MDM & GP Tips Blog

Jul 2006
21

Issue#19

Newsletter 19: The File Server Migration Toolkit In this issue:

  • It's Issue 19
  • GPanswers.com updates
  • Moskowitz, inc. Technology Takeaway (r)
    • "Deep Dive" into the File Server Migration Toolkit
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
    • Classes and seminars
  • Welcome new sponsors
  • Free Education!
  • Subscribe, unsubscribe, and usage information

This issue, we've got another "big article". It's about the File Server Migration Toolkit. Why should you care? How is it related to Group Policy? Ah the suspense ! So, without further ado!


This Month's Newsletter Sponsored by NetIQ

Learn how to leverage Group Policy’s capabilities to secure and manage your desktop. Moderated by Active Directory guru Jeremy Moskowitz, this information-packed Webcast will show you how business objectives can be paired with Group Policy settings for a more secure and managed environment. Sign up today for the live webcast on July 27th.


GPanswers.com News

Announcing 1-day Advanced Group Policy Course

Have you already taken the two-day or three-day workshop? Are you looking to get "more" of what you already love? Then check out our one-day Advanced Group Policy course. We cover four big topics:    

  • How to create a “totally locked down” workstation
  • How to use Group Policy tools to increase your troubleshooting ability
  • How to zap registry punches down to your client machines with ADM templates and tools
  • How to leverage a test lab for good Group Policy deployment practices

It's a one-day hands-on course. Right now, it's only available as a private class. So, if you want me on site, you can add this on to you two or three day workshop class -- or just have me come by for the day!

New "Rightsizing Tool" for GPanswers.com Training

I'll talk about this a little later in the newsletter. But I haven't always done a good job making it easy to decide which Group Policy class is ideal for each person or organization. Now, online, I have a new “Group Policy ‘Rightsize’ Tool” which helps you decide the best course to take for your situation. Check it out here.

New "At a glance view" of newsletter archives...

People were telling me it was hard to know what was in each previous newsletter. Too much to read to find out. Well, now at www.GPanswers.com/newsletter you'll see an at-a-glance view of all our old archives. Just find the newsletter you want -- and enjoy!

In case you didn't get the memo...

Free gift to anyone who has ever taken a GPanswers two-day or three-day Group Policy workshop (where either James or I was the instructor).

It's about time I said thanks. So, thanks!

Here's the deal: the gift is free, the shipping isn't. Sorry, I'm a small business, and that's the breaks.

Shipping for your free gift is only $5, though.

And if you hate the gift, I’ll cheerfully refund your $5 and you can keep the gift. Really! (I sound like Ron Popeil, don’t I?)

Here's the fine print:

  • Shipping for the gift is a flat $5
  • We can accept Paypal or credit card for shipping
  • US residents only
  • If you can remember, please specify which public class or private class you attended (location and approximate month and year).

Note, that if you like the gift, but have never taken the two-day or three-day class, you can get one for a whole $12 (including shipping). Gifts ship right away.

Technology Takeaway (r), a Service of Moskowitz, inc. -- All About the File Server Migration Toolkit

Admit it. You've got 'em. Windows NT and Windows 2000 file servers that you just can't seem to shake. You know you want to get your file servers updated to Windows 2003/SP1 or Windows 2003/R2. And, we both know why you're not there yet: users are using UNC paths to point to shares on these file servers. And you know that if you move the data from the original servers to the new servers, all those users with UNC paths pointing to those shares are going to call the help desk (then the help desk is going to hunt you down, and you'll have to go into hiding.)

Or how about this sticky Group Policy problem: you got started using Group Policy Software Installation, and serving your installations using one file server. Now you have 50 GPOs deploying applications to your Windows XP and Windows 2000 machines. But, oops! You're ready to turn off that original file server.

But you can't.

Those 50 GPOs are depending on it.

What are you going to do?

A typical environment where files and software are originally being deployed from a Windows 2000 file server and/or Windows NT files is seen below.

gp
Figure 1: You're currently depending on NT 4 and Windows 2000 file servers (aren't you?)

So just turning off these servers isn't an option, and just copying the data to new shares on a new server isn’t an option. So what are you going to do? The good news is that there’s an answer [solution?] to these two tales of woe. Microsoft has a cool tool to help you take control of your old file servers and bring the data into the 21st century—seamlessly.

Enter the File Server Migration Toolkit . . .

    The File Server Migration Toolkit, or FSMT is a free download available here. The FSMT consists of three parts:

  • DFS Consolidation Root Wizard: This is another GUI tool which works some serious magic. It allows you to maintain the original UNC paths of the servers, even if you’re planning on ultimately turning those servers off.
  • DFSconsolidate.exe: This is a command line tool which is called by the DFS Consolidation Wizard. While it’s possible to use this tool on its own, we’re only going to explore its use in conjunction with the DFS Consolidation Root Wizard.
  • File Server Migration Wizard: This is a GUI tool which helps you plan your migration from the source servers to the target servers. Then, it actually performs the copy of the original files to the target destination. We’ll explore this a bit later.

Understanding Our Goals . . .

The first thing to know is where to start. You need to pick a source server (where the files are currently stored) and a target server (where you will migrate the files to). Let’s work through an example to help us understand where we are and where we’re going. Our Before Picture: You can see this in Figure 1. We have an NT 4.0 file server (nt04) with three shares containing user data. We have a Windows 2000 server with one share used to deploy software. Let’s take a closer look at what’s happening in our world. Our Windows XP machine needs access to the following:

    • nt04ntshare1
    • nt04ntshare3
    • w2ksoftware

Our Windows 2000 machine needs access to these servers and shares:

    • w2ksoftware
    • nt04ntshare2

Now, let’s introduce our target file server, fileserver6, whose job it will be to receive these shares and requests.

Our After Picture: The goal is to consolidate these existing shares onto fileserver6 and turn off the Windows 2000 and NT 4 servers. We need to perform this task in a way which preserves the original paths of each of the aforementioned shares. Yes, you read that right. We want to be able to access the data that’s currently on the computers we’re turning off as if they were still turned on. Oh, and of course, you want to make sure security is preserved all along the way.

 gp
Figure 2: Our goal is to turn off the NT 4

and Windows 2000 file servers but allow access to all data using the original server names (even though those computers are off

Here, in Figure 3 we can see our Windows XP machine accessing a directory of files on both nt04ntshare1 and nt04ntshare3 shares. The goal is for this Windows XP machine to continue to perform the same commands, using the same UNC paths after we move the files and turn the original file servers off.

gp 
Figure 3: Here, our Windowx XP machine is viewing files via UNC paths

To get to our promised land, we'll leverage a part of Windows that has been around for a while, but still isn't in widespread use: the Distributed File System, or DFS. DFS's goal is to accept incoming connections and route them to existing shares (this is sometimes called referrals). You might say it's like a "share of other shares" because it allows you to basically "hang" existing shares off a new DFS share, or, more technically the "DFS root". There are two kinds of DFS roots: standard and domain-based (sometimes called an Enterprise root). Standard roots only live on one server. Enterprise roots live at the domain level, which means that they're fault tolerant. If one server that's part of the DFS referrals goes down-no problem-referrals just keep on truckin'. Learn more about DFS (which is substantially different in Windows Server 2003 than in Windows Server 2003 / R2) by reading more at the following link.

Here's the roadmap to get to your destination:

  • You'll determine where you want to stash your new files. In our example we're going to be using fileserver6.demo.com.
  • You'll rename any file servers you plan on permanently retiring. Since you're retiring them anyway, it doesn't really matter much what the name becomes.
  • We'll be renaming our nt04 server to nt04-ret to signify that it's retired. Same goes for w2k to w2k-ret. Then, finally, when we're all done, we'll be turning off this server permanently.
  • We'll use the DFS Root Consolidation Wizard to control basically, "reroute" new incoming requests for the retiring servers (nt04 and w2k) to the new location (fileserver6). Note that I could use two separate servers in my migration example. That is, I could use one server to hold the DFS Roots and another to hold the files. However, to keep things simple, I'll use fileserver6 for both roles.
  • We'll actually move the files we need from the shares on our old servers to our new location on fileserver6.

So let's do it!

Getting Started with the FSMT and DFS Consolidation Wizard

The FSMT comes as a single MSI, but, as we stated has three separate components. The File Server Migration Wizard is meant to be run directly on the target file server. However, the DFS Consolidation Root Wizard and the Dfsconsolidate.exe command-line tool can be run anywhere; you can choose to run these tools on the target server or not.

Note the FSMT documentation makes special note of MSKB article 829885 which talks about a DFS hotfix. The implication is that this hotfix must be loaded upon the target DFS server. However, this hotfix is built into the Windows Server 2003/SP1, and is not needed when the target server is Windows Server 2003/SP1 (in my case fileserver6.) However, the FSMT documentation doesn't tell you one critical step: be sure the DFS service is started and set to Automatic for future restarts.

After the FSMT is loaded, as I mentioned earlier, we must change the name of NT04 server to nt04-ret and the name of w2k to w2k-ret (or something else that's meaningful to you). The reason why we must change the name is so that when clients try to connect to nt04 or w2k neither actually exists anymore. And, we'll be able to fool those incoming requests to nt04 or w2k into shimmying over to the new place on fileserver6.

In my tests, renaming an NT4 server wasn't as easy as I would have liked. Simply renaming it doesn't magically change the name in Active Directory (like it would if I renamed a Windows Server 2003 or Windows XP machine). I had to drop the machine into a workgroup, rename the machine, and rejoin the domain (demo.com.) And, of course, along the way several reboots were required. Finally, I had to delete an orphaned computer account for NT4 using Active Directory Users and Computers. In contrast, renaming the Windows 2000 server was a snap. Just rename and reboot -- easy. No muss, no fuss.

Now that my NT4 server and Windows 2000 servers are renamed, I'm ready to run the DFS Root Consolidation Wizard. The Wizard is pretty straightforward, asking only a minimum of information:

  • DFS root server: This is the location where the DFS root will be held. In DFS terms, this will be a "standard root"-which exists solely on the server you specify. Note that the root cannot be on a Domain Controller. In my example, I'm choosing to put the DFS root on the same server where the files will ultimately go-fileserver6. However, you can create the root on a server cluster if you want to increase the redundancy of the stand-alone root.
  • Local path of the folder: This is the top level directory where you want to store each migrated server. If we were migrating 10 servers, you would expect 10 subdirectories underneath this top level directory containing names of each migrated server. For my examples, I'm choosing the name c:migservers
  • Specify which servers to consolidate (as seen in Figure 4): Here, you'll map the original name to the current name (as seen below.). We're migrating two servers, (original name nt04, current name nt04-ret and original name w2k, current name w2k-ret) so we'll have two mappings in the list.

gp
Figure 4: The "DFS Consolidation Root Wizard" helps you map renamed servers to original names

If the Wizard finishes without errors, you've completed the first big step. Now, before you do anything else - take a moment to pause and check something out: Go back to your Windows XP machine (see first figure) and run those exact same dir commands access the servers and shares nt04ntshare1 and nt04ntshare3. Without rebooting the Windows XP machine (or logging off and back on), note those same dir commands just continue to work! This is because the DFS Root Consolidation Wizard has now mapped nt04 to nt04-ret-so all the shares via UNC paths still work.

And, let's take a quick second to see what really happened in the c:migservers folder on fileserver6. Below, you can see it created two subdirectories, which are each shared, and which contain another subdirectory of each server's original share.

 gp
Figure 5: The DFS Consolidation Root Wizard created a new share representing the old server

However, using Explorer locally and drilling down to one of the directories, say, ntshare1, will get you an error. This is because a DFS link only points to the right (new) location when using a remote referral (not a local one). Also note that each server is now represented by a share, #servername, such as #NT04, seen above. This was created by the DFS Consolidation Wizard.

It is possible to use the DFS Consolidation Wizard if your shares are on Domain Controllers. However, the same rule applies for Domain Controllers as for regular file servers. That is, the server (Domain Controller) must also be renamed. And unfortunately this can be a pain in the neck. Microsoft does have some Domain Controller renaming guidance:

  • For NT 4.0 Domain Controllers, see MSKB 150298
  • For Windows 2000 Domain Controllers, see MSKB 296592
  • And, even though it's easier still with Windows Server 2003, there's some guidance at MSKB 325354.

There is one piece of magic that the DFS Consolidation Wizard cannot directly help with, and that is if you already have hard coded, persistent mappings. Meaning that if someone has used the /persistent flag while using the net use command to map a drive letter (or the corresponding Explorer commands) those mappings will now fail. But if you're using log in scripts to map the drive letters each and every time a user logs in-no problem! This is because every time a request goes to the old server name, a new lookup to the DFS is generated and routed appropriately.

Actually Migrating the files

  To actually migrate the files, you create a project contained within the File Server Migration Wizard (FSMW), which appears as an icon on the start menu. The beginning steps are rather straightforward: create a new project, point the File Server Migration Wizard toward the new DFS consolidation point you created earlier (fileserver6), and watch it recognize the servers, as seen in Figure 6.

gp 
Figure 6: The File Migration Wizard should recognize your servers after you consolidate them using the DFS Consolidation Wizard

Then, you can tell the FSMW which directory you want to plunk the new files in. I chose a new directory on fileserver6 called c:migfiles.

A quick note on what is and is not copied. Of course the files themselves are copied. But the FSMW also copies both NTFS and shared folder permissions. What aren't copied are references to local groups. If local groups have permissions on the source's shared folders, you can use the Resource Kit tool SubInACL.exe to adjust the permissions before or after the migration to replace the local groups, or you can use a local group migration tool like the Active Directory Migration Tool (located here ).

When the project is formed, you then have the ability to make any micro-adjustments you might need (as seen in the circled area on the right of Figure 7). For instance, you might want to put the contents of ntshare1 in a directory named "Sales stuff" instead of ntshare1. This might boggle the minds of your users, but you may have a valid reason.

gp
Figure 7: You can change settings for each share if desired, then click Continue to step through the rest of the Migration.

Finally, you can just step through the rest of the process by clicking on the Continue button, circled above at the bottom of Figure 7. The process is painless, but could take a (long) while depending on just how many servers you are consolidating. For lots and lots of servers, consider breaking up the effort into multiple "projects" to allow for some settling-in time and attention to errors. If there are errors during the copying you'll have the ability to fix the errors and retry. A nice touch is that the target servers are still available during the copying phase. In other words, there's no server downtime from the copying of files from the source server to the target server. Additionally, because it's possible to repeat this phase multiple times to fix errors, another nice touch is that only failed copy attempts are retried. You don't need to copy the whole universe again if you've already copied 90% of it.

The last phase is called Finalize. This phase should really only be done when users won't be accessing the servers. That's because in this phase, you'll disable any original access to the source shares and close any open connections. Additionally, all other project settings are locked.

At this point, you're ready for your final test. Unplug the network connections from the original servers. Then, like we did with our Windows XP machine, make sure you can get to the copied servers using the original UNC path names.

Once you're satisfied that you can get to the copied data using the original UNC paths, you can turn off your old servers, recycle them, reformat them and redeploy them for another purpose, or make a fish tank out of them (or any another arts and crafts project you'd like).

The Future of the File Server Migration TOOLKIT?

The FMST is a great tool which gets the job done. However, there are some small nitpicky points that I’d love to see addressed going forward.

As stated, the FSMT uses what’s called “stand-alone” DFS roots to do the job. In other words, it puts the DFS root on one specific server. Sure, in my example, I used fileserver6 for both the storage of the standalone DFS root as well as the ultimate storage point for my migrated files. However, I could have also split the duty between file servers. That is, one server could house the DFS root, and another server could have held the data. So, what would happen today if that server holding the DFS root went offline? That would be a major problem, because there would be no way to route to the new file server(s). The ideal solution would be to use the more powerful domain-based roots which are fault-tolerant. Then if the one server holding the DFS roots should fail, the fault-tolerant nature of domain-based DFS would kick in. Today, FSMW doesn’t use domain-based, fault-tolerant roots, but I really wish it did. Again, as I mentioned earlier, a workaround would be to put the standalone root on a set of clustered servers. If one server went down, referrals would continue. The FSMT product team tells me that all parts of FSMT are fully cluster aware and compatible: it will create cluster consolidation DFS roots and add cluster names instead of DNS aliases if roots are hosted on cluster. So – nice touch.

Another problem is that you simply must rename the servers to do any of the redirecting magic. I would love to keep the server, name intact, and just redirect a specific share. This would allow me to keep using the server for whatever else it’s doing, but just migrate the specific shares I want to. To do this, we would need symbolic links within the original share that would route us to the new goal. But right now, Windows Server 2003 isn’t quite there. Perhaps with Longhorn server.  

The last note here is that you’re not actually forced to turn off servers you’ve migrated from. You can, if you so choose, keep the server online performing other roles. The problem is that it might be a challenge having other network services and clients find the newly renamed machine. DFS is some pretty strong magic, but it’s only for files; lots of other services won’t be able to magically find the newly renamed server.  

The FSMT is a cool tool, which works as advertised. And the price is right—free. It should be noted that as good as the tool is, it’s not meant to be a permanent solution. The help file notes that these consolidated DFS roots shouldn’t be maintained forever. The idea is that over time you’ll properly design your DFS, point users toward the new, updated structure, and then phase out the roots you created with the DFS Consolidation Wizard.  

Hopefully this will get you out of some tough jams, and into your 21st century file servers. Other FSMT resources:

  • Newsgroup support
    • You can use the microsoft.public.windows.server.migration newsgroup to ask questions about the File Server Migration Toolkit.
  • The FSMT Solutions accelerator (additional guidance)

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here. Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course. (It's true!)

And, historically, I haven’t done such a hot job in making it obvious what your available options are for public and private training. So, here’s the executive summary. Online, we have a new “Group Policy ‘Rightsize’ Tool” which helps you decide the best course to take for your situation.

Two-day intensive Group Policy workshop class

  • This course is best for Domain Administrators and qualified OU administrators.
  • This course has “intensive” in the name, so be prepared to work and learn!
  • This class is available as a private two-day course.
  • This class is available as a public two-day course.
  • Consider adding the One-Day Advanced course (below) as a third-day (if taking as a private two-day)

Three-day “Less Intensive” Active Directory warm-up and Group Policy workshop class

  • This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions.
  • Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.
  • This class caters more to OU administrators (than Domain Administrators)
  • This "Three-day less-intensive" course is ONLY available as a private course.
  • Consider adding the One-Day Advanced course (below) as a fourth day

One-day Group Policy “advanced” class

  • This class is a great “add-on” after your two-day or three-day Group Policy class. We cover four big concepts in this class:
    • How to create a “totally locked down” workstation
    • How to use Group Policy tools to increase your troubleshooting ability
    • How to zap registry punches down to your client machines with ADM templates and tools
    • How to leverage a test lab for good Group Policy deployment practices
  • This class is only available as a private course. Consider adding it to your two-day or three-day private course as an additional day.
  • It is suggested (though not required) that students attend either the two-day intensive or three-day less-intensive Group Policy workshop classes before this one.

Upcoming Classes, Appearances and Conferences

Public Two-Day Workshops for the Remainder of 2006:

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Free Education with Moskowitz / Microsoft / Techtarget / Dell Roadshow

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools! Did I mention this is 19 cities?? So, there’s a good chance we’ll be near you soon! Check it out and sign up here.

Upcoming Conferences

  • TechMentor: Sep 25-29 in Las Vegas. I'll be speaking on Win/Lin integration topics. All sorts of other good stuff. Check it out here. Use promotion code 'moskowitz' when signing up.
  • WinConnections: Nov 6-9 in Las Vegas. I'll be doing a pre-con on Group Policy, then some regular sessions on locking down computers, some awesome tips on Group Policy tools, and how to integrate Windows and Linux into Active Directory. Check it outhere.

Welcome New Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before! Recently we've added:

  • NetIQ: Group Policy Administrator
  • Smartline: Devicelock

So, head on over to the Solutions Guide and see what other goodies are available!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistantMark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jun 2006
09

Issue#18

Newsletter 18: Grab Bag and Major Announcements In this issue:

  • It's Issue 18
  • Free Giveaway!
  • Moskowitz, inc. Technology Takeaway (r)
    • Three juicy tips
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
    • Classes and seminars
  • Free Education!
  • Welcome Mark!
  • Subscribe, unsubscribe, and usage information

This month, there’s a lot of stuff to talk about. (This is where you ask me, “Jeremy, in which month isn’t there a lot of stuff to talk about?”) Last month, I asked you which newsletter format you liked most: small tips, one large tip, or a mix. The mix wins it! So, since I’ve had several “one large tip” emails in the last few newsletters, this one is a gaggle of small tips. Gotta mix it up.

Quick TechEd Notes

A quick note for those of you who are going to TechEd: I'll be speaking on Windows & Linux Integration (session SVR211), Monday 1.30 PM in Room "156 ABC". Hope to see you there! Even though I'm not speaking on Group Policy stuff, doesn't mean there aren't some great talks! Be sure to check out the following GP related talks:

  • Mark Williams (GP Team @ Microsoft):
    • MGT310 Group Policy: What's New in Windows Vista Wednesday, June 14 2:00 PM - 3:15 PM, 210 ABC
    • MGT310R Group Policy: What's New in Windows Vista (Repeat Session) Friday, June 16 1:00 PM - 2:15 PM, 259 AB
  • Emily Hill, George Roussos
    • CLITLC09 Group Policies in Windows Vista to Control Devices and Drivers Friday, June 16 2:45 PM - 4:00 PM, CLI/MGT/SEC/SVR Theater 2
  • Derek Melber (DesktopStandard and all-around smart GPO-meister):
    • MGT425 Troubleshooting Group Policy Friday, June 16 10:45 AM - 12:00 PM, Grand Ballroom A

So, without further ado!


This Month's Newsletter Sponsored by Centrify

Now you can use Group Policy to manage Mac desktops just as you do Windows.

Centrify DirectControl not only delivers Active Directory-based single sign-on and access control for Mac OS X, but it is also the only solution that enables IT managers to centrally secure and configure Macs via Group Policy. Use GP to require screensaver password locks, lock down system sharing and firewall preferences, and centrally configure other security settings. Request an evaluation of DirectControl for Mac OS X today.


 

Announcement From the Better Late Than Never/Use Your Manners Department:

Free gift to anyone who has ever taken a GPanswers two-day or three-day Group Policy workshop (where either James or I was the instructor).

It’s about time I said thanks. So, thanks!

Here’s the deal: the gift is free, the shipping isn’t. Sorry, I’m a small business, and that’s the breaks.

Shipping for your free gift is only $5, though.

And if you hate the gift, I’ll cheerfully refund your $5 and you can keep the gift. Really! (I sound like Ron Popeil, don’t I?) Here’s the fine print:

  • Shipping for the gift is a flat $5
  • We can accept Paypal or credit card for shipping
  • US residents only
  • If you can remember, please specify which public class or private class you attended (location and approximate month and year).

Note, that if you like the gift, but have never taken the two-day or three-day class, you can get one for a whole $12 (including shipping).

It may take a little while for you to get the gifts (like a week or two.. but rest assured, they'll get there.)  

Technology Takeaway (r), a Service of Moskowitz, inc.

Tip 1: How to troubleshoot a machine that claims it cannot find a Domain Controller.

(This tip comes to us courtesy of Dan Home from Intelliem.com.) Two computers out of the 1000+ systems in our central site had these “Event 1054” errors. Unfortunately, these two systems were mission-critical systems. And, most interesting of all, there were NO OTHER VAGUELY RELATED ERRORS OF ANY KIND, visible or logged, on these systems. They just weren’t getting policy [“getting policy” ok terminology?] correctly (everything else was fine).

I said to myself, “Self, if they’re having these errors there must be something insidious going on.”

Here is a screenshot of the 1054 error on the machine:

gp After MUCH back-and-forth testing, we discovered the source of the problem: LINK NEGOTIATION! The switch between these systems and the DCs had one tiny little misconfiguration, and these particular systems weren’t “discovering” quickly enough what kind of network link they should have. So, in a final test, I hard-coded the NICs to 100/Full.

And the errors vanished like . . . well, something that vanishes.

Thanks again Dan Holme from Intelliem.com for this cool, simple troubleshooting tip!!

Tip 2: How do I get MMC 3.0 functionality on my Windows XP machine?

Last month, you read about how to control printers using GPOs. And we did so using Windows 2003/R2’s new Print Management Console. You might have noticed that it had a different look and feel to it. That new look and feel is the MMC 3.0 (as opposed to MMC 2.0) which can be seen in this screenshot.

gp
(Click on image for a larger view)

Since you likely control your Active Directory universe from an Windows XP machine (and not a Windows 2003/R2 machine) you might want to step-up to the MMC 3.0 look and feel on your Windows XP machine. Here’s how we do it:

  • Ensure that your Windows XP machine has SP2 installed.
  • Get the MMC 3.0 interface (one for 32-bit Windows XP and one for 64-bit Windows XP)
  • Enable the MMC 3.0

We’ll assume you already have Windows XP / SP2. Now, to get the 32-bit version of MMC 3.0, click here. To get the 64-bit version of MMC 3.0, click here: . Note that it seems as if 64-bit Windows XP systems get “second class citizen” status here, as there doesn’t seem to be a “final” version of the code, rather, that link for 64-bit Windows XP MMC 3.0 seems only to be Release Candidate 1.

Update: You can now download from Microsoft a copy of MMC 3.0 for XP x64 and MMC 3.0 for 2003 sp1 as well as 2003 x64 and ia64 Finally, once installed on your Windows XP machine, edit the registry to add a new key.

  1. Navigate to HKEY_LOCAL_MACHINE | SOFTWARE | Microsoft | MMC.
  2. From the Edit menu, select New, Key. (Yes, ‘key’, not value)
  3. Enter “UseNewUI”.

Note that the new Action pane seems to be available regardless of whether the setting is performed or not. However, the new “Add/Remove Snap-ins” is definitely different once you perform the setting, as seen below. gp (Click on image for a larger view) You may not see much “new stuff” while you’re inside your console (such as when you’re inside the “Actions” pane.) That’s because each snap-in needs to specifically take advantage of MMC 3.0 goodies.

Tip 3: Ready for Vista?

  While not specifically a Group Policy–related tip, I thought y’all would find this interesting. You can do a quick “health check” on your existing hardware (running Windows XP) and figure out if it’s a good candidate to put Windows Vista on it.

Just trot on out to the machine in question, and click here.

You’ll get asked a handful of questions about what you want to DO with Windows Vista. Then, out pops a suggestion about which version of Vista you should get and which areas need attention. You’ll get an HTML report (IE-readable-only, of course) that tells you which features are A-OK and which might not work. You also get a report about the drivers on your current machine and how they’ll fare with Vista (see second screenshot below).

 gp

 gp
(Click on image for a larger view)

Note that some items are peripherals (like my Brother MFC-3220C printer), but some are built into the machine (like the SigmaTel C-Major Audio device.) Let’s hope all these drivers are available by Vista showtime.  

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Now Available: Private GP Course in "Less-Intensive" Format

Everyone knows the two-day Group Policy course is really three days of material packed into two intensive days. However, some customers have asked for a less intensive format.

Your wish has been granted!

This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.

This "three-day less-intensive" option is ONLY available as a private course. Note, the "two-day intensive" option is available as either a private or a public course. Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy intensive training and workshop. Students LOVE the class, and managers LOVE the results.

You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.

Public Two-Day Workshops for the Remainder of 2006:

Because I got invited to do a 19-city roadshow with TechTarget and Microsoft (see next section) I had to move around some of my class dates.
July 11–12: Denver, CO
July 25-26 (changed dates): Austin, TX (by popular demand!)
Aug 23–24: Phoenix, AZ
Sep 25–26 (changed dates): Seattle, WA
Oct 31–Nov 1 (changed dates): Portland, OR

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.  

Free Education!

I’m honored to announce that I’m working with two pairs of vendors to get you free stuff in the upcoming year starting in June! (Y’all know how much I love free stuff!)

Announcement #1:

Jeremy Moskowitz and NetIQ + FullArmor team up to bring you, over the next year or so, some webinars, whitepapers, and roadshow opportunities. Here, you’ll see me outline some of the difficulties that administrators have when working with the native Group Policy toolkit. Then, NetIQ + FullArmor will talk about how their products fill in those gaps ! I’ll keep you posted with mini-updates via “un-newsletters” when a webinar or roadshow date is approaching.

Announcement #2:

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools! Did I mention this is 19 cities?? So, there’s a good chance we’ll be near you soon! First two cities are Charlotte, NC (June 27, 2006) and Atlanta, GA (June 28, 2006).

The best two places to see the city list will be my web site calendar (which runs along the right-hand side), and also here, the official TechTarget/Microsoft web site. Dates will be added when confirmed. Hope to see you there!  

Welcome Mark, my new assistant!

Also, a big welcome to my new assistant. His name is Mark, and he can be reached at [email protected]. He can help you get signed up for a class, get you a case of books, or troubleshoot a gift order. He’d love to get a welcome email from you! However, please don’t send Mark any technical questions. Post those to GPanswers.com/community.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Mark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Apr 2006
25

Issue#17

In this issue:

  • Your opinion please!
  • Windows 2003/R2 Printer Magic
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Now Available: Private GP Course in "Less Intensive" format
  • Public Group Policy Intensive Training and Workshop Schedule Update
  • Subscribe, Unsubscribe, and Usage Information

It's all about more control, baby

This Newsletter’s “big topic” is printers, and deploying them via Group Policy. But, before I talk about that, I have to ask you folks a thing or two.

Thing #1:

  • Do you like these newsletters with one big topic in them?

or

  • Do you like the original format with lots of little questions and lots of little answers?

Send your one word vote of BIG or LITTLE to [email protected]. Or, if you have more than one word to say, you can do that too.

Thing #2:

Want to be famous? I’m working on a project which highlights “creative uses” for Group Policy. So, if you think you’ve got a special implementation using Group Policy—I want to hear about it. For instance, one company I know uses Group Policy to lock down PCs as cash-registers. That’s cool! Another company I know wrote some sweet custom scripts to automate their entire Group Policy universe. Wow! That’s the kind of stuff I want to hear! Or, do you have a special “process” behind your Group Policy that goes beyond the “in the box” delegation? Anything neat or cool—special implementations are what I’m looking for. And, like I said, you can have your name in lights (if you so choose).

Give me a paragraph or two on your cool implementation, and what you’re doing that makes your organization unique. Send to[email protected] with a subject line of SPECIAL.

Now, on with the show!

Be sure to read through to the end. I’ve got a gaggle of new dates and cities for the public Group Policy course for the rest of 2006.


Newsletter Sponsored by: DesktopStandard

Provide all of your Windows 2000, XP and Windows 2003 end-users easy access to the correct printers via Group Policy, today!

Configuring printers is one of the essential desktop management tasks for which there is no built-in Windows solution. DesktopStandard's PolicyMaker Standard Edition solves this issue and many others. It includes both Shared Printer policy and TCP/IP Printer policy for managing printer connections. Standard location-based filters allow targeting of print connections so that jobs can automatically print to the most appropriate printer based on where the computer is located.

Click the link to learn more: PolicyMaker Standard Edition


Windows 2003/R2 Printer Magic

Let me guess what one of your biggest headaches is.

Printers.

Yes, it’s that “little thing we don’t like talking about much.” But, it’s been on my mind lately, so let’s figure out how we can “Do more with Group Policy!”

Are you one of Microsoft’s customers who is implementing Windows 2003/R2?

Or, are you one of Microsoft’s customers who just read the above line and is saying to themselves, “What the heck is Windows 2003/R2?”

Windows 2003/R2 can almost be thought of as “Windows Server 2006.” But that’s not what it’s called. It’s Windows 2003/R2. To use “R2” you need to load it upon a Windows 2003 Server with SP1. Then you load the R2 bits, and voila! You’ve got an R2 machine!

R2 has an armload of neat-o new features. And if you’re interested in reading about all the neat-o features it has, read here.

But only one of those features has any Group Policy-related goodness. But, oh friends, it is very good!

It’s the Print Management Component—a new add-in that R2 brings to the table. The Print Management component does a LOT of keen-o-rific stuff, like centrally manage almost all aspects of all of the printers on your Windows network. What’s not to like about that? And even better, it brings an extra superpower to the table: the ability to deploy printers to users or computers via Group Policy.

ZAAAP! You can just “beam” printers down to your mere mortals.

That’s right. You can now say “Whenever Sally moves from XPPRO1 to XPPRO12, she keeps her printer mappings.” Or, you can now say: “Whoever sits down at XPPRO5 will get the same printer settings.”

The god-like power you have using Group Policy is truly compelling!

Keen readers of my Group Policy book will note I had a tip (on pages 139-140 of the 3rd edition) about using loopback policy to perform the same idea. That is, by sitting down at any given machine you can dictate the printers. Now, finally, it’s part of the operating system.

Getting ready to perform the magic

Before we can get started with the Print Management Components, we need to perform several steps:

1. Update our Windows 2003 schema to Windows 2003/R2 schema

2a. If we want to use our Windows 2003 server as the place where we perform our printer management, we need to load the Print Management Component on our Windows 2003 machine.
 -or-
2b. If we want to use an Windows XP machine as the place where we perform our printer management, we need to load the Adminpak for R2 tools on our management station.

Updating the schema and installing R2

Updating the schema is likely the hardest part of the job, because you’ll need approval from your Active Directory big-wigs that this is an OK procedure to do. Once you have approval, this operation is best performed directly upon the Schema Master in your domain.

The reason for the schema upgrade is that to-printer connection objects get a new “fast query” lookup via LDAP in Active Directory. This way, the Print Management Console (which we’ll explore in a bit) doesn’t have to inspect every GPO in the domain to figure out where printers are currently deployed.

Just pop in the R2 media. You are then presented with the option to “Continue Windows Server 2003 R2 Setup.” If you click that, however, you get the message seen below.

 gp

 gp
Figure 1: In order to upgrade Windows 2003 to R2, the schema must be upgraded. (Click image for larger view)

The dialog box says it all. In short, you need to run the command adprep /forestprep which is located in the R2 CD-ROM in the cmpnentsr2adprep directory.

 gp
Figure 2: Once you press ‘C’ to continue, your schema will be upgraded to the R2 schema.(Click image for larger view)

From here, we’ll assume you want to test drive this on your Windows 2003 Server and upgrade it to R2. We’ll also assume that you want to manage your printers from there (as opposed to an Windows XP management station).

Once the schema update has been performed, you can then run the “R2Auto.exe” on the root of the R2 CD-ROM and select to “Continue Windows Server 2003 R2 Setup.” At this point, you may be informed that you have a service pack installed (and continuing will prevent any possibility of uninstalling it). Select “Yes.” Once you do, you’ll be at the “R2 Setup Wizard.” The Wizard is self-explanatory.  

Installing the Print Management Components

Next on the docket is loading the Print Management Component. Again, this is a comprehensive tool which allows you to manage many facets of your printer universe. To load the Print Management Component, go to Add/Remove Programs | Windows Components | Management and Monitoring tools and select Print Management Component, as seen below.

 gp
Figure 3: You can load the Print Management Console components into a Windows 2003/R2 server.

Note that next time the (annoying) Configure Your Server Wizard appears, you’ll see that it’s been installed as seen here:

 gp
Figure 4: The Configure Your Server Wizard now has a new option. (Click image for larger view)

Now that the Print Management Components are loaded, you’re ready to deploy printers to either your users or your computers. You can do this “by hand” using the regular Group Policy editor snap-in, or using the tools provided in the Print Management console.

Deploying printers using GPOs

Let’s deploy printers by hand first using the Group Policy editor, then we’ll move on to the Print Management console.  

First step: Define Deployed Printers

To zap a printer down to your users or computers, you start out by creating a GPO and linking it to an OU containing either users or computers. Say, the Sales Users OU.

When you edit your next GPO, you’ll see a “Deployed Printers” node in both the computer and user half of the GPO along with a new Action called “Deploy Printer” in the Action menu as seen below.

 gp
Figure 5: You’ll be able to manage printers directly within the Group Policy Object editor (Click image for larger view)

Note that if you don’t see the “Deployed Printers node”, it’s likely that you don’t have the updated Adminpak tools on your management station (the computer from which you’re editing this GPO). To get the latest tools, get the R2 Adminpak here. Note that it isn’t “one big .msi” like Adminpak.msi. Rather this is a collection of smaller files for specific updated components like the Print Console.

Once you select User Configuration | Deployed Printers | Deploy Printers (as seen in Figure 5 ) or Computer Configuration | Deployed Printers | Deploy Printers, you’ll be ready to blast new printer assignments down. Just type serverprinter into the “Enter printer name” dialog (shown below), click Add, and you’re done.

gp
Figure 6: Enter the UNC path of the printer you want to push. (Click image for larger view)

Or are you? Here’s where the going gets tough. That is, just when you think you’ve got it super-easy, you need to go the last mile of this journey manually. All you’ve done right now is define which printer the folks affected by this GPO should get. But now you need to actually tell them to get it. That trick is done through a little executable program that you have to kick off via Login script (for printers assigned to users) or Startup script (for printers assigned to computers).

Second Step: Assign the PushPrinterConnections executable

The “moving part” to make the printer assignment is a little .exe called pushprinterconnections.exe. If you’re deploying printers to users, the .exe needs to be run in the user’s Login Script. If you’re deploying printers to computers, it needs to be run in the computer’s Startup Script.

The pushprinterconnections.exe gets placed on your R2 server in the windowsPMCSnap directory along with some other bits associated with the Print Management console (which we’ll talk about in a minute). You can see that here.

 gp
Figure 7: You’ll need to copy the pushprinterconnections.exe to each GPO’s script container. (Click image for larger view)

The key point is that the location where it starts out isn’t the location where you need to run it from. Your job is to take the file and plunk it directly into the GPO itself. Here are the rough steps to do this:

  1. While editing the GPO, drill down to the script type (User Login, or Computer Startup).
  2. Click the Show Files button.
  3. Copy the pushprinterconnections.exe into the window that opens up.
  4. Back at the properties of the script, click Add, locate and select the pushprinterconnections.exe file.
  5. Click OK

gp
Figure 8: Call the pushprinterconnections.exe from directly within the scripts portion of the GPO. (Click image for larger view)

Note: If you want to enable troubleshooting logging information, type –log in the Script Parameters box. A per-user debug log file will be written to %temp%. A per-machine debug log will be written to %windir%temp. (Note that these are totally different directories.) It’s worth noting that you shouldn’t use the –log parameter in a production environment—you wouldn’t want the utility filling up your client machine hard disks with megabytes of log files.

A quick “future looking” note about Vista. This utility isn’t required for Vista. The ability to push down printer connections is built in.

So, the first thing that PushPrinterConnections.exe does when you run it is to check if it is running on Windows Vista. If it is running on a Vista machine, the utility exits without doing anything. So network administrators don’t have to worry if they accidentally push out the pushprinterconnections.exe utility down to Windows Vista clients.

The results!

At this point, you should see goodness when you log in as the user or restart the computer. Note that these printers won’t “change” during background refresh after you’re already logged in. That’s because the pushprinterconnections.exe only runs at login or startup.

gp
Figure 9: Success on an Windows XP machine! (Click image for larger view)

The easier way to do it (sort of)

We just deployed printers to our users or computers by hand using the Group Policy editor. However, there’s an alternate method: using the Print Management Console. The Print Management Console gives a “one stop shop view” of printers deployed via GPOs. In this list, you can see each of my printers (HPLaser1 and HPLaser2) and which GPOs they’re being dictated in, and which side—user or computer—is being forced.

 gp
Figure 10: The Deployed Printers node in the Print Management Console “hunts down” GPOs which are using the Deployed Printers feature. (Click image for larger view) However, the Print Management Console has another trick up its sleeve: the ability to zap printers directly by creating GPOs of its own.

Using the Print Management Console, just drill down to Print Management | Custom Printer Filters | All Printers, locate the printer you want to zap down to a computer or user, and select “Deploy with Group Policy”, as shown below.

 gp
Figure 11: You can see any printer in the Print Management Console and zap it down using Group Policy. (Click image for larger view) With no disrespect to the designers of R2, this is where it starts to get a little bit difficult to work with. It starts out innocently enough as you can see in the “Deploy with Group Policy” dialog box below.

gp
Figure 12: The interface for deploying printers via GPOs using the Print Management Console. (Click image for larger view)

The interface from here on out is, well, almost a throwback to pre-GPMC days…and we all hated those days. But that’s the interface we have here after we perform our next step.

The idea here is to click Browse and either find a GPO you happen to know is linked to a Site, Domain, or OU (because, of course, you have that memorized) or drill down into an OU and choose to create a new GPO that’s linked to the level you drilled down to. You can see this in Figure 13.

gp
Figure 13: Click to create a new GPO to affect your target OU. (Click image for larger view)

And, of course, you all knew that an icon of two people with a little star over their heads means “Create a new GPO and link it here.” Right? (Maybe not.) Thankfully, the tooltip tells the tale of the inexplicable icon.

Once you’ve created the GPO and linked it, it’s time to deploy the printer. Here you select which side of the house you want to deploy to: users, computers, or both. In my case, I’m deploying to Nurse Users, so I’m choosing users.

Now, here’s where you gotta stay with me—so I’ve numbered the steps like a “follow the bouncing ball.” Before I reveal these steps, I want to confess that I tried this procedure no less than 5 times before I finally figured it out.

 gp
Figure 14: Steps to deploy a printer using this dialog. (Click image for larger view)

Why did I go though the painstaking trouble to number the steps and show you exactly where to click? Because the procedure is to:

  1. Choose the user and/or computer side of things.
  2. Click the Add button.
  3. Then click OK

In short, I kept missing the ADD button and was driving myself completely nuts! I think I was missing it because “Add” is ever-so-slightly higher in the dialog than the checkboxes, and my brain thought “Why would I need to click here? I should just click OK and be done.” But my brain was wrong. Learn from my brain.

Here’s the trick: Deploying printers via the Print Management Console doesn’t do 100% of the required steps. That is, while it puts the printer in place in the Deployed Printers node, it doesn’t jam the pushprinterconnections.exe into the Logon Script or Startup Script. this means you have to go back in, via the GPMC, edit the GPO, and jam in the pushprinterconnections.exe (basically, what I showed you in the first part of the article). Frustrating? A little, but now you know what you have to do!

If I’m missing something here, dear readers, don’t be shy. It’s a mystery to me why this whiz-bang Print Management console only does half the job while using the “Deploy with Group Policy” feature.

Final thoughts

Clearly, this ability to zap printers down to either users or computers is a nice leap forward. But, the bad news is subtle: That is, this new magic isn’t built on the client-side extension goodness that IS Group Policy. Rather, this is a little hack that Microsoft put together to zap printers down to users. What I’d like to see is the ability for users to get a changed GPO, and have the printers change on the fly with the background refresh interval. It’s not there yet, but appears to be coming soon with Vista.

One more note about all this before we move on:

  • Windows 2000 machines only support per-user printer connections.
  • Windows XP or Windows 2003 support per-user or per-computer printer connections.

Finally, if you want to learn more about the Print Management Console for the other goodies it brings to the table, be sure to read the “Print Management Step-by-Step Guide for Windows Server 2003 R2” found here.  

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

  Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)  

Now Available: Private GP Course in "Less Intensive" format

Everyone knows the two-day Group Policy course is really three days of material packed into two intensive days. However, some customers have asked for a "Less Intensive" format.

Your wish has been granted!

This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.

This "three-day Less Intensive" option is ONLY available as a private course. Note, the "two-day intensive" option is available as either a private or a public course.

Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes for remainder of 2006:

  June 7–8: Austin, TX (by popular demand!)
July 11–12: Denver, CO
Aug 23–24: Phoenix, AZ
Oct 24–25: Portland, OR
Nov 21–22: Seattle, WA

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Here's a testimonial from someone at a major upscale jewelry retailer who said his knowledge of Group Policy helped him and his SMS team be more efficient all around.

Jeremy, We actually use the SMS+ZTI (Zero Touch Installation) scripts you talked about in your last two newsletters. For us, we could only be successful with SMS+ZTI in conjunction with Group Policy settings -- a lot of which you taught. I made a Staging OU and redirected all new systems which get added to the domain to this new OU. The GPOs for this OU are quite restrictive. It makes the machine basically unusable. Heck, I make sure they’re presented with POPUPS which instruct users to call the help center if they get the popup message. This forces our deployment team to move the machine to a correctly managed OU. Some additional things that have accomplished via Group Policy since your class:
  • Our new laptops come with Wireless cards. But, I needed to make sure they are initially disabled. Then, only turned on for the “right” people -- if you know what I mean. I created a wireless access GPO that disables the wireless service from starting (and removed administrators from enabling it as some extra protection.) I also used a technique in your class to guarantee who gets Wireless turned on, and who doesn’t. So now when we want to enable the access it’s just a quick change!
  • I set up Restricted Groups for different OU’s. This helped with Sarbanes Oxley’s local admin requirements. Using a MOF through SMS we now report who has local admin rights.
  • We implemented Microsoft Live Communicator – through Group Policy we restrict the settings.
So yes, your class was very helpful in getting me on my way. I can only hope it helped other administrators “see the light” like I did! Thanks, Jeremy!

Sponsor Update

At GPanswers.com, we want to welcome the following sponsors to the Solutions Guide:

  • FullArmor Corporation
  • Smartline, inc.

Be sure to check out their cool tools and all other vendor's tools at the Solutions Guide.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Jon at: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Mar 2006
28

Issue#16

Why is this follow-up newsletter needed?

I want to thank you all for your comments and observations about my "Newsletter 15" rant. Some of you opted to post in my community forum, and there are some nice comments there. Others posted "side discussions" on, say, the SMS lists.

(PS: This whole newsletter update is being posted to the GPanswers.com newsletter folks and the SMS-list folks.)

I've spent the extra "quality time" getting to know the BDD a bit better. I'm ready to put this whole thing to bed, and I'm grateful for the insights everyone has brought to the table.

Again, if you have comments, my preferred way to handle them is via the Community forum. Or, if you're getting this on the SMS-list, then, feel free to post there too.

Special thanks to the BDD team (Michael Niehaus) for making contact to help me get to the bottom of some of my questions, as well as key members of the SMS-list (Rod Trent and Todd Hemsell) who chose to reach out to help everyone better understand why this is important to them.

Thanks, all.

PS: If you wish to respond, please do not email me about this topic. If you want to participate, please post herehttp://tinyurl.com/htaxw on my community forum.  

Findings

Ultimately, here are my findings after seriously going through the BDD materials. (Yes, true, I went thru them semi-seriously before. But this pass was even more so.)

Indeed, I found some videos of the whole process here and watched every single one and I suggest anyone interested in learning this better also watch them.

Warning: Whomever is giving the talk is clearly just READING from a script. And, hence, it's a little easy to "tune out" even though the information is quite good. With all that re-exploring, here is the Reader's Digest version on my findings:

About BDD/Standard

I seem to have been correct that the BDD, at the end of the day, deploys "Ghost-style monolithic images." These images are based on an "assisted scripted process" which helps wrap up all the steps (including hardware-specifics and timed reboots into the process.)

But in the words of the BDD team in a personal email: "In the end, this is captured as an image."

I think, in the end analysis, this is the big dealbreaker for me.

Let's say I change hardware. Or add something that requires another step.

Sure, I can go BACK and tweak my script to then create ANOTHER Ghost-style image. But that seems like more work to me. And now I've got different images running around.

Not that the BDD team or Microsoft needs my advice, but here it is: Take a hard-line stand, and support ONE method.

And that method should be a 100% automated, scripted install.

Here's why: People who already use Ghost-style tools already USE those tools without the process and guidance the BDD offers. And, the manufacturer of those Ghost-style tools should provide any process around them -- Microsoft shouldn't.

I don't think folks already using Ghost-style tools would necessarily jump ship over to BDD. I do think the BDD team could attract more flies by answering the problem of "How can I build a glorious, sexy scripted install that works on ALL my hardware, even if my hardware changes a lot?"

While it has a lot of excellent prescriptive guidance, I would be surprised to learn that many, many people use the BDD/Standard edition.

The BDD team has expressed that they do not assume AD is in place with the BDD/Standard edition. Therefore, none of the process involves any use of GPOs or scripts with GPOs. My suggestion to the BDD team: Start assuming people have AD and can "get it together" enough to use GPOs.

Seriously, even SBS installations run AD and most use GPOs, and they have 10-50 users.

If the target audience for the BDD doesn't even have ONE DC (hence, no AD) I think it's safe to assume that they DONT or WONT want to use a tool like this.

Do people WITHOUT AD really think "process" when doing anything? If the BDD's target audience really assumes about 500+ machines, then, c'mon -- we're ONLY talking AD here. :-)

About BDD/Enterprise

I think this is where the majority of administrators will find usefulness. The ZTI scripts which are part of the BDD really do add the "finishing touches" that SMS needed when the OSD was released.

And, I think that was my confusion, too. That is, that the OSD doesn't, by itself, come with the ZTI scripts. No no.. THOSE only come with BDD/Enterprise.

So, my overall suggestion would be to roll up the USEFUL BITS of BDD/Enterprise and marry them RIGHT to the OSD. I mean, is there a majority case in using ZTI without the OSD? If not, put the goodies where the SMS admins can just use 'em.

It seems, overall, that the SMS admins and I agree on the general "philosophy". That is SMS admins seem to often use BDD/Enterprise to smoke "broken" machines then use SMS to lay down their applications. That sounds awfully familiar when I teach about smoking a machine using RIS then laying down applications with GPOs. It's the exact same theory. (Yes, it’s true that GPOs require MSI packages, where SMS can deliver just about anything.)

There are some differences, and some similarities.

Difference #1.

With RIS, I need to walk out to the machine to kick it off -vs-With SMS, if the client is loaded and responding, I can kick it off remotely. If the SMS client isn't responding I need to either use RIS to boot WinPE or run out there with a WinPE CD-ROM. (Meanwhile, WinPE is still a "licensed" entity. RIS is included as a component for all Windows servers.)

Similarity #1

Both RIS and SMS/OSD seem to use the same "idea" of how they store files. That is, they're not “Ghost-style Monolithic images.” RIS stores "bunches of files" stored on the RIS server. SMS/OSD uses a "WIM" format. Both formats store about 20% less information than a "Ghost-style monolithic image."

So, at the end of the day, an SMS/OSD and a "naked" RIS install are going to take about the same amount of time. (That is, unless you're doing something tricky with the ZTI scripts and downloading a true Ghost-style image with your Ghost-style tool.)

My only question today is: If they're so SIMILAR in the underlying technology, why do we have two ways to skin the same cat? In the future, the BSD team tells me we won't. That's the right idea.

Advantage #1

SMS has always done a good job "staging" files in secondary sites. And, if you have a very large environment, say, with 25 branch offices, using RIS can be a challenge. This is because you'll likely want to load ONE RIS server and replicate it to all your branches. You would use Robocopy, XCOPY, DFS, or something else to copy that one RIS server to your 25 branches. But this route could be fraught with peril. (However, I would suggest that with the improvements with WS03/R2 this might be vastly improved.)

Onward and upwared

This isn't a BDD comment, specifically. But I think it's simply silly that that I must "run out" to a bare-metal machine with a WinPE disk, or have a RIS server available alongside my SMS just to boot WinPE to then get bare-metal installs up to speed. Unless I'm missing something, this is a kind of a big hole that the SMS team needs to address. I don't know enough about SMS 4.0 to know if this hole is plugged.

I like the idea that the ZTI scripts are "open" and customizable. And this, I think, is why SMS admins are "passionate" about the BDD in general. Again, however, my suggestion (for what it's worth) is to put the ZTI scripts right into the OSD if that's the people who use them.

Ultimately, the BDD has a nice message: Put some process around the way you do your deployments.

I can't rant about that. Clearly,

I'm not a huge fan of "Ghost-style monolithic images." I'd rather see you script the whole install, even if it takes longer. But the BDD's goal is to prescribe some repeatable guidence for those who choose to use Ghost-syle tools. Again, I can't argue with that -- if that's the way you're choosing to do your deployment. As I said in the original newsletter -- if you're happy with Ghost and their ilk, then keep on using it. The BDD helps you put some "process" around that deployment method if you choose to use it.

That's just good thinking all around.

However, in this "Son of rant" I've made some suggestions going forward I hope might be well received by both the BDD and SMS teams going forward.

One last piece of the puzzle: BDD will surely evolve in the Windows Vista timeframe. I would expect it to take on the new WIM/XIMAGE/IMAGEX formats Vista will support. But, that's another discussion for another day, isn't it?

PS: The BDD team responded in full to this content before it went live. And I've tried to inject the relevant feedback about the current state of the BDD and SMS/OSD back in before we went live. However, I'm currently seeking permission to print a full transcript of the conversation so you can read the response directly from the BDD team. In that response the BDD team discusses future directions, which are certainly interesting. When available, it will NOT be a newsletter. It will only be posted here http://tinyurl.com/htaxw on my community forum.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who email

Mar 2006
22

Issue#15

Newsletter #15

  • My Rant: Why imaging? Why SMS?
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Public Group Policy Intensive Training and Workshop Schedule Update
  • Upcoming appearances and schedule
  • Thanks Netpro!
  • Subscribe, Unsubscribe, and Usage Information

This issue is (I’m sorry folks) a rant. It’s not about the war, or politics—but about something close to us, that we can all rally behind: disk imaging and management products.

So, without further ado, my rant.

After I rant for a while, I'll give you an update on my 2006 Group Policy Class Schedule and suggest some other great stuff for you to check out.

Before I forget—the Sacramento, CA Two-Day Group Policy class is ON for March 30, 31. We have three seats available. If you want one of those seats—sign up soon at www.GPanswers.com/workshop.

PS: A hearty THANK YOU to the folks who came and saw me and Tom present Win/Lin topics at this season's TechMentor in Orlando. I'm gone now (off to the next thing).. but thanks for brightening our days there -- you were a super audience !


Newsletter Sponsored by: Special Operations Software

Sometimes the out-of-the-box Password Policy in Windows isn't just enough. If you need many Password Policies perActive Directory domain or more granularcontrol of howpasswords can be created you should have a look at Specops Password Policy.

Redmond Magazine says that "Password Policy is easy to install and easy to use. It provides much more granular control and doesn't have a long learning curve."

Click the link to read more on how Specops Password Policy can benefit your organization with increased security.


As Dennis Miller says I don't mean to go off on a rant here

My good friends at TechNet Magazine have recently released their March/April 2006 magazine. And, let me tell you—it’s excellent, specifically, if you’re running SMS to roll out your desktops and/or contemplating using the new Business Desktop Deployment (BDD) to roll out desktops.

And, I have some questions (and please don’t answer me directly via email. Please, please, please answer this question or agree/disagree with this rant by going to http://tinyurl.com/htaxwon my community forum and post your 2 cents there.)

My three questions are:

  1. Why does Microsoft have 7 ways to deploy a desktop?
  2. Why bother with image-style desktop deployments at all? and
  3. Why bother with SMS-style tools?

So, let’s get started on this very special “rant” issue.

Microsofts desktop deployment options

By my count, Microsoft has seven ways of “officially” deploying a desktop: Category 1: via winnt.exe

  • Put in the CD and restart the machine. This basically runs winnt.exe and installs Windows.
  • DOS-style Network boot disk to connect over the network to run winnt.exe
  • WinPE-style to again run winnt.exe (almost the same as a DOS-style network boot disk in practice)
  • Remote Installation Services (via PxE) where winnt.exe gets invoked

Category 2: via image

  • SMS + Operating Systems Deployment Pack (OSD)
  • Business Desktop Deployment (BDD)
    • Standard Edition and
    • Enterprise Edition
    and
  • Vista’s all-new image-based deployment

The methods in Category 1 “build” a PC from scratch, loading Windows step by step (or via answer file), but fundamentally “create” a PC by formatting it and loading each file.

The methods in Category 2 “photocopy” from an image source in Ghost style.

So, here’s the question (again): why bother using either the Zero Touch Deployment for SMS (with the Operating System Deployment pack), the BDD, or the upcoming Vista image-based methods to roll out your desktops?

First of all, unless I’m missing something—these latest tools from Microsoft compete with each other for your desktop rollout attention. Not to mention that Vista will also come with its image-style based deployment mechanism. So, between the BDD, SMS+OSD and Vista’s Imaging mechanism—I’m one confused guy—and I’m trying to understand why each has it’s place.

So, that’s three image-style mechanisms to do the same job. That’s my real question: can someone (anyone) explain why I might choose, say, the BDD over the SMS+OSD even if could deploy both at exactly the same hard and soft costs. (Again, don’t reply here…post about it, at http://tinyurl.com/htaxw.)

To me, it seems a main selling point of both the BDD and SMS+OSD appears to be that it will “maintain state” as you do a desktop upgrade from say Windows 2000 to Windows XP. With a little elbow grease, you use the built-in User State Migration tool, shoot up a copy of the user’s important stuff, blast down a new desktop, and restore the important stuff (like desktop backgrounds, etc., etc.)

Great. But again, why bother specifically saving the state?

If you’re using the network to store the important stuff (say, by using Roaming Profiles), and use Group Policy to maintain your application settings, why specifically go out of your way to preserve any of it? Those of you who’ve heard my talks on desktop deployment know it will still be there waiting on the network when you deploy that new desktop to the user.

So, if you want to educate me… please do so. Again, respond by posting to http://tinyurl.com/htaxw.

Beyond the Microsoft image-based deployments

Since I'm already off on a rant here, let me take it one step farther…

Truthfully, I don't even see the point of having any image-style/“photocopy-style” deployments (including other non-Microsoft image-style deployments a la Ghost, PowerQuest, or anything else). Those of you who’ve seen me speak at conferences or those who have taken my more in-depth two-day Group Policy course know my feelings about image based deployments. Yes, they’re fast—but, ultimately, they’re a “photocopy.” To recap the process, you essentially wrap up a “perfect” PC with a set of “core” applications and make a big image. Then, you deploy that image to a zillion machines. And you do it fast.

Great.

But, this means several downsides when thinking long term. First, there’s the problem with the “photocopy” aspect in terms of hardware deployment.

Yes, I know—Windows sysprep is supposed to be the answer. Sysprep’s job (especially with the -pnp switch) is to shut the machine down for photocopying. Then, once the photocopied machine is turned back on, it’s supposed to magically discover all the correct hardware, and birds will land on the computer singing and chirping.

Except it’s not guaranteed (especially the birds). Not to mention the problem with photocopying from one machine to another—the required drivers might not be there. If you’re photocopying the same image for a Dell Latitude and an IBM Thinkpad—you let me know how that’s working out for you. If you can sleep at night while doing this, you’re a stronger man than I.

Okay, I’m sure the BDD and SMS+OSD deployment have some provisions to handle this situation. But, I was at a loss on specifically how to add new drivers to either the BDD or SMS+OSD if, say, a new network card showed up in your next desktop shipment. What I am sure of is that in each case, the WinPE image (which provides you the ability to access the image) would indeed need to be tweaked to accommodate this (already a hassle). But my confusion is what about the drivers for when Windows is actually running? If I’m pulling down a fully formed image, how can I jam in new drivers? If you know, and can educate me, please do so.

Even if there is a native way to do this (easy or cumbersome) it appears that Binary Research (the original makers of Ghost) has created something to help fail-safe the process. Their “Universal Imaging Utility” product (found here) is supposed to help inject a bazillion drivers into your images—specifically to remediate this very problem I’m describing.

The next big problem with the photocopy is—it’s obsolete the very day it’s placed into service. Why? Let’s explore a typical photocopy-style rollout. Let’s say we’re deploying our image to 1000 desktops. Just to give it a name, we’ll call our project OurImage 1.0. After rolling out 300 of our 1000 desktops someone on the deployment team realizes they’ve forgotten a critical application patch, or bite-sized application, or a configuration setting, or misspelled a directory, or any number of a 1,000 things that can go wrong during image building. So, the desktop engineering team cleans up the image, and rolls out OurImage 1.1. They then roll out to the next 300 desktops. (And, of course, the problems weren’t big enough to retrofit the first 300 desktops and disrupt users.) So, now, you have 600 desktops deployed: half on OurImage 1.0 and half on OurImage 1.1.

Not ideal, to be sure.

Then, one of the applications in the image has a new minor version (which the manufacturer strongly recommends you start deploying right away). Back to the drawing board, and a new revision, OurImage 1.2, is created. The deployment rollout must go on! And OurImage 1.2 is now deployed to the next 300 clients.

So, now, that’s three somewhat-different images over 900 clients. Now when any of those users calls the helpdesk for help, which version of the image are they using? Remember each version of the image has slightly different application versions tucked inside.

Or, consider this case: the image is rolled out to 300 people—both Sales and Marketing. But Sales is constantly playing around with applications in the image they have no right to even use. Should those applications have ever been in the image at all? Sure,those applications are needed for the Marketing guys. But not for Sales. So what do some IT departments do? They send someone to trot out to the Sales desktops and manually uninstall those applications (or script it, or touch it with SMS or something).

So, it must appear as if I’m “down” on photocopy-style desktop deployments such as Ghost, SMS+OSD or the BDD. It’s not that I’m down on them, just utterly confused why anyone would use them.

With that in mind, what’s my proposed desktop deployment solution?

Group Policy of course (with a little help from Remote Installation Services)!

Why RIS? Because RIS doesn’t “photocopy” an image. It “builds” the computer from scratch, installing just the software it needs in order for Windows to run. And, there are provisions for centrally adding new and updated drivers when new hardware comes out (like NICs, sound cards, etc.).

Why Group Policy? Because you can deploy just the applications you need to just the specific people who need them. If Fred in Sales shouldn’t get an application only Marketing would use, then it’s not in any photocopy where you’d have to worry about it. Fred only pulls down applications Fred needs.

Yes, I know the downside to my strategy. That is, in order for my suggested strategy to be successful, you have to be 100% committed to the MSI promised land (or buy 3rd party Group Policy tools to deploy applications other than only MSI apps).

Now, before you napalm my house—let me wrap up this section with this one thought:
I AM NOT SAYING TO ABANDON GHOST, POWERQUEST OR ANY OTHER IMAGE-BASED TOOL IF IT’S WORKING FOR YOU.

I know lots of people are quite attached to their desktop deployment methods. If something is working for you, and you’re happy—keep on truckin’.

Don't let me stop you.

The main reason I'm down on image-type deployments is for the reasons I mentioned above:

  • Again, first, it’s a photocopy, and even though sysprep -pnp should work from machine to machine, it doesn’t always. If it does work for you—fantastic. Consider yourself blessed, and continue to make use of the speed that photocopying provides.
  • However, consider the second problem: “core applications” in the image make it difficult to customize each user’s experience for them. If you get away from photocopying, you get away from deploying unnecessary apps (or forgetting to put apps in your image).

So again, yes I know RIS is slow. Slower than a photocopy, yes. And, if you’re comfortable photocopying machine to machine to get the OS deployed then, again, keep on doing that. All I’m asking is for you to consider not imbedding the applications in the image.

My problem

Now, if you want to help me out you can explain a few things to me.

  1. If you’re actually using the SMS+OSD—how is it really “zero touch” as it’s touted? I don’t get it. I’ve read countless pieces of documentation, but it still appears as if the client needs to be “seen” by the SMS system in order to zap a new photocopy upon it. That means it needs to be an SMS client. If I’m cracking out a desktop or laptop from the cardboard box and put it on the wire, I’m totally unclear how SMS will “find” this new machine and zap it my corporate photocopy. From what I’m reading it seems (dig this) that the prescription is to actually use RIS to deploy that initial desktop, then get the SMS client loaded, then zap down the remaining applications. Wait a second—that sounds like “The Jeremy Prescription” (except you substitute GPO for SMS!) If I’m missing something, and you’re an expert here, please, please educate me.
  2. The BDD has lots of wizard-driven steps to help you create your photocopy and then deploy it. Why would anyone would use the BDD at all, for any reason, when there are clearly other options which do the job? And, unless I’m looking it wrong, it seems the BDD requires a Ghost-style imaging tool to do the work. Indeed the documentation talks about the Powerquest tool quite a bit. Again, I’m at a loss to understand why the RIS/Group Policy/MSI combo wouldn’t be the preferred way to go here—or just about anywhere.

More stuff to rant about(Or, why I'm already unpopular with the SMS team at Microsoft)

Since I'm ranting about SMS anyway

The issue of TechNet magazine I mentioned has a whole article dedicated to SMS troubleshooting. When people ask me if I’d prefer SMS over Group Policy, I’ll tell them “Even if you gave me all the licenses I need for SMS, I’d still pick Group Policy over it any day.” Yes, yes, I know SMS has more features than Group Policy does.

But a Dodge Caravan has more features than a Mazda Miata. Get the picture?

In the end analysis what are the features people use when they buy that Dodge Caravan, er, SMS? Let’s look:

  • Software Deployment with targeting (which can be done with Group Policy Software Installation and WMI filters)
  • Hardware and software inventory (which can not be done natively with Group Policy but is, I hear, coming soon with 3rd party Group Policy tools.)
  • SMS has Software Metering tools—but no one I know uses it much.
  • SMS has compliance/patch-management tools. I do know some companies which do make use of these—but only because the free WSUS wasn’t yet available, and now they feel like they’re “locked in.”

So, why would I pick Group Policy over SMS even if someone handed me unlimited free licenses? The TechNet article in the same issue entitled “No Desktop Left Behind: SMS Troubleshooting Basics” about sums it up. Not to saturate you with all the steps the author expertly describes, but, holy cow does it ever take some troubleshooting skillz (that’s skillz with a ‘z’) to get to the bottom of things when SMS stops working. In a nutshell: SMS has about a zillion moving parts. The author expertly demonstrates how to “trace” where the problem is within all those moving parts.

In a basic (very basic) comparison, the same operation (software deployment) for Group Policy is refreshingly simple. There are, in short,many fewer moving parts to troubleshoot when things go wrong. Yes, okay, maybe I’m a little biased due to my love of all things Group Policy. And that isn’t to say Group Policy always works, either.

What I am saying, however, is that when Group Policy “breaks” it’s a much easier proposition to figure out where the problem is, then actually get to fixing it. For the record, in case you think I’m making stuff up here to specifically beat up SMS, I am certified in SMS 2.0 and do know a little about what I’m talking about. (And, yes, I know SMS 2003 is a different, though similar animal.)

Simpler is better

Okay, poor SMS. I just beat it up a little bit, and I’m feeling a little guilty here. But, ask yourself if you need a tool like SMS at all.

If you need it—you need it.

But, the question is do you really need it?

I've personally met a handful of people who seem to be with me; ditching SMS and Tivoli (and the like) for a pure Group Policy-based solution to their management.

Here's the thought process: By not introducing an SMS-style tool, you’re reducing complexity.

Again, the Group Policy moving parts are already built-into the operating system.

So, if you can make use of the moving parts inside the box, my advice is to do so.

Now, let me be super-clear before the hate mail comes in from the SMS team (or SMS-style product companies). As I said: if you need it—you need it. That’s the trick, and the trap I see many organizations fall into. Many organizations inadvertently increase their complexity by adding an SMS-style management tool for not a lot of benefit. When I ask people “Why did you end up deploying your SMS-style tool?” The #1 response I get is “We needed a way to distribute software.” And 10% actually use the overall “power features” SMS provides over Group Policy.

So, again, my feeling is that, yes, an SMS-style tool is great—if it truly gives you something you cannot achieve a different way. Again, SMS provides software distribution, hardware and software inventory, patch management, image deployment, and software metering. If you need something on this list that Group Policy cannot do natively (or enhanced with third-party tools) then, yes, go get it.

But, if you don't need it—why introduce it, even if you’re getting the licenses for free?

Wrapup

For the love of Pete (whoever he is) do NOT email me directly about this rant. While I strive to answer everyone’s email, I’m making an exception in this case. It’s not because I don’t love you, it’s because I want you to respond publicly here where we can all talk about it. Key points to talk about:

  • If you’re using the BDD…why? What does the BDD give you that other methods do not?
  • If you’re using SMS+OSD…why? How’s it working out for you?
  • How can you add drivers when Windows runs using the BDD or SMS+OSD?
  • If you’re using the “Jeremy Method” of RIS + Group Policy + MSI, how’s that working out for you? Was getting to the MSI promised land a tough haul? Did you succeed, or give up?
  • Why save user state and restore it using the USMT during the BDD or SMS+OSD process? If you’re using the network properly (redirected MyDocs and Application Data), what precisely are you saving by using the USMT?
  • Has anyone introduced an SMS-like product only to then realize it was overkill and the same task could be performed via Group Policy? How did you handle that?
  • Or, is SMS your life blood and you’re using it for a task I didn’t describe here?

Thanks for listening.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)  

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.
You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.
So, learn to properly drive that "Ferrari" you bought by coming to a class! Classes for first half of 2006 (lots of date changes since the last newsletter. Sorry about that.):
Mar 30-31, 2006: Sacramento, CA—This class is ON. If you want a seat, I suggest you sign up now. Only three seats left!
Apl 18-19: Atlanta, GA
Apr 20-21, 2006: Tulsa, OK (not Okla. City, as previously reported.)
Apr 26-27, 2006 (new class): Richmond, VA
May 15-16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop (Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or,if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does the have distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Upcoming Appearances and schedule

It's going to be a busy month for me. Embrace the travel! Love the airport. Embrace the security dweebs patting me down. Well, maybe not.

Here's my ever-so-brief schedule.

NetPro Directory Experts Conference: Mar 26 - Mar 29

I'll be speaking on Windows/Linux authentication integration. My speech is 9.15 Tuesday the 28th. www.dec2006.com/agenda_tues.cfm

Linuxworld Boston: Apl 3 - Apl 6

Again, on Windows/Linux authentication integration. My specific speech date is 4/4/06 and it'll be at 2.30 PM. Hope to see you there !tinyurl.com/7dspg

WinConnections Orlando: Apl 9 - Apl 12

I'll be speaking on a variety of topics at this WinConnections. "Group Policy Toolbelt", Shared Computer Toolkit" & "Windows–Linux Integration: Authentication Services" and a 3-hour Group Policy Pre-Conference warm-up. www.winconnections.com

Microsoft Teched Boston: Jun 11 -1 5

Again, on Windows/Linux authentication integration. Don't know my exact speech date yet. tinyurl.com/7lktw

Thanks, Netpro!

Recently Netpro had a cool webinar, and they mentioned us—GPanswers.com. Neat! Thought I’d return the favor. Here’s how to check out the webinar with a good message for anyone managing Active Directory. WEBCAST: 16 Steps to a healthier and happier Active Directory

Before going about securing Active Directory, you should make sure that certain configurations have not created unexpected security holes. In this webcast, NetPro CTO Gil Kirkpatrick will examine various aspects of Active Directory, from backup to DNS configuration to Group Policy management, that, when executed properly, can ensure a secure installation. Register here.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected]

If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who emails.

Thanks for reading!

Jan 2006
17

Issue#14

Welcome to 2006

  • Technology Takeaway (r), a service of Moskowitz, inc.
    • Just one LOONG tip: Creating a Bulletproof desktop with the Shared Computer Toolkit.
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Free, Free, Free speeches by Jeremy
  • By popular demand: The three-day less-intensive GP Course in PA
  • Upcoming Public two-day GP Classes for 2005 / 2006
  • What's new from GPanswers.com
  • What's new from Microsoft
  • Subscribe, Unsubscribe, and Usage Information

Moskowitz, inc. and www.GPanswers.com

This issue, we tackle something that's near and dear to me: Desktop Lockdown. It certainly feels as if all the Group Policy settings available to us would allow us full control over our desktops. But, there's something missing. In this issue, we'll explore the Shared Computer Toolkit which makes your Ultimate Desktop Smackdown vision possible.

After we talk about this, I'll give you an update on my 2006 Group Policy Class Schedule and show you some cool new features we've added to GPanswers.com.


Newsletter Sponsored by: DesktopStandard

Built-in Windows security management features simply don't give you enough granular access. As a result, administrators run applications with full administrative access - even if it is not required. This exposes the network to unnecessary security risks like viruses and spyware.

DesktopStandard's PolicyMaker line of Group Policy Extensions solves this problem with Application Security policy. Click the link to learn how you can empower your users to be more secure today.


Technology Takeaway®, a service of Moskowitz, inc.

Bulletproofing your shared desktop -- with the shared computer toolkit

One of the top requests I get at GPanswers.com is how to take machines and “lock them down.” People want ways to ensure their machines can’t be broken by Joe User or Harry Badguy. The “out of the box” Group Policy settings can go a long way towards solving this common conundrum. But the settings in the box can only take you so far.

The situations involving computer lockdown can get complex–fast. You might not even know the people who are walking up to the machine, but you still have to give them some portion of your network resources like Internet browsing, file viewing, or printing.

You would typically find computers like these in places like universities, airports, hotels, community centers, museums, kiosk stands, and conference centers . So, these aren’t the kinds of machines that your typical business users utilize day to day; these are the kinds of machines where people need sporadic access, and they are people that you may or may not trust. And by “not trust” I mean they’re potentially downloading infectious junk off the Internet. They may be inadvertently adding spyware–or worse, they’re really out to get you and are going out of their way to try to damage your public-access PC.

What you need is a way to restrict anything from being written to the Windows partition. You need a way to trap the bad stuff, but keep the good stuff–like critical Windows updates and antivirus updates. You need a way to lock down Windows so it’s much harder to get to the under-the-hood Windows stuff, like the C:Windows directory. And you need a way for new users to get a guaranteed profile, so you’re dictating their experience, not fighting to clean up after them. However, if you’re dreaming a little bit, you might also want to manage exceptions. That is, you might want to have a known or trusted user use this shared PC for some specific task, and to make sure that their data and settings stick around.

What you need is the Shared Computer Toolkit, or SCT. While the SCT can be many things to many people, it’s not specifically meant to be loaded on every desktop to restrict the actions of day-to-day employees (though I’m sure some enterprising geeks will attempt to roll it out corporation-wide). It’s also not really meant as a “parental control” device either, though there might be some attributes of the SCT which might be useful there.

Requirements

To use the SCT, you need a Windows XP/SP2 machine with at least 1GB of unallocated space (though having 10% of the hard drive unallocated is recommended.) This unallocated space will be converted into a special “protection partition” by the SCT Additionally, you might want a second “Data” partition to store persistent data from trusted users to whom you specifically grant access. For instance, if someone uses this machine for their daily work, you might want them to be able to save Word documents on this additional partition.

One of the tricks is getting a machine which already runs Windows XP/SP2 and carving out some unallocated space. Typically, when Windows is installed the entirety of the hard drive is used, therefore there is no unallocated space. However, any repartitioning tool will make it possible, such as Symantec Partition Magic, Terrabyte BootIt Next Generation, or Acronis Partition Manager (part of the Acronis Disk Director Suite). The Microsoft documentation for the SCT specifically mentions the first two, but I already own the Acronis product and used that one with no problems.

There are two main ways to use the SCT: when machines are not joined to the domain, or when machines are joined to the domain. We’ll examine both scenarios here.

Getting Started with the SCT

After you’ve re-partitioned the machine, you’ll take the following steps to use the SCT:

  1. Install all the applications that you want to make available on the shared computer.
  2. Remove Windows components that you don’t want people to use (or would be potentially dangerous for people to use) like IIS, or Outlook Express.
  3. Install the SCT after installing the required User Profile Hive Cleanup Service (UPHClean).
  4. Configure the SCT.

Once SCT has been configured, its goal is to keep your computer as clean as the day you installed it. Therefore, be careful that you’re not actually loading “junk” on your shared computer as you’re preparing it for use.

At the heart of the SCT is the Windows Disk Protection service, or WDP. The goal of WDP is to “trap” writes to the Windows system volume, and temporarily store them on the Protection Partition so the bad guys can’t actually do any permanent damage to the real Windows partition. Once the session is over, so is any accompanying potential damage.

However, the SCTs cannot prevent certain attacks from being attempted. Even though the SCT will help you lock out Windows functions like Explorer, that doesn’t mean an application you’ve installed and made available for use doesn’t have Explorer-like capabilities. For instance, many applications allow you to browse the contents of the hard drive when you’re in their File | Open dialog boxes. Again, the SCT will ultimately prevent the disruption of Windows because of the WDP—that is, the WDP ultimately discards any writes to the system volume. However, it is incapable of preventing this kind of “poking around” attack if your application lets them poke around.

To download the SCT, go to Microsoft’s website here. What I like most about the website is the opening graphic where three kids are ostensibly “learning” on the machine. However, what we really know is that they’re right-clicking over your favorite disk partition and selecting “Format.” With the SCT, you’ll be protected from rascals of all age groups.

The SCT installation is Wizard-driven, and is a snap to use. However, it requires an additional package, called the User Profile Hive Cleanup Service, or UPHClean. UPHClean is popular with Terminal Services administrators whose users have difficulties logging off Terminal Services and having their User Profiles setting saved. It’s interesting to note that UPHClean is now a required component for this SCT. It would have been nice if the SCT installation didn’t make you download it separately, but (since you need it anyway) simply made it part of the SCT installation.

Configuring the SCT in 8 Easy Steps

Once SCT has been installed, configuring it is made easier with a Getting Started page (seen in Figure 1), which steps you though the configuration process.

 gp
Figure 1: The SCT Getting Started page is a like a guided setup (click on figure to enlarge)

After the Getting Started guide appears, it’s easy to walk step-by-step through the process. The second step, as seen in Figure 2, is mostly configuring security-related Group Policy settings which are being set within the local GPO. In most cases, you’ll want to make sure all boxes are checkmarked.

 gp
Figure 2: Step 2 mostly deals with security-related Group Policy settings (click on figure to enlarge)

Step 3 simply has you create a new local user and give it a name of your choosing, such as Public.

Step 4 has you actually configure the user account the way you want: configure the desktop wallpaper, accept first-time run settings and license agreements (for programs such as Windows Media Player, Microsoft Office, and Acrobat Reader), add printers, etc. Whichever way you configure this profile is how all public users on this machine will see it.

Step 5 has you select the Public profile and locking down some additional settings, as seen in Figure 3. There are too many options to delve into right here. Thankfully, the recommended settings are all located in one place and can be selected with one Checkboxwhich highlights all of them. Defaults here include the restriction on running applications from USB thumb drives, restricting the running of system tools (such as regedit.exe), and preventing users from right-clicking within Internet Explorer.

Optional Restrictions, such as “Remove CD and DVD burning features” and “Prevent printing from Internet Explorer” are welcome additions.

 gp
Figure 3: It’s easy to administer perform the kinds of restrictions you want to apply to all users (click on figure to enlarge)

Step 6 has you actually testing the Public profile before you go into lockdown mode. This enables you to see what the user will see, but still makes it easy for you to go back and make changes in the SCT Getting Started steps.

Step 7 contains the secret sauce–the Windows Disk Protection service, which requires a reboot before it can be configured. Here, you can specify whether or not to retain changes made by public users, and how critical updates are handled, as you can see in Figure 4.

 gp
Figure 4: Once Windows Disk Protection is turned on, you can Clear, Save, or Retain changes as you see fit, as well as schedule Critical Updates, and set other options. (click on figure to enlarge)

The WDP features a very, very strong protection mechanism with four choices:

  • “Clear changes with each restart”: Once this function is turned on, the system is officially protected. All historically “sensitive” parts of the system, such as the registry, services, even critical boot files like boot.ini and NTLDR are protected from permanent harm.
  • “Save changes with next restart”: Once the CST has been running for a while, you might realize you want to add another application to the system, or make another permanently desired change. To do this, you need to specifically select “Save changes with next restart” and you’ll have skirted around WDP this one time and integrated your changes. A quite note before this function’s use: be sure to restart the computer before you load your new application, so as not to keep something bad or unknown. Then, once loaded, select “Save changes with next restart.”
  • “Retain changes for one restart”: If you’re adding a new application, and that application requires a reboot to finish its installation, select this option. Then, once you’re convinced you’ve loaded and configured the application correctly, pick the “Save changes with next restart” option to permanently seal in your changes.
  • “Retain changes indefinitely”: If you want to load many applications and watch their interactions over time, you might select this option. Once you’re ready to accept your changes then select “Save changes with next restart.” If you want to back out of all changes, select “Clear changes with each restart.” For example, this functionality is great for computer training centers where a new class comes in every week and you want students to have free rein over the computer. You can let them do what they want and they can restart the computer us much as they need to. At the end of the week, just clear the changes and the computer will be restored to its Monday morning state.

Another way to think about these settings is that once WDP is turned on, all changes are written to the Protection Partition (this was the previously unallocated space you carved out) until you choose “Save changes with next restart”, and they are merged with the real partition.

It’s likely your other corporate computers are downloading critical Windows updates from Microsoft or from WSUS by themselves (see my article in Technet Magazine about corporate WSUS settings.) However, computers using the SCT need a little TLC. That is, these computers need you to manually grab these updates. When it’s time to automatically install patches, the interactive user is logged off, and during the Critical Updates installation time, no users (other than administrators) can log on. It should be noted that when Critical Updates are downloaded, they are always written directly to the “real” Windows partition and not the Protection Partition. The process is quite elegant: An automatic reboot clears any potentially damaging changes users might have introduced, andthen the updates are written. This ensures that only the Critical Updates make it onto the disk.

Additional Ways to Configure the SCT

So far, the discussion has been for one standalone PC–not a domain environment. One PC is a good start, but not likely how corporations, schools, and the like will ultimately roll this out. The two additional scenarios to consider are:

  • Domain-joined SCT machines, and
  • Mass deployment of the SCT (domain-joined or not)

If your target SCT machine or machines are domain-joined you can, of course, go through all the steps listed above to get the job done. But that means you have to visit each and every machine to do the job. Instead, the SCT team (thankfully) rounded up their hard work and made a Group Policy ADM file which just snaps right in to the Group Policy Editor. This file (SCTSettings.adm) is located in the C:Program FilesMicrosoft Shared Computer Toolkitbin directory. This enables you to make mass changes on multiple SCT-enabled machines, as seen in Figure 5. The ADM template is a little rough around the edges and could use a little cleaning up of the Explaintext entries to be as useful as possible, but it’s a really good start.

 gp
Figure 5: You can mass-implement changes to SCT-enabled machines via Group Policy (click on figure to enlarge)

There are some additional technical obstacles to overcome with domain-joined machines. For instance, how do you run around to 1,000 SCT-enabled machines and reconfigure their disk-protection settings? Thankfully, there’s a DiskProtect.wsf provided which you can use to script the behavior of your SCT-enabled machines. You also need to manually implement the suggested Software Restriction Policy settings which prevent System Tools and unwanted programs to run. This is all very well spelled out in Chapter 10 of the Shared Computer Toolkit Handbook, which is titled “The Shared Computer Toolkit in Domain Environments.”

The next hurdle is the mass deployment issue. That is, how do you get the SCT bits and pieces on the target machines in the first place? The suggested avenue here is to imbed the pre-installed SCT and corresponding bits inside your “Ghost-style” or “RIPrep” image build. Or, if you deploy “clean” machines, you could simply script the UHPClean and SCT installation using post-installation script commands. My first choice would be to use Group Policy Software Installation and simply assign both UHPClean and the SCT to your shared computers via Active Directory and Group Policy.

Once you have the required bits on the machines, simply use the included Group Policy ADM and .VSB files to control the computers after they’ve been deployed.

However, there are still two more hurdles to overcome. Every Windows machine must be expressly validated by Windows Genuine Advantage. This becomes a bit of a problem because each machine needs to be “touched”, either by installing an IE Active Xcontrolor running an HTA application.

The last problem is, how do you remotely repartition a computer’s hard drive if you don’t want to trot over to it? Remember, every SCT computer needs the required Protection Partition. If you have your own ideas of how to “mass validate” computers via GTA or remotely repartition a computer, don’t keep it a secret! Let me know and I’ll post a follow-up on GPanswers.com.

Final Outcome

Once the computers have been deployed, your users log on with the username you set; in our examples it was “Public”. And if you were using a domain account, you could feel free to use that as well. Once they’re logged on, it really is a restricted, bulletproof machine as seen in Figure 6.

 gp
Figure 6: The final outcome of an SCT-enabled machine with restrictions enforced (click on figure to enlarge)

This is a really great tool with lots of potential uses. The tool itself as well as the documentation is well thought out, and the additional control via Group Policy is just icing on the cake for a Group Policy control freak like me.

Online support for the tool is available at Microsoft’s newsgroups, here.

Additionally, before running headlong into a real deployment using the SCT, I suggest you read the included Shared Computer Toolkit Handbook, which is well-laid-out PDF file.

For a 1.0 release, this tool really gets the job done.

SPECIAL THANKS to the Shared Computer Toolkit team at Microsoft for reviewing this article for technical accuracy. This article will appear in the July issue of Microsoft's TechNet Magazine. Consider subscribing. Click here to check out the magazine.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Free, Free, Free!

Well, the price is right, even if it stinks. But it won't stink -- I promise you'll learn something, or DOUBLE your money back!

Windows & Linux: Perfect Together (Online Roundtable)

Jan 26, 2006 from 2.00 to 3.00 PM EST (11.00 to 12.00 PST) This will be a live talk with me, my co-author of my Windows/Linux Integration book (Tom Boutell) and others! The topic: Windows & Linux Integration -- so sign up and see you online! Bring your questions! Click here to register.

WSUS Architecture Crash course

Feb 10, 2006 from 12.00 to 1.00 PM EST (9.00 to 10.00 PST) Patches and updates can be a real headache to manage. Microsoft Windows Server Update Services (WSUS) is here to make your life easier. Have you implemented it yet? This is a "Power Hour" webcast with 30 minutes allotted to talk and demos and 30 minutes allotted to questions and answers. Click here to register.

By popular demand: The "Less Intensive" Group Policy course is available as a trial in Pennsylvania

Last month I debuted my new three-day "Less Intensive" format. I explained how this course was only available for PRIVATE courses.

Well, as an experiment, I'm making it available as a PUBLIC course in Newtown, PA in February 7, 8 and 9.

This course starts with a half day warm-up of Active Directory, managing users and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration can get a bit of fundamentals before diving in to the Group Policy waters.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point to how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory -- now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes for first half of 2006 (lots of date changes since the last newsletter. Sorry about that.):

Feb 7, 8, 9: Newtown, PA (Three day, "less-intensive" AD/GPO course). Newtown, PA is near Trenton, Philly, and other major metro areas.
Feb 21 - 22, 2006: San Antonio (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Feb 27 - 28, 2006: Portland, OR
Mar 2 - 3, 2006 : Atlanta, GA
Mar 15 - 16, 2006: Washington, DC
Mar 30 - 31: Sacramento, CA
Apr 20 - 21, 2006: Tulsa, OK (not Okla. City, as previously reported.)
May 15 - 16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does the have distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Other Changes around GPanswers.com

In the last issue, I explained about our "mini-web overhaul." I'm trying to keep the new features coming so you can have the best Moskowitz,inc. / GPanswers.com / WinLinAnswers.com experience. New since last time:

  • The FAQ/Tips and Tricks area has even BETTER categories, which makes things easier to search
  • Did you know the GPanswers and WinLinAnswers community forums are RSS enabled?
    • The RSS feed for the GPanswers.com/community room is: https://www.gpanswers.com/community/rss.php
    • The RSS feed for the WinLinanswers.com/community room is: http://www.winlinanswers.com/community/rss.php
  • If you're not a big fan of RSS, you can get new posts on any given forum MAILED to you. I've been waiting FOREVER for this feature. You need to enable it for any and every forum you want to "watch". When any new post appears in the forum -- you get a little email summary. This is great for the Announcements forum, or any specific technical forum to make sure you don't miss a great question, or a great answer. Click on the graphic below to see where this feature is found.

gp (Click picture to enlarge)

  • We're working on a global GPanswers.com search -- which should also be able to buzz through PDFs and all questions in the forums. Not there yet with this one, but stay tuned.

What's new from Microsoft?

Lots, actually! Microsoft has three new documents to help better understand GP. Well, the first one isn't really a "document" but rather a(nother) FAQ for GPOs. Yes, we have one here at GPanswers.com, but I guess it's okay that the boys in Redmond have their own too, right? :-)

Additionally, they released to documents to help understand how Vista and Longhorn will change with Group Policy.

So, how do you find all these new resources? You could Google for hours and not find it! Of course, we have the links, right off ourMicrosoft Resources page. Just scroll to the bottom to check out the new docs.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who emails.

Thanks for reading!

Nov 2005
25

Issue#13

edit

  • It's Issue 13 ... Do you feel lucky?
  • Technology Takeaway (r), a service of Moskowitz, inc.
    • Tips and tricks
      • Just one tip: Delegated permissions, the perils therein and how to pull back the reigns
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Something new... Two Training Options: Intensive Two day and "Less Intensive Three Day"
    • Upcoming Public GP Classes for 2005 / 2006
  • What's new around GPanswers.com
  • Subscribe, Unsubscribe, and Usage Information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 13

It wasn't long since the last newsletter, but... when I get busy working on something that affects a lot of people, I want to make sure you get it ASAP!

I think you're really going to like this newsletter. It's HUGE and has *TONS* of graphics for this massive how-to. Don't be scared away by the "unlucky" number 13. Okay, so the big problem we tackle this month is large. The lucky part is that you found this newsletter, and will be well prepared to correct for it!!

After we talk about this, I'll give you an update on my 2006 Group Policy Class Schedule and talk about some other stuff.


Technology Takeaway, a service of Moskowitz, inc.

Delegation... the perils therein, and how to pull back the reigns

One of the key things for your organization to get right is the proper balance of power. Specifically, you need to decide just who creates GPOs and who can link them to areas in Active Directory.

Sometimes, it's just the people in the Domain Admins group. That's fine, if that works for your organization. But if you're the only Domain Administrator, or, if there's only a handful of you, then managing Group Policy for hundreds or thousands of users could be a troubling, cumbersome task which you're always doing again and again. When there's something to be tweaked - you're the one who's called - every time.

Again, if you like it that way - that's great. I'm not proposing to take that away from you. However, if you want some helpers with your GPO comings and goings, then enter the magical world of Group Policy delegation.

The idea is simple: give someone else the rights to create GPOs in the domain, and you won't have to do it. Before you run away and say "My people can't handle this task!!" let's actually analyze this for a second.

First, you need to ask yourself, "Who knows my users best?" Sometimes, that is the Domain Administrator. Sometimes, however, it's the OU administrator, or even, perhaps someone else. We'll call these people (whomever they are) "helper-administrators." For our definition, "helper-administrators" don't have Domain Administrator rights - they're just average Janes and Joes with some ability you've delegated them.

When it comes to Group Policy implementation, one often-successful strategy is to get the power in the hands of the helper-administrators that are closest to the users. So, even though by default, the only people who can create GPOs are Domain Administrators, you might want to re-consider and delegate the permissions such that other administrators (usually OU administrators with non Domain Administrator powers) can also create GPOs.

Delegation 101

In this picture, you can see the basic procedure which permits people the ability to create new GPOs. First, click on the Group Policy Objects node. Then, click on the Delegation tab. Finally, click on Add (at the bottom of the page) and add in the user you want to delegate the ability to create GPOs.

 gp
Figure 1: Delegation to create new GPOs occurs at the Group Policy Objects node in the delegation tab (Click on figure to enlarge)

In this example, we'll anoint a helper-administrator, Nurse1 to create GPOs. Now, just because this helper-administrator can create GPOs doesn't mean they can actually do anything useful, like linking them somewhere. In other words, the simple fact that a GPO is createddoesn't inherently mean it's doing anything or affecting anyone. For that, there's another delegation tab, which you'll find at the level in Active Directory you want to delegate (for instance, domain or OU).

In this example, you can see the delegation tab at the Nurses OU.

 gp
Figure 2: The Delegation tab at the OU level determines who can link GPOs to this OU (Click on figure to enlarge)

Now that the user Nurse1 can create GPOs, and link them to the Nurses OU, you've empowered this helper-administrator. The idea, again, is that this helper-administrator knows the user population very well, and has the proper knowledge of creating GPOs which (hopefully) won't "break stuff" (to use a technical term.)

However, there are some pitfalls in allowing a helper-administrator to do this. One fear that Domain Administrators (rightly) have is that these delegated helper-administrators can do bad, bad things. This is always a possibility, but then again, you wouldn't delegate someone to drive your Ferrari unless they took a lesson or two, right? (Subtle hint to get your Domain Administrators and OU admins into my highly acclaimed two-day Group Policy Intensive Training and Workshop class, but I digress).

It's very similar here; and as Domain Administrators, sometimes we have issues letting go. :) Let's put aside that specific fear of a helper-administrator messing something up inside a GPO and affecting users, but rather move on to a different sort of problem. The problem of that helper-administrator trying (or inadvertently) "hiding" access of the GPO from the Domain Administrator.

When Good Admins go Bad

Specifically, the person who creates the GPOs also owns the GPO as you can see in this picture.

gp
Figure 3: Someone who is delegated the right to create a GPO also owns the GPO (Click on figure to enlarge)

Because the helper-administrator user owns the GPO, they can basically do whatever they want to the GPO. The idea here is that you're granting someone you trust the ability to create GPOs and use them wisely. Hopefully, these helper-administrators will use the power wisely; but, sometimes, administrators are rogues (as Microsoft calls them) or jerks (as I call them).

Rogue-like (or Jerk-like) behavior could include changing the permissions on the GPO so even the Domain Administrator can't see the GPO. In this example, the helper-administrator has set the permissions on the GPO that she has access to as follows:

gp
Figure 4: The helper-administrator has removed permissions from the Domain Administrator with an explicit Deny on all attributes

In other words, the Domain Administrator is Deny-ied access from even seeing the GPO. Now, when the Domain Administrator looks at the Group Policy Objects node in GPMC, the GPO is simply not listed because it is being hiddenby the explicit Deny properties the Nurse put on the GPO.

Note, however, that when Nurse1 linked the GPO to a location in Active Directory the GPO's properties are still viewable though Inaccessible as seen below.

 gp
Figure 5: The GPO is now missing from the Group Policy Objects node in the GPMC. However, you can see an Inaccessible marker where it's been linked. (Click on figure to enlarge)

Depending on your perspective, this could be a problem.

On the one hand, the GPO is, in fact, working as advertised and nothing is technically wrong here. The Nurses will get the GPO applied to them and everything will continue functioning normally. The only problem is an unruly helper-administrator who is hiding his or her actions from the Domain Administrator. At this point, you can choose to do two things: nothing, or perform a Take Ownership upon the GPO and put the power back in to your hands.

Reclaiming the Fort: Taking Ownership

Let's examine what it takes to Take Ownership of a GPO as a Domain Administrator and restore the GPO back to health. First, the Group Policy Objects node in the GPMC is a representation of the two halves of a GPO: the GPC (the part that lives in Active Directory) and the GPT (the part that lives in the SYSVOL). In order to perform this, we need to take ownership of both halves.

Let's first examine how to take ownership of the GPC part, because this is the part that controls visibility of the GPO in GPMC.

To do this, we need to go back to the old-school way we used to manage GPOs: Active Directory Users and Computers. To get started, you need to view Advanced Features as seen here in Active Directory Users and Computers.

gp
Figure 6: To dive in and see the GPC, we need to enable Advanced Features in Active Directory Users and Computers.

Once Advanced Features is enabled,you can dive down into the GPC part of the Group Policy. You do this by diving into System | Policies and looking for the GUID of the GPO object that currently has the problem. What's interesting in this view is that you cannot see the GUID of the GPO in the left pane, but only in the right pane listed as Unknown.

 gp
Figure 7: Inaccessible objects show up in the right pane as Unknown. (Click on figure to enlarge)

When you go to the properties of this object and click the Security tab, you'll see the error message in Figure 8 below.

gp
Figure 8: The ACL editor forbids you, the Domain Administrator, from seeing the permissions because you are expressly Denied. (Click on figure to enlarge)

From this point, you might be tempted to give the Domain Administrator, say, Full Control rights. But, if you try it, it won't work. What you really need to do first is to take ownership of the object.

 gp
Figure 9: You need to select the Administrators group as the new owner and select Apply. (Click on figure to enlarge)

Unfortunately, once you've taken ownership of the object, you cannot immediately give the proper permissions back to the object. You need to close the ACL editor, and then right-click on the GPC portion again and select Properties | Security. Only now can you actually change the permissions.

 gp
Figure 10: To fix the GPC portion, click Full Control | Allow for the Domain Admins group

Taking Ownership of the GPT

Once you've granted Domain Admins Full Control over the GPC again, you're about halfway finished. Again, all you've fixed is the GPC. Now, it's time to dive into the GPT and perform the same Take Ownership tasks.

The GPT part of a GPO lives on every Domain Controller, typically in the windows system sysvol sysvol {domain-name} policies directory. (Yes, that's two sysvol directories.) Then, inside this directory are directories for each GPO's GPT. In my example here, my GPT has a GUID starting with 0f8D1AD2 (as seen in Figures 7, 8, and 10 among others). So, we need to locate that directory, and take ownership of it in the same way we did with the GPC. You can see this in Figure 11.

gp
Figure 11: Take ownership of the file-based GPT the same way you did with the Active Directory based GPC (Click on figure to enlarge)

Once performed, you'll have to (again) exit the ACL editor and re-enter it. Then, ensure that Administrators have Full Control similar to the way that you did with the GPC. Though in this case, note that the default permissions should automatically set Administrators (not Domain Admins) to Full Control.

The Final Fixeroo

If you were now to go back to the GPMC and refresh the Group Policy Objects node, you would now see the previously-hidden GPO. However, when you click on it, you might get a message similar to what is seen in Figure 12.

 gp
Figure 12: The GPMC recognizes that permissions are amiss between the GPC and GPT. (Click on figure to enlarge)

This is exactly the gift we wanted! Clicking OK will copy the permissions from the GPC over to the GPT. However, the bad news is that you might not actually get this message! If you don't get this message, you have to manually kickstart permissions synchronization between the GPC and GPT.

To do this, click on the Delegation tab of the GPO and click the Advanced button. When you do, you're able to edit the actual ACLs of the GPO, which should (simultaneously) affect both the GPC and GPT. Make a change (any change) and apply it even if it's something temporary. For instance, add a new user and grant that user Read access. Then apply that change. Then, remove that user. The point is to make any change. When you do this, you are writing the ACLs to both the GPC and GPT.

Now they're in sync, and now you've fixed the problem.

gp
Figure 13: Make a change any change (and apply it). When you do, the GPC and GPT will be simultaneously adjusted to reflect the ACL change. (Click on figure to enlarge)

Moral of the Story

Delegation is a very good thing if you trust the people to whom you're delegating. You can't cover every base, however, and some helper-admins are just going to be jerks. For that reason, this tutorial on how to restore permissions on hidden GPOs will help you know how to take back control.

SPECIAL THANKS to Darren Mar-Elia, CTO for Infrastructure Management Solutions at Quest Software, and operator of GPOguy.com for helping work out this problem with me.


Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Now available: Private GP Course in "Less Intensive" format

Everyone knows the two-day Group Policy course is really three days of material packed in to two intensive days. However, some customers have asked for a "Less Intensive" format.

Your wish has been granted!

This course starts with a half day warm-up of Active Directory, managing users and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration can get a bit of fundamentals before diving in to the Group Policy waters.

This "Three-day Less Intensive" option is ONLY available as a private course. Note, the "Two-day intensive" option is available as either a private of public course.

Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point to how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory -- now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes remaining in 2005:
Dec 13 - 14, 2005: Minneapolis (Bloomington), MN (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)

Classes for first half of 2006:
Jan 16 - 17, 2006: Philly / Berwyn, PA (moved from Nov 2005) (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Jan 24 - 25, 2006: Sacramento, Ca
Jan 26 - 27, 2006: Portland, OR
Feb 21 - 22, 2006: San Antonio (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Mar 2 - 3, 2006 : Atlanta, GA
Mar 15 - 16, 2006: Washington, DC
Apr 20 - 21, 2006: Oklahoma City, OK
May 15 - 16, 2006: London, England Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: www.gpanswers.com/live-class
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does the have distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services and Product Support Services teams at Microsoft!

For a public class, sign up online at: www.gpanswers.com/online-class
For a private class, just contact me at [email protected] or call me at 302-351-8408.  

Other Changes around GPanswers.com

We've had a mini-web overhaul lately. It might not look a whole lot different, but there's a lot of things, here and there that have been changed.

  • There is no more "downloads" section off the main page. The downloads that were there were moved to the FAQ/Tips and Tricks
  • Speaking of the FAQ/Tips and Tricks area, the Tips and Tricks are now in categories, which makes things easier to search
  • The book downloads (and any updates) are now centrally located right off the main page. It's now called "GP Book Resources"
  • We came up with a way to be able to click on any graphic and have it pop-up to full page view. We're working on backfilling all Tips and Tricks, Solutions Guide, and other areas which have scaled-down graphics to enable pop-ups to full size.
  • We're working on a global GPanswers.com search -- which should also be able to buzz through PDFs and all questions in the forums. Not there yet with this one, but stay tuned.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Nov 2005
07

Issue#12

In this issue:

  • It's Issue 12 ... Wow.. a new format!
  • Group Policy Intensive Training and Workshop Schedule Update for 2006
  • Technology Takeaway (r), a service of Moskowitz, inc.
    • Juicy tips and tricks (Jumbo sized!)
      • All about login scripts (Offline and Online)
      • All about WSUS settings
  • Upcoming Conferences, Appearances, and Classes
    • Upcoming GP Classes for 2005 and 2006
  • Additional Technical Tidbits
    • All about VMware's new gizmo and Microsoft's whizbang licensing!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Get a signed copy of Windows & Linux Integration
  • Subscribe, Unsubscribe, and Usage Information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 12

This is the first newsletter for a LOT of people I've met in the last several months. I've been to:

  • SMB Nation in Seattle
  • Two or three Microsoft TS/2 Roadshows
  • WinConnections
  • TechMentor
  • and more !

So, a big hearty WELCOME to all those people who signed up via giving me a business card at an event.

As you can see, our newsletter format has changed a bit. It's now online as a full web page, instead of being a mail-delivered document. Of course, you got the notification via email -- and that's going to stay the same. The good news about putting things in a web page like this is simple: I can inject graphics and other HTML goodies without getting your spam filters all huffy at me.

Let's get right to the goodies, then I'll give you an update on my 2006 Group Policy Class Schedule and talk about some other stuff.

Technology Takeaway (r), a service of Moskowitz, inc.

Here's what's on people's minds recently...

Can logon scripts be set to run when a user re-docks their laptop? (or otherwise force user login script GPO processing via a command or script?)

Scenario: A notebook user can log on to their computer with cached credentials (ie: not connected to the network.) When this happens, it appears that their logon script that maps their drives does not run. Upon returning to the office they dock their computer, but they still do not get their network drives.

So... Can logon scripts be forced to run when the user returns to the office?

The answer in this case is no. Logon GPOs are processed in the foreground, so since they are already logged on using cached credentials, they only get a background refresh, so the logon script settings in this GPO does not run.

This question was submitted recently via email, and it's a good one (so good, we added to the FAQ at www.gpanswers.com/faq).

Is there any advantage to running a login script from the network or from the local PC?

This is something you should consider for laptop users. If you place a script on the local drive of the client and point the GPO to it, the script will run upon logon even if the laptop it is not connected to the network. BUT, it can only perform tasks that don't require the network, so things like mapping network drives won't work.

Oftentimes, administrators choose to perform tasks like mapping network drives and other things which are simply impossible if the network is not available. However, again, technically, the script is trying to run - even if it cannot perform the command you want.

If you have a script that performs some other action that does not depend on the network, login scripts should perform those actions.

How can I configure a workstation to download updates from my WSUS Server (or SUS I haven't upgraded) instead of Windows update?

Windows XP / SP2 comes with the latest "wuau.adm" ADM template which contains the power you need to point your workstation anywhere you want it to retrieve its updates from. The settings are under Computer Configuration | Administrative Templates | Windows Components | Windows Update as seen here.

 gp

Here you find the following ten settings (a more detailed explanation of each can be found on the settings Explain tab).

  • Configure Automatic Updates

This setting must be enabled if you want to specify the settings the workstation needs to retrieve automatic updates using Group Policy. It is essentially the same as using the Control Panel applet to configure the download option, and the installation schedule.

Note there are four potential settings... #2, #3, #4 and #5 as seen below.

 gp  

When you set up an OU which contains regular workstations, you'll likely want to set this value to #4 -- which will auto download AND install the patches. This can often mean a reboot, so, be sure to educate your users to SAVE their files before going home for the say.

For the least amount of disruption for your users, you'll want to set your installation to happen off hours, say 3.00 AM.

When you set up an OU which contains SERVERS, you'll likely want to set this value to #3 -- which will auto download, but then notify an administrator who logs on locally to that server that patches have been downloaded. The idea here is that you wouldn't want a server just rebooting at 3.00 AM! You want to control that installation and reboot process a little more closely.

  • Specify intranet Microsoft update services location

This setting allows you to point the workstation to the WSUS (or SUS) server in your organization (e.g http://wsus1.company.com). Note that both fields need to point to the same server. It is an invalid configuration to have different entries here.

 gp

  • Enable client-side targeting

In WSUS, you can create groups for your workstations to belong to. Note that these "groups" aren't NT-style groups. I wish Microsoft had called these "collections" to make the distinction. And, what's more WSUS really doesn't hook in to Active Directory beyond this one setting.

The idea is to have several collections, er, groups then approve specific updates differently as you see fit. For instance, you could have a pilot test group before you roll the update out to everyone. Or, you might manage Doctors differently than Nurses.

The one trick here is that you must first pre-create the groups on the WSUS server. Then, once your client receives this setting you're delivering via Group Policy, they'll automatically find the group.

  • Reschedule Automatic Updates scheduled installations

What happens if the workstation is off when it's supposed to be installing your approved patches? In this case, the update will be installed at system startup. This setting allows you to tell the workstation how long to wait after system start before installing the update, and rebooting the workstation.

Be careful not to have the computer wait too long after startup, as your users may start working away and all of the sudden their machine says is about to reboot. Chances are, your user will turn on their computer before they grab their morning coffee, so if you can set the delay to less then five minutes, chances are they won’t even notice!

  • No auto-restart for scheduled Automatic Updates installations

If you have “Reschedule Automatic Updates scheduled installations” setting enabled, you can also enable this setting if you do not want the computer to automatically reboot after the installation. The user will be notified that a reboot is required to complete the installation.

  • Automatic Updates detection frequency

You can tell the workstation how often it should check in with the Update Server by enabling this setting. The detection frequency is the hours specified, minus zero to 20 percent of the hours specified. The default setting 22 hours.

  • Allow Automatic Updates immediate installation

If an update that is approved can be installed without interrupting Windows service and does not restart Windows, it will be installed immediately upon detection if this setting is enabled.

Although an update like this has yet to have been seen, it’s a nice idea, to have the update apply as soon as possible.

  • Delay Restart for scheduled installations

By default, Windows will wait five minutes after installation before rebooting the computer. This setting allows you to specify how many minutes the computer should wait before reboot.

  • Re-prompt for restart with scheduled installations

This setting allows you to set the amount of time that passes before re-prompting that a restart is required to complete an installation of updates.

If you are automatically installing updates and restarting machines after hours, this setting isn’t necessary.

  • Allow non-administrators to receive update notifications

Enabling this setting will allow non-administrators to receive notifications either before downloading or before installation of updates.

Again, If you are setting your computers to install and restart during off hours, this setting isn’t necessary, unless you really want your users to install the updates and restart their computers during the workday.

Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point to how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory -- now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes remaining in 2005:
Nov 28 - 29, 2005: Philadelphia (Berwyn, PA)
(We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)

Dec 13 - 14, 2005: Minneapolis (Bloomington), MN
(We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)

Classes for first half of 2006:

Jan 24 - 25, 2006: Sacramento, Ca
Jan 26 - 27, 2006: Portland, OR
Feb 21 - 22, 2006: San Antonio
(We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Mar 2 - 3, 2006 : Atlanta, GA
Mar 15 - 16, 2006: Washington, DC
Apr 20 - 21, 2006: Oklahoma City, OK
May 15 - 16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does the have distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.  

Additional technical tidbits...

Even though the thoughts in this section aren't necessarily Group Policy related, I thought these tidbits might be something you all would find interesting.

Tidbit #1: Microsoft gets really generous with virtualization licensing Microsoft has a new press release regarding their upcoming virtualization strategy here: http://tinyurl.com/c78kf

There's a lot here, but there's one key sentence which rocked my world (and I quote):

"Licenses for the upcoming Windows Server 2003 R2 Enterprise Edition will allow customers to run up to four virtual instances on one physical server at no additional cost..."

And, this licensing deal is also expected to carry through to Longhorn (Enterprise) Server as well.

In a word: WOW. This means that if you buy one copy of Enterprise server, and you run it virtually, you basically get 4 copies of Enterprise server for the price of one! Now, of course, the key word here is "Enterprise." This is the more (much more) expensive version of Windows Server. Note that Windows Standard server (the less expensive sibling) is left out in the cold here.

The other issue is... is this deal only good when you use Microsoft's Virtualization technology (Virtual PC or Virtual Server?) In other words, if a shop chooses to use VMware as their virtualization platform, does the deal hold up? Well, there's nothing here in this press release which specifically says you can't use VMware if you wanted -- which is good news. However, before rolling out a bazillion (free) copies of Windows R2 Enterprise Server, be sure to consult with your licensing mavens, just to be sure.

Tidbit #2: VMware gets really generous with free virtualization technology!

Rumors have it that Windows Vista will have a free free free built-in version of Microsoft Virtual PC. There will be a small restriction on it, though: you can only have ONE running virtual-machine at a time. I think when VMware heard this upcoming plan, they got a little nervous, and came out with {insert fanfare music here} the VMware Player. The VMware Player takes existing VMware virtual-machines and allows you to, you guessed it -- use them for free anywhere you like. And you're not limited to just ONE running virtual-machine. So, in short, if you've already CREATED your virtual-machine with, say, VMware Workstation or VMWare GSX server -- just copy the files to a friend, give him or her the free VMware Player application -- and -- they're running your virtual-machine! Way to go VMware! It's in beta (thought it looks like production quality software to me.) You can download it here. Again, the only thing you really CANNOT do in VMware Player is CREATE new virtual-machines. Other than that -- it's quite similr to VMware Workstation.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here: https://www.gpanswers.com/book/

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

New Forum in the GPanswers.com/community

Want to have an ongoing discussion about anything in this newsletter? Then head on over tohttps://www.gpanswers.com/community/viewforum.php?f=33

where you can talk with your peers about anything in this newsletter (or previous ones!) Be sure to use the newsletter number when you post!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Sep 2005
04

Issue#11

In this issue:

  • It's Issue 11 ... So much news, I can't take it!!
  • Big News Item #1: Updated Group Policy Book!
  • Big News Item #2: A New Book and a New Website for Windows/Linux Integration!
  • GPanswers.com "Suggest a City" a Success
  • Group Policy Intensive Training and Workshop Schedule Update
  • Technology Takeaway (r), a service of Moskowitz, inc.
    • Three juicy tips and tricks
  • Upcoming Conferences, Appearances, and Classes
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, Unsubscribe, and Usage Information

Moskowitz, inc. and www.GPanswers.com -- Issue 11

There's so much news, I simply don't know where to begin.

First, however, I want to welcome about 100 new people since the last newsletter, which went out only about three weeks ago.

I got to meet a lot of great people in my own home town of Wilmington, DE at a Microsoft / TS2 event.

People here are downright excited about Windows Server Update Services (WSUS), and specifically, how an admin can use GPOs to control WSUS even more granularly than the older Software Update Services (SUS).

We'll address some of those issues in this newsletter, right after we announce all these goodies!

Big News Item #1: Updated Group Policy Book!

I have a Third Edition of my popular Group Policy book (Group Policy, Profiles and IntelliMirror) coming out THIS MONTH (September).

What's more -- you can pre-order a SIGNED COPY!

In this edition, we're building on the last, but adding in the bits and pieces for Windows 2003 / SP1 and Windows XP / SP2.

And, since I cannot leave well enough alone, there are lots of little adjustments and improvements throughout. Here are the TOP 12 things that have been updated since the previous edition...

  1. More "prescriptive guidance" is peppered throughout the book, based on additional experiences over the years.
  2. In the last book, I tested using XP/SP2 *BETA*. I made educated guesses how XP/SP2 *WOULD react*. This time, I made sure.
  3. We had Kevin Sullivan, a fellow Group Policy MVP, as the Technical Editor and reviewer. That means additional assurance of technical accuracy in all areas of the book.
  4. We give guidance about how to deal with XP/SP2's built-in firewall. Because some aspects of Group Policy won't work with the firewall enabled, we give specific guidance on how to deal with this feature.
  5. We've added clearer guidance on what happens during backup and restore operations.
  6. We've added more troubleshooting guidance.
  7. We've added more guidance on how to ensure that you can "see" all the settings for XP/SP2 and Windows Server 2003 / SP1.
  8. We fully cover the Windows Server 2003 / SP1 "Security Configuration Wizard." Specifically, we demonstrate how to make your servers more secure via Group Policy. This is a really big addition for this edition.
  9. We've included some newly updated information regarding Windows Installer 3.0.
  10. ALL of the URLs are "tiny" now. Not a big deal, but now you're not typing in 300 characters for a URL to Microsoft.
  11. We've addressed a notorious quirk when dealing with GPOs. Have you ever had to press "OK" 52 times when editing a GPO? This is "The Retroactive Bug That Ate New York." In this new edition, we squash this bug with a rock.
  12. And last but certainly not least, there are lots of little things that have been clarified, fixed, adjusted, and generally made better.

Oh, and all the web downloads will be updated (really soon!). We've gone through the effort to document every single Group Policy Setting and made these available. Again, stay tuned for updated web downloads just as soon as the publisher releases them!

So, the big question that I'm sure you have is: "Do I NEED this edition?" It's a tough call, because the book DID NOT go through a MAJOR re-write like it did from the First Edition to the Second Edition. Here's what's the same:

  • All chapters from the Second Edition are here again in the Third Edition.
  • The book has the same cast of characters.
  • The book has the same "flow" and the same holistic approach.
  • The scripting chapter is 100% unchanged. (It's the only untouched chapter in the book, though.)
  • In short, it really is the same book.

So, again, the question is: "Do I NEED this edition?"

I know it's not easy forking over your hard-earned dough to get a copy of a book that's, well, very similar to the previous edition. So, how can you make the best decision? Here's my take on it...

  • If you're rolling out XP/SP2 and Windows Server 2003/SP1, I'd say Yes, this new addition is for you. Again, I updated the book expressly for this purpose. And, while I was here, I cleaned up anything I wasn't 100% happy with.
  • If you're NOT rolling out XP/SP2 and/or Windows Server 2003/SP1, then just the "bug fixes" alone aren't worth plunking down the dough to get a copy. The bad news, however, is that the book's "bug fixes" alone are not availableas a download on GPanswers.com. This is because there really were too many pages changed between this edition and the last.

Hopefully, that makes sense, and gives you some direction on whether or not you should get the updated edition.

-If you want a signed copy ($45, includes shipping), the place is www.GPanswers.com/book
-If you want a cheaper copy from Amazon ($32.99), the place is: http://www.amazon.com/exec/obidos/tg/detail/-/0782144470 (For some reason, the cover image says "Second Edition," but I assure you that it's the "Third Edition.")
-If you want an even cheaper copy, from Bookpool ($31.50), the place is: http://www.bookpool.com/sm/0782144470 (Again, for some reason the cover image says "Second Edition," but I assure you that it's the "Third Edition.")

Big News Item #2: A New Book and a New Website for Windows/Linux Integration!

I know, I know. I can hear you from here ... "Whaaa? Jeremy, I thought you were the Group Policy dude. I didn't think you did that 'Linux thing.'" Well, I do.

It's interesting, exciting, and coming to an IT shop near you. And you'd better be prepared for it.

There are plenty of books you can get that try to describe how to "walk away" from your Windows investment and ... blink! ... go 100% Linux.

But there are two problems with the "walk away from Windows" idea:

  • First, it's often not possible. That is, there is a good chance you will always have Windows applications that run your business. And they might never be able to run natively on Linux.
  • Second, it's simply not realistic. Assuming every application could be re-coded for Linux, you've already got a lot invested in Windows desktops, applications, architecture, training, personnel, and more.

And yet, Linux offers undeniable advantages of its own. Compelling open-source applications, like the Apache web server and the MySQL database engine, are available today and will continue to appear. And the option of running these applications on an open-source operating system presents undeniable cost advantages. Yes, Linux has its own costs, such as re-training users and administrators familiar with Windows. But the presence of Linux in your business can save money and solve problems today.

In short, neither Windows nor Linux is leaving this planet (or the datacenter) any time soon. And for that reason, it's more important to be able to cooperatively utilize what "the other guy" has to offer, instead of trying to punch his lights out.

My new book is entitled:

Practical Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

And, along with a book, I'm launching a new web site: www.WinLinAnswers.com
WinLinAnswers.com is similar to GPanswers.com. It has:

  • Its own newsletter
  • Its own community forum
  • Its own downloads (many, many downloads for the book)
  • Its own links and other resources
  • Coming soon, its own Win/Lin Integration Training course
  • And more...

It shares the same look and feel as GPanswers.com and shares the same "Where is Jeremy?" calendar that runs along the right-hand side.

For the record ... No, no, no! I'm NOT abandoning GPanswers.com for other pastures. I am not going to stop living and breathing Group Policy. I'm simply expanding a little bit and hope you'll join me for the ride.

For now, if you want to receive Win/Lin updates, you'll have to specifically sign up for THAT newsletter at www.WinLinAnswers.com/newsletter.

(For the record, I may change my mind in the future and go to one unified newsletter. But for now, they're separate.)

You can find out more and pick up a signed copy of the new Windows / Linux Integration book at www.winlinanswers.com/book.

GPanswers.com "Suggest a City" a Success

People are using the new "SUGGEST YOUR OWN CITY" service. The idea is for YOU to tell ME where you want a Group Policy class.

Simply click on the workshop page and find the link to SUGGEST YOUR OWN CITY.

Or, go directly to www.GPanswers.com/suggest

Once we get 5-7 interested people in the same city, we've got a class!

Maybe your city is already listed? Check it out and add your suggestion. (It takes, maybe, 10 seconds.)  

 

Group Policy Intensive Training and Workshop Schedule Update

Learn more and sign up at: https://www.gpanswers.com/workshop
-or-
Suggest your own city at https://www.gpanswers.com/suggest  

 

Technology Takeaway (r), a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

Q. Can I upgrade from SUS to WSUS?

A. Before we get into upgrading SUS to WSUS, there's good news. If you're still on SUS, Microsoft is providing 6 more months of support. That's a good idea ... because getting to WSUS could take a while. I suggest that if you're working with SUS and want to move to WSUS, you should check out this resource: TechNet Webcast: Migration from Software Update Services to Windows Server Update Services (Level 300)

About the talk (Copied from Microsoft's website):

Marc Shepard, Program Manager, Microsoft Corporation Many customers today use Software Update Services (SUS) to deploy Windows updates across their businesses. During this session, which was highly rated when presented at TechEd 2005 in Orlando, Florida, as MGT350, learn how to upgrade from SUS to Windows Server Update Services, the next version of SUS, to reap the benefits of the enhanced capabilities and broadened application support. Learn best practices and pitfalls to watch out for to help you upgrade seamlessly.

TIP 2

Q. Are there any bugs in the GPMC that you know about?

A. The "GPMC with SP1" has been out for some time, and it squashed lots of the remaining bugs. But not all. Here's one I know of...

If you select a GPO link in the GPMC, select the 'Details' tab, and set the GPO status to 'All settings disabled', the link itself will grey out, but the actual GPO doesn't.

So is it disabled or not?

Actually, it is. Just right-click on the domain name and select Refresh, and the icon will grey out.

Ok, it's not really a tip, but it is something to keep in mind!

TIP 3

Q. How can I script ... ?

A. There are just a GAGGLE of Group Policy goodies waiting for you on your scripting adventure. They are located in a 'scripts' folder in the installation folder of the GPMC.

Samples include a script to back up all GPOs (handy if you want to schedule the backup), a script to find unlinked GPOs, a script to copy a GPO. And lots more. Check 'em out!

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances. So, check it out any time for up-to-date information!  

Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-dayGroup Policy intensive training and workshop classes. These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalizedattention that affords), I'd love to join you on-site!If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does the have distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training!In fact, he dedicated a whole slide to the book, the training,and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of pack is from Joey P, who works for a major retailer writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.
For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)  

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

SPECIAL THANKS

I want to say "thanks" for a killer book review from one of our subscribers, "AVero".

The review was originally posted here.

but is also posted on GPanswers.com here.

Pick one if you're interested in reading it. Thanks again!

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event at some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Aug 2005
05

Issue#10

In this issue:

  • It's Issue 10... Wow.. the big 10 !
  • GPanswers.com Growth Spurt
  • Moskowitz, inc. Technology Takeaway®
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information

Moskowitz, inc. and www.GPanswers.com -- Issue 10

I love it when new people come to my class and they say ..."I think I'm on your newsletter list, but I've never seen one."

Well, the idea is that this newsletter comes out "Whenever I feel like it."

And I feel like it again!

As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

GPanswers.com Growth Spurt

Here's a little collection of updates and facts about GPanswers.com:

  • We have 606 Community Forum Members
  • We have 1,966 newsletter recipients
  • We have seven sponsors and freeware vendors in the Group Policy Solutions Guide. There's more tools than ever in the "GP Solutions Guide." So, be sure to click on the GP Solutions Guide off the main page to check it out!
  • I now have a "Jeremy's GP Resources" section of the website. It's a collection of all articles I've ever published on Group Policy and related bits.
  • I've installed Google Adsense in the forum. Before you throw rotten eggs, and think I sold out to "The Man" this turns out to be a huge benefit. Adsense is sometimes smart enough to actually advertise solutions to problems people are actually having. So, please view this as a service while inside the forums. If you end up hating this, do let me know. (Though I do think it looks pretty unobtrusive.)
  • New "SUGGEST YOUR OWN CITY" service. Simply click on the workshop page, find the link to SUGGEST YOUR OWN CITY. Or, go directly to www.GPanswers.com/suggest Once we get 5-7 interested people in the same city, we've got a class! This is still in beta, but hopefully will help us all out !

     

Technology Takeaway (r), a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

Q. Can I disable the Startup Splash Screen in Adobe Acrobat Reader 7?

A. Yes you can. We've just added a custom adm file in our Tips section at GPAnswers.com. Thanks to Dan Thomson and Neil Toepfer for your help and support.

TIP 2

Q. I just added a custom ADM file (from GPanswers.com or from elsewhere), but I when I edit the GPO, I can't actually *SEE* any of the settings. What's going on?

A. Chances are the ADM settings are _Preferences_ not _Policies_. You will know this for sure if the icon before the setting has a red dot on it, and not a blue dot. In the Group Policy Object Editor you need to click the view menu, and choose Filtering. In the Filteringdialog box, you'll need to clear the last checkbox, which says Only show policy settings that can be full managed. And there you go! Your settings automagically appear!

Unfortunately the filtering setting is not saved when you close out the Group Policy Object Editor, so you need to un-select it every time.

If anyone has figured out a way around this, please let Ron, our tip guy know !

TIP 3

Q. Can I copy the settings from a GPO to another GPO? (From our FAQ)

A. The easiest way to do this is to make a copy of the original GPO, and rename it. Then you will have a new GPO with all of the settings of the original. To do this, open the GPMC and drill down to the Group Policy Objects node. Right-click over the GPO you want to use, and select Copy. Then, immediately select Paste. It will create a new GPO named "Copy of {oldname}". Simply rename it what you wish, and you're in business!

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com)

I have a neat-o calendar that I'm always updating with any public (and private) appearances.

So, check it out any time for up-to-date information!  

Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-dayGroup Policy intensive training and workshop classes. These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalizedattention that affords), I'd love to join you on-site!If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does the have distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training!In fact, he dedicated a whole slide to the book, the training,and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of pack is from Joey P, who works for a major retailer writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.
For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)  

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

HIDDEN EASTER EGG PART OF THE NEWSLETTER

You made it to the end of the newsletter... So, goodies await you!

WS03/SP1 Blocker Tool Available

In the same way that XP/SP2 could be blocked from Automatic Updates, so too can WS03/SP1. If you want to roll out WS03/SP1 on YOUR SCHEDULE, and not automatically accept it via Automatic Updates, I highly suggest you read this FAQ. The link to download the actual tool is found in the little gray box on the page on the right.

Another Group Policy Perspective

My pal Mark Russinovich had an interesting thought or two on Group Policy recently. A very interesting read..It echoes a similar statement I make all the time..if your users are local administrators, you could be in for a world of hurt.  

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event at some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

.If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !