
Jul 2004
04

In this issue:

  • Moskowitz, inc. and www.GPanswers.com
    • Partnering with the GPTF.ORG
  • Upcoming conferences and appearances
    • Not free... but worth it!
  • Moskowitz, inc. Technology Takeaway (r)
    • XP's SP2 is imminent (save this email!)
    • Bonus!: Kill Spyware with Group Policy!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
  • Subscribe and unsubscribe information

 

Moskowitz, inc. and www.GPanswers.com

It's issue three of the Moskowitz, inc. newsletter. As promised, it's strategically put out "Roughly whenever I feel like it."

And I feel like it!

Why? There's a lot of Group Policy buzz! There's a lot happening lately, and I want to be the first to bring it to you. So, let's kick off this issue.

I suggest you save a copy of this newsletter (print, inbox, etc) because when Service Pack 2 for XP hits, you'll want to recall some of the juicy goodies we'll be exploring in this issue.  

 

Introducing the GPTF.ORG

Harmony. Cooperation. Working together.

These phrases are not something that is normally associated with rival product vendors. But, that's exactly what is going to be happening with an upcoming group I've helped create called the "Group Policy Task Force" or, GPTF.

The GPTF is a consortium of vendors which make Group Policy product add-ons. Many vendors hook into what Microsoft's Group Policy already offers and take it to the next level. Even Microsoft itself is a member. This strong showing of support from all vendors involved demonstrates their commitment to the Group Policy "way of life" which we know and love to use every day.

 

So, Where do I fit in?

I came up with the idea because there was no direct avenue for Microsoft to hear vendors' requests, assess how important those requests were to administrators like you, and actually get the wish into the next version of Group Policy product.

Additionally, because Group Policy is becoming more and more important, it's only a matter of time before vendors start to want to have some interoperability between their products.

I will be helping with ongoing coordination efforts. My official title in this role is called "Group Policy Evangelist" (how cool is that!?). If I only got a scepter or something to wield around... now that would be cool. But I digress.
(Actually, this one is pretty cool)
 

So, where do you fit in?

While the GPTF is not open for membership to the community-at-large (ie: network administrators) directly, there are two ways you can help.

First, you should communicate with your 3rd party product vendor about what you want to see regarding interoperability. If you see an avenue for cross-over between vendors, there's a good chance that we can make it happen now.

Also, if you have a specific wish you might want built right into Group Policy itself, we have a new forum at the GPanswers.com bulletin-board entitled "Group Policy Functionality Wish List" where you can post what you want! No guarantees that your wish is going to be embraced, but, if you don't A-S-K, you won't G-E-T.

You can check out the GPTF.ORG web site to see which vendors are participating. And, you can check out our official press release here.

 

Upcoming Conferences, Appearances and Classes

Not free... but worth it!

The number one thing holding back administrators from using Group Policy more is LACK OF TRAINING. Well, there's no excuse anymore!

Join us for one of my upcoming two-day "Group Policy Intensive Training and Workshop" classes.

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At both MMS 2004 and TechEd 2004 Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training!

In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions! Wow! Thanks again, Microsoft!

So, to sign up for an upcoming public class, and check out the full course outline, be sure to click here.

Or... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!)

Just contact me at [email protected] or call me at 302-793-3957.
 

Technology Takeaway (r), a service of Moskowitz, inc.

XP's Service Pack 2 is almost ready to burst forth on the scene.

Are you ready?

If I were you, I'd be glued to Microsoft's SP2 site for Microsoft professionals which is here.

I'm quite sure there will be some upcoming prescriptive guidance for its proper deployment and implementation, so stay tuned. However, Release Candidate 2 (RC2) is out, and you can play with it today. And, you should. This is because when you apply XP/SP2 to an existing XP system, you get new functionality, new power, and the ability to manage more stuff with about 90 new policy settings to play with! (Correction for anyone reading the archive version of this newsletter, that should have read 611 new settings if you include all the IE ones)

I have a link to Microsoft's latest spreadsheet which helps bring out the differences here. The biggest thing to expect with XP/SP2 is the fact that the Windows Firewall (formerly known as the Internet Connection Firewall) is ENABLED (that is, turned ON) by default. So, as soon as XP/SP2 is installed, there's a good chance things won't work as expected.

Once the Windows firewall is turned on, you won't even be able to ping your XP/SP2 machines. In other words, all INCOMING client communication to your clients will be prohibited (though as of XP/SP2 RC2, there is an exception for Remote Assistance on port 3389.)

So, what do you do?

Here are some suggested avenues to mitigate your potential upcoming pain.


Option 1: Turn off the Windows Firewall in XP/SP2

If you're thinking "I'm already working just fine, I don't want the Windows Firewall at all" you can disable it when users authenticate to your domain controllers.

The new policy setting is located at Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile and is named "Windows Firewall: Protect all Network connections".

This policy setting is a little weird. In order to turn off the Windows Firewall, you need to set the policy setting to DISABLED. This is because the new default sets XP/SP2 to have the firewall ENABLED; so you're essentially REVERSING the edict.

Turning off the Windows firewall might be just the thing, or it might be overkill. If you think it might be overkill, read onward!
 

Option 2: Leave the Windows Firewall on, but make sure I can still manage my client computers

Like I said earlier, once the Windows Firewall is on, all inbound client communication is kaput. But, you'll occasionally need to talk TO your clients from the servers.

Specifically, if you use GPRESULT or the Resultant Set of Policy tools built into the GPMC, you won't be able to ask the client "What's going on?" without adjusting the XP/SP2 client.

So, how do you fix it?

Drill down to Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile and ENABLE the policy setting named "Windows Firewall: Allow Remote Administration Exception".

Now your requests will successfully go through.

Also, according to some sources, this is the same policy setting you would enable if you have your Active Directory Administration tools running on your XP/SP2 machine, such as Active Directory Users and Computers or the GPMC. This is because ENABLING this policy additionally opens up port 445 which is essential for these tools to work between Active Directory and the XP machine from where you do your administration. However, in my testing Active Directory Users and Computers, AD Domains and Trusts, and many other administration tools worked just fine without me needing to open up port 445 via this setting. Your experience might be different depending on the tools you use.
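To confirm which of the two options actually landed on a client, you can audit an export of its Windows Firewall policy key. The script below is an added example, not part of the original newsletter: it assumes the two settings are stored as EnableFirewall and RemoteAdminSettings\Enabled / RemoteAddresses under the DomainProfile policy key, and the sample export is constructed for illustration.

```python
import re

# Constructed sample: text of a `reg export` of the Windows Firewall policy key
# from an XP/SP2 client. Values are illustrative, not from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled"=dword:00000001
"RemoteAddresses"="*"
"""

# Assumed storage location of the Domain Profile policy settings.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int_or_str}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            name = m.group(1).lower()
            current[name] = int(m.group(3), 16) if m.group(3) else m.group(4)
    return keys

def audit_domain_profile(text):
    """Classify the Domain Profile firewall policy and list findings."""
    keys = parse_reg(text)
    profile = keys.get(BASE.lower(), {})
    admin = keys.get((BASE + r"\RemoteAdminSettings").lower(), {})
    findings = []
    fw = profile.get("enablefirewall")
    if fw == 0:
        findings.append("firewall disabled by policy (Option 1)")
    elif fw is None:
        findings.append("firewall not set by policy; SP2 default (on) applies")
    if admin.get("enabled") == 1:
        scope = admin.get("remoteaddresses", "unspecified")
        findings.append("remote administration exception on (Option 2), scope=" + scope)
        if fw != 0 and scope.strip() == "*":
            findings.append("exception open to any address; restrict scope to admin hosts")
    return findings
```

Run `audit_domain_profile()` over the text of each client's export; a scope of `*` means the exception accepts remote administration traffic from any address rather than only from your management hosts.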

A common question is: "How do I get these XP/SP2 policy settings to show up when I create a new Group Policy Object?"

A Microsoft article on how to do that is MSKB 816662, entitled: "Recommendations for managing Group Policy administrative template (.adm) files."

Or, an explanation in plain English with some extra advice for a holistic approach to ADM template management can be found in Chapter 5 of my new Group Policy book.
 

***BONUS TIPS***

We're just giving it away!
-- More Technical Takeaway Tips
 

BONUS TIP #1

Want to preemptively kill spyware and the like leveraging GPOs? This BLOG demonstrates how to use SpywareBlaster to leverage GPOs to configure your clients.

Use at your own risk. I haven't tried it out, but it sounds good on paper.

Thanks to contributor Bill Avellan for locating this!


BONUS TIP #2:

Are your incremental backups larger than you think they should be? Maybe it's a bug with Group Policy. Check out the fix here. It corrects a problem if you're using Group Policy to change file permissions.

Thanks to contributor Gary Busby for this one!
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding!

Order your signed copy today by clicking here:

Thanks for reading! And, as promised I'll send out the next newsletter "Roughly whenever I feel like it" or whenever big news hits. Until next time!
 

Subscribe and Unsubscribe Information

- subscribe to this newsletter
- unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. If so, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:
www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !
