MDM & GP Tips Blog

Sep 2011

Group Policy "Vocabulary"

Let’s take a step back and get some of the terminology of Group Policy down. I find that when I’m talking with IT folks, sometimes they “blur the lines” here and there.

I’m a “precise” kind of guy, so if you are too, hope you’ll enjoy these definitions.


() Group Policy: The mechanism in Windows (and, at enterprise scale, in Active Directory) which allows administrators to perform change and configuration management and policy-based management of computers and users.

() Group Policy Object: This is the "noun" of Group Policy. The "thing" you create, and link to a site, domain or OU, which allows you to make the control happen. Under the hood a GPO is two halves: the GPC (an object in Active Directory) and the GPT (a folder in SYSVOL).

() Policy setting: This is one possible setting within a GPO you can perform. For instance, “Prohibit access to the Control Panel” is one Policy Setting.

() Enabled: One of the three states a policy setting can be in (the other two are Not Configured and Disabled). Enabled means "do this thing at this level." So if you "Enable" something, you're saying "do it."

() Disabled: Disabled can have several meanings, but usually it means "if this was set at a higher level, un-do it." Disabled is not the same as Not Configured: Not Configured leaves the setting alone, so whatever a higher-level GPO (or the machine itself) already has stays in force, whereas Disabled actively writes the opposite state. For instance, if at the Domain level you ENABLE "Prohibit Access to the Control Panel" and at the OU level you DISABLE it, the OU link is processed later and wins, so you're effectively reversing the setting.

() Group Policy Preferences: Sometimes called Group Policy Preference Extensions; in the book I call these GPPEs or GPPrefs for short. GP Prefs are 21 new client-side extensions ("superpowers") which add to the original 18 "in the box" superpowers.

() Item: Any time you create a new “thing” with GP Prefs, you create an “item.” Items can be Shortcuts, drive mappings, ODBC settings and a whole lot more.

() RSoP: Resultant Set of Policy. This is the "sum total" of all the settings a user or computer is supposed to get once every applicable GPO has been layered on in order. You can run various tools (gpresult, or the GPMC's Group Policy Results wizard) to see RSoP reports, but not all of them report the new GP Prefs the way you would expect.

() GPMC: Group Policy Management Console. There are several versions of this tool. The latest works on Windows 7 or Server 2008 R2.

() RSAT: Remote Server Administration Tools. Remember "Adminpak" for WS03? RSAT is kinda like the Adminpak, but it works on Win7 or Server 2008 R2 and includes the newest GPMC.

() AGPM: Microsoft's Advanced Group Policy Management tool. It's an add-on to the GPMC you already know and love. It doesn't add any new settings for the desktop; it adds "change management" (check-out/check-in, version history, and role-based approval workflow) to Group Policy.

() Your secret place to get smarter in Group Policy. Pass it on. (Not everyone is on this super secret newsletter, but if you think they should be, please send them to where they can just sign up.)


This is GP 101. If you're ready to take your game to the next level, join us in San Francisco on Dec 5th 2011 for a 5 day intensive GP training workshop!

Aug 2011

Supercookies.. the ugly snack you can kill using Group Policy

Here's the deal: You know what cookies are. They're little text files in which a website saves little bits of data about you. Say, the username for your favorite website when you click "Remember me."

When you clear out your web browser's cache and cookies (in IE, Firefox, Chrome, etc.) you wipe these files out.

Poof. Easy.

But what if a website decided to do a handful of "evil things"? First, say it reads these cookies on your computer. Next, it uses them to build a "profile" about you, then stores that profile in a secret area that cannot be quickly cleared out. So, here's the one-two-three punch:

() Punch #1 — the "profile" is built so they can target you with ads for things they know you're searching for. Say, Diapers, Diamonds, or Disinfectants.
() Punch #2 — the profile isn't stored in your web browser's normal cookie location. It's often stored in the private storage ("Local Shared Objects") of something you likely have on every desktop: Flash Player.
() Punch #3 (theoretical): Sell your personal / company data to the REAL bad guys.

Ow ow ow ow ow.

So, yes, indeed. Flash Player has its own storage area that can hold any kind of data, personal data included, and your browser's cookie controls don't know about it.

Hence the term Supercookies: when you "clear cache and cookies" in the browser, this storage doesn't get cleared.

Great! Just what we need.. another computer threat!

Okay, so how do you prevent the threat? There are two kinds of people I want to give the answer to: NON-IT folks and IT folks.


NON-IT Folks:

This advice works if you have a handful of computers, because you'll need to walk around to each machine.

Option 1: Control Panel

Go to your Windows Control Panel, type the word Flash in the search box, then click on the Flash Player icon that appears.



Then, on each computer, on the Storage tab of the Flash Player settings, change the setting to "Block all sites from storing information on this computer."


Boom. No more supercookies. (The one side effect: Flash applications that legitimately rely on that storage, such as some games and video players, may lose their saved settings or complain.)

Option 2 (still for Non-IT folks, but untested):

There's a special web page (Adobe's web-based Settings Manager) which should do the same thing, only it's a web page and not your real control panel. I've read that this MIGHT work for some versions and not for others, so I wouldn't rely on it if you really needed to, but I'm adding it here for completeness. Here's the page anyway (use at your own risk):


IT-Folks (Protecting your enterprise)

So, I’m sure you know where I’m going with this if you’ve got a lot of computers to manage: Use Group Policy!

Problem time, though: Flash has no ADM / ADMX template to manage it. It turns out Flash keeps its settings in a weird place (a plain-text file under the Windows system directory rather than registry keys), in a weird format, and as a system file.

So you can't use "out of the box" Group Policy, meaning the Administrative Templates node, to configure it.
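Since the setting lives in a text file rather than the registry, one way an IT shop can still push it with plain Group Policy is a Computer Configuration startup script that writes that file. What follows is an added example, not code from this post and not the author's product. It assumes, per Adobe's Flash Player Administration Guide (verify against the guide for the player version you deploy), that the player reads mms.cfg from %SystemRoot%\System32\Macromed\Flash (and, on 64-bit Windows, that the 32-bit player reads %SystemRoot%\SysWOW64\Macromed\Flash), and that "LocalStorageLimit = 1" means no local storage at all, which is the same choice as the control panel's "Block all sites from storing information on this computer."

```powershell
# Added example: deploy Flash Player's mms.cfg from a Group Policy startup
# script (runs as SYSTEM, so it can write under the system directory).
# Assumptions (verify against Adobe's Flash Player Administration Guide for
# your player version): mms.cfg lives in <system dir>\Macromed\Flash, and
# "LocalStorageLimit = 1" means "no local storage", i.e. the same choice as
# "Block all sites from storing information on this computer".

$managed = @{ 'LocalStorageLimit' = '1' }   # the settings this script owns

function Test-MmsCfg {
    # $true when the file already states every managed setting with our value.
    param([string]$Path, [hashtable]$Settings)
    if (-not (Test-Path $Path)) { return $false }
    $have = @{}
    foreach ($l in Get-Content $Path) {
        if ($l -match '^\s*([^=#]+?)\s*=\s*(.*?)\s*$') { $have[$matches[1]] = $matches[2] }
    }
    foreach ($k in $Settings.Keys) {
        if ($have[$k] -ne $Settings[$k]) { return $false }
    }
    return $true
}

function Set-MmsCfg {
    # Rewrite the file keeping every line we don't manage (other admin
    # settings, comments) and replacing only the keys in $Settings.
    param([string]$Path, [hashtable]$Settings)
    $lines = @()
    if (Test-Path $Path) {
        $lines = Get-Content $Path | Where-Object {
            $key = ($_ -split '=', 2)[0].Trim()
            -not $Settings.ContainsKey($key)
        }
    }
    foreach ($k in $Settings.Keys) { $lines += "$k = $($Settings[$k])" }
    # Plain ASCII: the file is parsed as text; a BOM or UTF-16 would break it.
    Set-Content -Path $Path -Value $lines -Encoding Ascii
}

# The 32-bit player lives in System32 on 32-bit Windows and in SysWOW64 on
# 64-bit Windows; handle both so the script works on either build.
$flashDirs = @("$env:SystemRoot\System32\Macromed\Flash")
if (Test-Path "$env:SystemRoot\SysWOW64") {
    $flashDirs += "$env:SystemRoot\SysWOW64\Macromed\Flash"
}

foreach ($dir in $flashDirs) {
    if (-not (Test-Path $dir)) { continue }        # no player installed here
    $cfg = Join-Path $dir 'mms.cfg'
    if (-not (Test-MmsCfg -Path $cfg -Settings $managed)) {
        Set-MmsCfg -Path $cfg -Settings $managed    # idempotent: only touches drift
    }
}
```

Because the script only rewrites the file when the managed value has drifted, it is safe to leave in a startup script indefinitely. Pilot it on one machine first and confirm from the Flash control panel's Storage tab that the blocking option is now in force; the same pilot tells you which Flash applications in your environment depended on local storage.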

Not to get all "commercial", but I created a video for you to see how lots of companies are handling this latest security threat.

Here’s the link:

TIP: If you're truly impatient, fast-forward to the 3:00 mark.

TIP 2: Sign up for one of my webinars and see how you can mitigate other security threats lurking in Acrobat, Java and other key components of your systems!

Here’s the link:


Talk soon!

Jeremy Moskowitz, Enterprise Mobility MVP

Aug 2011

The EASY way, is the HARD way. The HARD way, is the EASY way.

This week’s tip isn’t technical. It’s philosophical.

I had a mentor who once said to me: "The EASY way is the HARD way. The HARD way, is the EASY way."

What the heck is he talking about?

Here’s an example. I live in the city, and I own a scooter.

I usually take my scooter to the scooter shop all the way across town. A whole 12 minutes away! I’d also need to be "picked up" and wait half the day to get it done. OMG, who has time for THAT !?

So I figured, okay, why don’t I just bring my scooter to my corner car repair guy — who is awesome and reasonably priced, and does great work on my cars. He says he can do my oil change in a ‘jiffy’ (oil change pun intended.)

I take the scooter over there. It's a mere 60 seconds from my house (maybe less.) And he says "No problem, I can just do this while you wait."

"Awesome!" I think.. "All the TIME I’ll save."

Then he starts taking various things apart. The WRONG things apart. I literally see a spring pop out of the whatever-the-heck-he’s-working-on and it (no joke) rolls down the street.

He gets the spring, puts it back together and says.. "Oops.. that wasn’t it."

Then he does end up finding the right oil drain. And drains the oil to transfer to an Eco-Friendly recycle vessel.

He comments: "Oh wow.. this oil is weird. It's green! That's wild.. I've never seen that before."

Now I have sinking "pit of my stomach" feeling that I’ve just done something wrong. Wrong guy — wrong tools — wrong skills.

"So, Jeremy, what kind of oil does it take? 10w-30 ?"   Arrgh.. I’m NOT the car / scooter professional. How the heck am I supposed to know?

So now I'm holding the owner's manual, flipping through it, and it says "HP4 oil only," which is apparently a Honda-specific thing, and so he pokes around his shop and, of course, doesn't have what I need.

I -could- have scooted to Pep Boys and maybe gotten it myself, but now my oil is drained out of the scooter, rendering it un-scooter-able, and I'm stuck there. Grrr.

"Hmm.. Pep boys can deliver it to us.. will take most of the day to get it." he says.

What started at 9:00 AM is now done by 5:00 PM. Fine, all fine. We got what we needed and it's all done and fine.

But… What’s the moral of the story?  

The EASY way was the HARD way.  The HARD way was the EASY way.

So, when we try to take the EASY way, it quite often "ends in tears" (as a friend likes to say.)

We TRY to take a shortcut.. using the wrong tools, people or technology to get the job done. Hoping to save some time, or a buck.

And what do we get? Sometimes, you get lucky and it works out great. But, if you’re like me, any "easy" shortcut ends up hurting — painfully.

What would the "hard" way have looked like:

  • Using the RIGHT place — the scooter shop.
  • Using the RIGHT people — the professional scooter dudes.
  • Using the RIGHT tools — the right OIL they have in stock.

The "hard" part about this would have been to get picked up or just wait the hour to get it done at the RIGHT place. Indeed, the HARD way really wasn’t that HARD at all, now was it?

And, going the "hard way" — I would have saved the heartache of seeing my scooter "spring apart" by the wrong guy.

Oh sure.. the scooter is fine now. But was it worth the risk of going the "easy way?"

Next time you have an important decision to make remember: The EASY way, is the HARD way. The HARD way, is the EASY way.

Jul 2011

How to Troubleshoot ANY Computer Problem (mostly) -or- the Zen of Enterprise Computer Troubleshooting

This tip is a blast from the past, but I've re-tooled it for today, because this has been on my mind again recently.

We all have troubles with computers. That's our job. But if you can follow these simple suggestions, you can troubleshoot yourself out of just about any computer problem, Group Policy or otherwise.

So, let’s dig in and talk about the Zen of Enterprise Computer Troubleshooting.

First things first: duplicate it.

One machine, in isolation, does NOT a big problem make.

It FEELS like a big problem when Sally’s machine isn’t processing GPOs, or when my own laptop refuses to run Application XYZ today, but it did yesterday.

It’s frustrating, and infuriating, annoying, and .. well… that’s not the point.

The point is, my friend, it’s an "isolated issue." And honestly, isolated issues are just that. Isolated.

Until you can get another machine to do exactly the same thing, you really have no problem to troubleshoot at all, enterprise speaking.

Your problem feels big. But, honestly, until you can duplicate it, it’s shaky grounds for troubleshooting.

If the problem is in a virtual world, like VMware or Hyper-V, try to reproduce it on physical hardware just to rule that out. Weird stuff can live inside those virtual worlds sometimes.

Second thing: Log Files — the Windows event logs and the application's own logs

Next, let’s not forget about log files.

Many parts of the computer have various logging levels. When it comes to troubleshooting, 8 out of 10 times I just lose my brain and forget to check the most obvious of places: the log files!

Start out by checking the Windows Application and System logs (and, for Group Policy on Vista and later, the Group Policy Operational log under Applications and Services Logs). An application may quietly write the secret answer to your problem in those logs, and bingo.. problem solved.

Logs help you keep your sanity, because you can prove to yourself, after 20 hours of working on something (and you’re starting to see flying purple elephants)… that the thing  you think you’re seeing is something you’re actually seeing.

Many applications have log files of their own. Digging into those can sometimes be the key to figuring out what the problem is.


Third Thing: Shoot a video of the problem

If you're trying to reproduce a problem that you can't easily reproduce, use Camtasia or some other screen capture utility to record yourself reproducing the problem. This is the ultimate tool to prove to the developer (or the boss) that there really is a problem here.

It could get you a quicker repair, more time to troubleshoot, or the funding you need to take your problem to the next level.

In a recent case for me, I saw the problem, got it on video, then was never able to reproduce it again.

Having it on video was awesome to have, because at least I knew I wasn't crazy. After hours of trying to reproduce the issue again, at least I had something to prove I did get the problem to fire off one time. Closer inspection of the video (the next day) showed I had a different networking connection the first time, versus all the next times.

And.. Bingo. That was my problem.


Fourth thing: Ask for help

Googling / Binging / TechNetting for a solution can only take you so far. Don't be afraid to ask a colleague or trusted friend for help, to look over your shoulder, or to help troubleshoot. That's a good way to show someone what you've done so far and what did and didn't work.

(PS: This shouldn't be blanket permission for everyone to just email me when they're having their own personal Group Policy struggles.. For that we have the community forum, okay?)

Additionally, give that "helper friend" permission to suggest WILD IDEAS. You’ve already thought of all the easy stuff. Now give them permission to "go a little crazy" and suggest some off the beaten path solutions to your problems.  In short, I’m saying to leverage the resources you have. I have my own "inner circle" to leverage when I need help, and you should foster yours. Know where to post and request help for issues when you need help, and learn the kinds of responses you can get from those systems.

Fifth thing: Learn to Give up.

Here’s something about me that you may not know. I do yoga.

I’m no "yoga superman" or anything. I’m 6 ft 2 and weigh, well, more than I should.

But the point is, that I really love it. And why? Well, beyond the health reasons, there’s  something more.

I get to understand my own limitations. Instead of stretching my body to a stupid level — where I might grab my legs behind my ears and actually hurt myself– I know to "give up" and do something else more productive during that time.
Even if I'm a little embarrassed that the WHOLE CLASS can do the stretch (whatever it is), and I can't – I don't care. I try to put that whole "pride thing" behind me and learn to acknowledge my own abilities. Why? Because I'm 6 ft 2 "big guy", and not 5 ft 3 "Yoga gal." We're going to have different limitations. I can't stretch like she can, and she can't lift two 5 gallon water bottles into her house up two flights of stairs at the same time.

Why bring this up now? Because after you’ve done all the proper troubleshooting you can, and after you’ve asked all the people in your inner circle, and after you’ve hit the books, and after you’ve Googled / Binged your brains out… it’s time to give up.


Learn to GIVE UP.


But learn to give up in the right way. Microsoft product support (PSS) is there for you to troubleshoot your Microsoft related stuff.

Heck, you might have free support incidents as part of a Microsoft TechNet Plus subscription or other channel.

The point of all of our jobs, at its core is to SOLVE PROBLEMS with the TOOLS WE CHOOSE.

I can swing a hammer only so much before I need to call in a carpenter to show me what I'm doing wrong.

It doesn’t help our companies or our personal sanity to keep swinging the hammer only to find we really needed a screwdriver and a blowtorch and a lesson in how to use those tools in the first place.

Not to get all "touchy feely" here, but there is a point we all need to find within ourselves where we say: "I've done all I can. It's worth X dollars in value to me to get the answers I need to continue being effective."

So I do personally call Microsoft Product Support Services when I'm at the end of my rope.  They do an AMAZING job and will not close the support call until YOU are satisfied the problem has been solved. I love that.


How does this tie in to Group Policy Troubleshooting?

I want you to think of the above steps as overall advice, and not specifically for Group Policy.

As for Group Policy troubleshooting, or troubleshooting in general, my (recapped) suggestions are to:

  • Validate your findings on another machine. Just one machine in isolation does not a "problem" make (even if you’re tempted to feel that way.)
  • Try similar and dissimilar machines. If the problem is happening on XP, does it happen with Windows 7 too? Vice versa?
  • Have you been able to take screenshots or videos to share with others?
  • Have you asked someone on your "inner circle" to look over your shoulder to make sure you didn’t just make a bone-headed mistake?
  • Have you enabled all the logs you can? In GP, for instance, there are at least three Windows event logs (System, Application, and on Vista and later the Group Policy Operational log) and also some auxiliary logs for "GP-related" functions like MSI packages, etc.

Of course in my class, you'll learn incredibly practical tips on troubleshooting Group Policy specifically, with precise step-by-steps using what I've learned over the years.

That will help you get out of hot water faster and back in business usually the same day.

See you in class.. !

Jul 2011

Group Policy: Talk is Cheap

If you haven't yet used the updated GPMC's "Comments" feature, it's pretty neat. The idea is that you can attach a comment to a GPO saying, say, who created it, who supports it, and what it's supposed to be doing.

But something came up in my last class that I was teaching, and I thought it was neat and wanted to share it with you.

Someone wanted to know how they could create a comment ONE TIME, then "recycle" that comment to other GPOs.

So, imagine I had a comment in a GPO which says: "Mean Man Moskowitz made me make this GPO." And then imagine that comment could be applicable to multiple GPOs.

But how do you reproduce the comment over and over again?

Turns out: it’s short and sweet. And no scripting or programming required.

The comment is stored in the GPT (SYSVOL) half of the GPO, in a file called "GPO.cmt."

Just copy that file into another GPO's GPT (again, the portion that lives in SYSVOL) and.. whamo!

You’ve copied the comment.

I don’t know if this is "officially sanctioned" or not, but it seemed to work pretty well when I tested it out! So, use at your own risk, I guess.
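If you have more than a couple of GPOs to stamp, the same file copy is a few lines of PowerShell against the GroupPolicy module that ships with the Windows 7 / 2008 R2 GPMC. This is an added example, not code from the post; the GPO names at the bottom are placeholders, and the read-back uses the fact that GPMC (and Get-GPO) surface the comment as the GPO's Description.

```powershell
# Added example: reuse one GPO's comment on several others by copying GPO.cmt
# between their SYSVOL (GPT) folders. Needs the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy

function Get-GptPath {
    # The GPT of a GPO lives at \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}
    param([string]$Name, [string]$Domain = $env:USERDNSDOMAIN)
    $gpo = Get-GPO -Name $Name -Domain $Domain
    return "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
}

function Copy-GpoComment {
    param(
        [Parameter(Mandatory=$true)][string]$From,    # GPO whose comment to reuse
        [Parameter(Mandatory=$true)][string[]]$To     # GPOs that should get it
    )
    $src = Join-Path (Get-GptPath $From) 'GPO.cmt'
    if (-not (Test-Path $src)) { throw "'$From' has no comment (no GPO.cmt in its GPT)" }

    foreach ($name in $To) {
        $dst = Join-Path (Get-GptPath $name) 'GPO.cmt'
        Copy-Item -Path $src -Destination $dst -Force
        # Check: GPMC shows the comment as the GPO's Description, so reading it
        # back through Get-GPO confirms the file landed where GPMC looks.
        $seen = (Get-GPO -Name $name).Description
        New-Object PSObject -Property @{ GPO = $name; Comment = $seen }
    }
}

# Placeholder GPO names; replace with your own.
Copy-GpoComment -From 'Baseline Desktop Lockdown' -To 'Laptop Lockdown', 'Kiosk Lockdown' |
    Format-Table GPO, Comment -AutoSize
```

Two things worth knowing before you lean on this: the copy only has to happen on one DC, because SYSVOL replication (FRS or DFS-R) carries GPO.cmt to the rest; and dropping a file into the GPT does not bump the GPO's version number (that lives in gpt.ini and the GPC), which is fine here since a comment isn't a setting clients need to re-process.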

Jul 2011

Why Local GPOs Matter

I know lots of people who used them, then decided to dump 'em, only to start using them again recently.

What gives?

Let’s go back.. way back.. to a time you may not remember. That’s right: a time when your organization DIDN’T have AD. That’s right.

Before Caring about AD.

Or, BC AD.

So, when your world was BC AD, you couldn’t use AD-based GPOs to do all the dirty work for you. That’s because you didn’t have AD. (I do realize that many people grew up only starting with Windows 2000 and newer. And for that, be happy my friends.)

Anyhoo.. that's when LGPOs were handy. LGPOs, or Local Group Policy Objects, were great because you got the power of Group Policy, but in a one-on-one sort of way: you walk up to a machine, type "gpedit.msc" and edit the Local Group Policy.

When you do, EVERYONE on that machine is affected. Sounds great! Let's "Prevent access to the Control Panel" for everyone and give everyone the same "Active Desktop Wallpaper." Whee.
Great. Until you realize that when YOU want to log on, you're stuck without Control Panel and can't change the desktop background to that Porsche 911 Carrera you always wanted.

So, Vista and Windows 7 have a new trick up their sleeves called MLGPOs, or Multiple Local GPOs. I cover MLGPOs in huge detail in the updated Green book. But here's the summary. There are now THREE levels of Local GPOs.

Level 1: Affects everyone
Level 2A: Affects the person if they’re a Joe User
Level 2B: Affects the person if they’re a local Admin
Level 3: Affects a specific person based on username

So you see there are three levels, but four lines listed above, because a person is either a USER *OR* an Admin, not both.

Therefore, MLGPOs affect "everyone first" and then get more specific as they apply DOWN toward the most specific: the individual person by username. (And, as always, site, domain and OU GPOs are processed after all the local ones, so a domain GPO that configures the same setting wins.)

Now, if people stopped using LGPOs, do MLGPOs matter? Yep.

Here's a scenario: imagine you wanted to implement a baseline of settings on your machine. Then, once it makes contact and joins a domain, you want the AD-based GPOs to override the local settings.

Neat! So now if your machine gets "lost in transit" between your "build shop in the basement" and its final destination in Kenya, you've at least got some baseline settings built in. And, provided the AD-based GPOs configure every setting the LGPO does, you'll be able to "revert" the LGPO settings on the machine. Anything the LGPO sets that no domain GPO touches, though, stays put.

But wait. I have an even better idea. There's a policy setting, for Vista and later only, called "Turn Off Local Group Policy Objects Processing" (under Computer Configuration > Policies > Administrative Templates > System > Group Policy). My suggestion would be to put it in a GPO linked to the place in AD where your computers land after the machine makes it to Kenya.

So, the machine makes it to Kenya, safe and sound, but full of Local GPO settings that would usually affect everyone on the machine.

But, now that you’ve set up that special policy setting in the domain, you get a little magic.

The machine joins the domain, and the moment it processes that GPO (its first policy refresh after the join), the LGPOs are neutralized. Note that they are ignored, not deleted: remove the setting and they come right back.

Neat, right ?
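To see the three MLGPO layers and the "turn off" setting from both sides, here is an added example (not from the post). Part 1 runs on a client and lists which local GPO layers actually exist on disk, then checks whether the domain has told it to ignore them. Part 2 runs where the GroupPolicy module (RSAT/GPMC) is installed and builds the domain GPO. It assumes the on-disk layout Windows uses for MLGPOs (Level 1 in System32\GroupPolicy, the other layers as SID-named folders under System32\GroupPolicyUsers) and that the policy setting writes DisableLGPOProcessing=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; the GPO name and OU are placeholders.

```powershell
# Added example. Part 1: client-side inventory of MLGPO layers and of the
# domain "turn off local GPOs" switch. Part 2: the domain GPO that sets it.
# GPO name and OU below are assumed placeholders.

# ---- Part 1: run on the client ---------------------------------------------
function Get-LocalGpoLayer {
    $base = Join-Path $env:SystemRoot 'System32'
    $out  = @()
    $l1   = Join-Path $base 'GroupPolicy'
    if (Test-Path $l1) {
        $out += New-Object PSObject -Property @{ Level = '1  everyone'; Path = $l1 }
    }
    $users = Join-Path $base 'GroupPolicyUsers'       # per-group / per-user layers
    if (Test-Path $users) {
        foreach ($d in (Get-ChildItem $users)) {
            switch ($d.Name) {
                'S-1-5-32-544' { $level = '2B Administrators' }      # built-in Administrators
                'S-1-5-32-545' { $level = '2A Non-Administrators' }  # built-in Users
                default {
                    $name = $d.Name
                    try {   # resolve a user SID to an account name where possible
                        $sid  = New-Object System.Security.Principal.SecurityIdentifier($d.Name)
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { }
                    $level = "3  user $name"
                }
            }
            $out += New-Object PSObject -Property @{ Level = $level; Path = $d.FullName }
        }
    }
    $out | Sort-Object Level
}

function Test-LocalGpoDisabled {
    # $true when the domain policy has switched local GPO processing off.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name DisableLGPOProcessing -ErrorAction SilentlyContinue).DisableLGPOProcessing
    return ($v -eq 1)
}

Get-LocalGpoLayer | Format-Table Level, Path -AutoSize
if (Test-LocalGpoDisabled) { 'Local GPOs are present but IGNORED (DisableLGPOProcessing=1)' }
else                       { 'Local GPOs still apply on this machine' }

# ---- Part 2: run where the GroupPolicy module is installed ------------------
Import-Module GroupPolicy
$gpoName = 'Turn Off Local GPOs'                        # placeholder
$ou      = 'OU=Kenya Workstations,DC=corp,DC=example'   # placeholder
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ou | Out-Null
}
# Same registry value the Administrative Template writes, so GPMC reports the
# setting as Enabled.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableLGPOProcessing' -Type DWord -Value 1 | Out-Null
```

Run Part 1 on the client before and after its first policy refresh in the new OU (gpupdate /force or a reboot): the layer list stays the same, only the "ignored" line flips, which is the visible proof that the local baseline is still on disk and would come back if the domain setting were ever removed.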

Jun 2011

Why Group Policy ISN'T SLOW

Last week, I finished giving a Group Policy Master class. In the middle of the class one of the guys asked me "Jeremy, now that we’ve been using GP a little while, and are really embracing GPOs, things are a little bit slower sometimes when new users log on."

And my response might shock you.

I said "Awesome !"

He was a little taken aback. And I know why. He thought he had a problem. But he doesn't. He just missed a key point about how GP works.

Let’s imagine that you wanted to do something a little crazy. And, I know you wouldn’t really want to do what I’m about to describe; it’s just something for us to hang our hats on, okay? So, imagine you wanted to (yikes) re-ACL your entire hard drive. Yep. That’s the directive. Ouch. Again, it’s just theoretical, so go with me here.

So, in simple terms you have a handful of options:

  • Use a startup-script which manually does the deed
  • Manually run a script which does the deed on each machine
  • Use GP to deliver the same set of instructions via the File System node (Computer Configuration > Windows Settings > Security Settings > File System)

They all do the same thing, right? Right. And the action they're taking (the actual "thing" they're doing) is kind of slow and painful, right?


So is the GP engine the cause of this "slowdown?" No. It’s the "action" you’re doing. The theoretical re-ACL’ing of the hard drive.

So I was kind of excited when he said that sometimes things are slower because that means he’s actually DOING something with GP. So, I like to say that GP is a "Blame the message, not the messenger" technology.

A little later in the GP 2.0 Catch-up class I showed him how to bust apart the Group Policy Operational event log (new in Vista and Windows 7) and see, precisely, how long each step of a "GP cycle" takes. That way he can be really, really sure how long GP spends on each step if he wants to. Heck, it might not even be anything he's DOING with GP that's causing the slowdown!

In other words, Group Policy might not be to blame AT ALL for a slowdown. By "busting apart" the logs, he could see that GP wasn't taking long at all! The culprit was, well, something else.

But in any case, the next time you think "Hey, logon is running a little slowly," take a step back. It may just mean GP is working. (But also get smarter at GP troubleshooting, to be 100% sure GP isn't the culprit!)
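Here is what "busting apart" that log looks like in practice, as an added example that is not code from the post or the class. It serves both this section and the earlier troubleshooting advice to enable every GP-related log: on Vista and later the Group Policy Operational log (Microsoft-Windows-GroupPolicy/Operational) records one event per client-side extension, and the "Completed ... Extension Processing in N milliseconds" events (ID 5016, or 7016 when the extension reported an error) carry the per-CSE timing, correlated into one processing cycle by the event's ActivityId. The parser is in its own function so it can be exercised on sample records without a live log.

```powershell
# Added example: per-CSE timings from the Group Policy Operational log, so you
# can see whether the GP engine, one extension, or something else is eating
# logon time. Event 5016/7016 messages read
#   "Completed <CSE> Extension Processing in <N> milliseconds."

function Get-CseTiming {
    # Turns event records (TimeCreated, Id, Message, ActivityId) into timing rows.
    param([Parameter(Mandatory=$true)]$Events)
    foreach ($e in $Events) {
        if ($e.Message -match 'Completed (?<cse>.+?) Extension Processing in (?<ms>\d+) milliseconds') {
            New-Object PSObject -Property @{
                When    = $e.TimeCreated
                Cycle   = $e.ActivityId          # one GUID per GP processing cycle
                CSE     = $matches.cse
                Millis  = [int]$matches.ms
                Errored = ($e.Id -eq 7016)
            }
        }
    }
}

# Constructed sample records (not real log data) showing the parser's output
# offline: one cycle where Folder Redirection dominates.
$cycle  = [guid]::NewGuid()
$sample = @(
    New-Object PSObject -Property @{ TimeCreated = (Get-Date); Id = 5016; ActivityId = $cycle
        Message = 'Completed Registry Extension Processing in 47 milliseconds.' },
    New-Object PSObject -Property @{ TimeCreated = (Get-Date); Id = 5016; ActivityId = $cycle
        Message = 'Completed Folder Redirection Extension Processing in 9210 milliseconds.' },
    New-Object PSObject -Property @{ TimeCreated = (Get-Date); Id = 7016; ActivityId = $cycle
        Message = 'Completed Scripts Extension Processing in 1500 milliseconds. Error code 0x4.' }
)
Get-CseTiming $sample | Sort-Object Millis -Descending | Format-Table CSE, Millis, Errored -AutoSize

# Live: the last day of the operational log on this machine (add -ComputerName
# to Get-WinEvent to read a client remotely).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Id        = 5016, 7016
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Slowest extension invocations first.
Get-CseTiming $events | Sort-Object Millis -Descending |
    Select-Object -First 10 When, CSE, Millis, Errored | Format-Table -AutoSize

# Per cycle: the sum of the CSE times is what Group Policy itself cost that
# logon/refresh. If that is small but logon is slow, look elsewhere.
Get-CseTiming $events | Group-Object Cycle | ForEach-Object {
    New-Object PSObject -Property @{
        Cycle     = $_.Name
        Started   = ($_.Group | Sort-Object When | Select-Object -First 1).When
        GpTotalMs = ($_.Group | Measure-Object Millis -Sum).Sum
    }
} | Sort-Object Started | Format-Table Started, GpTotalMs, Cycle -AutoSize
```

Read the two tables together: a cycle whose total is a few hundred milliseconds while the user waited a minute at "Applying settings" is the "blame the message, not the messenger" case, except that here the message wasn't even GP's. A single extension dwarfing the rest (Folder Redirection, Software Installation, a long startup script) tells you which action to go and measure.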

Jun 2011

Why is Group policy not working ?

This tip is a "blast from the past"… I talked about this some time ago, and bringing it back, as it appears to be a hot topic right now.

Let’s start with Replication Problems.

Remember that a GPO is made up of two halves: the GPC (Group Policy Container, an object in Active Directory under CN=Policies,CN=System) and the GPT (Group Policy Template, a folder in SYSVOL).

Both get replicated to all DCs, but by different mechanisms: the GPC rides AD replication, the GPT rides SYSVOL replication (FRS or DFS-R). What if one of your DCs isn't getting the message about the updated GPO, and some of your client machines ask that DC for the latest GPO information?

Right, they get either no information or the wrong information.

So what can you do?

First, try GPOtool. It's a download from the Windows Server 2003 Resource Kit Tools. It checks that the GPC and GPT of each GPO are present, and at matching version numbers, on all of your DCs.

But here's another tip: try creating a new user, then use Active Directory Users and Computers' "Change Domain Controller" to connect to each DC in turn and verify that the new account "makes it" to all of them. That exercises the same path the GPC takes (AD replication).

Similarly, try creating a new text file (a readme file or something) and dropping it into SYSVOL. Then check the SYSVOL share on every DC and make sure that readme file "makes it." That exercises the path the GPT takes (SYSVOL replication).

If the GPC and GPT are successfully replicating to all DCs (and you’ve verified that replication itself is working A-OK) there are lots of other things to check, which we’ll examine in other tips !
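If you don't have GPOtool handy, the version comparison it does can be reproduced with the ActiveDirectory module from RSAT, because the GPC's versionNumber attribute and the Version= line in the GPT's gpt.ini are supposed to agree on every DC. Below is an added example (not from the post, not GPOtool itself) that reads both values from each DC and flags the mismatches; it assumes the standard SYSVOL share layout and that your account can read every DC's SYSVOL share.

```powershell
# Added example: a "poor man's GPOtool". For every GPO, read the GPC version
# from each DC over LDAP and the GPT version from each DC's SYSVOL share, then
# flag any DC where the two disagree (that DC would hand clients a stale GPO).
Import-Module ActiveDirectory

function Get-GptVersion {
    # Parse "Version=<n>" out of gpt.ini text. A GPT with no Version line is 0.
    param([string[]]$IniLines)
    foreach ($line in $IniLines) {
        if ($line -match '^\s*Version\s*=\s*(\d+)') { return [int]$matches[1] }
    }
    return 0
}

function Split-GpoVersion {
    # versionNumber packs two 16-bit counters: user half high, computer half low.
    param([int]$Version)
    New-Object PSObject -Property @{
        User     = [int][math]::Floor($Version / 65536)
        Computer = $Version % 65536
    }
}

function Test-GpoReplication {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcs  = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName
    $sys  = (Get-ADDomain -Server $Domain).SystemsContainer        # CN=System,DC=...
    $gpcs = Get-ADObject -SearchBase "CN=Policies,$sys" -Filter 'objectClass -eq "groupPolicyContainer"' `
                -Properties displayName -Server $Domain
    foreach ($gpc in $gpcs) {
        $guid = $gpc.Name                                         # "{GUID}"
        foreach ($dc in $dcs) {
            # GPC half: ask this specific DC, not whichever one the module picked.
            $adVer = (Get-ADObject -Identity $gpc.DistinguishedName -Properties versionNumber -Server $dc).versionNumber
            # GPT half: this DC's own SYSVOL copy (-1 = folder not replicated here yet).
            $ini   = "\\$dc\SYSVOL\$Domain\Policies\$guid\gpt.ini"
            if (Test-Path $ini) { $fsVer = Get-GptVersion (Get-Content $ini) } else { $fsVer = -1 }
            New-Object PSObject -Property @{
                GPO = $gpc.displayName; DC = $dc; GPC = $adVer; GPT = $fsVer
                OK  = ($adVer -eq $fsVer)
            }
        }
    }
}

# Constructed sample (not real data) to show the INI parser on its own:
Get-GptVersion @('[General]', 'Version=65539', 'displayName=New Group Policy Object')   # 65539
Split-GpoVersion 65539 | Format-Table User, Computer -AutoSize                           # user 1, computer 3

# Live run: only the rows that need attention.
Test-GpoReplication | Where-Object { -not $_.OK } | Format-Table GPO, DC, GPC, GPT -AutoSize
```

Two patterns show up in the output. A DC where GPC and GPT differ for a GPO you just edited is usually the two replication systems simply racing each other; run it again a few minutes later. A DC whose GPT is stuck at -1 or at an old number while every other DC has moved on points at SYSVOL replication on that DC specifically, which is exactly the readme-file test above, done for every GPO at once.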

Jun 2011

Group Policy and backups using Powershell

My pal and fellow MVP Jeff Hicks noticed something. He noticed that the Group Policy PowerShell cmdlets include Backup-GPO and Restore-GPO (seen here...)


But there was no cmdlet for the "Manage Backups" view (which backups exist, for which GPO, from when) that you can only get to within the GUI.


So he created it. You can see Jeff’s interesting blog post about using PowerShell to get to this part of the world here:
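For readers who want the gist without leaving the page: the GUI's "Manage Backups" list comes from a manifest.xml that Backup-GPO writes into the backup folder, so reading that file is how you get the same view from PowerShell. The following is an added example, not Jeff's code and not from the post. The element names it reads (BackupInst, GPODisplayName, GPOGuid, ID, BackupTime, Comment, each holding CDATA) are as I have seen them in that file; check them against a manifest.xml of your own before relying on it. The backup root and GPO name are placeholders.

```powershell
# Added example: back up every GPO into a dated folder, list the backups the
# GUI's "Manage Backups" would show by reading manifest.xml, and restore the
# newest backup of one GPO. manifest.xml element names are as observed; verify
# against your own backup folder. Paths and names are placeholders.
Import-Module GroupPolicy

$root = 'D:\GPOBackups'                                       # placeholder
$dest = Join-Path $root (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Backup-GPO -All -Path $dest -Comment "Scheduled backup $(Get-Date -Format s)" |
    Select-Object DisplayName, Id | Format-Table -AutoSize

function Get-GpoBackupInventory {
    # One record per backup instance recorded in <Path>\manifest.xml.
    param([Parameter(Mandatory=$true)][string]$Path)
    [xml]$m = Get-Content (Join-Path $Path 'manifest.xml')
    foreach ($b in $m.Backups.BackupInst) {
        New-Object PSObject -Property @{
            GPO        = $b.GPODisplayName.'#cdata-section'
            GpoGuid    = $b.GPOGuid.'#cdata-section'
            BackupId   = $b.ID.'#cdata-section'
            BackupTime = [datetime]$b.BackupTime.'#cdata-section'
            Comment    = $b.Comment.'#cdata-section'
        }
    }
}

function Restore-LatestGpoBackup {
    # Restore the most recent backup of a GPO by display name from one folder.
    param([Parameter(Mandatory=$true)][string]$Path,
          [Parameter(Mandatory=$true)][string]$Name)
    $latest = Get-GpoBackupInventory -Path $Path |
              Where-Object { $_.GPO -eq $Name } |
              Sort-Object BackupTime -Descending | Select-Object -First 1
    if (-not $latest) { throw "No backup of '$Name' found under $Path" }
    Restore-GPO -BackupId $latest.BackupId -Path $Path
}

Get-GpoBackupInventory -Path $dest | Sort-Object GPO, BackupTime |
    Format-Table GPO, BackupTime, BackupId, Comment -AutoSize

# Restore-LatestGpoBackup -Path $dest -Name 'Default Domain Policy'   # placeholder name
```

Restore-GPO needs the backup's own ID, not the GPO's GUID, and a folder can hold many backups of the same GPO, which is why the inventory carries both identifiers and the restore helper sorts by BackupTime rather than trusting folder order.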

Also, I wanted to say THANKS to the folks who showed up for my "Secret Group Policy Meetup" at TechEd.

We got to the bottom of some sticky issues for those who attended and had a really fun overall "rap" session.

We even had several guest stars: Aaron Margosis, Microsoft Technical Services and fellow TechEd speaker, Thorbjorn Svolvold, Group Policy big-brain from Specops software and Zach Alexander from the Group Policy team at Microsoft. Thanks everyone for attending !

Photo Credit: Takayuki Shodai also in attendance, but not shown, since he’s taking the picture. Thanks Takayuki !


May 2011

Time . . Is of the Essence !

I ran GPupdate today on one of my Windows 7 machines and got this. . .


It's kind of a mouthful, but here's the short, sweet story here.

Group Policy relies on Kerberos: the client authenticates to a DC to read the GPC over LDAP and the GPT from SYSVOL over SMB. Kerberos relies on the clock. If the clock between your client and the DC is skewed by more than the allowed tolerance (5 minutes by default, set by the domain's Kerberos policy "Maximum tolerance for computer clock synchronization"), authentication fails and you won't process GPOs correctly!

So this warning is saying: my clock is off compared to the domain controllers'.

No problem. Usually a reboot fixes this kind of thing, or it gets fixed on its own when the Windows Time service (w32time) does its thing.

But one of the key troubleshooting steps for GPOs is to VERIFY that your client's time is within 5 minutes of your DCs' time.

Do this, and you're off and running (sometimes.)
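Here is that verification as a script rather than a glance at two clocks, as an added example (not from the post). It drives w32tm's stripchart, whose /dataonly output lines look like "16:21:12, +00.0123456s" (or "16:21:12, error: 0x800705B4" when the DC can't be reached), and compares the measured offset with the 5-minute Kerberos default. The parser is separate so it can be checked on sample lines.

```powershell
# Added example: measure this client's clock offset against every DC with
# w32tm /stripchart and flag anything outside the Kerberos tolerance.

function Get-StripchartOffset {
    # Signed offset in seconds from the last good stripchart sample, or $null
    # when no sample line parsed (host unreachable, NTP blocked, etc.).
    param([string[]]$Lines)
    $last = $null
    foreach ($l in $Lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s\s*$') { $last = [double]$matches[1] }
    }
    return $last
}

function Test-ClockSkew {
    param(
        [string[]]$DomainController,     # default: every DC in the domain
        [double]$MaxSeconds = 300        # Kerberos default tolerance: 5 minutes
    )
    if (-not $DomainController) {
        Import-Module ActiveDirectory
        $DomainController = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    }
    foreach ($dc in $DomainController) {
        $raw = & w32tm /stripchart /computer:$dc /samples:3 /period:1 /dataonly 2>&1
        $off = Get-StripchartOffset ($raw | ForEach-Object { "$_" })
        if ($off -eq $null)                        { $status = 'unreachable' }
        elseif ([math]::Abs($off) -gt $MaxSeconds) { $status = 'SKEWED' }
        else                                       { $status = 'ok' }
        New-Object PSObject -Property @{ DC = $dc; OffsetSeconds = $off; Status = $status }
    }
}

# Constructed sample lines (not real output) to show the parser on its own:
Get-StripchartOffset @('Tracking dc1.corp.example [10.0.0.1:123].',
                       'Collecting 3 samples.',
                       '16:21:12, +00.0123456s',
                       '16:21:13, +00.0119871s')      # 0.0119871
Get-StripchartOffset @('16:21:12, error: 0x800705B4')   # $null

# Live check against every DC.
Test-ClockSkew | Format-Table DC, OffsetSeconds, Status -AutoSize

# Where is this machine getting time from? A domain member should show a DC,
# not "Local CMOS Clock" or "Free-running System Clock". (Vista and later.)
& w32tm /query /source
# Once the source is right, force a sync (elevated):  w32tm /resync
```

A client that is "SKEWED" against one DC but "ok" against the others is telling you the DC, not the client, has the wrong time; that is worth knowing before you resync anything, because resyncing a client from a bad DC makes the problem worse, not better.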

PS: Quick update from Jeff L. who suggested I also turn you on to this Microsoft KB article: