MDM & GP Tips Blog

May 2008
14

Issue#28

  • Policy or Preference: Who wins the smackdown?
  • Announcing: Downloadable eChapters of Jeremy's two new upcoming books!
  • Kansas City Class: ON! Will you be there?

Welcome to Newsletter #28.

One of the questions I get all the time is: "Which one 'wins' if a Policy and a Preference overlap?"

Think you know the answer? I thought I did too; so let's see how that shakes out. Next,

I'm happy to announce my two new upcoming books on Group Policy.

  • Group Policy Fundamentals, Security, and Troubleshooting
  • Creating the Secure Managed Desktop: Group Policy, SoftGrid, and Microsoft Deployment and Management Tools

Right now, you can zip on over to www.GPanswers.com/books and learn about them, or a little later in the newsletter I'll give you the full rundown of the two books, what's new, and tell you why I had to expand it into two books!

I'm also super excited to announce our new Partner/Affiliate. Sign up, and everyone you recommend for a GPanswers.com training (or newsletter signup) means some extra dough in your pocket. More, later in the newsletter.


This Month's Newsletter Sponsored by: NetIQ

Are you stepping on other administrator's toes when managing Group Policy? It happens a lot, but there are some strategies to help you address that. In this new whitepaper, "Group Policy Management Challenges" authored by Group Policy guru Jeremy Moskowitz and NetIQ you'll learn some immediate techniques to get working better today.

Download it now


Getting Down to Business: Policy vs. Preferences

Microsoft has a Group Policy blog entry called "GP Policy vs. Preference vs. GP preferences" which you should all stop and read right now. Really. I'll wait. I know you'll come back, because there's a lot more to learn on this subject. Check it out here. http://tinyurl.com/339wgx

And while I really dug that blog entry, and it was really well written and smart, there are some other angles to that Policy vs. Preferences story. And that's what I want to cover here.

How, exactly does the Group Policy engine deal with overlaps between policies and preferences? Well, there’s the short answer, the middle-length answer, and the long answer. Let’s go over all of them. (We’re old friends now—you knew I would anyway, right?)

The Short Answer: Policy Wins over Preferences

The short answer is that if there’s a conflict between a policy setting and a preference setting, the policy setting will win. (So, for instance, items in Computer and User Configuration | Policies should always win over Computer or User Configuration | Preferences.)

Why?

Because only policies actually lock out the user interface of the application they manage (Explorer, Office 2003, etc.).

Preferences don't.

Remember, preferences are suggestions that you can give to the user’s application, but the user can usually just wipe them out if they want. (Although, GPPEs will re-apply again at policy refresh time by default.)

Here's a quick example to prove the point. In the example in Figure 1, I’m clicking Help to ensure that the Help menu is on the Start Menu for all Windows Vista machines using GPPEs. True, this is the default anyway, but by selecting it here, I’m laying down a preference that is always put on the machine.

Figure 1

However, if I use the policy setting User Configuration | Policies | Administrative Templates | Start Menu and Taskbar | Remove Help menu from Start Menu, as seen in Figure 2, the Help option disappears in the Windows Vista Start Menu.

Figure 2

But the general case here is that policies always beat preferences. Rock always beats scissors. Or does it? Can the rock crumble when it’s hit by the scissors? Let’s continue onward to see at least one interesting case where it doesn’t work that way.

The Middle-Length Answer: Sometimes Preferences Win over Policy

You need to be careful to assume that policy always wins over preference. In fact, that’s not always true. Here’s an example we can use to prove it:

  1. Create a single GPO and link it to a Windows Vista or Windows Server 2008 machine that uses the Internet Settings preference extension to set the Internet Explorer 7 proxy server to 10.1.1.1 with port 8080. You can see a shot of this in

    Figure 3

  2. Then, use Group Policy’s Internet Explorer Maintenance to set the proxy to 10.2.2.2 with a port of 8282. You can see a shot of this in

    Figure 4

    Click on image for larger view
  3. Then, refresh your client via GPupdate and fire up Internet Explorer 7.

Uh oh. This seems to break the laws of nature! How can preferences win over policy? Because Internet Explorer Maintenance policy isn’t really policy. Indeed, by setting the IE Home page using Internet Explorer Maintenance, the value goes to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings in a value called ProxyServer, as seen in Figure 5. And since this is not a place for a true policy, it must actually be a preference.

Figure 5

Click on image for larger view

Indeed, the value that’s being set is exactly the same for both the IE Group Policy Preference and Internet Explorer Maintenance.

Why does one win over the other? I’ll show you the nuances of why in the next section.

But for now, it turns out there is a clever way to attain our goal; which is to force an IE proxy server and lock it down so users cannot change it.

Check out an obscure Administrative Templates policy setting named Disable changing proxy settings (located in User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer). A-ha! That’s true policy, so hopefully that will perform some kind of lockdown, as shown in Figure 6!

Figure 6

But why then does that Administrative Templates setting named Disable changing proxy server settings work in a way the other guys don’t? Because IE 7.0 (and 6.0 and 5.0) are all coded to look in the proper policies keys. And if there’s a value there that IE recognizes, then IE makes sure to honor that.

And it does.

The end result is that true policy wins. You can see this in Figure 7 where the proxy server entry’s values are taken from the preferences, but it’s locked down via the policy.

Figure 7

For most people, the medium-length answer will be good-enough. But you’re not most people. You’re looking for the most detailed knowledge you can get. So if you’re curious to know why the Internet Explorer GPPE won against the Internet Explorer Maintenance Group Policy settings, read on for The Longer Answer.

The Longer Answer: Understanding CSE Timing and Overlap

To get to the bottom of this mystery, we need to understand when Group Policy applies. Recall that the Group Policy system is a last-written-wins technology. So, if you have an overlap between, say, the domain level and the OU level, the default is that the OU level will win because it was written last.

But now things become markedly more confusing. Not only is there overlap between Active Directory levels (site, domain, OU) for some of the features above, there’s overlap at the feature level, where two or three CSEs compete to write their data last.

Ow.

There is some order in this chaos. But to understand it you’ll need an intimate understanding of what happens when the CSEs process (in the foreground and in the background). In short, the CSEs process in the order seen in Figure 8. This is a script you can download from http://tinyurl.com/23xfz3 called FindGPOsByPolicyExtension.wsf.

This exposes the same information as if you went to the following Registry key on a machine with the GPPE extensions loaded: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.

There, you’ll see the registrations for all CSEs. The GUID of each CSE dictates the order in which things will process. They’ll process alphabetically, by GUID. So, Wireless Group Policy fires off first (that’s a classic Group Policy setting), then Group Policy Environment (that’s a new GPPE CSE), then Group Policy Local Users and Groups (another new GPPE CSE), then Folder Redirection (a classic Group Policy CSE), and so on.

Figure 8

Click on image for larger view

So on the surface, it appears that if you had a conflict with both classic Group Policy settings and newer GPPE settings, you could just see which one ran last and bank on that setting always “winning.”

But that’s only true if the two CSEs end up writing to the exact same places. While this is precisely what we encountered with the Internet Proxy server setting, usually two technologies don’t write to exactly the same place. The tie will be broken when an application is coded to look in the proper policies keys. And, if there’s a policy setting in those keys, the target application will honor the policy, not the preference.

In our mystery, it’s now easy to understand why the Internet Explorer GPPEs (listed as Group Policy Internet Settings) in Figure 8 “won” over the IE Maintenance settings (listed as Internet Explorer Zonemapping and Internet Explorer Branding). The new Internet Explorer GPPE CSE (Group Policy Internet Settings) applies after the original Internet Explorer CSEs.

But in neither case are we actually applying policy. We’re really just applying preferences—using two different kinds of technology. We finally got it to work the way we wanted when a true policy was applied, and Internet Explorer saw the policy in the policies keys and acted accordingly.

Whew. All this stuff can give you a headache. This “who will win” stuff is really confusing, and I haven’t tested every case. Be sure to test all interactions in a test lab before you roll out settings into production.

Other Items That Can Affect Group Policy and GPPE Processing

If you download Chapter 4 of Book 1 , you will learn about various policy settings found at Computer Configuration | Policies | Administrative Templates | System | Group Policy that have the configuration option to “Process Even If the Group Policy Objects Have Not Changed.” (It's in the section called “Using Group Policy to Affect Group Policy.”)

If this option is turned on for a particular CSE, then that CSE will always try to rewrite its configuration data—upon every single refresh. Again, that’s not the default for classic Group Policy, but it is an option on a CSE-by-CSE basis.

However, this same “always try to rewrite configuration data” mantra is held by the GPPE CSEs by default, but it can also be set such that the data is laid down once and never rewritten.

So knowing this information, you might have to do a little mental math to figure out which one is going to win if you have conflicting policies plus the wildcard settings.

The Group Policy Results reports, which is discussed in Chapter 2 of Book 1, are going to be helpful in figuring out which settings ultimately applied, but they’re not going to be helpful in your understanding of why the setting ultimately applied.

Hopefully, this newsletter helps you out. This section is lightly lifted from Chapter 10 of Book 1 where I discuss this topic in even more depth.

If you want to conquer Group Policy Preference Extensions, consider taking my Group Policy 2.0 Training at www.GPanswers.com/workshop.

OMG: Now Jeremy has Two Books on Group Policy!

I've been in deep, deep quarantine the last 9 months or so. I spent three quarters of a year to get the most awesome tips, tricks, how-tos, and deep-dive information on Group Policy to you. And it took two books to do it. So, let me explain how the two books work.

The books are Companion Books to each other. Not exactly "Volume I/Volume II." But, they do go together like peanut butter and jelly.

Lucy and Desi. Group and Policy.

You get the idea.

Start out with Book 1, which is really called Group Policy Fundamentals, Security, and Troubleshooting. You already know this book, but it’s been rev’d for 2008 with the following new superpowers:

  • How to create a modern management station with RSAT and the GPMC 2.0
  • GPMC 2.0 Features: Filters, Comments, and Starter GPOs
  • Microsoft’s Advanced Group Policy Management Tool (AGPM)
  • Powershell with Group Policy (ooohhhh yeahhh!)

And the crown jewels...

  • The Group Policy Preference Extensions: 21 new features you positively must have

But to make room for all that stuff, I moved some “Group Policy Friends of the Family” from Book 1 to Book 2. Book 2 is really called

Creating the Secure Managed Desktop: Group Policy, SoftGrid, and Microsoft Deployment and Management Tools. But now Book 2 is fortified with EVEN MORE AWESOMENESS. Re-read the title of Book 2 again. Let’s break it down:

The main title is:
“Creating the Secure Managed Desktop”

And you do that by first knowing Group Policy Fundamentals (that’s Book 1). You’ll take your Group Policy knowledge and put it to PRACTICAL use here in Book 2. Start out by using Microsoft new Microsoft Deployment Toolkit.

Then move on to create the managed desktop with Roaming Profiles, Offline Files, the Sync Manager and more.

Deploy software to your machines using Group Policy and Microsoft’s newest tool: SoftGrid. Yep, to my knowledge this is the only book that has any real, meaty SoftGrid coverage. We have three MEGA chapters on SoftGrid. You’ll learn how to deploy your first servers, learn all about the architecture, and learn how to sequence applications like a pro. Truly a one-of-a-kind resource. I had help from GPanswers.com Shortstop Eric Johnson with two SoftGrid chapters. Way to hit one (well, two) out of the park!

Continue on and learn how to lock down machines. Use WSUS to protect and patch your machines (thanks to Greg Shields for that awesome chapter), use Network Access Protection (NAP) to keep unhealthy machines off the network, and learn to use Windows SteadyState to put the full smackdown on your most critical machines.

Wrap up the book with a little printer magic and finishing touches, and I’m totally confident you’re going to love this newest member of the Group Policy book family.

Here’s the best part: you can pre-order copies at www.GPanswers.com/books. Or, better yet (and this is going to blow your mind)

you can download just specific chapters you might want, today, as eChapters

That’s right. I’ve worked it out so you can buy just the chapters you need. Some people will want BOTH the eChapters and the actual books. Some may want one medium. It’s up to you. Your choice.

Just head over to www.GPanswers.com/books and explore the books’ contents then select “Download eChapters now.” When you do, you’ll be able to select the chapters from each book. Go ahead and mix and match. Just put checkmarks next to the chapters you want to download and select “Buy Selected eChapters Now” as seen here.   We have a FAQ on the same page you should read before you buy. But by all accounts, people are very happy with their PDF purchasing experience.

If you want signed copies, select Pre-Order Your Signed Hard Copy Now. Then once we get the books in stock, we’ll send them to you right away.

We’re expecting the first one at the end of April, and the second one at the end of May.

So, not far off. Pre-order your hard copy now and you'll be the first kid on the block when the books come in. www.GPanswers.com/books .

Let me know what you think of the chapters as you download them!

About GPanswers.com Training

I hate the word "bootcamp," but I guess that's what it is. So, if you want your butt kicked in Group Policy (in a kind, gentle way), then join me for the full week of Group Policy awesomeness:

  • Two Day Essentials Group Policy Training and Workshop
  • Two Day "Group Policy 2.0" Training for Vista, Server 2008 and the Group Policy Preference Extensions and
  • One-Day Advanced Group Policy Training

"I finally figured out how we would block out USB ports, games and lockdown users. This alone made the entire class an extremely valuable and fun learning experience. I learned how to use Vista's event viewer to track a single event in group policy - so easy but powerful!

I learned how to set up various restrictions on a PC for different users. A tremendously valuable feature! I cannot wait to get back to the office and implement what I have learned.

I highly recommend the whole week to anyone who has anything to do with Group Policy. Nothing beats these classes, nothing." -- Mark Latham, PC Support Specialist, Mercy Regional Medical Center

Learn more about each course here:

https://www.gpanswers.com/workshop/courses/

You can take the full week, or join us for just the classes you need.

Announced Classes:

  • May 5 - 9: Kansas City, MO (Lenexa, KS, really)
    • Class is declared ON. If you sign up now, you'll be guaranteed a seat.
    • It's the full week: Group Policy Essentials Course, Group Policy 2.0 Catch-up and Advanced One Day Course
  • No other cities are announced yet. Maybe more coming soon, but I suggest if you want to get GP 2.0 with Group Policy Preferences training, then come to Kansas City!

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about OTHER CITIES in 2008?

We have a new "Suggest a city" form at https://www.gpanswers.com/suggest .

Even if you've used this before, please re-suggest your cities, as we have a new back-end tracking system. Thanks !

Private courses

I have limited dates remaining in 2008 for private classes. But call me soon, and we might be able to work it out. If you think you might want your own private in-house training (with all the personalized attention that affords), don't keep it a secret.

Call me.

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, Japan—or wherever! Have passport, will travel!

Join the thousands of administrators (and managers!) who have gotten smarter using the technology they already have.

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.


 

Become a GPanswers.com Partner/Affiliate

Amazon had a great idea. Put up some links on your web site for stuff you love, and when people buy stuff you recommend, you get some extra dough. We now have a similar program. It's super easy to sign up and get started. We provide you with your own tracking links and you get credit each time someone signs up for a class or signs up to be on our Newsletter/Tips.

It's that easy. Learn more about the program and start making some extra dough today by checking out www.GPanswers.com/partners.

Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available!

Be a GPanswers.com "Booster"

Do you feel you get value out of GPanswers.com and want to see us grow? Well, I'm a Group Policy guy, not a web guy, so I need to pay for my web services somehow and enhance the site and bring you more stuff (both features and content).

If you'd like to help out, please consider making a one-time donation, or become a monthly GPanswers.com Booster for just $5 a month. If you and just 500 other people do it, I'll be able to pay for all the web bills each month and really take the site up a notch.

To help GPanswers.com and donate, here's how:

Thank you for your support!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription .

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book or signing up for a public class, contact my assistant Margot at: [email protected] . I endeavor to respond to everyone who emails.

Thanks for reading!

May 2008
14

Issue#27

  • Installing the GPPEs: Could they make it any harder?
  • Another newsletter coming soon !
  • Public GP Training Schedule Update
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

Welcome to Newsletter #27.

As some of you know, the GPPEs, or Group Policy Preference Extensions are finally released.

They're here: they're real, and they're spectacular.

Apologies to Seinfeld fans everywhere.

But, even though they’re here, it’s going to take a little negotiating to make sure we don’t install them, then, right away blow ourselves in the foot. This is a the first in a multi-part newsletter series.

First, we'll talk about installing the GPPEs. A little later, I'll have updates for automatically installing the GPPEs, then another newsletter on how to deal with the "overlaps" that are now created in the various categories.

Additionally inside this newsletter -- where I'm having public training courses and more.

PS: I know my graphics have the word "width" in them. Working on fixing that, but I wanted to get the newsletter out ASAP and fix it later.

Getting Down to Business: Installing the GPPEs

Microsoft likes to call them the Group Policy Preferences. But I like GPPEs, so I’m going to keep calling them that.

The Group Policy Preference Extensions (GPPEs) look “different” than the rest of the Group Policy universe. That’s because they are different. They were born at Desktop Standard and integrated into Microsoft technology.

In all, it's a cool, cool brave new (or rather updated ) world. You can see the new Preferences node underneath User Configuration | Preferences and Computer Configuration | Preferences as seen here. You might be asking yourself: why don't *I* see these in my GP editor? Because you're not using Windows Server 2008 as your editor or the download update (which isn't yet released) called RSAT which contains the updates.

This is going to be a two-part newsletter. In this first part, we'll tackle installing the GPPEs. In the next part, we'll tackle one of the most misunderstood aspects of the technology. That s, why they are called Preferences in the first place and how they work differently than it’s Policy cousins.

Now that the GPPEs are available. How do you install them?

Well, it's different depending on the operating system. We'll explore that now.

The CSEs for Windows Server 2008

Everything you need to take advantage of the Group Policy Preference Extensions is already installed here. Both the management station pieces (where you define what you want to control) and the CSE piece (the .DLLs that process the GPOs).

So, if you wanted to get started using Group Policy Preference Extensions, you can do so immediately with very little effort by using a Windows Server 2008 machine.

The CSEs for Windows Server 2003, Windows XP, and Windows Vista

Again, for Windows Server 2003, Windows XP, and Windows Vista you need to download pieces to make the magic happen. Let’s examine each operating system, where to get the downloads, and how to install the pieces by hand.

The Group Policy Preference Extensions can be downloaded from http://tinyurl.com/2za5zz. You can also track them down by heading over to http://www.microsoft.com/downloads and searching for the word "Preference."

Windows XP and Windows Server 2003 machines also need a prerequisite called XMLlite, and it can be found at http://support.microsoft.com/default.aspx/kb/914783 .

Here's the trick. Neither the XMLlite prerequisite nor the GPPEs themselves are MSIs.

Nope, they're patches.

So, for Windows XP and Windows Server 2003, they're .EXE patches, and for Windows Vista they're a newfangled format called .MSU for Microsoft Update patch.

And, if you'll recall, Group Policy Software Installation cannot install patches. You need a "big tool" like an SCCM 2007 or WSUS which expressly handles patch management. Or, you'll need a script to install it en-mass for your systems.

Ugh, what a nightmare!

You'll always be able to install each piece "by hand" (which we'll explore first), but you'll also want a mass-deployment recipe to start really rolling this out. I'll provide a script which helps you roll this out to your machines, so you're not running around from machine to machine doing all the dirty work. I don't have this ready yet, but along with my pal Jakob Heidelberg, I hope to have something for you in the next several days.

Installing the Prerequisites and CSEs for Windows Server 2003, Windows XP by hand

If you’re installing the CSEs on Windows Server 2003, you’ll likely do each one by hand. This makes sense, as “mass deploying” and mass rebooting live servers can be, well, not good for your users. However, if you wanted to mass-rollout the CSEs, check out the section “Installing the Prerequisites and CSEs for all operating systems automatically.”

Again, both Windows XP and Windows Server 2003 have the prerequisite of XMLlite, a Microsoft middleware component. You can see the available command line switches in Figure X, if you want to do something fancy, or you can just double-click on the downloaded .EXE and kick off the installation. Figure: The XMLLite component's command-line switches

In my testing, the XMLlite components didn't require a reboot (but your mileage may vary.) Knowing this fact will come in handy when we try to automate the whole thing using a script. Next, in my testing, I simply double-clicked the .EXE which contained the CSE.

Once again, it didn't even require a reboot and it appeared ready to go. You might want to reboot once one the safe side for good measure.

You can verify the Group Policy Preference Extensions installed on Windows Server 2003 or Windows XP in Add or Remove Programs and clicking on "Show updates" as seen here. When you do, you'll see the hotfixes, like GPPE installation. Figure: You can verify that the Group Policy Preference Extensions were installed on Windows XP and Windows Server 2003 by selecting “Show updates.”

Installing the CSEs for Windows Vista by hand

The Windows Vista CSE ships as an MSU a Microsoft Update package as seen in Figure X. Just double-click on it and click OK to install, and you’re off to the races. Figure: Installing the Windows Vista MSU file is like installing an executable

Again, in my testing there was no need to reboot after completion, but it certainly couldn’t hurt. You can verify that the Group Policy Preference Extensions were properly installed by looking at Control Panel | Programs | Uninstall a program and then clicking “Turn Windows features on or off” as seen in Figure X.

Note the Group Policy Preference Extensions are on by default, and it’s not such a hot idea to turn them off. Note you can also see the MS KB update number as an installed update. Figure: You can verify that the Group Policy Preference Extensions were properly installed

Installing the Prerequisites and CSEs for all operating systems automatically

Again, at this point, we’re still working on a fully-automating script to install the prerequisites and the GPPE CSEs.

Hang tight.

That'll appear in a tip or newsletter or something else soon.

Thing we're going to tackle #2 (in a newsletter coming soon): How Does the Group Policy Engine Deal with Overlaps?

This is something that’s really, really confusing for a lot of people. And with good reason. There are lot of “similar and shared” areas in both Group Policy and the Group Policy Preference Extensions.

So to answer this question, there's the short answer, the middle-length answer and the long answer.

That'll be the next newsletter, which shouldn't be too far behind.

Hang tight, we'll explore this stuff at that point.  


About GPanswers.com Training

I teach three courses on Group Policy now .. usually in the same week:

  • Two Day Essentials Group Policy Training and Workshop
  • Two Day "Group Policy 2.0" Training for Vista, Server 2008 and the Group Policy Preference Extensions and
  • One-Day Advanced Group Policy Training

Learn more about each course here:

https://www.gpanswers.com/workshop/courses/

You can take the full week, or join us for just the classes you need.

Announced Classes:

  • March 17 - 21: Portland, OR:
    • This Class is ON. We have a really great group coming.
    • It's the full week: Group Policy Essentials Course, Group Policy 2.0 Catch-up and Advanced One Day Course
  • May 5 - 9: Kansas City, MO (Lenexa, KS, really)
    • Class is ALMOST ON. If you sign up now, you'll be guaranteed a seat.
    • It's the full week: Group Policy Essentials Course, Group Policy 2.0 Catch-up and Advanced One Day Course
  • No other cities are announced yet. Maybe more coming soon, but I suggest if you want to get GP 2.0 training to come to one of these cities.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about OTHER CITIES in 2008?

We have a new "Suggest a city" form at https://www.gpanswers.com/suggest .

Even if you've used this before, please re-suggest your cities, as we have a new back-end tracking system. Thanks !

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, Security, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/ .
For a private class, just contact me at [email protected] or call me at 302-351-8408.


 

Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available!

Be a GPanswers.com "Booster."

Do you feel you get value out of GPanswers.com and want to see us grow? Well, I'm a Group Policy guy, not a web guy, so I need to pay for my web services somehow and enhance the site and bring you more stuff.. (both features and content.)

If you'd like to help out, please consider making a one-time donation, or become a monthly GPanswers.com Booster for just $5 a month. If you and just 500 other people do it, I'll be able to pay for all the web bills each month and really take the site up a notch.

To help GPanswers.com and donate, here's how:

Thank you for your support!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription .

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book or signing up for a public class, contact my assistant Margot at: [email protected] . I endeavor to respond to everyone who emails.

Thanks for reading!

May 2008
12

Issue #26

Issue #26

  • The fate of DesktopStandard's PolicyMaker tools
  • Inside Specops GPupdate–a free way to "push" updates to GP clients
  • Public GP Training Schedule Update
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

It was so great to see each of you at WinConnections last month. Holy moly, that was awesome! You really rocked my world with your support of my sessions and the book signing. You guys make it worth getting out of bed in the morning.

Here's some great new stuff for you to take with you this week and into Thanksgiving. Something to be thankful for–free tools!

In this issue we'll talk about two new free things for you to add to your GP arsenal.

Thanks for coming out to see my talks and say hello. Looking forward to having you an upcoming Group Policy training class this year. If ever there was a year to get smarter in GP, this is it!

Group Policy News

The Fate of the DesktopStandard PolicyMaker Tools

The big news is finally here: Have you been wondering what Microsoft is doing with the "crown jewels" of the DesktopStandard acquisition? We'll explore that first before we move on to other stuff. And we'll do that in Good, Bad, and Ugly fashion.

The Good: Policymaker Technology is going to be free

The PolicyMaker technologies will officially be called Group Policy Preferences. I'll call them GPP for short. GPP can do 20-some-odd big things with Group Policy that you couldn't do before. Here's a list of some things that are now possible, which weren't possible before (without scripts, or a whole lot of work).

  • Map network drives
  • Set environment variable
  • Copy files to client
  • Create and update INI file
  • Modify Registry settings on the clients (REG_SZ, REG_DWORD, REG_BINARY,REG_MULTI_SZ, and REG_EXPAND_SZ)
  • Create shortcuts (URL/File/Shell)
  • Open Database Connectivity (ODBC)
  • Control devices
  • Set folder options
  • Define file associations
  • Tweak internet settings
  • Handle local users and groups (change passwords, add/remove from groups, disable users, etc.)
  • Set network options (like VPN or dial-up connections)
  • Configure power options (Windows XP)
  • Map printers (even TCP/IP printers)
  • Set regional options
  • Create scheduled tasks
  • Set properties on services
  • Tweak the Start Menu
  • Dictate shares and share permissions on servers (mostly)

Thanks to Jakob Heidelberg for compiling this list for me. So, more is good right? Well, no. More can sometimes be bad. Which leads us to...

The Bad: There's overlap and you have to install something

Okay, this stuff isn't really bad but it could be at least confusing .

It appears that you'll be able to do some items in two places in GP land. For instance, it appears like you'll be able to set power management options in two places. Only one way was available before integrating GPP into the mix. Now, another way is available afterintegrating GPP into the mix.

Same thing with printers. You could already zap printers down (to Vista clients) before integrating GPP into the mix. Now, there's anotherway to zap down printers.

This can get confusing to inexperienced administrators.

Additionally, all these new settings require a CSE (Client Side Extension), as do all GP extensions. So, this isn't bad, it just means you have a liiiiittle bit of work to do on your client machines in order for the new magic to be available. Here's the breakdown of where the new technology will run and what it needs to run:

  • The CSE will ship in the box for Windows Server 2008.
  • The CSE will be an extra download for XP, 2003 and Vista.
  • The CSE will not work for 2000.

If you know how to use GP Software Installation, you can deploy the GPP client lickety-split to your machines.(What? You don't know how to use Group Policy Software Installation? Check out www.GPanswers.com/book and flip to Chapter 11 – stat!)

The Ugly: Why is it Preferences and not Policies? (And why hasn't it debuted yet?)

So, why are they called the Group Policy Preferences and not something more..."Policy-ish?"

Well, that's an interesting point. Let's take a moment to review the difference between a policy and a preference.

A policy is generally how we expect GP to work. That is, when you use Group Policy to, say, prevent access to the Control Panel, GP will generally send the signal down to the system, and the program (Explorer, in this case) will pick up the message and lock our access to Control Panel.

Simple.

And, if you delete the GPO, what's the expected behavior? The expected behavior is that the settings will revert back and allow access to the Control Panel.

Pretty much every setting contained within Administrative Templates works in this way. This is probably one of the top three reasons you've come to love Group Policy. This area is controlled by the Registry or Admin Templates Client Side Extension (CSE). That CSE is smart enough to know what to set the value to, and even better, smart enough to know what to set the value back to when the policy no longer applies.

But other areas of Group Policy don't work in this way; for instance, Security settings. Take something simple like an Internet Explorer setting which changes the Proxy server, like you see here in Figure 1.  
Figure 1: The IE Maintenance CSE has a history of not "acting like you would think."

Sure, Group Policy will deliver your changes, but the real challenge is what happens when that setting no longer applies. If the CSE is smart it knows how to put back the original value. But, if the CSE isn't smart, it doesn't have a value to put back. And, in short, what you plunk down with Group Policy could end up tattooing the Registry.

That's precisely the problem with the Internet Explorer 6 settings. The CSE isn't too smart. It doesn't know precisely what to do when the value is taken away, so it just freaks out and leaves it in place, even though the expected behavior (as far as the Administrator is concerned) is to change the policy setting back to the default. But it doesn't do that.

Unfortunately, that's precisely one of the challenges with the PolicyMaker, er, GPP Extensions. They're called Preferences because they do tend to tattoo the computer with the wish you lay down using GP.

I know this stuff isn't even out yet, but here's a Group Policy Preference tip, for future reference. This tip will get you out of some jams, but could get you into other jams, so be careful.

Whenever you create a new wish you can optionally check "Remove this setting when it is no longer applied," as shown in Figure 2.  
Figure 2: The GPP Common tab

(Note this screenshot is using PolicyMaker and not actually the Group Policy Preference extensions.) 

Buuut, you need to be exceptionally careful. In some cases, this will work the way you think, but in some cases it won't.

Good Example: Let's say you wanted to use the new GPP Extensions to map a drive letter S: to all of the Sales guys. And when Fred moves from Sales to Marketing you want to delete the mapping. This setting works great for that, and will work as you expect it to.

But, here's an example where you need to use this with extreme caution.

Use with Caution Example : Let's say you wanted to use the new GPP Extensions to push the Registry value 100 to your Sales application. The GPP Registry Extension will do the job. But if you chose to "Remove this policy when it is no longer applies"–WATCH OUT! The entire Registry key will be deleted. Ow, ow, ow, ow, ow!

My team working on PolicyPak Software is very aware of this interesting GPP nuance. And our PolicyPak CSE is a great alternative which issmart and does know how to precisely put down a value and take it away when it no longer applies. In short, PolicyPak (fromPolicyPak.com ) is true-blue, full Group Policy, and will never tattoo your computer's Registry.

The other Ugly thing is, well, where is it? Now that Microsoft has announced that it will be part of Windows Server 2008 (in the box) and then an available update for XP and 2003, when can we get our hands on it? I'm sure the answer is "soon," but that's not really my question. My question is, if it's going to ship in the box for Windows Server 2008, how stable is it going to be? Hopefully, very. But I'm concerned that it's RC1 (that's Release Candidate 1) and we're JUST NOW able to give our feedback and bug reports. That means this puppy could ship with unfixed bugs, but that's the facts of life in software sometimes.

In short though.. I'm psyched. It's a Whole New World for GP goodness we're getting our hands on, and it's free. And I love free stuff. So, congrats to the GP team for a real win here. Let's hope those bugs are few and far between.

That's all the time we have for the GPP Extensions. More when they officially make their debut. However, Microsoft has a whitepaper that details the major new categories of features and describes some other odds and ends including the distinction between a policy and a preference.

That paper is found here and every GP admin should read it.


This Month's Newsletter Sponsored by: NetIQ

Are you using Group Policy optimally? Ever wonder if you can do more with it? Learn the best practices you need in order to leverage Group Policy on your servers in this new whitepaper, "Why Group Policy Matters for Servers," authored by Group Policy guru Jeremy Moskowitz an NetIQ. Download it now


This Issue's Big Tech Tip...Technology Takeaway ®, a Service of Moskowitz, inc.

All about the Free Specops Gpupdate Tool

A quick note from Jeremy Moskowitz: This tech tip was written by friend, and guest contributor, Claus Jensen of www.chinchilladata.dk. Periodically, at GPanswers.com, we explore the free tools in the Group Policy world so you can be a more effective administrator. You can inspect both free and for-a-fee tools in our Solutions Guide at GPanswers.com/solutions .

Let's say that you have just deployed some strict, new security settings to all the computers in the Danish branch office via Group Policy. But you want them to be effective immediately.

Of course, you could wait for the ordinary background processing of Group Policy, which happens every 5 minutes for domain controllers and takes between 90 and 120 minutes for workstations, member servers, and users. Alternatively, you could call all your users and ask them to run Gpupdate, which might be a bit much to ask. And waiting up to two hours doesn’t sound too appealing either.

What if you had machines that required a reboot to get some Group Policy settings updated; for instance, a server that needed an updated disk quota assignment? Are you going to run around to each machine and reboot it?

You're impatient (let's call it security conscious). So why wait? Specops is a Swedish company specializing in tools for Active Directory. They have a free tool available that allows you to run Gpupdate, and to shutdown, restart, and start the computers in your Active Directory domain. The tool is called Specops Gpupdate. This newsletter will describe installation and use of this magnificent tool that will ease the burden of administering and forcefully applying Group Policy's power in the enterprise.

Before You Get StarteD

You'll start out by downloading Specops Gpupdate here ( http://www.specopssoft.com/products/specopsgpupdate/ ). Then, you’ll install it on your Windows XP SP2, Windows Vista, or Windows Server 2003 machine, which should also already be running Active Directory Users and Computers (ADUC). (Note that if you’re running Windows Vista, you may encounter some problems if you install the tool in a different directory than the default one.) You’ll also need to make sure .NET Framework 2.0 is installed.

Installation of Specops Gpupdate

Installing Specops Gpudate is easy! You’ll first need to run the Specops Gpupdate installer (SpecopsGpupdate.msi) inside the download.

Then, from the %CommonProgramFiles%SpecopssoftSpecops ADUC Extension directory, run SpecopsAducMenuExtensionInstaller.exe with the /add parameter as seen in Figure 1 (top). This will add the Display Specifiers for Specops Gpupdate into Active Directory (note that this is different than a schema update). Once the display identifiers are in Active Directory, only Administrators with the Specops GPupdate tool installed will be able to see them. Other users using ADUC will not be able to see the new menu items, which you can see in Figure 3 (bottom).  
Figure 3: The Domain DisplayIdentifiers aren't like Schema Updates. They can be removed.

The information about the Display Specifiers is saved in the Configuration container in Active Directory. So, adding the display identifiers is something that only needs to happen once per Active Directory forest. Because of this, you will need to be a Domain Admin or Enterprise Admin in order to make this happen. The good news is that it’s also easy to later remove them (unlike a schema change). If you ever tire of using Specops GPupdate and you want to erase the changes it made to the Active Directory Display Specifiers, you just run SpecopsAducMenuExtensionInstaller.exe with the /remove parameter.

Using Specops Gpupdate

When Specops Gpupdate is installed and the Display Specifiers are added, you’re ready to start using it! The commands it brings to the table are:

  • GPupdate
  • Restart Computers
  • Shut Down Computers, and
  • Start Computers

You can see these new Specops Gpupdate commands by selecting the Action menu, or right-clicking over certain common entities in ADUC. Specifically, you can right-click over the following types of objects in ADUC to start using your new superpowers:

  • Domain-Level–By selecting one or more domains, you execute the command on all computer accounts in the selected domain or domains.
  • Specific OU–By selecting one or more OUs, you will execute the command on all computer accounts in the OU and all nested OUs.
  • Specific Computer account or accounts–You can select one or more computer accounts and execute the command on these accounts.
  • Security groups–The command will be executed on all computer accounts in the selected and nested groups. Be aware that group nesting depends on you having a domain functional level of at least Windows 2000 native.

In Figure , you can see that we’ve right-clicked over an OU to expose the new commands Specops GPupdate provides: GPupdate, Restart Computers, Shut Down Computers, and Start Computers.
Figure 4: Action menu in ADUC

Let's examine the four different commands you can select:

  1. Gpupdate–This is why Specops Gpupdate is so cool. You can do a remote Gpupdate for both the computer and the currently logged-in user. There is an optional parameter equivalent to /force on the command-line version of Specops Gpupdate.
  2. Restart Computers–This is useful if you have changed Group Policy settings that can only be applied after a reboot.
  3. Shut Down Computers–Similar to the Restart Computers command, but the computers will not turn back on after they have been shut down.
  4. Start Computers–This selection allows you to send a Start command to the computers using Wake-On-LAN. This means that, remotely, you can have a computer start up (and in doing so, of course, reapply Group Policy) and then have the computer ready for the user.

One of the best parts about Specops GPupdate is that it provides real-time reporting of its actions with a nifty bar graph that literally moves as it makes contact with each machine. As you can see in Figure 5, five computers have been asked to run the Gpupdate command. Four of the computers have successfully updated the Group Policy settings, but one of the computers could not be reached, either due to not being online, or due to a firewall blocking the WMI commands. Don't worry, Windows Vista works just as well with Specops Gpupdate as Windows XP. The error here is simply that the machine was not turned on.  

Configuration of Permissions on the Target Computers

The commands contained within Specops GPupdate aren’t special, though it is really nice that they’re wrapped up in one place with a cool bar graph thingie. What I mean is that the different commands require you to have the relevant permissions on the target computers in order to work. Let’s take a look at the commands again, but this time, let’s see what security access rights we need in order to execute them on the target machine:

  1. Gpupdate–For this command, you need permissions to run WMI and to start processes on the remote computers. Beware of any firewalls that block WMI. This one is tricky, so I’ll explain how to adjust for this potential problem in just a bit.
  2. Restart Computers and Shut Down Computers–These require you to have the permission to shut down the computer remotely. Again, beware of firewalls that block RPC (more on this later).
  3. Start Computers–Of course Wake-On LAN needs to be implemented at the hardware level on the remote computers, but you will also need permission to read the computer’s IP address in the DHCP database. If you’re a member of the group DHCP Users you’ll have the required permissions. Also, note that the Start Computers command is only guaranteed to be compatible with Microsoft DHCP servers.

What if you have the firewall turned on at your target computer? This can be resolved by configuring the Allow Remote Administration Exception policy setting. You will find it at Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile in the Computer part of the Group Policy Object Editor. Here you can specify which computers are allowed to perform remote administration. The Explaintext for this policy setting is a must-read. Please be aware that this policy setting only works with Windows XP/SP2 or later. Don't forget: If you’re not using Microsoft’s built-in XP (or Vista) firewall, you’ll need to do the same thing that this policy setting is meant to do, that is, you’ll need to open ports 135 and 445.

There were a lot of changes to DCOM functionality in Windows Server 2003/SP1, one of which was that, by default, only Administrators can start WMI remotely. We need to change this so we can run Specops Gpupdate against our target computers. You need to make the account that you use to run Specops Gpupdate a member of the built-in Distributed COM Users group. To make sure that this group has the correct permissions, perform the following steps:

  1. Start the program dcomcnfg.exe on a sample target computer.
  2. Expand Component Services and then expand Computers.
  3. Select My Computer and click the computer or properties icon in the toolbar.
  4.  

Figure 6: GPO with the needed settings for using Specops Gpupdate

Common Problems with Specops Gpupdate and How to Avoid Them

Even if you configure the remote computers correctly, you may run into some problems when using Specops Gpupdate. Here are some things to keep in mind to avoid potential problems

  1. If you’re using the Start Computers command, you need to ensure that the computer's Wake-On LAN is enabled in the hardware/BIOS. Similarly, Wake-On-LAN might fail if your computer’s BIOS is old and crusty. So make sure that you are running the latest version of BIOS and the latest drivers for the NIC.
  2. If the computer running Specops Gpupdate is on a different subnet or VLAN than the computer you are trying to start, you may need to enable directed broadcasts on any routers and switches between the two computers.
  3. Because Specops Gpupdate is using DHCP to find the IP and MAC addresses for the target computers, you need to be using Microsoft DHCP to store the IP addresses for the computers that you want to start. The servers also need to have undergone the DHCP authorized procedure which prevents rogue DHCP servers from spitting out IP addresses to anyone who asks.

If, despite your best efforts, you cannot resolve the problem, you can enable Specops Gpupdate debugging, which will generate a log file that will help you further troubleshoot the problem. You enable debugging by going to HKEY_LOCAL_MACHINE | SOFTWARE | SpecopsSoft | Specops Gpupdate and setting the debug Registry key to 1. When you have run the Specops Gpupdate commands you can see the result of your actions in the logs contained within: C:Documents and Settingslogged on userLocal SettingsApplication DataSpecopsSoftSpecopsGpupdate.log.

Here’s an example log where I ran Specops Gpupdate against a computer named xp1.knowhow.local, but the computer isn’t taking my commands. Hopefully, by reading the log, I can determine what Specops GPupdate thinks is going on, fix the problem, and move on to some other issue.
SpecopsGpupdate: Starting Tracing for Specops Gpupdate, the time is '5/26/2007 11:07:26 AM', assembly name is 'SpecopsGpupdate, Version=1.0.2.13, Culture=neutral, PublicKeyToken=null'.
SpecopsGpupdate: ---> Program.Main
SpecopsGpupdate: Command to execute is 'gpupdate'.
SpecopsGpupdate: The selection is of a type that do not need expansion, only remove the command.
SpecopsGpupdate: Number of computers selected is '1'
SpecopsGpupdate: Group Policy refresh selected.
SpecopsGpupdate: ---> Program.GetNumberOfThreads
SpecopsGpupdate: <--- Program.GetNumberOfThreads
SpecopsGpupdate: ---> SpecopsGpupdate.UpdateGroupPolicies
SpecopsGpupdate: Main form initialized.
SpecopsGpupdate: Main form shown.
SpecopsGpupdate: The WOL starter is running.
SpecopsGpupdate: <--- SpecopsGpupdate.UpdateGroupPolicies
SpecopsGpupdate: <--- Program.Main
SpecopsGpupdate: Processing computer 'LDAP://DC1.knowhow.local/CN=XP1,OU=Denmark,OU=Clients, DC=knowhow,DC=local'.
SpecopsGpupdate: Operating System version is '5.1 (2600)'
SpecopsGpupdate: Hostname 'XP1.knowhow.local', force update 'False', Windows 2000 'False'.
SpecopsGpupdate: This is a non-Windows 2000 box that is updated.
SpecopsGpupdate: The command is 'gpupdate /wait:0'.
SpecopsGpupdate: An exception occurred when calling the WMI method, exception is 'The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)'.

As you can see from the log, Specops Gpupdate is able to easily determine the location of the computer object, the version of the operating system, and the hostname. Then at the end, we see “The RPC server is unavailable.” This usually means the computer is off, or the firewall on the machine is preventing us from dictating an update. Now we have things narrowed down, and a quick check of the computer and its firewall should give us the answer pretty quickly.

If you run into a problem that isn’t described here, or have questions about Specops Gpupdate, you can visit the Specops forum specifically geared for Specops GPupdate located here: http://www.specopssoft.com/forum/forum.asp?FORUM_ID=15 . Specops personnel monitor the forum and are quick to answer any questions relating to Specops products.

The Future of Specops Gpupdate

The latest version of Specops Gpupdate is version 1.0.1.13, which was released in October 2006, and there haven’t been any additional updates to this free product. But in the Specops Gpupdate forum, several new features have been discussed by current users and the Specops staff. Stay tuned, and maybe we’ll get some new features soon, like the ability to schedule commands or a command-line interface.

Final comments

I hope that this has given you some insight into the free Specops Gpupdate software tool. Considering the added functionality that you get from this tool, it should be in every Domain– and Group Policy–Administrator’s tool belt. Since it works with OUs, groups, and single-computer accounts, you have total control over your PCs and servers–no more waiting for the background processing of Group Policy to occur. The possibilities are endless!

About Claus Jensen

Contact info: [email protected]

Website: www.chinchilladata.dk

Claus is currently the only trainer outside the USA who is certified to teach Jeremy’s GPanswers.com training. Claus works for a Danish consulting firm who works with several large businesses in Denmark. Claus has been an MCT for 5 years and a great friend to the GPanswers.com community.


About GPanswers.com Training

Choosing the Right Course for You

Of course you want GP training. And we know you'd prefer to use GPanswers.com as your go-to source for GP training. We try to make it as easy for you as possible.

We have GP courses that fit what you need.

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com .

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take based on your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private (on site) and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses–Beginning of 2008 scheduled

I have limited classes for the beginning of 2008:

  • Jan 15, 16, 17, 18: Portland, OR: Group Policy Essentials Course, Advanced One Day Course and XP-to-Vista Catch-Up Course. We really need you to sign up now if we want to make this class happen.
  • Jan 29, 30, Feb 1, 2: Orlando, FL: (Yes, I spun up this course so that you, yes you, can get approval to go to Orlando in the dead of winter time.) Group Policy Essentials course, Advanced One Day Course and XP-to-Vista Catch-Up course
  • Feb 4, 5, 6, 7: Washington, DC: Group Policy Essentials course, Advanced One Day Course and XP-to-Vista Catch-Up course
  • March 4, 5, 6, 7: Nashville, TN: Group Essentials course, Advanced One Day Course and XP-to-Vista Catch-Up Course.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about OTHER CITIES in 2008?

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go for 2007.

Now tell me where you want me to go for 2008. The cities with the most votes get classes in their city. Bigger cities are a better bet, so you might want to vote for your closest "major airport" city.

Here's a deal you can't pass up!

Okay, let's assume I'll be in your city teaching a public class. How would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two, three, or four days, and you get a free student attendee!

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, Japan–or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, Security, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/ .
For a private class, just contact me at [email protected] or call me at 302-351-8408.


Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment 

If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Security directly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!

Note, that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here .

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book .

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Free Stuff

  • I just did a radio interview at RunAs radio. Check it out here.
  • I'll be doing a GP Webinar for Centrify on Windows/Linux/Mac + GP Integration sometime in January or February. Stay tuned for that !

Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription .

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Margot at: [email protected] . I endeavor to respond to everyone who emails.

Thanks for reading!

Aug 2007
09

Issue#25

  • Let's get an understanding of ADMs and ADMXs (PART TWO)
  • New Public Classes and upcoming events
  • Some more goodies about PolicyPak Software
  • Public GP Training Schedule Update
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

In our last issue, we tackled what ADM files are, where they live, and what they look like in the interface. Here, we

GPanswers.com News and Updates

Update #1:

Search We have SEARCH! That's right, it took us, like way too long .. but we have a new search capability right on the GPanswers.com home page. Just type in what you're looking for and.. whamo !

Update #2:

FAQs Our FAQs are now more FAQ'n organized than ever. (Did I really just go there!?) Anyway, they are. Thanks to Eric Johnson, who really went the extra mile to make this happen. Each FAQ now has it's own unique URL, so, if someone in the forums asks "How do I enable GP for Windows 95" we can just say.. "Please read this: faq/5 " Okay, that one doesn't come up all that often, but you get the idea.

Update #3:

One more public class for the rest of 2007 and two new ones for 2008

I have new dates in Portland (Jan 15-18) Orlando (Jan 29- Feb 1), Washington DC (Feb 4 - 7) and Nashville (March 4-7). More on this topic later.  


This Month's Newsletter Sponsored by: NetIQ

Are you using Group Policy optimally? Ever wonder if you can do more with it? Get the best practices you need to leverage Group Policy on your servers in this new white paper, "Why Group Policy Matters for Servers," authored by Group Policy guru Jeremy Moskowitz & NetIQ. Download it now


 

This issue's big tech tip...

What’s All the Hubbub about ADMX? (Part II)

In the last issue, you learned all about ADM files. But what's this you keep hearing about ADMX files ?

Windows Vista ships with a built-in GPMC. And with that GPMC comes a new ability to shake off the use of old ADM files in lieu of newer ADMX files if you want to. Why would we want to shake off the ADM format?

Recall that the ADM file itself is placed up inside the GPT part of the GPO (the part that lives in SYSVOL). When that happens, you burn about 4MB on every Domain Controller—every time you create a GPO. Also recall that the ADM file itself is placed in the GPT of the GPO because it’s necessary when you want to re-edit the GPO on another management station. Without that ADM file, you can’t edit the custom setting contained within the GPO.

So, the ADMX format helps us break away from these issues. You no longer need to store anything inside the GPO, so you don’t get what’s known as “SYSVOL Bloat.” That is, a fat SYSVOL which has the heavy duty to store GPOs full of ADM files. To work around this, the new ADMX standard can take advantage of what’s known as the Central Store. The job of the Central Store is to have one place which can store the new ADMX files so they don’t need to get copied into each and every GPO. So, goodbye SYSVOL bloat. The other big deal about the Central Store is that if an ADMX file has an updated definition, then all Vista management stations will immediately use that updated ADMX file.

If you want to learn about the format of ADMX files, the creation and use of the Central Store in detail, I’ve got two resources for you. Darren Mar-Elia has an informative, yet succinct, article on ADMX file format internals and a brief explanation of the Central Store in his Technet Article here (http://tinyurl.com/2musnh). I also have an entire, downloadable chapter from my new book, Group Policy: Management, Troubleshooting, and Security on GPanswers.com available here.

As we’ve seen, ADM templates are still supported when you use a Vista management station; but ADM files are not supported within the Central Store. This can be a little confusing, so let’s walk through an example.

Let's assume the following:

  • I created a GPO from a Vista management station.
  • I tweaked some in-the-box settings (like Prohibiting Access to the Control Panel).
  • I wanted to add a custom ADM template.

After we do this final step, we’ll then peek into the GPO’s GPT and see what has happened to get some clarity.

To add the ADM template, we’ll repeat some steps we performed earlier. Just open up the Group Policy Object Editor, right-click “Administrative Templates” which is contained within both the Users or Computers node and select “Add/Remove Template.” You can see the added template in Figure 1.

gp
Figure 1

Note that in order to actually see the settings contained within this ADM template, click on View | Filtering. Finally, uncheck “Only show policy settings that can be fully managed”.

Then, close the Group Policy Object Editor and return to the GPMC. Figure 2 shows the Details tab of the GPO I just created from my Vista management station. (Note the catchy name of the GPO.) By looking in the “Details” tab, I can determine the GUID for the GPO, which will make it easier when I go fishing around in SYSVOL to sleuth around for that particular GPO.

 gp
Figure 2

Once I track down the GPT of the GPO (by using the GPO’s GUID), I can crack open that GPO’s ADM directory and see that there’s exactly one ADM template here—the one which I manually imported, seen in Figure 3. This is because Vista machines don’t rely on ADMs anymore. Since they don’t natively use them, they don’t natively push anything up into the GPO itself. However, if you manually import an ADM (as we just did) it will continue to honor the ADM it in the same fashion it always did.

 gp
Figure 3

This is in contrast with, say, the GPO in Figure 4, which was created on an XP or Windows Server 2003 machine. When GPOs are created using pre-Vista management stations, the original ADM files are pushed up into the GPO as previously described. This GPO was created on a Windows XP management station. You can tell, because it’s jam packed with ADM files that Vista doesn’t need or use.

gp
Figure 4

Converting ADM to ADMX Using the ADMX Migrator Tool

We just learned that Windows XP uses ADM files and Vista uses ADMX files. We also learned that Vista will continue to utilize ADM files if that’s what we have available. But, we cannot stick an ADM file into the Central Store and expect our Windows Vista management stations to all be able to utilize the file.

In order to utilize the settings contained within the ADM in the Central Store, you need to convert the ADM file to ADMX, or re-create the ADM files as ADMX files by hand. Luckily, there’s only one download that performs both of these functions.The ADMX Migrator tool (which is really composed of an ADM-to-ADMX converter tool and an ADMX creation tool) can be downloaded from Microsoft’s website here: http://tinyurl.com/yjnptj.

You can install the ADMX Migrator Tool .msi file on Windows Server 2003, Windows XP, or Windows Vista. Once installed, the applications go to C:Program FilesFullArmorADMX Migrator. The command-line application we’ll be running is called “faAdmxConv.exe”. But since the directory isn’t in the path, you would need to be in that directory in order to run the app. Therefore, when I’m using the tool, I opt to add this directory to my Windows Path. Click here for more information on how to set the path in Windows (http://tinyurl.com/3n4zy).

I usually create a temp directory, like C:ADMtemp and copy my source ADM files into it. There are a lot of possible parameters for faAdmxConv.exe, but the simplest way to convert an ADM file is to specify the name of the ADM file and the output directory. If you’ve already put the source ADM file in ADMtemp and added faAdmxConv.exe to the path, you can just run “faAdmxConv nopassport.adm .” (with the dot to signify the current directory as output). If you don’t specify the dot (for this directory) or another explicit path, the output goes somewhere you likely don’t want it to: the installation directory of the ADMX Migrator tool. Doh! In Figure 5, you can see three commands:

  • A “dir” command to see the ADM file
  • The “faAdmxConv” command with the name of the ADM and the . (dot) to represent the current directory and
  • A “dir” to see the outputted files: nopassport.admx and nopassport.adml

gp
Figure 5

Before you go plunking this into your Central Store, you might want to test this on a machine which isn’t leveraging the Central Store (like a Windows Vista machine that’s offline). After you take the machine offline, copy the ADMX file to the C:WindowsPolicyDefinitions directory, and the ADML file to the language-specific directory. In the US, that directory is C:WindowsPolicyDefinitionsen-us. An example of the copy procedure can be seen in Figure 6.

 gp
Figure 6

The ADM to ADMX converter tool doesn’t always generate ADMX files which are “ready to go” inside the Group Policy Object Editor. That is, the conversion process appears to be 100% successful. But then loading the resulting ADMX and ADML files into the Central Store and seeing the results using your Vista management station could demonstrate errors. This could manifest itself when the Group Policy Object Editor starts, with various error messages appearing about the resulting ADMX file. To remedy this, there will be another update of the ADMX Migrator tool that should produce more useful output at conversion time to help you adjust your ADM file before it makes its way through the conversion process.

This is a known issue, and one that the FullArmor and Microsoft teams are aware of and are working hard to fix. The updated tools will likely be available by the time this article goes to press. Be sure to check in at www.GPanswers.com/blog for the latest info. The official timetable for this updated tool is “soon,” but stay tuned to GPanswers.com and the ADMX Migrator tool download page for more details.

Finally, the now-converted ADM file is really now two files: an ADMX (language neutral file) and an ADML (language specific file). At this point, you can put inside the Central Store or test on a local machine. However, once again, in order to actually see the policy settings contained within this ADMX template, you’re still going to need to do what we did earlier as seen in Figure 4. That is, you’ll still need to click on View | Filtering, then uncheck the “Only show policy settings that can be fully managed” safety. That’s because the settings contained within this ADMX file does not write to one of the “proper” Policies keys, as previously discussed.

Cleaning Up Shop

The ideal state is clearly to use only ADMX files, and to utilize the Central Store. But in order to do that you need to:  

  • Convert all your current ADM files to ADMX
  • Convert all management stations to Vista (or Windows Server 2008)
  • Commit to stop editing GPOs on pre-Vista machines

If you’ve done these three steps, you have ostensibly banished ADM files from your world. At this point, the ADM files within your GPOs are just taking up space within your Domain Controller’s SYSVOL. Once you’re achieved ADMX nirvana, you could, if you wanted, simply delete the ADMs contained within the GPO’s GPT within SYSVOL. That’s right: like your body’s appendix, they’re vestigial. They did serve a purpose at one point; but their purpose is done. You can do this manually, or do it with a script. Before you do, though, note that this would be a serious mistake if the above steps haven’t been completed. So be sure to do this only if you’re sure you can leave ADM files behind.

For more about ADM, ADMX, and ADML files be sure to sign up for the GPanswers.com newsletter (the thing you're reading right now) at www.GPanswers.com/newsletter and intermediary notices via blog at www.GPanswers.com/blog.

Test some PolicyPaks for a test drive

Some of you have downloaded the software at PolicyPak to start making your admin life a little easier. We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy.

  • Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader.
  • Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger.
  • Wanna control WinZip using Group Policy? We're working on PolicyPak for WinZip (and lots of others...)
  • Wanna control something we don't support yet? Suggest an application at www.PolicyPak.com/suggest !

gp
Click for larger graphic...

So, how can you check them out? We're ready for you to check us out and it for a test drive. Just mosey over to www.PolicyPak.com, register for an account and give our two PolicyPaks a whirl. We've made the download process even easier. So, if you "gave up" before because we asked for too much information, I think you'll be a lot happier now.  


About GPanswers.com Training

Choosing the Right Course for You

Of course you want GP training. And we know you'd prefer to use GPanswers.com as your GO TO source for GP training. We try to make it as easy as possible for you. We have GP courses that fit what you need.

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private (on site) and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses—2007 scheduled

I have limited classes for the rest of 2007 and beginning of 2008:

  • Oct 23, 24 and 25: Netherlands: Three-Day Group Policy Essentials Course (XP Focused). Sign up here.
  • Jan 15, 16, 17, 18: Portland OR: Group Policy Essentials Course, Advanced One Day Course and XP to Vista Catchup Course.
  • Jan 29, 30, Feb 1, 2: Orlando, FL: (Yes, I spun up this course so that you, yes you, can get approval to go to Orlando in the dead of winter time.) Group Policy Essentials course, Advanced One Day Course and XP to Vista Catchup course
  • Feb 4, 5, 6, 7: Wash, DC: Group Policy Essentials course, Advanced One Day Course and XP to Vista Catchup course
  • March 4, 5, 6, 7: Nashville: Group Essentials course, Advanced One Day Course and XP to Vista Catchup Course.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about OTHER CITIES in 2008?

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go for 2007.

Now tell me where you want me to go for 2008. The cities with the most "votes" get classes in their city. Bigger cities are a better bet, so you might want to vote for your closest "major airport" city.

Here's a deal you can't pass up!

Okay, let's assume I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two, three or four days, and you get a free student attendee !

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, the Security Team and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.


Places I'll be...

  • WinConnections 2007 Fall in Vegas: www.WinConnections.com
    • I'll be speaking on Group Policy Essentials
    • Group Policy Troubleshooting
    • Microsoft Softgrid and other Application Virtualization technologies
    • Maybe more !

Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

  If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Security directly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!

Note, that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
 http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • AdventNet with their ADManager Plus

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Margot at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jul 2007
17

Issue #24

Issue #24

edit

  • Let's get an understanding of ADMs and ADMXs, finally !
  • Did you miss the Fourth ? (Edition, that is...)
  • Some more goodies about PolicyPak Software
  • Public GP Training Schedule Update
    • Different course levels
    • XP and Vista coverage
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

GPanswers.com News and Updates

GPanswers.com is a free service, as you know. And we try try try to keep it as up-to-date as possible. But we're a limited full time staff (that's me!) so every once in a while, I ask for some part time helpers to help give us a "boost."

These just aren't "any ol' people" .. they need to be READY and WILLING to help the cause of GP everywhere ! (Okay.. maybe that's a little much, but you get the idea.) We've added three super helpful folks to our GPanswers.com staff.

Staff Changes

In the office, I've changed my office assistant to Margot Cullen. Margot is just awesome. So, if you need receipts, want to call in to sign up for a public class, or ask her personal and revealing questions about what I do on the weekends, she's your gal. She can be reached at[email protected]. Please do not send technical questions to Margot. Please use the Community Forum (GPanswers.com/community) for that. Thanks !

GPanswers.com Helper Additions

After a long search, I'm proud to announce two helpers to GPanswers.com: Jakob Heidelberg and Eric Johnson. Jakob is a Danish Windows Expert, and well known blogger. If you read my blog, you'll be sure to love his as well. Click here for information about Jakob !and Be sure to read his blog !

Eric Johnson who works at a private healthcare firm will also be helping out at GPanswers.com. No blog from Eric yet, but maybe soon!

These two guys are going to help answer questions in the forums, and help with the Tips and Tricks section at GPanswers.com. In fact, if you look at some (most!) of the Tips and FAQ questions, you'll see Eric already hard at work. Many tips and such at the bottom will say:

" Verified by: Eric Johnson
Edited by: Eric Johnson
Last Edit date: June 30th, 2007
This question originally posted on August 7th 2004. "

That way, you get a good idea that we double-checked the accuracy of our tips and also the last time we touched them for a checkup. Hope you like that new GPanswers.com feature. If you want to submit a Tip / Trick / FAQ question .. there's only one place!

That's at the GPanswers.com/community forum, specifically in the "Submit a Tip / Trick" section here. You will need to register for a community forum account before submitting.


This Month's Newsletter Sponsored by: NetIQ

Download our new white paper, "Best Practices for Managing AD & Group Policy", to understand how your organization can improve its control over changes to Active Directory and Group Policy. You'll get the answers you need to assure changes are identified, tracked, and safely made across Active Directory and Group Policy.  

Click the link to learn more: NetIQ


Inside ADM and ADMX Templates

ADM files. You either love 'em or your hate 'em. Maybe both.

And that's because they're both necessary, but also confusing. And to add to the mix, Microsoft now has ADMX files which can only seemingly add to the confusion.

In this issue we'll tackle ADM files. Next issue -- ADMX files.

So, let's begin with the "unconfusion."

Why do we need ADM files?

Group Policy is made up of multiple areas. If you dive down into the Group Policy Object Editor (GPOE), you'll find lots of "stuff" you can do with Group Policy. For instance, Software Restriction Policy, Group Policy Software Installation, Folder Redirection. And yes, the one we play with most: "Administrative Templates" as seen here. The Administrative Templates node is on both the User and Computers sides. As suspected users can only embrace User side policy settings and Computers can only embrace Computer side policy settings.

But how do these magical settings get "born?"

It all starts when the stork brings us a new application. Really!

Okay, not really. But when new applications are "born" there's potentially some settings we can manipulate. That's where ADM files come into play. They describe the areas of the application that's ready to accept settings. ADM files are limited, right away, unfortunately, because they can only address registry settings within an application. But, an application might save it's settings in various places: .ini files, .js files, .XML files and other areas. ADM files can only address registry-based settings.

In the box ADM files

So how do all those policy settings in the box for Computer Configuration | Administrative Templates and User Configuration | Administrative Templates get there in the first place? If you right-click over the words "Administrative Templates" and select "Add/Remove Templates" in either the User or Computer side, you'll see the default templates which make up the standard configuration.

The breakdown of these files is:

  • Conf.adm -- NetMeeting settings.
  • Inetres.adm -- Internet Explorer settings, including connections, toolbars, and toolbar settings. It is equivalent to the options that are available when using the Internet Options menu inside Internet Explorer.
  • System.adm -- Operating system changes and settings. Most of the Computer and User Administrative Template settings are in this ADM template.
  • Wmplayer.adm --Windows Media Player 9 settings.
  • Wuau.adm -- Controls client's access to Windows Software Update Services servers' clients.

Adding your own ADM Template Files

Well, that's easy. First, just get the ADM template you want to use. Maybe you've downloaded one from GPanswers.com. (We have about a dozen interesting ones.) Or maybe you want to utilize the ADM files for Office 2003 or Office 2007. That's great.

Just click Add as seen in Figure 1 and add in the template. By default, templates are looked for in the Windowsinf directory, but there's no reason you cannot store them anywhere else. Here's something you may not know: once the ADM template is added, that ADM template gets added to the GPO itself.

For instance, in this example, I've added "nopassport.adm" which will let us squelch the "Do you want to add your passport?" message the first time a user logs into an XP machine. And also Word11.ADM (from the Office 2003 ADM template download.) You can see these additions in the "Add/Remove Templates" window.

Then, inside the GPO itself, specifically, the GPT, in the ADM directory, you can see the nopassport.adm and Word11.ADM file added. Click for larger graphic...

Why is it added to the GPO? Because if you then try to edit this GPO on another management station, you'll be able to see the settings contained within the ADM files.

Why Can't I see the ADM file additions?

Well, maybe you can, or maybe you can't see your ADM file additions. And this is causing a lot of confusion for a lot of administrators. Indeed, this is a top 5 FAQ at GPanswers.com, so I hope to put it to rest right here.

You should at least be able to see the results of adding the two templates as seen here. Two new nodes will appear. Computer Configuration | Nuisances (because of nopassport.adm) and User Configuration | Microsoft Office Word 2003 (because of Word11.ADM). If you dive down into the Word 2003 settings, you'll see a huge array of configurables, as seen here. Click for larger graphic...

But, you cannot see the settings within the new Nuisances node. Why not? To understand that, you need to understand the idea of "proper" vs. "improper" policies keys that an ADM template might affect.

Proper vs. Improper Policies Keys

Microsoft documentation states that four Registry areas are considered the approved places to create policies out of Registry hacks:

  • HKLM|Software|Policies (computer settings, the preferred location)
  • HKLM|Software|Microsoft|Windows|CurrentVersion|Policies (computer settings, an alternative location)
  • HKCU|Software|Policies (user settings, the preferred location)
  • HKCU|Software|Microsoft|Windows|CurrentVersion|Policies (user settings, an alternative location)

The settings contained within Word 2003's ADM writes to these "proper" locations. But the nopassport.adm file doesn't. Indeed, nopassport.adm writes to HKLM | Software | Microsoft | MessengerService | PassportBalloon

So, Microsoft puts up a little safety gate before it allows you to see these settings. The idea is that any of the settings that don't write to the proper Policies keys (listed above) will tattoo the registry. So, even if you whack the GPO, there's no way the setting will "revert" back. For example, let's say you added the nopassport.adm file, and chose squelch the "Do you want to add a passport?" pop-up balloon to every machine in your domain. Then, later, the boss said he really liked that setting. You've got a long road ahead of you because all computers now will embrace the setting - basically forever - until you expressly put that setting back.

In contract, regular policy settings have a "default" value. And if you whack the GPO, those settings will revert back to something. For instance, if you choose to prohibit access to the Control Panel using the built-in ADM templates. Then later, change your mind, all you need to do is whack the GPO and voila! The Control Panel comes back.

Again - not so with the Passport message - because the policy setting isn't in a place that will ever revert. So Microsoft protects you by (initially) not showing the policy settings at all - so you don't shoot yourself in the foot !

Seeing ADM templates

So, seeing the ADM templates isn't all that hard. The editor, by default, doesn't show you the settings. But it's easy. Click on the word "Administrative Templates" (either User or Computer half). Then select View | Filtering. Finally, uncheck (yes, uncheck) "Only show policy settings that can be fully managed." When you do, you'll see "Passport Solicitation" as a policy setting show up under the Setting column as seen here.  Click for larger graphic...

XP vs. Vista in the editor

Did you notice a subtle difference in the policy setting that just popped up? Look at the icons of policy settings that ship in the box. Click for larger graphic...

Now, look at the icon for a policy setting from an ADM template where the settings don't write to the proper Policies registry keys.  Click for larger graphic...

This blue vs. red icon differential helps you know which settings will tattoo, and which won't. But again, it's all based upon where the setting actually targets its settings. In Vista, by the way, the situation changes a bit when you use ADM files in your management station. ADM files show up in their own node called the "Classic Administrative Templates (ADM)" node, as seen below. What was red-dot settings now show up as a scroll icon with a downarrow (but while editing the setting itself, it has a little "No Enter" sign) all seen below.    Click for larger graphic...

The settings that were blue-dot (those that write to the proper Policies keys) show up as little scroll icons, as seen here. Click for larger graphic...

Next time..

This newsletter is about to get to be "too long." So, what we'll do is cut it off here, and talk more about ADM vs. ADMX files a little more in the next issue.

How PolicyPak Software Changes Things

Before I even jump to the good parts, let me just say that PolicyPak software is now ready for you to download and check out today! So, if you decide halfway through reading this, "I just gotta start playing !" ... well, you can! Just go to PolicyPak.com, register for an account, validate the account, and download the software you put in your download cart! As we've just learned, ADM templates are great, but, they're not the best solution to settings management. You still need to:

  • Figure out all the ways the target application needs to be controlled
  • Create the ADM files by hand

Then, those ADM files ...

  • "Tattoo" the Registry (boo!)
  • Can't even get to some areas of the Registry with ADM files at all! (Think reg_binary values or HKEY_Classes_Root.)

And finally,

  • The ADM language doesn't let you "craft" a look and feel similar to the application you're actually trying to control.

Not to mention that ADM files only manipulate the Registry. If your application has tweaks in .ini files, or custom configuration files or databases, ADM files just won't be able to get in there to adjust the settings you need them to.

Enter PolicyPak.

PolicyPak Software is a new venture of mine that offers software that lets you naturally control your existing applications with Group Policy.

How do we do it?

We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy.

  • Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader.
  • Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger.
  • Wanna control WinZip using Group Policy? We're working on PolicyPak for WinZip (and lots of others...)
  • Wanna control something we don't support yet? Suggest an application at www.PolicyPak.com/suggest !

Click for larger graphic...

Our goal is to have lots of PolicyPaks to control the applications you already have.

You'll purchase them a la carte, so you'll get only the PolicyPaks you need.

Not only have we already "done the research for you", the interface looks almost exactly like the target application. No learning curve! You're gonna love them! In this example, we're changing the color of the Highlight Color in the Forms tab. Click for larger graphic...

Try doing THAT with an ADM template ! Or this trick.. Setting where files should be saved when users utilize Windows Live Messenger. Click for larger graphic...

So, how can you check them out?

We're ready for you to check us out and it for a test drive. Just mosey over to www.PolicyPak.com, register for an account and give our two PolicyPaks a whirl.


About GPanswers.com Training

Choosing the Right Course for You

Did you know that here at GPanswers.com, we have GP courses that fit what YOU need?

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses—2007 scheduled

So, here's the 2007 (first half) line-up:

  • August 8–9: Chicago, IL: Two-Day Group Policy Intensive Course (XP Focused)
  • August 10: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Oct 23, 24 and 25: Netherlands: Three-Day Group Policy Less-Intensive Course (XP Focused). Sign up here.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about the SECOND HALF of 2007?

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go for the first half!

Now tell me where you want me to go for the second half. The cities with the most "votes" get classes in their city.

Here's a deal you can't pass up!

Okay, let's assume I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee!

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, the Security Team and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

LIMITED TIME Private Course Special Offer

If you book three-days of private class training which completes before Sep 7, 2007, I'll include all travel expenses. So, maybe you'd like the Two-Day XP Training with the One-Day XP-To-Vista Catchup day. Or, maybe the Vista Two-Day and One-Day Advanced training.

Any three training days qualifies for this special offer.

I have some free time in the summer I want to fill, and want to give you an incentive to help me book that unused time. So, you pay no travel expenses if the class completes before Sep 7, 2007!


Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

  If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Securitydirectly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!
Note, that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
 http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • FullArmor corp, with their Endpoint Policy Manager
  • PolicyPak Software, with their PolicyPak family of tools

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

.For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected] Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Margot at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

May 2007
31

Issue #23

GPanswers.com Special Mid-Newsletter Update

Are you going to be at Microsoft's TechEd next week?
I am, and I hope you'll come by and say Hi!
In fact, I've got some really big news, so I'm breaking it down in three bites to make it easier to digest.
I'm speaking at TechEd, and so are some other speakers you'll be interested in.
It's here: PolicyPak Software! Group Policy—Enable Your World!
More ways to connect at TechEd (free book signing and more!)
SPEAKING TIMES AT TechED
I'll be speaking twice—same talk (just repeated). Come to one, or both!
Topic: Deep Dive into Windows Vista Group Policy Changes and Troubleshooting

Session ID: CLI408
Time #1: Tuesday 8.45 Room S330
Time #2: Thursday 9.45 Room: N320 A

The beauty of Group Policy changes is not skin deep. There are some basic and detailed changes lying under the hood. And Jeremy Moskowitz of GPanswers.com and author of "Group Policy: Management, Troubleshooting, and Security" is just the guy to bring them to you. In this session, learn why you can't just run gpresult.exe anymore and get the results you want. Discover what happens if you reconnect to the network after a long absence. Learn how to crack open the new Vista event log and trace Group Policy flow to figure out what might be going on. Learn how other areas, like Offline Files and Group Policy Software Installation can be tweaked to give you just the information you need to fix what ails you. If you're looking for Group Policy answers to your troubleshooting questions, this is the session for you.

OTHER Group Policy Speakers and Speeches

Actually, there's so much Group Policy stuff going on I can't list it all! But here's a sampling. CLI331 - Using Group Policy with Windows and Windows Server 2008
Wednesday, June 6 10:15 AM - 11:30 AM, S330
And
Thursday, June 7 1:00 PM - 2:15 PM, S320 A
Speaker(s): Mark Williams and Jason Leznek

This scenario-based walkthrough uses a series of demonstrations to offer an in-depth understanding of new and enhanced Group Policy functions in Windows Vista, and plans for the Windows Server 2008 timeframe. This session showcases Windows Vista as a Windows Vista Group Policy administrative workstation. Learn about new Group Policy features in Windows Vista, including the new format and functionality of Administrative Template (ADMX) files (and interop with legacy ADM files), the ADMX central store, improved awareness of changing network conditions, using multiple local Group Policy Objects (MLGPOs), and Group Policy Management Console (GPMC) integration into the operating system. Demos include using the new event viewer ("Crimson"), and showcase a selection of the hundreds of new policy settings delivered with Windows Vista. Finally, we provide an introduction to the products acquired from DesktopStandard and discuss their future availability and roadmap.

CLI316 - Microsoft Desktop Optimization Pack: Advanced Group Policy Management (AGPM)
Tuesday, June 5 4:30 PM - 5:45 PM, N320 A
Speaker(s): Derek Melber, Winni Verhoef

Advanced Group Policy Management, a Microsoft Desktop Optimization Pack technology, adds an important level of control to Group Policy management. By adding delegation and workflow for Group Policy management, the enterprise administrator gains granular control over Group Policy deployment. This session explores the AGPM product and how it can help the Enterprise regain control over Group Policy management.

CLI03-TLC - ADMX File Creation and Management
Wednesday, June 6 3:45 PM - 5:00 PM, Yellow Theater 1
Speaker: Judith Herman

Microsoft Windows Vista introduced ADMX files to define Group Policy settings. This session describes how to create, edit, and manage ADMX files (and their associated ADML files for multi-lingual support). The discussion covers the syntax of these files and how they are used with the ADMX Central Store.

Okay—Here's the Big News: PolicyPak Software
Two TechEds ago, I had a flash of realization about Group Policy. Group Policy does some amazing stuff. It controls Windows itself really, really well. But what it doesn't control really, really well are third-party applications.
Sure, there's ADM templates. But ADMs are just NOT the ideal solution. With ADM templates you have to: Figure out all the ways the target application needs to be controlled Create the ADM files by hand Then, those ADM files "tattoo" the Registry All the while, you can't even get to some areas of the Registry with ADM files at all! (Think reg_binary.)

And finally, The ADM language doesn't let you "craft" a look and feel similar to the application you're actually trying to control. Not to mention that ADM files only manipulate the Registry. If your application has tweaks in .ini files, or custom configuration files or databases, ADM files just won't be able to get in there to adjust the settings you need them to.
Enter PolicyPak.
PolicyPak Software is a new venture of mine that offers software that lets you naturally control your existing applications with Group Policy.

How do we do it?
We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy. Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader. Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger. Wanna control WinZip using Group Policy? We offer PolicyPak for WinZip.

Our goal is to have lots of PolicyPaks to control the applications you already have.
You'll purchase them a la carte, so you'll get only the PolicyPaks you need. And the interface looks almost exactly like the target application. No learning curve.
And PolicyPaks act a lot more like Group Policy than ADM templates do.
You're gonna love them!

So, how can you check them out?
Two ways:
Way #1: We're still in "private beta", but you can get on board if you send me an email letting me know that you're interested, and telling me how you plan to test our software out. This can be a simple test lab or a pilot group.
Way #2: Come to Booth #914 at TechEd and meet the Specops Group Policy Gurus. That's me, Darren Mar-Elia of GPOGuy.com, and SDM Software and the Specops Guys who make some awesome Group Policy software (www.specopssoft.com)! We'll be there most of the conference to show off our stuff and answer your tough Group Policy questions! And I'll have live demos of my new software and we can talk about what you think! We have a website, www.PolicyPak.com, with more information and images of the PolicyPak interface that you can check out, too. But right now there is no way to download the beta software. It is a PRIVATE BETA open only to people who email me directly. If you think you can get me some feedback before TechEd starts, I especially want to hear from you!

Book Signing at NetIQ's Booth At NetIQ's booth, I'll be giving away 100 free signed copies of my new book. All you need is one of my famous "Group Policy Book/Training Postcards" and then just be one of the first 100 people in line to get your free, signed copy. Come to NetIQ's booth before the free book signing on Wednesday from 1:00 to 2:00 for all the details!

More at TechEd to Love
There is likely going to be more news and stuff to love at TechEd this year, and when I find out about it, the quickest way I can tell you about it is via my blog at www.GPanswers.com/blog. Keep checking it for updates as they happen! See you at TechEd 2007 (booth #914!, mostly!)

May 2007
09

Issue#22

Newsletter 22. In this issue:

  • Jeremy Talks About Vista and Group Policy, and Other News from GPanswers.com
  • May the Fourth (Edition) Be With You . . .
  • Moskowitz, inc. Technology Takeaway®
    • Some tips about using GP to manage Office 2007
  • Public GP Training Schedule Update
    • Different course levels
    • XP and Vista coverage
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

There's lots to tell you in this issue! There was so much, in fact, that I held some back for the next edition, which will be out much sooner than normal.


This Month's Newsletter Sponsored by: BeyondTrust Corporation

Enable users who don't have administrative privileges to run all applications!

BeyondTrust Privilege Manager was the first product to enable the security best practice of Least Privilege in Windows environments by allowing administrators to assign end users permissions to required or selected applications. Built for Windows 2000, XP, and Vista, and applied through Group Policy.

Click the link to learn more:BeyondTrust


GPanswers.com News

Holy cow—it's here! 786 pages!

You wanted it, and now you can get it. The biggest GP book of all time, and it's available RIGHT NOW. That's right, I've got an updated version of my popular Group Policy book. It's not called "4th edition", but that's really what it is.

Learn more at www.GPanswers.com/book (and in the note below).

In short, it's long. Fully updated for Vista, XP/SP2, and Server 2003.

200 new pages. You're gonna love it. Get a signed copy at www.GPanswers.com/book!

Jeremy talks about Group Policy and Vista

In case you missed it, here's a link to an interview conducted by Greg Shields of Redmond Magazine where he and I chatted about some of the new customizations in Group Policy that come with Windows Vista and why you should start implementing them now to prepare for what's to come in Windows Server Longhorn.

Download the podcast from here

Updated GPanswers.com/community forum

We've moved and shaken a little bit in the forums, and now things are more streamlined. If you have a question about something in the book, or something about the material that the same chapter in the book would cover, you can just post to one place. (Trust me, this makes sense when you check it out.) So, join the community forum today!

don't forget the blog

Some people have asked why they don't see as many newsletters anymore.

Because now I have my little blog, so that when I have a neat little nugget to share, I can do it immediately.

I don't have to compile all those little tips into a big newsletter.

So, I'm saving the newsletter for longer tips that I think tell a bigger story.

Getting to the blog is easy. Just shuffle over to www.GPanswers.com/blog and you can use the RSS link on that page to get updated whenever there are goodies to be had!

Welcome to Cynthia

I have a new right-hand here in the offices of Moskowitz, inc. Her name is Cynthia Talmage, and she can help you order a case of books, sign up for Public class, or help you get that Private class you always wanted. You can also ping her just to say Hi. You can say Hi by emailing [email protected].

Welcome to Eric

Eric has joined Adam to help out with the GPanswers.com community forum. As a long-standing member, he has already provided countless tips and nuggets of advice to other visitors, and now he is also helping to keep the forum in order to make it even easier to get the best quality information about Group Policy from your peers. A warm welcome to Eric. Why not join him and our other regulars in the GPanswers forum today?

Spread the Word

If you enjoy this newsletter and are anxious to read the material we had to leave out for next time, why not share the GPanswers love?

Spread the word! How?

Simply forward the newsletter email that you received to a colleague or friend and they can decide if they like the content, and if so, they can sign up here to make sure they don't miss out on future releases.

Or maybe you can mention the newsletter in your blog or just shout "I love GPanswers.com" to the guy next to you in traffic. However you do it—let people know why you think GPanswers is THE place to go for Group Policy information.


Fourth Edition of Jeremy's Group Policy Book... renamed:

Group Policy: Management, Troubleshooting, and Security

Every single chapter has gotten an update for Vista, but I still make sure you have all the information you need for both Windows XP and Windows 2000. Here are some of the highlights of the new edition:

  • A real lab guide makes it easier to follow along with all of the hundreds of examples. So, you can walk through everything with me if you want to.
  • Multiple Local GPOs for Vista with walk-through examples.
  • Understanding and troubleshooting Vista's method for determining if you're online or offline, and what that means for GP processing.
  • Troubleshooting in a Vista world.
  • Find out what happens with ADM and ADMX files when you create a GPO. Or what happens if you edit a GPO from Vista or XP. And back again!
  • Software Restriction Policies secrets.
  • Tricking Restricted Groups so it’s not “rip and replace”.
  • Controlling User Account Control, and tweaking it for specific scenarios.

There's so much more ... read more detail and some reviewers' comments here. You can order the book from popular online retailers, or get it SIGNED if you order it directly from me. Just click here !


Technology Takeaway®, a Service of Moskowitz, inc.

A quick look at Group Policy for Office 2007

Many of you will be facing the challenge of planning a deployment of Office 2007, or you may already have some early adopters in your organization. So in this edition, we'll take a look at how to implement some of the useful Group Policy controls for this new version of Office.

First things first—the ADM templates

Microsoft has released a collection of ADM files (yes, ADM files) so you can manage these policies from an XP or 2003 machine just as easily as from Vista/Longhorn. These can be downloaded as a single extractable file here: http://go.microsoft.com/fwlink?linkid=75729

A little side note: What's strange is that ADMX files for when you use Vista management stations are STILL missing in action. I've seen pre-beta versions, but they never seem to materialize.

Anyway, once you have downloaded and extracted them, add them to your GPMC by editing or creating a policy, then right-clicking Administrative Templates | Add/Remove templates | Add. Browse to the extracted files and add the ones you need.

There are settings available for the machines side or the user side but the vast majority target user settings.

Help your users save things properly

One gripe system admins often have is that their users simply don't follow corporate guidelines, ignore all their training, and save things where they should not—particularly in places such as My Documents. This is a little unfair—many users would argue that if you want them to save somewhere, you should make it an easy place to find. You might also consider just preventing them from saving anywhere else but the place you designate. Let's look at helping your users find the right place first.

On XP/2003/2000, you would look under User Configuration | Administrative Templates; with Vista go down one more level to "Classic administrative templates" (which indicates their ADM file format). There you will find Microsoft Office 2007 System | File open/Save dialog box.

The first section in there deals with the Places Bar—the "favorites" area of the Open and Save dialog boxes. You can add up to 10 locations which will appear in the order you enter them, and you can give them meaningful names—no more "X: (fileshare on SRV27)", but "Your shared work files". You can use UNCs and combine environment variables for profile locations, and so on.

So, we've made it easy to find the right place, how about blocking the "wrong" places? This requires a combination of two settings, both of them under the section "Restricted browsing". Enabling "Activate Restricted Browsing" will mean that in the Save As dialog, users will not be able to navigate to any folder which is not explicitly allowed by the second (multi-value) setting, "Approve locations". Note that if you set the first one, you MUST provide a list in the second one.

Notice that these settings restrict where users can save, but do not limit where they can browse to open files (which they might have previously put in the wrong place).

Using Corporate standard templates

Anyone working for a large company will likely be familiar with the idea that they should stick to certain corporate guidelines for their documents; in other words, layout, styles, fonts, etc. should be consistent between documents and between authors.

In order to facilitate this process, marketing departments (usually aided by IT, of course) often create standard templates for users to use for their letters, faxes, presentations, and so on.

When the process is implemented badly, users will save their own copies of these templates which become out-of-date once the originals are updated, and all their future documents then deviate from company standards. Here's some simple rules of thumb if your business has gone to the effort of making these standard documents:

  • Save them once in a central fileshare to which all users have read access and only a limited number of individuals have any modify permissions.
  • Tell users to use these and only these.
  • Better still, configure their Office apps to know where to find the templates, so when they create a new document, the application automatically gives them the right choices.

Now in Office 2000/2003, this was easy to do through the UI. In the always-connected world of Office 2007, however, it is just as likely for the app to try and find a jazzy-looking resume from the internet as it is to deliver the corporate memo template.

So, under Office 2007 System | Shared Paths | Workgroup Templates, set the UNC or the drive and folder where the templates are stored. (You can also do this for previous versions using the matching ADM files.)

Managing file types during your migration

There are lots of good reasons why the underlying file type has been changed after all these years, and many admins are thanking the development team for making all the files sitting on their fileservers and in their email systems so much smaller. But there is the potential problem of compatibility if your network is too big to upgrade everyone all at once.

You could download and install the Office 2007 compatibility pack on all your machines that have older versions, but this could be quite time consuming. As a short-term measure you might want to simply change the default for your Office 2007 applications to save in the older format.

Using Excel as our example, you need to look under User Configuration | Administrative Templates | [Classic Administrative Templates(ADM)] | Microsoft Excel 2007 | Excel Options | Save. The setting for "Save Excel Files as", once enabled, has a drop-down list of choices. The most likely option you would want is "Excel 97-2003 workbook".

Note that the application will use this as the default file format when saving, but does not prevent the user from making a different choice. It also does not prevent the user from changing the default in the UI by graying out the choice under the Office button | Excel options | Save. However, when they restart Excel it resets the policy setting, even before a GP refresh.

That's all the time we have for tips in this issue! Next time there'll be more about the way the GP engine works, and some information about the improved troubleshooting tools available under Vista. Please continue to submit your own tips or links to useful information in the GPanswers.com forums.


Choose the Right Active Directory and Group Policy Course for You

Did you know that here at GPanswers.com, we have GP courses that fit what YOU need?

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private and public classes. Use the Rightsize tool to get a complete understanding of your options.

public courses—2007 (First Half) scheduled

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go! So, here's the 2007 (first half) line-up:

  • May 21–22, Washington, DC: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat! We need you to sign up ASAP (or we might have to cancel!)
  • May 23–24, New York, NY: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat!
  • May 25, New York, NY: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • June 18–19, Phoenix, AZ: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat!
  • June 20, Phoenix, AZ: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • June 21, Phoenix, AZ: One-Day Group Policy XP-to-Vista Catch-Up Course
  • July 16–17, San Francisco, CA: Two-Day Group Policy Intensive Course (XP Focused)
  • July 18: San Francisco, CA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • August 8–9: Chicago, IL: Two-Day Group Policy Intensive Course (XP Focused)
  • August 10: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)

For any public class, sign up online at: https://www.gpanswers.com/workshop/ Some notes:

  • This is the first time the Advanced Group Policy course has been made available to the public. If you've taken the Two-Day or Three-Day course, check it out. If you sign up for the Two-Day Intensive and One-Day Advanced at the same time, you'll get $100 off the third day.
  • Phoenix is the only place you can take the One-Day XP-to-Vista Catch-Up course right now.

Here's a deal you can't pass up!

Okay, so I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee!

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Private Course Special Offer

If you book a private class which completes before August 31, 2007, I'll include all travel expenses. I have some free time in the summer I want to fill, and want to give you an incentive to help me book that unused time. So, you pay no travel expenses if the class completes before Aug 31, 2007!


Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

  If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Securitydirectly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!
Note, that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • Biscom Corp with their FaxCom Suite for Windows
  • BeyondTrust Corporation with their BeyondTrust Privilege Manager product
  • NetIQ with their GP Guardian product
  • SDM software with their GP Health Reporter

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

 

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Cynthia at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jan 2007
12

Issue#21

Newsletter 21: Rounding off 2006 and looking ahead to 2007 In this issue:

  • It's Issue 21
  • Jeremy's joined the bloggers
  • Moskowitz, inc. Technology Takeaway (r)
    • The questions on everyone's lips about the next generation of MS software
    • A tip for protecting some accounts from the wrong GPOs
  • Public GP Training Schedule Released (first several months)
  • Subscribe, unsubscribe, and usage information

In this issue, I'm happy to say, we've got a full plate. We've got a link to my interview with Michael Dennis (who is leaving the Group Policy team after 9 years!), a bunch of tips and tricks, and my 2007 public training schedule (for the next few months.) So, let's get started!


This Month's Newsletter Sponsored by: NetIQ

As an IT professional, NetIQ is interested in your thoughts and opinions on managing group policy. We know these responsibilities are critical in today's enterprise, and we value your feedback. Please take a few minutes and complete our brief Group Policy Survey, co-authored by Jeremy Moskowitz. Respond by February 15, and you will be entered for a chance to win a $300 Amazon.com gift certificate.Take the survey today.


GPanswers.com News

Jeremy's GP blog keeps you right up to date

If you just can't get enough information about Group Policy, then my blog would be a good place to go to get the latest and most important stuff you need. Take a look at the GPanswers.com blog to make sure you don't miss out on any updates.

GPanswers.com excluSIve -- "Exit Interview with Michael dennis, Outgoing team lead for Group Policy"

Speaking of the blog, I got an exclusive opportunity to interview the outgoing Team Lead for Group Policy, Michael Dennis. Michael has been the lead Program Manager for 9 years and 9 months to the day before changing posts (this Monday.) Learn about where Michael feels Group Policy is going, what he feels is his top achievements are so far at Microsoft, and what's next for the King of Control. Again, this is on the GPanswers.com blog.

how can i best help GPanswers.com ?

If you've ever asked yourself, "How can I help GPanswers.com" out? Well, here's your chance.

Sure, we take tips and tricks to help others. But today, I'm asking for something more.

Indeed, you're not helping me out, you're really helping out Ron Hrehirchuk, our original GPanswers.com Guy Friday.

I don't want to get into too many details here, but Ron is gravely sick and is unable to care for his family. Ron has done more for GPanswers.com than I can remember, and he did it for you, our loyal fans for several years.

Now, it's Ron and Ron's family's time of need.

In short, I (Jeremy) am personally asking you to donate to Ron's family's fund.

Click here.

It's via PayPal and it's quick and easy to do. The link is here. And it would meen a lot to me, personally, to know that the GPanswers.com folks have made a difference in someone's life who tried to help make a difference in yours.


Technology Takeaway (r), a Service of Moskowitz, inc.

FAQs about Group Policy for the latest MS products

Can I install the Group Policy Management Console (GPMC) on Vista?

The GPMC for Windows 2000, XP and 2003 is still available, the latest version is "GPMC with service pack 1." You can download GPMC with sp1 from MS here. However, Vista will ship with GPMC v2 already built-in, so there's no need to download anything, just start using it! Note that the old version won't work in Vista, so don't try to install it.

What about converting my old custom ADM files to ADMX format?

Before we get too far along in this topic... who is making custom ADM files and what are you making them for? Drop me a line and let me know.

As you know by now, the method for storing available group policy settings for Vista is an XML-based file format known as ADMX. This is the format your new custom policy definitions need to use if you want to include them in GPOs you will create on a Vista machine, although the policies themselves can be applied to earlier OS versions.

So, the problem is how do you get your current ADM files to the brand new ADMX file version?

At first, Microsoft did not give any indication that they would provide anything to help update existing ADM files, but thankfully they must have been listening to the GP community and (in conjunction with FullArmor corp) have released a free ADMX migrator tool to convert ADM files. This tool also provides a GUI environment for creating and editing ADMX files. You might also want to look at the free XML Notepad 2007 editor which would also allow you to do this and includes useful tools like find and replace and the ability to compare two XML files to find the differences (maybe an old and new version of your custom policy file).

Here's the trick: I've used the tool, and it works as advertised, but can be a little hard to get the policy settings you're creating to come out "just right." So, be patient with the tool, and take some "time off" if you get a litle frustrated. (And, don't forget -- it's free!)

How do I know what GP settings are available in each WIndows version?

Whenever a new service pack or operating system is released, MS issues a complete spreadsheet of all the Group Policy settings, along with the Explaintext and which OS version the policy setting will affect.

The latest version of the Group Policy Settings file is up to date to Vista build 6000 - the RTM version of Vista.

The new file layout also includes columns to let you know if the policy requires a reboot or logoff in order for the policy to take effect. (Note, it's not 100% accurate .. it's missing some , but it's a darn good start.)

You can filter the list easily on these columns, and use the usual Find feature (CTRL-F) to search for particular text. The older file for versions of Windows up to 2003 sp1 / XP sp2 is still useful if you are not moving to Vista just yet, as it shows which ADM files you will find the settings in when working with these older systems.

I'm not using Vista but I want to manage my IE7 deployment, what can I do?

In the last newsletter we talked about how you can use the blocker toolkit which you can use to prevent the installation of Internet Explorer 7 if you / your users / some applications you need are not ready for it just yet. If you are ready and want to roll out, though, you might like to download the ADM files for IE7 which will let you create GPOs which manage IE7 on XP sp2 and 2003 sp1 (the supported OS for IE7). Why didn't these ship as ADMX files? No idea. I wish they did.

Notes from the field: Protecting your users and computers from an "inadvertant" link of GPOs

Imagine this: You've got an OU full of users or computers. But corporate policy says "Don't link any GPOs to them." Maybe these are lab machines, or your machines or some other type of machine or user accounts which just shouldn't get GPOs. Okay, super.

All well and good until someone doesn't get the memo and still links a GPO to this OU.

Oops.

Now you have a problem.

Turns out, there IS a way to guarantee that no one can link a GPO to the OU.

Here's the trick (and stay with me here): don't make it an OU.

That's right -- don't use an OU for these accounts, use a "container." Just as the default containers for Users and Computers prevent you linking policies to them, so do any other containers you create. The accounts in here will still get domain and site policies, of course (subject to security filtering), but you can guarantee that they won't get any additional policy settings.

How do you create a container? Bad news -- it's not something you can do within Active Directory Users and Comptuers. But it is easy enough to do: use ADSIEdit.

On an admin workstation which has the "Ssupport Tools" installed (or directly on a server) fire up Start > Run and type ADSIedit.msc. (Note: if you are logged on without domain admin rights you need to use runas and provide an admin account for this procedure to work). You should see something like the screenshot below.

Choose the relevant domain and right click, select New > Object as shown here:

 gp

Choose to create a new container object class, provide a useful meaningful name for the new object and finally click finish.

gp

So now you have a new container which will show up in AD users and computers for example, but simply will not appear in the GPMC or any other GP editing tool since you can't link any policies to it.

Simple yet effective.

That's all the time we have for tips in this issue. please continue to submit your own tips or links to useful information in theGPanswers.com forums.


Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course? You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a "Group Policy "Rightsize" Tool" which helps you decide the best course to take for your situation. We have both private and public classes, so use the Righsize tool to get a total understanding of your options.

For the first time ever, we're making the "Less Intensive Three-day" course as well as the "One Day Advanced" course available to the public.

As Vista becomes more popular, we'll make our Vista classes more available. Right now, Vista classes are only available as Private classes.

public courses -- 2007 (First Half) scheduled

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go! So, here's the 2007 (first half) lineup:

  • Feb 1, 2: Seattle, WA: Two day Group Policy Intensive Course (XP Focused)
  • Feb 27, 28: Chicago, IL: Two day Group Policy Intensive Course (XP Focused)
  • Mar 1: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Mar 5, 6: Atlanta, GA: Two day Group Policy Intensive Course (XP Focused)
  • Mar 7: Atlanta, GA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Mar 13, 14, 15: Portland, OR: Three-day Group Policy Less-Intensive Course (XP Focused) -- Taught by James Conrad
  • Apl 17, 18, 19: Cleveland, OH: Three-day Group Policy Less-Intensive Course (XP Focused) -- Taught by James Conrad
  • May 9, 10: San Fran, CA: Two day Group Policy Intensive Course (XP Focused)
  • May 11: San Fran, CA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • May 21, 22: Wash, DC: Two day Group Policy Intensive Course (XP Focused)
  • May 23, 24: New York, NY: Two day Group Policy Intensive Course (XP Focused)
  • May 25: New York, NY: One-day Group Policy Advanced Course (XP/Vista Focused)

For any public class, sign up online at: https://www.gpanswers.com/workshop/ Some notes:

  • This is the first time the Advanced Group Policy course has been made available to the public. If you've taken the two-day or three-day course, check it out. If you sign up for the "Two-Day Intensive" and "One-Day Advanced" at the same time, you'll get $100 of the third day.
  • I'm working on updating the Two-Day and Three-Day classes for Vista and hope to make them an available course offering by March - April.

Here's a deal you can't pass up!

Okay, so I'll be in the above cities teaching the private classes. But how would you like to get a FREE student in the class? Easy: be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee! Such a deal! Lots of companies have been the hosts for public classes, and they've gotten free training. So, if you're interested in free training for one of your treammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6 - 8), the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan - or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/

For a private class, just contact me at [email protected] or call me at 302-351-8408.


Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available! New sponsors this time:

  • BeyondTrust Corporation with their BeyondTrust's Privilege Manager product.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected] Please POST your technical question on the GPanswers.com/community forum whenever possible. If you have questions about ordering a book, contact my assistantMark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Sep 2006
25

Issue#20

Newsletter 20: Looking ahead to Vista, IE7 and other upcoming software releases In this issue:

  • It's Issue 20
  • Industry Update
  • GPanswers.com updates
  • Moskowitz, inc. Technology Takeaway (r)
    • IE7 is on the horizon, how do I control my rollout?
    • What do I need to know about GP in Vista?
    • What about Exchange 2007, Office 2007 etc.?
    • How do I know what settings are available in each OS version?
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
  • Welcome new sponsors
  • Free Education!
  • Subscribe, unsubscribe, and usage information

This Month's Newsletter Sponsored by NetIQ

Download "Why Group Policy Matters," the informative whitepaper co-authored by Jeremy Moskowitz and NetIQ. This paper discusses the power of Microsoft's Group Policy and how organizations can better leverage the technology to address key business issues and help your organization attain its efficiency goals. Download the paper today.


GPanswers.com News

New assistant for the GPanswers.com community forum

While Ron takes a break, Adam Vero has stepped up to the plate to help keep GPanswers.com the best web resource for all things relating to Group Policy. Our thanks go to Ron for all his help in the past.

Adam has over 13 years of IT experience in a variety of fields including programming, teaching, systems management and now runs his own consultancy business, Meteor IT Ltd.

If you have not already joined in the discussions, why not come on in to the GPanswers.com forums and share your questions, answers, experiences and hot tips with other GP fanatics.  


Industry News: Microsoft Buys DesktopStandard

This, my friends, is a whopper.

If you haven't read the news, do so here. Now that you've done that, what exactly does this all mean?

Well, Group Policy (the engine) has a lot of moving parts called CSEs, or Client Side Extensions. There are 18 in XP and 21 in Vista. And DesktopStandard's PolicyMaker produc adds another 21 CSEs. So, if none get "cut", eventually we'll have 42 CSEs. (I predict several will be cut, like Powermanagement, because Vista already has a similar one.)

DesktopStandard also has (had?) a product called GPOVault: This is a "Check-in / Check-out" GP management system which is built right into the GPMC. I like this tool because, well, it's just built right in to the GPMC, which means I don't have to load ANOTHER console to do the dirty work. So, the idea is the Sally creates the GPO, Fred makes sure it's Kosher and Kirk puts it in play. All around a welcome addition.

The last "big" product DesktopStandard had was PolicyMaker Software Update. Imagine WSUS that actually worked with GPOs and that understood Active Directory. And, instead of using an SMS for the "really big guys", we could just deploy patches using GPOs! Wouldn't that be a great product? Well, that's what this was. However, I'm 99% sure this product won't see the light of day at Microsoft. Microsoft already uses WSUS for the "small" customers and SMS's patching technology for the big customers. This product kind of fit in the middle, and well, I bet that's about it for this product.

In the end analysis -- it's great. More stuff for GPO admins to know and love. And more power to do what they love to do.

Stay tuned for more info as it comes up. You bet I'll be all over this when I have more to share.

Technology Takeaway (r), a Service of Moskowitz, inc.

Looking ahead to Vista, IE7 and other upcoming software releases

IE7 is now at Release Candidate 1, so it's only a matter of time...

Maybe you have already tested IE7 and are happy that it interacts with your systems properly. Or perhaps you have some intranet application that either won't accept it (some look for a user-string of IE5 or IE6 specifically so they spit it out as being unacceptable) or don't work in some way (blocked popups causing issues for example). Or maybe you just haven't had a chance to test it yet. Either way, like all good system admins, you probably want to be sure that your users can get the most out of the new features and continue to work efficiently

You can download IE7 RC1 here if you have not already done so, and take a look at the new additions such as tabbed browsing and the phishing filter that mean Microsoft is closing the feature-gap on other browsers such as Firefox and Opera. Once IE7 is finally released it will be made available via Windows Update as a high-priority update. There has been much speculation that this means a high proportion of users will get the new browser before they know what to do with it, and before system administrators have been able to thoroughly test with intranets and other internal systems. Have no fear, it's a lot more controlled than that!

For starters, if you are using SMS, WSUS or SUS to manage all of your updates anyway, then read no further, you have it all under control (although if you are still using SUS 1.0 you should be aware that support ends on December 6th so you really ought to be upgrading to WSUS fairly soon).

So, if you're not using SMS or (W)SUS, what happens? Well, if your users are not local admins, then - nothing. They don't get prompted to install the update and it won't be pushed on them or automatically installed, period. If they are local admins then they will still get a choice to install or not - and we know how good some users are at making uninformed choices. For this scenario, Microsoft have kindly provided the IE7 Blocker Toolkit which will make sure that these less-managed machines won't get the new browser through Windows Update. In a nutshell, this blocking is done by creation of a registry key. The toolkit provides a script which can be run to create or remove this, and better still an ADM template to apply this via Group Policy. Here's a quick step-by-step on how to do this:

1) Download and run the IE7 Blocker Toolkit which will prompt for a location to extract the files, including the ADM file we will need in a moment.

2) Run the GPMC and create a new policy or edit an existing one which is linked to a location containing the computers which you wish to block from receiving IE7 via Automatic Updates

3) Navigate to Computer Configuration > Administrative Templates and right click > Add/Remove Templates. Click "Add" and Browse to where you extracted the files (see below)

 gp

4) Now that the ADM template is added, browse down to Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows UpdateAutomatic Updates Blockers. If you see "There are no items to show in this view" as shown below, then go to Step 5, otherwise skip to step 6

 gp

5) If you can't see the settings from the ADM file, you need to change the Filtering you have on. Go to View > Filtering and then CLEAR the box "Only show policy settings which can be fully managed" which is ticked by default as shown below.

 gp

6) Now you can see the setting to block the delivery of IE7 set it to "enabled" as shown below, and users will not get prompted by Automatic Updates to install this and if they do use the "Custom" feature of Windows Update they will be prevented from installing it.

gp

Unfortunately this won't prevent users with local admin rights from downloading and installing the browser as an MSI for themselves, but that's the reason to only let those who know what they are doing to have those admin rights in the first place, right?  

What do I need to know about Group Policy in Windows Vista?

Not much has changed, really - apart from a total re-write of the format for policy templates, where and how they are stored, and a whole bunch of new settings! The two most important things to understand are that your existing policies will simply continue to work on your existing machines, and that you can only edit policies for Vista and Longhorn on a Vista or Longhorn machine.So, what is happening to ADM files? The short answer is that any custom ADM files you have will continue to work and the new GPMC will be able to use them in creating or amending policies. But the new ADMX format and syntax (which is XML-based) provides a few key benefits.

The biggest of these is that you can create a single central store for ADMX files which are used by your policies, rather than each policy storing its own copy in the GPT, which can lead to sysvol "bloat" and slow down replication between DCs. The second important point here is the separation between the ADMX file which contains settings and their effects, and an associated ADML file which contains language-specific bits which are exposed through the GUI (the description of the settings and the "Explain" tab for example). So admins can view and manipulate the same policies using a different language interface, rather than all having to share a common language which may not be native to many of them. Of course, for in-house custom files the same is true - but someone has to write the ADML files to go with the ADMX.

You have probably heard that there are all kinds of new policy settings available to manage aspects of your Vista machines. Some of the most important classes are those for Power Management, Device installation and Removeable Storage. All of these are areas you may want to control centrally to manage costs (by reducing wasted power consumption) and business risk (reducing the ability of Joe from Sales taking the whole customer database with him on a USB thumbdrive when he leaves). Printer management and IE configuration have also both been made easier with GP for Vista. There's much more information on the MS website about these new Group Policy categories.

Other things which have changed in Vista Group Policy processing include:

  • the fact that the whole process now runs as an independent service
  • you can have multiple Local Group Policies (yes - policy local admins differently form your normal users at last!)
  • much better handling of connection status through "network location awareness" - slow link determination, or updating GP when a VPN is connected or a machine returns from hibernation for example

If you want to know more, get it straight from the horse's mouth by watching this 42-minute webcast:

Program Manager Mark Lawrence discusses the Group Policy improvements in Windows Vista 

(Live ID / Passport required to register)

One last thing for this edition while we're on the subject of Vista - your WSUS server won't get updates for Vista Beta editions without being configured to do so. Recommendation from MS is to configure a separate WSUS server (which must have WSUS sp1) just for your Vista Beta machines to update from, and configure this to fetch the updates from the MS Beta Update Server

Configuration is straightforward, simply by running a VBS script which is already on the WSUS server from a command prompt:

cscript.exe "%programfiles%update servicestoolsToggleMUUrl.vbs" beta

You can revert to the normal update server by repeating this command without the 'beta' on the end, but as already mentioned, you really ought to be doing this on a dedicated box anyway, and remove / reinstall WSUS completely once your Beta phase is over. More info here.    

What other GP goodies are there out now for upcoming products?

Just a couple of quickies about other upcoming bits of software which you may want to begin testing, and how this impacts on your GP world.

Firstly, Office 2007 brings with it a whole bunch of changes to the way it is deployed and of course more GP settings to control it. Significantly, to deploy from a central administrative install using GPSI you only need to point at the main MSI file and this will detect that this is being called by GP and go off to get all the MSI files it needs from the install point.

There is no longer on e single huge all-in-one "office.msi", in other words. Another big change for GP fans is that Outlook 2007 security can now be configured through regular Group Policies rather than having to configure a security template and publish this via the Exchange server. You can still do it the old way if you prefer, but for new installs a pure-GP method makes good sense. More about configuring security for Outlook 2007.

Of course, to manage Group Policy for Office 2007 you need to get the ADM files which are found in the Office 2007 Resource Kit here. (NB: this link only works if you are a registered Office 2007 Beta user, ie you installed the Beta, ran one of the apps and registered the product)

Exchange 2007 Beta can be run on 32 bit systems, although the final release code will only work on 64 bit and you won't get support if you put your production environment on the 32-bit version. However - for either platform you need to be running MMC version 3 (which we talked about in Newsletter 18) as well as .Net 2.0. Read more about MMC 3.0 here and download the version you need before you try and install the Beta. Click here to view the full system requirements for Exchange 2007 Beta 2  

How do I know what settings are available in each WIndows version?

A particularly common question, along with its cousin "where do I find the setting to do 'X'?"Periodically, MS issue a complete spreadsheet of all the Group Policy settings, along with the text you see on the explain tab to help work out what it does, and a column showing what the reuirements are (in other words, which OS version and other things are needed to make the setting work). You can filter the list easily on these columns, and use the usual Find feature (CTRL-F) to search for particular text.

The latest version of the Group Policy Settings file is up to date to Vista Release Candidate 1. If you are using Vista Beta 2 some of these settings do not apply, and you should check the Vista Beta2 GP settings instead, although the file is a lot less detailed. The older file for versions of Windows up to 2003 sp1 / XP sp2 is still useful if you are not moving to Vista just yet, as it shows which ADM files you will find the settings in.  

That's all the space we have for tips in this issue. please continue to submit your own tips or links to useful information in theGPanswers.com forums.


Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course. (It's true!) Online, we have a new-ish "Group Policy "Rightsize" Tool" which helps you decide the best course to take for your situation. We have both PRIVATE and PUBLIC classes. Again, use the Righsize tool to get a total understanding of your options.

Upcoming Public Classes, Appearances and Conferences

Public Two-Day Workshops for the Remainder of 2006:

  • Oct 12-13: Phoenix, AZ -- FULL ! (Come to Portland, Dallas or Seattle)
  • Oct 23-24: Portland, OR -- 11 seats left ! (Special note: No laptop required for this course. Leave your laptop at home if you want!)
  • Oct 30-31: Dallas, TX-- Lots of seats left
  • Nov 21-22: Seattle, WA -- Lots of seats left

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: https://www.gpanswers.com/workshop

(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan - or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/

For a private class, just contact me at [email protected] or call me at 302-351-8408.

Free Education with Moskowitz / Microsoft / Techtarget / Dell Roadshow

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools!

The roadshow is still rolling until November, so there’s a good chance we’ll be near you soon! Check it out and sign up here.

Upcoming Conferences

  • TechMentor: Oct 9-13 in Las Vegas. I'll be speaking on Win/Lin integration topics. All sorts of other good stuff. Check it out here. Use promotion code 'moskowitz' when signing up.
  • WinConnections: Nov 6-9 in Las Vegas. I'll be doing a pre-con on Group Policy, then some regular sessions on locking down computers, some awesome tips on Group Policy tools, and how to integrate Windows and Linux into Active Directory. Check it outhere.

Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available! 

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistantMark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jul 2006
21

Issue#19

Newsletter 19: The File Server Migration Toolkit In this issue:

  • It's Issue 19
  • GPanswers.com updates
  • Moskowitz, inc. Technology Takeaway (r)
    • "Deep Dive" into the File Server Migration Toolkit
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
    • Classes and seminars
  • Welcome new sponsors
  • Free Education!
  • Subscribe, unsubscribe, and usage information

This issue, we've got another "big article". It's about the File Server Migration Toolkit. Why should you care? How is it related to Group Policy? Ah the suspense ! So, without further ado!


This Month's Newsletter Sponsored by NetIQ

Learn how to leverage Group Policy’s capabilities to secure and manage your desktop. Moderated by Active Directory guru Jeremy Moskowitz, this information-packed Webcast will show you how business objectives can be paired with Group Policy settings for a more secure and managed environment. Sign up today for the live webcast on July 27th.


GPanswers.com News

Announcing 1-day Advanced Group Policy Course

Have you already taken the two-day or three-day workshop? Are you looking to get "more" of what you already love? Then check out our one-day Advanced Group Policy course. We cover four big topics:    

  • How to create a “totally locked down” workstation
  • How to use Group Policy tools to increase your troubleshooting ability
  • How to zap registry punches down to your client machines with ADM templates and tools
  • How to leverage a test lab for good Group Policy deployment practices

It's a one-day hands-on course. Right now, it's only available as a private class. So, if you want me on site, you can add this on to you two or three day workshop class -- or just have me come by for the day!

New "Rightsizing Tool" for GPanswers.com Training

I'll talk about this a little later in the newsletter. But I haven't always done a good job making it easy to decide which Group Policy class is ideal for each person or organization. Now, online, I have a new “Group Policy ‘Rightsize’ Tool” which helps you decide the best course to take for your situation. Check it out here.

New "At a glance view" of newsletter archives...

People were telling me it was hard to know what was in each previous newsletter. Too much to read to find out. Well, now at www.GPanswers.com/newsletter you'll see an at-a-glance view of all our old archives. Just find the newsletter you want -- and enjoy!

In case you didn't get the memo...

Free gift to anyone who has ever taken a GPanswers two-day or three-day Group Policy workshop (where either James or I was the instructor).

It's about time I said thanks. So, thanks!

Here's the deal: the gift is free, the shipping isn't. Sorry, I'm a small business, and that's the breaks.

Shipping for your free gift is only $5, though.

And if you hate the gift, I’ll cheerfully refund your $5 and you can keep the gift. Really! (I sound like Ron Popeil, don’t I?)

Here's the fine print:

  • Shipping for the gift is a flat $5
  • We can accept Paypal or credit card for shipping
  • US residents only
  • If you can remember, please specify which public class or private class you attended (location and approximate month and year).

Note, that if you like the gift, but have never taken the two-day or three-day class, you can get one for a whole $12 (including shipping). Gifts ship right away.

Technology Takeaway (r), a Service of Moskowitz, inc. -- All About the File Server Migration Toolkit

Admit it. You've got 'em. Windows NT and Windows 2000 file servers that you just can't seem to shake. You know you want to get your file servers updated to Windows 2003/SP1 or Windows 2003/R2. And, we both know why you're not there yet: users are using UNC paths to point to shares on these file servers. And you know that if you move the data from the original servers to the new servers, all those users with UNC paths pointing to those shares are going to call the help desk (then the help desk is going to hunt you down, and you'll have to go into hiding.)

Or how about this sticky Group Policy problem: you got started using Group Policy Software Installation, and serving your installations using one file server. Now you have 50 GPOs deploying applications to your Windows XP and Windows 2000 machines. But, oops! You're ready to turn off that original file server.

But you can't.

Those 50 GPOs are depending on it.

What are you going to do?

A typical environment where files and software are originally being deployed from a Windows 2000 file server and/or Windows NT files is seen below.

gp
Figure 1: You're currently depending on NT 4 and Windows 2000 file servers (aren't you?)

So just turning off these servers isn't an option, and just copying the data to new shares on a new server isn’t an option. So what are you going to do? The good news is that there’s an answer [solution?] to these two tales of woe. Microsoft has a cool tool to help you take control of your old file servers and bring the data into the 21st century—seamlessly.

Enter the File Server Migration Toolkit . . .

    The File Server Migration Toolkit, or FSMT is a free download available here. The FSMT consists of three parts:

  • DFS Consolidation Root Wizard: This is another GUI tool which works some serious magic. It allows you to maintain the original UNC paths of the servers, even if you’re planning on ultimately turning those servers off.
  • DFSconsolidate.exe: This is a command line tool which is called by the DFS Consolidation Wizard. While it’s possible to use this tool on its own, we’re only going to explore its use in conjunction with the DFS Consolidation Root Wizard.
  • File Server Migration Wizard: This is a GUI tool which helps you plan your migration from the source servers to the target servers. Then, it actually performs the copy of the original files to the target destination. We’ll explore this a bit later.

Understanding Our Goals . . .

The first thing to know is where to start. You need to pick a source server (where the files are currently stored) and a target server (where you will migrate the files to). Let’s work through an example to help us understand where we are and where we’re going. Our Before Picture: You can see this in Figure 1. We have an NT 4.0 file server (nt04) with three shares containing user data. We have a Windows 2000 server with one share used to deploy software. Let’s take a closer look at what’s happening in our world. Our Windows XP machine needs access to the following:

    • nt04ntshare1
    • nt04ntshare3
    • w2ksoftware

Our Windows 2000 machine needs access to these servers and shares:

    • w2ksoftware
    • nt04ntshare2

Now, let’s introduce our target file server, fileserver6, whose job it will be to receive these shares and requests.

Our After Picture: The goal is to consolidate these existing shares onto fileserver6 and turn off the Windows 2000 and NT 4 servers. We need to perform this task in a way which preserves the original paths of each of the aforementioned shares. Yes, you read that right. We want to be able to access the data that’s currently on the computers we’re turning off as if they were still turned on. Oh, and of course, you want to make sure security is preserved all along the way.

 gp
Figure 2: Our goal is to turn off the NT 4

and Windows 2000 file servers but allow access to all data using the original server names (even though those computers are off

Here, in Figure 3 we can see our Windows XP machine accessing a directory of files on both nt04ntshare1 and nt04ntshare3 shares. The goal is for this Windows XP machine to continue to perform the same commands, using the same UNC paths after we move the files and turn the original file servers off.

gp 
Figure 3: Here, our Windowx XP machine is viewing files via UNC paths

To get to our promised land, we'll leverage a part of Windows that has been around for a while, but still isn't in widespread use: the Distributed File System, or DFS. DFS's goal is to accept incoming connections and route them to existing shares (this is sometimes called referrals). You might say it's like a "share of other shares" because it allows you to basically "hang" existing shares off a new DFS share, or, more technically the "DFS root". There are two kinds of DFS roots: standard and domain-based (sometimes called an Enterprise root). Standard roots only live on one server. Enterprise roots live at the domain level, which means that they're fault tolerant. If one server that's part of the DFS referrals goes down-no problem-referrals just keep on truckin'. Learn more about DFS (which is substantially different in Windows Server 2003 than in Windows Server 2003 / R2) by reading more at the following link.

Here's the roadmap to get to your destination:

  • You'll determine where you want to stash your new files. In our example we're going to be using fileserver6.demo.com.
  • You'll rename any file servers you plan on permanently retiring. Since you're retiring them anyway, it doesn't really matter much what the name becomes.
  • We'll be renaming our nt04 server to nt04-ret to signify that it's retired. Same goes for w2k to w2k-ret. Then, finally, when we're all done, we'll be turning off this server permanently.
  • We'll use the DFS Root Consolidation Wizard to control basically, "reroute" new incoming requests for the retiring servers (nt04 and w2k) to the new location (fileserver6). Note that I could use two separate servers in my migration example. That is, I could use one server to hold the DFS Roots and another to hold the files. However, to keep things simple, I'll use fileserver6 for both roles.
  • We'll actually move the files we need from the shares on our old servers to our new location on fileserver6.

So let's do it!

Getting Started with the FSMT and DFS Consolidation Wizard

The FSMT comes as a single MSI, but, as we stated has three separate components. The File Server Migration Wizard is meant to be run directly on the target file server. However, the DFS Consolidation Root Wizard and the Dfsconsolidate.exe command-line tool can be run anywhere; you can choose to run these tools on the target server or not.

Note the FSMT documentation makes special note of MSKB article 829885 which talks about a DFS hotfix. The implication is that this hotfix must be loaded upon the target DFS server. However, this hotfix is built into the Windows Server 2003/SP1, and is not needed when the target server is Windows Server 2003/SP1 (in my case fileserver6.) However, the FSMT documentation doesn't tell you one critical step: be sure the DFS service is started and set to Automatic for future restarts.

After the FSMT is loaded, as I mentioned earlier, we must change the name of NT04 server to nt04-ret and the name of w2k to w2k-ret (or something else that's meaningful to you). The reason why we must change the name is so that when clients try to connect to nt04 or w2k neither actually exists anymore. And, we'll be able to fool those incoming requests to nt04 or w2k into shimmying over to the new place on fileserver6.

In my tests, renaming an NT4 server wasn't as easy as I would have liked. Simply renaming it doesn't magically change the name in Active Directory (like it would if I renamed a Windows Server 2003 or Windows XP machine). I had to drop the machine into a workgroup, rename the machine, and rejoin the domain (demo.com.) And, of course, along the way several reboots were required. Finally, I had to delete an orphaned computer account for NT4 using Active Directory Users and Computers. In contrast, renaming the Windows 2000 server was a snap. Just rename and reboot -- easy. No muss, no fuss.

Now that my NT4 server and Windows 2000 servers are renamed, I'm ready to run the DFS Root Consolidation Wizard. The Wizard is pretty straightforward, asking only a minimum of information:

  • DFS root server: This is the location where the DFS root will be held. In DFS terms, this will be a "standard root"-which exists solely on the server you specify. Note that the root cannot be on a Domain Controller. In my example, I'm choosing to put the DFS root on the same server where the files will ultimately go-fileserver6. However, you can create the root on a server cluster if you want to increase the redundancy of the stand-alone root.
  • Local path of the folder: This is the top level directory where you want to store each migrated server. If we were migrating 10 servers, you would expect 10 subdirectories underneath this top level directory containing names of each migrated server. For my examples, I'm choosing the name c:migservers
  • Specify which servers to consolidate (as seen in Figure 4): Here, you'll map the original name to the current name (as seen below.). We're migrating two servers, (original name nt04, current name nt04-ret and original name w2k, current name w2k-ret) so we'll have two mappings in the list.

gp
Figure 4: The "DFS Consolidation Root Wizard" helps you map renamed servers to original names

If the Wizard finishes without errors, you've completed the first big step. Now, before you do anything else - take a moment to pause and check something out: Go back to your Windows XP machine (see first figure) and run those exact same dir commands access the servers and shares nt04ntshare1 and nt04ntshare3. Without rebooting the Windows XP machine (or logging off and back on), note those same dir commands just continue to work! This is because the DFS Root Consolidation Wizard has now mapped nt04 to nt04-ret-so all the shares via UNC paths still work.

And, let's take a quick second to see what really happened in the c:migservers folder on fileserver6. Below, you can see it created two subdirectories, which are each shared, and which contain another subdirectory of each server's original share.

 gp
Figure 5: The DFS Consolidation Root Wizard created a new share representing the old server

However, using Explorer locally and drilling down to one of the directories, say, ntshare1, will get you an error. This is because a DFS link only points to the right (new) location when using a remote referral (not a local one). Also note that each server is now represented by a share, #servername, such as #NT04, seen above. This was created by the DFS Consolidation Wizard.

It is possible to use the DFS Consolidation Wizard if your shares are on Domain Controllers. However, the same rule applies for Domain Controllers as for regular file servers. That is, the server (Domain Controller) must also be renamed. And unfortunately this can be a pain in the neck. Microsoft does have some Domain Controller renaming guidance:

  • For NT 4.0 Domain Controllers, see MSKB 150298
  • For Windows 2000 Domain Controllers, see MSKB 296592
  • And, even though it's easier still with Windows Server 2003, there's some guidance at MSKB 325354.

There is one piece of magic that the DFS Consolidation Wizard cannot directly help with, and that is if you already have hard coded, persistent mappings. Meaning that if someone has used the /persistent flag while using the net use command to map a drive letter (or the corresponding Explorer commands) those mappings will now fail. But if you're using log in scripts to map the drive letters each and every time a user logs in-no problem! This is because every time a request goes to the old server name, a new lookup to the DFS is generated and routed appropriately.

Actually Migrating the files

  To actually migrate the files, you create a project contained within the File Server Migration Wizard (FSMW), which appears as an icon on the start menu. The beginning steps are rather straightforward: create a new project, point the File Server Migration Wizard toward the new DFS consolidation point you created earlier (fileserver6), and watch it recognize the servers, as seen in Figure 6.

gp 
Figure 6: The File Migration Wizard should recognize your servers after you consolidate them using the DFS Consolidation Wizard

Then, you can tell the FSMW which directory you want to plunk the new files in. I chose a new directory on fileserver6 called c:migfiles.

A quick note on what is and is not copied. Of course the files themselves are copied. But the FSMW also copies both NTFS and shared folder permissions. What aren't copied are references to local groups. If local groups have permissions on the source's shared folders, you can use the Resource Kit tool SubInACL.exe to adjust the permissions before or after the migration to replace the local groups, or you can use a local group migration tool like the Active Directory Migration Tool (located here ).

When the project is formed, you then have the ability to make any micro-adjustments you might need (as seen in the circled area on the right of Figure 7). For instance, you might want to put the contents of ntshare1 in a directory named "Sales stuff" instead of ntshare1. This might boggle the minds of your users, but you may have a valid reason.

gp
Figure 7: You can change settings for each share if desired, then click Continue to step through the rest of the Migration.

Finally, you can just step through the rest of the process by clicking on the Continue button, circled above at the bottom of Figure 7. The process is painless, but could take a (long) while depending on just how many servers you are consolidating. For lots and lots of servers, consider breaking up the effort into multiple "projects" to allow for some settling-in time and attention to errors. If there are errors during the copying you'll have the ability to fix the errors and retry. A nice touch is that the target servers are still available during the copying phase. In other words, there's no server downtime from the copying of files from the source server to the target server. Additionally, because it's possible to repeat this phase multiple times to fix errors, another nice touch is that only failed copy attempts are retried. You don't need to copy the whole universe again if you've already copied 90% of it.

The last phase is called Finalize. This phase should really only be done when users won't be accessing the servers. That's because in this phase, you'll disable any original access to the source shares and close any open connections. Additionally, all other project settings are locked.

At this point, you're ready for your final test. Unplug the network connections from the original servers. Then, like we did with our Windows XP machine, make sure you can get to the copied servers using the original UNC path names.

Once you're satisfied that you can get to the copied data using the original UNC paths, you can turn off your old servers, recycle them, reformat them and redeploy them for another purpose, or make a fish tank out of them (or any another arts and crafts project you'd like).

The Future of the File Server Migration TOOLKIT?

The FMST is a great tool which gets the job done. However, there are some small nitpicky points that I’d love to see addressed going forward.

As stated, the FSMT uses what’s called “stand-alone” DFS roots to do the job. In other words, it puts the DFS root on one specific server. Sure, in my example, I used fileserver6 for both the storage of the standalone DFS root as well as the ultimate storage point for my migrated files. However, I could have also split the duty between file servers. That is, one server could house the DFS root, and another server could have held the data. So, what would happen today if that server holding the DFS root went offline? That would be a major problem, because there would be no way to route to the new file server(s). The ideal solution would be to use the more powerful domain-based roots which are fault-tolerant. Then if the one server holding the DFS roots should fail, the fault-tolerant nature of domain-based DFS would kick in. Today, FSMW doesn’t use domain-based, fault-tolerant roots, but I really wish it did. Again, as I mentioned earlier, a workaround would be to put the standalone root on a set of clustered servers. If one server went down, referrals would continue. The FSMT product team tells me that all parts of FSMT are fully cluster aware and compatible: it will create cluster consolidation DFS roots and add cluster names instead of DNS aliases if roots are hosted on cluster. So – nice touch.

Another problem is that you simply must rename the servers to do any of the redirecting magic. I would love to keep the server, name intact, and just redirect a specific share. This would allow me to keep using the server for whatever else it’s doing, but just migrate the specific shares I want to. To do this, we would need symbolic links within the original share that would route us to the new goal. But right now, Windows Server 2003 isn’t quite there. Perhaps with Longhorn server.  

The last note here is that you’re not actually forced to turn off servers you’ve migrated from. You can, if you so choose, keep the server online performing other roles. The problem is that it might be a challenge having other network services and clients find the newly renamed machine. DFS is some pretty strong magic, but it’s only for files; lots of other services won’t be able to magically find the newly renamed server.  

The FSMT is a cool tool, which works as advertised. And the price is right—free. It should be noted that as good as the tool is, it’s not meant to be a permanent solution. The help file notes that these consolidated DFS roots shouldn’t be maintained forever. The idea is that over time you’ll properly design your DFS, point users toward the new, updated structure, and then phase out the roots you created with the DFS Consolidation Wizard.  

Hopefully this will get you out of some tough jams, and into your 21st century file servers. Other FSMT resources:

  • Newsgroup support
    • You can use the microsoft.public.windows.server.migration newsgroup to ask questions about the File Server Migration Toolkit.
  • The FSMT Solutions accelerator (additional guidance)

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here. Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course. (It's true!)

And, historically, I haven’t done such a hot job in making it obvious what your available options are for public and private training. So, here’s the executive summary. Online, we have a new “Group Policy ‘Rightsize’ Tool” which helps you decide the best course to take for your situation.

Two-day intensive Group Policy workshop class

  • This course is best for Domain Administrators and qualified OU administrators.
  • This course has “intensive” in the name, so be prepared to work and learn!
  • This class is available as a private two-day course.
  • This class is available as a public two-day course.
  • Consider adding the One-Day Advanced course (below) as a third-day (if taking as a private two-day)

Three-day “Less Intensive” Active Directory warm-up and Group Policy workshop class

  • This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions.
  • Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.
  • This class caters more to OU administrators (than Domain Administrators)
  • This "Three-day less-intensive" course is ONLY available as a private course.
  • Consider adding the One-Day Advanced course (below) as a fourth day

One-day Group Policy “advanced” class

  • This class is a great “add-on” after your two-day or three-day Group Policy class. We cover four big concepts in this class:
    • How to create a “totally locked down” workstation
    • How to use Group Policy tools to increase your troubleshooting ability
    • How to zap registry punches down to your client machines with ADM templates and tools
    • How to leverage a test lab for good Group Policy deployment practices
  • This class is only available as a private course. Consider adding it to your two-day or three-day private course as an additional day.
  • It is suggested (though not required) that students attend either the two-day intensive or three-day less-intensive Group Policy workshop classes before this one.

Upcoming Classes, Appearances and Conferences

Public Two-Day Workshops for the Remainder of 2006:

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Free Education with Moskowitz / Microsoft / Techtarget / Dell Roadshow

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools! Did I mention this is 19 cities?? So, there’s a good chance we’ll be near you soon! Check it out and sign up here.

Upcoming Conferences

  • TechMentor: Sep 25-29 in Las Vegas. I'll be speaking on Win/Lin integration topics. All sorts of other good stuff. Check it out here. Use promotion code 'moskowitz' when signing up.
  • WinConnections: Nov 6-9 in Las Vegas. I'll be doing a pre-con on Group Policy, then some regular sessions on locking down computers, some awesome tips on Group Policy tools, and how to integrate Windows and Linux into Active Directory. Check it outhere.

Welcome New Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before! Recently we've added:

  • NetIQ: Group Policy Administrator
  • Smartline: Devicelock

So, head on over to the Solutions Guide and see what other goodies are available!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistantMark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!