MDM & GP Tips Blog

Nov 2013

How I worked with Bob to improve Group Policy logon times by 15-30 seconds.

Let me jump to the end of the story: I didn’t really do anything here.

Bob did all the hard work.  I did POINT Bob in the right direction though and get him thinking about the problem.

Bob came to me with the following query: “We played with deploying printers via GP and ultimately decided not to.  However, despite removing the deployed printers from GP, every machine still goes through the “Applying Group Policy Printers policy” step even though there are no printers deployed that way and I can’t figure out how to get rid of it…  On some machines, it’s just a few seconds delay, but on others, it’s upwards of 30 seconds and I’d really like to get rid of it.  Any ideas?”

I THOUGHT Bob was talking about Group Policy Preferences Printers. But he wasn’t. He was talking about “Deployed Printers.”

This is totally different, and honestly, one of the parts of GP which isn’t my favorite.

Bob found the golden ticket all on his own. Here’s what Bob replied:

“I figured it out from this article:

The relevant info was:

While you ‘re in adsiedit, highlight the GPO node itself, “properties”, look for the attribute “gPCUserExtensionNames”. This is an array of an array of GUIDs.

Copy the entry to notepad, identify a block in square brackets (“[]”) that starts with the GUID {8A28E2C5-8D06-49A4-A08C-632DAA493E17} and remove the whole square brackets block. Then, look simply for the GUID {180F39F3-CF17-4C68-8410-94B71452A22D} (shouldn’be present, but better be careful) and remove just the GUID.

This cleans up the AD part of your GPO and afterwards, deployed printers will not be processed anymore during user gpo refresh.”

Logins are now 15-30 seconds faster.

Thanx for the help! 😀

So the moral of the story is.. if you’ve ever tried “Deployed Printers” and then.. well, stopped… then this could be something that helps you out if logon times have increased.

Nov 2013

Microsoft's Official Windows 8.1 and Server 2012 R2 GP Excel Spreadsheet

In the last post, I posted about how Ryan (a fellow GPanswers Team member like you) spent some quality time with the ADMX files from Microsoft and produced his own “What’s new in Windows 8.1” XLS spreadsheet.

This week Microsoft caught up..and the official spreadsheet is out. Note: As of THIS writing, the official ADMX file download is NOT out, but the spreadsheet IS.

The link is here:

Here are some tips:

  • First: Dont download the WRONG spreadsheet. The one you want is  WindowsServer2012R2andWindows8.1GroupPolicySettings.xlsx and is 319k.
  • Next: Use Column D and set it to TRUE to see the LATEST (Win 8.1 only / newest) policy settings.
  • Finally: Use the entire Security tab to see the security specific settings. And in that tab,  check out COL H and G.. Where Col H is “reboot required?” and G are interesting notes about those security settings.

Hope this helps you out !

Nov 2013

Exactly what's new in Group Policy Settings for Win8.1, RT and IE11.

Ryan Blaszczyk a GPanswers team member supplied this to me…

“I got impatient waiting on Microsoft. So after importing the ADMX files from my Win8.1 box into my lab’s Central Store, I took the painstaking time of going through every single setting looking for anything referencing:

  • Windows 8.1
  • Windows 8.1 RT
  • or IE11.

Obviously, I may have missed any net-new setting that Microsoft added that is backwards OS applicable.

And, obviously, anything that they removed.

Just thought I would pass it along to show off my massive copy/paste and Excel formatting skills. Just thought I would pass it along for some light reading.”

Here’s Ryan’s un-official Excel download: Windows8.1PolicySettings

Thanks Ryan !

Oct 2013

How to make the Ultimate ADMX Central Store

Guest post from Chris Jaramillo (a regular friend!) with a little help from Jeremy Moskowitz, Enterprise Mobility MVP.

Well, another OS release from Microsoft, and you “workin’ it” Group Policy Admins know what that means: Time to update the central store with the latest definitions.

GPO Definitions: Latest and Greatest

GPO’s definitions start out life on each operating system type. The newest (as of this writing is 2012 R2 and Windows 8.1.)

You would EXPECT them to ship with the same Group Policy definitions, right?

Think again.

Well, I (Chris) did a quick WinDiff of the PolicyDefinitions folders on fresh 2012R2 and Win8.1 builds:

Default on clean install of both Windows 8.1 and 2012R2 systems

  • 167 common ADMX files (and their corresponding AMDL)

ADMX files which are only on a clean install of 8.1:

  • deviceredirection
  • enhancedstorage (Available on 2012R2 via a Feature)
  • sdiagschd
  • search (Available on 2012R2 via a Feature)
  • shapecollector (Available on 2012R2 via a Feature)
  • winstoreui (Available on 2012R2 via a Feature)

ADMX files which are only on a clean install of 2012 R2:

  • grouppolicy-server
  • grouppolicypreferences
  • mmcsnapins2
  • napxpqec
  • pswdsync
  • servermanager (Available on Win8.1 via RSAT)
  • snis
  • terminalserver-server
  • windowsserver

ADMX files which you can get only on 2012 R2 Only, when you install a Role:

  • fileservervssagent

ADMX files which you can get on either 2012 R2 and Win 8.1, when you install a Feature

  • searchocr

So in short, you get the issue as last time. That is, you have to grab some of them from the workstation OS and others from the Server OS. And/or you need to turn on specific features or Roles to get these ADMX files to actually appear at all !

If you had to manually do this, this would make Central Store management almost unbearable.

It would require installing all Roles/Features on each of a Vista, Windows 7, Windows 8, Windows 8.1, 2008R1, 2008R2, 2012R1, and 2012R2 nodes, each with the latest Service Pack.

Then starting with Vista, copy the PolicyDefinitions folder, overwriting with 20018R1, then Windows 7, 2008R2, Windows 8, 2012R1, Windows 8.1, and finally 2012R2. Even then, I have seen instances where MS has removed certain older policy settings from certain newer versions of the same ADMX !

Jeremy’s 2¢

So, here’s my (Jeremy’s) 2¢: Chris is right, but there’s some good news. You DON’T have to go through ALL those gyrations to get the “latest pack” of ADMX files.

Traditionally, Microsoft makes available a download of all the latest ADMX files all in one shot.

The basic rule of thumb would be to simply always just overwrite what’s already in the Central Store *WITH* what Microsoft provides.

So if you had any “extras”.. that’s cool, they just stay there and you can use them. But you’re always overwriting the old ADMX files with the LATEST ADMX files.

As of this MOMENT, Microsoft doesn’t yet have the “latest” ADMX files from Win 8.1 and 2012R2 yet available. I’m pretty sure they’re coming soon. When they do, I’ll post about it.

If it were me, I’d just limp along a little while longer until MS produces them as a full download.

So, that’s the story: Standby for when it drops from MS.

Chris Final 2¢

Special notes: In the 2008R2 version of AppCompat.ADMX, “Prevent access to 16-bit applications” was a user AND computer option. In the 2012R2 version of the same ADMX, the user option is gone. I’m pretty sure I’ve seen IE settings disappear in a newer ADMX as well.) Add on the fact that certain applications (such as IE) have their ADMX/adml files updated when the application is released (sometimes out of band from the OS release), or that certain hotfixes (such as the 2012R1 WSUS patch that I forwarded you a week or two ago) will update ADMX/adml files, and it’s enough to make your head spin.

So, even with populating the latest versions of all of the possible ADMX files, that may not populate the admin templates with all available settings for all client/server/apps (which was kind of the point of a Central Store). However, doing so probably the closest thing to an all-encompassing Central Store that is possible.

Chris extra notes: My recommendation is to keep a copy of the PolicyDefinitions folder from each OS version (including Service Packs) handy, just in case you temporarily need a previous version of the ADMX.

Oct 2013

Can you speed up login times when using GPPrefs Printers deployment? (And does it matter?)

The Question: To pre-install or NOT to Pre-Install

On linked in, someone asked the following question: If you pre-install “big / universal drivers” on your target machine, will you will save login time when GPPreferences is used to deploy shared printers?

The idea is that the driver is “already there” and GPPrefs would just “do nothing.”

So.. SOMEONE had to figure it out. It might as well be me. 🙂

Tests and Methodology

Results: Here’s the result of my testing using the HP PCL 6 64-bit universal  printer driver. It’s a 17MB download. Then installing it on the server and doing a roundup of HP*.* I find 48MB of HP files within c:\windows\system32\spool\drivers\x64\3 after sharing a universal printer.

(Note: It doesn’t actually matter if the raw byte count is TRUE count or not, as the times I get on MY machine are RELATIVE to what you’ll see.)

I turned on the setting which enables me to SEE *WHEN* and *HOW LONG* each GP CSE takes to process. I also put a stopwatch next to it, then COUNTED HOW LONG these words appeared (

Here are the test cases / results.

Again, WARNING: I am on a ludicrously fast testlab / laptop. The point is NOT for me to report exact seconds or even total time to log on.  The point is the FINAL RATIO of how long each test case takes VERSUS another test case.

The FINAL RATIO should be the same for just about anyone based upon these numbers.

Scenario 1: No GPPrefs Printers linked anywhere.

Result: ZERO seconds / “Applying Group Policy Printers policy” never appear.

Scenario 2: Universal Printer Driver shared on server in \\DC\HPPRINT1. GPPreferences item is linked to West Sales Users OU. Mr. WestSalesUser 1 logs on.

Result: 29 seconds for the CLIENT to show “Applying Group Policy Printers policy”… then MOVE ON.

Scenario 3: Same as scenario 2. BUT.. Mr. WestSalesUser1 has already logged on and downloaded the driver. NOW Mr. WestSalesUser2 logs on.

Result: 3 seconds for the CLIENT to show “Applying Group Policy Printers policy”… then MOVE ON.

*INTERESTING RIGHT?!* – More insights and thoughts below. Let’s continue onward.

Scenario 4: Universal Print Driver is pre-installed on target machine. GPPreferences item is linked to West Sales Users OU. Mr. WestSalesUser 1 logs on.

Result: 6 seconds for the client to show “Applying Group Policy Printers policy”… then MOVE ON.

Scenario 5: Same as 4. Mr. WestSalesUser1 has already logged on and used the driver. NOW Mr. WestSalesUser2 logs on.

Result: 3 seconds for the client to show “Applying Group Policy Printers policy”… then MOVE ON.

So.. how do we interpret these results?

Answer: Pre-installing the “big / universal” printer driver BEFORE using GPPreferences yields an 80% time improvement for the first user and a 90% time improvement for user #2.

However, if the FIRST user “suffers” and downloads the print driver via GPPreferences / the network, the improvement for user #2 is the same for over the network AND local installs of the driver.

Counter-intuitive thinking (so stick with me)

You might think my final advice would be “Yes, of course pre-stage universal drivers.. you get an 80%- 90% improvement in first-user login time!”

But that is NOT what I would suggest.

My belief is and has always been “The First Login Time For Any User Doesn’t Matter.”

Even if it takes, say, 3 times longer than the NEXT login (for the same user, or for the second user on the same machine)… my feeling has always been… “SO WHAT?”

Before you throw things at me, think about it: The first login time is “forgettable”. Its not an every day occurrence.

Sure.. If there’s some delay that can be eliminated at EVERY login (from login 2 onward) you should do it. (Crappy login scripts which copy big files EVERY time, or things that CRAWL the file system, etc etc.) OF COURSE — dump that crap — and make EVERY login time faster.

But that’s not what we’re talking about HERE.

HERE, in the case of “Do we” or “Don’t we” pre-install big universal print drivers, we DONT gain speed at EVERY login.

So, my final thought is: Generally *DONT* pre-install big univeral print drivers. You don’t get benefit at EVERY login.

Is there an exception?

Sure. Here goes: If you use non-persistent VDI where EVERY login feels like the FIRST login, then I could likely get behind pre-baking in items like this which make EVEN THE FIRST LOGIN go faster.

Again: That’s only because every login ACTS like its the FIRST login.

There are possibly other time-critical logins (Nurse’s stations, Stock Floor Trader) where maybe, again, would I agree that baking them in feels like the right thing to do to save X number of seconds (because you don’t know who has NEVER logged into that machine before.)

There’s my wrapup on this topic. I hope it helps you out. Please make your insightful (but kind) comments below. Thanks !

Oct 2013

WSUS "fixed" for Win 8 and WS2012

Tip o’ the hat to Chris Jaramillo who first pointed this problem out to me -and- the solution.

Here’s the lashup:

  • You’ve got Windows 8 and/or
  • Windows Server 2012
  • You’ve got WSUS and
  • You’re using the existing GP settings to manage WSUS

And, darnit.. Win8 and/or WS2012 are simply not playing ball with the WSUS GP settings.

So Win8 and WS2012 machines are getting updates (but not WHEN you want) THEN they’re rebooting (also NOT when you want.)


Those systems (Win8 / WS2012) weren’t coded to read those policy settings.

But hark !!

A hotfix has been made available to make Win8 and WS2012 act like Win7 and WS08 with regards to “doing what’s in the WSUS GP” settings.

Here’s the Microsoft blog entry on the subject.

Here’s the hotfix download to get you there.

Thanks again to Chris Jaramillo for this tip !

Oct 2013

"Totally exposed" at the doctor's office.


I hurt myself, so I went to the doctor’s office.

And, it was one of these places which sees celebrity clients. Specifically, local sports stars in the Philadelphia area.

You know the routine: Take your shirt off, freeze half to death, then wait twenty minutes for the doctor to finally come in and tell you to take two Advil.

Gee, thanks.

But just before he came in, I took a picture of this computer.

(The red stuff, is obviously mine. And I blurred out a lot as I’ll describe below).

Let’s take a look at what a huge, mega error it was to leave me alone with this computer:

  • Item 1: That’s me highlighted in the blue bar in section 1. Then ALSO the FULL NAMES, BIRTHDATES and PATIENT IDs of 10 more clients. Full. Freekin’. Names. Hello HIPPA COMPLIANCE !? Also pointed to in item 1 is MY healthcare plan, so the doctor can determine if he should spring for various tests. The crappier the plan I guess, the less they try to perform tests.
  • Item 2: It’s XP. Great. So my medical records are protected by an operating system which will get no patching at all starting in April 2014. Grrrrrrreeeat !
  • Item 3: Thanks for the attack vector and giving me the computer name. When I call the nurse’s station pretending to work for IT, it’ll make me look more credible that I have this information in hand. (No no.. I wouldn’t do that.. right?)
  • Item #4: This is custom application. And, you can see the menu system: there’s a zillion settings for the Nurse, Doctor, or others.. (like me if I was being naughty) to misconfigure in this application. If they were using PolicyPak to deliver application settings, they could be guaranteed that those settings would be set and maintained. (What am I talking about? Attend my next webinar on application settings management at .
  • Finally.. The main item is.. the damn keyboard and mouse are just fully unlocked. I had 20 full minutes to poke around here. I didn’t just snap this picture when the Nurse left the room. I took it 20 minutes AFTER she left.

Did I *ACTUALLY* touch the keyboard and move the mouse around?

Look, I’m not 12 years old anymore, so.. no I didn’t.

But I could.

And if this was, instead, an APPOINTMENT for a 12 year old, you KNOW his or hands would be on that keyboard.

Are you doing everything you can at YOUR organization to be more secure? Learn how to ENSURE that the RIGHT settings are delivered so naughty people cannot do things they shouldn’t do.

In my training class, I show you exactly how to use the Group Policy infrastructure you already have to do it.

Next class: Las Vegas, Dec 2 – 6.

Sign up at .. And ensure your computers aren’t “totally exposed.”

Jul 2013

Good Group Policy Design. What it should "do" for you and your team.

One of the things I get asked about a lot is Group Policy Object “design.”

Design could mean a lot of things. Group Policy Design to me means:

  • What you name your GPOs.
  • What you put inside your GPOs.
  • What GPOs are linked where.
  • OU design.
  • Use of Blocked Inheritance and Enforced properties.

When I perform my (paid) Group Policy Health Check consulting service… these are the kinds of things I look at overall.

To be honest, and I’m just callin’ it like it is here… I don’t usually see ALL of these elements designed well.

Usually ONE, sometimes ALL of these elements are near impossible to discern what’s going on.

Here’s one big overriding tip I can suggest if you decide you want to think about design (or, more likely a redesign.)

Good: Could someone from the outside look at your design and be able to basically figure out what is going on?

Better: Could someone from the outside look at your design and be able to figure out WHY you did it?

Best: Could someone from the outside look at your design and figure out what you did and why you did it, and NOT need any extra documentation?

To be clear: I’m not saying “don’t document your naming conventions” or “don’t make careful notes about what you’re doing and why.”

I *AM* saying that a good design should “jump off the screen” at you. If you got a new boss TOMORROW and you needed to spend 10 minutes explaining WHAT was done and WHY it was done that way… would it make sense based on what you have, in Active Directory (OUs) and the GPMC (GPOs)… TODAY?

Here’s the best (two) parts about GP design:

  • Your design doesn’t have to look like anyone else. It just needs to make sense. 
  • If you screwed it up the first time, it’s not heinous to get it repaired. You do need some direction and a trusted guide though.

If “Cleanliness is next to Godliness” is a real thing, then maybe you should think about getting cleaned up.

If you’re feeling dirty all over right now, here’s your two options: take either my Group Policy training class (Live or Online) or have me perform my (paid) Group Policy Health Check consulting service … you and your company can get cleaned up .. fast.

If you’re serious about either one (training or consulting) then give Laura a call at 215-391-0096 for a quote.

You can also reserve a seat in the next live class (Denver Aug 12 -16, 2013) or get the Online University at

We have limited seats left in the Denver class, and I only take ONE Group Policy Health Check client per month. First come, first served.

See you soon.

Jul 2013

To BLOCK or NOT to Block.. That is the Question !

I got this fun email from Mads Lomholt from the Oslo Norway Norwegian Fanclub of (I didn’t know we had a Norwegian fanclub branch of, but I’m super happy to learn it’s alive and doing well!)  Here’s his question (and my answer!)

Mr Moskowitz! 😉 Do you take requests?

Is there any situation where blocking inheritance of GPOs (often followed by enforcing GPOs which are higher) is a good and lasting solution?

I am not an expert on this, but so far I have seen only bad things happen when people dive into blocking and enforcing GPOs.

To a certain extent I believe I understand the principles, but why not craft the OU structure to account for this instead of blocking/enforcing?

I’ve read that Microsoft states: “It is recommended that Enforced and Block Inheritance be used sparingly”, Okay. Sure.

Excited to hear the expert judgment of my question!

Mads Lomholt
Norwegian fanclub, Oslo 🙂

Jeremy’s answer:

Great question. Let’s clarify some items.
First: You don’t / can’t block inheritance of ONE GPO. People sometimes think that blocking is about a particular GPO. It’s not. Its about saying “From this point onward, we’re starting fresh and ignoring GPOs before this point.”
So, said another way, when you Block Inheritance upon an OU you’re starting fresh and saying that you don’t want policy setting (higher than here) from affecting your users or computers.
However, what’s also true is that you cannot block any GPOs where their links have the Enforced property. This means any GPO’s links that are enforced will always “make it through” any Block Inheritance.
So, when is Blocking Inheritance on an OU good? Well, anytime you want to “break free” from GPOs set higher up. I usually recommend Block Inheritance as a GOOD THING when OU administrators are really totally in charge of their own Group Policy desires.
For instance, in the domain, lets say Company X has:

  • North Sales OU
  • East Sales OU
  • All of Marketing OU
  • All of Research OU
  • Other OUs…

Let’s assume that the administrators in the company are:

  • Fred: OU admin, manages North Sales OU (and nothing else).
  • Mary: OU admin manages East Sales OU (and nothing else).
  • Gary: Domain admin, manages the domain AND “All of Marketing OU” and “All of Research OU” and some other OUs.

Gary might make some decisions at the domain which would affect Fred and Mary.

If Fred and Mary basically are allowed to “do their own thing” and don’t really answer to Gary, then they should Block Inheritance to create a clean slate for their OUs.
But, if there’s something REALLY important (like a security setting which should affect everyone) then Gary is able to link it to the domain and Enforce it, which will definitely affect everyone.

So, that’s a GOOD reason to use Block Inheritance.

However, going back to your original question: I often see Block Inheritance used way, way too much. And, as such, I see the Enforced property used way, way too much.

I would agree: designing first to try to avoid a lot of blocking and enforcing is ideal whenever possible. But in my case above there are perfectly fine times to use it.
Additionally, it should be noted that if administrators are well versed in Group Policy Preferences, then Item Level Targeting feature can be used to usually avoid Block Inheritances and subsequent enforces.

That’s because you’re specifically targeting WHICH users or computers should get whatever setting you want. (Note that PolicyPak ALSO hooks into the Group PolicyPreferences Item Level Targeting as seen in this demo So in this way you don’t have to have lots of weird design just to manage applications’ settings via Group Policy).

So, Mads, I think basically you answered your own question. You saw that having lots of blocking and enforcing cannot be good. But you also saw (I think) that there would be some times where you couldn’t architect around it.

I hope this article helps you and others out.

Thanks !

Jun 2013

Deliver IE Favorites using Group Policy Preferences

I created a video this morning, because I got a request from fellow team member like you — Thomas P from Massachusetts.

He wanted to know the answer to a common question, which I demonstrate in my ONLINE and LIVE Group Policy classes (

Next one: Denver, CO – Aug 12 – 16th !

He wanted to learn how to deliver IE Favorites using Group Policy. Well, Thomas P (and all the Thomas P’s out there who wanted to know) .. Here’s the video (sends you to YouTube):

Next: To see some other amazing stuff you COULD be doing with IE, here’s a second video:

Final thoughts for the day: It’s not too late to sign up for Denver for August. We DONT have unlimited seats (duh).

And you’ll be able to FINALLY learn the RIGHT WAY to transition from XP to Win7 or 8 without blowing up the network or looking like a dufus (or is it doofus?)

Regardless: You don’t want to look like one.

So, get your act together, get the training you need, and see you in Devner. (For Pete’s sake, or, really, for your own sake.)

(Course outline and pricing and stuff is right there.)