May 2004

In this issue:

  • Moskowitz, inc. and, er, updates
    • Help rise to the top!
    • Helping your fellow Group Policy administrator!
  • Upcoming conferences and appearances
    • It's free! Windows Server 2003 Group Policy Essentials Webinar
    • Not free... but worth it! Upcoming classes.
  • Moskowitz, inc. Technology Takeaway (r): five juicy questions (and answers!)
  • Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
  • Subscribe and unsubscribe information

Moskowitz, inc. and, er...

It's stunned analysts everywhere. Okay, actually, no one seemed to notice. But, I've decided to change the name of to

Why the change?

Well, the GPO (Group Policy Object) is the "molecule" that makes the Group Policy world go round. However, the name wasn't all encompassing enough.

In reality, the forum and the web site are about all aspects of Group Policy, not just the GPO "molecule."

To that end, I've renamed it to be Note that will still point to the same place.

Help rise to the top!

There's only one "go to" location for Group Policy help on the web. And that's.!

Only problem? Our Google rank is in the tank.

I'm not a "Google-head" -- that is, I don't have a genuine understanding of the Google-rhythm, or whatever the algorithm is called that pushes certain pages to the top of the ranks.

Long story short, the only thing I know that helps is if others POINT to the web site. So, if you're interested in helping out the community, then, please create a web site link from your web site to

You'll be helping everyone who is interested in getting some extra Group Policy help.  

Helping your fellow Group Policy administrators!

Hopefully, you're finding the updated resources of useful. We have some dedicated folks in the forum ( constantly knocking out questions for others in need.

If you're an expert (or use Group Policy a lot) we would encourage you to help out others! That's the spirit of the forum ...give a penny, leave a penny... er, ask a question, answer a question.

Also, if you come across something that's new and exciting which EVERYONE should know about, then let me know.

I'll make it a permanent link in the site.

Note that I've changed the policy of the forum a bit. That is, we now require that you are a registered member of the forum to post. This is because guests don't have the ability to receive emails when someone responds to their posts. And we want to make sure that all answers are getting to their respective question-askers.

Upcoming Conferences, Appearances and Classes

It's free!

Windows Server 2003 Group Policy Essentials Microsoft Technet Webinar


From the Microsoft site:

Just getting started with Windows Group Policy? Unsure of where Windows® Group Policy applies or how to manage them? In this session you'll learn just what Group Policy is, and how you can deploy it correctly. Join this webcast to hear Active Directory and Group Policy guru Jeremy Moskowitz (from and author of the recently overhauled "Group Policy, Profiles and Intellimirror for Windows 2003, Windows 2000 and Windows XP") teach you the ropes. Learn how to modify Group Policy objects to lock down desktops and manage your user environments. Gain insights into the thorny issues surrounding permissions. Discover how to delegate the job of creating Group Policy. Last, you'll learn how to troubleshoot Group Policy -- through tools and with your bare hands.

Sign up here:

Not free... but worth it! Upcoming classes

We'd love to see you in the upcoming two-day Group Policy intensive training and workshop class. Here's what one IT manager said after taking the training:

Facing the challenge of upgrading our multi-site user environment I was very concerned with my staff's limited knowledge of Group Policy.

Much like most sites we struggled with estimating outside resource requirements for our Active Directory project. Looking for Group Policy specific training proved to be a challenge and I turned to a resource from my computer security group who recommended Jeremy.

After speaking with Jeremy about the classes I immediately identified him as someone who would be a valued resource, as he clearly understood many of the problems I was facing. After the class which wrapped up on 4/24 I find myself adjusting my project plan, as my staff went from being unsure of the challenge ahead to being able to confidently plan and implement a strong Group Policy environment.

The class was very detailed and Jeremy really knows how to control the class. The labs are great assuring that everyone can touch and feel Group Policy. Jeremy proved to be a solid professional, and from what I can tell one of the few who can drill down to the expert level in Group Policy.

Maurice McClain,
GSEC Manager IS Operations

Thanks Maurice!

Also, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

Indeed, at TechEd 2004 Mark Williams from the Group Policy team encouraged the 1500 attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and for each of his sessions!

Wow! Thanks, Microsoft!

So, to sign up for an upcoming public class, and check out the full course outline, be sure to visit:

Or... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! Just contact me at [email protected] or call me at 302-793-3957. If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!)


Technology Takeaway (r), a service of Moskowitz, inc.

Here are some questions on people's minds recently...

Question 1:

I implemented an Account locked out policy on my domain. I set the policy to lockout after 3 tries, but most user accounts still get locked out with our old account policy. So, next, I tried to disable the policy but my domain Administrator account still gets locked out according to the old lockout policy. What could be causing this?

Answer 1:

This sounds like you have a DNS problem. I know, I know – how can this possibly be a DNS issue, you ask? I submit that perhaps not all of your Domain Controllers are receiving the updated domain policy. Hence, they are retaining some other policy you set. So, my advice? Make one DNS server the authoritative source and have all Domain Controllers (temporarily) use that DNS server for resolution. Hopefully, the latest policy will take effect, and you'll be updated.

Question 2:

How do I restrict users from opening and editing the registry in Windows XP? All domain controllers are 2003 server.

Answer 2:

Software Restriction Policies to the rescue! There are plenty of great Microsoft articles on Software Restriction Policies in Technet or online. (Or, you can get it in plain English in my book.) Don't forget, though, that Software Restriction Policies are only valid for Windows XP or Windows 2003 as clients – those with Windows 2000 clients are out of luck! Oh, and it doesn't matter if your DCs are 2000 or 2003.

Question 3:

Are Group Policy Objects cumulative? If a GPO is linked to the domain and then a separate GPO is linked to an OU, do features of the domain GPO "flow" down to the OU and apply with features set in the OU GPO as long as they don't conflict? I thought that if a GP was assigned to an OU then its features would overwrite any features set by a GP assigned to a level above.

Answer 3:

If you have no GPOs that conflict anywhere in your SOM (scope of management), they will apply cumulatively. However, if you have a GPO which says to do one specific thing at, say, the Domain level, and another GPO which says to do a specific thing at, say, the OU level, the one "closer" to the user (or computer) will apply. So, here's a simple example: At the domain level, imagine that you restrict the Control Panel, but at the OU level, you make it available again. Since the GPO linked to the OU is closer to the target account, that setting will take effect.
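Here is that Control Panel example as a small resultant-policy calculator. It is an added illustration, not code from this newsletter or from Microsoft: the GPO names and setting keys are constructed, and it goes one step beyond the answer by also modeling the "No Override" (Enforced) link option, which lets a higher-level GPO win a conflict.

```python
# Added illustration: a toy resultant-set-of-policy calculator.
# GPO names and setting keys are constructed for this example.

# Processing order: later levels are "closer" to the target account.
LEVELS = ["local", "site", "domain", "ou"]


def resultant_policy(gpos):
    """Return {setting: (value, winning_gpo_name)} for a list of GPO dicts.

    Each GPO dict has: name, level, settings, and optionally enforced.
    GPOs at the same level keep their list order (parent OU before child OU).
    """
    ordered = sorted(gpos, key=lambda g: LEVELS.index(g["level"]))
    result = {}
    # Pass 1: normal processing. Non-conflicting settings accumulate;
    # on a conflict the later (closer) GPO overwrites the earlier one.
    for gpo in ordered:
        for setting, value in gpo["settings"].items():
            result[setting] = (value, gpo["name"])
    # Pass 2: enforced ("No Override") GPOs are re-applied closest-first,
    # so the highest-level enforced GPO has the last word.
    for gpo in reversed(ordered):
        if gpo.get("enforced"):
            for setting, value in gpo["settings"].items():
                result[setting] = (value, gpo["name"])
    return result


# Constructed sample: the domain restricts the Control Panel, the OU undoes it.
DOMAIN_GPO = {"name": "Domain Lockdown", "level": "domain",
              "settings": {"ProhibitControlPanel": True, "HideRunMenu": True}}
OU_GPO = {"name": "Helpdesk OU", "level": "ou",
          "settings": {"ProhibitControlPanel": False}}


def demo():
    plain = resultant_policy([DOMAIN_GPO, OU_GPO])
    enforced = resultant_policy([dict(DOMAIN_GPO, enforced=True), OU_GPO])
    return plain, enforced


if __name__ == "__main__":
    for label, rsop in zip(("default", "domain GPO enforced"), demo()):
        print(label, rsop)
```

Printing the winning GPO next to each value shows quickly when a lockdown set at the domain has been quietly undone further down the tree.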

Question 4:

I blew up the Default Domain Policy in my Windows 2000 domain. How can I recover that?

Answer 4:

You're in luck! (Well, not really since you blew up a critical GPO.) Microsoft has just released RecreateDefPol.exe. It restores the Default Domain and Default Domain Controllers policy GPOs in case of accidental deletion. This tool is for use exclusively on Windows 2000 Server, Advanced Server, and DataCenter Server. Do not use this tool on Windows Server 2003; use Dcgpofix.exe instead (included in Windows Server 2003). You can download the tool directly from Microsoft here:

Question 5:

I love using the Group Policy Software Deployment functionality. However, recently I tried to decommission a file server we were using, and well, chaos ensued. Any recommendations or "best practices" for using Group Policy Software Deployment?

Answer 5:

Use DFS in conjunction with software deployment, and you'll be in clover. Why? Because DFS will abstract the REAL server name from the equation. That is, you can bank on the DFS share being there, even if you change the underlying file server name. So, my recommendation is to use \\{dfsname}\{rootshare} like \\corp.com\software instead of \\{specificserver}\{sharename}. This way, if you change servers, you can easily move the file share to the new server, change the DFS pointer, and everything just keeps on truckin'!


Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding!

Order your signed copy today by clicking here:

Thanks for reading! And, as promised, I'll send out the next newsletter "Roughly whenever I feel like it" or whenever big news hits. Until next time!

Subscribe and Unsubscribe Information

- subscribe to this newsletter
- unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, if you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address :

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at !