MDM & GP Tips Blog

Apr 20, 2011

Charlie Sheen your GPOs . . . Winning !

I'm not going to beat up Charlie Sheen in this blog post.  You'll see where the Charlie Sheen stuff comes into play. Let's get right down to GP bizness.

Let's pretend you have this setup: two GPOs linked to the East Sales Users OU, GPO 111 and GPO 222.

And, let's also pretend that they affect the same policy setting: Remove Games Link from Start Menu.

If we run a Group Policy Results report, we can quickly see that BOTH GPOs (GPO 111 and GPO 222) were correctly applied to the client machine (Win7Computer-32), as seen here.

Now, remember, I've said that GPO 111 and GPO 222 conflict on how they apply the Remove Games Link from Start Menu setting.

So, which one is going to win ?

Well, the quickest way to see the Winning GPO is to run the Group Policy Results report. In my (on purpose) not-too-complex example, we can see that GPO 111 is Winning over GPO 222.

But what if we add something at another level, say the Domain level, and Enforce those settings down?

If the GPO is Enforced, then that GPO should be the Winning GPO, and in my re-run GP Results report example here, that’s precisely what has occurred.

So, in short, the Winning GPO is the one which ultimately gets to express the setting upon the client computer.

If you can't figure out WHY a particular value is appearing on the client, look no further than the GPO that's Winning !!
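The same precedence check from the command line, as an added example that is not code from the original post: Get-GPInheritance already returns the applicable links in precedence order (enforced links from higher up sort ahead of OU-level links), so the Winning GPO for any conflicting setting is the highest-ranked one that configures it. The OU distinguished name is a placeholder for the post's East Sales Users OU; the GroupPolicy module (Windows 7 RSAT / Server 2008 R2) is assumed.

```powershell
# Added example (not from the original post): list the GPOs that apply to an OU
# in precedence order so you can see which one is "Winning" without opening GPMC.
# Assumes the GroupPolicy module; the OU DN below is a placeholder for your domain.
Import-Module GroupPolicy

function Get-GpoPrecedence {
    param(
        [Parameter(Mandatory = $true)][string]$Target   # OU distinguished name
    )
    $inh = Get-GPInheritance -Target $Target

    # InheritedGpoLinks is already in precedence order: rank 1 is applied last and
    # wins any setting it has in common with a lower-ranked GPO. Enforced links
    # from parent containers are ranked ahead of links made directly on the OU.
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Precedence = $rank
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
        }
    }
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked at $Target; only Enforced links from above still apply."
    }
}

# Usage: the East Sales Users OU from the post (placeholder DN, change to yours).
$ou = 'OU=East Sales Users,DC=corp,DC=example'
Get-GpoPrecedence -Target $ou | Format-Table -AutoSize

# Cross-check against what actually landed on the post's client, Win7Computer-32:
# an RSoP report (needs admin rights on that machine and the default report path).
Get-GPResultantSetOfPolicy -Computer 'Win7Computer-32' -ReportType Html -Path "$env:TEMP\rsop-Win7Computer-32.html"
```

If the table's Precedence 1 entry is a Domain-linked GPO with Enforced = True, that is the "Enforce those settings down" case from the post.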

Mar 23, 2011

Windows Group Policy vs. Logon Scripts. What's the right option?

I thought I would tip the hat this week to a Microsoft Premier Field Engineer who attempts to answer the age-old question:

Windows Group Policy vs. Logon Scripts. What's the right option?

Since, in a previous blog post of mine, I demonstrated why I personally feel Group Policy has the advantage, I thought I would share a balanced rationale I recently found on why one might want to use the built-in AD Users and Computers, versus Group Policy, for logon scripts.

Here's the link to his article. Enjoy.

https://blogs.technet.microsoft.com/mspfe/2011/03/15/windows-group-policy-vs-logon-scripts-whats-the-right-option/

PS: My remaining seats in my April 11-14th Denver class are melting away like snow on a warm spring day. Don't wait if you're still interested. Confirm your seat TODAY by using www.GPanswers.com/training and signing up online, or call 302-351-4903 and Diane will help you with a PO. Discounts for large teams !

Feb 28, 2011

Showing and Hiding Scripts using Group Policy

This came up today with a group of new friends I met in Wisconsin at a K12 education conference.

Someone asked, "How can I prevent people from stopping login scripts as they run?"

I thought about this for a second, and realized he was using Active Directory Users and Computers and running an old-school script like this.

It was an easy fix. Simply start using Group Policy Scripts, which can be found under User Configuration | Policies | Windows Settings | Scripts (Logon/Logoff).

Doing it this way, logon scripts run hidden, so users have nothing to close. If you DID want to run Logon Scripts visible, you would need to enable User Configuration | Policies | Administrative Templates | System | Logon/Logoff | Run Logon Script Visible.

Hope that helps !

Jan 24, 2011

How to Schedule a GPO to Fire Off within certain time blocks

Thanks to GPanswers.com member Bart for the meat of this tip !

You might have a situation where you want GPOs to apply to a collection of computers but only within certain time blocks.

Sure, you could manually link and unlink the GPO when the proper times come. But you're too busy for that.

Instead, use PowerShell, and automate the task!

First things first. Make sure the policy refresh interval on the workstations is set small enough to apply the activated GPO settings during the times you want. Normally, computers update every 90 to 120 minutes. To use this tip, you might want to tighten up the refresh interval just for this collection (like a Training room OU or Kiosk OU or something). I wouldn't recommend you do this for your whole population. Do this using the policy setting located at "Computer Configuration | Administrative Templates | System | Group Policy | Group Policy refresh interval for computers."

Where this came in handy was to activate and deactivate additional (outgoing) firewall rules specifically for a classroom setup for specific classes.

To use, simply set up a scheduled task to LINK and UNLINK the GPOs as needed.

To Enable:
Powershell -importsystemmodules -command "& {Set-GPLink -Name 'GPO_Computer_Classroom Outgoing Firewall' -Target 'ou=classroom,ou=computer management,dc=yourdomain,dc=local' -LinkEnabled Yes}"

To Disable:
Powershell -importsystemmodules -command "& {Set-GPLink -Name 'GPO_Computer_Classroom Outgoing Firewall' -Target 'ou=classroom,ou=computer management,dc=yourdomain,dc=local' -LinkEnabled No}"
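A slightly sturdier version of the two commands above, as an added example that is not Bart's or the post's own code: one script that only touches the link when its state actually differs (so repeated task runs are harmless and the log shows real changes), plus the one-time schtasks commands that call it. The GPO name and OU are the tip's placeholders; the script path, service account and class times are assumptions.

```powershell
# Added example (not the original tip's code). Save as, e.g., C:\Scripts\Set-ClassroomGpoLink.ps1.
# Assumes Windows 7 / Server 2008 R2 with RSAT and the GroupPolicy module.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Yes', 'No')][string]$LinkEnabled,
    [string]$GpoName  = 'GPO_Computer_Classroom Outgoing Firewall',
    [string]$TargetOu = 'ou=classroom,ou=computer management,dc=yourdomain,dc=local',
    [string]$LogFile  = "$env:ProgramData\ClassroomGpoLink.log"   # assumed log location
)
Import-Module GroupPolicy

function Set-GpoLinkState {
    param([string]$Name, [string]$Target, [string]$Enabled, [string]$Log)

    # Read the current link state first: the task can then run as often as you
    # like, and the log (and the AD change history) only records real changes.
    $link = (Get-GPInheritance -Target $Target).GpoLinks |
            Where-Object { $_.DisplayName -eq $Name }
    if (-not $link) { throw "GPO '$Name' is not linked to '$Target'." }

    $wantEnabled = ($Enabled -eq 'Yes')
    if ($link.Enabled -eq $wantEnabled) {
        Add-Content $Log "$(Get-Date -Format s) no change: link already Enabled=$wantEnabled"
        return $link
    }
    $result = Set-GPLink -Name $Name -Target $Target -LinkEnabled $Enabled
    Add-Content $Log "$(Get-Date -Format s) link set Enabled=$($result.Enabled) by $env:USERNAME"
    return $result
}

Set-GpoLinkState -Name $GpoName -Target $TargetOu -Enabled $LinkEnabled -Log $LogFile

# One-time setup (run once, elevated). DOMAIN\gpo-svc is an assumed account that
# has rights to edit links on the classroom OU; 08:00 / 16:00 are assumed class hours.
#   schtasks /Create /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 08:00 /TN "Classroom GPO link on" ^
#     /TR "powershell.exe -NoProfile -File C:\Scripts\Set-ClassroomGpoLink.ps1 -LinkEnabled Yes" /RU DOMAIN\gpo-svc /RP *
#   schtasks /Create /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 16:00 /TN "Classroom GPO link off" ^
#     /TR "powershell.exe -NoProfile -File C:\Scripts\Set-ClassroomGpoLink.ps1 -LinkEnabled No" /RU DOMAIN\gpo-svc /RP *
```

Keep the account that runs the task limited to link rights on that OU; it does not need to edit the GPO itself.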

PS: For more information: the PowerShell cmdlets for managing GPOs come with Windows 7 and W2k8-R2. For an overview of all GPO cmdlets, have a look at the TechNet site: http://technet.microsoft.com/en-us/library/ee461027.aspx

Jan 16, 2011

Lockdown PCs -- Hard. With Windows 7 -- Easy.

The Lockdown Question

"Hey Jeremy, what's the best way to lock down my Windows machines?" I hear this question dozens of times a year from students who are sitting down at the first day of my Group Policy training workshops. They are often very eager to get right down to business and wrestle this particular problem to the ground, because they know that when they go back to their offices and implement what they're about to learn, their environment will be more predictable and more secure.

See, I know we all feel it would be best if our pesky users would just stop playing with stuff within Windows, their applications and on their desktops.

And, sure, that's part of the art of desktop lockdown. But my suggestion would be to look at desktop lockdown from a holistic and incremental approach. There's no one best way to lock down your Windows machines.

But what is true is that the technologies built into Windows 7 have enabled more control than ever, across a wide variety of situations. Let's explore some of my favorite ways to get started with desktop lockdown, then I'll give you some tips on how to expand your controls as you need to.

Lead with Group Policy and Group Policy Preferences

This pair of technologies is arguably the most powerful arrow in your quiver. Using Group Policy, you can restrict a user from some of Windows' most tempting locations such as the Control Panel, desktop, Start Menu, Task Bar and more. Once a GPO is created, most of these settings are found within the User Configuration | Administrative Templates section. There are way too many settings to review here, but I would encourage you to poke around, take stock of the ones that are most interesting to you, then try them out in your test lab — before rolling out into production.

When performing lockdown tests, I would suggest that you use two people, a Designer and a Tester. The Designer should set up the Group Policy settings and lockdown tests, then the Tester would validate the tests and try to wiggle around the Designer's intentions. Using two people during testing ensures good feedback. One person always validates the other.

As you're working through your testing, do note that some policy settings are reliant upon other policy settings being enabled, or other conditions being set or present on the client machine, before you actually see the result you're expecting. So again, having a Designer design and a Tester test helps make sure the settings you want to achieve have actually occurred on the client machine.

Group Policy Preferences also enable you to deliver desktop settings. Though not specifically designed for desktop lockdown, they can be helpful in guiding users away from temptation and toward standardization.

Caption: The Group Policy Preferences can implement IE settings

Sometimes what the doctor ordered is a blend of both Group Policy and Group Policy Preferences. For instance, you might want to use Group Policy Preferences to set a particular setting, plus use Group Policy controls to lock down certain areas of IE.

This is an advanced skill, which takes a little practice and patience. But with enough time, you'll find the right balance using the two.

I would also suggest that you check out a favorite document of mine, entitled Group Policy Settings for Creating a Steady State, which has literally dozens of ideas to help you get started.

Focus, then Expand

So, going back to my students who ask me, "Hey Jeremy, what's the best way to lock down my Windows machines?" As you can tell, I love to lead with the core lockdown, starting with Group Policy and Group Policy Preferences, then expand outward using additional Windows 7 technologies.

If you're looking for more hard-core controls, you might want to consider checking out the recently published document from Microsoft entitled Creating a Steady State by Using Microsoft Technologies.

Inside you'll discover some extra ideas you can try out, such as mandatory profiles, working with AppLocker to prevent applications from running, and even wiping back the hard drive of a machine every night!

We've just scratched the surface. Additional specific tips and tricks on desktop lockdown are a common feature in my GPanswers.com Tip of the Week. You can sign up for the free tip of the week at https://www.gpanswers.com/register. You can also get hands-on experience with Group Policy and desktop lockdown in my in-person or online-based Group Policy Master Class at www.GPanswers.com/training.

BIO:

Jeremy Moskowitz, GPanswers.com and PolicyPak.com

Jeremy Moskowitz is a Group Policy MVP, the Chief Propeller-Head for GPanswers.com and Founder of PolicyPak, which makes software to increase desktop lockdown using Group Policy. Thousands of IT professionals have taken his Group Policy training. GPanswers.com was ranked as one of “The 20 most useful Microsoft sites for IT professionals” by ComputerWorld magazine. Jeremy is also a STEP member.

Dec 17, 2010

Google Chrome-MSI and ADMX files

This is a short and a sweet one. Sort of.

Google has announced an MSI file for deploying their Chrome browser, en masse, to your PCs.

How?

Well, they've got an MSI now. And you can use, say, your favorite software distribution mechanism, like... oh, gosh, I don't know... the in-the-box-and-widely-under-used Group Policy Software Installation ?

Check out the link here. Now, before you DO, I suggest you read onward.

http://www.google.com/apps/intl/en/business/chromebrowser.html

The trick appears to be that, while the MSI is available to anyone, I'm actually NOT SURE if anyone (everyone) is allowed to use it unless they're a Google Chrome for Business company. I clicked on the link to download the MSI, and saw a huge EULA in front of me. I copied and pasted it into Word (take THAT, Google Docs !) and it was a whopping 13 pages and 6,553 words.

Ohkay.

First things first: Item 1.3 in the EULA has a double-word typo, as in "1.3 Your agreement with Google will also include the the terms". I'm not above typos myself, but then again, I don't have 11 billion lawyers working for me.

Next... I did try to buzz through the document looking for words like "Customer" and other such stuff to help me learn what the scoop is. But I really can't tell if I'm allowed to use it. Honestly, this isn't my area of expertise, so I don't have direct advice on whether or not it's legal, quasi-legal, or totally illegal to use this MSI if you're not a Google Chrome for Business member. I guess I could contact Google Sales, and maybe they'll get a hold of me.

But, if you KNOW the answer, then just email me, and I'll post a follow-up.

Part II of this little story is that there are also ADM and ADMX/ADML files.  Once you put the ADM, ADMX & ADML files in the right place, you're cookin' with gas and configuring Chrome a-go-go.

The link to THAT is here:

http://www.google.com/support/a/bin/answer.py?hlrm=en&answer=187945

Interesting stuff.

That's it for now.

PS: Learn how to deploy MSI files, upgrade them, manage them, patch them, revoke them and more.  Learn how to manage ADM, ADMX and ADML files and not shoot yourself in the foot or blow up your network.

I still have the <bleep>-ing discount going for my GPanswers.com Home Study Course – Silver Kits. Gotta email me for the <bleep>-ing discount code.

Check out my Group Policy training with the Online University here:

https://www.gpanswers.com/training/sign-up-now-online/

Talk soon!

Nov 30, 2010

Using Powershell to find Group Policy Strangeness

Do you have any GPOs which are “not doing anything”? If so, why?

If you have zillions of GPOs, here’s a quick cleanup tip.

Use a Windows 7 machine and PowerShell to quickly find all GPOs which have all their settings disabled.

Here's an example GPO with all the settings disabled.

Sure, you COULD click on every stinkin' GPO you have in your domain.

-OR- you can use PowerShell to quickly get to the bottom of things.

1. On a Windows 7 machine, open a command prompt.

2. Type "Powershell" (no quotes.)

3. Type Import-Module GroupPolicy

4. Type the command you see here: Get-GPO -All | Sort-Object GpoStatus

The ones with AllSettingsDisabled will bubble up to the top.

All the PowerShell propeller-heads are rolling their eyes right now, because they know there's a cleaner way to produce this output showing ONLY the ones that actually match the GpoStatus of AllSettingsDisabled.

Yes, yes, you purists...

Here's how to do it:

Get-GPO -All | Where-Object { $_.GpoStatus -eq 'AllSettingsDisabled' }
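Going one step further than the one-liner, as an added example that is not the post's own code: a GPO with all settings disabled that is still linked somewhere is the "strangeness" worth chasing (it processes on every refresh and does nothing), while an unlinked one is probably just parked. This report pulls each disabled GPO's links out of its XML report; it assumes the same Windows 7 / RSAT GroupPolicy module setup as the steps above.

```powershell
# Added example (not code from the original post): report every GPO whose status
# is AllSettingsDisabled together with where it is still linked.
# Assumes a Windows 7 / Server 2008 R2 machine with RSAT and the GroupPolicy module.
Import-Module GroupPolicy

function Get-DisabledGpoReport {
    $all = Get-GPO -All

    # Census of every status value first (the enum compares by name, so the
    # string 'AllSettingsDisabled' works in -eq and in Group-Object output).
    $all | Group-Object GpoStatus | Select-Object Name, Count | Out-Host

    foreach ($gpo in ($all | Where-Object { $_.GpoStatus -eq 'AllSettingsDisabled' })) {
        # The XML report lists one LinksTo element per link, with SOMName,
        # SOMPath, Enabled and NoOverride (= Enforced) children.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ })
        [pscustomobject]@{
            Name      = $gpo.DisplayName
            Id        = $gpo.Id
            Modified  = $gpo.ModificationTime
            LinkCount = $links.Count
            LinkedTo  = ($links | ForEach-Object { "$($_.SOMPath) (Enabled=$($_.Enabled))" }) -join '; '
        }
    }
}

# Linked-but-disabled GPOs float to the top; LinkCount 0 means "parked, not strange".
Get-DisabledGpoReport | Sort-Object LinkCount -Descending | Format-Table -AutoSize
```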

Hope this helps you out!

Oct 19, 2010

How to use Group Policy to control Services

Guest post by Alan Burchill (Group Policy MVP) from the Group Policy Center

Services are programs that are configured to run in the background of a Windows computer whether or not there is a user logged on. They are an essential part of Windows and are essential to the operation of any Windows computer. Without services, a computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows Services is a vital task for IT administrators.

Quite often, disabling services on a computer is the best way to reduce the attack surface of a computer or to improve performance by turning off unused components of the OS. Conversely, it is also very important to have the ability to turn on services to enable certain functionality, or to ensure that certain services are not turned off.

Below I will go through the two ways you can control services in Windows by using Group Policy. Each way has its own advantages and disadvantages, but together you can pretty much control any system service the way you want.

In the examples below I am going to show you how to enable the Applications Identification service, which is required to be enabled to make AppLocker work in Windows 7.

Using Group Policy to configure a Service

Ever since Group Policy was introduced in Windows 2000, you have been able to configure some aspects of services using native Group Policy.

Now that you can control services using Group Policy Preferences, there are only two reasons that you would still want to use this method:

  1. You want to control services on Windows 2000 or a computer that does not have the client side extensions installed.
  2. You want to configure the security so that non-administrators can start, stop and pause the service.

Step 1. Edit a computer Group Policy Object that is targeted at the computer that you want to configure

Step 2. Select the services that you want to configure.

Note: If the service that you want to configure is not present in the list, you will need to install GPMC on a computer that has the service running. This is a painful restriction of controlling services this way and

Step 3. From the menu, click on Action > Properties, then tick Define this policy setting and then configure the service startup mode to what you want it to be.

Step 4. If you click on the Edit Security button, you can also configure who has control over the service. This would be useful if you want to give end users the ability to start and stop specific services. Tip: Tick Start, stop and pause for INTERACTIVE if you want the logged-on user to control the service.

Now that you have configured the service via Group Policy, you will need to reboot the computer for the new startup mode to take effect. This means that if you are disabling a service, it will not stop until your next reboot, which could be many days, weeks or even months after you made the policy change.

Using Group Policy Preferences to configure a Service

The newer, and almost always better, way to configure a service is to use the Group Policy Preferences Services options. As opposed to the native method, which only allows you to control the startup mode and security of a service, preferences allow you much greater control.

The only reasons you would not want to use Group Policy Preferences to control services are:

  1. You need to configure the startup mode of a service on a computer running Windows 2000 or one that is not running the client side extensions.
  2. You want to be able to configure the security to allow non-admins to start, stop or pause the service.

Always remember that when you do configure a service startup mode using the native method, this will take precedence over Group Policy Preferences, and you can use the native security options in conjunction with preferences.

Step 1. Edit a computer Group Policy Object that is targeted at the computers on which you want to control the service.

Step 2. Navigate to Computer Configuration > Preferences > Control Panel Settings > Services

Step 3. In the menu click on Action > New > Service and now click on the button next to the Service Name field.

Note: From here you can either type the service name into the Service Name field or click on the button to choose the service from a predefined list of services.

Step 4. Select the service name that you want to configure and then click Select.

Step 5. Now you can configure the Startup mode from the Startup mode drop down box and you can configure a service action.

The Service Action will take place each time there is a Group Policy refresh, so you do not need to wait for the computer to reboot for the latest startup mode to take effect. This can also be handy if you want a service to start again after it crashes, or if you have a pesky service that requires restarting on a regular basis to keep running properly.

Step 6. Click on the Recovery tab to configure the recovery options of the service as you would configure in the service control panel.

Step 7. As this is a preference, you can also configure the standard Common options, such as item-level targeting, which allows you to granularly control which computers this setting targets.

As you can see, with the combination of Group Policy Preferences and the native policies there is nothing you can't configure on your system services. Enjoy!
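The Tester's half of the job, as an added example that is not part of Alan's post: after a refresh, confirm on the client that the service has the startup mode the policy set, and check from the service's security descriptor whether INTERACTIVE (the logged-on user from Step 4 of the native method) really holds Start/Stop/Pause. It assumes AppIDSvc is the short name of the Application Identity service the post enables for AppLocker, and that sc.exe is on the path (Windows 7).

```powershell
# Added example (not part of the original post): verify a service's startup mode
# and the rights granted to a trustee, read from the live security descriptor.
# Assumption: AppIDSvc = the Application Identity service used by AppLocker.
function Test-ServiceControl {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$ExpectedStartMode = 'Auto',   # Win32_Service reports Auto / Manual / Disabled
        [string]$TrusteeSid = 'IU'             # SDDL abbreviation for INTERACTIVE
    )
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found on this machine." }

    # 'sc.exe sdshow' prints the service's security descriptor in SDDL, e.g.
    # D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)
    # Service rights of interest: RP = START, WP = STOP, DT = PAUSE_CONTINUE.
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    $granted = @{}
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee). Rights are
    # two-letter codes; an ACE written as a hex mask would not match and is skipped.
    $aceRegex = '\(([AD]);[^;]*;([A-Z]*);[^;]*;[^;]*;([^)]+)\)'
    foreach ($m in [regex]::Matches($sddl, $aceRegex)) {
        if ($m.Groups[3].Value -ne $TrusteeSid) { continue }
        $isAllow = ($m.Groups[1].Value -eq 'A')
        $rights  = $m.Groups[2].Value
        for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) {
            $r = $rights.Substring($i, 2)
            if ($isAllow) {
                if (-not $granted.ContainsKey($r)) { $granted[$r] = $true }
            } else {
                $granted[$r] = $false      # an explicit deny wins over any allow
            }
        }
    }
    [pscustomobject]@{
        Service      = $Name
        StartMode    = $svc.StartMode
        State        = $svc.State
        StartModeOk  = ($svc.StartMode -eq $ExpectedStartMode)
        UserCanStart = [bool]$granted['RP']
        UserCanStop  = [bool]$granted['WP']
        UserCanPause = [bool]$granted['DT']
    }
}

# Refresh first so you are testing the policy that just applied, not the old state.
# (The native startup-mode setting still needs the reboot the post mentions.)
gpupdate /target:computer /force | Out-Null
Test-ServiceControl -Name 'AppIDSvc' -ExpectedStartMode 'Auto'
```

UserCanStart/UserCanStop both True means the INTERACTIVE tick from Step 4 landed; if only StartModeOk is True, the preference applied but the native security edit did not.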

This post was originally posted here http://www.grouppolicy.biz/2010/08/how-to-use-group-policy-to-control-services/

Oct 18, 2010

Office 2010: Group Policy Deployment Bonanza

I’m not exactly sure why.. but sometimes Microsoft goes on a little jag about something. They get a particular bee in their bonnet, then BLAMMO! Tons of stuff on one focused topic comes out, all at once, just overwhelming us.

Well, this kind of just happened recently. And NO, I’m not talking about “Windows 7 Phone Mobile System 7 Mobility Solution for Mobile Phones” … or whatever-the-heck-it’s called.

I’m talking about Office 2010. And, specifically, deploying that big ‘ol beast using Group Policy.

I do cover how to deploy Office 2010 (and Office 2007 for that matter) in my big green book (www.GPanswers.com/book) but it’s also true Microsoft has made some newly available docs which give some extra oomph to dealing with that rollout.

PS: If you’re coming to my Chicago class NEXT WEEK, then GOOD NEWS !    I’ve decided to put my working gloves on, and POOF ! Now, you’ve got a brand new “unannounced” extra bonus lesson with hands-on labs for “Office 2010 + Group Policy = Deployment !” So, see you there. (Two seats left, by the way… https://www.gpanswers.com/training if you want to claim ’em.)

If you can’t make it to Chicago, here are the “self help” resources I talked about.

() TechNet Magazine Auto Deploy Office 2010 with Free Tools:
http://technet.microsoft.com/en-us/magazine/ff956190.aspx

() Deploy Office 2010 by using Group Policy computer startup scripts
http://technet.microsoft.com/en-us/library/ff602181.aspx

() For IT professionals: Group Policy for Microsoft Office 2010
http://tinyurl.com/23g8txf

() Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool
http://technet.microsoft.com/en-us/library/cc178992.aspx#section8

I do gotta say “Thanks Microsoft.”  Having to slog through without the docs (even, heck.. WITH the docs) out on your own is PAINFUL. Really. But these newer docs do ease that pain a little bit. I know people are hep on trying to roll out Office 2010.. and it isn’t easy.

Hopefully these docs help you make the magic happen. Until next time !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

Oct 10, 2010

ADMX Overlap

By now you saw the video related to this blog posting. If you haven’t yet, then STOP, watch this, then come back here:

http://tinyurl.com/admx-overlap-video

Okay. Now that you understand the “ADMX overlap” issue a little more, here’s the EXACT list of files that are exclusive to each operating system. So, if you want to have “100% of it all” be sure to copy up ONE operating system’s ADMX files, then hunt the rest of these down, and also put them in the Central Store.

(For more information on the Central Store, I would suggest my live or GP Online University Training course. Just click Training | Get Training and check it out.) Here’s the list:

Server 2008 R2 “only” ADMX / ADML files:

  • Adfs.admx
  • GroupPolicyPreferences.admx
  • Group Policy-Server.admx
  • Kdc.admx
  • MMCSnapIns2.admx
  • NAPXPQex.admx
  • PowerShellExecutionPolicy.admx
  • PswdSync.admx
  • ServerManager.admx
  • Snis.admx
  • TerminalServer-Server.admx
  • WindowsServer.admx

Windows 7 “only” ADMX files:

  • DeviceRedirection.admx
  • Sdiagschd.admx
  • Search.admx