September 01, 2008

Good article on Group Policy & Security Compliance

I thought this Information Week article did a good job of articulating the challenges of security compliance on Windows, and the use of Group Policy as the first line of defense here. Most folks have been using GP to lock down their desktop systems for a while now, but the reality is that Group Policy is THE mechanism for managing security configuration if your targets are Windows desktops and servers. However, there are challenges that folks have to deal with, as the article points out. Knowing whether policy actually worked across your environment, especially for sensitive security configurations, is a tough problem to solve. It's one of the reasons that we have been working to release the Group Policy Compliance Agent, which is a new product that will run on your Windows servers and desktops, and will collect vital statistics about GP processing. Most importantly, the agent will be able to optionally validate that settings that are reported by Resultant Set of Policy (RSoP) have actually been made successfully in the system's registry or security configuration. This will go a long way towards closing the loop between setting policy and hoping that it has actually applied, let alone being able to prove it to your auditors!

Tags:

Group Policy Compliance, SDM Software

August 22, 2008

Picking up Computer Group Membership Changes without a Reboot

One of the irritating side effects of using Group Policy security group filtering on computers is that, if you change a computer's group membership, you either had to reboot the computer or wait the default 7 days for the computer's Kerberos ticket to expire before it picked up its new group membership. Recently however, there was a thread on the ActiveDir.org mailing list about this. Steve Linehan--resident AD smart guy at Microsoft--posted that in Server 2008, Microsoft added some switches to the klist.exe utility that you could use to force a refresh of the server's tokens, and thus pick up group membership changes without a reboot. The command format for doing that is:

klist -li 0x3e7 purge

You have to run this command from an elevated prompt on Server 2008. Unfortunately, on Vista, klist is not included, though Steve mentioned that Vista has all the plumbing to support it. I tried the easy route--which was simply copying klist.exe from Server 2008 to Vista, but it failed with resource errors, so I suspect something else is missing.

Of course, this approach is all great, but what about those Server 2003 boxes you have that you need to pick up group membership changes on, but that you can't reboot? Well, thanks to a comment by Dean Wells on this thread, I did some experimenting and there is a way to do this on Server 2003 (and presumably XP as well)! First off, you need to get hold of klist.exe from the Server 2003 Resource Kit Tools. Once you have that on your 2003 box, you need to fire up a command shell running as LocalSystem. The easiest way to do that is to simply use the AT.exe task scheduler command line to run a command shell. Because AT runs as LocalSystem, the resulting command shell that is opened up is also running as LocalSystem. So, for example, if right now it's 15:30 and I want to open up my command shell at 15:31, I would type:

AT 15:31 /interactive cmd.exe

That means that in one minute, a command shell will appear on my server console running as LocalSystem. Once I've got that, I simply need to use the following syntax with klist:

klist purge

When you do that, you will likely see a number of y/n prompts, one for each ticket. Simply say y to each one and once it's done, the machine should now know about its new group membership. I tested this by setting a GPO to deny a particular computer group. I ran klist purge and then gpupdate /force and sure enough, the policy settings I had denied were removed!

Thanks to Dean Wells for this tip--it's a great one!
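The Server 2008 variant of the procedure above, wrapped so the result can be checked, as an added PowerShell example that is not part of the original post. It assumes Server 2008 (where klist.exe is built in), an elevated PowerShell session, and English-language gpresult output; the group name and the Kiosk-Computers sample are constructed values.

```powershell
# Added example (not from the original post): purge the computer's own
# Kerberos tickets so a security-group change is picked up on the next
# Group Policy pass, then read back which groups the policy engine used.
# Assumes Server 2008, an elevated session, and English gpresult output.

function Get-ComputerPolicyGroups {
    # gpresult lists the groups in the computer token at the last policy
    # pass under this heading, followed by an underline row and the names.
    $header    = 'The computer is a part of the following security groups'
    $lines     = gpresult /r /scope:computer
    $groups    = @()
    $inSection = $false
    foreach ($line in $lines) {
        if ($line -match $header) { $inSection = $true; continue }
        if ($inSection) {
            if ($line -match '^\s*-+\s*$') { continue }   # underline row
            if ($line.Trim() -eq '')      { break }       # end of the section
            $groups += $line.Trim()
        }
    }
    return $groups
}

function Update-ComputerGroupMembership {
    param([string]$ExpectedGroup)   # constructed sample: 'Kiosk-Computers'

    Write-Host "Tickets cached in the SYSTEM logon session (0x3e7) before purge:"
    klist -li 0x3e7

    # Discard the machine's cached tickets; the next authentication obtains a
    # fresh TGT whose PAC carries the current group membership.
    klist -li 0x3e7 purge

    # Force a policy pass for the computer side only.
    gpupdate /target:computer /force | Out-Null

    $groups = Get-ComputerPolicyGroups
    if ($ExpectedGroup -and ($groups -contains $ExpectedGroup)) {
        Write-Host "Policy engine now sees group $ExpectedGroup"
    } elseif ($ExpectedGroup) {
        Write-Warning "$ExpectedGroup not in the computer token; confirm the change replicated to the DC this box uses."
    }
    return $groups
}

# Usage (constructed sample group name):
Update-ComputerGroupMembership -ExpectedGroup 'Kiosk-Computers'
```

The gpresult check is what makes this useful in practice: it shows the token Group Policy actually evaluated, which is exactly what security group filtering keys off, rather than what AD says the computer's membership should be.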

Tags:

Group Policy, Computer Groups, Klist

July 30, 2008

Enjoying Vista? Sure, why not.

I suppose the din of Vista haters has been increasing lately to the point where I've actually noticed it. Last week, I read a blog post from my good buddy Jackson Shaw, who expressed his frustrations over Vista and IE7. And of course the technology press and analysts have been all over the apparent lack of "goodness" in Vista, with analysts trying hard to outdo each other about recommending or not recommending that organizations go to Vista. Well, and then there are those silly Mac ads that have been on forever. I like the Mac, but come on.

In any case, I figured I would break from my summer blogging hiatus to briefly blog about my own Vista experiences. Of course, as a Windows technology person, someone who writes and develops for Windows, I'm going to have a particular viewpoint about things, but I wanted to try and blog as objectively as possible about my own experiences. I've been using Vista now for almost two years. I think I first installed it on my primary desktop machine when the first RC came out and have been running it steadily ever since. Here are some highlights:

  • I'm running it on a Dell server box that has a 16-bit video card wedged into an 8-bit slot (don't ask). In all the time I have had it on this box, I have not had one crash or blue screen. And I install a heck of a lot of crap on my machine (Add/Remove Programs currently reports 197 applications installed!)
  • Application incompatibilities have been minimal. For those apps that did not work, I was generally able to work around it or get updates for the apps.
  • Driver availability has been good. The only thing I was not able to get working was an old Motorola Bluetooth adapter, and frankly I haven't tried it again since SP1.
  • The biggest gripe I've had with older versions of Windows is that, over time, they would get what I called "bit rot". Basically, with more stuff installed and more crap on the hard drive, they would get slower and slower, to the point that I would typically have to re-image every year or so, which, I can tell you, is no fun with the amount of stuff I have on a typical system. I have not yet re-imaged my Vista system after almost 2 years and, while it's not as zippy as it first was, it is still performing quite well. I will likely re-image it sometime in the near future, just to clear out some of the flotsam, but it won't be because it has slowed to a crawl.
  • From a usability perspective, I turned off Aero Glass a while back, after I got over the gee-whiz factor, and have not seen a need to have partially transparent windows since then. In fact, most of the whiz-bang UI things I rarely use or need. The things I need the most, which are for apps to just run and for the desktop as a whole to respond quickly, happen consistently. The big thing I hated about XP was those inexplicable hangs where the whole desktop would just decide to take a lunch break. I have had little to none of those on Vista. The only thing it occasionally does, which bugs the heck out of me, is fail to respond to my urgent requests to end some task. It seems to have to think about it, then try to tell Microsoft all about it before letting me do something. I would prefer a little less of that and a little more kill, kill, kill.
  • Perhaps my biggest gripe with Vista is UAC, and mostly because of the kind of work I do. I don't like that, even as an administrator, UAC seems to block me from doing certain things unless I elevate privileges. And, whenever I build software intended for Vista, I have to worry about and work around customer problems with UAC. Usually, if something isn't working, I tell the customer to make sure they are doing whatever they are doing from an elevated prompt, but that's a pain. They need to make it easier for me to build apps that do that for them. Also, installations--I don't want to have to always fire up an elevated command prompt whenever I want to make sure an installation is really working. Frankly, some of this may be my own lack of knowledge about how UAC works under the covers, but it's just too complicated for my tastes.
  • The other dev-related issue I have with Vista is very particular. They have made it too hard for applications to store per-computer application-related data that a normal user can write to. If I don't want to put app data in per-user locations then I'm stuck trying to work around the tighter permissions and UAC. That's a pain and I don't like it.

So, that sums up my Vista experiences. Overall I think Vista is a big improvement--from a speed, stability and security perspective, over XP. Just a few tweaks here and there and I think it would be a great OS. What do you think?

Tags:

Windows Vista

June 30, 2008

GP Change Auditing

The folks at NetWrix have just announced their newest product--Group Policy Change Reporter. The product comes in both a freeware and commercial version and can provide detailed change reporting on who made changes to GPOs, what settings were changed and when. It comes with a number of out-of-the-box reports as well.

Check it out!

June 18, 2008

Scripting/SysAdmin Meme

I noticed that Jeff Hicks called me out on his blog for the Scripting/SysAdmin Meme, so I figured I would follow through with the chain and answer the questions here:

How old were you when you started using computers?

I was about 15.

What was your first machine?

The first computer that I used was probably a Cromemco multi-user system in High School or the original Apple computer. The first computer I owned was an Atari 800 that I got for Christmas in 1978 :).

What was the first real script you wrote?

Hmm. Well, my first language was BASIC--not sure that is really a scripting language but it approximated that on the Atari. But in terms of real scripting languages it was probably DOS batch.

What scripting languages have you used?

DOS batch, Fastlane FINAL, Perl, VBScript, JScript, PowerShell. Probably missing a couple in there.

What was your first professional sysadmin gig?

My first job out of college, as I struggled to be a bike racer, was part-time warehouse guy and part-time computer guy for a small computer leasing company. I did some basic maintenance and Paradox development. My first real sysadmin job was for an environmental consulting company. When I started, they had a Sun TOPS network based on AppleTalk!!

If you knew then what you know now, would you have started in IT?

Excellent question. Not sure. IT has changed a lot, and there are a lot of things I don't like about it. I think I might have spent more time in development if I knew then what I know now.

If there is one thing you learned along the way that you would tell new sysadmins, what would it be?

What worked for me may not work for others, but I made a conscious decision to reach out and help people. This started with the early winnt-bhs mailing list on Compuserve in the mid-90s and continues today. I think this business is all about spreading the knowledge, because there is so much to learn. So, if you want to advance your own career, help others as you learn. It brings many side benefits, including gaining a reputation that might lead to more interesting things than just fixing broken printers :).

What’s the most fun you’ve ever had scripting?

Scripting is one of those things that I did out of necessity, but I can remember a perl script that I had to write to change thousands of machines from static IP to dynamic. I was particularly proud of that at the time. I think now I get the most kick out of developing PowerShell cmdlets. Fun stuff.

Who am I calling out?

Brandon Shell

Dean Wells

Joe Richards

Sean Deuby

June 07, 2008

"I installed RSAT...where is GPMC?"

I've heard this question often enough since the Remote Server Administration Tools shipped that I thought it was worth blogging about it. After you install RSAT on your Vista SP1 machine, you won't find GPMC installed right away. You'll need to go into the Control Panel, Programs and Features applet to enable it. Once in Programs and Features, select the link on the left that says Turn Windows Features on and off. When the list of features comes up, navigate to Remote Server Administration Tools, Feature Administration Tools, Group Policy Management Tools and check that box to select the GPMC, as shown below.

(Screenshot: Installing GPMC from RSAT)

Then click OK and once the install completes, you will have GPMC!

Tags:

GPMC, RSAT, Group Policy

May 21, 2008

Updated Group Policy Book Now Available!

I just wanted to let everyone know that Microsoft Press has released a new version of the popular "Group Policy Guide" book that fellow GP MVP Derek Melber and I contributed to a couple of years ago. This time Derek took the project on himself and the result is a great companion for navigating the new features within Group Policy in Server 2008 and Vista! Everyone who is doing anything with Group Policy should have this book on their desk!

Tags:

Group Policy, Derek Melber

May 19, 2008

"Securing Windows Desktops with Group Policy" Webinar

Hey folks. I just wanted to let you all know that I will be giving a webinar about using Group Policy to create secure desktop configurations next week. The webinar is all about looking at the technology within Group Policy related to creating secure configurations. I'll also talk a little about how SDM Software's new Desktop Policy Manager product can help make the process of creating secure desktops using Group Policy much simpler. You can register for the webinar at http://www.bi101.com/go/secure_desktop/index.php. It's on May 29th at 11am Pacific Time (GMT-8). Hope to see you there!

Tags:

Group Policy, Desktop Policy Manager, Creating Secure Desktops

May 08, 2008

Group Policy Delegation

The other day I got a question about one of our free GPMC PowerShell cmdlets--namely, the Add-SDMgpoSecurity that lets you modify GPO security. One of the permissions that you can grant using the cmdlet is the GPO creation permission--which controls who can create GPOs in the domain. This particular questioner was wondering why they were getting an error when trying to set GPO creation permissions on a particular OU. The question made me think that a blog entry on Group Policy delegation was in order. So, for this particular issue I just described, the answer is relatively straightforward. You can only delegate creation of GPOs at the domain level. That is why, in GPMC, you will notice that when you click on the Delegation tab for a particular OU, you don't have the option to delegate GPO creation.

In fact, the only place you will see that delegation, is when you click on the "Group Policy Objects" node within a particular domain, and view the Delegation tab. So, the right to create GPOs in a domain is domain-wide. Now of course, if you delegate to someone the right to create a GPO, it does not necessarily give them the ability to make it "live". That ability requires a different kind of delegation--the delegation of linking. Remember that a GPO can be linked to an AD site, domain or OU. Each of these AD containers has a set of permissions associated with it. One of those permissions is the ability to write to the gpLink attribute on the container, and it is that permission that controls who can link a GPO to that particular site, domain or OU. You can, of course, delegate that permission without having to dig into the bowels of the AD ACL Editor, by using the GPMC--simply by clicking the Delegation tab while focused on a container object and then choosing "Link GPOs" as the permission you want to manage.

The final type of delegation I will mention is the ability to edit GPOs. Regardless of who creates a GPO, there is the separate ability to edit that GPO once it's created. When a GPO is created, it gets a set of permissions that are controlled by the defaultSecurityDescriptor attribute on the AD schema groupPolicyContainer object class. That default security descriptor controls which groups have which permissions on newly created GPOs. You can, of course, modify that attribute in your AD environment so that you can control which groups get what rights on all newly created GPOs (see KB article http://support.microsoft.com/kb/321476/en-us for more information), but you may also want to modify the ability to edit GPOs after they are created. For that, GPMC again provides the answer. You simply need to highlight a particular GPO, choose the Delegation tab and from there you can set permissions for who can edit a GPO or who can edit, delete and modify the security on a GPO. It's also important to note that these permissions are stored on the GPO object itself, not the link or container object. So, while you can link a GPO to any number of AD containers, keep in mind that the permissions on that GPO in terms of who can read and write it remain constant, regardless of where it's linked.

Finally, I will mention a slight variation on the GPO delegation I just described. The ability for a computer or user to process a GPO is just a different kind of delegation on that GPO. Namely, by granting a user or computer (or a group to which they belong) the Read and "Apply Group Policy" rights on a GPO, that user or computer is allowed to process that GPO, assuming it's properly linked to them within the AD hierarchy. Strangely, this particular delegation is listed in two places within GPMC. If you highlight a GPO, you will see it under the Scope tab, in the "Security Filtering" listview, and you will also see that same delegation listed on the Delegation tab for that GPO, except that it will say "Read (from Security Filtering)" next to the security principal name to indicate that the permission being granted is really the ability to process the GPO. Confused yet?

Of course, all of these delegation operations are supported in our free PowerShell GPMC cmdlets as well!
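Since each of the delegations above is just an ACE on an AD object, you can audit them without GPMC. The following is an added PowerShell example, not the post's code and not SDM Software's cmdlets: it reads the ACLs through [ADSI] and reports who can link GPOs to a container (write access to gPLink), who can apply a GPO (the "Apply Group Policy" extended right), and who can edit a GPO (write access to the groupPolicyContainer object). The two GUIDs are the well-known ones for that extended right and the gPLink attribute; the OU path is a constructed sample in the cpandl.com domain used elsewhere on this blog.

```powershell
# Added example (not from the post or SDM Software): audit the three kinds
# of Group Policy delegation straight from AD ACLs. Assumes a domain-joined
# session with read access to the objects' security descriptors.

# Well-known GUIDs: the "Apply Group Policy" extended right and the gPLink attribute.
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$GpLinkAttribute       = [Guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
$Rights                = [System.DirectoryServices.ActiveDirectoryRights]

function Get-AdAccessRules {
    param([string]$LdapPath)
    $obj = [ADSI]$LdapPath
    # Explicit and inherited rules, with trustees resolved to DOMAIN\name.
    return $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
}

function Get-GpoLinkDelegation {
    # Who can link GPOs to this site/domain/OU: WriteProperty on gPLink
    # (an ACE with an empty ObjectType covers all properties).
    param([string]$ContainerPath)
    Get-AdAccessRules $ContainerPath | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $Rights::WriteProperty) -ne 0) -and
        ($_.ObjectType -eq $GpLinkAttribute -or $_.ObjectType -eq [Guid]::Empty)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-GpoApplyDelegation {
    # Who can process this GPO: the Apply Group Policy extended right.
    # Read is also needed; GPMC's Security Filtering grants both together.
    param([string]$GpoPath)
    Get-AdAccessRules $GpoPath | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $ApplyGroupPolicyRight -or $_.ObjectType -eq [Guid]::Empty)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-GpoEditDelegation {
    # Who can edit this GPO: write access to the whole groupPolicyContainer
    # object (GenericAll and GenericWrite both include WriteProperty).
    param([string]$GpoPath)
    Get-AdAccessRules $GpoPath | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $Rights::WriteProperty) -ne 0) -and
        $_.ObjectType -eq [Guid]::Empty
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# Constructed sample paths: an OU in cpandl.com and the Default Domain Policy GPO.
$ou  = 'LDAP://OU=Workstations,DC=cpandl,DC=com'
$gpo = 'LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cpandl,DC=com'

"Can link GPOs to $ou"; Get-GpoLinkDelegation $ou
"Can apply $gpo";        Get-GpoApplyDelegation $gpo
"Can edit $gpo";         Get-GpoEditDelegation $gpo
```

Reading the ACLs this way makes the post's point concrete: the apply and edit rights travel with the GPO object wherever it is linked, while the link right lives on each container, so a review of "who can change policy" has to look at both.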

 

Tags:

Group Policy, PowerShell, GPMC

May 01, 2008

It's not all about Group Policy...

Well, it's been a while since my last blog post and this being the 1st of May, I thought I would take the opportunity to write a new entry. The last few weeks have been busy. As I've already mentioned, we released our Desktop Policy Manager product in early April. Then I was at the MVP Summit in Redmond. That was very cool. Of course, all the details are NDA, but it's a great opportunity for MVPs to have in-depth discussions with product teams and this year was no exception. The Group Policy product team is full of some really smart, energetic folks with lots of cool ideas. This is always a good environment in which to share thoughts and brainstorm on the technology and there was plenty of that. And even though I probably used up my allocated talking time (it's hard to shut me up once I get going), I found the whole week to be very useful.

The following week I took a much needed vacation, visiting the Central Coast of California. If you ever get a chance to spend time in this area, it's definitely worth it. Much less crowded than Los Angeles, but with some good beaches and, even better, some great wineries. We managed to visit quite a few of the latter, and since wine is a bit of a hobby/obsession for me, it was an opportunity to sample some new wines. One of my favorite wineries, and one that should not be missed, is a winery called Linne Calodo. They specialize in Zinfandel and Rhone blends and while their wines are a bit on the pricey side, they were incredible. Other wineries that I really enjoyed include Four Vines and Tablas Creek. Four Vines got the prize for most interesting labels. Their wines had names like Naked Chardonnay, Heretic and Anarchy. Cool.

Yesterday I spent a quick day at the Microsoft Management Summit (MMS) in Las Vegas, which is usually about as much Vegas as I can handle. It was a great opportunity to meet with folks and I got to see old friends that I don't get to visit with very often, like the guys at SpecOps (my favorite Group Policy vendor...well, besides SDM Software)--many of whom live in Sweden and don't get a chance to get over here very often--as well as the folks at NetPro.

MMS is always a good show for showcasing Microsoft's latest management technology and this show was no exception. And while I did not attend any talks, I did hear the buzz about the new System Center Virtual Machine Manager product that is in development and was demo'd at the show, as well as general directions for the System Center product line. PowerShell was also prominently discussed and I heard that every attendee got a PowerShell book in their show bag!

Well, since this is a Group Policy blog, I'd be remiss if I didn't mention *something* about Group Policy. I'm working on an update to our GPMC cmdlets to add support for some of the new features introduced in Server 2008, like Starter GPOs and GPO comments. Keep an eye out on this blog for an update when it's finished!

Tags:

Group Policy, PowerShell, Linne Calodo, MMS, Desktop Policy Manager

April 01, 2008

Another GP Offering for Unix/Linux

I saw an announcement today by Symark that they are now entering the AD/Unix/Linux authentication space already populated by folks like Vintela, Centrify and Likewise. Symark has been around for a while but were focused more on policy-based management of Unix/Linux system security rather than Windows integration. But that changes with their new ADVantage solution, which puts them squarely into this crowded market. Most interestingly for me, they are yet another vendor offering Group Policy management of Unix/Linux systems. From screenshots on their site, it appears that they've taken the same approach as some of the other vendors of extending Group Policy using custom ADM templates that get read and translated by non-Windows systems into meaningful configuration commands for those platforms.

It will be interesting to see where this goes. That now makes 4 vendors that I know of who are doing heterogeneous Group Policy management, so it will be interesting to see if this market moves forward from managing basic configuration options on non-Windows platforms to doing the really interesting systems and application configuration tasks that could be done using this technology. So far, from what I've seen, most of these folks have taken baby steps in terms of what is possible. Maybe a new player in the space will urge all of them forward!

Tags:

Group Policy, Symark, Unix-Linux Group Policy Management

March 28, 2008

Launching the new GP Management Editor from the command-line

If you've installed the new Remote Server Administration Tools (RSAT) on Vista SP1, you will notice some subtle changes in the Group Policy Editor. Namely, if you type gpedit.msc like you used to in the pre-RSAT days, you will still launch the GP Editor, focused on the local GPO, but you won't see the new Group Policy Preferences namespace, as you do when you launch GP Editor focused on a domain GPO. This is simply because GP Preferences are not supported on the local GPO.

In addition, as I've had up on my GPOGUY.COM FAQ for a while, in the pre-RSAT days you could launch GP Editor, focused on a domain-based GPO by using the following syntax:

gpedit.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cpandl,DC=com"

The above command would launch GP Editor, focused on the Default Domain Policy in the cpandl.com domain. But if you try that on an RSAT-installed Vista SP1 system, you will get the Default Domain Policy, but you won't see any of the Group Policy Preferences options. Ok, so there must be a way around this, right?

Correct! It's called gpme.msc, or the Group Policy Management Editor MMC snap-in tool. So, if we take the above syntax, and change it up a bit:

gpme.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cpandl,DC=com"

We get the desired result, which is the GP Management Editor launching focused on the Default Domain Policy, and showing the GP Preferences namespace! Success...
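Typing the GPO's GUID by hand gets old quickly, so here is an added PowerShell example (not from the original post) that looks up a GPO by display name under CN=Policies,CN=System and launches gpme.msc focused on it. It assumes RSAT on Vista SP1 (so gpme.msc is present) and a domain-joined session; the display name in the usage line is the Default Domain Policy discussed above.

```powershell
# Added example (not from the post): resolve a GPO's LDAP path from its
# display name and open it in the Group Policy Management Editor (gpme.msc),
# which, unlike gpedit.msc, shows the Group Policy Preferences namespace.

function Get-GpoLdapPath {
    param([string]$DisplayName)
    $root     = [ADSI]'LDAP://RootDSE'
    $domainDn = $root.Get('defaultNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
    $searcher.SearchScope = 'OneLevel'
    # Escape LDAP filter metacharacters so a display name cannot alter the query.
    $safe = $DisplayName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$safe))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No GPO named '$DisplayName' found in $domainDn" }
    return $result.Path   # LDAP://CN={GUID},CN=Policies,CN=System,DC=...
}

function Start-GpmeForGpo {
    param([string]$DisplayName)
    $path = Get-GpoLdapPath $DisplayName
    # Same /gpobject syntax as the command in the post, driven through mmc.exe.
    Start-Process -FilePath 'mmc.exe' -ArgumentList "gpme.msc /gpobject:`"$path`""
}

# Usage: open the Default Domain Policy in GPME.
Start-GpmeForGpo 'Default Domain Policy'
```

Swapping gpme.msc for gpedit.msc in Start-GpmeForGpo reproduces the behavior the post describes: the editor opens on the same GPO but without the Preferences nodes.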

 

Tags:

Group Policy Preferences, GPEdit.MSC, GPME.MSC, RSAT

February 26, 2008

Group Policy Preference CSEs Now Available for Download!

One of the members on our GPTalk mailing list just informed me that the Client Side Extension (CSE) packages for the new Group Policy Preference product are now available on the Microsoft download site. These are the installs that allow Windows clients to process the new Group Policy Preference settings. You can find them all, including those for XP and 2003, by searching on "Group Policy Preference". Still no sign of the Remote Server Administration Tools (RSAT) download but I suspect it will be here soon.

Tags:

Group Policy, Group Policy Preference

February 11, 2008

More GP Q&A Resources

Well, in addition to my earlier blog post about resources for getting Group Policy help, Microsoft has fired up a new TechNet GP 2008 Forum. Check it out!

Tags:

Group Policy, TechNet

February 08, 2008

Got Group Policy Problems?

Every once in a while I like to mention that we have a great resource for asking questions and getting answers related to Group Policy. As you may know if you've read my blog for a while, I started the gpoguy.com website several years back as a free resource for GP info, tools and videos. While I don't get as much time as I'd like to update that site these days, one great resource that is available is the GPTalk mailing list. The mailing list is about 340 people strong at the moment and is a great resource that you can subscribe to for asking questions about GP and getting answers. There are some smart people that hang around the list and it's always interesting to see what folks are doing with GP.

Tags:

Group Policy, GPTalk, GPOGUY.COM

February 04, 2008

Webinar on Group Policy for Mac

Just an FYI that the guys over at Centrify are hosting a webinar to talk about their Group Policy implementation for non-Windows systems, including Linux/Unix and the Mac. Fellow GP MVP Jeremy Moskowitz is providing color commentary as well so it should be a good show. Check it out!

January 17, 2008

Group Policy Performance and Security Policy

If you haven't already seen it, check out my article in this month's TechNet Magazine on "Optimizing Group Policy Performance". The article goes into a fair bit of detail about things you can do (or not do) to ensure that GP performance is good on your Windows systems. But one thing I didn't get into is how some specific Client Side Extension (CSE) behaviors can cause performance slowdowns. I received an email from someone at Microsoft asking about this yesterday. His specific question was around the performance impact of using GP to set file system or registry security. GP today has that capability under Computer Configuration/Windows Settings/Security Settings/File System (or Registry). But of course, if you use this feature against large numbers of files or folders (or registry keys), it's going to take a while to modify ACLs on those objects, just as it would if you were doing it through Explorer. But his question had to do with the impact of this on system performance if GP processed these ACL changes every time processing ran. The answer, of course, is that GP processes security settings only when one of several situations occurs. First, if *something* changes in the GP environment, a client will process those changes during the next processing cycle (I talk about what those changes could be in the article).

The other scenario where security policy would process every time GP processes is if an administrator explicitly told it to do so by setting the per-computer policy at Computer Configuration\Administrative Templates\System\Group Policy\Security Policy Processing\Process even if the Group Policy Objects have not changed. Now of course, enabling this setting can have a very obvious impact on system performance if what you're doing in security policy are expensive operations like file system re-ACLing. But if not, the advantage of using this setting is that you ensure that, every 90 minutes or so, any security policy you have defined will be re-applied, just in case a pesky user figured out a way to undo it (which they should not be able to if they are not administrator on their systems, right????). But in general, I would leave this setting alone.

The third scenario where security policy would process is by virtue of its own built-in behavior. That is, the Security CSE will process security policy every 16 hours by default, regardless of what else is happening. This is a failsafe that MS decided to put into security policy so that security policy will get re-applied even if the environment is reasonably static. You can actually modify this interval to be something other than 16 hours via a registry tweak (I actually created a custom ADMX file for this that will be on the CD in the upcoming Windows Server 2008 Resource Kit book, which I wrote the GP chapter for). The registry tweak info can be found at http://support.microsoft.com/kb/277543/en-us.
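To see which of the three reprocessing scenarios above apply to a given machine, here is an added PowerShell example (not from the post) that reads the two relevant registry values and reports them. It assumes an elevated session on the computer being inspected. The value names are the ones documented for the Security CSE: NoGPOListChanges under the policy key (written by the "Process even if the Group Policy objects have not changed" setting) and MaxNoGPOListChangesInterval under the CSE's GPExtensions key (the 16-hour interval from KB 277543, stored in minutes). The script only reads; it does not change either value.

```powershell
# Added example (not from the post): report how the Security CSE on this
# machine is configured to reprocess security policy. Read-only.
# Assumes an elevated session; value names as documented for the Security CSE.

$SecurityCseGuid = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'   # Security CSE GUID
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$SecurityCseGuid"
$CseKey    = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$SecurityCseGuid"

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    # Missing key or value means "not configured": fall back to the default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-SecurityCseProcessing {
    # NoGPOListChanges = 0 means the CSE runs every refresh even if no GPO
    # changed; absent or 1 means it runs only when something changed (plus
    # the periodic failsafe below).
    $noListChanges = Get-RegValueOrDefault $PolicyKey 'NoGPOListChanges' $null
    # Failsafe reapply interval in minutes; 960 = 16 hours is the default.
    $intervalMin   = Get-RegValueOrDefault $CseKey 'MaxNoGPOListChangesInterval' 960

    New-Object PSObject -Property @{
        ProcessEvenIfUnchanged = ($noListChanges -eq 0)
        FailsafeIntervalHours  = [math]::Round($intervalMin / 60, 2)
        FailsafeIsDefault      = ($intervalMin -eq 960)
    }
}

$cfg = Get-SecurityCseProcessing
$cfg | Format-List
if ($cfg.ProcessEvenIfUnchanged) {
    Write-Warning 'Security policy re-applies on every refresh; file system or registry ACL settings in GPOs will run each cycle.'
}
if (-not $cfg.FailsafeIsDefault) {
    Write-Warning "Failsafe interval is $($cfg.FailsafeIntervalHours) hours rather than the 16-hour default."
}
```

Running this before and after an expensive File System or Registry security setting is added to a GPO tells you whether that ACL work will happen once per change, every 90 minutes, or every 16 hours.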

Tags:

Group Policy, Security Policy, TechNet Magazine

January 15, 2008

Group Policy Preferences

I sat in on a Microsoft webcast presentation of the upcoming release of Group Policy Preferences, which I blogged about earlier. This is the old DesktopStandard PolicyMaker stuff for extending Group Policy to do much more than it does today. While I used to work with the DesktopStandard folks and had seen PolicyMaker up close, it was interesting to hear about how Microsoft plans to make this available, and what has changed. The biggest piece of news for me is that you don't have to have a Server 2008 license to use this stuff in XP and Server 2003. Essentially what you'll need is the Client Side Extension install for your XP or Vista clients, and then the RSAT administrative tools pack for administering the new Preferences. RSAT will add the snap-ins to the GP Editor (and presumably also make some extensions to GPMC) to allow you to view and edit those new Preferences settings. Cool.

The other thing that remains intact for Preferences, from the old PolicyMaker product, is the ability to do per-setting targeting. What does this mean? Well, imagine being able to, within a single GPO, have 60 settings that are each targeted based on criteria ranging from the IP address of the client, to hardware configuration, to security group membership, to whether it's a laptop or desktop machine, and on and on. Can you say "power and complexity"? This is a very powerful feature but I can also quickly see how it can be abused to no good end. This is especially true as it does not appear that the RSoP reporting in GPMC will support evaluation of these targeting criteria. That means that if you are using these fine-grained targeting methods, you won't be able to see if a given user or computer is receiving a policy setting because of them. That will be interesting and challenging!

The other thing of note is that the Outlook profile and MS Office settings that were part of the original PolicyMaker product will not ship when Group Policy Preferences do, but at some later time, due to apparent legal restrictions related to shipping Office components with the OS!

In any case, it continues to be lots of good news for being able to better manage your desktops and servers using GP going forward. Frankly, if you haven't already planned on how and when you will roll out support for Preferences to your existing desktops, I would seriously consider it now. These will be out of band additions for some time to come but you might as well take advantage of the capabilities that this thing brings as soon as possible.

Tags:

Group Policy, Microsoft, Preferences, Desktop Management

January 02, 2008

MVP Status & Community Resources

Well, for those of you out there who are Microsoft MVPs, you know that getting that email announcing that you've been renewed for another year is a good feeling. Since my MVP status expires at the year end, I usually get my notice on January 1st, which is a good way to start the year. Yesterday was no exception and for the 5th year in a row, I'm proud to be a Microsoft MVP for Group Policy. Given that the MVP status is all about community and helping folks with Microsoft technology, I think it's useful to point out some of the many resources that are available for folks to get help with Group Policy. This list is by no means complete but here goes:

-- The Microsoft Newsgroups: Microsoft.public.windows.group_policy & Microsoft.public.windows2000.group_policy

-- The Microsoft GP Wiki: http://grouppolicy.editme.com

-- Our GPOGUY.Com GPTalk Mailing List: This is a list with over 300 members that we provide through GPOGUY.COM to offer assistance with GP. You can subscribe at www.gpoguy.com/lists.htm

-- Mark Minasi's Forum: Mark maintains a great multi-topic forum (GP included) where you can find help on any number of issues at www.minasi.com/forum

-- GPAnswers.com Community: Jeremy Moskowitz, a fellow GP MVP, provides a bulletin board on his site at www.gpanswers.com where folks can ask questions on all manner of GP topics.

-- The ActiveDir.Org Mailing List: One of the best Active Directory mailing lists around is also a place to ask GP questions--lots of smart folks on this list to help with real-world problems. Join up at www.activedir.org.

If you've got GP questions, the good news is that there is no shortage of great, free resources out there to help!

Tags:

Group Policy, Microsoft MVP


December 31, 2007

Happy New Year!

I just wanted to take this time to wish everyone who is celebrating their new year tonight (or maybe already has celebrated!) a happy new year. 2008 should be a great year! 2007 brought many cool things, including the release of SDM Software's first product in the GPExpert Troubleshooting Pak, as well as Windows Vista adoption hitting the mainstream. PowerShell also hit the big time in 2007, and I expect more great things from it going forward.

2008 should be better than ever! In the world of Group Policy, Microsoft will ship the Group Policy Preferences (née DesktopStandard PolicyMaker) product early in 2008, which will open up a whole new area of desktop configuration management using Group Policy.

And, I look forward to bringing you more of what SDM Software has in store for Group Policy in 2008, including new and innovative products for better managing Group Policy backup and recovery, simplified policy-based desktop configuration management, new PowerShell stuff and more!

Best of luck to everyone in the New Year!

Darren


Tags: Group Policy, PowerShell, SDM Software, Microsoft


December 24, 2007

Some Holiday Reading...

If you were looking for something to do this holiday season with all that spare time, January's issue of TechNet Magazine has no fewer than 3 articles devoted to Group Policy, including an article I wrote on optimizing Group Policy performance.

Enjoy!

Tags:

Group Policy, TechNet

December 12, 2007

Bypassing Group Policy?

A while back, Mark Russinovich (the pre-Microsoft Mark Russinovich!) blogged about being able to circumvent some Group Policy using a DLL injection method that intercepted calls to the registry keys used by policy. He created a tool at the time called gpdisable that performed this interception as a regular user. Of course, since Microsoft acquired Winternals, that gpdisable tool was removed from existence. But a couple of weeks ago, someone else created an alternative, called GPCul8r, that uses the same technique to accomplish roughly the same thing.

Essentially what this tool does is intercept a process's calls to query registry values and, if it sees a query for one of a particular set of policy keys, it basically fakes the response, telling that calling process that the policy key was not found. Neat.

I think it's important to know that tools like this exist, but also to keep them in context. For example, if you want to use this tool to block policy for all applications, you would essentially have to be an administrator on the workstation to load it into the right registry key so that this happens automatically. Otherwise, you have to call this tool each time you launch an application. And if you're an administrator on a Windows workstation, well, there are much easier ways to disable Group Policy. Also, this tool only intercepts calls to registry policy, or any policy that stores itself in the registry--that includes Administrative Templates and Software Restriction Policies and a couple of other minor ones like disk quota policy. That means it doesn't impact things like security policy, folder redirection, etc. And the current version of this tool, as posted on the site, only intercepts or looks for a small subset of policy keys. Of course, the source code is included with the posting, so if you know C++, it is fairly trivial to include other keys as well.

The bottom line is that this tool can be used with limited effect by the smart user to bypass some policy. Also, it underscores the fact that allowing users to be administrator on their own workstations is effectively saying that you really don't care whether they receive Group Policy restrictions or not, because the intrepid administrative user can completely foil all policy (not just registry policy).

Finally, it may be worthwhile, given that this tool is floating around in the ether, to create a software restriction policy that specifically prevents this utility in its current form from executing. That's not to say that other variants won't show up out there. But at least for those folks who just download it as is and try it out, you can prevent them from getting around your policies!


Tags:

Group Policy, GPDisable, GPCul8r, Bypassing Group Policy

December 05, 2007

The Clash of the GPO Links

Someone emailed a question to the GPOGUY GPTalk mailing list today that I thought was worth chatting about. The question pertained to disappearing Group Policy links. Namely, he had a situation where links to GPOs would periodically disappear from Active Directory containers. I thought this was interesting as it brings up one of the poor design decisions that MS made around this particular facet of Group Policy. Specifically, Group Policy links are stored within the gpLink attribute on an AD container (in the case of GP, the container is a site, domain or OU object). But it's how they are stored that is the problem. Links are stored as a concatenated list of strings that specify the DN of the groupPolicyContainer object in AD. In addition, the state of the link (e.g. enforced, disabled, enabled) is also stored as a flag within this string. For example, an OU's gpLink attribute with multiple GPOs linked to it would look something like this:

[LDAP://cn={517989E5-C167-4446-9546-9FE44D05A094},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={D9F534B5-FE52-4EA2-9358-F90D14006700},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={67F306D6-ED52-4EC2-A624-12389418C38F},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={A2CA94A8-27AC-4FEE-9D10-6C39B810B6C5},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={2784512F-F4E0-4F4A-8CDA-D05C5798934D},cn=policies,cn=system,DC=cpandl,DC=com;1][LDAP://cn={0AA65012-F87F-4281-988A-62081B9F3686},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={A9E790E5-9963-40F9-A479-BD68DEDD921C},cn=policies,cn=system,DC=cpandl,DC=com;1][LDAP://cn={95C79242-CE65-4BF8-AC87-7678D2A85EA3},cn=policies,cn=system,DC=cpandl,DC=com;1][LDAP://cn={3C41D4AE-CCDF-4640-998D-D9A24EC48086},cn=policies,cn=system,DC=cpandl,DC=com;0]

Each link is delimited by brackets ([]). The flags that control the behavior of the link follow the DN and are delimited by semi-colons (;). So, what's wrong with this picture?

Well, think about the problems that MS had with AD security group membership when they shipped Windows 2000. Group memberships were stored in AD such that someone making a change to a group's membership on one DC could overwrite a membership change happening on another DC, because the membership was treated as a single object. You had to be really careful about where you modified memberships. Then MS introduced linked value replication (LVR) and that problem basically went away.

Well, you have the same problem here with GP links, except it's a bit worse. Group memberships in AD are stored as links--i.e. they are references to member objects rather than just strings of member names. Not so with GP links, which have no association to the underlying GPO they reference. So, you have two problems here--one not so big and one really big. The not-so-big problem is that if you want to find out where a particular GPO is linked, you have to search every container object and do string matching to find that GPO's DN on the container. That's a pain, but not terrible unless you have really big environments. The bigger problem is around making link changes. Because all links are held in essentially one big long string on the gpLink attribute, if two people make a link change on the same container from two different DCs, the last writer will overwrite the first writer completely. Meaning that if Admin A removes a GPO link or disables a link, and then Admin B comes along shortly thereafter, before Admin A's changes have replicated, and makes another change, the GPO link that Admin A removed or modified will get replicated back, because Admin B's change comes later.

Obviously GPMC mitigates this issue somewhat by defaulting to always focus on the PDC emulator, but you can tell it to make changes against different DCs, and that's where problems can occur. It would have been much better if MS had made the gpLink attribute store links to GPO objects rather than strings.
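As an added example (not code from this post, and not the SDM cmdlets), here is a small Python parser for the gpLink format shown above, plus a simulation of the last-writer-wins overwrite described in the previous paragraphs. The disabled/enforced bit values are an assumption taken from the documented GPO link options, and the sample attribute value is constructed from three of the DNs quoted above.

```python
import re
from typing import Dict, List, Tuple

# Link option bits stored after the ';' in each gpLink entry. The post only says the
# link state is a flag; the specific bit values are an assumption taken from the
# documented GPO link options: bit 0 = link disabled, bit 1 = link enforced.
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2

# One entry per bracket pair: the DN sits between "LDAP://" and ";", the flags after it.
ENTRY_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]")

# Constructed sample value, built from three of the GPO DNs quoted in the post.
GPO_A = "cn={517989E5-C167-4446-9546-9FE44D05A094},cn=policies,cn=system,DC=cpandl,DC=com"
GPO_B = "cn={2784512F-F4E0-4F4A-8CDA-D05C5798934D},cn=policies,cn=system,DC=cpandl,DC=com"
GPO_C = "cn={A9E790E5-9963-40F9-A479-BD68DEDD921C},cn=policies,cn=system,DC=cpandl,DC=com"
SAMPLE_GPLINK = f"[LDAP://{GPO_A};0][LDAP://{GPO_B};1][LDAP://{GPO_C};2]"


def parse_gplink(gplink: str) -> List[Tuple[str, int]]:
    """Split a gpLink value into (GPO DN, flags) pairs, keeping the link order."""
    return [(dn, int(flags)) for dn, flags in ENTRY_RE.findall(gplink)]


def format_gplink(links: List[Tuple[str, int]]) -> str:
    """Serialize links back into the single concatenated string AD stores."""
    return "".join(f"[LDAP://{dn};{flags}]" for dn, flags in links)


def describe_flags(flags: int) -> str:
    """Human-readable link state, e.g. 3 -> 'disabled+enforced'."""
    state = ["disabled" if flags & LINK_DISABLED else "enabled"]
    if flags & LINK_ENFORCED:
        state.append("enforced")
    return "+".join(state)


def containers_linking(gpo_dn: str, containers: Dict[str, str]) -> List[str]:
    """Find where a GPO is linked: the string search over every container the post
    describes. `containers` maps a container DN to its gpLink value."""
    return [
        container for container, gplink in containers.items()
        if any(dn.lower() == gpo_dn.lower() for dn, _ in parse_gplink(gplink))
    ]


def simulate_concurrent_edit(gplink: str, remove_dn: str, disable_dn: str) -> List[Tuple[str, int]]:
    """Reproduce the lost update: Admin A removes one link and Admin B disables another,
    each starting from the same pre-replication value on a different DC. Because the
    whole attribute is written back as one string, B's later write replaces A's."""
    a_view = [(dn, f) for dn, f in parse_gplink(gplink) if dn != remove_dn]
    written_by_a = format_gplink(a_view)                        # A's write lands on DC1
    b_view = [(dn, (f | LINK_DISABLED) if dn == disable_dn else f)
              for dn, f in parse_gplink(gplink)]                # B never saw A's removal
    written_by_b = format_gplink(b_view)                        # later write wins
    assert remove_dn not in written_by_a and remove_dn in written_by_b
    return parse_gplink(written_by_b)
```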

As for tools for managing GPO links, besides GPMC, I will of course mention the free PowerShell GPMC cmdlets we have, that include get-sdmgplink, add-sdmgplink and remove-sdmgplink for managing links. In all cases, those cmdlets will default to the PDC emulator DC to make changes.

SDM Software is also getting ready to release a Group Policy backup and recovery product and one of its features will be the ability to backup and recover GPO links!


Tags:

Group Policy, Active Directory, PowerShell, GPMC, Group Policy Links, SDM Software

November 13, 2007

Significant Group Policy Announcement by MS

Yesterday at TechEd in Barcelona, Microsoft made a slew of announcements. And buried in those announcements was the note about Group Policy Preferences. This is the name Microsoft has given to the DesktopStandard PolicyMaker extensions that they acquired last year. The good news is that these extensions are finally going to see the light of day as a free part of the OS when Server 2008 ships!!! This is HUGE because these extensions greatly add to what you can configure via Group Policy. And my understanding is that they will work on XP and above, which means that you get some of these great features without having to upgrade to Vista. In addition to adding support for new policy areas such as mapped drives, mapped printers, ini files, environment variables, shortcut distribution, local users and groups, scheduled tasks, power options, network options and IE settings, they also support much more granular filtering than you could ever get from WMI filters or security groups. This is huge because it means that there will be few things that you can't configure on a Windows desktop using Group Policy!

Microsoft has created a whitepaper that you can download to get more detail on this new feature. This is great news!!! Kudos to the Group Policy team for making this happen!

Tags:

Group Policy

October 05, 2007

The Minasi Forum Meeting

Many of you probably know who Mark Minasi is. Mark's been writing and speaking on Windows for a very long time. Mark is a good friend as well and a really good guy. He maintains a very active Forum, on which I moderate the Group Policy section. If you haven't checked out his forum, I highly suggest it. There are a ton of smart people who lurk there and you'll find sections for just about any technology you can imagine.

For the past two years, Mark has hosted the Minasi Forum Meeting on the East coast of the US. Think of it as a micro-TechEd. It's an opportunity for forum members to meet each other face-to-face and for some of the experts on the forum to teach classes to other members. It's a great opportunity for some serious technical training in an atmosphere that is much more personal than what you find at conferences with thousands of people. I went this year and really enjoyed myself. Well, they're doing it again next year and if you're interested, I highly recommend you visit the forum meeting site and check it out. There is a registration fee, but I think it's some of the best conference money you will spend. The site is at: http://www.minasi.com/forummeet2008


September 24, 2007

More on the removal of GPMC from Vista, SP1

I've received a number of comments and have seen a number of blog postings subsequent to my blog posting about this topic. One of the reasons I mentioned that it was probably not a good idea to have GPMC on every system was that inherently anyone that could read a GPO (which includes any user or computer that can process a GPO) could easily back up those GPOs using GPMC without any special admin privileges. Adam Vero, on his blog, and "Evan", who posted a comment on my blog posting, note that even without GPMC, a regular user who can read a GPO can simply go out to SYSVOL and copy the contents of those folders and accomplish the same thing as a GPMC backup. While I generally agree with this, GPMC makes the process a heck of a lot easier. Don't get me wrong, a truly malicious user within an organization with the skill and the talent can do lots of fun things if they know enough about GPO. As an example, you might want to download the whitepaper I wrote when I was at DesktopStandard entitled, "How Secure is Group Policy?", which details quite a few ways that a properly credentialed user can get around GP.

However, my point was more that GPMC makes it easy for a regular user who is just curious to get information about Group Policy configurations within an organization without a lot of effort. Having access to SYSVOL and the GPT is not exactly an intuitive process, and to get a complete picture, they would also need to access the AD parts of GP, as some settings are stored there as well. In any case, the casual user might just be doing it because they want to be an IT administrator and so they decide to take a backup of the company's GPOs home to play with in their test environment. Yes, they can download GPMC from MS' website and do the same thing, but I think the point is that having it on every desktop machine makes it easier and creates more potential problems than it solves. My general approach is to not install administrative tools (or any code, for that matter) on machines that don't need them, because who knows how they may be used or abused down the line.

So, while this may not be the only good reason to remove GPMC from Vista, SP1, it is, from my perspective, a convenience that reduces the number of things I have to worry about within the desktop environment.

Tags:

Group Policy, GPMC, Vista SP1

September 12, 2007

Group Policy Talks at NetPro's DEC 2008!

For those of you who have been to NetPro's DEC conference, you know that this is just about the best AD and MS Identity Management conference there is. Well, Group Policy is not left out at this year's upcoming DEC 2008 in Chicago (*TGINV!). For the 3rd year in a row, I'll be presenting at DEC--this time it will be 2 sessions on Group Policy. The first session is called "Automating Group Policy" and I'll focus on how you can use scripting (PowerShell & VBScript) to automate the management of Group Policy in your environment. The second session is called "Group Policy Performance". In this session I'll look at some of the design considerations that can affect the performance of GP processing and how you can "design for performance" when it comes to GP.

So, if you're thinking about a conference next year, I highly recommend DEC as a great place to pick up some solid AD and Group Policy knowledge. See you there!


*TGINV: Thank God It's Not Vegas

Technorati Tags

Group Policy, DEC, Netpro, Group Policy Scripting, PowerShell, Active Directory


September 10, 2007

Survey on future of Group Policy

Here's your chance to contribute some input to the future of Group Policy! The Microsoft Group Policy product team asked me to post this. They need input in the next two weeks so if you're so inclined, have at it!


The Microsoft Group Policy team would like to hear from you!  Please take a few minutes and complete the survey on how you use Group Policy to help Microsoft enhance the manageability Group Policy provides to your organization.  The survey can be found at http://www.surveymonkey.com/s.aspx?sm=mosdF9Z6WNKIJ76gL_2bxv4w_3d_3d and is completely anonymous.  The survey will remain open through Friday, September 28, 2007.  Thank you in advance for your time and input!


Technorati Tags

Group Policy

August 31, 2007