07.23.10
Posted in General Stuff, Group Policy Preferences, Security-related at 10:24 pm by Administrator
Microsoft recently announced a new security vulnerability in Windows shortcuts that affects all versions of Windows since XP! It is referenced here: http://support.microsoft.com/kb/2286198. This particular vulnerability takes advantage of the icon that appears in shortcut (.lnk and .pif) files on Windows. Within the article cited above, Microsoft provides a “FixIt” workaround for the problem that essentially removes the icon from the shortcut, leaving a blank icon in its place. In looking at what they are doing in the FixIt, it struck me that you could leverage the GP Preferences registry extension to blow this fix out to your entire environment pretty quickly. So, what I did was create two new GP Preferences registry items that update the appropriate registry values and remove the data from those values. The values in question are:
HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler\@
HKEY_CLASSES_ROOT\piffile\shellex\IconHandler\@
Where @ represents the “Default” registry value. Each of these values needs to have no data in it in order for this fix to work (and you’ll need to restart the target machine).
The GP Preferences items were very easy to craft. The following screenshot shows an example of the one I did for the lnk files:

Note that the value data field is left blank. That, in combination with using the “Update” action on the GP Preferences item, makes it easy to blank out a registry value. I then repeated this same process for the piffile path in the registry. Since I created this policy under “Computer Configuration”, I targeted the GPO to my computer objects in AD by linking it to an OU containing my computers. During the next policy refresh, the fix applied and I was protected. When an update is provided by Microsoft, you can again use the GP Preferences registry extension to update the registry value with its previous, default value, which is “{00021401-0000-0000-C000-000000000046}” for both lnkfile and piffile.
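For checking a single machine before (or after) the GP Preferences items land, here is an added PowerShell script that is not part of the original post: it reports whether the two IconHandler default values are blank, stock, or something else, and can blank or restore them the same way the GPP items do. The script name, the switch names and the output labels are my own choices; it assumes an elevated prompt on the target machine.

```powershell
# Added example (not from the post): audit, apply or revert the KB2286198 shortcut-icon
# workaround that the post pushes out with GP Preferences. Run from an elevated prompt.
# Usage: .\Check-LnkIconHandler.ps1            audit only
#        .\Check-LnkIconHandler.ps1 -Apply     blank both default values, as the FixIt does
#        .\Check-LnkIconHandler.ps1 -Revert    restore the stock CLSID once the patch is installed
param([switch]$Apply, [switch]$Revert)

$DefaultHandler = '{00021401-0000-0000-C000-000000000046}'   # the value the post cites
$Keys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

foreach ($key in $Keys) {
    # '(default)' is how PowerShell names the unnamed value the post writes as "@".
    $item = Get-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue
    $current = if ($item -ne $null) { [string]$item.'(default)' } else { $null }

    if ($Apply) {
        Set-ItemProperty -Path $key -Name '(default)' -Value ''
        $current = ''
    } elseif ($Revert) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $DefaultHandler
        $current = $DefaultHandler
    }

    # Classify what is registered: blank means the workaround is in place, the stock
    # CLSID means it is not, anything else is a handler worth looking at before touching.
    if ($current -eq $null)                 { $state = 'NO HANDLER VALUE (no CLSID registered)' }
    elseif ($current -eq '')                { $state = 'MITIGATED (icon handler blanked)' }
    elseif ($current -eq $DefaultHandler)   { $state = 'NOT MITIGATED (stock icon handler)' }
    else                                    { $state = "UNEXPECTED handler: $current" }
    '{0,-58} {1}' -f $key.Replace('Registry::', ''), $state
}
if ($Apply -or $Revert) { 'Restart the machine so the shell picks up the change.' }
```

Running it in audit mode across a few machines after the next policy refresh is a quick way to confirm the GPP items actually applied.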
Cool! GP Preferences strikes again!
Darren
07.22.10
Posted in General Stuff, Microsoft-Related, Security Policy, Security-related at 10:02 pm by Administrator
Some of you may have seen a Twitter post I did a while back letting folks know about the Security Compliance Manager, which is a tool from Microsoft that lets you manage, edit, report on, search and export security templates and baselines. This tool is pretty cool, but it also has a hidden gem in it. When you install the SCM, you will notice a folder within its program group called “LocalGPO”, which contains a package called localgpo.msi. When you run that MSI it installs some files within a folder on your hard drive, and one of those files is a script called localgpo.wsf. What this script can do is pretty cool. It can do three things against your local GPO that I really like:
- It can back up your local GPO to a GPMC-formatted backup, which means you could back up a local GPO and then use GPMC to import it into a domain-based GPO.
- It can take a GPMC backup of GP settings and import them into a local GPO on a machine.
- It can restore a local GPO to its default state.
These are three great features for managing the local GPO. Let’s take a look at how to use each. For backing up the local GPO, the syntax is simple:
From a command shell, I simply type:
cscript LocalGPO.wsf /path:c:\gpbackups /export
Where c:\gpbackups is a path to where I want to store my backup and /export tells the script to export my local GPO settings.
Now if I want to import a GPMC backup into my local GPO, the syntax is even easier. I simply provide the path to the GUID-named folder that GPMC creates under the backup directory when you back up a GPO, like this:
cscript LocalGPO.wsf /path:C:\gpbackups\{42ADD8FE-EDF6-479B-92C6-557343D8D091}
And, to restore a local GPO to its default config:
cscript LocalGPO.wsf /restore
Pretty easy to use, and this script seems to support every OS from XP to Win7. A couple of caveats, however. In looking at the script, Microsoft is only supporting Administrative Templates and Security Policy within these backup and restore operations (understandable given the ship vehicle for this thing). So if you have other policies like Scripts or IE Maintenance within your local GPO, they won’t be captured. Also, the script does not appear to deal with the multiple local GPOs feature supported in Windows Vista and above. So if you have per-user local GPOs, they are not captured–only the default local GPO.
That being said, the script does provide some good basic functionality as well as a good instructional document on how to capture and reset security settings from the local GPO (which are essentially stored in the local SAM rather than on the file system as in domain-based GPOs).
Hope this proves useful to you!
Darren
02.05.10
Posted in General Stuff at 3:24 pm by Administrator
I had a question recently that I thought was worth blogging. The question was, “If I create a GPO using Windows 7, Server 2008 or a similar newer platform, then back up that GPO using XP or Server 2003, will it back up everything?” The answer, not surprisingly, is “it depends”. GPMC Backup only backs up the “policy areas” that it knows about. For example, if I set some policy settings within Administrative Templates policy on Server 2008 and then back up that GPO using GPMC running on XP, those Admin. Template settings will be backed up just fine, because the Admin Templates policy area exists on both versions of Windows.
But let’s say I create a GPO from GPMC using Windows 7, and set some GP Preferences settings or some of the new “Advanced Audit Configuration” options, then try to back up that GPO from XP or Server 2003’s GPMC. In that case, neither the GP Preferences nor the Audit settings will be backed up, because those policy areas do not exist in XP or Server 2003 (from a GPMC perspective–it’s true that XP and Server 2003 can process GP Preferences settings, but they cannot manage them).
The bottom line is, as always, if you introduce newer versions of Windows into an environment and plan to leverage newer policy areas, it’s always best to manage GP from those newer versions of GPMC, since GPMC is backwards-compatible but not forwards-compatible!
Darren
01.31.10
Posted in General Stuff at 12:54 am by Administrator
Just a quick note to remind folks that for the 5th year in a row my good friend Mark Minasi is hosting the Minasi Conference in Virginia this Spring. For those of you who are used to going to one of those big conferences, this is a much more “intimate” and, in some ways, more valuable type of technical conference. Mark being who he is, you will hear some of the Windows world’s smartest techies at this event. If you have budget for training this year, you should consider this conference. Not only are the topics usually great, but it’s small enough for you to get much more interaction with the speakers than at your typical TechEd show. Check it out!
Darren
01.02.10
Posted in General Stuff at 6:00 pm by Administrator
Despite once again having to fetch it from my spam folder, I did indeed get the coveted email from Microsoft yesterday indicating that I’d been made a Group Policy MVP for the 5th year in a row. Cool!
I am honored and happy to be an MVP for another year. I look forward to another year of community contributions!
10.23.09
Posted in General Stuff at 9:14 am by Administrator
As many folks probably know, Group Policy slow link detection prior to Windows Vista relied on a series of ICMP pings to determine link speed between the client and domain controller. This process was fairly imprecise and was fraught with issues, because many folks have turned off ICMP on their internal networks to prevent malware that leverages this protocol from exploiting it. The end result was that you either had to disable slow link detection, or watch GP processing fail completely.
When Windows Vista and Server 2008 shipped, they introduced a completely new way of detecting slow links for Group Policy processing that no longer leverages ICMP. The process uses the Network Location Awareness (NLA) service to determine the link speed between client and DC, but the explanation of HOW that works has been relatively undocumented…until now. Mike Stephens at Microsoft has written a great blog that describes this process in great detail. Check it out!
07.20.09
Posted in General Stuff at 8:17 pm by Administrator
I thought this was cool. John Fontana over at Network World did a nice article on the challenges around the recent Microsoft zero-day vulnerabilities and SDM Software and yours truly got a nice mention on Page 2! Cool!
Darren
06.17.09
Posted in General Stuff at 3:27 pm by Administrator
Hey Folks. Sorry for the long delay in between postings. Lots going on in Group Policy land and in my own life that has been keeping me busy! But, now that I have some time, I wanted to blog about a few things of note, in no particular order:
- Thanks to Mike Kline for posting a nice review of SDM Software’s GPO Compare tool, which lets you graphically compare two GPOs for settings differences.
- Just a quick note to let you know that I posted a new tool up at GPOGUY.COM a couple of weeks back. It’s a new PowerShell v1 snap-in that does two things. The first is a cmdlet called Get-SDMGPOVersion, which lets you retrieve and show differences between GPO version numbers on a given DC, designed to spot AD and SYSVOL replication inconsistencies within GPOs. I would call it a PowerShell version of GPOTool.exe. The second cmdlet in the snap-in is called Invoke-SDMTouchGPO. This is basically a "touch" command for GPOs. What it does is, for a given GPO, increment the per-computer or per-user version numbers for the GPO. This tricks clients into thinking that "something" has changed within that GPO, and thus will trigger a refresh of the settings within that GPO. Or more specifically, it will trigger a full reprocessing of policy for a given client that is impacted by the GPO that was touched. This came up in a thread that I participated in on the ActiveDir.Org mailing list, and I thought it was worth putting something together. You can download it for free at the GPOGUY.COM Free Tools Site.
- Working with the folks at Windows IT Pro Magazine, I’ve created a one-day Group Policy Troubleshooting webinar next Thursday, June 25th. You can get more information and register for it at the link I just provided. It should be a good session–it’s a three-part training session that covers GP internals and GP processing basics, troubleshooting tools and techniques, and then advanced topics in GP troubleshooting. I’ll be on hand afterwards to answer questions during each session, as well! Check it out and see you there!
- Finally, I wanted to just call attention to some cool stuff Microsoft did recently in anticipation of the Windows 7 release. As you know, I’ve been a big advocate of enabling automation of Group Policy, primarily through PowerShell. Our SDM Software Group Policy Automation Engine was the first product on the market to let you read and write GP settings using PowerShell, when it shipped a couple of years ago. Recently the AppLocker feature team within Microsoft (AppLocker is the new replacement for Software Restriction Policies in Windows 7) announced availability of PowerShell cmdlets for getting and setting AppLocker policies within a GPO! This is all good stuff and provides a nice complement to what the GP product team is doing with PowerShell and registry settings in Win7. Check it out here: http://blogs.msdn.com/powershell/archive/2009/06/02/getting-started-with-applocker-management-using-powershell.aspx.
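The AD-versus-SYSVOL version check that Get-SDMGPOVersion and GPOTool.exe perform can be reproduced in a few lines of plain PowerShell. The following is an added example, not the SDM snap-in or any Microsoft tool: it reads a GPO's versionNumber from its AD container, reads Version= from the gpt.ini in SYSVOL, and splits both into the user and computer halves that the touch cmdlet increments. It assumes a domain-joined machine with read access to the policies container and SYSVOL; the function and output property names are mine.

```powershell
# Added example (not the SDM snap-in from the post): compare a GPO's version number in AD
# with the one in its SYSVOL gpt.ini, split into the user and computer halves. A mismatch
# between the two is the replication inconsistency Get-SDMGPOVersion / GPOTool.exe report.
# Assumes a domain-joined machine with read access to the policies container and SYSVOL.
param([Parameter(Mandatory = $true)][string]$GpoGuid)   # e.g. '{31B2F340-016D-11D2-945F-00C04FB984F9}'

function Split-GpoVersion {
    # The 32-bit GPO version packs the user version in the high 16 bits
    # and the computer version in the low 16 bits.
    param([int64]$Version)
    $v = $Version -band 0xFFFFFFFF          # AD stores an int32, so normalise a negative value
    New-Object PSObject -Property @{
        User     = [int][math]::Floor($v / 65536)
        Computer = [int]($v -band 0xFFFF)
    }
}

# AD side: the GPO container under CN=Policies,CN=System in the domain naming context.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$gpo      = [ADSI]"LDAP://CN=$GpoGuid,CN=Policies,CN=System,$domainDn"
$adRaw    = [int64]$gpo.Properties['versionNumber'].Value

# SYSVOL side: gPCFileSysPath on the same object points at the policy folder; gpt.ini is a
# tiny INI file whose [General] section carries Version=<n> and displayName=<name>.
$gptIni = Join-Path $gpo.Properties['gPCFileSysPath'].Value 'gpt.ini'
$m = Select-String -Path $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' | Select-Object -First 1
if (-not $m) { throw "No Version= line found in $gptIni" }
$sysvolRaw = [int64]$m.Matches[0].Groups[1].Value

$ad = Split-GpoVersion $adRaw
$sv = Split-GpoVersion $sysvolRaw
New-Object PSObject -Property @{
    GPO            = [string]$gpo.Properties['displayName'].Value
    AdUser         = $ad.User
    SysvolUser     = $sv.User
    AdComputer     = $ad.Computer
    SysvolComputer = $sv.Computer
    InSync         = ($ad.User -eq $sv.User) -and ($ad.Computer -eq $sv.Computer)
}
```

Run it against each DC (by binding to LDAP://<dc-name>/... and its local SYSVOL share) to see whether a version mismatch is AD-versus-SYSVOL on one DC or a replication lag between DCs.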
Well, enjoy those tidbits and I hope to be back blogging soon!
Darren
05.13.09
Posted in General Stuff at 6:01 pm by Administrator
I thought this was cool: http://blogs.technet.com/grouppolicy/archive/2009/05/12/group-policy-at-tech-ed-2009-mark-russinovich-demos-group-policy-powershell-cmdlets.aspx
Mark demo’d Microsoft’s upcoming Group Policy PowerShell cmdlets that will ship with Windows 7 and Server 2008 R2. I think it’s cool primarily because it validates the work we have done at SDM Software over the last couple of years to provide automation for Group Policy, with both our free GPMC cmdlets and our commercial Group Policy Automation Engine. Microsoft is providing something like 25 cmdlets in Windows 7 and Server 2008 R2 that will provide much of the same functionality as our free GPMC cmdlets. In addition, they are providing a set of what I call "teaser" cmdlets for automating a small portion of GP settings. Specifically, they will provide a set of cmdlets to get and set registry policy (i.e. Administrative Templates, but without the ADM or ADMX view of the world) and also registry settings through the Group Policy Preferences Registry extension.
The cool part about this is that it gets people thinking about how they can automate the auditing and management of GP settings using Powershell. And when they run out of capabilities with the built-in cmdlets, well our GP Automation Engine will be waiting in the wings to provide the ability to script reading and writing of not just Admin. Template policy, but also Security policy, Software Installation, Folder Redirection, IE Maintenance, Scripts policy and all of GP Preferences.
04.22.09
Posted in General Stuff at 11:15 am by Administrator
If you’re planning on being at the Microsoft Management Summit next week, I’ll be presenting a Group Policy Troubleshooting session there on Wednesday morning. Stop by and say hi or attend the session or the Birds of a Feather I’ll be doing that evening at around 5:30pm!
Darren
Tags: Microsoft Management Summit, Group Policy Troubleshooting