
Feb 2005

In this issue:

  • It's Issue 7...
  • Moskowitz, inc. Technology Takeaway®
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
    • Free live events
    • Classes and seminars
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Even more good stuff!
  • Subscribe, unsubscribe, and usage information

Moskowitz, inc. and -- Issue 7

Welcome to issue 7 of the Moskowitz, inc. newsletter.

It's just cold cold cold where I live, and that's no fun. But, thankfully, I get to travel a bit to San Francisco and Los Angeles and a bunch of other warm places before the winter is up.

In this newsletter, I've got updated class dates, some fun new tips and tricks, and more. As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

Also, I'd like to announce that I have a "Full Time Tips Man" helping out at It's Ron Hrehirchuk, who knocks out questions in the forum and does a lot of work getting the FAQ/Tips and Tricks section looking great! If you want to help add to the FAQ / Tips and Tricks section, the best way is to post a message inside the Community forum here. (Note that you must register for the forum to post.)

Thanks Ron, for all you do!  

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks
TIP 1/Question 1

I've been asked this question three times this month, so it must be on people's minds.

"Jeremy, can you explain to me why I might want to put users and computers into separate OUs? We're debating how to implement our OU structure with regard to Group Policy. Any advice you have here would be helpful."

I've never been asked the same question three times in a month. Here's the scoop... Segmenting users and computers into different OUs is, first and foremost, a Microsoft Best Practice. And, it's a Best Practice for a good reason.

Here are three good reasons to separate users and computers into different OUs:

  • Easier troubleshooting
    • When users and computers are separated into different OUs, you can more easily figure out what's going on when you run Resultant Set of Policy tools (i.e., GPRESULT or the Group Policy Results Wizard in the GPMC). You'll know precisely which GPOs are affecting the OU. True, you'd see this anyway, but by segmenting them, there's never a question about which half of the policy (user or computer) is affecting the target.
  • Easier delegation
    • You might want to grant others in your organization the ability to perform certain functions upon your structure. By separating out users and computers, you can delegate some people to create user accounts and others to create computer accounts.
  • Easier implementation of loopback policy
    • The loopback processing attribute affects the computer object. By distinctly separating out computers (especially those which need loopback) it makes loopback troubleshooting a world easier.

TIP 2 / Question 2

Under an Active Directory user's properties (Account Tab | Log On To settings), you can restrict what computers a user can log into. This works great but it's not currently set for all of our "lab users" (and it's a fair amount of work to set this manually). So here's the question: How can this be set via GPO?

Answer: There is no Group Policy setting that controls this. However, using Active Directory Users and Computers, you can simply "multi-select" several users and select Properties. Simply click each user while holding down the CONTROL key to multi-select.

Then, in the Account tab, select Computer Restrictions and go from there!


Windows Server 2003 has the ability to allow two Remote Desktop connections for administrative purposes. This can be enabled by going to the properties of "My Computer", clicking on the "Remote" tab and enabling "Remote Desktop".

This can also be enabled on each server individually, using the registry setting below, or by creating a custom adm template and deploying the setting via Group Policy.

Registry Settings Involved:

Using regedit, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

If the value "DenyTSConnections" does not exist, create it as a DWORD.

Setting it to 0 will permit remote desktop connections and setting it to 1 will prohibit them.
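
A read-only audit of the setting described above, as an added example that is not from this newsletter or its site: it reports, per server, whether the value permits or prohibits Remote Desktop, and separates a missing value from an unreachable host. The function name Get-RdpSwitch is hypothetical, and the example assumes the value is stored under the name fDenyTSConnections (the name Windows uses for this switch); pass -ValueName to check a different name.

```powershell
# Added example: report the Remote Desktop switch on one or more servers.
# Assumption: the value name is fDenyTSConnections; use -ValueName to override.
function Get-RdpSwitch {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$ValueName = 'fDenyTSConnections'
    )
    $subKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    foreach ($name in $ComputerName) {
        $raw = $null
        try {
            # Remote targets need the Remote Registry service and admin rights.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
            try {
                $key = $hklm.OpenSubKey($subKey)   # read-only handle
                if ($null -eq $key) {
                    $state = 'KeyMissing'
                } else {
                    $raw = $key.GetValue($ValueName, $null)
                    $key.Close()
                    if ($null -eq $raw)  { $state = 'ValueMissing' }
                    elseif ($raw -eq 0)  { $state = 'Permitted' }
                    elseif ($raw -eq 1)  { $state = 'Prohibited' }
                    else                 { $state = 'Unexpected' }
                }
            } finally {
                $hklm.Close()
            }
        } catch {
            $state = 'Unreachable: ' + $_.Exception.Message
        }
        [pscustomobject]@{
            Computer      = $name
            Value         = $raw
            RemoteDesktop = $state
        }
    }
}

# Local machine by default; pass -ComputerName with your own server list.
Get-RdpSwitch | Format-Table -AutoSize
```

Servers that report Permitted are the ones accepting Remote Desktop connections, so compare that list against the servers you intended to expose.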

Wouldn't it be great if you could set this up with Group Policy so ALL your servers just did this??

Well, you can. On we're working on a custom .adm Template that can be deployed via Group Policy by creating an .adm file using included code. After you implement it, you won't know how you did without it.

It'll be up this week in the FAQ/TIPS section! So stop by and tell your friends!

Upcoming Conferences, Appearances, and Classes

On (or I have a neat-o calendar that I'm always updating with any public (and private) appearances. So, check it out any time for up-to-date information!

Free Live Events

New date: Friday, December 03, 2004 (was November 19th): 8:00 AM -- WEST COAST, 11:00 AM -- EAST COAST. Seminar #3 in "The Group Policy Power Hour!" It's 1/2 hour of talk and demos, and 1/2 hour of Q&A! Here's the intro:

One of the key skills to master is to know what's going on at your client system. In this talk, Jeremy will demonstrate the various methods to get the Resultant Set of Policy, or RSOP, for your client systems. Both command-line tools and the GPMC can be used to gather this knowledge, so join Jeremy for this Power Hour session!

Registration is available here.


Classes and Seminars
Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.

For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)  

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.  


Technology Takeaway®, a service of Moskowitz, inc. (Supersecret, hidden, Easter-egg Part of the Newsletter)

We're just giving it away! --

More Technical Takeaway Tips (My way of saying thanks for making it all the way to the end of the newsletter!)


  Is your company starting to use Firefox? Terrific, except out of the box, it's not Group Policy enabled... Buuut... check out: for a way to make it enabled! (We're working on making this a permanent section within our Tips collection.)


Check out
It's a way for people to simply "add what they know" to a common body of Group Policy knowledge.
I've contributed a bit, my pal Darren Mar-Elia (who runs has contributed a bit and Microsoft has contributed a LOT. Add your 2 cents! It's helpful and fun!

Useless Time Waster

Go here. (Don't ask.) In a nutshell, I drink a LOT of Snapple, and one of my best friends noticed. Any Java enabled web browser will do. Trust me, you won't be disappointed.

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, if you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at !
