MDM & GP Tips Blog

Feb 2015
06

Group Policy Preferences: Powerful *AND* mysterious.

I think the reason that GPPreferences is both heralded and feared, is that … they are both POWERFUL but MYSTERIOUS.

In my GP Training class we spend a WHOLE DAY and then some on the GPPrefs.. because.. of both of their POWER and their MYSTERY.

I found these quickie introductory articles on the GPPrefs and thought I would share them. It’s a three part series.. and a quick read:

Just to put a fine point on it: You’ve already paid for the power of the GPPrefs. But if you don’t know what they can do, or exactly how to use them (without blowing your toes off) you’re missing out.

To get you where you need to go, I humbly suggest my upcoming training class in Salt Lake City Mar 9 – 12.
Get prices and sign up at www.GPanswers.com/training. Discounts available with 4+ people coming.

Remember: Microsoft never goes “backward”.. so this stuff will be valid for Windows 10 when it hits !

Jun 2014
10

Group Policy Settings and Deprecation

In case you’re not familiar with the SAT vocab word deprecate (DEP-ri-kate), in computer terms it means to “spin down” or “take out of service.” So anytime a feature or something isn’t available anymore (or IS still available but shouldn’t be used), that feature is said to have been DEPRECATED.

I got this question from a friend, and thought it was interesting. Here’s the email question and my answer.

Q: Jeremy, have any Group Policy settings been deprecated, and if so, what was the story there?

A: Here’s the inside scoop of Group Policy settings, and the history of deprecation (as far as I know.)

There is no “insider baseball here” and everything here is drawn from public sources. Note: I could have my facts totally wrong here, this isn’t validated in any meaningful way. So, use at your own risk (though there is like.. zero risk here.)

Here’s the “birth” story of any given Group Policy setting:

  1. The Group Policy team itself doesn’t own *MOST* of the settings you find in Group Policy land. I think they do own the ones which pertain to Group Policy client itself, and login scripts and such. Basically if the setting configures “the engine” .. the Group Policy team owns it.
  2. The Group Policy team also own the entirety of Group Policy Preferences, whose editors are hardcoded into DLLs which ship with the GPMC.
  3. Other teams, example, the Shell team own their own ADMX settings. They submit settings to the Group Policy team for inclusion in the windows ship vehicle.
  4. Those settings are cleaned up as needed by the Group Policy team for inclusion into Windows.
  5. Teams are welcome to ship their own ADMX settings outside of Windows, say, APP-V and UE-V which have their own downloadable ADMX settings templates.

As for deprecation of settings .. here’s the “death” story:

  1. The Group Policy team has done a very good job of NOT deprecating *ANY* settings, except for two, which were related to how the Windows 2000 Group Policy engine could operate.
  2. So, said another way, to my knowledge only TWO SPECIFIC ADM/ADMX settings were removed in the history of Windows. (Again: I could be wrong.)
  3. All other settings owned by product teams have survived. Many have undergone NAME CHANGES and/or restrictions.
    1. For instance “Remove Games link from Start menu” might have started off life as “Windows Vista and later” (I think), but has since changed to “Windows Server 2008, Windows 7 and Windows Vista.” (http://screencast.com/t/wYcqfrsKZ) .
    2. And, for instance, “Prevent Access to the Control Panel” has been renamed to “Prevent Access to the Control Panel and PC Settings” (to reflect newness in Windows 8+.)
  4. The “deprecation heard round the world” was Internet Explorer Maintenance settings. Those are actually NEITHER Policy nor Preference. And the way they were killed was strange:
    1. You lost your ability to *PROCESS* IEM settings when the client had IE10 or later.
    2. You lost your ability to *EDIT* IEM settings when your management station got IE10 or later.

So this document came out to help: http://technet.microsoft.com/en-us/library/jj890998.aspx

But that’s it.

In more recent memory, at TechEd 2014 I made a formal announcement of Microsoft’s Group Policy team announcing that they are deprecating Password fields in Group Policy Preferences. That speech is here: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B328#fbid=

And you can learn more about the issue and the remediation here: http://support.microsoft.com/kb/2962486

Mar 2014
18

Bad Advice: Putting too much stuff into you image.

Team:

This week I got a question. I’m paraphrasing it for clarity, but here’s the general gist:

“Hey Jeremy… I got some advice to make things “go faster” by putting as much stuff into my image as possible. What do you think of this advice?”

In short: Good intentions, bad advice.

Here’s my the short and sweet answer: The “more fatter” you make your image, you do save in initial “possible waits” for client machines. That is, if you pre-load all your software, settings, stop services, and so on… then, you’re “mostly done” when that user sits down on Day 1.

But IMHO, it’s not about Day 1. Day 1 will come and go.

It’s Day 2+ you need to be concerned about.

Let’s talk about Day 1:
On day one that user will get his first burst of GPOs, which will “do stuff” to the machine, and if you’re using some software deployment tool (SCCM, GPOs, whatever.) then the software will apply too.

Again: This is still DAY 1.

So, said another way: On Day 1, Mr. User will suffer (a little.)

But then by Day 2 (heck, really even just after the “burst” on Day 1)…
The storm is over.

And, at that point you’ve got the ability to FLEXIBLY MANAGE that machine, instead of hardcoding that machine with un-managable applications, setttings, locked services and so on.

So my general advice (which might not be applicable for ALL cases) is:

– Get the OS.
– Get as many patches as you can.
– Avoid installing software if you’ve got a managed way to deploy and monitor installations.
….and THAT’s your image.

Then drive all flexible changes you can to the desktop and OS using Group Policy (GP, GPPrefs and PolicyPak settings) along with deploying software via your software deployment tool.

Again: This is general advice which won’t work for every org or case. It’s just my opinion after zillions of admins have explained how they want to go from “totally (or poorly) unmanaged” to “totally managed.”

This is the first step in a journey.

We have less than THREE weeks to go for the Public Class in VA/DC. April 7 – 11th. If you’re on the journey from unmanaged to managed.. take that NEXT step and see you in class. Sign up: www.GPanswers.com/training

Thanks and see ya there !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

Jan 2014
12

What's the deal with Skydrive when you've got domain joined Win 8.1 out there?

Two tips about SkyDrive and Group Policy.

Tip #1: Why some users aren’t sync’ing properly to Skydrive

This tip comes from frequent contributor Chris Jaramillo, who always brings it home with nice tidbits. Here’s the tip Chris wrote up (edited only lightly for clarity)

Happy New Year! And since it’s the start of a New Year, it must be time to another GPO related tip.

I recently ran across a scenario where my Domain Joined Windows 8.1 PCs would not properly synchronize SkyDrive content with a Domain User logged in who had been ‘Linked’/’Connected’ to a Microsoft Account. After great weeping and gnashing of teeth, I finally located this article, which pointed to this article, which contained the fix.

The issue is that the Prohibit User from manually redirecting Profile Folders GPO setting prevents the SkyDrive client from properly redirecting and as a result it will not complete its initial configuration and will not sync. Many ‘legacy’ enterprise environments may have this setting Enabled. To fix the problem, the user/admin can simply set this setting back to Disabled or Not Configured. However, that will obviously have impact on Windows Explorer UI for users that have Folder Redirection configured via GPO.

Summary: You can either:

A) prevent manual redirection of Profile Folders

-or-

B) You can automatically sync Windows 8.1 to SkyDrive..

but you can’t have both.

I’m still trying to figure out why our friends at Microsoft would create this scenario. However, at least do have an option to allow Domain users to use Sky Drive, even if it’s not a good option.  I hope that you find this one useful.

Tip #1 from Chris Jaramillo.

Tip 2: How to turn off Skydrive sync (and some other Skydrive GP settings)

In the “I don’t have much to add” category, Greg Shields put together a little article explaining where the ADMX / ADML files are for Skydrive, what those settings are (and what he wishes was there.)

One of those settings DOES kill the WIndows 8.1 <–> Skydrive sync; which might be useful for domain-joined machines.

Here’s the link to the article at RedmondMag.

Oct 2011
03

I'm not perfect

But I do try. 🙂

Sometimes "imperfections" make it into my book. So, with that in mind, I’ve posted a list of the known errata for my Group Policy: Fundamentals, Security and the Managed Desktop book. It’s right here:

https://www.gpanswers.com/books/book-resources/

Also, for item #3, I created a video to show you how it’s done. Check it out here:

http://youtu.be/T6qkKtt0Mjk

Enjoy, Thanks !

Sep 2011
11

Group Policy "Vocabulary"

Let’s take a step back and get some of the terminology of Group Policy down. I find that when I’m talking with IT folks, sometimes they “blur the lines” here and there.

I’m a “precise” kind of guy, so if you are too, hope you’ll enjoy these definitions.

 

() Group Policy: The mechanism in Active Directory which allows administrators to perform
change and configuration management and policy-based management.

() Group Policy Object: This is the “noun” of Group Policy. The “thing” you create which allows you to make the control happen.

() Policy setting: This is one possible setting within a GPO you can perform. For instance, “Prohibit access to the Control Panel” is one Policy Setting.

() Enabled: One of the three usual settings within a policy setting. Enabled means “do this thing at this level.” So if you “Enable” something, you’re saying to “do it.”

() Disabled: Disabled can have several meanings. But usually it means “if set at a higher level, then un-do it.” For instance, if at the Domain Level you ENABLE “Prohibit Access to the control panel” then at the OU level you “Disable” it, you’re effectively reversing the setting.

() Group Policy Preferences: Sometimes called Group Policy Preferences Extensions. In the book I call these GPPEs or GPPrefs for short. GP Prefs are 21 new superpowers which add to the original 18 “in the box” superpowers.

() Item: Any time you create a new “thing” with GP Prefs, you create an “item.” Items can be Shortcuts, drive mappings, ODBC settings and a whole lot more.

() RSoP: Resultant set of Policy. This is the “sum total” of all the settings a user or computer is supposed to get. You can run various tools to see RSoP reports, but not all reports work the way you would expect with the new GP Prefs.

() GPMC: Group Policy Management Console. There are several versions of this tool. The latest works on Windows 7 or Server 2008 R2.

() RSAT: Remote Server Administration Toolkit. Remember “Adminpak” for WS03? RSAT is kinda like the Adminpak, but it works on Win7 or Server 2008 R2 and has the newest GPMC.

() AGPM: Microsoft’s Advanced Group Policy Management tool. It’s an add-on to the GPMC you already know and love. It doesn’t add more “stuff” to the desktop, but adds “Change management” and workflow to Group Policy.

() GPanswers.com: Your secret place to get smarter in Group Policy. Pass it on. (Not everyone is on this super secret newsletter, but if you think they should be, please send them to GPanswers.com where they can just sign up.)

 

This is GP 101.. If you’re ready to take your game to the next level, join us in San Francisco on Dec 5th 2011 for a 5 day intensive GP training workshop!

www.GPanswers.com/training !

Jul 2011
07

Why Local GPOs Matter

I know lots of people who used them, then decided to dump ’em.. only to begin recently using them again.

What gives?

Let’s go back.. way back.. to a time you may not remember. That’s right: a time when your organization DIDN’T have AD. That’s right.

Before Caring about AD.

Or, BC AD.

So, when your world was BC AD, you couldn’t use AD-based GPOs to do all the dirty work for you. That’s because you didn’t have AD. (I do realize that many people grew up only starting with Windows 2000 and newer. And for that, be happy my friends.)

Anyhoo.. that’s when LGPOs were handy. LGPOs, or Local Group Policy Objects were great, because you got the power of Group Policy, but kind of in 1 on 1 sort of way. LGPOs mean that you walk up to a machine and type "gpedit.msc" and edit the Local Group Policy.

When you do — EVERYONE on that machine is affected. Sounds great! Let’s "Prevent access to the Control Panel" for everyone and give everyone the same "Active Desktop Wallpaper." Whee.
Great. Until you realize that when YOU want to log on, you’re stuck without Control Panel and can’t change the desktop background to that Porsche 911 Carerra you always wanted.

So, Vista and Windows 7 have a new trick up its sleeve called MLGPOs, or Multiple Local GPOs. I cover MLGPOs in huge detail in the updated Green book . But, here’s the summary. There are now THREE levels of Local GPOs for that matter.

Level 1: Affects everyone
Level 2A: Affects the person if they’re a Joe User
Level 2B: Affects the person if they’re a local Admin
Level 3: Affects a specific person based on username

So, you see there are three levels. But, there are four lines listed above, because a person can only be a USER *OR* an Admin. Not both.

Therefore, MLGPOs affect "Everyone First" then get more specific as they apply DOWN toward the most specific — the specific person based on username.

Now, if people stopped using LGPOs, do MLGPOs matter? Yep.

Here’s a scenario: imagine you wanted to implement a baseline of setting on your machine. Then, once you make contact and join a domain, you want the AD-based GPOs to override the local settings.

Neat! So now if you machine gets "lost in transit" between your "build shop in the basement" and it’s final destination in Kenya, you’ve at least got some baseline setting built-in. And, provided you set up the AD-based GPOs perfectly, you’ll be able to "revert" the LGPO settings on the machine.

But wait. I have an even better idea. There’s a new policy setting — just for Vista and later. And it’s called "Turn Off Local Group Policy Objects Processing." My suggestion would be to take a GPO and link it to a place in AD where you computers join after the machine makes it to Kenya.

So, the machine makes it to Kenya, safe and sound, but full of Local GPO settings that would usually affect everyone on the machine.

But, now that you’ve set up that special policy setting in the domain, you get a little magic.

The machine joins the domain, and LGPOs are immediately neutralized the moment the machine is joined.

Neat, right ?

Jun 2011
22

Why Group Policy ISN'T SLOW

Last week, I finished giving a Group Policy Master class. In the middle of the class one of the guys asked me "Jeremy, now that we’ve been using GP a little while, and are really embracing GPOs, things are a little bit slower sometimes when new users log on."

And my response might shock you.

I said "Awesome !"

He was a little taken back. And I know why. He thought he had a problem. But he doesn’t. He just missed a key point about how GP works.

Let’s imagine that you wanted to do something a little crazy. And, I know you wouldn’t really want to do what I’m about to describe; it’s just something for us to hang our hats on, okay? So, imagine you wanted to (yikes) re-ACL your entire hard drive. Yep. That’s the directive. Ouch. Again, it’s just theoretical, so go with me here.

So, in simple terms you have a handful of options:

  • Use a startup-script which manually does the deed
  • Manually run a script which does the deed on each machine
    or
  • Use GP to deliver the same set of instructions via the NTFS security node

They all do the same thing, right? Right. And the action they’re taking (the actual
"thing" they’re doing) is kind of slow and painful ,right?

 

So is the GP engine the cause of this "slowdown?" No. It’s the "action" you’re doing. The theoretical re-ACL’ing of the hard drive.

So I was kind of excited when he said that sometimes things are slower because that means he’s actually DOING something with GP. So, I like to say that GP is a "Blame the message, not the messenger" technology.

A little later in the GP 2.0 Catch-up class I showed him how to bust apart Windows 7’s new logging mechanism and see — precisely — how long a "GP Cycle" takes. That way he can be really really sure how long GP was taking to process each step if he wanted to. Heck, it might not even be that anything he’s DOING with GP is even causing the slowdown!

In other words — Group Policy might not be likely to blame AT ALL for any slowdown. By showing him how to "bust apart" the logs, he could see that GP wasn’t taking long at all ! The culprit was, well, something else.

But in any case, the next time you think "Hey, the computer is running a little slowly" take a step back. It means it’s working. (But also consider getting smarter in GP troubleshooting it too, to be 100% sure GP isn’t the culprit !)

Jun 2011
15

Why is Group policy not working ?

This tip is a "blast from the past"… I talked about this some time ago, and bringing it back, as it appears to be a hot topic right now.

Let’s start with Replication Problems.

Remember that a GPO is make up of two halves: the GPC and GPT.

And they get replicated to all DCs. What if one of your DCs isn’t getting the message about the updated GPO? And then, some of your client machines are trying to ask that DC for the latest GPO information.

Right, they get either no information or the wrong information.

So what can you do?

First, try GPOtool. It’s a download from the Microsoft 2003 Resource Kit. It can help you troubleshoot to see if the GPC and GPT are on all of your DCs.

But, here’s another tip: try creating a new user and then using Active Directory Users and Computers to "Change Domain Controllers" and verify that new account "makes it" to all your DCs. That will verify the path of the GPC.

Similarly, try creating a new text file (like a readme file or something) and dropping it into SYSVOL. Then, check out the SYSVOL on all DCs and make sure that readme file "makes it." This will verify the path of the GPT.

If the GPC and GPT are successfully replicating to all DCs (and you’ve verified that replication itself is working A-OK) there are lots of other things to check, which we’ll examine in other tips !

Apr 2011
03

Why you cannot see Site-Based GPOs inside the Inheritance Tab of the GPMC

A fellow reader like you, named Dave King emailed me this screenshot.

Dave asked me a short, sweet question and included a killer screenshot.

First the question, then the screenshot

Jeremy..

If I set a GPO to be applied at the SITE level and it is working fine, and set another at the DOMAIN level and it is working fine…

When I go to the node and look at the applied Policies it shows only the one linked at the DOMAIN level.

What happed to the SITE one?

It is there and working, and when I run a Resultant set of Policy on the node it DOES show the SITE GPO and the DOMAIN GPO.

But it does not show the SITE GPO’s influence on the Node without running the RSOP.

Is there any explanation for this behavior?

Thanks,

*Dave*

First,  Dave, THANK YOU for having this so clearly marked up, expressing exactly what your problem was, and how I can help. This makes the job of helping you MUCH EASIER. (That is to say, if you are looking for a little help, I would please first encourage you to use the GPanswers.com forums.. THEN ask for help.) And if you ARE going to ask for help or look to get a question answered, THIS is exactly how to do it.

Now, lets take a look at the screenshot. (Seriously.. this is the EXACT screenshot I got from Dave. I didn't make these markups.. he did. Thank you Dave !)

AD1

What Dave is witnessing is completely normal. Dave is noticing that Site-Linked GPOs (in this example Hide Screen Saver Option, linked to Default-First-Site-Name) is actually WORKING on the client. He explains this when he tells me that he sees it show up in the RSOP (gpresult /R) report on the client.

Cool.

So the question really is.. Why can't I see it here, in the Group Policy Inheritance tab?

The answer is simple. The GPMC itself cannot know WHO will be in that site at any given time. So, to avoid confusion it won't show site-based GPOs in the Group Policy Inheritance tab.  For instance, lets pretend that Default First Site was really named Detroit. And, lets also pretend that there was a second site named Dublin (either Ireland, or Ohio.)

Now, if there is a GPO linked to Detroit and others linked to Dublin what is the Resultant Set of Policy RIGHT NOW for anyone in the Human Resources OU? Answer? We don't know.

We don't know, because we don't know if we're talking about users in Detroit or Dublin. So, the GPMC Group Policy Inheritance tab simply doesn't show (ie: assume) where the user (or computer) is at that moment.

Therefore, you'll see the GPO in the RSOP reports on the computer (because the computer ITSELF knows where it's at).. but the GPMC simply cannot make any assumptions.

Mystery Solved !

Thanks Dave.. This was a fun one !