08.12.09

Nominate Our GP Products for a Community Award!

Posted in Uncategorized at 8:40 pm by Administrator

HEY GPOGUY & SDM SOFTWARE FANS!! We need your help! Windows IT Pro Magazine is having their COMMUNITY AWARDS NOMINATIONS until this Friday, August 14th. If you like the freeware products we have on www.gpoguy.com and on www.sdmsoftware.com/freeware, please consider nominating your favorite SDM Software or GPOGUY freeware products in the BEST Active Directory and Group Policy PRODUCT category. Let’s show the world that FREEWARE is just as valuable as the commercial products costing thousands of dollars, that typically win these awards.

TO NOMINATE OUR PRODUCTS, GO TO http://windowsitpro.com/awards/CommunityChoice.html.

Remember to vote by this Friday, the 14th of August, 2009!!!!!

07.20.09

Network World covers ActiveX Killbits and SDM Software!

Posted in General Stuff at 8:17 pm by Administrator

I thought this was cool. John Fontana over at Network World did a nice article on the challenges around the recent Microsoft zero-day vulnerabilities and SDM Software and yours truly got a nice mention on Page 2! Cool!

Darren

 

07.16.09

ActiveX Killbits and Group Policy

Posted in Security-related at 9:35 am by Administrator

Recently, Microsoft announced a zero-day vulnerability in IE’s ActiveX video control that required folks to react quickly to prevent exploits of this vulnerability. One of the possible routes for preventing this was to disable the affected ActiveX control in IE using so-called "Killbits" in the registry. This technique is described in general within a Microsoft KB article and specifically for this vulnerability within this document. Essentially, Killbits are a set of registry entries that must be set on a per-computer basis (i.e. within HKEY_LOCAL_MACHINE in the registry) and that set a flag on the GUIDs related to the given ActiveX Control. In the case of the recent video control vulnerability, there were something like 45 GUIDs requiring registry updates.

Someone asked me yesterday if Group Policy might not be a good way to push out these kinds of Killbits changes. And, not surprisingly, my answer was a solid "YES!". Centralized registry change control is, after all, the bread and butter of Group Policy for many enterprises. In this case, there are really two ways to skin this using Group Policy. The most obvious way is to create a custom ADM file (or ADMX for Vista/2008 environments) that hard-codes the registry values in question. You can then add that ADM to a GPO in your AD environment and use it to target computer objects in AD for delivery of the Killbits values. Of course, the downside to that approach is that for any new ActiveX vulnerability that comes along, you have to create a new/modified ADM file with the new GUIDs.

Probably the easier way to handle this is to leverage our good friend, the Group Policy Preferences (GPP) feature that Microsoft introduced with Server 2008. Remember that you don’t need to have Server 2008 running in your environment to use GPP. You just need to have deployed the GPP Client Side Extensions (CSEs) to your XP, Vista and 2003 systems, and then you need one Vista SP1 or Server 2008 machine with GPMC installed to create and manage GPP settings. GPP includes a Registry extension (under either Computer or User Configuration\Preferences\Windows Settings\Registry) that lets you deploy "free-form" registry settings. One of the cool features of this Registry extension is the "Registry Wizard". The Wizard is designed to let you pick a bunch of existing registry values from the registry on a local or remote machine, and those are captured into policy without you having to manually enter anything! So, for example, you could apply the KillBits "Fix-it" package that Microsoft typically provides to a test machine, then use the Registry Wizard to capture those values into a GPO and push them out to all of your desktop machines. The following screenshot shows an example of how this works with GPP and the Registry Wizard:

[Screenshot: Setting GPP Registry Entries for ActiveX Killbits]

When you use the registry wizard in GPP to capture these registry entries, they are defined with a GPP Action type of "Update". This means that if these registry values exist already, they will be modified to conform to the KillBits value you specify. If they don’t exist, they will be created.

GPP provides a great mechanism for managing ActiveX Killbits settings, because they are centrally visible and manageable within the GP UI and you can use Group Policy’s built-in targeting mechanisms and even the more granular GPP Item-Level Targeting, to make sure all of the machines on your network receive the settings.
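To confirm on a client that the GPO actually delivered the Killbits, the check below reads the registry directly. It is an added example, not code from the original post or from SDM Software's tools; the function name Get-KillBitStatus is hypothetical and the CLSIDs are constructed placeholders. It assumes the standard kill bit location (the "Compatibility Flags" DWORD, bit 0x400, under ActiveX Compatibility) and also checks the Wow6432Node view used by 32-bit IE on 64-bit Windows.

```powershell
# Added example: report whether the kill bit is set for each CLSID on this machine.
function Get-KillBitStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Clsid
    )

    $killBit = 0x00000400   # kill bit within the "Compatibility Flags" DWORD
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        # View read by 32-bit IE on 64-bit Windows; absent on 32-bit Windows
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($id in $Clsid) {
            $key    = Join-Path -Path $root -ChildPath $id
            $flags  = $null
            $status = 'KeyMissing'
            if (Test-Path -LiteralPath $key) {
                $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($null -eq $prop) {
                    $status = 'ValueMissing'
                } else {
                    $flags = $prop.'Compatibility Flags'
                    # Other compatibility bits may share the DWORD, so test the bit, not equality
                    if ($flags -band $killBit) { $status = 'KillBitSet' } else { $status = 'KillBitNotSet' }
                }
            }
            [pscustomobject]@{
                Clsid  = $id
                View   = $(if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' })
                Flags  = $flags
                Status = $status
            }
        }
    }
}

# Constructed placeholder CLSIDs; substitute the GUIDs listed in the vendor advisory.
$clsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

# List every CLSID/view pair where the kill bit did not land.
Get-KillBitStatus -Clsid $clsids | Where-Object { $_.Status -ne 'KillBitSet' }
```

Run it from a 64-bit PowerShell host on 64-bit Windows; in a 32-bit host, registry redirection makes both paths resolve to the 32-bit view.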

And of course, if you need to be able to automate reading or writing of these GPP Killbits registry settings, you can do that very easily with our GPExpert(r) Group Policy Automation Engine and Powershell!

 

Tags

Group Policy, ActiveX Killbits

06.19.09

Microsoft releases PolicyMaker to GP Preferences Migration Tool

Posted in Cool New Products at 1:58 pm by Administrator

For those of you waiting patiently to migrate your PolicyMaker settings to the new GP Preferences format, your wait is over! You can now download the migration tool here! And here’s a good blog post on how it all works.

 

Darren

Tags:

Group Policy, Group Policy Preferences, PolicyMaker

06.17.09

What’s Happening in the GP World???

Posted in General Stuff at 3:27 pm by Administrator

Hey Folks. Sorry for the long delay in between postings. Lots going on in Group Policy land and in my own life that has been keeping me busy! But, now that I have some time, I wanted to blog about a few things of note, in no particular order:

  • Thanks to Mike Kline for posting a nice review of SDM Software’s GPO Compare tool, which lets you graphically compare two GPOs for settings differences
  • Just a quick note to let you know that I posted a new tool up at GPOGUY.COM a couple of weeks back. It’s a new Powershell v1 snap-in that does two things. The first is a cmdlet called Get-SDMGPOVersion, which lets you retrieve and show differences between GPO version numbers on a given DC, designed to spot AD and SYSVOL replication inconsistencies within GPOs. I would call it a Powershell version of GPOTool.exe. The 2nd cmdlet in the snap-in is called Invoke-SDMTouchGPO. This is basically a "touch" command for GPOs. What it does is, for a given GPO, it increments the per-computer or per-user version numbers for the GPO. This tricks clients into thinking that "something" has changed within that GPO, and thus will trigger a refresh of the settings within that GPO. Or more specifically, it will trigger a full reprocessing of policy for a given client that is impacted by the GPO that was touched. This came up in a thread that I participated in on the ActiveDir.Org mailing list, and I thought it was worth putting something together. You can download it for free at the GPOGUY.COM Free Tools Site.
  • Working with the folks at Windows IT Pro Magazine, I’ve created a one-day Group Policy Troubleshooting webinar for next Thursday, June 25th. You can get more information and register for it at the link I just provided. It should be a good session. It’s a 3-part training session that covers GP internals and GP processing basics, troubleshooting tools and techniques, and then advanced topics in GP troubleshooting. I’ll be on hand afterwards to answer questions during each session, as well! Check it out and see you there!
  • Finally, I wanted to just call attention to some cool stuff Microsoft did recently in anticipation of the Windows 7 release. As you know, I’ve been a big advocate of enabling automation of Group Policy, primarily through Powershell. Our SDM Software Group Policy Automation Engine was the first product on the market to let you read and write GP settings using Powershell, when it shipped a couple of years ago. Recently the Applocker feature team within Microsoft (Applocker is the new replacement for Software Restriction Policies in Windows 7) announced availability of Powershell cmdlets for getting and setting Applocker policies within a GPO! This is all good stuff and provides a nice complement to what the GP Product team is doing with Powershell and registry settings in Win7. Check it out here: http://blogs.msdn.com/powershell/archive/2009/06/02/getting-started-with-applocker-management-using-powershell.aspx.

Well, enjoy those tidbits and I hope to be back blogging soon!

Darren

05.13.09

Russinovich demos Group Policy cmdlets at TechEd

Posted in General Stuff at 6:01 pm by Administrator

I thought this was cool: http://blogs.technet.com/grouppolicy/archive/2009/05/12/group-policy-at-tech-ed-2009-mark-russinovich-demos-group-policy-powershell-cmdlets.aspx

Mark demo’d Microsoft’s upcoming Group Policy PowerShell cmdlets that will ship with Windows 7 and Server 2008 R2. I think it’s cool primarily because it validates the work we have done at SDM Software over the last couple of years to provide automation for Group Policy, with both our free GPMC cmdlets and our commercial Group Policy Automation Engine. Microsoft is providing something like 25 cmdlets in Windows 7 and Server 2008 R2 that will provide much of the same functionality as our free GPMC cmdlets. In addition, they are providing a set of what I call "teaser" cmdlets for automating a small portion of GP settings. Specifically, they will provide a set of cmdlets to get and set registry policy (i.e. Administrative Templates but without the ADM or ADMX view of the world) and also registry settings through the Group Policy Preferences Registry extension.

The cool part about this is that it gets people thinking about how they can automate the auditing and management of GP settings using Powershell. And when they run out of capabilities with the built-in cmdlets, well our GP Automation Engine will be waiting in the wings to provide the ability to script reading and writing of not just Admin. Template policy, but also Security policy, Software Installation, Folder Redirection, IE Maintenance, Scripts policy and all of GP Preferences.

 

04.22.09

Going to MMS?

Posted in General Stuff at 11:15 am by Administrator

If you’re planning on being at the Microsoft Management Summit next week, I’ll be presenting a Group Policy Troubleshooting session there on Wednesday morning. Stop by and say hi or attend the session or the Birds of a Feather I’ll be doing that evening at around 5:30pm!

Darren

 

Tags: Microsoft Management Summit, Group Policy Troubleshooting

04.14.09

SBS 2008 Group Policy Webinar for Microsoft Partners!

Posted in General Stuff at 3:50 pm by Administrator

Just a quick note to let those of you who are Microsoft partners know that I’m going to be giving a webinar on using Group Policy in Small Business Server (SBS) 2008 on April 24th. Here’s the info on the webinar if you want to register to attend!

Date: 4/24/2009 (Friday)

Time: 9:00-10:00am (PDT)

5W/50 Series – Managing your Desktops using Group Policy in SBS 2008  

In this session we’ll look at the new features available in Group Policy in SBS 2008 that enable you to have improved control over your user’s desktop experience and security.  We’ll look at the new Group Policy Preferences features that provide capabilities such as USB device control, point-and-click drive and printer mapping and control over your computers’ power usage.

Registration:

https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=259635

 

 

See you there!

Darren

Tags:

Group Policy, SBS Server 2008

03.30.09

SDM Software Ships new Group Policy Automation Engine

Posted in sdm software at 5:36 am by Administrator

As I mentioned in a previous post, SDM Software was close to shipping the next version of our GPExpert Scripting Toolkit product, and that has happened! Today we announced the release of the GPExpert(r) Group Policy Automation Engine 2.0. This newly branded and updated product provides a host of improvements and additions over the previous version, most notably the addition of support for Group Policy Preferences automation! Now you can automate almost any aspect of Group Policy management from Powershell or .Net. And not only can you automate the modification of GPO settings, but you can also automate the reading and auditing of settings across GPOs, something that is an incredibly manual process to perform today.

So visit the website and download an evaluation copy today and let us know what you think!

Darren

 

Tags:

Group Policy, SDM Software, Powershell

03.12.09

GPMC Cmdlets Update

Posted in PowerShell at 2:58 pm by Administrator

Just a quick shout-out to let folks know that I posted an update to our SDM Software GPMC Cmdlets on our freeware page. This is version 1.3 and primarily just fixes some bugs including an issue when you tried to get, add or remove site-based GPO links. Enjoy!

 

Tags:

Group Policy, GPMC, Powershell, SDM Software
