View Blog

May 2004

In this issue:

-Jeremy's put together his first newsletter!
- Moskowitz, inc. and updates:
- It's OUT! The most anticipated sequel of the year!
- How to get your copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
- Join us at
- Upcoming Group Policy intensive class: onsite and public
- Upcoming conferences and appearances
- Moskowitz, inc. Technology Takeaway (r): five juicy questions (and answers!)
- Subscribe and unsubscribe information


Can it really be true? Jeremy's put together his first newsletter!

If you're getting this newsletter, it probably means that you've handed me, Jeremy Moskowitz, a business card at a conference, meeting, or seminar -- or you've specifically asked to be part of this list. I've converted your email address from the business card to this email listserver, which can easily handle subscribing and unsubscribing, as well as offering a host of other features. All information on subscribing and unsubscribing can be found at the end of this newsletter. If you choose to unsubscribe, you won't get any more newsletters like these.

However, I hope you stay with me! This newsletter's intent is to keep you updated on the comings and goings of Moskowitz, inc. and, provide a technical tip or three, and generally keep you apprised of the state of affairs. In the words of Scott Adams, the creator of Dilbert, this newsletter will come out "roughly, whenever I feel like it." Some newsletters will have lots of news. Other issues will be shorter. In all cases, I'll try to make efficient use of your time.

I do hope you'll stay aboard. Moskowitz, inc. and updates

Here's a brief rundown of what's new at Moskowitz, inc and


It's OUT -- March 22nd! The most anticipated sequel of the year!!

...and it's 100% Jar-Jar Binks free!

That's right! The follow-up to the wildly successful Windows 2000: Group Policy, Profiles and IntelliMirror is here! It's called Group Policy, Profiles and IntelliMirror for Windows 2003, Windows 2000, and Windows XP. If you liked the first one, you're going to love this edition!

It's not an update -- it's an OVERHAUL!

The best news is that 90-95% of the material is applicable to Windows 2000 users. Even if you have just one Windows XP machine in your domain, you'll want to take a look!

Here are the major changes:

- We shifted the focus primarily to Windows 2003 Server and Windows XP (from Windows 2000 Server and Professional). The Group Policy Management Console (GPMC) changes everything.

Warm-ups and usage are in Chapters 1 and 2. We continue all examples of Group Policy application by demonstrating the GPMC in the remaining chapters of the book.

- The "secret underbelly" of Group Policy Processing has changes for Windows XP. Come to Chapter 3 to find out what. I've also made sure to have the most technically accurate information for Windows 2000 processing possible. (Chapters 1, 2, and 3)

- Group Policy Troubleshooting is never easy, but with additional techniques in Chapter 3 and Chapter 4, you'll have that extra edge!

- If you're getting into automation with scripting, Chapter 7, "Scripting Group Policy Operations," is for you. This chapter, written by the one and only Bill Boswell, will quickly get you up to speed with a gaggle of great stuff you can do once you learn the scripting interface. All in all, this chapter will just make your life easier. We even have a super-secret trick in the book to script the "push" of GPOs to your client systems! Zowie!

- There are lots of new add-on tools available for Group Policy management. Some are in the Microsoft Windows 2003 Resource Kit, others are third-party products, and others are free tools. There's even one feature of the GPMC which can be thought of as an add-on to help us migrate GPOs from one domain to another. It's all in the chapter entitled "Group Policy and Profile Tools."

- Security is a hot topic. Group Policy lets you access the heart of the security within Active Directory and across your whole network. Chapter 6, "Group Policy Security Implementation," is completely revamped to home in on this important subject. There is information here that is simply not available in any other text.

- Other changes you'll find in the book include new strategies for ADM template management (Chapter 5), Windows XP Profile behavior (Chapter 8), Windows XP folder redirection changes (Chapter 9), Group Policy software distribution changes (Chapter 10), remote Installation Services changes (Chapter 11), migrating GPOs with the GPMC (Appendix B), and a third-party tools list (Appendix B).

- Oh, and did I forget to mention the five downloadable web resources? Everything from Restricted Groups tables to a quick reference of all the newest policy settings for Windows 2003, Windows XP, Windows XP + SP1, and Windows XP + SP2!

So I hope you'll agree with me: this edition isn't just a revision, it's a total overhaul! This book is in the Mark Minasi Windows Administration Series. And Michael Dennis, the Lead Program Manager of Group Policy at Microsoft, kindly provided the Forward. Here's an excerpt from the Foreword:

At Microsoft, we have a lot of downloadable documentation on Group Policy, Profiles, and IntelliMirror (r). What Jeremy provides with this book is a "one-stop-shop" for practical, how-it-works information, including real-world examples of implementing and troubleshooting Group Policy, Profiles, and IntelliMirror. Indeed, his digging and prodding into the Group Policy internals means that there is information in his book that you simply cannot find anywhere else. Jeremy has always provided an independent eye into how Group Policy works. Best of all, his writing style will keep you engaged throughout the entire book.

Jeremy's book uncovers the basics of Group Policy and GPMC and then reveals the hidden nuggets that truly unleash the power of Group Policy. He describes the many underlying and overt changes since Windows 2000 that make this book a valuable successor to his previous work. The practical, (often prescriptive) technical information just keeps rolling in -- chapter after chapter.

-- from Michael Dennis, the Lead Program Manager of Group Policy


Buy Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 in three ways!

If you're ready to get crackin' with your Group Policy workout, you can get the new book in one of three ways:

- You can order it from Amazon for $35.00 plus shipping by clicking here:

- You can order it from Bookpool for $30.95 plus shipping by clicking here:

- If you order the book from me, I'll sign the book for you, free! I've had many requests for this service, and I'm honored that you would want it! If you order it from me, you get the book, shipping included! Usually, I try to ship out the week's orders on Mondays and Thursdays. If you need a guaranteed shipping date, then Amazon might be a better choice. The cost is $45. The slight extra cost goes toward the shipping from SYBEX to me, then me to you (not for the signature.) Again, note that shipping -is- included.

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding! Order your signed copy today by clicking
Join us at


You've got questions, we've got answers. And we won't ask for your home phone number like Radio Shack. Come join your peers at for the following goodies:

- All the Web downloads from the book (you don't have to track them down at SYBEX's Web site)
-Additional ADM templates
-Additional VB scripts
-Pointers to all the best Microsoft Group Policy stuff
-Newsletter archives
-And an ongoing battery of new stuff as it comes up!

Best of all, there's the Discussion Forum!

Here, your peers are waiting to chat with you about all sorts of Group Policy, Profiles, and IntelliMirror topics: everything from troubleshooting to trying something new! And you never know who might be lurking and posting -- just waiting to answer your question or hear your feedback.

We've already received a lot of buzz... so, c'mon and join the fun! Note that joining the Forum doesn't automatically join you to the newsletter, so, if you're receiving this newsletter because someone forwarded it to you, be sure to sign up for both!
Subscription information can be found at the end of this newsletter.


Now Available! Group Policy intensive class! Public and Onsite!

You've asked for it, and here it is: a two-day Group Policy intensive workshop! It's really three days of stuff presented in two days. If you need to get up to speed and get using that Active Directory you've got lying around, then this is the class for you! It'll consist of about 50% instruction, 50% demos, and 50% hands-on practice. Okay, somehow, that's 150%! But would you expect anything less?

You can see an outline of the course here: And... This class can be taught as a private class within your company (with all the personalized attention that affords). Just email me at [email protected] for details.


Technology Takeaway (r), a service of Moskowitz, inc.

Here are some questions on people's minds recently...

QUESTION 1: Can you have different policies governing different types of users within the Domain? Specifically I am looking to have non-privileged users expire and change passwords every 45 days and privileged users every 30.

ANSWER: Unfortunately, no. You cannot have different Account or Password policies within the domain. If you must perform what you describe, you must have two domains.

QUESTION 2: I have a standalone PC with Windows XP Professional and I want to create a few users with restricted use. For example, remove the icons on the desktop or take away "run" in the Start menu. Now I have tried this with GPEDIT.MSC, but when I do, even the Administrator account is affected. How can I log on as an Administrator and restrict users for certain parts but not get the restriction myself?

ANSWER: You should avoid using GPEDIT.MSC on local machines. When you do this, you have the least amount of control over your Active Directory. Really, you're only able to control just that one machine. Instead, you should set up GPOs linked to the domain-level or OU-level to affect your users or computers. You can use Group Policy filtering (via user groups) to specify which specific users or computers will be affected. You can remove Administrators from the processing in this fashion.

QUESTION 3: Can you restrict the use of floppy and/or CD-ROM drives on workstations in a domain with Group Policy?

ANSWER: Yes. Check out these two policy settings: User Configuration|Administrative Templates|Windows Components|Windows Explorer | Hide these specified drives in My Computer And User Configuration|Administrative Templates|Windows Components|Windows Explorer | Prevent access to drives from My Computer

QUESTION 4: We have a Win2000 Server network environment and are running AD. About 95% of our end-user PCs are Win98 SE. How do I set Group Policies so that I can restrict end users' ability to change wallpaper, etc?

ANSWER: Bad news. Active Directory Group Policy cannot affect Windows 98 clients. Group Policy only affects Windows 2000, Windows XP, and Windows 2003 machines. You'll need to use old-style SYSTEM POLICY, which creates CONFIG.POL files. Remember -- these SYSTEM POLICIES will be permanent entries in your registry until you specifically change and invert the settings (a distinct disadvantage to Active Directory Group Policy).

QUESTION 5: I want to leverage GPOs such that a temporary user can log on only to the computer he is given. Once there, I want him to only be able to use Word, Excel, Acrobat, and Internet Explorer, but not be able to access Windows Update, Yahoo, or Hotmail. I am new to both Active Directory and Group Policy, and I don't want to mess with other users.

ANSWER: This question has a fourfold answer:

1. First, load a workstation with the specific software you want him/her to run. Your list above is fine. You can do this manually, or via Group Policy Software Installation.

2. To restrict a user to a specific computer, you need to be running NetBIOS. Then, in the user's Account tab, click the "Log on to" button and specify the computer you want to restrict the user to.

3. Users, that is, non-administrators, cannot go to Windows Update. You don't have to do anything to restrict access to this site.

4. To restrict users from all other Web sites, you'll need to get familiar with how to implement Internet Explorer Maintenance policies -- either via local GPOs or via Active Directory GPOs. The process is fairly detailed, but here are the steps in a nutshell: Configure a computer's IE settings to be as restrictive as you want, then use the Internet Explorer Maintenance Settings (specifically, those located in User Configuration |Windows Settings | Internet Explorer Maintenance | Security | Security Zones and Content Ratings) to import the current computer's settings. Then the other computers you apply the GPO to will embrace the same settings as well.

In short, you may be new to Group Policy, but you'll have to get familiar with it to do lots of tasks -- so, better get started learning!


Subscribe and Unsubscribe Information

- subscribe to this newsletter
- unsubscribe from this newsletter

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:

Thanks for reading!

Comments (0)

No Comments!