MDM & GP Tips Blog

Apr 01, 2008

Interview with Outgoing GP Team Lead -- Michael Dennis

Hello GPanswers.com blog readers. There are some big changes in the world of Group Policy. The Lead Program Manager, Michael Dennis, is shifting roles within Microsoft after 9 years and 9 months on the job (to the day!).

In this GPanswers.com exclusive, I was able to interview Michael Dennis for an "Exit Interview" to find out some inside scoop about his tenure on the Group Policy team, and where he's going inside Microsoft.

Note to other websites and news sources: because this content is exclusive to GPanswers.com, you may cite and source GPanswers.com. But please do not copy it wholesale to other websites.

---

[Jeremy Moskowitz, GPanswers.com]: Michael, thanks for this interview. I think lots of people would want to know what you would consider your best achievements during your time running the Group Policy team.
[Michael Dennis, Microsoft]: The biggest achievements go back some time ago, where we concentrated on developing what was to be known as "Group Policy". We had System Policy in NT 4.0, looked at that and its problems. And, since this was in the middle of Active Directory's development, we looked at where we needed to better address the manageability of clients and servers.

The idea that Group Policy was to be built in a hierarchy and that this idea had never been done before was a big deal to us. So, we concentrated on core infrastructure: client processes, integration with Active Directory.

The byproduct of our "best achievement" was also our worst achievement. That's because the GUI that we shipped in Windows 2000 was problematic. People needed a "PhD" in Group Policy to use it effectively because administrators needed to know how "the whole thing worked." I wished we could have created the GPMC and RSOP and delivered it back then (it was in the specs).

The other big achievement, I would say, is that you can pretty much "count on it [Group Policy] working." And we're honored that people can just count on Group Policy doing its job. Because of that, our team has been even more focused on keeping that idea [of it "just working"] in the forefront. We have a very strong test team to make sure Group Policy does continue to "just work."

[Jeremy Moskowitz, GPanswers.com]: How did "Group Policy" get its name?
[Michael Dennis, Microsoft]: (Laughs). We were talking about this thing called "policy".
My thought at the time was that the word by itself was too broad. It means too many things to too many people.

So, when we took a step back and tried to figure out where we managed things, we saw "groups" of places that we targeted. Active Directory is used for containment [of Group Policy Objects] and also for the targeting of GPOs. So, right there that's three "groups" of things. Site, Domains and OUs can be "groups" of things in the logical sense. Then we also deal with Users and Computers: that's another two "groups" of things. And, while Group Policy objects don't link directly to security groups, we do leverage them for filtering. So, there's "groups" again.

So, "Group Policy" became the name, and I've been questioned about it ever since.

Could there be a better name? Perhaps, but in all the years that have passed nothing better has been suggested. And, regardless, "Group Policy" now has a life of its own, both as a solution and as a technology.

[Jeremy Moskowitz, GPanswers.com]: What items do you wish could have made it into the Group Policy experience?
[Michael Dennis, Microsoft]: The good news is that the things I have been wishing for all along have seen the light of day. Along the way, my wishes, my vision, the things I've wanted since Windows 2000's release are here now in Vista. Things like RSoP, the GPMC, the increased settings, etc., make me feel very good about where Group Policy is today! I do wish we could have done those things a whole lot sooner.

Additionally, I wish that the Group Policy infrastructure were more extensible by partners. Our server side / client side extension model is heavy handed and requires a good deal of work by developers. Though it could be argued that our ADM/ADMX template structure does provide an easily extensible methodology. But, it would be even better if that part of the system enabled people to extend even more types of settings.

Lastly, I wish that the GPMC was more extensible from a reporting perspective to [3rd party tools]. That's an area in which 3rd party tool vendors have been pretty vocal.

[Jeremy Moskowitz, GPanswers.com]: What are some things people don't know about the Group Policy team?
[Michael Dennis, Microsoft]: Sometimes, it's not clear to people where the Group Policy team "fits in" to the overall picture. The idea is that we build the infrastructure, we build the transport, and we build the server and client side pieces. But in Vista alone we partnered with about 120 different teams at Microsoft to get the new settings in place for this release. We're the "middleman." So, if you see a Group Policy setting whose behavior seems odd, or has "Explain text" [the text within policy settings] that could be clearer, that's not specifically the Group Policy team's doing.

Another thing is that Group Policy is not to blame for system "slowdown" issues at boot or logon. It's the Group Policy payload that's to blame if things are slow. If you tell Group Policy to do something that's heavyweight, it's going to just "do it." For instance, if you tell it to install Microsoft Office on a per-machine basis, great. But just know that it will do what you asked for, it will install all of Office before you get a logon prompt. Is that a slowdown? You betcha, but as an admin that deployed it, it's exactly what you wanted the system to do.

The good news is that Group Policy will do these things, then, once it's done it, it doesn't have to do it again, and doesn't get in your way "the second time" because we check to see what it's already done.

[Jeremy Moskowitz, GPanswers.com]: What's your favorite thing to "show off" using Group Policy?
[Michael Dennis, Microsoft]: These days, I like to show off some of the new settings that made it into Vista. The removable devices settings [to restrict things like USB sticks, etc]; those settings people had been clamoring for. There are about 2400 settings in Vista, which brings a significantly larger level of control to the admins, so I like asking customers "What do you want to control?" and then show them how.

[Jeremy Moskowitz, GPanswers.com]: Why did you change from ADM to ADMX files?
[Michael Dennis, Microsoft]: Technically, we didn't have to get to ADMX to get to the new central store feature with Windows Vista. The big push for converting to ADMX was to allow us to support multiple languages appropriately.

In the old way, in multilanguage environments, you would often run into a situation where the contents of the ADM files inside a GPO would be inadvertently written by another language. Historically, we borrowed the ADM format from NT 4.0 which had borrowed it from 98 which had borrowed it from 95. If XML had been around then, it would have been a good candidate for our file format.

But, now that we have XML, it became easier to support multiple languages, and it presents us future opportunities to make registry and settings enhancements with our now schematized language.

[Jeremy Moskowitz, GPanswers.com]: What was the biggest internal challenge you had to overcome while working at the GP team?
[Michael Dennis, Microsoft]: The most ongoing problem that our team faces is when we try to get other components of Windows to policy-enable their feature.

Team X might respond "We just built this great new feature... why would anyone want to turn it off?" And we can understand that. But, for the most part, we worked through a lot of those issues.

Other challenges are the technicality of policy enabling some things. For instance, the new Windows Firewall with Advanced Security (WFAS). WFAS was tough to do. It's not easy or straightforward to policy-enable it right. The interface that the WFAS team did for Vista is superb, but doing it right has been tough.

The removable device policy settings, enabling these was a technical challenge, because three OTHER teams (plus the Group Policy team) had to come together to enable that in the system.

Over time, (since Windows 2000 and every release since) we've spent a fair amount of energy to put forth the right set of policy settings enabled in the system.

In versions of Windows before Vista, the product teams themselves didn't always think about policy-enabling their components. But, during Vista's development, a fair number of teams proactively recognized that they needed to policy-enable their sections of the world, to be more manageable. They would come to us and ask "Please tell us how."

That was huge!

[Jeremy Moskowitz, GPanswers.com]: What's next for you?
[Michael Dennis, Microsoft]: I'm moving to the "Mobile Information Worker" team which is responsible for Smart Phones, PocketPCs, etc. My role will be to extend some of the management technologies in Windows Server System to Windows Mobile devices.

I will try to take my same vision and passion for manageability and apply it in this new space. Meanwhile, I'm leaving the Group Policy team in an outstanding position to move things forward without me.

[Jeremy Moskowitz, GPanswers.com]: Who is your successor?
[Michael Dennis, Microsoft]: That announcement will probably be made in another week or two. We're working on how things need to be organized, who's the right person, and how that will be done. There's no rush to make an announcement. It might be a few more weeks (or maybe just a few days).

I'll leave it to the Group Policy team to let you know so you can tell your folks on GPanswers.com.

[Jeremy Moskowitz, GPanswers.com]: Anything else you'd like to tell the GPanswers.com audience?
[Michael Dennis, Microsoft]: All thru the development of Group Policy, one key focus was to "get in front of customers" and understand what they're trying to do (from a scenarios perspective). This idea, of "scenarios that solve problems," is now embedded in the team.

If a customer has a well-structured opinion about scenarios they'd like to see Group Policy cover, and they have a business case for doing something, they need to find a way to communicate that back to us.

We have a good feedback mechanism that's available to anyone at any time:

Http://www.WindowsServerFeedback.com

There, you'll find a Group Policy button.

If your folks can say "here's my problem, here's my business case, and I need the system to be able to do this and here's why" that kind of information is very, very valuable to us. Those who make decisions about Group Policy going forward read every entry that comes thru that source.

Again, if you want to have an impact in Group Policy moving forward, tell us about what you need. But please don't just tell us "We need a policy setting that does X" without telling us "why."

The "how" is our job to figure out. What the Group Policy team really needs to know is the "why."

[Jeremy Moskowitz, GPanswers.com]: Thanks for taking the time to tell us about your experiences on the Group Policy team at Microsoft. All the best!
[Michael Dennis, Microsoft]: Thank you Jeremy, and thank you, members of GPanswers.com.

Apr 01, 2008

Yay and boo

Yay: I've been accepted as a Group Policy MVP for my third time. Thank you to all who helped me achieve that!

Boo! I found _another_ Vista bug {sigh}.

Here's the lashup...

If Vista recognizes that your hardware has changed enough that you must re-validate, you are prompted to do so when your next user logs on. After validating, I found the following to be true:

1. Delegated permissions required to see your own GPresults are not available

2. Computer-side policy fails to execute

3. Remote Desktop into the machine becomes impossible

All is cleared up with a reboot of the affected machine after validation.

In short... After validation, you simply must reboot to get a normal experience.

But Vista doesn't make you reboot.



Apr 01, 2008

Takeown

Did you know Vista has a take ownership command right in the box?

I used to have to do this with a command called "Chown" which I had to download separately. Now, "takeown.exe" is right there for me.

Also, my favorite unix command of all time (whoami) ships in the box. With whoami /all you can figure out what groups you're in and what privileges you've got. What's neat is that because Vista has "split token" SIDs, you won't actually see all your Privileges -- even if you log in with Domain Administrator credentials. You only get to USE those privs when you elevate thru UAC (User Account Control).
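As an added example (not from this post), here is a PowerShell wrapper around the in-box whoami.exe that shows the split-token effect directly: it reads whoami's CSV output and reports whether the current shell holds the filtered token, the elevated token, or a plain standard-user token. It assumes PowerShell 2.0 or later for ConvertFrom-Csv; run it once from a normal prompt and once from an elevated prompt and compare.

```powershell
# Added example, not from the GPanswers post. Assumes PowerShell 2.0 or later and the
# in-box whoami.exe the post mentions.
function Get-TokenState {
    # whoami can emit CSV, which is easier to inspect than its default table layout.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # BUILTIN\Administrators is always S-1-5-32-544. UAC leaves that SID in the
    # filtered token but marks it "Group used for deny only", so membership checks
    # fail and the admin-only privileges are stripped until you elevate.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.Type -eq 'Label' }   # integrity level row

    $state = if (-not $admins)                              { 'StandardUser' }
             elseif ($admins.Attributes -match 'deny only') { 'Filtered' }
             else                                           { 'Elevated' }

    $integrity = if ($label)  { $label.'Group Name' } else { 'unknown' }
    $adminAttr = if ($admins) { $admins.Attributes }  else { 'not in token' }

    New-Object PSObject -Property @{
        State           = $state
        IntegrityLevel  = $integrity
        PrivilegeCount  = @($privs).Count   # a filtered token lists only a handful
        AdminAttributes = $adminAttr
    }
}

$token = Get-TokenState
$token | Format-List State, IntegrityLevel, PrivilegeCount, AdminAttributes

switch ($token.State) {
    'Filtered'     { 'Administrator account, but this shell holds the filtered token: whoami /priv shows only the privileges every user has.' }
    'Elevated'     { 'Elevated token: the full administrative privilege set is in effect.' }
    'StandardUser' { 'Standard user token: Administrators is not in the token at all.' }
}
```

The PrivilegeCount line makes the post's point visible: the same domain-admin logon shows a short privilege list in a normal shell and the full list after elevating through UAC.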



Apr 01, 2008

Bugs in the ointment (one in a series)

There are -lots- of bugs in Vista RTM. Some are in the Group Policy space.

I'm not beating up the GP team in any way by reporting these facts to you. Indeed, it's my goal to help locate these bugs, and let you and the team know of them (together). That way, YOU can work around these bugs and THEY can whomp 'em.

So, stay tuned for lots of little things here and there which need a little spackle.

Bug #1: GP Filtering

The final policy settings appear not to have been scrubbed such that there was a single "At least" requirement for Vista.

There are two main sets of Vista-specific policy settings, each with their own "Requirements."

One set is: "At least Windows Vista"
The other set is: "At least Microsoft Windows Vista"

Most are in the latter set. However, the FIRST set is first when you click in the "Filter by Requirements information" so, most people (like me) will likely click that puppy and be "surprised" when most Vista-specific policy settings aren't showing up.

Took me two weeks to figure out why I wasn't seeing it.
(I guess I'm slow.)

Apr 01, 2008

What?? No MSI for Forefront Security from Microsoft?

"Microsoft has released the public beta of Forefront Client Security - their new malware product. Currently deployment of the client via GPSI is not supported (there's not a single MSI file). This is due to the complexity of the install process. Which means creating your own might be unlikely as well. Deployment via script is the only remote deployment option.

This issue has been brought up on the beta test newsgroups and Microsoft has asked for feedback.

A product suggestion has been submitted - Feedback on this suggestion can now be submitted by voting on its priority (1 lowest - 5 highest). If the lack of GPSI integration would influence your decision to use this product you can vote on the suggestion priority at https://connect.microsoft.com/feedback/default.aspx?SiteID=27"

Thanks to John Richardson for this alert!



Apr 01, 2008

About BeyondTrust and DesktopStandard

Today I had a nice chat with BeyondTrust CEO John Moyer. We talked about the Microsoft acquisition of his previous company, DesktopStandard, and where he's going with BeyondTrust.

The Old
--------
On the subject of the acquisition, former DesktopStandard CEO, Moyer said, “we had a great run with DesktopStandard and greatly appreciate all the support from our customer base and thought leaders like you, Jeremy. The acquisition validated not only the capabilities of the DesktopStandard team, but also Microsoft’s commitment to Group Policy. I am very happy that Microsoft will distribute DesktopStandard products to an even broader base of potential customers to help them manage their desktops and leverage their investments in Active Directory.”

The New
--------
Moyer has transitioned to a new role as CEO of BeyondTrust Corp. BeyondTrust was spun out of DesktopStandard to focus on enterprise security products. When I asked Moyer about BeyondTrust and why DesktopStandard’s PolicyMaker Application Security Product was not part of the Microsoft transaction he had the following to say,

“Simply put, we didn’t want to sell PolicyMaker Application Security. It was DesktopStandard’s fastest growing product. We recognized that the market for this product was just starting to take off. And we already had a successful and experienced team in place so this just made good sense.

PolicyMaker Application Security, which we have renamed to Privilege Manager, will form the backbone of BeyondTrust Corp. BeyondTrust is a new type of security company focused on helping customers to move beyond the need to place trust in users.

BeyondTrust’s flagship product, Privilege Manager, enables customers to implement the security best practice of Least Privilege. With it end-users can run all required applications and perform all required system tasks without administrative privileges. Currently, there is too much trust in IT security. Users must often be given admin privileges in order to do their jobs, forcing IT to ‘trust’ those users. The result is that these same users are often overrun by malware and can expose the network to serious threats through malicious activity.

BeyondTrust will continue to leverage Group Policy. Privilege Manager policy is applied by rule creation in the Group Policy Object Editor.”

Apr 01, 2008

ADM to ADMX Converter tool

You're not using Vista yet, but FullArmor and Microsoft are thinking of you. That is, with Vista the new ADMX file format will supplant the ADM file format. But what if you've already got a bunch of ADM files out there? Are you going to learn the ADMX format for a one-time conversion? Not anymore. Microsoft and FullArmor are releasing a free tool, found here, to help automatically transition ADM to ADMX files. Thanks, guys!! (Are you reading this blog? If so, send me a short email, and just tell me. Trying to figure out if this blog thing is useful for you guys or not. And tell me if you're reading it from the web page, or via RSS or another way. Thanks!)