View Blog

Jan 2007

Newsletter 21: Rounding off 2006 and looking ahead to 2007 In this issue:

  • It's Issue 21
  • Jeremy's joined the bloggers
  • Moskowitz, inc. Technology Takeaway (r)
    • The questions on everyone's lips about the next generation of MS software
    • A tip for protecting some accounts from the wrong GPOs
  • Public GP Training Schedule Released (first several months)
  • Subscribe, unsubscribe, and usage information

In this issue, I'm happy to say, we've got a full plate. We've got a link to my interview with Michael Dennis (who is leaving the Group Policy team after 9 years!), a bunch of tips and tricks, and my 2007 public training schedule (for the next few months.) So, let's get started!

This Month's Newsletter Sponsored by: NetIQ

As an IT professional, NetIQ is interested in your thoughts and opinions on managing group policy. We know these responsibilities are critical in today's enterprise, and we value your feedback. Please take a few minutes and complete our brief Group Policy Survey, co-authored by Jeremy Moskowitz. Respond by February 15, and you will be entered for a chance to win a $300 gift certificate.Take the survey today. News

Jeremy's GP blog keeps you right up to date

If you just can't get enough information about Group Policy, then my blog would be a good place to go to get the latest and most important stuff you need. Take a look at the blog to make sure you don't miss out on any updates. excluSIve -- "Exit Interview with Michael dennis, Outgoing team lead for Group Policy"

Speaking of the blog, I got an exclusive opportunity to interview the outgoing Team Lead for Group Policy, Michael Dennis. Michael has been the lead Program Manager for 9 years and 9 months to the day before changing posts (this Monday.) Learn about where Michael feels Group Policy is going, what he feels is his top achievements are so far at Microsoft, and what's next for the King of Control. Again, this is on the blog.

how can i best help ?

If you've ever asked yourself, "How can I help" out? Well, here's your chance.

Sure, we take tips and tricks to help others. But today, I'm asking for something more.

Indeed, you're not helping me out, you're really helping out Ron Hrehirchuk, our original Guy Friday.

I don't want to get into too many details here, but Ron is gravely sick and is unable to care for his family. Ron has done more for than I can remember, and he did it for you, our loyal fans for several years.

Now, it's Ron and Ron's family's time of need.

In short, I (Jeremy) am personally asking you to donate to Ron's family's fund.

Click here.

It's via PayPal and it's quick and easy to do. The link is here. And it would meen a lot to me, personally, to know that the folks have made a difference in someone's life who tried to help make a difference in yours.

Technology Takeaway (r), a Service of Moskowitz, inc.

FAQs about Group Policy for the latest MS products

Can I install the Group Policy Management Console (GPMC) on Vista?

The GPMC for Windows 2000, XP and 2003 is still available, the latest version is "GPMC with service pack 1." You can download GPMC with sp1 from MS here. However, Vista will ship with GPMC v2 already built-in, so there's no need to download anything, just start using it! Note that the old version won't work in Vista, so don't try to install it.

What about converting my old custom ADM files to ADMX format?

Before we get too far along in this topic... who is making custom ADM files and what are you making them for? Drop me a line and let me know.

As you know by now, the method for storing available group policy settings for Vista is an XML-based file format known as ADMX. This is the format your new custom policy definitions need to use if you want to include them in GPOs you will create on a Vista machine, although the policies themselves can be applied to earlier OS versions.

So, the problem is how do you get your current ADM files to the brand new ADMX file version?

At first, Microsoft did not give any indication that they would provide anything to help update existing ADM files, but thankfully they must have been listening to the GP community and (in conjunction with FullArmor corp) have released a free ADMX migrator tool to convert ADM files. This tool also provides a GUI environment for creating and editing ADMX files. You might also want to look at the free XML Notepad 2007 editor which would also allow you to do this and includes useful tools like find and replace and the ability to compare two XML files to find the differences (maybe an old and new version of your custom policy file).

Here's the trick: I've used the tool, and it works as advertised, but can be a little hard to get the policy settings you're creating to come out "just right." So, be patient with the tool, and take some "time off" if you get a litle frustrated. (And, don't forget -- it's free!)

How do I know what GP settings are available in each WIndows version?

Whenever a new service pack or operating system is released, MS issues a complete spreadsheet of all the Group Policy settings, along with the Explaintext and which OS version the policy setting will affect.

The latest version of the Group Policy Settings file is up to date to Vista build 6000 - the RTM version of Vista.

The new file layout also includes columns to let you know if the policy requires a reboot or logoff in order for the policy to take effect. (Note, it's not 100% accurate .. it's missing some , but it's a darn good start.)

You can filter the list easily on these columns, and use the usual Find feature (CTRL-F) to search for particular text. The older file for versions of Windows up to 2003 sp1 / XP sp2 is still useful if you are not moving to Vista just yet, as it shows which ADM files you will find the settings in when working with these older systems.

I'm not using Vista but I want to manage my IE7 deployment, what can I do?

In the last newsletter we talked about how you can use the blocker toolkit which you can use to prevent the installation of Internet Explorer 7 if you / your users / some applications you need are not ready for it just yet. If you are ready and want to roll out, though, you might like to download the ADM files for IE7 which will let you create GPOs which manage IE7 on XP sp2 and 2003 sp1 (the supported OS for IE7). Why didn't these ship as ADMX files? No idea. I wish they did.

Notes from the field: Protecting your users and computers from an "inadvertant" link of GPOs

Imagine this: You've got an OU full of users or computers. But corporate policy says "Don't link any GPOs to them." Maybe these are lab machines, or your machines or some other type of machine or user accounts which just shouldn't get GPOs. Okay, super.

All well and good until someone doesn't get the memo and still links a GPO to this OU.


Now you have a problem.

Turns out, there IS a way to guarantee that no one can link a GPO to the OU.

Here's the trick (and stay with me here): don't make it an OU.

That's right -- don't use an OU for these accounts, use a "container." Just as the default containers for Users and Computers prevent you linking policies to them, so do any other containers you create. The accounts in here will still get domain and site policies, of course (subject to security filtering), but you can guarantee that they won't get any additional policy settings.

How do you create a container? Bad news -- it's not something you can do within Active Directory Users and Comptuers. But it is easy enough to do: use ADSIEdit.

On an admin workstation which has the "Ssupport Tools" installed (or directly on a server) fire up Start > Run and type ADSIedit.msc. (Note: if you are logged on without domain admin rights you need to use runas and provide an admin account for this procedure to work). You should see something like the screenshot below.

Choose the relevant domain and right click, select New > Object as shown here:


Choose to create a new container object class, provide a useful meaningful name for the new object and finally click finish.


So now you have a new container which will show up in AD users and computers for example, but simply will not appear in the GPMC or any other GP editing tool since you can't link any policies to it.

Simple yet effective.

That's all the time we have for tips in this issue. please continue to submit your own tips or links to useful information in forums.

Choose the right Active Directory and Group Policy Course for you

Did you know that here at, we have three courses, including an ADVANCED course? You can find out more about the different public and private courses available from the workshops section of

We also have a "Group Policy "Rightsize" Tool" which helps you decide the best course to take for your situation. We have both private and public classes, so use the Righsize tool to get a total understanding of your options.

For the first time ever, we're making the "Less Intensive Three-day" course as well as the "One Day Advanced" course available to the public.

As Vista becomes more popular, we'll make our Vista classes more available. Right now, Vista classes are only available as Private classes.

public courses -- 2007 (First Half) scheduled

You used the "Suggest a city" form at and told me where you would like me to go! So, here's the 2007 (first half) lineup:

  • Feb 1, 2: Seattle, WA: Two day Group Policy Intensive Course (XP Focused)
  • Feb 27, 28: Chicago, IL: Two day Group Policy Intensive Course (XP Focused)
  • Mar 1: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Mar 5, 6: Atlanta, GA: Two day Group Policy Intensive Course (XP Focused)
  • Mar 7: Atlanta, GA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Mar 13, 14, 15: Portland, OR: Three-day Group Policy Less-Intensive Course (XP Focused) -- Taught by James Conrad
  • Apl 17, 18, 19: Cleveland, OH: Three-day Group Policy Less-Intensive Course (XP Focused) -- Taught by James Conrad
  • May 9, 10: San Fran, CA: Two day Group Policy Intensive Course (XP Focused)
  • May 11: San Fran, CA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • May 21, 22: Wash, DC: Two day Group Policy Intensive Course (XP Focused)
  • May 23, 24: New York, NY: Two day Group Policy Intensive Course (XP Focused)
  • May 25: New York, NY: One-day Group Policy Advanced Course (XP/Vista Focused)

For any public class, sign up online at: Some notes:

  • This is the first time the Advanced Group Policy course has been made available to the public. If you've taken the two-day or three-day course, check it out. If you sign up for the "Two-Day Intensive" and "One-Day Advanced" at the same time, you'll get $100 of the third day.
  • I'm working on updating the Two-Day and Three-Day classes for Vista and hope to make them an available course offering by March - April.

Here's a deal you can't pass up!

Okay, so I'll be in the above cities teaching the private classes. But how would you like to get a FREE student in the class? Easy: be the "host" of the class. Allow me and our students to use your conference room for the two or three days, and you get a free student attendee! Such a deal! Lots of companies have been the hosts for public classes, and they've gotten free training. So, if you're interested in free training for one of your treammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6 - 8), the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan - or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at:

For a private class, just contact me at [email protected] or call me at 302-351-8408.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)


Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here: (GPO book) (WinLin book)

Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available! New sponsors this time:

  • BeyondTrust Corporation with their BeyondTrust's Privilege Manager product.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected] Please POST your technical question on the forum whenever possible. If you have questions about ordering a book, contact my assistantMark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Comments (0)

No Comments!