08.28.08
Posted in Group Policy Preferences at 11:03 am by Administrator
I frequently find that a lot of folks have not yet discovered all of the cool new Group Policy management features that Group Policy Preferences brings to Windows. As a result, I thought it would be worthwhile to do a couple of blog items about some of these features. Today, I’ll talk about Power Management.
When Vista shipped, Microsoft provided a way of controlling Vista Power options using Group Policy. Great! We’re all concerned about energy use these days and, as my friend Brandon might say, I’m as big a "tree-hugger" as there is, so I like seeing these built-in features that make it easy to conserve power. But unfortunately, you had to be running Vista to take advantage of this control. That left all those millions of XP PCs out in the cold (or hot, as the case may be), with the only option to buy a 3rd party product or install the very useful, but somewhat heavy, EZ-GPO client service, sponsored by the US Government (http://www.energystar.gov/index.cfm?c=power_mgt.pr_power_mgt_ez_gpo).
However, with the release of Group Policy Preferences, you can now control power options on both a per-computer and per-user basis, natively within Group Policy, for XP (and Server 2003) systems. These options are under Computer (or User) Configuration\Preferences\Control Panel Settings\Power Options, within GP Editor. Within this section, you have the option to control both "Power Options" and "Power Schemes". Power Options include global settings like enabling hibernation, and setting the behavior of Windows when the user presses the shutdown or sleep button or closes a laptop lid.
The Power Schemes section is where you can define the active Power Scheme in effect on a machine, and configure the specific options for it, such as how long the display and hard drives will run during inactivity before powering down, depending upon whether they are plugged in or on batteries. You can also use this section to define new custom power schemes that are right for your organization!
And, since this is Group Policy Preferences, you also get the advantage of the item-level filtering feature, which means that you can target specific power schemes to just laptops or just desktops, within a single GPO. And of course, I can’t fail to mention that the upcoming release of SDM Software’s GPExpert(tm) Scripting Toolkit will support GP Preferences, so you can now automate power management policy changes using PowerShell or VBScript!
Very cool stuff for this tree hugger! I hope you take advantage of this new "in-the-box" feature!
Tags:
Group Policy, Power Management, XP, Group Policy Preferences
08.22.08
Posted in General Stuff at 7:11 am by Administrator
One of the irritating side effects of using Group Policy security group filtering on computers is that, if you change a computer’s group membership, you either have to reboot the computer or wait the default 7 days for the computer’s Kerberos ticket to expire before it picks up its new group membership. Recently, however, there was a thread on the ActiveDir.org mailing list about this. Steve Linehan, resident AD smart guy at Microsoft, posted that in Server 2008, Microsoft added some switches to the klist.exe utility that you can use to force a refresh of the server’s tokens, and thus pick up group membership changes without a reboot. The command format for doing that is:
klist -li 0x3e7 purge
You have to run this command from an elevated prompt on Server 2008. Unfortunately, on Vista, klist is not included, though Steve mentioned that Vista has all the plumbing to support it. I tried the easy route, which was simply copying klist.exe from Server 2008 to Vista, but it failed with resource errors, so I suspect something else is missing.
Of course, this approach is all great, but what about those Server 2003 boxes that need to pick up group membership changes but that you can’t reboot? Well, thanks to a comment by Dean Wells on this thread, I did some experimenting and there is a way to do this on Server 2003 (and presumably XP as well)! First off, you need to get ahold of klist.exe from the Server 2003 Resource Kit Tools. Once you have that on your 2003 box, you need to fire up a command shell running as localSystem. The easiest way to do that is to simply use the AT.exe task scheduler command line to run a command shell. Because AT runs as localSystem, the resulting command shell that is opened up is also running as localSystem. So, for example, if right now it’s 15:30 and I want to open up my command shell at 15:31, I would type:
AT 15:31 /interactive cmd.exe
That means that in one minute, a command shell will appear on my server console running as localSystem. Once I’ve got that, I simply need to use the following syntax with klist:
klist purge
When you do that, you will likely see a number of y/n prompts for each ticket. Simply say y to each one and once it’s done, the machine should now know about its new group membership. I tested this by setting a GPO to deny a particular computer group. I ran klist purge and then gpupdate /force and sure enough, the policy settings I had denied were removed!
Thanks to Dean Wells for this tip; it’s a great one!
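The Server 2008 sequence above (purge the LocalSystem session's tickets, refresh policy, confirm the result) as a single script. This is an added example, not code from the original post; the group name parameter is hypothetical, and the membership check assumes the group's name appears in the computer section of the gpresult report.

```powershell
# Added example (not from the original post). Run from an elevated
# PowerShell prompt on Server 2008, where klist.exe supports -li.
param(
    # Hypothetical: the security group the computer account was just
    # added to or removed from.
    [string]$GroupName = $(throw 'Specify -GroupName'),
    # Whether the computer should be a member after the change.
    [bool]$ExpectMember = $true
)

# klist -li requires elevation, so fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Not elevated: cannot purge tickets for logon session 0x3e7.'
}

# Step 1: purge the Kerberos tickets held by the LocalSystem logon
# session (logon ID 0x3e7), so new tickets carry current group data.
klist -li 0x3e7 purge
if ($LASTEXITCODE -ne 0) { throw "klist failed with exit code $LASTEXITCODE" }

# Step 2: reapply computer policy so security group filtering is
# re-evaluated against the refreshed membership.
gpupdate /target:computer /force
if ($LASTEXITCODE -ne 0) { throw "gpupdate failed with exit code $LASTEXITCODE" }

# Step 3: read the computer-scope RSoP summary and look for the group.
# A plain text match is used, so pick a name that is unambiguous.
$report   = gpresult /r /scope computer
$isMember = [bool]($report | Select-String -SimpleMatch $GroupName)

if ($isMember -eq $ExpectMember) {
    Write-Host "OK: membership of '$GroupName' is $isMember, as expected."
} else {
    Write-Warning "Membership of '$GroupName' is $isMember, expected $ExpectMember."
    Write-Warning 'Check AD replication to the logon DC, then rerun.'
    exit 1
}
```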
Tags:
Group Policy, Computer Groups, Klist