11.29.09
Posted in Group Policy Preferences at 7:48 pm by Administrator
I was playing around with some scenarios related to "item-level targeting" (ILT) in Group Policy Preferences and was reminded of a significant limitation in this newer as it relates to Resultant Set of Policy reporting. What I was doing was creating a GPO that contains some GP Preferences registry settings, and then using item-level targeting to control which machine groups got those registry settings. However, when I went into GPMC and ran a GP Results (RSoP) report against one of my test machine, it showed my test GPO in the "Applied GPOs" section of the report, even though I knew that it had not passed the item-level target filter.
This pecularity caused me to dredge up a distant memory about a limitation in the way GP Preferences interacts with RSoP–namely, RSoP is incapable of deciphering whether a machine has passed an item-level target. So, even though the registry setting was blocked from being processed by the machine because it was not in the correct group, RSoP saw no reason why the GPO should not apply, since it was linked and security group filtered (using normal security group filtering) in a way that told it that everything was good.
This could very easily bite you as you leverage GPP more, so I thought it would be useful to re-iterate it here for everyone’s benefit. In short, if you use ILT to control which policy settings apply to a computer or user, RSoP will not reflect whether the ILT filter passed or failed. It will only reflect the "normal" means of filtering through linking, security group filtering and WMI filters.
Darren
Permalink
11.20.09
Posted in sdm software at 10:24 am by Administrator
Well, I was very surprised and happy to receive an IM from a colleague this morning, directing me to http://windowsitpro.com/Windows/Articles/ArticleID/102984/pg/2/2.html, where I read that our SDM Software Group Policy Automation Engine won GOLD as Best Active Directory and Group Policy Product. This is really cool and a great acknowledgement of the work we’ve been doing. Its always nice to be recognized and especially to win in the Editor’s Choice category!
Cool!
Tags:
Group Policy, SDM Software
Permalink
11.02.09
Posted in Bugs at 8:31 am by Administrator
I found this issue recently–at first I thought it was just my environment, but have confirmed it on a couple of different environments. When you are on a Win 7 box (and probably R2 as well), in GPMC and viewing the setttings of a GPO that had previously been created and contains software restriction policies, you will get an error when GPMC tries to display those SRP settings. Specifically, the error looks like this:
|
Software Restriction Policies
Software Restriction Policies/Security Levels
Software Restriction Policies/Additional Rules |
| The following errors apply to all of the above settings: |
| An unknown error occurred while data was gathered for this extension. Details: Unable to cast object of type ‘System.String[]‘ to type ‘Microsoft.GroupPolicy.Reporting.Extensions.Registry.UnknownType’. |
From the looks of it, it appears to be a bug in the way the Win 7 GPMC object model is parsing these settings. I’ve reported it to MS but wanted to let everyone know about it so you don’t think you’re going crazy. Not surprisingly, if I open the GP Editor on this GPO, all of the SRP settings appear fine. This is only an issue with the GPMC reporting of settings.
Tags
Group Policy, Windows 7, Software Restriction Policies
Permalink
