MDM & GP Tips Blog

Jan 31, 2012

Clean Naming for GPOs (Notes from the field): Part II

Team:

I wanted to share with you some of your peers' humble suggestions for Group Policy naming. Again, what works for THEM might NOT work for you, but at least it can give you some food for thought.

From Ondrej in Slovakia:

I use names for GPOs and I think it’s a good way to have them this way:

GPO_RDS_APP_Office2010_v01
- GPO – to make a unique name for GPOs
- RDS – name of the part being changed (Remote Desktop Services)
- APP – managing an APPlication (Software Restriction)
- Office2010 – name of the application
- v01 – version of the GPO

GPO_DisableIPV6_v01
- GPO – to make a unique name for GPOs
- DisableIPV6 – short, accurate name of the changes in the GPO
- v01 – version of the GPO

I think it’s very good to have versioning of GPO policies. When I change a GPO I increase the version number, and I keep at most 2 older GPOs just for history and to help find out what changes I made.

From Charl in South Africa, who has 2,000 GPOs! (edited a little for clarity):

"Here’s what we do:

– If the policy is domain linked, the GPO will start with the name of the domain it’s in; this works very well if you have multiple domains.

– For the GPOs linked to our old servers structure we kept the names as starting with "Servers" and these are slowly being migrated to the new servers OU structure and the names for these GPOs start with NS (New Servers – OK, it’s actually my company’s name that starts with an N, followed by S for servers).

– The OU is "Nxxxx  Servers". Next up is the GPOs linked for the XP OUs and they start with XP and similarly the Windows 7 GPOs start with NUW (Again, first letter of my company’s name being an N followed by U and W which stands for Users and Workstations).

– The next part of the name is followed by a dash (-), C and/or U and then another dash (-). This indicates whether the GPO has the Computer, User or both nodes enabled.

– The next part of the name indicates what the function of the GPO is and if there are multiple functions, these are separated by commas (,).

– Lastly, the name ends with a colon (:) followed by the department who ‘owns’
this GPO, i.e. Security, ServerOps, End User Computing, etc. Again, we only have about 5 owners.

So, on a daily basis I use the GPMC scripts to dump all the GPO names into a single file, DTS/SSIS then into SQL and then the fun starts:

– By using the dashes, commas and colons as separators, I can see with a stored procedure which GPOs do not have owners (there is no colon with one of the defined owners after it), and which GPOs do not indicate whether they are Computer, User or both-nodes-enabled GPOs.

– I can see which GPOs do not conform to the proper naming convention. If it does not start with one of the five top-level GPO names, I know immediately that I have a problem.

– Digging a bit further (all automated now!) I can even see who made a GPO and indicated it is a Computer GPO, but the User node is still enabled. The exception reports only run IF something is wrong, and the GPO guys from Server Ops know that Big Daddy from Security is watching them.

– For GPOs linked lower down, we use the abbreviations of the child OUs in the GPO name as well just after the top-level name.

So, by looking at a GPO name, I can identify where it is linked, whether it is Computer/User/both, its function and its owner. Here’s an example:

I.e. XP-C-Power management, Screensaver lockdown:SO

I can quickly parse this, and see that the GPO is linked to OU containing XP machines, Computer node enabled, sets power management and screensaver and belongs to Server Ops.

How’s that for being empowered?"

Jan 25, 2012

A Clean Naming Convention for GPOs

Many people ask me: Is there an ideal way to name GPOs?

Well, yes and no.

First, the big problem is that the swimming pool where the GPOs live (that is, the Group Policy Objects node in the GPMC) just sort of all runs together. One big blaaaah of all the GPOs.

So, first off there is no way to partition them or organize them. They're all just there.

Therefore, having a naming convention that works for your company could prove to be a lifesaver.

There is no right or perfect way to name a GPO. One suggestion is a four-part naming convention.

Part I: The Where.

Part II: The What.

Part III: The Who

Part IV: The Type.

For instance a GPO might be in charge of opening Port 123 on Sales Computers. Great. So, here's a name I might use:

EAST SALES COMPUTERS Firewall Open Port 123 (C) – JeremyM

All four elements are there. And in the Group Policy Objects list, all the GPOs are listed Alphabetically, so you'll see each Where together quickly. The (C) tells me that the C-omputer side of the GPO is used and not the user side. The name on the end shows who is the ultimate owner of the GPO or who is in charge or who to contact for issues or updates. (You could also put this in the GPO comment fields.)

Another perfectly fine choice is to re-arrange this list. Like:

(C) EAST SALES COMPUTERS Firewall Open Port 123 – JeremyM

This will sort with all the Computer side GPOs grouped together first, then WITHIN that, all the EAST SALES COMPUTERS linked GPOs.

Again, you're welcome to have the names be anything you want. Just note that whatever comes first is what the list is sorted on, alphabetically. Having all four elements makes things a lot easier, in this guy's opinion.

A final trick: sometimes I use an underscore character _ to signify GPOs which are domain linked or are special in some way. For instance, _PolicyPak License GPO Expires 1-1-14 will bubble up to the top where it is easily seen by everyone (as underscore is sorted BEFORE the letter A).
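As an added example (not from this post, and not the GPMC-dump-into-SQL pipeline Charl describes in Part II), here is a PowerShell check of the four-part WHERE WHAT (C|U|CU) – Owner convention above. Like Charl's exception report, it flags names that are missing a part and names whose (C)/(U) marker disagrees with what the GPO actually has enabled (the GpoStatus value Get-GPO returns). The regex, the sample inventory and the decision to exempt underscore-prefixed GPOs are assumptions of this example.

```powershell
# Added example: validate GPO display names against the four-part convention
# "WHERE WHAT (C|U|CU) - Owner" and cross-check the marker against GpoStatus.
# WHERE is taken to be the leading run of ALL-CAPS words (assumption); the match is
# case-sensitive (-cmatch) so that mixed-case WHAT text ends the WHERE part.
$script:NamePattern = '^(?<where>[A-Z0-9]+(?:\s+[A-Z0-9]+)*)\s+(?<what>.+?)\s+\((?<type>C|U|CU)\)\s+[\u2013-]\s+(?<owner>\S+)$'

# GpoStatus value each marker implies (these are the values Get-GPO reports).
$script:ExpectedStatus = @{
    'C'  = 'UserSettingsDisabled'      # computer side only
    'U'  = 'ComputerSettingsDisabled'  # user side only
    'CU' = 'AllSettingsEnabled'        # both sides
}

function Test-GpoName {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$GpoStatus
    )
    $r = [ordered]@{ Name = $DisplayName; Conforms = $false; Problem = $null
                     Where = $null; What = $null; Type = $null; Owner = $null }

    # Underscore-prefixed GPOs are the "special / domain linked" exception (assumption).
    if ($DisplayName.StartsWith('_')) {
        $r.Conforms = $true; $r.Problem = 'special (underscore) GPO, not checked'
        return [pscustomobject]$r
    }
    if (-not ($DisplayName -cmatch $script:NamePattern)) {
        $r.Problem = 'does not match WHERE WHAT (C|U|CU) - Owner'
        return [pscustomobject]$r
    }
    $r.Where = $Matches['where']; $r.What  = $Matches['what']
    $r.Type  = $Matches['type'];  $r.Owner = $Matches['owner']

    # The name claims (C)/(U)/(CU); the GPO must actually be configured that way.
    $expected = $script:ExpectedStatus[$r.Type]
    if ($GpoStatus -ne $expected) {
        $r.Problem = "name says ($($r.Type)) but GpoStatus is $GpoStatus (expected $expected)"
        return [pscustomobject]$r
    }
    $r.Conforms = $true
    return [pscustomobject]$r
}

# Constructed sample inventory standing in for Get-GPO -All (names/statuses are made up).
$sample = @(
    [pscustomobject]@{ DisplayName = 'EAST SALES COMPUTERS Firewall Open Port 123 (C) - JeremyM'; GpoStatus = 'UserSettingsDisabled' }
    [pscustomobject]@{ DisplayName = 'EAST SALES USERS Screensaver Lockdown (U) - JeremyM';        GpoStatus = 'AllSettingsEnabled' }
    [pscustomobject]@{ DisplayName = 'Default Domain Policy';                                     GpoStatus = 'AllSettingsEnabled' }
    [pscustomobject]@{ DisplayName = '_PolicyPak License GPO Expires 1-1-14';                     GpoStatus = 'AllSettingsEnabled' }
)

# Against a real domain, use: $sample = Get-GPO -All | Select-Object DisplayName, GpoStatus
$report = $sample | ForEach-Object { Test-GpoName -DisplayName $_.DisplayName -GpoStatus $_.GpoStatus }
$report | Where-Object { -not $_.Conforms } | Format-Table Name, Problem -AutoSize
```

On the constructed sample the second and third names are reported: the screensaver GPO says (U) but still has its computer side enabled, and "Default Domain Policy" has none of the four parts. Running it on a schedule against Get-GPO -All gives you the same "only prints when something is wrong" exception report Charl describes, without the SQL detour.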

What's your naming convention? Shoot me an email with your solution. Thanks!

Nov 14, 2011

Managing XenApp using Group Policy - Part I

I’ve been playing with XenApp 6.5 the last couple of weeks, and I’ve been thinking a lot about Group Policy with regard to Citrix and XenApp servers. Really, there are two pieces:

  1. Managing Applications and settings for users on XenApp servers … and…
  2. Managing the XenApp servers themselves.

This is just part I: Managing Applications and Settings for Users on XenApp Servers.

Managing Applications and Settings for Users on XenApp Servers Using Group Policy

One of the things that people ask me over and over again is… "On my Citrix XenApp servers, is there any way to manage my common applications’ settings using Group Policy?"

Here are the three normal ways you can do this:

Application Has an ADM/ ADMX template

Unless the application has a managed way to deal with its settings (an ADM or ADMX template) you’ve got a problem. Office applications have ADM templates. Great. But name five other applications with ADM or ADMX templates.

In short: You can’t.

Managing XenApp Applications Using GP Preferences

In some circumstances, you could use Group Policy Preferences if you knew exactly which registry values to punch in (if the application even stores its settings there).

Here’s a blog entry from Mr. XenApp Blog (Eric Haavarstein) on exactly how to do this. And he shows how to use a tool from fellow Enterprise Mobility MVP Mark Heitbrink which converts registry entries into GP Preferences Registry items. Awesome!

So, the blog entry is: http://www.xenappblog.com/2011/group-policy-management-import-registry-files/

And Mark’s tool is found here: http://reg2xml.com/

True Application Lock Down PLUS non-Registry based Applications

I like the tip from Eric and the tool from Mark. They’re great if that’s all you need to do.

But they DO have some major limitations. How do you still perform:

  • Dynamic changes if you want to. Do you know which specific entry to tweak if you needed to make a simple change? Ouch. Painful.
  • True lock down so users can’t work around your settings? You can’t do that with Group Policy Preferences. Users can just change the setting you put down.
  • Management of file-based applications like Firefox, OpenOffice, Flash Player, or others? You can’t manage those with Group Policy Preferences (since their settings don’t live in the Registry).

So what are you going to do?

Good news.

PolicyPak Software (www.PolicyPak.com) can do this. Big time.

Here is a video to show you exactly how you would do this.

The "cherry on top" is that PolicyPak is fully CitrixReady and also works with XenDesktop. Here’s a video for that too: https://www.policypak.com/technology-and-downloads/policypak-expands-xendesktop.html

If you’re interested in trying this out for yourself, you’ll need to sign up for a demonstration at www.PolicyPak.com/webinar. After that, you can get the download and give this a try yourself.

Oct 11, 2011

Why isn't Group Policy Working on this Client?

Answer: Did You Check the DNS Configuration of the Client?

One of the most frequently encountered problems with Windows 2000 and above is that things just ‘stop working’ when DNS gets out of whack.

Specifically, if you’re not seeing Group Policy apply to your client machines, make sure their DNS client is pointing to a Domain Controller or other authoritative source for the domain. If it’s pointing to the wrong place or not pointing anywhere, Group Policy will simply not be downloaded.

As a colleague of mine likes to say, ‘Healthy DNS equals a healthy Active Directory.’

Moreover, in the age of multiple forests and cross-forest trusts, Group Policy could be applying from just about anywhere and everywhere. It’s more important than ever to verify that all DNS server pointers are designed properly and working as they should.

For instance, if clients cannot access their ‘home’ Domain Controllers while leveraging a cross-forest trust, they won’t get Group Policy.

Finally, to put a fine point on it, DNS works only with the fully qualified name.

It’s not enough to verify that you can resolve a computer named xppro1; you need to verify that xppro1.corp.com resolves.

The first is actually the NetBIOS name and not the fully qualified domain name.

The second is the fully qualified domain name.

If you find yourself in a DNS resolution situation where resolving the NetBIOS name will work, but the fully qualified name will not work, then you have a DNS problem that needs to be addressed.
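To turn the three checks above into something you can run on the client, here is an added PowerShell example (not part of the original post). It reports which DNS servers the client is pointing at, whether each of them answers the domain's DC locator SRV record, and whether a DC's fully qualified name resolves, and it flags the exact failure pattern the post describes: the short (NetBIOS) name resolves but the FQDN does not. The domain name and the short host name are assumptions passed in as parameters; the cmdlets used (Get-DnsClientServerAddress, Resolve-DnsName) ship with Windows 8 / Server 2012 and later.

```powershell
# Added example: DNS sanity checks for a client that is not getting Group Policy.
function Test-GpDnsHealth {
    param(
        [Parameter(Mandatory)][string]$DomainName,   # e.g. corp.com  (assumption)
        [string]$ShortName                           # e.g. xppro1    (assumption, optional)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Which DNS servers is this client actually configured to use?
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } |
        Select-Object -Unique
    if (-not $servers) {
        $findings.Add('no IPv4 DNS servers configured: the client cannot locate a DC at all')
        return $findings
    }

    # 2. Does each configured server answer the DC locator query for the domain?
    #    Group Policy processing starts with this SRV lookup; a server that cannot
    #    answer it is "pointing to the wrong place" in the post's words.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $dcHosts = @()
    foreach ($s in $servers) {
        try {
            $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $s -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            if ($srv) { $dcHosts += $srv.NameTarget }
            else      { $findings.Add("$s returned no SRV records for $srvName") }
        } catch {
            $findings.Add("$s could not resolve $srvName ($($_.Exception.Message))")
        }
    }

    # 3. FQDN resolution: the DC names returned above are fully qualified and must resolve.
    foreach ($dc in ($dcHosts | Select-Object -Unique)) {
        if (-not (Resolve-DnsName -Name $dc -Type A -DnsOnly -ErrorAction SilentlyContinue)) {
            $findings.Add("DC FQDN $dc does not resolve in DNS")
        }
    }

    # The post's specific symptom: the NetBIOS-style short name works (via suffix search,
    # LLMNR or NetBIOS fallback) but the fully qualified name does not.
    if ($ShortName) {
        $fqdn    = "$ShortName.$DomainName"
        $shortOk = [bool](Resolve-DnsName -Name $ShortName -Type A -ErrorAction SilentlyContinue)
        $fqdnOk  = [bool](Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue)
        if ($shortOk -and -not $fqdnOk) {
            $findings.Add("$ShortName resolves but $fqdn does not: this is a DNS problem, not a network problem")
        }
    }

    if ($findings.Count -eq 0) {
        $findings.Add("OK: $($servers -join ', ') answer for $DomainName and DC FQDNs resolve")
    }
    return $findings
}

# Run against the logged-on domain, testing this machine's own name as the short name.
Test-GpDnsHealth -DomainName $env:USERDNSDOMAIN -ShortName $env:COMPUTERNAME
```

Each finding is one line you can paste into a ticket. If step 2 fails for every configured server, fix the client's DNS server list first; the Group Policy errors you are chasing are downstream of that.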

Jul 12, 2011

Group Policy: Talk is Cheap

If you haven’t yet utilized the updated GPMC’s new "Comments" feature, it’s pretty neat. The idea is that you can specify a comment on a GPO about, say, who created it, who supports it, and what it’s supposed to be doing.

But something came up in the last class I was teaching that I thought was neat and wanted to share with you.

Someone wanted to know how they could create a comment ONE TIME, then "recycle" that comment to other GPOs.

So, imagine I had a comment in a GPO which says: "Mean Man Moskowitz made me make this GPO." And then imagine that comment could be applicable to multiple GPOs.

But how do you reproduce the comment over and over again?

Turns out: it’s short and sweet. And no scripting or programming required.

The comment is inside the GPT (SYSVOL) portion of the GPO in a file called "GPO.CMT."

Just copy that file to ANOTHER GPO’s GPT (that’s the portion that lives in SYSVOL) and… whamo!

You’ve copied the comment.

I don’t know if this is "officially sanctioned" or not, but it seemed to work pretty well when I tested it out! So, use at your own risk, I guess.
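As an added example (not from the post), here is the same file copy done from PowerShell, with a read-back so you can see the comment land. The GPO names are assumptions; the GPT path layout \\<domain>\SYSVOL\<domain>\Policies\{GUID}\GPO.cmt is the standard one, and Get-GPO surfaces the comment as the Description property, which is what the read-back uses.

```powershell
# Added example: copy the GPMC comment (GPO.cmt in the GPT) from one GPO to another.
Import-Module GroupPolicy

function Copy-GpoComment {
    param(
        [Parameter(Mandatory)][string]$SourceGpo,          # assumption: display name of the source GPO
        [Parameter(Mandatory)][string]$TargetGpo,          # assumption: display name of the target GPO
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $src = Get-GPO -Name $SourceGpo -Domain $Domain
    $dst = Get-GPO -Name $TargetGpo -Domain $Domain

    # The comment is what Get-GPO shows as Description; capture it before the copy.
    $before = $dst.Description

    # GPT paths: \\<domain>\SYSVOL\<domain>\Policies\{GUID}\GPO.cmt
    $srcFile = "\\$Domain\SYSVOL\$Domain\Policies\{$($src.Id)}\GPO.cmt"
    $dstFile = "\\$Domain\SYSVOL\$Domain\Policies\{$($dst.Id)}\GPO.cmt"
    if (-not (Test-Path -LiteralPath $srcFile)) {
        throw "Source GPO '$SourceGpo' has no comment (no GPO.cmt in its GPT)"
    }

    Copy-Item -LiteralPath $srcFile -Destination $dstFile -Force

    # Read it back through the Group Policy module to confirm the copy "took".
    $after = (Get-GPO -Guid $dst.Id -Domain $Domain).Description
    [pscustomobject]@{
        Target  = $TargetGpo
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    }
}

# Usage (GPO names are assumptions):
Copy-GpoComment -SourceGpo 'GPO 111' -TargetGpo 'GPO 222'
```

Two caveats the post's "use at your own risk" hints at: the copy writes to whichever DC the SYSVOL share resolves to, so the read-back can lag until replication catches up, and the file copy bypasses the GPMC entirely. If you would rather stay on the supported path, the Gpo object's Description property is writable, so `$gpo = Get-GPO -Name 'GPO 222'; $gpo.Description = $text` sets the same comment without touching SYSVOL by hand.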

Jun 07, 2011

Group Policy and backups using PowerShell

My pal and fellow MVP Jeff Hicks noticed something. He noticed that the Group Policy PowerShell cmdlets had a Backup-GPO and Restore-GPO (seen here…)

[Screenshot: the Backup-GPO and Restore-GPO cmdlets]

But there was no way to really get into the "Manage Backups" stuff that you can only get to within the GUI.

[Screenshot: the Manage Backups dialog in the GPMC]

So he created it. You can see Jeff’s interesting blog post about using PowerShell to get to this part of the world here: http://jdhitsolutions.com/blog/2011/05/get-gpo-backup/

Also, I wanted to say THANKS to the folks who showed up for my "Secret Group Policy Meetup" at TechEd.

We got to the bottom of some sticky issues for those who attended and had a really fun overall "rap" session.

We even had several guest stars: Aaron Margosis, Microsoft Technical Services and fellow TechEd speaker; Thorbjorn Svolvold, Group Policy big-brain from Specops Software; and Zach Alexander from the Group Policy team at Microsoft. Thanks everyone for attending!

Photo credit: Takayuki Shodai, also in attendance but not shown, since he’s taking the picture. Thanks Takayuki!

[Photo: attendees of the Secret Group Policy Meetup at TechEd]

May 09, 2011

Time . . . Is of the Essence!

I ran GPupdate today on one of my Windows 7 machines and got this. . .

[Screenshot: gpupdate output warning that the client's clock is out of sync with the domain controller]

It's kind of a mouthful, but here's the short, sweet story.

Group Policy relies on the Kerberos protocol. Kerberos relies on the clock. If the clock between your client and your server is skewed by more than the allowable value (normally 5 minutes), then you won't process GPOs correctly!

So, this warning is saying: my clock is off versus the domain controller's.

No problem. Usually a reboot fixes this kind of thing. Or it gets fixed on its own when the time sync service does its thing.

But one of the key troubleshooting steps for GPOs is to VERIFY that your client's time is within 5 minutes of your DCs' time.

Do this, and you’re off and running (sometimes).
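Here is that verification step as an added PowerShell example (not from the post). It asks w32tm for the offset between this client and a domain controller and compares the worst sample against the 5-minute Kerberos default. The DC defaults to the one that authenticated the current logon ($env:LOGONSERVER); the 5-minute threshold is the default from Kerberos policy and is a parameter in case your domain sets a different tolerance.

```powershell
# Added example: measure clock skew against a DC and compare it with the Kerberos tolerance.
function Test-KerberosClockSkew {
    param(
        [string]$Dc = $env:LOGONSERVER.TrimStart('\'),   # DC that authenticated this logon
        [int]$MaxSkewMinutes = 5,                         # Kerberos "max tolerance" default
        [int]$Samples = 3
    )
    # /stripchart prints one "hh:mm:ss, +00.0012345s" line per sample with /dataonly.
    $raw = & w32tm.exe /stripchart /computer:$Dc /samples:$Samples /dataonly 2>&1

    $offsets = foreach ($line in $raw) {
        # Accept either '.' or ',' as the decimal separator (w32tm follows the system locale).
        if ($line -match '^\s*\d{1,2}:\d{2}:\d{2},\s*([+-]\d+[.,]\d+)s') {
            [double]($Matches[1] -replace ',', '.')
        }
    }
    if (-not $offsets) {
        throw "Could not read a time offset from w32tm against '$Dc'. Output was:`n$($raw -join "`n")"
    }

    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        DomainController = $Dc
        LastOffsetSec    = $offsets[-1]
        WorstAbsSec      = $worst
        WithinKerberos   = ($worst -lt ($MaxSkewMinutes * 60))
        TimeSource       = ((& w32tm.exe /query /source 2>&1) -join '').Trim()
    }
}

Test-KerberosClockSkew
```

If WithinKerberos comes back False, `w32tm /resync` from an elevated prompt forces the synchronisation the post says the time service eventually does on its own; TimeSource tells you whether the client is even pointed at the domain hierarchy (a client showing "Local CMOS Clock" will drift again). The KB article linked in the PS below covers configuring the time service itself.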

PS: Quick update from Jeff L. who suggested I also turn you on to this Microsoft KB article: http://support.microsoft.com/kb/816042

Apr 20, 2011

Charlie Sheen your GPOs . . . Winning!

I'm not going to beat up Charlie Sheen in this blog post. You'll see where the Charlie Sheen stuff comes into play. Let's get right down to GP bizness.

Let's pretend you had this setup. I have two GPOs linked to the East Sales Users OU: GPO 111 and GPO 222.

And let's also pretend that they affect the same policy setting: Remove Games Link from Start Menu.

[Screenshot: GPO 111 and GPO 222 linked to the East Sales Users OU]

If we run a Group Policy Results report we can quickly see that BOTH GPOs (GPO 111 and GPO 222) were correctly applied to the client machine (Win7Computer-32), as seen here.

[Screenshot: Group Policy Results report showing both GPOs applied]

Now, remember, I've said that GPO 111 and GPO 222 conflict on how they apply the Remove Games Link from Start Menu setting.

So, which one is going to win?

Well, the quickest way to see the Winning GPO is to run the Group Policy Results report as seen here. In my (on purpose) not too complex example we can see that GPO 111 is Winning over GPO

[Screenshot: Group Policy Results report showing GPO 111 as the Winning GPO]

But what if we add something at another level, say the Domain level and Enforce those settings down?

[Screenshot: a domain-level GPO link set to Enforced]

If the GPO is Enforced, then that GPO should be the Winning GPO, and in my re-run GP Results report example here, that’s precisely what has occurred.

[Screenshot: the re-run Group Policy Results report showing the Enforced GPO winning]

So, in short, the Winning GPO is the one which ultimately gets to express the setting upon the client computer.

If you can't figure out WHY a particular value is appearing on the client, look no further than the GPO that's Winning!!
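When you have more than two GPOs in play, reading the Winning GPO column by eye gets old. As an added example (not from the post), this PowerShell function generates the same Group Policy Results report as XML with Get-GPResultantSetOfPolicy and pulls out the Winning GPO for one named setting. The computer, user and output path are assumptions; so is the element layout the function searches (a Policy element carrying Name, State and a GPO/Name child), which is how the RSoP XML report lays out Administrative Template settings in my experience, so the XPath uses local-name() and does not depend on namespace prefixes.

```powershell
# Added example: find the Winning GPO for one setting from an RSoP XML report.
Import-Module GroupPolicy

function Get-WinningGpo {
    param(
        [Parameter(Mandatory)][string]$SettingName,   # e.g. 'Remove Games link from Start Menu'
        [Parameter(Mandatory)][string]$Computer,      # e.g. 'Win7Computer-32'  (assumption)
        [string]$User,                                # e.g. 'CORP\frank'        (assumption; omit for computer-only)
        [string]$ReportPath = (Join-Path $env:TEMP 'rsop.xml')
    )
    # Generate the Group Policy Results report as XML rather than HTML.
    $rsopParams = @{ ReportType = 'Xml'; Path = $ReportPath; Computer = $Computer }
    if ($User) { $rsopParams.User = $User }
    Get-GPResultantSetOfPolicy @rsopParams | Out-Null

    [xml]$rsop = Get-Content -LiteralPath $ReportPath -Raw

    # Walk every Policy element regardless of namespace; compare names case-insensitively
    # (PowerShell -eq) because XPath string equality is case-sensitive.
    $found = $false
    foreach ($policy in $rsop.SelectNodes("//*[local-name()='Policy']")) {
        $nameNode = $policy.SelectSingleNode("*[local-name()='Name']")
        if (-not $nameNode -or $nameNode.InnerText -ne $SettingName) { continue }
        $found = $true
        [pscustomobject]@{
            Setting    = $nameNode.InnerText
            Scope      = if ($policy.SelectSingleNode("ancestor::*[local-name()='UserResults']")) { 'User' } else { 'Computer' }
            State      = $policy.SelectSingleNode("*[local-name()='State']").InnerText
            WinningGpo = $policy.SelectSingleNode("*[local-name()='GPO']/*[local-name()='Name']").InnerText
        }
    }
    if (-not $found) {
        Write-Warning "No setting named '$SettingName' appears in the report; it may not be applied at all."
    }
}

# Usage (names are assumptions); the setting's real display name is
# "Remove Games link from Start Menu".
Get-WinningGpo -SettingName 'Remove Games link from Start Menu' -Computer 'Win7Computer-32' -User 'CORP\frank'
```

The report only lists the instance of a setting that actually took effect, so the GPO named in WinningGpo is the one "expressing the setting upon the client", Enforced or not. Re-run it after adding the Enforced domain-level link and WinningGpo changes accordingly, which is exactly what the screenshots above show by hand.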

Mar 23, 2011

Windows Group Policy vs. Logon Scripts. What's the right option?

I thought I would tip the hat this week to a Microsoft Premier Field Engineer who attempts to answer the age-old question:

Windows Group Policy vs. Logon Scripts. What's the right option?

Since in a previous blog post of mine I demonstrated why I personally feel Group Policy has the advantage, I thought I would share a balanced rationale I recently found about why one might want to use the built-in AD Users and Computers, versus Group Policy, for logon scripts.

Here's the link to his article. Enjoy.

https://blogs.technet.microsoft.com/mspfe/2011/03/15/windows-group-policy-vs-logon-scripts-whats-the-right-option/

PS: My remaining seats in my April 11-14th Denver class are melting away like snow on a warm spring day. Don't wait if you're still interested. Confirm your seat TODAY by using www.GPanswers.com/training and signing up online, or call 302-351-4903 and Diane will help you with a PO. Discounts for large teams!

Feb 28, 2011

Showing and Hiding Scripts using Group Policy

This came up today with a group of new friends I met in Wisconsin at a K12 education conference.

Someone asked: "How can I prevent people from stopping login scripts as they run?"

I thought about this for a second, and realized he was using Active Directory Users and Computers and running an old-school script like this.

[Screenshot: a logon script assigned on the user's Profile tab in Active Directory Users and Computers]

It was an easy fix. Simply start using Group Policy Scripts, which can be found here:

[Screenshot: the Scripts (Logon/Logoff) node in the Group Policy editor]

Doing it this way, the scripts run hidden by default. If you DID want to run logon scripts visibly, you would need to set:

User Configuration | Policies | Administrative Templates | System | Logon/Logoff

Run Logon Script Visible.

Hope that helps!