Group Policy Blog by Darren Mar-Elia (The “GPOGUY”)
The Virtues and Vices of GPO Deny ACEs
Someone asked me recently what I thought of using Deny ACEs on GPOs for security group filtering. First, a little background. As you probably know, you can control which users and computers will process a particular GPO by using security filtering on that GPO. The...
iPads in the Enterprise—running Windows
Saw this site put up by Citrix today--www.ipadsatwork.com. I thought it was an interesting approach--pitching iPads in the enterprise by making the iPad a glorified dumb terminal, via the Citrix Receiver, for accessing your Windows desktop and apps. While I agree that...
Performing Bulk GPO Renames
Someone recently asked about the best way to perform bulk GPO renames. Of course, there are probably many reasons why you would want to do this (e.g. moving to a standard naming convention, cleaning up mis-named GPOs, etc.) but for my money, there is one technology...
Find Group Policy (GPO) Setting Conflicts using PowerShell
This is my 2nd blog post around using the PowerShell features in the two products of SDM Software's GPO Reporting Pak. In this post, I'll talk about the GPO Exporter product, which, as the name implies, lets you export Group Policy settings. The cool thing about the...
Get to “Best Privilege” on Windows Desktops
I recently wrote a whitepaper for my friends over at BeyondTrust that talks about the challenges and choices of trying to get to what I call "Best Privilege" on Windows desktops. The idea here is that a secure Windows desktop is one in which the user is not an...
Comparing Group Policy (GPO) Settings from PowerShell
One of the cool things we added in the new version of GPO Compare 2.0 was support for a PowerShell interface. GPO Compare 2.0 is all about letting you compare GPO settings across two live or backed up GPOs. The PowerShell interface lets you perform these comparisons...
Disabling Print Screen through Group Policy
Recently someone asked if it was possible to disable the print screen functionality on their keyboard through Group Policy. My initial response was that I had never seen a policy setting to do this, and indeed I figured that you would need to do some low level...
VDI Skepticism
In a bit of a departure from my normal Group Policy banter, I wanted to talk a little bit about VDI, or Virtual Desktop Infrastructure. Like most things around virtualization, there's a ton of hype about the promise of virtualizing desktops. Companies are starting to...
Using GP Preferences to protect against the zero-day shortcut vulnerability
Microsoft recently announced a new security vulnerability in Windows shortcuts that affects all versions of Windows since XP! It's referenced here: https://support.microsoft.com/kb/2286198. This particular vulnerability takes advantage of the icon that appears in...
Backing up and restoring the Local GPO
Some of you may have seen a Twitter post I did a while back letting folks know about the Security Compliance Manager, which is a tool from Microsoft that lets you manage, edit, report, search and export security templates and baselines. This tool is pretty cool, but...
