MDM & GP Tips Blog

Jan 2013

Killing Java using Group Policy and other notes

Hello Team.. This last week was a biiiiig week. In no particular order

1. All the book orders have shipped, so if you don’t have yours yet, it should be very, very soon. (If you’re new and don’t know what I’m talking about, my latest 800 page book on Group Policy is available at, as a signed copy.) (More about the book at the end of today’s email.)

2. Speaking of NEW PEOPLE, we had a huge influx of people join us after reading the article "Hone your IT skills with these five web apps". is #3 in this article:

I’m not sure qualifies as an "app", but — hey, I’ll take it !
Thank you and welcome to all of our newest Team members !

3. So, the big news story of last week was.. Java.

Unless you were under a rock, you learned that the Department of Homeland Security suggested that everyone (literally, not joking) DISABLE Java (at least for now.)

The rationale is that even with the "fix" (Java 7 u11), the fix isn’t really a "fix" at all. Rather, it simply updates the warning levels and messages to end users. (And users are so grrrrrrreat at knowing what to do when they see warning messages.) Um, no they’re not.

Okay. So, how, exactly would you stop Java capital N, NOW on all of your machines? (At least until the dust settles?)

I can tell you that there is no "in the box" way to perform this function, and ensure it’s going to work in all browsers, consistently. However, I’ve created a video (two videos really) at my "other" blog at to show you Exactly how to turn off Java NOW in your enterprise:

I did find some other "ideas" floating around on the internet. I tried those ideas and tried to make them work, for about two hours of banging my head against the wall, but had to give up. Sometimes you gotta just get the right tool for the right job.

Hope this helps you out and makes your company more secure..

PS: This article has some good, reasoned information about the problem and where it’s going.

4. I have some notes for folks still thinking about getting a copy of the book:

Note 1:

I decided to "buy my own book". That is, I wanted to see for myself how good or bad the Amazon version of my latest book was. I have to say, I found it to be a very pleasurable experience reading the book on the iPad Kindle app. (That’s all I tested it on, so your mileage may vary.)

First, on the iPad Kindle app, all the figures are in COLOR. Which is really great. I like that.

Second, what I had heard from readers about the PREVIOUS edition of the Kindle book was that figures were hard to see sometimes and tables were difficult to manage. Something must have improved in the process, because in my experience in the new book, figures will "Zoom" in and become full screen if you want. And tables have a special function to look at different cells with <- and -> buttons. In short, I thought it was awesome and personally approve of how it works on the iPad Kindle app.

Caveat 1: Again, I don’t own a Kindle DEVICE. I tried this out on the Kindle iPad app, so that’s all I tested.

Caveat 2: If you buy the Kindle edition of the book and hate the experience, please don’t blame me — take it up with Amazon. I only wrote the text and have zero to do with the Amazon or printed edition’s final results.

Note 2:

There are a handful of very small errata (errors) in the book. The most notable is Figure 1.1.. Yes, the first official figure in the book is misprinted. (Don’t shoot the messenger.. I went back to my writing notes, and something happened between my directive to change it, and the printing process.) In Figure 1.1, I show Vista as your management station and not Windows 8, as might be expected in a Win 8 book.
There are a handful of other little issues, and I’ll be posting the errata to the website at some not-so-far-in-the-future point. But for now, that’s the big "headsmacker".
Note that the same figure can be seen in the "Look inside" in Amazon and also when you buy the Kindle version.

5. Last call to get your own copies before I stop talking about it for a while (no guarantees).

Here’s exactly how to do it:

1.    Signed from me, "printed on dead trees" edition:

2.    Cheaper, not-signed, "printed on dead trees" edition from Amazon:

3.    Even cheaper Kindle edition:

REMEMBER: Get the version with the LEAF on the cover. All others are now.. older.
Bonus eChapters available for free at

Oct 2012

Deploying Office 2013 Using Group Policy


I found this document on Microsoft’s website I thought you might like. It’s only a mere 353 pages and describes how to deploy Office using various techniques. The one that gets the LEAST amount of talk? Group Policy.

Which is too bad. I mean, sure. If you have a killer software deployment tool already; then, yes, you should use it. I’m not saying "Don’t use it." I am, however, saying, that there are plenty of reasons you might want to use Group Policy to perform your next Office deployment.

First.. it’s free.
Second, it works.
Third, while there are multiple steps (12 steps to be exact) they are very straightforward. (If you know the steps, and do it in the right order.)

It’s straightforward in the same way that putting together a computer from scratch is straightforward. It’s not hard; you just need to know how to do it and get a few tips along the way.

So, of the 353 pages in the guide I just pointed you toward, exactly FOUR pages focus on deploying Office using Group Policy. FOUR. F-O-U-R. Four. Four pages on deployment.

The bad news: I’m sorry. The doc just doesn’t spell it all out to ensure you’re not going to fail.
The good news: There are lots of tips on specific policy settings to use for, say, Outlook, Excel, and the like. Those are neat and helpful.
The best news: If you want to deploy Office 2010 or 2013 using Group Policy, I cover this topic in easy-to-follow detail in my "Jeremy’s 12 Step Office Deployment Program" in my LIVE and ONLINE Group Policy Training.

(Note: "Jeremy’s 12 Step Program" not to be confused with other helpful 12-step programs.)

Yep, in about an hour, I show you exactly how to deploy either Office 2010 or Office 2013, giving you the exact step-by-steps and tools and scripts you need to make this happen. Then, here’s what happens next: You try it out for yourself and see if you can do it in the lab, with me there ready to help you if you trip up.

Look, I know deploying Office 2010 or 2013 using Group Policy isn’t for everyone. Use the guide I pointed you toward for tips on Office 2013 deployment regardless of how you deploy. I think it’s a good guide with helpful stuff.

But if you want to learn how to really deploy Office 2010 or 2013 using Group Policy, I’ll see you in class.

For my USA peeps…

I’ll be teaching my 5-day FULL Group Policy Master Class (Dec 3 – 7) in Tampa, FL
Click here: to check it out and/or secure your seat. We DO still have some seats left (down to seven), and we DO give discounts if you bring 3+ people or become a PolicyPak customer before your class. Call 215-391-0096 for POs or to check on discounts.

For my UK, Scandinavian, and European friends…

I’ll be teaching my 3-day ACCELERATED Group Policy Master Class (Nov 13 – 15) in Sweden. (Click here:
The super-general outline on the page is in Swedish.

To be clear: The Office 2010 / 2013 talk & lab is NOT included in this accelerated class. But I’ll make the lesson from my Online University available to anyone in the class who wants it as a free bonus for attending !

So, I don’t speak Swedish, so I’ll be teaching in English. This is an AMAZING opportunity to get the training you’ve always wanted, faster, from me, without a huge expense. If you only speak English like me, then CALL them at +46 08 10 20 00 and they will save you a seat. Also: if you want my full ACCELERATED class outline for this class, email me directly. It’s not specifically on the site.

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

Oct 2012

ManageEngine ADManager Plus - Free AD Utilities to Try

The Internet is full of free Active Directory tools out there. Some are worthwhile, some aren't.

I kind of like it when companies provide free tools. Of course, they do it to increase brand awareness for their pay tools.

But that's okay by me if the tools work and do some magic that would be hard for me to do on my own, without looking up commands, functions, and tons of documentation with lots of steps.

My friends at ManageEngine offer a packaged suite of free AD tools called ADManager Plus. Most of these tools center around the objective of simplicity. They take cumbersome or annoying AD tasks and make them simple and straightforward. All of the tools in ADManager Plus are based on PowerShell cmdlets. This requires PowerShell to be installed on the machine where these tools are run. Most of the tools list the PowerShell cmdlet the tool is based on if you prefer to simply use PowerShell. The entire suite installs in less than a minute and is very intuitive to use right from the get-go.

Let's take a look at three tools in their set. The set can be downloaded here.

Note: It should be noted that ManageEngine does advertise on, but this is an independent and hopefully un-biased review. Besides, these are free tools. How can you go wrong?

Domain Controller Roles Reporter

The first free tool is their Domain Controller Roles Reporter. We all know the traditional but complex process of opening up three separate AD tools (AD Users and Computers, AD Schema and AD Domains and Trusts) to figure out which DCs host the five operations master roles as well as which servers act as global catalog servers. Instead of utilizing multiple tools, Domain Controller Roles Reporter lists each DC in your AD structure as well as their assigned roles, all in one easy-to-view list. Imagine obtaining all of your DC roles in less than a minute. That is easily obtainable with this tool. Although my demonstration domain consists of only one domain controller, you can get the drift of this easy-to-use utility in the screenshot below.


Active Directory Replication Manager

Another great simplifying tool is their AD Replication Manager.

Any domain administrator knows the rigmarole of using AD Sites and Services to replicate designated DCs within their domain structure. Again, ManageEngine offers you a simple design in this utility. With the single click of a mouse, one can replicate all of the DCs within your domain or even forest. It will even allow you the ability to replicate any two DCs of your choosing whether they are assigned as AD Connectors or not. Each of these capabilities is illustrated in the screenshots below.




Last Logon Reporter

The Last Logon Reporter may be the standout of the bunch.

Every administrator has been asked at some point within an organization about when the last time a particular employee logged onto the network.

In an AD environment consisting of many domain controllers, this can be a time-consuming task. Just trying to find which domain controller the user last logged onto is time consuming enough. Once again, ManageEngine provides a one-stop utility that allows you the ability to retrieve the information you need quickly and efficiently. Below is a demonstration of the simple two-step process that provides you with the last logon time for any user in your domain.
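For readers who prefer plain PowerShell, here is what the many-DC problem looks like in script form. This is an added example, not ManageEngine's code and not from the original post; the function name `Get-TrueLastLogon`, its `-Query` hook, the `jdoe` account and the `corp.example` host names are all assumptions made for illustration.

```powershell
# Added example. Live use needs the ActiveDirectory module (RSAT).
# lastLogon is stored per domain controller and is not replicated, so the
# true value is the newest one found across all DCs.
function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        # Defaults to every DC in the current domain.
        [string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName,
        # Hypothetical hook: how to read lastLogon from one DC.
        # Replaceable so the merge logic can be run offline.
        [scriptblock]$Query = {
            param($Dc, $Sam)
            (Get-ADUser -Identity $Sam -Server $Dc -Properties lastLogon -ErrorAction Stop).lastLogon
        }
    )

    $perDc = foreach ($dc in $DomainControllers) {
        try {
            $raw = & $Query $dc $SamAccountName
            [pscustomobject]@{ DC = $dc; FileTime = [int64]$raw; Error = $null }
        } catch {
            # An unreachable DC means the answer may be incomplete; record it.
            [pscustomobject]@{ DC = $dc; FileTime = [int64]0; Error = $_.Exception.Message }
        }
    }

    # 0 (or empty) means the user never authenticated against that DC.
    $newest = $perDc | Where-Object { $_.FileTime -gt 0 } |
        Sort-Object -Property FileTime -Descending | Select-Object -First 1

    [pscustomobject]@{
        User         = $SamAccountName
        LastLogonUtc = if ($newest) { [DateTime]::FromFileTimeUtc($newest.FileTime) } else { $null }
        AnsweredBy   = if ($newest) { $newest.DC } else { $null }
        DCsQueried   = @($perDc).Count
        DCsFailed    = @($perDc | Where-Object { $_.Error } | ForEach-Object { $_.DC })
    }
}

# Constructed sample data (not real DCs or logons) so the example runs
# without a domain. dc4 is missing on purpose to show the failure path.
$sample = @{
    'dc1.corp.example' = ([datetime]'2013-01-08 09:15').ToFileTimeUtc()
    'dc2.corp.example' = ([datetime]'2013-01-14 17:42').ToFileTimeUtc()
    'dc3.corp.example' = 0
}
$offlineQuery = {
    param($Dc, $Sam)
    if (-not $sample.ContainsKey($Dc)) { throw "cannot contact $Dc" }
    $sample[$Dc]
}
Get-TrueLastLogon -SamAccountName 'jdoe' -Query $offlineQuery `
    -DomainControllers 'dc1.corp.example','dc2.corp.example','dc3.corp.example','dc4.corp.example'

# Against a real domain: Get-TrueLastLogon -SamAccountName 'jdoe'
```

A non-empty `DCsFailed` list means the reported time is only a lower bound, which matters if the result feeds a stale-account cleanup or an investigation timeline.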





Terminal Session Manager

How many times have you attempted to use the Windows RDP client to connect to a remote server, only to be informed that the server has exceeded the maximum number of allowed connections? You then had to access the terminal services manager for that server from another machine in order to log the sessions off.

ManageEngine's Terminal Session Manager will search your network for remote sessions and list them all, again in one viewable list. You can then obtain information concerning any of these sessions and either disconnect them or log them off. This two-step process is outlined below.



Believe it or not, we've barely scratched the surface in covering all of the great applications that make up the ADManager Plus suite.

Other tools include a Password Policy Manager, a Local User Management utility and a DC Monitoring utility. Other applications help identify AD object name duplicates and empty passwords, and we still haven't covered them all. ADManager Plus may be free, but it offers definite value to the network administrator today who will find at least one of these tools a fantastic addition to their network administrator tool belt.

Hope you like the tool roundup !

Sep 2012

7 Things I think you’ll like this week

Team: This is a variety pack of interesting stuff. Here goes..

Item 1: My Group Policy Master Class in Florida is ON. That is, we have enough people signed up to run the class, and I’ll be there with bells on. (See the end of this email for signup details.)

Item 2: Are you following me on Twitter? Why the heck not? I have two accounts (one for each of my two lives): jeremymoskowitz and policypak. Don’t miss out on the direct line to my brain.

Item 3: Article on how the most common fingerprint reader software can be “worked around” by the bad guys.

I like what the security team found, but it misses the fact that if the machine was using BitLocker (see my previous musings on BitLocker) then this attack would not be possible. To perform this attack, the user would need to boot OUTSIDE of Windows (say, using Windows PE or a Linux boot disc) then get the information that way.

Item 4: New eBook by my pal Darwin Sanoy.

I’d say something like 40 – 70% of organizations are jumping from 32-bit XP to 64-bit Windows 7. In my estimation there’s very little reason not to.

But, there are some pitfalls associated with 64-bit Windows and the applications which run on them.

So, Darwin came out with this eBook called: Under the Microscope: Deploying and Supporting Applications on 64-bit Windows


When I reviewed the book, I told him to price it at $29.99, then another $20 for the lab manuals. But he must have messed up and priced the whole kit and caboodle instead, at $9.99.

Darwin: If you’re reading this man, personally, I don’t get it. $9.99 is waaaayy too little to charge for all the awesome stuff in this book.

The eBook is 95 pages, and jam packed with stuff I, personally, didn’t even know existed. So, I love that. Thanks Darwin.

That link again is . Get a copy.

Item 5: Windows Server 2012 is out.

You can download the evaluation ISO or VHD here:

Item 6: A neat free ebook on Windows Server 2012 is out.

Introducing Windows Server 2012 (RTM Edition).

Item 7: I like this article from Greg Shields:

“We’re not allowed to access GPPs [Group Policy Preferences] because they’re handled by the Active Directory team.” is what Greg Shields hears all the time.

If this is your problem: Read this article, print it out, hand it to the boss, then ask him nicely if you can get the Group Policy training you need.

Where you ask? (See next note!)

Final thoughts..

Okay Team… my next class is in Tampa, Florida. December 3 – 7.

Sign up here:

Again, the class is on, dittily on, neighborino. So, get on a plane or hop in a car, and get your butt trained in Group Policy awesomeness already.

Yes, you’ll learn all you need to know for XP, Windows 7 and Windows 8. Yes the class is fully guaranteed. Yes, it’s me teaching the course. Yes, the costs are right on the webpage. Yes, we can give you a discount if 3+ people from your company show up. No, you cannot have any drinks from my mini-bar in my hotel room.

Instead of thinking of all the reasons you CANNOT come to the class… turn it around.

Think of all the amazing skills and knowledge you’ll have when you return.

You’ve always wanted to take my class. If you have to move a mountain or two to get here, will it be worth it?

See you in class.

-Jeremy Moskowitz

PolicyPak Software

Aug 2012

Sometimes, you gotta ask the duck.

I was going to entitle this blog post What the duck?

But I thought better of it.

Here's the deal: People often ask me how to troubleshoot things. Very, very specific things.

Instead, let's take a step back and talk about two (similar) techniques to get YOUR troubleshooting skills better aligned.

Method one: What do you think?

In Galaxy Quest, this was a deleted scene. But I loooove it. At 1 minute and 10 seconds to 2 minutes 14 seconds in, Tech Sergeant Chen is being asked how to fix "something". It doesn't really matter what that SOMETHING is.

Watch how he handles it end to end

How to actually perform troubleshooting (1 minute 10 seconds to 2 minutes 14 seconds.)


Yes, laugh at it of course.. but there's some actual validity to what is going on here. By simply asking "What does that mean?" during a crisis, you can quickly get to the bottom of many, many issues and find the root causes of a world of problems.

This very recently helped me troubleshoot a problem on my web site, but can be used for just about anything.

Method two: Ask the duck?

I had never heard of this one before, but fan John Straffin pointed this out to me when he wrote in and said he had an Ask the duck moment.

I had NO idea what he was talking about, but he pointed me toward this Livejournal entry: 

and this Wikipedia entry:

Reading it says it all. In short, re-explaining your challenge to a fake friend can help reframe your brain and make discoveries in all kinds of unique ways.

Now, I Ask the duck all the time.

Aug 2012

BitLocker .. it ain't just for Laptops


I went to the doctor today. Nothing major. (Cough, cough.)

Anyway.. I’m walking down the hall, and I see this:

Look closely at the door name: Nope, nothing special in THERE.
Then, look toward the handle. Yep… KEY in the DOOR.

That’s okay. It’s only my personal medical records in there. No biggie, right? Sigh.

So, this got me thinking about, ya know.. being Evil.. which I am not.. and none of you are. (Little known fact: Everyone on and goes thru a strict pre-screening regimen to ensure only "Non Jerkfaces" are getting these tips, thoughts, and updates.)

Anyhoo.. seeing this totally unlocked and MARKED door made me think about what it would take to be Evil if I wanted to.

And the most evil thing I could think of, was taking a drive out of a server. (No, I didn’t go in the door, and don’t know if that’s possible without a screwdriver.)

Some servers use RAID of course, which stripes the data across multiple drives. Could stealing just one drive mean I get anything? Well, with enough elbow grease I suppose I could go "block level" on that drive and see what I could find. Not easy, but, hey, possible…at least PLAUSIBLE.

So this is making me think about how to protect against "Un-Jeremy" stealing a server disk.

The answer is simple: BitLocker.

If I stole a drive in the 60 seconds it took me to make the photo, I would have $100 in metal, and not much else.

I know people think of BitLocker as a great idea for LAPTOPS. No brainer, sure.

But desktop and servers are equally vulnerable, honestly.. they’re just LESS PORTABLE.

Yes, you may have some physical security.. but.. that’s possibly circumventable. (How many times have you seen the cleaning crew in a bank branch late at night? Here in Philly at least, it’s ALL THE TIME ! No joke.)

So you could have "theoretically high" security, but still "circumventable security."

BitLocker in Windows 8 and Server 2012 has some new features, which make me pretty happy. For my own systems, I use BitLocker, but the big pain in the neck is WAITING for a drive to FULLY BitLocker itself. Windows 8 now can use "Used Disk Space Only" .. which is awesome when I throw a new 1TB drive up.

For desktop and servers, there’s "Network Unlock" which also auto-unlocks machines as they boot (when they see that they’re on the network.) If they’re OFF the network, those drives, once again, become $100 pieces of metal.
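To see which volumes on a desktop or server would still be readable if the drive walked out the door, the check below classifies BitLocker volume records. It is an added example, not from the original post: the function name `Get-BitLockerGap` is an assumption, and the sample volumes are constructed so the logic runs on any machine.

```powershell
# Added example. On a real Windows 8 / Server 2012 machine, run elevated
# and feed it live data instead of the sample:
#   Get-BitLockerVolume | Get-BitLockerGap
function Get-BitLockerGap {
    param([Parameter(ValueFromPipeline = $true)]$Volume)
    process {
        # Key protector types present on this volume, as plain strings.
        $types  = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $issues = @()
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $issues += 'protection is off: data readable if the drive is removed'
        }
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $issues += "volume status is $($Volume.VolumeStatus)"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $issues += 'no recovery password protector'
        }
        [pscustomobject]@{
            MountPoint    = $Volume.MountPoint
            VolumeType    = "$($Volume.VolumeType)"
            # TpmNetworkKey is the protector type used by Network Unlock.
            NetworkUnlock = ($types -contains 'TpmNetworkKey')
            Issues        = $issues -join '; '
        }
    }
}

# Constructed sample records shaped like Get-BitLockerVolume output:
# a protected OS volume with Network Unlock, and an unprotected data volume.
$sampleVolumes = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        ProtectionStatus = 'On'; VolumeStatus = 'FullyEncrypted'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'TpmNetworkKey' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'Data'
        ProtectionStatus = 'Off'; VolumeStatus = 'FullyDecrypted'
        KeyProtector = @()
    }
)
$sampleVolumes | Get-BitLockerGap | Format-List

# Closing the gap on a new data drive with the "Used Disk Space Only" mode
# mentioned above (run elevated; D: is a placeholder):
#   Enable-BitLocker -MountPoint 'D:' -UsedSpaceOnly -RecoveryPasswordProtector
```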

So, in short, if you’re hesitant to consider BitLocker for DESKTOPS and SERVERS.. reconsider, then start thinking about it.

I did.. in the 60 seconds it took me to take that photo.

PS: Class is filling in nicely in Tampa, FL. Smart, good looking NON-Evil people like you are joining up to learn more about managing Windows 7, 8, Server 2008 and 2012. Tampa, Florida, December.. Be there:

Q&A: Yes we take POs. No we cannot "save" a seat for you without a CC or PO. Price is right on the website. Yes, we do group discounts. Call Laura at 215-391-0096 for help with a PO or group. Yes you will get smarter. No it’s not boring. Yes, it’s me teaching. Yes, you will be tired and loving every second of it. Yes, you could possibly get a raise after taking the class because you’re smarter (no guarantees.)

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

Jun 2012

Group Policy Powershell for Beginners and Experts

Folks.. People are asking me how to learn more about Group Policy + PowerShell.

Well, at TechEd 2012, I worked with Jeff Hicks (PowerShell MVP) to give a one-two combo talk on Group Policy + PowerShell.

First, here is a link to the whole darn talk… !

Next, here's a link to Jeff Hicks's page which has the Show Notes.

Lastly.. Here are some fun pictures. Jeff played the part of Professor PowerShell and I played the part of The Pointy Haired Boss.

PS: This talk mentions my Group Policy Health Check service.. which can help orgs of all sizes reduce login times, increase security, and figure out precisely what you're doing right and wrong with GP. Make contact by clicking here.


Jun 2012

TechEd 2011 US WrapUp


I am back from TechEd Orlando, and … Holy Moly.. I cannot fathom how much "stuff" goes on at TechEd every year.

First.. THANK YOU to everyone who I met in person, came to my talks and got to spend some time with. You guys really make TechEd fun for me.. because the amount of work leading up to TechEd is backbreaking. Thanks for being so .. great !

So, at TechEd, in my own little piece of the TechEd world, I had FOUR "duties."  Three speeches and a book giveaway and signing. I have pictures from two of these events:

Here are pictures from the Viewfinity Book Signing Event:

Yes.. that’s the line.. and EVERYONE got a copy of my Group Policy book for Windows 7. Killer !
The best part was.. MOST people were already part of the Team, and knew when and where to be there.. Awesome !

Also, super fun, was my speech with Jeff Hicks, PowerShell MVP. Jeff played the part of "Professor PowerShell." I played the part of the "Pointy Haired Boss." Here are the pics:

If you couldn’t make TechEd Orlando, I hope to see some of you in TechEd Europe.

If I won’t see you NEXT week, here are two other things you might want to check out THIS WEEK:

1) Tomorrow .. Tuesday, June 19th … for those in my local area (like 100 miles of Philadelphia) I’ll be speaking at the "GR8 Exchange Lync & System Center Conference." It’s not free, but it’s a really good deal at only $179. Me and lots of other speakers I think you’ll like. Check it out here:

2) Also Tomorrow.. Tuesday, June 19th… My friends at Avecto are having a webinar that DOESN’T have me. But, it looks interesting anyway, so I thought I would share. 10.00 AM EST.

Okay… Thanks Team.. and.. talk with you soon !

PS: I got a tremendous amount of feedback from my speeches at TechEd. Here’s my favorite comment:

Mr. Moskowitz is a fantastic presenter, and an absolute treat to see. His presentation showed me ideas I’ve never thought of implementing before, and now I’m VERY eager to use them at my business (although I don’t think my users will be as enthusiastic!) Thanks, Mr. Moskowitz!

Thanks whoever-you-are ! If you’re interested in getting me at your own organization for a private class, please email me, and make contact. I’ve got some available dates now that TechEd is over, but I’m assuming those dates will fill up fast.

Thanks !

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

May 2012

Warning: Group Policy Isn’t just for Swedes !

Sweden was… AWESOME ! And now I’m back and ready to kill it here in the USA.

While I was away in Sweden.. something magical happened. We had 10 people already sign up for the Salem, OR class. Holy crap. Maybe the fastest "ON" we’ve ever had. So.. um… don’t wait if you’d like to get smarter in Win7 / Win 8 / Security / GPOs and have some fun. (

So, in Sweden, I recorded a podcast in front of a super nice and warm live studio audience.

Special thanks to my hosts at (Michael Anderberg, and Johan Person, Michael Nystrom), who were super awesome to me during my time there. In this podcast you’ll learn:

– What it’s like to be an MVP (and if there’s a secret handshake).

– Why I got started diving deep into Group Policy.

– Why my childhood helped me become the GP geek I am.

– Learn a GP trick to .. um… be an Evil Genius. (Don’t do this.)

– What the big secret of GP is, that most people don’t know.

– What GP does GREAT and also NOT so great (and how to fix it.)

And.. like lots of other fun stuff.

The link is…

Enjoy.. ! And leave a comment / Tweet it. And, if you’re not following me on twitter.. whatruwaitingfor ?

Twitter: jeremymoskowitz