle. It was a great opportunity to meet with folks and I got to see old friends that I don’t get to visit with very often, like the guys at SpecOps (my favorite Group Policy vendor…well besides SDM Software)–many of whom live in Sweden and don’t get a chance to get over here very often–as well as the folks at Netpro.

MMS is always a good show for showcasing Microsoft’s latest management technology and this show was no exception. And while I did not attend any talks, I did hear the buzz about the new System Center Virtual Machine Manager product that is in development and was demo’d at the show, as well as general directions for the System Center product line. PowerShell was also prominently discussed and I heard that every attendee got a PowerShell book in their show bag!

Well since this is a Group Policy blog, I’d be remiss if I didn’t mention *something* about Group Policy. I’m working on an update to our GPMC cmdlets to add support for some of the new features introduced in Server 2008, like Starter GPOs and GPO comments. Keep an eye out on this blog for an update when it’s finished!

 

Tags:

Group Policy, PowerShell, Linne Calodo, MMS, Desktop Policy Manager