MDM & GP Tips Blog

May 2012

Warning: Group Policy Isn’t just for Swedes !

Sweden was… AWESOME ! And now I’m back and ready to kill it here in the USA.

While I was away in Sweden.. something magical happened. We had 10 people already sign up for the Salem, OR class. Holy crap. Maybe the fastest "ON" we’ve ever had. So.. um… don’t wait if you’d like to get smarter in Win7 / Win 8 / Security / GPOs and have some fun.

So, in Sweden, I recorded a podcast in front of a super nice and warm live studio audience.

Special thanks to my hosts (Michael Anderberg, Johan Person and Michael Nystrom), who were super awesome to me during my time there. In this podcast you’ll learn:

– What it’s like to be an MVP (and if there’s a secret handshake).

– Why I started diving deep into Group Policy.

– How my childhood helped me become the GP geek I am.

– A GP trick to .. um… be an Evil Genius. (Don’t do this.)

– The big secret of GP that most people don’t know.

– What GP does GREAT and also NOT so great (and how to fix it).

And.. like lots of other fun stuff.

The link is…

Enjoy.. ! And leave a comment / Tweet it. And, if you’re not following me on twitter.. whatruwaitingfor ?

Twitter: jeremymoskowitz

Jan 2012

Clean Naming for GPOs (Notes from the field): Part II


I wanted to share with you some of your peers’ humble suggestions for Group Policy naming. Again, what works for THEM might NOT work for you, but at least it can give you some food for thought.

From Ondrej in Slovakia:

I use names for GPOs and I think it’s a good way to have them this way:

-    GPO – to make unique name for GPOs
-    RDS – name of part of change (Remote Desktop Services)
-    APP – managing APPlication (Software Restriction)
-    Office2010 – name of application
-    V01 – version of GPO

-    GPO – to make unique name for GPOs
-    DisableIPV6 – short accurate name of changes in GPO
-    V01 – version of GPO

I think it’s very good to have versioning of GPO policies. When I change a GPO I increase the version number, and I keep at most 2 older GPOs just for history, to help find out the changes I made.


From Charl in South Africa

who has 2,000 GPOs !

(edited a little for clarity):

"Here’s what we do:

-If the policy is domain linked, the GPO will start with the name of the domain it’s in; this works very well if you have multiple domains.

– For the GPOs linked to our old servers structure we kept the names as starting with "Servers" and these are slowly being migrated to the new servers OU structure and the names for these GPOs start with NS (New Servers – OK, it’s actually my company’s name that starts with an N, followed by S for servers).

– The OU is "Nxxxx Servers". Next up is the GPOs linked for the XP OUs and they start with XP and similarly the Windows 7 GPOs start with NUW (Again, first letter of my company’s name being an N followed by U and W which stands for Users and Workstations).

– The next part of the name is followed by a dash (-), C and/or U and then another dash (-). This indicates whether the GPO has the Computer, User or both nodes enabled.

– The next part of the name indicates what the function of the GPO is and if there are multiple functions, these are separated by commas (,).

– Lastly, the name ends with a colon (:) followed by the department who ‘owns’
this GPO, i.e. Security, ServerOps, End User Computing, etc. Again, we only have about 5 owners.

So, on a daily basis I use the GPMC scripts to dump all the GPO names into a single file, DTS/SSIS then loads it into SQL, and then the fun starts:

– By using the dashes, commas and colons as separators, I can see with a stored procedure which GPOs do not have owners, as there is no colon and one of the owners defined after the colon, and which GPOs do not indicate whether they are Computer, User or both nodes-enabled GPOs.

– I can see which GPOs do not conform to the proper naming convention. If it does not start with one of the five top-level GPO names, I know immediately that I have a problem.

– Digging a bit further (all automated now!) I can even see who made a GPO and indicated it is a Computer GPO, but the User node is still enabled. The exception reports only run IF something is wrong, and the GPO guys from Server Ops know that Big Daddy from Security is watching them.

– For GPOs linked lower down, we use the abbreviations of the child OUs in the GPO name as well just after the top-level name.

So, by looking at a GPO name, I can identify where it is linked, whether it is Computer/User/both, its function and its owner. Here’s an example:

I.e. XP-C-Power management, Screensaver lockdown:SO

I can quickly parse this, and see that the GPO is linked to OU containing XP machines, Computer node enabled, sets power management and screensaver and belongs to Server Ops.

How’s that for being empowered?"

Jan 2012

A Clean naming Convention for GPOs

Many people ask me: Is there an ideal way to name GPOs?

Well, yes and no.

First, the big problem is that the swimming pool where the GPOs live, that is, the Group Policy Objects node in the GPMC, just sort of all runs together. One big blaaaah of all the GPOs.

So, first off, there is no way to partition or organize them. They’re all just there.

Therefore, having a naming convention that works for your company could prove to be a lifesaver.

There’s no right or perfect way to name a GPO. One suggestion is a four-part naming convention.

Part I: The Where.

Part II: The What.

Part III: The Who

Part IV: The Type.

For instance a GPO might be in charge of opening Port 123 on Sales Computers. Great. So, here's a name I might use:

EAST SALES COMPUTERS Firewall Open Port 123 (C) – JeremyM

All four elements are there. And in the Group Policy Objects list, all the GPOs are listed alphabetically, so you’ll see each Where together quickly. The (C) tells me that the C-omputer side of the GPO is used and not the user side. The name on the end shows who is the ultimate owner of the GPO, or who is in charge, or who to contact for issues or updates. (You could also put this in the GPO comment field.) One caveat: the (C) is only a label. If you really want the user side skipped, also set the GPO’s status to "User configuration settings disabled" in the GPMC, and keep the label and the status in sync; a GPO whose name says (C) but still has both nodes enabled is processed at every user logon for nothing, and is exactly the kind of drift worth reporting on.

Another perfectly fine choice is to re-arrange the parts. Like:

(C) EAST SALES COMPUTERS Firewall Open Port 123 – JeremyM

This will sort with all the Computer-side GPOs grouped together first, then, WITHIN that, all the EAST SALES COMPUTERS linked GPOs.

Again you're welcome to have the names be anything you want.. just note that whatever's first that's what's sorted upon based upon Alpha. Having all four elements makes things a lot easier, in this guys opinion.

A final trick here is that sometimes I use an underscore character _ to signify GPOs which are domain linked or are special in some way. For instance, _PolicyPak License GPO Expires 1-1-14 will bubble up to the top, easily seen by everyone, because the GPMC’s Windows locale-aware sort puts the underscore BEFORE the letter A. (If you dump the names into a script or database that sorts by plain ASCII ordinal, the underscore lands after the capital letters instead, so use a locale-aware sort there too if you want the same order.)

What’s your naming convention? Shoot me an email with your solution. Thanks !
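Here is an added example (my own code, not from this post or from Charl) of the kind of exception report Charl described in Part II, written against the four-part "WHERE What (C|U|CU) – Who" convention above. It parses each GPO name, flags names that don’t fit, and cross-checks the (C)/(U) marker against the GPO’s actual GpoStatus, the "name says Computer but the User node is still enabled" drift. The GPO list in the block is constructed sample data; on a real domain feed it Get-GPO -All from the GroupPolicy module (RSAT).

```powershell
# Added example: GPO naming-convention checker with marker-vs-GpoStatus cross-check.
# The sample GPO list is constructed; swap in Get-GPO -All for real data.

# WHERE is one or more ALL-CAPS tokens, the marker is (C), (U) or (CU),
# and the owner follows a hyphen or en dash. -cmatch keeps the match case-sensitive.
$NamePattern = '^(?<Where>[A-Z0-9]+(?: [A-Z0-9]+)*)\s+(?<What>.+?)\s+\((?<Type>CU|C|U)\)\s+[-–]\s+(?<Who>\S.*)$'

# What GpoStatus should report for each marker
$ExpectedStatus = @{
    'C'  = 'UserSettingsDisabled'
    'U'  = 'ComputerSettingsDisabled'
    'CU' = 'AllSettingsEnabled'
}

function Test-GpoNaming {
    param([Parameter(Mandatory=$true)][object[]]$Gpo)
    foreach ($g in $Gpo) {
        $name = $g.DisplayName
        if ($name -cmatch $NamePattern) {
            $type   = $Matches['Type']
            $status = [string]$g.GpoStatus
            if ($status -eq $ExpectedStatus[$type]) {
                $verdict = 'OK'
            } else {
                $verdict = "MARKER MISMATCH: name says ($type) but GpoStatus is $status"
            }
            New-Object PSObject -Property @{
                Name = $name; Where = $Matches['Where']; What = $Matches['What']
                Type = $type; Who = $Matches['Who']; Verdict = $verdict
            }
        } else {
            New-Object PSObject -Property @{
                Name = $name; Where = $null; What = $null; Type = $null; Who = $null
                Verdict = 'DOES NOT MATCH CONVENTION'
            }
        }
    }
}

# Constructed sample data, shaped like Get-GPO output (DisplayName + GpoStatus)
$SampleGpos = @(
    (New-Object PSObject -Property @{ DisplayName = 'EAST SALES COMPUTERS Firewall Open Port 123 (C) - JeremyM'; GpoStatus = 'UserSettingsDisabled' }),
    (New-Object PSObject -Property @{ DisplayName = 'WEST HR USERS Screensaver Lockdown (U) - Charl';            GpoStatus = 'ComputerSettingsDisabled' }),
    (New-Object PSObject -Property @{ DisplayName = 'EAST SALES COMPUTERS Disable IPv6 (C) - Ondrej';           GpoStatus = 'AllSettingsEnabled' }),   # says (C), user side still on
    (New-Object PSObject -Property @{ DisplayName = 'Default Domain Policy';                                    GpoStatus = 'AllSettingsEnabled' })    # not in the convention
)

Test-GpoNaming -Gpo $SampleGpos |
    Select-Object Verdict, Where, Type, Who, Name |
    Format-Table -AutoSize

# Against a real domain, exceptions only:
# Import-Module GroupPolicy
# Test-GpoNaming -Gpo (Get-GPO -All) | Where-Object { $_.Verdict -ne 'OK' } | Format-Table -AutoSize
```

The regex is the convention, so if your parts are in a different order (the "(C) first" variant above, or Charl’s "OU-C-Function:Owner" scheme) change the pattern, not the checker. The cross-check is the part worth keeping whatever the naming scheme: a name is documentation, GpoStatus is what the client actually processes, and the two drift apart unless something reports on it.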

Dec 2011

Office 365 - Lync download (broken. Annoying.)

If this saves you an hour, I have done my due diligence.

In short, if you’re trying to get a new Win7 machine going with Office 365, installing the Lync client is the first step.

Except the download won’t "start."


I even ran Process Monitor against it to see what it was doing, and the install is in an endless loop looking for an MSI registry key that doesn’t exist.


Well, there IS a workaround, but I had to dig for it.

Look for a nice post from a helpful Microsoftie here. This helped me out, and hope it will help you out too.

Nov 2011

Managing XenApp using Group Policy - Part I

I’ve been playing with XenApp 6.5 the last couple of weeks. I’ve been thinking a lot about Group Policy with regards to Citrix and XenApp servers. Really, there are two pieces:

  1. Managing Applications and settings for users on XenApp servers … and…
  2. Managing the XenApp servers themselves.

This is just part I: Managing Applications and Settings for Users on XenApp Servers.

Managing Applications and Settings for Users on XenApp Servers Using Group Policy

One of the things that people ask me over and over again is… "On my Citrix XenApp servers, is there any way to manage my common applications’ settings using Group Policy?"

Here are the three normal ways you can do this:

Application Has an ADM/ ADMX template

Unless the application has a managed way to deal with its settings (an ADM or ADMX template) you’ve got a problem. Office applications have ADM templates. Great. But name five other applications with ADM or ADMX templates.

In short: You can’t.

Managing XenApp Applications Using GP Preferences

In some circumstances, you could use Group Policy Preferences Registry items if you knew exactly which registry value the application reads (and if the setting lives in the registry at all).

Here’s a blog entry from Mr. XenApp Blog (Eric Haavarstein) on exactly how to do this. And he shows how to use a tool from fellow Enterprise Mobility MVP Mark Heitbrink which converts registry tweaks into GP Preferences Registry items. Awesome !

So, the blog entry is:

And Mark’s tool is found here:

True Application Lock Down PLUS non-Registry based Applications

I like the tip from Eric and the tool from Mark. They’re great if that’s all you need to do.

But they DO have some major limitations. How do you still perform:

  • Dynamic changes if you want to. Do you know which specific entry to tweak if you needed to make a simple change? Ouch. Painful.
  • True lock down so users can’t work around your settings? You can’t do that with Group Policy Preferences. A Preferences item writes the value again at the next refresh, but in between, users can just change the setting you put down.
  • File-based applications like Firefox, OpenOffice, Flash Player, or others? You can’t manage those with Group Policy Preferences Registry items (since their settings don’t live in the Registry).
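The "users can just change it" point is easy to see for yourself. Here is an added example (my own code, not from the post) that tries to write a throwaway value into two HKCU locations: an ordinary application key of the kind a Preferences Registry item targets, and the HKCU\Software\Policies tree where ADM/ADMX policy settings land and which the default user hive ACLs read-only for standard users. The Office key path is illustrative and may not exist on your machine; run the probe as a standard (non-admin, non-elevated) user or the result tells you nothing.

```powershell
# Added example: is this registry key a "default" the user can overwrite, or a lock?
# Run as a standard user. Key paths are illustrative.

function Test-UserCanWrite {
    param([Parameter(Mandatory=$true)][string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) {
        return New-Object PSObject -Property @{ Key = $KeyPath; UserCanWrite = $null; Note = 'key absent' }
    }
    $probe = '__lockdown_probe'
    try {
        # Try to create a value, then clean it up again
        New-ItemProperty -Path $KeyPath -Name $probe -Value 1 -PropertyType DWord -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $KeyPath -Name $probe -ErrorAction SilentlyContinue
        $w    = $true
        $note = 'user can overwrite this; a Preferences item here is a default, not a lock'
    } catch {
        $w    = $false
        $note = 'write denied (' + $_.Exception.GetType().Name + '); only policy or an admin changes this'
    }
    New-Object PSObject -Property @{ Key = $KeyPath; UserCanWrite = $w; Note = $note }
}

@(
    'HKCU:\Software\Microsoft\Office\14.0\Common',   # where a Preferences Registry item would write
    'HKCU:\Software\Policies'                         # where ADM/ADMX policy settings land
) | ForEach-Object { Test-UserCanWrite -KeyPath $_ } |
    Select-Object UserCanWrite, Key, Note |
    Format-Table -AutoSize -Wrap
```

Expect the first key (if present) to report UserCanWrite = True and the Policies key to report False. If the Policies key also reports True, you are running with an administrator token and the probe is meaningless; try again as a plain user.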

So what are you going to do?

Good news.

PolicyPak Software can do this. Big time.

Here is a video to show you exactly how you would do this.

The "cherry on top" is that PolicyPak is fully CitrixReady and also works with XenDesktop. Here’s a video for that too:

If you’re interested in trying this out for yourself, you’ll need to sign up for a demonstration. After that, you can get the download and give this a try yourself.

Oct 2011

Why isn't Group Policy Working on this Client?

Answer: Did You Check the DNS Configuration of the Client?

One of the most frequently encountered problems with Windows 2000 and above is that things just ‘stop working’ when DNS gets out of whack.

Specifically, if you’re not seeing Group Policy apply to your client machines, make sure their DNS client is pointing to a DNS server that hosts the Active Directory zone (normally a Domain Controller) or can resolve it. Clients locate a Domain Controller through the SRV records under _msdcs.<your domain>, so if the DNS server they ask knows nothing about those records, or they aren’t pointing anywhere, Group Policy will simply not be downloaded.

As a colleague of mine likes to say, ‘Healthy DNS equals a healthy Active Directory.’

Moreover, in the age of multiple forests and cross-forest trusts, Group Policy could be applying from just about anywhere and everywhere. It’s more important than ever to verify that all DNS server pointers are designed properly and working as they should.

For instance, if clients cannot access their ‘home’ Domain Controllers while leveraging a cross-forest trust, they won’t get Group Policy.

Finally, to put a fine point on it, DNS resolution for Active Directory relies on fully qualified names.

It’s not enough to verify that you can resolve a computer named xppro1; you also need to resolve its fully qualified domain name.

The first is actually the NetBIOS name and not the fully qualified domain name.

The second is the fully qualified domain name.

If you find yourself in a DNS resolution situation where resolving the NetBIOS name will work but the fully qualified name will not, then you have a DNS problem that needs to be addressed: the short name is being answered by NetBIOS (broadcast or WINS), not by DNS, and the domain’s SRV records will be just as unreachable as the FQDN.
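As an added example (my own script, not from the post), here are the checks above turned into something you can run on a Windows 7-era client that isn’t getting policy, using only what ships in the box: PowerShell 2.0, WMI, nslookup and nltest. It assumes the machine is domain-joined and reads the domain name from USERDNSDOMAIN; xppro1 is a placeholder host name.

```powershell
# Added example: DNS checks for a domain-joined client that is not getting Group Policy.
# Assumes PowerShell 2.0+ on a domain-joined box; 'xppro1' is a placeholder.

function Show-DnsClientConfig {
    # 1. Which DNS servers is the client actually using? They must reach a server
    #    that hosts the AD zone (normally a DC), not an ISP resolver.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, DNSServerSearchOrder, DNSDomain, DNSDomainSuffixSearchOrder |
        Format-List
}

function Test-DcLocatorRecords {
    param([string]$Domain = $env:USERDNSDOMAIN)
    if (-not $Domain) { throw 'USERDNSDOMAIN is empty; is this machine domain-joined?' }
    # 2. Clients find a DC through the SRV records under _msdcs, so resolving
    #    the domain's A record alone proves nothing.
    Write-Host "== SRV lookup for _ldap._tcp.dc._msdcs.$Domain =="
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
    # 3. Ask the DC locator for its own verdict (a DSGETDC error here means no GPOs either)
    Write-Host "== nltest /dsgetdc =="
    nltest "/dsgetdc:$Domain" 2>&1
}

function Test-ShortVsFqdn {
    param([string]$ShortName, [string]$Domain = $env:USERDNSDOMAIN)
    # 4. Short name vs. FQDN. GetHostEntry goes through the whole Windows resolver
    #    (DNS first, then NetBIOS/broadcast); nslookup talks to DNS only. A short name
    #    that resolves while the FQDN fails means DNS is not the one doing the work.
    foreach ($n in @($ShortName, "$ShortName.$Domain")) {
        try {
            $ip = ([System.Net.Dns]::GetHostEntry($n).AddressList | Select-Object -First 1).IPAddressToString
            Write-Host ("{0,-40} resolver: {1}" -f $n, $ip)
        } catch {
            Write-Host ("{0,-40} resolver: FAILED ({1})" -f $n, $_.Exception.Message)
        }
    }
    Write-Host "== DNS-only view of $ShortName.$Domain =="
    nslookup "$ShortName.$Domain" 2>&1
}

Show-DnsClientConfig
Test-DcLocatorRecords
Test-ShortVsFqdn -ShortName 'xppro1'
```

Read the output top to bottom: if step 1 shows a DNS server that isn’t a DC or a forwarder to one, stop there and fix that first; step 2 failing while step 1 looks right means the zone (or the _msdcs delegation) is missing the records; step 4 is the NetBIOS-versus-DNS test from the paragraph above.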

Oct 2011

I'm not perfect

But I do try.

Sometimes "imperfections" make it into my book. So, with that in mind, I’ve posted a list of the known errata for my Group Policy: Fundamentals, Security and the Managed Desktop book. It’s right here:

Also, for item #3, I created a video to show you how it’s done. Check it out here:

Enjoy, Thanks !

Sep 2011

Group Policy "Vocabulary"

Let’s take a step back and get some of the terminology of Group Policy down. I find that when I’m talking with IT folks, sometimes they “blur the lines” here and there.

I’m a “precise” kind of guy, so if you are too, hope you’ll enjoy these definitions.


() Group Policy: The mechanism in Active Directory which allows administrators to perform change and configuration management and policy-based management.

() Group Policy Object: This is the “noun” of Group Policy. The “thing” you create which allows you to make the control happen.

() Policy setting: This is one possible setting within a GPO you can perform. For instance, “Prohibit access to the Control Panel” is one Policy Setting.

() Enabled: One of the three usual settings within a policy setting. Enabled means “do this thing at this level.” So if you “Enable” something, you’re saying to “do it.”

() Disabled: Disabled can have several meanings. But usually it means “if set at a higher level, then un-do it.” For instance, if at the Domain Level you ENABLE “Prohibit Access to the control panel” then at the OU level you “Disable” it, you’re effectively reversing the setting.

() Group Policy Preferences: Sometimes called Group Policy Preferences Extensions. In the book I call these GPPEs or GPPrefs for short. GP Prefs are 21 new superpowers which add to the original 18 “in the box” superpowers.

() Item: Any time you create a new “thing” with GP Prefs, you create an “item.” Items can be Shortcuts, drive mappings, ODBC settings and a whole lot more.

() RSoP: Resultant Set of Policy. This is the “sum total” of all the settings a user or computer is supposed to get. You can run various tools to see RSoP reports, but not all reports work the way you would expect with the new GP Prefs.

() GPMC: Group Policy Management Console. There are several versions of this tool. The latest works on Windows 7 or Server 2008 R2.

() RSAT: Remote Server Administration Tools. Remember “Adminpak” for WS03? RSAT is kinda like the Adminpak, but it works on Win7 or Server 2008 R2 and has the newest GPMC.

() AGPM: Microsoft’s Advanced Group Policy Management tool. It’s an add-on to the GPMC you already know and love. It doesn’t add more “stuff” to the desktop, but adds “Change management” and workflow to Group Policy.

() Your secret place to get smarter in Group Policy. Pass it on. (Not everyone is on this super secret newsletter, but if you think they should be, please send them to where they can just sign up.)


This is GP 101.. If you’re ready to take your game to the next level, join us in San Francisco on Dec 5th 2011 for a 5 day intensive GP training workshop!

Aug 2011

Supercookies.. the ugly snack you can kill using Group Policy

Here’s the deal: You know what cookies are. They’re little text files which save little bits of data about you. Say, the username of your favorite website, when you click "Remember me."

When you clear out your Internet browser’s cache and cookies (say, in IE, Firefox, Chrome, etc.) you wipe these files out.

Poof. Easy.

But what if a website decided to do a handful of "evil things." First, let’s say they read these cookies on your computer. Next, they used these cookies to build a "profile" about you, then store that profile in a secret area that cannot be quickly cleared out.  So, here’s the one-two-three punch:

() Punch #1 — the "profile" part is built so they can target you with ads on things they know you’re searching for. Say, Diapers, Diamonds, or Disinfectants.
() Punch #2 — the "profile" isn’t stored in your web browser’s normal cookies location. It’s often stored in the local storage of something you likely have on every desktop: Flash Player (its "Local Shared Objects", .sol files under your user profile, which no browser’s "clear cookies" button touches).
() Punch #3 (theoretical): Sell your personal / company data to the REAL bad guys.

Ow ow ow ow ow.

So, yes, indeed. Flash Player has its own local storage that can be used to store data — any kind of data, like personal data.

Hence the term — Supercookies. Because when you "clear cache and cookies" you don’t clear this out.

Great ! Just what we need .. another computer threat !

Okay, so how do you prevent the threat? There are two kinds of people I want to give the answer to: NON-IT folks and IT folks.


NON-IT Folks:

This advice will help if you have a handful of computers, because you’ll need to run around to each machine.

Option 1: Control Panel

Go to your Windows Control Panel, type in the word Flash as seen here then click on the Flash icon that appears.



Then, on each computer change the setting to "Block all sites from storing information on this computer" as seen here.


Boom. No more supercookies.

Option 2 (Still for Non-IT folks, but untested.):

There’s a special web page you can go to which should perform the same thing — only it’s a web page, and not your real control panel.  I’ve read that this MIGHT work for some versions, and not for other versions, so I wouldn’t rely on it if you really needed to… but I’m adding it here for completeness. Here’s the page anyway (use at your own risk.)


IT-Folks (Protecting your enterprise)

So, I’m sure you know where I’m going with this if you’ve got a lot of computers to manage: Use Group Policy!

Problem time though… Flash has no ADM / ADMX template to manage. It turns out Flash keeps its settings in a weird place, in a weird format, and as a system file.

So, you can’t configure it with the "out of the box" Group Policy Administrative Templates.
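For the impatient IT folks, here is an added example (my own script, not from the post) of the "weird place, weird format, system file" the post refers to. Flash Player reads an administrator-level, plain-text mms.cfg from its install directory at startup, and that file can turn off local storage for every user on the machine, the same effect as the Control Panel "block all sites" setting. The directory and the two keys below are taken from Adobe’s Flash Player Administration Guide as I recall them (LocalStorageLimit 1 means no local storage; ThirdPartyStorage 0 blocks shared objects from third-party content); verify them against the guide for the player version you deploy. Because it is just a file, a Group Policy Preferences Files item or a computer startup script can place it on every machine.

```powershell
# Added example: write an mms.cfg that blocks Flash Local Shared Objects ("supercookies").
# Run from an elevated, 64-bit PowerShell so both plugin directories are reachable.
# Keys/values are from Adobe's Flash Player Administration Guide as recalled; verify for your version.

$FlashDirs = @("$env:windir\System32\Macromed\Flash",
               "$env:windir\SysWOW64\Macromed\Flash") | Where-Object { Test-Path -Path $_ }

$LockdownSettings = @(
    'LocalStorageLimit = 1'   # no persistent Local Shared Objects at all
    'ThirdPartyStorage = 0'   # nothing from content hosted by a third party
)

foreach ($dir in $FlashDirs) {
    $file = Join-Path -Path $dir -ChildPath 'mms.cfg'
    # Keep any unrelated lines already in the file; replace only the two we manage
    $existing = @()
    if (Test-Path -Path $file) { $existing = @(Get-Content -Path $file) }
    $kept = $existing | Where-Object { $_ -notmatch '^\s*(LocalStorageLimit|ThirdPartyStorage)\s*=' }
    Set-Content -Path $file -Value (@($kept) + $LockdownSettings) -Encoding ASCII
    Write-Host "Wrote $file"
}
if (-not $FlashDirs) { Write-Warning 'No Macromed\Flash directory found; is Flash Player installed?' }
```

Two practical notes: the file lives under the Windows directory, so standard users can’t undo it the way they can flip the Control Panel setting back; and on 64-bit Windows the 32-bit browser plugin reads the SysWOW64 copy, which is why the script writes both directories when they exist.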

Not to get all "commercial", but I created a video for you to see how lots of companies are handling this latest security threat.

Here’s the link:

TIP: If you’re truly impatient, fast forward to the 3:00 minute mark.

TIP 2: Sign up for one of my webinars and see how you can mitigate other security threats lurking in Acrobat, Java and other key components of your systems!

Here’s the link:


Talk soon!

Jeremy Moskowitz, Enterprise Mobility MVP