MDM & GP Tips Blog

Jul 2011

Group Policy: Talk is Cheap

If you haven’t yet used the updated GPMC’s "Comments" feature, it’s pretty neat. The idea is that you can attach a comment to a GPO about, say, who created it, who supports it, and what it’s supposed to be doing.

But something came up in my last class that I was teaching and I thought was neat and I wanted to share with you.

Someone wanted to know how they could create a comment ONE TIME, then "recycle" that comment to other GPOs.

So, imagine I had a comment in a GPO which says: "Mean Man Moskowitz made me make this GPO." And then imagine that comment could apply to multiple GPOs.

But how do you reproduce the comment over and over again?

Turns out: it’s short and sweet. And no scripting or programming required.

The comment is stored in the GPT (SYSVOL) portion of the GPO, in a file called "GPO.CMT" in the root of the GPO’s {GUID} folder.

Just copy that file to ANOTHER GPO’s GPT (that’s the portion that lives in SYSVOL) and... whamo!

You’ve copied the comment.

I don’t know if this is "officially sanctioned" or not, but it worked when I tested it. So, use at your own risk, I guess.
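Here is the same file copy done with the Group Policy cmdlets resolving the GUID folders for you. This is an added example, not code from the original post; it assumes the GroupPolicy module (RSAT on Windows 7 / Windows Server 2008 R2), write access to the GPT folders in SYSVOL, and the GPO names shown are made up.

```powershell
# Added example, not from the original post: automate the GPO.cmt copy described above.
# Assumes the GroupPolicy module (RSAT on Windows 7 / Windows Server 2008 R2) and that the
# account running it can write to the GPT folders in SYSVOL.
Import-Module GroupPolicy

function Get-GptCommentPath {
    # Build the UNC path of GPO.cmt in the GPO's GPT folder (Policies\{GUID} under SYSVOL)
    param($Gpo)
    $domain = $Gpo.DomainName
    return "\\$domain\SYSVOL\$domain\Policies\{$($Gpo.Id)}\GPO.cmt"
}

function Copy-GPOComment {
    param(
        [Parameter(Mandatory = $true)][string]$SourceGpoName,
        [Parameter(Mandatory = $true)][string[]]$TargetGpoName
    )
    $source    = Get-GPO -Name $SourceGpoName
    $sourceCmt = Get-GptCommentPath -Gpo $source
    if (-not (Test-Path -Path $sourceCmt)) {
        throw "'$SourceGpoName' has no GPO.cmt; add a comment in GPMC first."
    }
    foreach ($name in $TargetGpoName) {
        $target    = Get-GPO -Name $name
        $targetCmt = Get-GptCommentPath -Gpo $target
        Copy-Item -Path $sourceCmt -Destination $targetCmt -Force
        # Read the comment back through the cmdlets: the Gpo object's Description
        # property is the text GPMC shows in the Comment box
        $check = Get-GPO -Name $name
        "{0}: {1}" -f $check.DisplayName, $check.Description
    }
}

# Usage (GPO names are made up for this example)
Copy-GPOComment -SourceGpoName 'Template GPO' -TargetGpoName 'Sales Lockdown', 'Marketing Lockdown'
```

Two things to keep in mind: writes to SYSVOL replicate to the other DCs, so do this against the PDC emulator like GPMC does, and if you would rather stay inside the cmdlets entirely, the `Description` property of the object `Get-GPO` returns is settable and maps to the same comment.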

Jun 2011

Group Policy and backups using Powershell

My pal and fellow MVP Jeff Hicks noticed something. The Group Policy PowerShell cmdlets have Backup-GPO and Restore-GPO (seen here…)


But there was no way to get at the "Manage Backups" functionality that you can otherwise only reach within the GUI.


So he created it. You can see Jeff’s interesting blog post about using PowerShell to get to this part of the world here:

Also, I wanted to say THANKS to the folks who showed up for my "Secret Group Policy Meetup" at TechEd.

We got to the bottom of some sticky issues for those who attended and had a really fun overall "rap" session.

We even had several guest stars: Aaron Margosis (Microsoft Technical Services and fellow TechEd speaker), Thorbjorn Svolvold (Group Policy big-brain from Specops Software), and Zach Alexander from the Group Policy team at Microsoft. Thanks, everyone, for attending!

Photo credit: Takayuki Shodai, also in attendance but not shown, since he’s taking the picture. Thanks, Takayuki!


May 2011

Time . . Is of the Essence !

I ran GPUpdate today on one of my Windows 7 machines and got this...


It's kind of a mouthful, but here's the short, sweet story.

Group Policy relies on Kerberos authentication to the domain controller, and Kerberos relies on the clock. If the clock on your client and the clock on your DC are skewed by more than the allowable value (5 minutes by default, set by the Kerberos policy "Maximum tolerance for computer clock synchronization" in the Default Domain Policy), the client can't get tickets and won't process GPOs correctly!

So this warning is saying: my clock is off versus the domain controllers'.

No problem. Usually a reboot fixes this kind of thing, or it fixes itself once the Windows Time service resyncs.

But one of the key troubleshooting steps for GPOs is to VERIFY that your client's time is within 5 minutes of your DCs' time.

Do this, and you're off and running (sometimes).
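A quick way to do that verification from the client itself, as an added example (not from the original post): read the DC's clock over WMI and compare it with the local clock. It assumes RPC/WMI access to the DC and uses the default 5-minute Kerberos tolerance; the DC defaults to the one in $env:LOGONSERVER, which is the DC that authenticated this machine.

```powershell
# Added example, not from the original post: check this client's clock against the DC that
# logged it on, using WMI. Assumes RPC/WMI access to the DC; the 5-minute default comes from
# the Kerberos policy "Maximum tolerance for computer clock synchronization".
function Test-KerberosClockSkew {
    param(
        [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),
        [int]$MaxSkewMinutes = 5
    )
    # Win32_OperatingSystem.LocalDateTime is a DMTF string that carries the DC's UTC offset;
    # ToDateTime() converts it into this machine's local time, so the two clocks compare directly
    $os        = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DomainController
    $dcTime    = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
    $localTime = Get-Date
    $skew      = $localTime - $dcTime

    $result = New-Object PSObject -Property @{
        DomainController = $DomainController
        LocalTime        = $localTime
        DcTime           = $dcTime
        SkewSeconds      = [math]::Round($skew.TotalSeconds, 1)
        WithinTolerance  = ([math]::Abs($skew.TotalMinutes) -le $MaxSkewMinutes)
    }
    if (-not $result.WithinTolerance) {
        $msg = "Clock is {0} seconds off from {1}; Kerberos (and therefore GPO processing) will fail. " +
               "Try: w32tm /resync, then gpupdate /force." -f $result.SkewSeconds, $DomainController
        Write-Warning $msg
    }
    return $result
}

Test-KerberosClockSkew | Format-List DomainController, LocalTime, DcTime, SkewSeconds, WithinTolerance
```

The WMI round trip adds a little latency to the measurement, which is irrelevant at a 5-minute threshold. If you prefer the built-in tool, `w32tm /stripchart /computer:<dc> /samples:3 /dataonly` reports the offset directly, and `w32tm /resync` forces the Windows Time service to correct it.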

PS: Quick update from Jeff L. who suggested I also turn you on to this Microsoft KB article:

Apr 2011

Charlie Sheen your GPOs . . . Winning !

I'm not going to beat up on Charlie Sheen in this blog post. You'll see where the Charlie Sheen stuff comes into play. Let's get right down to GP business.

Let's pretend you had this setup: two GPOs linked to the East Sales Users OU, GPO 111 and GPO 222.

And let's also pretend that they both touch the same policy setting: Remove Games Link from Start Menu.


If we run a Group Policy Results report, we can quickly see that BOTH GPOs (GPO 111 and GPO 222) were applied to the client machine (Win7Computer-32), as seen here.


Now, remember, I've said that GPO 111 and GPO 222 conflict on how they set the Remove Games Link from Start Menu setting.

So, which one is going to win?

Well, the quickest way to see the Winning GPO is to run the Group Policy Results report, as seen here. Among GPOs linked to the same container, the one with the lowest link order number is applied last and wins. In my (on purpose) not too complex example, we can see that GPO 111 is Winning over GPO


But what if we add something at another level, say the Domain level and Enforce those settings down?


If a GPO is Enforced, that GPO should be the Winning GPO (an Enforced link beats the normal order and even beats Block Inheritance on the OU), and in my re-run GP Results report, that's precisely what has occurred.


So, in short, the Winning GPO is the one that ultimately gets to express the setting on the client computer.

If you can't figure out WHY a particular value is appearing on the client, look no further than the GPO that's Winning!
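The same precedence question answered from PowerShell, as an added example that is not part of the original post: list the order in which GPOs apply to the OU, then pull the Group Policy Results report for the client. It assumes the GroupPolicy module (RSAT), and the OU distinguished name, computer name and user name are placeholders.

```powershell
# Added example, not from the original post: show the precedence order that produces a
# "Winning GPO", then generate the same RSoP report the post shows. The OU, computer and user
# names are placeholders.
Import-Module GroupPolicy

function Get-GPOPrecedence {
    # Lists every GPO that applies to a container, inherited and Enforced ones included, in the
    # order GPMC's "Group Policy Inheritance" tab uses: precedence 1 is applied last and wins
    param([Parameter(Mandatory = $true)][string]$Target)
    $inheritance = Get-GPInheritance -Target $Target
    $inheritance.InheritedGpoLinks |
        Select-Object @{ n = 'Precedence';  e = { $_.Order } },
                      DisplayName,
                      Enforced,
                      @{ n = 'LinkEnabled'; e = { $_.Enabled } },
                      @{ n = 'LinkedAt';    e = { $_.Target } }
}

# 1. Where does each GPO sit in the pecking order for East Sales Users?
Get-GPOPrecedence -Target 'OU=East Sales Users,DC=corp,DC=example' | Format-Table -AutoSize

# 2. What did the client actually get? Same data as the GPMC "Group Policy Results" wizard.
#    Needs admin rights on the target machine, and the user must have logged on there before.
$reportPath = Join-Path $env:TEMP 'rsop-east-sales.html'
Get-GPResultantSetOfPolicy -Computer 'Win7Computer-32' -User 'corp\eastsalesuser' `
    -ReportType Html -Path $reportPath
Start-Process $reportPath
```

Step 1 tells you what should win on paper; step 2 tells you what actually won on that machine. When the two disagree, the usual culprits are security filtering, a WMI filter, or a link that is disabled at one level and not another, and the HTML report shows all three.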

Mar 2011

Windows Group Policy vs. Logon Scripts. What's the right option?

I thought I would tip the hat this week to a Microsoft Premier Field Engineer who attempts to answer the age-old question:

Windows Group Policy vs. Logon Scripts. What's the right option?

Since in a previous blog post of mine I demonstrated why I personally feel Group Policy has the advantage, I thought I would share a more balanced rationale I recently found about why one might want to use the built-in logon script field in Active Directory Users and Computers versus Group Policy for logon scripts.

Here's the link to his article. Enjoy.

PS: My remaining seats in my April 11-14th Denver class are melting away like snow on a warm spring day. Don't wait if you're still interested. Confirm your seat TODAY by signing up online or call 302-351-4903 and Diane will help you with a PO. Discounts for large teams!

Feb 2011

Showing and Hiding Scripts using Group Policy

This came up with a group of new friends I met today in Wisconsin at a K-12 education conference.

Someone asked, "How can I prevent people from stopping login scripts as they run?"

I thought about this for a second and realized he was using the logon script field in Active Directory Users and Computers and running an old-school script like this.


It was an easy fix: simply start using Group Policy Scripts, which can be found here:


Doing it this way, logon scripts run hidden by default, so the user never gets a window to close. If you DID want to run logon scripts visible, you would need to enable

User Configuration | Policies | Administrative Templates | System | Logon/Logoff

Run Logon Scripts Visible.

(In the Windows Vista/7 ADMX files the same setting lives under System | Scripts.)
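If you manage this setting from PowerShell rather than the editor, the registry value behind it is HideLogonScripts (0 = visible, 1 = hidden) under the user's Policies\System key, which is how the Windows ADMX defines the policy. The following is an added example, not code from the original post; the GPO name is a placeholder and the GroupPolicy module (RSAT) is assumed.

```powershell
# Added example, not from the original post: set "Run logon scripts visible" in a GPO through
# the cmdlets, then audit which GPOs in the domain touch it. The GPO name is a placeholder;
# the value name (HideLogonScripts, 0 = visible, 1 = hidden) is the one the Windows ADMX uses.
Import-Module GroupPolicy

$key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'HideLogonScripts'

# Enabled = visible (0). To hide scripts again, set 1 (policy Disabled) or remove the value:
#   Remove-GPRegistryValue -Name 'User Logon Scripts' -Key $key -ValueName $name
Set-GPRegistryValue -Name 'User Logon Scripts' -Key $key -ValueName $name -Type DWord -Value 0 | Out-Null

# Audit: which GPOs set this value, and to what? Get-GPRegistryValue throws when the value
# is absent from a GPO, so the catch simply skips those.
Get-GPO -All | ForEach-Object {
    $gpo = $_
    try {
        $v = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $name -ErrorAction Stop
        New-Object PSObject -Property @{
            GPO            = $gpo.DisplayName
            ScriptsVisible = ($v.Value -eq 0)
        }
    } catch { }
} | Format-Table GPO, ScriptsVisible -AutoSize
```

Hiding the window only stops the user from closing it; a script that prompts or waits for input still stalls the logon, so pair this with "Run logon scripts synchronously" only when you have tested that the script finishes on its own.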

Hope that helps !

Jan 2011

How to Schedule a GPO to Fire Off within certain time blocks

Thanks to member Bart for the meat of this tip!

You might have a situation where you want GPOs to apply to a collection of computers, but only within certain time blocks.

Sure, you could manually link and unlink the GPO when the proper times come. But you're too busy for that.

Instead, use PowerShell and automate the task!

First things first: make sure the policy refresh interval on the workstations is short enough to pick up the newly enabled GPO settings during the time windows you want. Normally, computers refresh every 90 minutes, plus a random offset of up to 30 minutes. To use this tip, you might want to tighten the refresh interval just for this collection (a Training Room OU or Kiosk OU, say). I wouldn't recommend doing this for your whole population, since a shorter interval means every machine hits your DCs that much more often. Do this using the policy setting at "Computer Configuration | Administrative Templates | System | Group Policy | Group Policy refresh interval for computers."

Where this came in handy was activating and deactivating additional (outgoing) firewall rules for a classroom setup during specific classes.

To use it, simply set up a scheduled task to enable and disable the GPO link as needed (Set-GPLink -LinkEnabled toggles the existing link; it doesn't remove it):

To Enable:
Powershell -importsystemmodules -command "& {Set-GPLink -Name 'GPO_Computer_Classroom Outgoing Firewall' -Target 'ou=classroom,ou=computer management,dc=yourdomain,dc=local' -LinkEnabled Yes}"

To Disable:
Powershell -importsystemmodules -command "& {Set-GPLink -Name 'GPO_Computer_Classroom Outgoing Firewall' -Target 'ou=classroom,ou=computer management,dc=yourdomain,dc=local' -LinkEnabled No}"
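Here is the same toggle packaged as a script a scheduled task can call, with one addition: it pushes gpupdate to the classroom machines right away so they don't have to wait out the refresh interval. This is an added example, not Bart's or the post's own code. It keeps the post's placeholder GPO and OU names; the task account, schedule and script path are made up, and it assumes the GroupPolicy and ActiveDirectory modules (RSAT) plus WinRM (Enable-PSRemoting) on the classroom PCs.

```powershell
# Added example, not from the original post: the link toggle above as a script that a scheduled
# task can call, plus an immediate refresh so the classroom machines don't wait out the interval.
# GPO and OU names are the placeholders from the post; the task account and script path are
# made up. Requires the GroupPolicy and ActiveDirectory modules (RSAT) and WinRM on the PCs.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Yes', 'No')][string]$LinkEnabled,
    [string]$GpoName  = 'GPO_Computer_Classroom Outgoing Firewall',
    [string]$TargetOU = 'ou=classroom,ou=computer management,dc=yourdomain,dc=local'
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Toggle the existing link rather than removing it, so link order and Enforced stay as configured
Set-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled $LinkEnabled | Out-Null

# Push a refresh to every computer in the OU. Invoke-GPUpdate only exists from Windows 8 /
# Server 2012 onward, so on Windows 7 / 2008 R2 remoting is the way to do it.
$computers = Get-ADComputer -SearchBase $TargetOU -Filter * | Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    "{0}: refreshed" -f $env:COMPUTERNAME
}

# Register the two tasks once, running as an account that is delegated "Link GPOs" on the OU
# (GPMC, Delegation tab), not as a Domain Admin. The script is saved as
# C:\Scripts\Set-ClassroomFirewallLink.ps1 in this example:
#   schtasks /Create /TN "Classroom FW on"  /SC WEEKLY /D MON,WED /ST 08:00 /RU yourdomain\svc_gplink /RP * ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Set-ClassroomFirewallLink.ps1 -LinkEnabled Yes"
#   schtasks /Create /TN "Classroom FW off" /SC WEEKLY /D MON,WED /ST 12:00 /RU yourdomain\svc_gplink /RP * ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Set-ClassroomFirewallLink.ps1 -LinkEnabled No"
```

The task account is the part worth getting right: whatever runs this job can change what policy applies to those machines, so give it only the "Link GPOs" right on that one OU and nothing else.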

PS: For more information, the PowerShell cmdlets for managing GPOs come with Windows 7 (via RSAT) and Windows Server 2008 R2. For an overview of all the GPO cmdlets, have a look at the TechNet site:

Jan 2011

Lockdown PCs -- Hard. With Windows 7 - - Easy.

The Lockdown Question

"Hey Jeremy, what's the best way to lock down my Windows machines?" I hear this question dozens of times a year from students who are sitting down on the first day of my Group Policy training workshops. They are often very eager to get right down to business and wrestle this particular problem to the ground, because they know that when they go back to their offices and implement what they're about to learn, their environment will be more predictable and more secure.

See, I know we all feel it would be best if our pesky users would just stop playing with stuff in Windows, in their applications and on their desktops.

And, sure, that's part of the art of desktop lockdown. But my suggestion would be to look at desktop lockdown from a holistic and incremental approach. There's no one best way to lock down your Windows machines.

But what is true is that the technologies built into Windows 7 enable more control than ever, across a wide variety of situations. Let's explore some of my favorite ways to get started with desktop lockdown, then I'll give you some tips on how to expand your controls as you need to.

Lead with Group Policy and Group Policy Preferences

This pair of technologies is arguably the most powerful arrow in your quiver. Using Group Policy, you can restrict a user from some of Windows' most tempting locations, such as the Control Panel, Desktop, Start Menu, Taskbar and more. Once a GPO is created, most of these settings are found within the User Configuration | Administrative Templates section. There are way too many settings to review here, but I would encourage you to poke around, take stock of the ones that are most interesting to you, then try them out in your test lab before rolling out into production.

When performing lockdown tests, I would suggest that you use two people, a Designer and a Tester. The Designer sets up the Group Policy settings and the lockdown tests, then the Tester validates the tests and tries to wiggle around the Designer's intentions. Using two people during testing ensures good feedback: one person always validates the other.

As you're working through your testing, do note that some policy settings rely on other policy settings being enabled, or on other conditions being present on the client machine, before you actually see the result you're expecting. So again, having a Designer design and a Tester test helps make sure the settings you want to achieve have actually taken effect on the client machine.
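To make the Designer/Tester split concrete, here is a starter lockdown GPO built with the Group Policy cmdlets, with the Designer half (build and link) separated from the Tester half (read back and verify on a client). This is an added example, not code from the original article: the GPO and OU names are placeholders, the GroupPolicy module (RSAT) is assumed, and the registry values are the ones the named Administrative Template settings write under the user's Policies keys.

```powershell
# Added example, not from the original article: a starter lockdown GPO built with the cmdlets,
# split into the Designer half (build and link) and the Tester half (verify). GPO and OU names
# are placeholders; the registry values are those the named Administrative Template settings
# write under HKCU\...\Policies.
Import-Module GroupPolicy

$gpoName  = 'Lockdown - Kiosk Users'
$ou       = 'OU=Kiosk Users,DC=corp,DC=example'
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# --- Designer: build the GPO ----------------------------------------------------------
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Owner: Desktop team. Baseline user lockdown for kiosks.' | Out-Null
}
$settings = @(
    @{ Key = $explorer; Name = 'NoControlPanel';       Policy = 'Prohibit access to Control Panel' },
    @{ Key = $explorer; Name = 'NoRun';                Policy = 'Remove Run menu from Start Menu' },
    @{ Key = $explorer; Name = 'NoSetTaskbar';         Policy = 'Prevent changes to Taskbar and Start Menu Settings' },
    @{ Key = $system;   Name = 'DisableTaskMgr';       Policy = 'Remove Task Manager' },
    @{ Key = $system;   Name = 'DisableRegistryTools'; Policy = 'Prevent access to registry editing tools' }
)
foreach ($s in $settings) {
    # Each of these policies is "Enabled" when its value is DWORD 1
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value 1 | Out-Null
}
# Link to the test OU only; the Tester signs off before it goes anywhere broader
$linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# --- Tester: verify from the GPO itself, not from the Designer's notes ------------------
Get-GPRegistryValue -Name $gpoName -Key $explorer | Select-Object ValueName, Value
Get-GPRegistryValue -Name $gpoName -Key $system   | Select-Object ValueName, Value
# Then log on to a test client as a kiosk user and check what actually landed, since some
# settings only show their effect once other settings or conditions are in place:
#   gpresult /r /scope:user
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
```

The Tester's job is then to try to get around each setting (Ctrl+Shift+Esc for Task Manager, typing control.exe into a file dialog, and so on) and report what still works; that list drives the next round of Designer changes.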

Group Policy Preferences also let you deliver desktop settings. Though not specifically designed for desktop lockdown, they can be helpful in guiding users away from temptation and toward standardization.


Caption: The Group Policy Preferences can implement IE settings

Sometimes what the doctor ordered is a blend of Group Policy and Group Policy Preferences. For instance, you might want to use Group Policy Preferences to set a particular IE setting, plus use Group Policy controls to lock down certain areas of IE so the user can't change it back.

This is an advanced skill, which takes a little practice and patience. But with enough time, you'll find the right balance using the two.

I would also suggest that you check out a favorite document of mine entitled Group Policy Settings for Creating a Steady State which can be found here with literally dozens of ideas to help you get started.

Focus, then Expand

So going back to my students who ask me, "Hey Jeremy, what's the best way to lock down my Windows machines?" As you can tell, I love to lead with the core lockdown, starting with Group Policy and Group Policy Preferences, then expand outward using additional Windows 7 technologies.

If you're looking for more hard-core controls, you might want to check out the recently published document from Microsoft entitled Creating a Steady State by Using Microsoft Technologies.

Inside you'll discover some extra ideas you can try out, such as mandatory profiles, working with AppLocker to prevent applications from running, and even wiping back the hard drive of a machine every night!

We've just scratched the surface. For additional specific tips and tricks on desktop lockdown, it's a common feature in my Tip of the Week. You can sign up for the free Tip of the Week at You can also get hands-on experience with Group Policy and desktop lockdown in my in-person or online Group Policy Master Class at


Jeremy Moskowitz, and

Jeremy Moskowitz is an Enterprise Mobility MVP, the Chief Propeller-Head for and Founder of PolicyPak, which makes software to increase desktop lockdown using Group Policy. Thousands of IT professionals have taken his Group Policy training. was ranked as one of “The 20 most useful Microsoft sites for IT professionals” by ComputerWorld magazine. Jeremy is also a STEP member.

Dec 2010

Google Chrome-MSI and ADMX files

This is a short and a sweet one. Sort of.

Google has announced an MSI file for deploying their Chrome browser en masse to your PCs.


Well, they've got an MSI now. And you can use, say, your favorite software distribution mechanism, like... oh, gosh, I don't know, the in-the-box and widely under-used Group Policy Software Installation?

Check out the link here.. Now before you DO, I suggest you read onward.

The trick appears to be that, while the MSI is available to anyone, I'm actually NOT SURE whether anyone (everyone) is allowed to use it unless they're a Google Chrome for Business customer. I clicked on the link to download the MSI and saw a huge EULA in front of me. I copied and pasted it into Word (take THAT, Google Docs!) and it was a whopping 13 pages and 6,553 words.


First things first: item 1.3 in the EULA has a double-word typo, as in "1.3 Your agreement with Google will also include the the terms". I'm not above typos myself, but then again, I don't have 11 billion lawyers working for me.

Next, I did try to buzz through the document looking for words like "Customer" and other such stuff to help me learn what the scoop is. But I really can't tell if I'm allowed to use it. Honestly, this isn't my area of expertise, so I don't have direct advice on whether it's legal, quasi-legal, or totally illegal to use this MSI if you're not a Google Chrome for Business member. I guess I could contact Google Sales, and maybe they'll get a hold of me.

But, if you KNOW the answer, then just email me, and I'll post a follow-up.

Part II of this little story is that there are also ADM and ADMX/ADML files. Once you put the ADM or the ADMX & ADML files in the right place (the ADMX/ADML pair goes in the domain Central Store or a management station's local PolicyDefinitions folder; the ADM is for pre-Vista management stations), you're cookin' with gas and configuring Chrome a-go-go.

The link to THAT is here:
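Putting the files "in the right place" for a whole domain means the Central Store in SYSVOL. The following is an added example, not from the original post or from Google: it creates the Central Store if it doesn't exist yet and copies the Chrome ADMX/ADML files into it. The source folder layout (ADMX files with per-language subfolders holding the ADML files) and the path are assumptions; adjust them to what the download actually gives you.

```powershell
# Added example, not from the original post: put the Chrome ADMX/ADML files into the domain
# Central Store so every GPMC console sees them. The source folder layout (admx files with
# per-language subfolders holding the adml files) is assumed; adjust to what the download gives you.
param(
    [string]$SourceFolder = 'C:\Temp\chrome-policy\windows\admx',
    [string]$Domain       = $env:USERDNSDOMAIN
)
$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# Creating this folder is what turns the Central Store on: from then on GPMC reads ADMX files
# only from here and ignores the local %SystemRoot%\PolicyDefinitions, so the Windows ADMX set
# must be copied in too (once), or the built-in settings disappear from the editor.
if (-not (Test-Path $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
    Copy-Item "$env:SystemRoot\PolicyDefinitions\*" -Destination $store -Recurse -Force
}

Copy-Item "$SourceFolder\*.admx" -Destination $store -Force
Get-ChildItem $SourceFolder | Where-Object { $_.PSIsContainer } | ForEach-Object {
    # e.g. en-US\chrome.adml -> PolicyDefinitions\en-US\chrome.adml
    $langDir = Join-Path $store $_.Name
    if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
    Copy-Item (Join-Path $_.FullName '*.adml') -Destination $langDir -Force
}

# Show what landed. Don't also add chrome.adm to the same GPO, or the settings show up twice.
Get-ChildItem $store -Filter 'chrome*.admx'
Get-ChildItem $store -Recurse -Filter 'chrome*.adml'
```

Only Domain Admins (or whoever you have delegated) can write to that folder, but every authenticated user can read it, so treat the Central Store as a place for policy definitions only and never drop anything sensitive in there.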

Interesting stuff.

That's it for now.

PS: Learn how to deploy MSI files, upgrade them, manage them, patch them, revoke them and more. Learn how to manage ADM, ADMX and ADML files without shooting yourself in the foot or blowing up your network.

I still have the <bleep>-ing discount going for my Home Study Course – Silver Kits. Gotta email me for the <bleep>-ing discount code.

Check out my Group Policy training with the Online University here:

Talk soon!

Nov 2010

Using Powershell to find Group Policy Strangeness

Do you have any GPOs which are “not doing anything”? If so, why?

If you have zillions of GPOs, here’s a quick cleanup tip.

Use a Windows 7 machine (with RSAT installed) and PowerShell to quickly find all GPOs which have all their settings disabled.

Here's an example GPO with all the settings disabled.


Sure, you COULD click on every stinkin' GPO in your domain.

-OR- you can use Powershell to quickly get to the bottom of things.

1. On a Windows 7 machine with RSAT (the GroupPolicy module) installed, open a command prompt.

2. Type “Powershell” (no quotes.)

3. Type Import-Module GroupPolicy and press Enter.

4. Type the command you see here: Get-GPO -All | Sort-Object GpoStatus

The ones with a GpoStatus of AllSettingsDisabled will be grouped together (they bubbled up to the top for me).


All the PowerShell propeller-heads are rolling their eyes right now, because they know there's a cleaner way to produce this output showing ONLY the ones that actually match the GpoStatus of AllSettingsDisabled.

Yes, yes, you purists.

Here's how to do it:

Get-GPO -All | Where-Object { $_.GpoStatus -eq 'AllSettingsDisabled' }
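"All settings disabled" is only one way a GPO can be doing nothing. Here is the same idea carried a step further, as an added example that is not part of the original post: it also flags GPOs with no enabled link anywhere and GPOs that were created but never edited (both version counters still 0). It assumes the GroupPolicy module (RSAT) and reads each GPO's XML report for its links.

```powershell
# Added example, not from the original post: the cleanup idea carried further. Besides
# "all settings disabled", two other kinds of GPO do nothing: ones with no enabled link
# anywhere, and ones that were created but never edited (both version counters still 0).
Import-Module GroupPolicy

function Get-GPOStrangeness {
    Get-GPO -All | ForEach-Object {
        $gpo = $_
        # LinksTo in the XML report lists every place the GPO is linked, with an Enabled flag
        [xml]$report  = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $enabledLinks = @($report.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' })

        $reasons = @()
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled')                        { $reasons += 'AllSettingsDisabled' }
        if ($enabledLinks.Count -eq 0)                                        { $reasons += 'NoEnabledLinks' }
        if ($gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -eq 0)     { $reasons += 'NeverEdited' }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                GPO          = $gpo.DisplayName
                Status       = $gpo.GpoStatus
                EnabledLinks = $enabledLinks.Count
                Modified     = $gpo.ModificationTime
                Reasons      = ($reasons -join ', ')
            }
        }
    }
}

Get-GPOStrangeness | Sort-Object GPO | Format-Table GPO, Status, EnabledLinks, Modified, Reasons -AutoSize
```

Before deleting anything this turns up, back it up first (Backup-GPO -Guid $gpo.Id -Path C:\GPOBackups) and check who owns it; a GPO with no links and a recent modification time is often somebody's work in progress rather than junk.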


Hope this helps you out!