MDM & GP Tips Blog

Apr 2011

Charlie Sheen your GPOs . . . Winning !

I'm not going to beat up Charlie Sheen in this blog post. You'll see where the Charlie Sheen stuff comes into play. Let's get right down to GP bizness.

Let's pretend you had this setup. I have two GPOs linked to the East Sales Users OU: GPO 111 and GPO 222.

And, let's also pretend that they affect the same policy setting: Remove Games Link from Start Menu.


If we run a Group Policy Results report we can quickly see that BOTH GPOs (GPO 111 and GPO 222) were correctly applied to the client machine (Win7Computer-32), as seen here.


Now, remember, I've said that GPO 111 and GPO 222 conflict on how they apply the Remove Games Link from Start Menu setting.

So, which one is going to win ?

Well, the quickest way to see the Winning GPO is to run the Group Policy Results report as seen here. In my not too complex (on purpose) example here we can see that GPO 111 is Winning over GPO


But what if we add something at another level, say the Domain level and Enforce those settings down?


If the GPO is Enforced, then that GPO should be the Winning GPO, and in my re-run GP Results report example here, that’s precisely what has occurred.


So, in short, the Winning GPO is the one which ultimately gets to express the setting upon the client computer.

If you can't figure out WHY a particular value is appearing on the client, look no further than looking for the one that's Winning !!

Apr 2011

Why you cannot see Site-Based GPOs inside the Inheritance Tab of the GPMC

A fellow reader like you, named Dave King emailed me this screenshot.

Dave asked me a short, sweet question and included a killer screenshot.

First the question, then the screenshot


If I set a GPO to be applied at the SITE level and it is working fine, and set another at the DOMAIN level and it is working fine…

When I go to the node and look at the applied Policies it shows only the one linked at the DOMAIN level.

What happened to the SITE one?

It is there and working, and when I run a Resultant set of Policy on the node it DOES show the SITE GPO and the DOMAIN GPO.

But it does not show the SITE GPO’s influence on the Node without running the RSOP.

Is there any explanation for this behavior?



First, Dave, THANK YOU for having this so clearly marked up, expressing exactly what your problem was, and how I can help. This makes the job of helping you MUCH EASIER. (That is to say, if you are looking for a little help, I would please first encourage you to use the forums.. THEN ask for help.) And if you ARE going to ask for help or look to get a question answered, THIS is exactly how to do it.

Now, let's take a look at the screenshot. (Seriously.. this is the EXACT screenshot I got from Dave. I didn't make these markups.. he did. Thank you Dave !)


What Dave is witnessing is completely normal. Dave is noticing that a Site-linked GPO (in this example Hide Screen Saver Option, linked to Default-First-Site-Name) is actually WORKING on the client. He explains this when he tells me that he sees it show up in the RSOP (gpresult /R) report on the client.


So the question really is.. Why can't I see it here, in the Group Policy Inheritance tab?

The answer is simple. The GPMC itself cannot know WHO will be in that site at any given time. So, to avoid confusion it won't show site-based GPOs in the Group Policy Inheritance tab. For instance, let's pretend that Default First Site was really named Detroit. And, let's also pretend that there was a second site named Dublin (either Ireland, or Ohio.)

Now, if there is a GPO linked to Detroit and others linked to Dublin what is the Resultant Set of Policy RIGHT NOW for anyone in the Human Resources OU? Answer? We don't know.

We don't know, because we don't know if we're talking about users in Detroit or Dublin. So, the GPMC Group Policy Inheritance tab simply doesn't show (i.e., assume) where the user (or computer) is at that moment.

Therefore, you'll see the GPO in the RSOP reports on the computer (because the computer ITSELF knows where it's at).. but the GPMC simply cannot make any assumptions.

Mystery Solved !

Thanks Dave.. This was a fun one !
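Both of the posts above (the Winning GPO, and the Site-linked GPO that the Inheritance tab cannot show) come down to the order in which the client processes GPO links once it knows its own site. The PowerShell below is an added example, not code from this blog: it parses gPLink values and reproduces that processing order, then picks the Winning GPO for a setting. The function names, the DNs, GUIDs, gPLink strings and the settings table are all constructed for the example; on a real domain the attribute values would come from Get-ADObject.

```powershell
# Added example (not from the blog): reproduce the order in which the Group
# Policy client processes GPO links so the Winning GPO for a setting can be
# worked out. Order: Site, Domain, then OUs from the top down; the link
# processed LAST wins. Disabled links are skipped; Enforced links are processed
# after every normal link, with the parent container's Enforced link last of
# all (so it wins); Block Inheritance on a container discards all non-enforced
# links from the containers above it. Security filtering, WMI filters and GPOs
# with the user or computer half disabled are not modelled.
# The DNs, GUIDs and gPLink strings below are CONSTRUCTED sample data; in a
# real domain they come from each container's gPLink/gPOptions attributes,
# e.g. Get-ADObject $dn -Properties gPLink,gPOptions (gPOptions 1 = Block).

function ConvertFrom-GPLink {
    # Parses one gPLink value: "[LDAP://cn={GUID},cn=policies,...;FLAGS][...]"
    # FLAGS bit 0 = link disabled, bit 1 = link enforced. Entries are stored in
    # processing order: the LAST entry is GPMC Link Order 1 (highest precedence).
    param([string]$GPLink, [string]$Container)
    foreach ($m in [regex]::Matches($GPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{
            Container = $Container
            GpoDN     = $m.Groups[1].Value
            Disabled  = [bool]($flags -band 1)
            Enforced  = [bool]($flags -band 2)
        }
    }
}

function Get-GPOProcessingOrder {
    # $Chain: the containers on the path to the computer or user, ordered
    # Site, Domain, OU, sub-OU..., each with Name, GPLink and BlockInheritance.
    param([object[]]$Chain)
    $normal = @(); $enforced = @()
    foreach ($c in $Chain) {
        if ($c.BlockInheritance) { $normal = @() }   # drop inherited normal links
        foreach ($l in @(ConvertFrom-GPLink -GPLink $c.GPLink -Container $c.Name)) {
            if ($l.Disabled) { continue }
            if ($l.Enforced) { $enforced += $l } else { $normal += $l }
        }
    }
    [array]::Reverse($enforced)      # Enforced: child first, parent last (parent wins)
    return @($normal + $enforced)    # element 0 is processed first; the last one wins
}

function Get-WinningGPO {
    # The last processed GPO that configures $Setting is the Winning GPO.
    param([object[]]$Order, [hashtable]$SettingsByGpo, [string]$Setting)
    $winner = $null
    foreach ($link in $Order) {
        if ($SettingsByGpo[$link.GpoDN] -contains $Setting) { $winner = $link }
    }
    return $winner
}

# --- constructed sample: Dave's site GPO plus the GPO 111 / GPO 222 / domain setup ---
$pol   = 'cn=policies,cn=system,dc=corp,dc=example'
$g111  = "cn={11111111-0000-0000-0000-000000000111},$pol"   # "GPO 111"
$g222  = "cn={22222222-0000-0000-0000-000000000222},$pol"   # "GPO 222"
$g333  = "cn={33333333-0000-0000-0000-000000000333},$pol"   # domain-level GPO, Enforced
$gSite = "cn={AAAAAAAA-0000-0000-0000-00000000AAAA},$pol"   # "Hide Screen Saver Option"
$chain = @(
    @{ Name = 'Default-First-Site-Name'; GPLink = "[LDAP://$gSite;0]";               BlockInheritance = $false }
    @{ Name = 'corp.example';            GPLink = "[LDAP://$g333;2]";                BlockInheritance = $false }
    @{ Name = 'East Sales Users';        GPLink = "[LDAP://$g222;0][LDAP://$g111;0]"; BlockInheritance = $false }
)
$settings = @{                        # which settings each GPO configures
    $g111  = @('Remove Games Link from Start Menu')
    $g222  = @('Remove Games Link from Start Menu')
    $g333  = @('Remove Games Link from Start Menu')
    $gSite = @('Hide Screen Saver Option')
}

$order = Get-GPOProcessingOrder -Chain $chain
$order | Format-Table Container, Enforced, GpoDN -AutoSize
foreach ($s in 'Remove Games Link from Start Menu', 'Hide Screen Saver Option') {
    $w = Get-WinningGPO -Order $order -SettingsByGpo $settings -Setting $s
    "Winning GPO for '$s': $($w.GpoDN) (linked at $($w.Container), Enforced=$($w.Enforced))"
}
# Change the domain link's flags from ";2" to ";0" and GPO 111 becomes the winner.
```

With the sample data the Enforced domain GPO wins the Games setting and the site GPO wins the screen saver setting, which is exactly what gpresult /R reports on the client even though the Inheritance tab cannot show the site link.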

Mar 2011

Windows Group Policy vs. Logon Scripts. What's the right option?

I thought I would tip the hat this week to a Microsoft Premier Field Engineer who attempts to answer the age old question:

Windows Group Policy vs. Logon Scripts. What's the right option?

Since in a previous blog post of mine I demonstrated why I personally feel Group Policy has the advantage, I thought I would share what I recently found: a balanced rationale about why one might want to use the built-in AD Users and Computers, versus Group Policy, for logon scripts.

Here's the link to his article. Enjoy.

PS: My remaining seats in my April 11-14th Denver class are melting away like snow on a warm spring day. Don't wait if you're still interested. Confirm your seat TODAY by using and signing up online or call 302-351-4903 and Diane will help you with a PO. Discounts for large teams !

Feb 2011

Showing and Hiding Scripts using Group Policy

This came up today with a group of new friends I met in Wisconsin at a K12 education conference.

Someone asked, “How can I prevent people from stopping login scripts as they run?”

I thought about this for a second, and realized, he was using Active Directory Users and Computers and running an old school script like this.


It was an easy fix. Simply start using Group Policy Scripts, which can be found here:


Doing it this way, if you DID want to run Logon Scripts visible, you would need to set:

User Configuration | Policies | Administrative Templates | System | Logon/Logoff | Run Logon Script Visible

Hope that helps !

Feb 2011

GPMC Backspace Bug: Not fixed in Windows 7 / Server 2008 SP1.. but in this Hotfix !

This one has been bugging me for a LONG time, and likely affects your life too.

You're going along, typing in the name of a GPO, then.. Uh-oh.. a little typo.

You hit backspace, and Crappers.. it doesn't work !

My own personal workaround to this is to use Ctrl-Shift + Left arrow and wipe out the whole entry, or, of course, use the mouse to fix.

But, there's a hotfix, waiting for you, and it's right here.

Here's the weird part.. apparently, this hotfix isn't inside Windows 7 SP1 or Server 2008 SP1 (if I'm reading the article correctly.) And the hotfix download page seems to say that it will only be part of SP2 !!

So, even AFTER you apply SP1 (when available) you should apply this hotfix to your machines running the GPMC.

The link to the hotfix is here:

Special Thanks to Mark Parris who provided the inspiration to this tip. His blog can be found here:

Feb 2011

Group Policy the GPMC–It’s part of the operating system

One thing that seems to be confusing for the newer GP-practitioner is “what GPMC version should I use?”

The answer: Always the latest one.

That one, right now, is the GPMC for Windows 7 or Windows Server 2008 R2.

Those are equal in their capabilities.

You can install the Windows Server 2008 R2 GPMC as a feature of the operating system using the Server Manager utility, as seen here.


You can install the Windows 7 GPMC by installing a downloadable piece called RSAT (Remote Server Administration Tools).

That RSAT utility is found here, and note.. there are 32-bit and 64-bit versions.

Once installed (and it takes a while) you can turn on the GPMC in “Turn Windows features on or off”, as seen here.

Then, run GPMC.MSC, and you'll be off and running using the GPMC console !


By using the latest GPMC, on either Windows 7 or Server 2008 R2, you'll always have access to the latest abilities, like GP Preferences or creating AppLocker policies.

So, if you're using the old XP GPMC, get on board with the latest, greatest GPMC. You'll be happy you did !

Jan 2011

How to Schedule a GPO to Fire Off within certain time blocks

Thanks to member Bart for the meat of this tip !

You might have a situation where you want GPOs to apply to a collection of computers but only within certain time blocks.

Sure, you could manually link and unlink the GPO when the proper times come. But you're too busy for that.

Instead, use PowerShell, and automate the task!

First things first. Make sure the policy refresh interval on the workstations is set small enough to apply the activated GPO settings during the times you want. Normally, computers update every 90 to 120 minutes. To use this tip, you might want to tighten up the refresh interval just for this collection (like a Training room OU or Kiosk OU or something.) I wouldn't recommend you do this for your whole population. Do this using the policy setting located at “Computer Configuration | Administrative Templates | System | Group Policy | Group Policy refresh interval for computers.”

Where this came in handy was to activate and deactivate additional (outgoing) firewall rules specifically for a classroom setup for specific classes.

To use, simply set up a scheduled task to LINK and UNLINK the GPOs as needed.

To Enable:
Powershell -ImportSystemModules -Command "& {Set-GPLink -Name 'GPO_Computer_Classroom Outgoing Firewall' -Target 'ou=classroom,ou=computer management,dc=yourdomain,dc=local' -LinkEnabled Yes}"

To Disable:
Powershell -ImportSystemModules -Command "& {Set-GPLink -Name 'GPO_Computer_Classroom Outgoing Firewall' -Target 'ou=classroom,ou=computer management,dc=yourdomain,dc=local' -LinkEnabled No}"

PS: For more information: the PowerShell cmdlets for managing GPOs come with Windows 7 and W2k8-R2. For an overview of all GPO cmdlets have a look at the TechNet site:
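Two blind scheduled tasks work, but they will write to AD every time they fire and will silently do nothing useful if the link was never created. As an added example (not part of Bart's tip), the wrapper below can be run from one scheduled task every few minutes: it decides from the clock whether the link should be enabled right now and only calls Set-GPLink when the link's current state differs. The function names and the class schedule are my own constructions; the GPO name and OU are the ones from the tip, and the GroupPolicy module (Windows 7 RSAT / Server 2008 R2) is assumed to be available.

```powershell
# Added example (not from the tip): idempotent wrapper for the scheduled
# Set-GPLink calls. Requires the GroupPolicy module. The schedule is
# CONSTRUCTED sample data; GPO name and OU are the tip's.

function Test-InTimeWindow {
    # $Windows: list of @{ Days = 'Mon','Tue'; Start = '08:00'; End = '10:30' }.
    # Returns $true when $Now falls inside any window (Start inclusive, End exclusive).
    param([object[]]$Windows, [datetime]$Now = (Get-Date))
    $day = $Now.DayOfWeek.ToString().Substring(0, 3)
    $tod = $Now.TimeOfDay
    foreach ($w in $Windows) {
        if ($w.Days -notcontains $day) { continue }
        $start = [timespan]::Parse($w.Start); $end = [timespan]::Parse($w.End)
        if ($tod -ge $start -and $tod -lt $end) { return $true }
    }
    return $false
}

function Sync-GPLinkToSchedule {
    # Enables the link inside the windows, disables it outside, touches AD only on change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string]$TargetOU,
        [Parameter(Mandatory = $true)][object[]]$Windows,
        [datetime]$Now = (Get-Date)
    )
    Import-Module GroupPolicy -ErrorAction Stop
    $shouldBeEnabled = Test-InTimeWindow -Windows $Windows -Now $Now
    # Get-GPInheritance lists the links on the OU itself; find ours by display name.
    $link = (Get-GPInheritance -Target $TargetOU).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $link) { throw "GPO '$GpoName' is not linked to $TargetOU; link it once by hand first." }
    if ($link.Enabled -eq $shouldBeEnabled) {
        Write-Verbose "Link already $(if ($shouldBeEnabled) {'enabled'} else {'disabled'}); nothing to do."
        return $shouldBeEnabled
    }
    $state = if ($shouldBeEnabled) { 'Yes' } else { 'No' }
    if ($PSCmdlet.ShouldProcess("$GpoName on $TargetOU", "Set-GPLink -LinkEnabled $state")) {
        Set-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled $state | Out-Null
        Write-Verbose "Link set to $state at $Now"
    }
    return $shouldBeEnabled
}

# Constructed sample schedule: the firewall GPO is live only during class hours.
$classHours = @(
    @{ Days = 'Mon','Wed','Fri'; Start = '09:00'; End = '11:30' }
    @{ Days = 'Tue','Thu';       Start = '13:00'; End = '16:00' }
)

Sync-GPLinkToSchedule -GpoName 'GPO_Computer_Classroom Outgoing Firewall' `
    -TargetOU 'ou=classroom,ou=computer management,dc=yourdomain,dc=local' `
    -Windows $classHours -Verbose
```

Add -WhatIf to the final call to see what it would do without touching the link; the refresh interval tightened above still decides how soon the clients notice the change.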

Jan 2011

Lockdown PCs -- Hard. With Windows 7 - - Easy.

The Lockdown Question

“Hey Jeremy, what's the best way to lock down my Windows machines?” I hear this question dozens of times a year from students who are sitting down at the first day of my Group Policy training workshops. They are often very eager to get right down to business and wrestle this particular problem to the ground because they know that when they go back to their offices and implement what they're about to learn, their environment will be more predictable and more secure.

See, I know we all feel it would be best if our pesky users would just stop playing with stuff within Windows, their applications and on their desktops.

And, sure, that's part of the art of desktop lockdown. But my suggestion would be to look at desktop lockdown from a holistic and incremental approach. There's no one best way to lock down your Windows machines.

But what is true is that the technologies built in to Windows 7 have enabled more control than ever, across a wide variety of situations. Let's explore some of my favorite ways to get started with desktop lockdown, then I'll give you some tips on how to expand your controls as you need to.

Lead with Group Policy and Group Policy Preferences

This pair of technologies is arguably the most powerful arrow in your quiver. Using Group Policy, you can restrict a user from some of Windows' most tempting locations such as the Control Panel, desktop, Start Menu, Task Bar and more. Once a GPO is created, most of these settings are found within the User Configuration | Administrative Templates section. There are way too many settings to review here, but I would encourage you to poke around, take stock of the ones that are most interesting to you, then try them out in your test lab before rolling out into production.

When performing lockdown tests, I would suggest that you use two people, a designer and a tester. The Designer should set up the Group Policy settings and lockdown tests, then the Tester would validate the tests and try to wiggle around the designer's intentions. Using two people during testing ensures good feedback. One person always validates the other.

As you're working through your testing, do note that some policy settings are reliant upon other policy settings being enabled, or other conditions being set or present on the client machine, before you actually see the result you're expecting. So again, having a Designer design and a Tester test helps make sure the settings you want to achieve have actually occurred on the client machine.

Group Policy Preferences also enables you to deliver desktop settings. Though not specifically designed for desktop lockdown, they can be helpful in guiding users away from temptation and toward standardization.


Caption: The Group Policy Preferences can implement IE settings

Sometimes what the doctor ordered is a blend between both Group Policy and Group Policy Preferences. For instance, you might want to use Group Policy Preferences to set a particular setting, plus use Group Policy controls to lock down certain areas of IE.

This is an advanced skill, which takes a little practice and patience. But with enough time, you'll find the right balance using the two.

I would also suggest that you check out a favorite document of mine entitled Group Policy Settings for Creating a Steady State which can be found here with literally dozens of ideas to help you get started.

Focus, then Expand

So going back to my students who ask me “Hey Jeremy, what's the best way to lock down my Windows machines?” As you can tell, I love to lead with the core lockdown starting with Group Policy and Group Policy Preferences, then expand outward using additional Windows 7 technologies.

If you're looking for more hard-core controls, you might want to consider checking out the recently published document from Microsoft entitled Creating a Steady State by Using Microsoft Technologies.

Inside you'll discover some extra ideas you can try out, such as mandatory profiles, working with AppLocker to prevent applications from running, and even wiping back the hard drive of a machine every night!

We've just scratched the surface. For additional specific tips and tricks on desktop lockdown, it's a common feature in my Tip of the Week. You can sign up the free tip of the week at You can also get hands-on experience with Group Policy and desktop lockdown in my in-person or online-based Group Policy Master Class at


Jeremy Moskowitz, and

Jeremy Moskowitz is an Enterprise Mobility MVP, the Chief Propeller-Head for and Founder of PolicyPak, which makes software to increase desktop lockdown using Group Policy. Thousands of IT professionals have taken his Group Policy training. was ranked as one of “The 20 most useful Microsoft sites for IT professionals” by ComputerWorld magazine. Jeremy is also a STEP member.

Dec 2010

Backup Procedures so Easy, Even Your Mom Could (and should) do it. (Repost, with updates)

Presenting.. “Jeremy Moskowitz’s guide to how to back up your computer (which should be enough for most mere mortals who are not IT pros).”

If you ARE an IT pro, I would encourage you to PRINT and hand-deliver this to everyone during your Xmas or NY-eve party. It may seem like a weird gift NOW, but your friends and family will thank you that you took a moment to set them up with the protection they need.

In a departure from my usual IT-focused subject matter on, this guide is not specifically geared toward IT managers or even IT pros. Again, this is a guide that you should give to anyone and everyone you know with a computer.

IT backup and restore procedures will be significantly different than this.

This is for “regular Joe and Jane” with one, two or maybe three computers in the house. I wrote this document up after I saw this picture (see below). In short, you never know what is going to happen to your data. There are *EIGHT* things you need to do to keep absolutely safe. Omitting any of these steps is not advised, but I can see that if you only performed just ONE, you would still be BETTER OFF than almost everyone I know. Doing all seven is a near guarantee you will not be “up the creek when the water really hits.”

The Motto I live by: “There are people who back up their data, and those who will.” That’s because DISK DRIVES ALWAYS FAIL. ALWAYS. It’s a guarantee. Even the newest ones with no moving parts. They all fail. Eventually. Read more to discover how “mere mortals” (not IT folks) should be backing up their data to prevent disaster.

Look at this picture. Ow. You never know what’s going to happen.

I know.. You’re thinking “Holy cow, Moskowitz. Really? Seven things I gotta do? You’ve got to be kidding me.”

Sorry. Yes. One method isn’t enough. Two *CAN* be enough. But you cannot count that any ONE method will always work.

That’s why you need at LEAST TWO. And the others are GOOD IDEAS.

Let me explain how I do it, and you can copy or otherwise parrot what I do. Or not. For the record, I haven’t lost any data since 1994, your mileage may vary.

Thing #1: Get an online backup service.

What is an online backup service?

It’s a little application that runs on your PC or Mac and constantly backs up your files to the online service thru the Intertubes. I use (don’t sign up until you read this whole thing.) Others seem to like

Q: How does it protect you?
A: You tell it where your “data” is.. (or let it decide) and if you DELETE a file, or a directory, you go online and RESTORE it.

Q: What happens if I blow away my whole hard drive or change hard drives?
A: You can get it all back.. your data. Pictures, docs, etc. Not applications. You can transfer your subscription to other computers at the same time.

Q: What about applications I’ve installed?
A: You should have another copy of these somewhere. At least a LIST of what’s important, offline, somewhere. See my answer a little later.

Q: What about if I overwrite a file by accident?
A: Carbonite says they keep 3 months of backups of a file. Never used it.

Q: What does it cost?
A: $55 a year for “all you can eat.” Multi-year discounts. Get it. It’s a freekin’ no-brainer. $55 a year per computer.. GIGS of storage. They do not monitor storage usage unless it's clearly over-the-top, crazypants Gigabytes.

Q: Mac and PC?
A: Yes. Get it.

Q: Do I need to license each computer in my house?
A: Yes. Do that.

Q: Does it take 90 years to upload all my stuff?
A: Yes. The first time is quite painful for your internet connection. After that, easy.

Q: Are there other backup services like this?
A: Yes, lots. I happen to use this one. Others like

Q: Does it handle open files? If my Outlook is running does it back that up?
A: No. This is a pain in the neck, and you'll occasionally have to just reboot your machine, log on, then go to sleep (leaving the computer on.) Only then will 100% of the files be uploaded to the service.

Q: Is it safe? Do they sell my personal data to the mafia?
A: In the last century, you decided to trust your banks with your money. Now, in the 21st century you have to have some trust in services that hold your data. My stuff is up there as are millions of other peoples. Seems safe. But, make sure, ya know, you're not using a lousy password to access the stuff through their web page.

Thing #2: Get a full-disk backup program

If you’re not using Windows 7, do that soon. Inside Windows 7 is a very decent “Full Disk backup” program. XP has one too, but it’s not quite as good.

In Windows 7, just type “Backup” at the start prompt. The Windows 7 default backup routine is to take a full disk backup. If you ARE an IT Pro reading this, or a home user capable of using the command prompt, my suggested command to run to automate the process is:

wbadmin start backup -backuptarget:O: -include:C: -allcritical -quiet

(Where O: is whatever drive letter houses an external USB disk.) This will ensure that all the Windows 7 important bits are captured and ready to be placed upon the disk. I have found this to be more reliable than the GUI version of the backup tool.

Macs have a built-in excellent program called Time Machine. Check it out, and use it.

If you’re using XP, or even Windows 7, I might suggest something like (Able to successfully backup and restore to same machine. Have not tried their Universal Restore option.)
or (personally, this did not work for me; tried it and didn't get 100% backup, posted to their forums and got lousy responses.)

These products take full SNAPSHOTS of your machine (and increments) and put them on an external USB disk (more later). When the crap hits, you boot off a CD (that you make) and.. whamo.. pull from your recovery backup.

Thing #3: Backup to an external USB drive (and back up MOST important stuff here.)

In Step #2, you saved an “image” of your PC somewhere. Where? Here. External USB disks are just DIRT CHEAP.

Here’s 250GB for $39.99. More Googling will yield better results, even.

Get two or three. See next FAQ for why.

Thing #4: Don’t keep all your backups / computers in your house !

Keep one backup in the house at all times, another at your Mom’s or in the safe deposit box at the bank. True, the bad guys can break in and steal your backup at Mom’s, so a safe deposit box is actually way better.

Why are you doing this “offsite backup?” So, if your house burns down, so does your laptop, -AND- the backup you have in the house. Having another at your Mom’s or in the Safe at the bank is a GOOD IDEA.. But this takes DILIGENCE.

I know someone who did thing #3 (above) but his laptop *AND* his backup were caught in a flood. If he did Thing #4 as suggested here, he would still have been protected.

So, what do *I* do? Every Monday, I rotate my sets of drives such that I always have TWO in the bank and ONE coming back to me for making a new backup for the next week.

Thing #5: Making DIRECT copies of your most critical data to the external disk drives

If you have EXTRA room after thing #2, then make a DIRECT copy (drag and drop, xcopy, etc) of your MOST IMPORTANT STUFF directly to the external disk drive.

Why? Because if something got CORRUPTED in the snapshot backup of step #2, you at least have YOUR MOST IMPORTANT STUFF as just regular “plain ol’ files” for you to recover.

Just plug in your USB backup and, COPY BACK.

This year, I blew up my humongous .mp3 collection. This became a no brainer for me to repair. I backed up 3 days earlier. I simply deleted all the MP3 on my desktop, and copied the backed up files to their normal home. Boom. Done.

Thing #6: Rotate between AT LEAST two, possibly three USB drives.

This is similar to #4, but three is better than two. This gives me THREE weeks to get something back from the dead if I messed up.

Thing #7: Keep copies of your ORIGINAL disks, downloadables, KEYCODES and Drivers.

I have some key “special” folders in case I need them:

  • Keycodes: c:\data\keycodes. It has WORD and TXT files with all the keycodes of everything I’ve ever bought, ever.
  • ISOs: c:\ISOs. This is a collection of the DVDs and CD-ROMs I have physically purchased, including Quickbooks and Microsoft Visio. If you're unfamiliar with how to take your store-bought DVDs and CDs and make ISO files, consider asking your IT friend for a tutorial. This usually requires (free or cheap) software to convert your CDs and DVDs with applications on them to ISO files.
  • Drivers: c:\Drivers. This has every driver I would need to get my laptop and desktop systems back going again (sound, video, network, disk, etc.)

This collection is enormously helpful if I need to restore them or repair them, or I’m building / re-building a system.

I built a new Windows 7 machine last Thursday and was up and running in 3 hours because I had all my ISOs, keycodes and drivers — all in one place, ready to go.

Thing #8: Test your restore procedure.

This can be really tricky, especially for item #2 (full snapshot backup.)

For laptops, invest in a second hard drive, even if you use it JUST for this test. That’s right. For about $70 or so, you can get, say, this drive:

And then TEST RESTORE from Step #2 onto this drive. MOST laptops can quickly pull out the drive, replace it with this new drive, and allow you to test your restore in full.

Then, when your test is complete, keep using that disk, or swap back to the original. Do this every 3-6 months or so.

For Desktops.. same deal. Get another drive. Get a technical friend to help you if you need to. This procedure IS harder on a desktop than a laptop.

But do TRY to do a similar “full recovery” test. You will be SO GLAD you did this NOW and find problems NOW, as opposed to WHEN the problem occurs and you cannot correct from it anymore.

If you don’t want to do this, at LEAST try to perform test restores of your DATA from your ONLINE service and your external USB-drive extra copies.

For extra credit, try to recover data from ANOTHER COMPUTER, in case yours becomes a smoldering mess or you drop it in a lake or something.

Other advice:

1. If you do just ONE thing on this list, do #5: copy your most critical stuff to cheap external USB disks. You’re a total fool if you do not at this point because USB disks are so cheap, and they work on Macs and PCs.

2. It’s better to do at least ONE of these than NONE of these. I’ve outlined 8 steps here. But if you only want to do one, and do it religiously, it’s better than doing NONE.

3. Don’t count on one method working 100% of the time. That’s why I use three methods and hope ONE of them works when the time comes.

4. Keep it simple. The LESS COMPLICATED your backup and restore procedure is, the better.

5. If all else fails, and you didn’t listen to me AT ALL, and your hard drive dies, and you DON’T KNOW WHAT TO DO Go here:

For a SMALL FORTUNE, they will open your hard drive and try to recover your data.

It’s not surprising that these companies stay in business. Most people do not back up. Will you pay NOW (cheap backup) or LATER (expensive recovery service that doesn’t always work?)

It’s up to you.

That is all.

Good luck.

Dec 2010

Google Chrome-MSI and ADMX files

This is a short and a sweet one. Sort of.

Google has announced an MSI file for deploying their Chrome browser, en masse, to your PCs.


Well, they've got an MSI now. And you can use, say, your favorite software distribution mechanism, like.. oh, gosh, I don't know, the in-the-box-and-widely-under-used Group Policy Software Installation ?

Check out the link here.. Now before you DO, I suggest you read onward.

The trick appears to be that, while the MSI is available to anyone, I'm actually NOT SURE if anyone (everyone) is allowed to use it unless they're a Google Chrome for Business company. I clicked on the link to download the MSI, and saw a huge EULA in front of me. I copied and pasted it into Word (take THAT, Google Docs !) and it was a whopping 13 pages and 6,553 words.


First things first: Item 1.3 in the EULA has a double-word typo, as in “1.3 Your agreement with Google will also include the the terms”. I'm not above typos myself, but then again, I don't have 11 billion lawyers working for me.

Next.. I did try to buzz through the document looking for words like Customer and other such stuff to help me learn what the scoop is. But I really can't tell if I'm allowed to use it. Honestly, this isn't my area of expertise, so I don't have direct advice on whether or not it's legal, quasi-legal, or totally illegal to use this MSI if you're not a Google Chrome for Business member. I guess- I could contact Google Sales, and maybe they'll get a hold of me.

But, if you KNOW the answer, then just email me, and I'll post a follow-up.

Part II of this little story is that there are also ADM and ADMX/ADML files as well. Once you put the ADM, ADMX & ADML files in the right place, you're cookin' with gas and configuring Chrome a-go-go.

The link to THAT is here:

Interesting stuff.

That's it for now.

PS: Learn how to deploy MSI files, upgrade them, manage them, patch them, revoke them and more.  Learn how to manage ADM, ADMX and ADML files and not shoot yourself in the foot or blow up your network.

I still have the <bleep>-ing discount going for my Home Study Course – Silver Kits. Gotta email me for the <bleep>-ing discount code.

Check out my Group Policy training with the Online University here:

Talk soon!