MDM & GP Tips Blog

May 2010

Copier Machine Threat - Hard Drive Scare / Encryption

I came across this little piece of reporting by CBS news.

I have to admit.. I was totally caught off guard by this one.

Seems “gobsmackingly obvious” now that I think about it. But I never did.

This is a report on how all the major brands of copiers STORE the images on local hard drives. Making it SUPER EASY for the bad guys to get your (recycled) copiers and get your important corporate data. Watch this, then, please, figure out who to contact in your company and decide HOW your copy machines are recycled.

What else can you do? Well, from a Group Policy perspective, on our Windows PCs (and not copy machines) here are three ideas:

Idea 1:
Computer Configuration | Policies | Administrative Templates … | System | File System | Enable NTFS pagefile encryption

Idea 2:
“Clear Page File at Shutdown”…
Check out
(not a group policy setting, but can be delivered as a registry preference.)
PS: This one likely wouldn’t beat the forensics apps, but it’s better than nothing.

Idea 3:
You could of course, go “Full disk encryption” like BitLocker or TrueCrypt.. that would do the trick as well.

So, that’s three things to at least CONSIDER in thoughts around this problem for high security machines that COULD be recycled.  True.. I’ve seen companies that literally “shred” the drives in a big “drive cruncher machine”.. but, that seems extreme considering there are software solutions to this very problem.

Note, of course, that enabling these items could slow down your system (especially that second one at shutdown time.) But it might be worth it depending on the situation. For what it’s worth, I’m using BitLocker on one machine, TrueCrypt on another and notice no appreciable slowdown.

Speaking of security, and “doing all you can” to thwart the bad guys… I’m doing my weekly PolicyPak demonstration tomorrow at 2.00 PM Eastern. If you want “extra thumbscrews” to ensure that your security is maintained at all times, then join me for this free informative talk.

Here’s the link:


PS: And my pants are already back on, thank you very much.

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

May 2010

Group Policy: Disabled

Hey Team:

Short sweet tip, and a short sweet announcement.

Short sweet tip first:

You are the King or Queen of your castle, er, domain.

I like to think of every policy setting as a little “edict” that I’m forcing my user population to embrace.

Well, on the Policy side of the house there are a zillion policy settings that can be set to one of three states:

– Enabled,
– Disabled,
– or Not Configured.

Enabled means: “Do this thing, and do it at the level I’m currently working within.”

So, if you’ve got a GPO, link it over to the domain (thus affecting all user accounts in the domain) and Enable a policy setting like “Prohibit Access to the Control Panel.” Then, as expected, everyone in your kingdom will magically embrace the stone-cold fact that their days of messing around within the Control Panel are now over!

Huzzah! Mission accomplished! You and your other network sovereigns cry out with joy!

Except this decree affects YOU as well. Oops… Seems like you poured the burning hot oil on yourself on this one.

Okay.. Great. What are you to do?

Disable that same policy setting from earlier — but now, at a level that affects YOUR (the King and Queen’s men) accounts.

That’s right. Disable.

Disabled’s job isn’t (generally) to “disable” stuff. No, no!

The “Disabled” setting’s job is to “invert” a higher-level policy.

So, assuming you had an OU called “Exalted Leaders OU” and your account was in there, you could simply create a new GPO, link it over to the OU named “Exalted Leaders OU” and edit the policy setting for the SAME SETTING — “Prohibit Access to the Control Panel.”

Except this time.. instead of ENABLING the policy — you’ll DISABLE it, thus rendering it innocuous to your user account.

It’s like your own “suit of armor” to avoid the burning hot oil.
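The precedence described above, modelled as an added example (not code from Windows or from the original post). It goes one step beyond the post by also modelling an Enforced link, which an OU-level "Disabled" cannot override. The names `GpoLink`, `resultant()` and `scenario()` and the two GPO names are hypothetical, and Block Inheritance, security filtering and WMI filters are left out.

```python
from dataclasses import dataclass, field

# Scope levels in processing order; a higher number is applied later and so
# wins a conflict. Nested OUs can use OU + depth.
LOCAL, SITE, DOMAIN, OU = 0, 1, 2, 3

POLICY = "Prohibit Access to the Control Panel"


@dataclass
class GpoLink:
    name: str            # hypothetical GPO name
    level: int           # where the GPO is linked
    # policy name -> "Enabled" or "Disabled"; a missing key is Not Configured
    settings: dict = field(default_factory=dict)
    enforced: bool = False


def processing_order(links):
    """Normal links run top-down; Enforced links run last, highest scope last."""
    normal = sorted((l for l in links if not l.enforced), key=lambda l: l.level)
    forced = sorted((l for l in links if l.enforced),
                    key=lambda l: l.level, reverse=True)
    return normal + forced


def resultant(links, policy):
    """Return (state, winning GPO name) for one policy setting."""
    state, winner = "Not Configured", None
    for link in processing_order(links):
        if policy in link.settings:      # Not Configured never overwrites
            state, winner = link.settings[policy], link.name
    return state, winner


def scenario(in_exalted_ou, ou_state=None, domain_enforced=False):
    """Build the links that apply to one account and resolve POLICY."""
    links = [GpoLink("Domain Lockdown", DOMAIN,
                     {POLICY: "Enabled"}, domain_enforced)]
    if in_exalted_ou:
        settings = {POLICY: ou_state} if ou_state else {}
        links.append(GpoLink("Exalted Leaders Exemption", OU, settings))
    return resultant(links, POLICY)


if __name__ == "__main__":
    print("regular user:          ", scenario(False))
    print("leader, Disabled:      ", scenario(True, "Disabled"))
    print("leader, Not Configured:", scenario(True))
    print("leader vs Enforced:    ", scenario(True, "Disabled",
                                              domain_enforced=True))
```

Every "Disabled" override of a lockdown setting is an exemption, so the OUs that carry one are worth listing when you review who is exempt from which restriction.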

Try it out and let me know what you think, either in the comments of this blog post on

Okay.. and now for the short, sweet announcement:

That is.. the upcoming Washington DC (Northern VA) class — July 19th is OFFICIALLY ON.

We already have 10 people signed up with guaranteed seats, and another 9 people “swearing on a stack of Group Policy Bibles” that they are working on POs and whatnot.

Since we only have so many seats, ensure your butt is in the right place by securing your seat before they’re all claimed!

Go to

And to answer your question before you ask it: Yes, yes.. the class is fully updated for WS08 and Win7. The result is that after the class is over, you’ll actually KNOW WHAT TO DO when you’re rolling out and managing Windows 7 and Windows Server 2008 and R2.

On that page, you can:

[] Read what the class is all about, and check out the hands-on lab content.
[] Watch the 20+ video testimonials.
[] Click SIGN UP and we’ll send you a Welcome letter. 

Oh, again: Everyone taking the class gets my newly updated book (Which, by the way, is FLYING off the shelves here at GP H.Q. Thank you, thank you, and sincerely thank YOU for being so enthusiastic and supportive.  My publisher says thanks, too.)

On Amazon it’s ranked #2 in “Networking books.”  Awesome!!

() Get your own signed copy:
() Get it on Amazon..

PS: Hey.. who’s gonna help me out and write some nice stuff on Amazon about the book? Thanks in advance !

Apr 2010

What is AGPM4?

(Note: This tip may look familiar. It’s a “re-do” of something I blogged about back in 2008, but I wanted to re-talk about it, adding some new 2010 Juice to this 2008 discussion.)

Note: UK & European people / Aussie & New Zealand people… I have a special request at the VERY END of this email, so, please don’t ignore ! Just jump to the end right now if you only have a second.

Okay.. on with the deep thoughts of the day:

Dealing with GPOs can sometimes feel like you’re juggling grenades.

As soon as you open a GPO for editing, it’s already whizzing around your network, replicating around your DCs and potentially available for any clients looking for an update.

What if you’re in the middle of editing a GPO and you suddenly get called away, with, say a half-finished GPO?

Well, it’s likely at least SOME Windows machines will ask for that update and download it.

Also, I don’t know about you, but even with my daily GP comings-and-goings, I still kinda wish there was an “Are you sure?” prompt when I’m editing stuff or for when I’m about to do a bone-headed move.

Let’s think about all the times I wish I could put some process around my GP world. For instance, there is no “Are you sure” when…

() Creating GPO
() Editing GPO
() Linking a GPO
() Deleting a GPO

You get the idea. There’s a lot of potential for quick damage there.

And, no way to see history of a GPO and “roll back” a set of changes once a GPO is rolled forward (though there is manual backup and restore capability.)

That’s why I like products that put a little “process” around GP management.

Microsoft’s AGPM v 4.0 was recently released as part of the MDOP subscription service, and it’s got some neat-o features. Since AGPM 3.0, there are a handful of new items, but nothing too radical.

It’s strange, but I ask a lot of people if they’ve even HEARD of Microsoft’s AGPM (Advanced Group Policy Management) product, and I often get blank stares.

So, in the interest of GP Public service, I’m here to clear up what it is and what it does. Let’s spend a quick minute discussing what it is and how to get it.

What it is: It’s one of the 6 tools which are part of the Microsoft Desktop Optimization Pak (MDOP).

What does it do: It puts “Change management” around GPOs, so you have a full trackable history of what people did plus a way to roll back if there are problems.

How to get it: MDOP is a yearly subscription service which is only available to Microsoft SA customers who then ADDITIONALLY pay about $10 a seat, PER year.

Holy moly factor: Yep. With the SA costs and the yearly ongoing $10 a seat, it can be expensive, but because MDOP is a set of 6 products, it’s actually a pretty good bargain overall. But it’s pretty understandable to have a strong reaction to the cost.

AGPM’s Philosophy: You can think of AGPM almost like a library system. (At least, that’s how I think of it.) Only one person can have a GPO “checked out” at any given time for editing. And those edits don’t happen ONLINE and LIVE. They happen OFFLINE and are trackable. Essentially removing any direct impact to live computers — until you’re ready to rock.

What’s new in AGPM 4.0 vs AGPM 3.0: There’s a smattering of stuff, but here’s the hitlist:

() Searchable names and fields within the “Change Control” node
() Windows 7 and Windows Server 2008 R2 compatibility
() Export / Import from “test lab” to “production” domain or forest

Note that two COMMON MISCONCEPTIONS about AGPM are:

1. You have to deploy some “client” or “agent” to every machine. False. Totally false. Yes, AGPM has a “client” piece, but it’s just a fancy way to describe the “GPMC-add-on” piece which shows the AGPM stuff within the GPMC.

2. You get the ability to control “more stuff” on your target machines. False. Totally false. Remember: Group Policy “magic” only occurs when you have a new CSE (client-side extension) on your target machine, which can pick up your “directives” inside the GPO. AGPM doesn’t do this. Products like Specops Deploy, BeyondTrust Priv Manager, and PolicyPak Application Manager all ship “true CSEs” which extend Group Policy’s magic and ability. AGPM does no such thing.

So, are you using AGPM? Here’s my one-question survey:

PS: If you have no plans to be an SA customer and then get the MDOP suite, then note you can get MDOP-comparable functionality from 3rd party vendors, like NetIQ with their GPA product, Quest with their GPOAdmin product, or ScriptLogic with their Active Administrator product.

In the effort of full disclosure, note that some of those 3rd party vendors do occasionally advertise on (but they didn’t know this email was going out until.. well, right this second.)

Other notes:

1. My new book thoroughly covers AGPM 4.0 in a deep, deep way. And, that chapter is totally, totally FREE. Head over to and click eChapters and find the AGPM chapter on the LEFT (GREEN) side. It suggests a way for you test this all yourself. You’re then also in the “right place” if you wanted to get your own signed copy of the printed book to get the rest of the story.

2. I’m doing a “Do more with Group Policy and PolicyPak” LIVE demonstration TOMORROW at 11.00 AM EST (weird time, I know.). But sign up for the free live demonstration at See you there !

3. We’ve got lots of PEOPLE COMING in my upcoming class in Washington, DC / VA July 19th. Some discount seats still left. Honestly, these will not last long. $200 + Free book for the next three people who sign up at and use discount code FIRSTFIVEDC at checkout.

4. If you’re in UK / Europe and might want me to have a public training class over there, please click this link:

5. If you’re in AUS or NZ, and might want me to have a public training class over there, please click this link:

6. If you’re “happy and you know it” .. clap your hands. Just seeing if you’re paying attention.

Thanks for reaching the end of this long email.

PS: Going on vacation for a week after my talk on Friday. Diane is here all week if you need a PO for the class or any other special situation. 302-351-4903. Thanks Team !

Jeremy Moskowitz (Group Policy Community) (PolicyPak Software)

Mar 2010

Use the GPupdate /force (Part 2)

So, in a previous installment, we explored GPupdate /force.

One use, as we examined, enabled us to move a user or computer account around in AD and have its new location “magically picked up.”

Let’s examine the other use of GPupdate /force. Let’s take a closer look at how “GP does its thing.” When a user (or computer) gets its first batch of GPOs, it has to download them.

Now, the good news is that WHAT it downloads is really, really small. Usually 1, 2, 3 or 4k ish. That’s KILOBYTES, like what my VIC-20 was packin’ back in the day.

So, okay. First myth busted: the download “payload” of Group Policy objects isn’t that big (under most circumstances.)

Now, it’s true that the stuff the GPO is DOING can have an impact. But, even then, it’s usually pretty nominal if you’re sticking mostly to GPPrefs and/or Admin Templates (registry settings.)

Okay. So, back to /force versus no /force.

So if your user or computer is just sitting there a while, it asks, every so often “Hey.. any updated (or new) GPOs out there for me?” If the answer is YES, it downloads JUST the new or changed GPOs and processes those.

Wow. Neat. So how does it KNOW which ones are NEW or CHANGED? The GPO Version number, of course. This is a little internal counter (found on both the user and computer sides.) If either version changes, then blamo! the GPO comes down and is processed.

Okay, okay. Back to /force versus no /force.

When you run GPupdate by itself (no force) you’re “accelerating the hands of time” and forcing the user and computer side to ask “Hey.. any updated (or new) GPOs out there for me?” Again, if YES, those come down and apply.

Then why would you ever NEED /force ?

Honestly, under most circumstances.. you shouldn’t.

A key case when you WOULD need the /force would be, say, if someone with local admin rights did a no-no, like changing a value that only the protected SYSTEM should get to change. For example, a local administrator might delete a registry key that restricted access to the Control Panel. Now — REGULAR USERS cannot do this. But ADMINS can.

Then running a GPupdate — by itself — wouldn’t fix the problem. Only a GPupdate /force will “re-bring down” the settings — EVEN IF THE VERSION NUMBER HAS NOT CHANGED. Only this will shore up the hole that local admin has created.

That being said… On the other hand, I have seen plenty of times where GPupdate /force is like a kick to the system’s head. There is some magical quality about /force which does sometimes “jumpstart” you out of a problem, and .. whoa.. things seem to “just be all a-ok, ducky” right now.
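The version check and the effect of /force, modelled as an added example (not Windows code and not from the original post). It also adds a `drift()` check that reports mandated values missing on the client. `Gpo`, `Client`, `gpupdate()` and `drift()` are hypothetical names, each GPO gets a single version counter where real GPOs keep separate user and computer versions, and the GPO name and registry path are illustrative.

```python
from dataclasses import dataclass, field

# Illustrative registry value behind the Control Panel restriction.
NO_CPL = (r"HKCU\Software\Microsoft\Windows\CurrentVersion"
          r"\Policies\Explorer\NoControlPanel")


@dataclass
class Gpo:
    name: str
    version: int      # bumped on every edit of the GPO
    registry: dict    # value path -> data the GPO writes


@dataclass
class Client:
    registry: dict = field(default_factory=dict)
    seen_versions: dict = field(default_factory=dict)  # GPO name -> version


def gpupdate(client, gpos, force=False):
    """Process GPOs; without force, skip any whose version is unchanged."""
    processed = []
    for gpo in gpos:
        unchanged = client.seen_versions.get(gpo.name) == gpo.version
        if unchanged and not force:
            continue                      # client believes it is up to date
        client.registry.update(gpo.registry)
        client.seen_versions[gpo.name] = gpo.version
        processed.append(gpo.name)
    return processed


def drift(client, gpos):
    """Values the GPOs mandate that are missing or different on the client."""
    expected = {}
    for gpo in gpos:
        expected.update(gpo.registry)
    return sorted(k for k, v in expected.items()
                  if client.registry.get(k) != v)


def demo():
    """Walk the tamper scenario and return what each step processed."""
    gpos = [Gpo("Lockdown", version=3, registry={NO_CPL: 1})]
    pc = Client()
    out = {}
    out["first_run"] = gpupdate(pc, gpos)            # initial download
    del pc.registry[NO_CPL]                          # local admin removes it
    out["plain_after_tamper"] = gpupdate(pc, gpos)   # version unchanged
    out["drift_after_plain"] = drift(pc, gpos)       # restriction still gone
    out["forced"] = gpupdate(pc, gpos, force=True)   # reapplied regardless
    out["drift_after_force"] = drift(pc, gpos)
    gpos[0].version = 4                              # GPO edited on the DC
    out["plain_after_edit"] = gpupdate(pc, gpos)     # picked up without force
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:20} {result}")
```

On real clients, the Group Policy processing option “Process even if the Group Policy objects have not changed” makes the background refresh reapply settings for an extension without anyone running /force by hand.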

Has the /force helped you get out of a pickle? Post your story to my blog.

Ready to learn more? Group Policy University.. Live or Online.

Next Live.. the week of Seattle April 19th.
Online.. whenever you need it.
One line:

Jan 2010

Oodles of Great News today...


Several pieces of good news this week !

1. LAX Class — On on on ! March 22 – 26th.

We’ve got the first seven people signed up for my GPanswers five-day training class !

That means the class is ON ! Now, the only problem is.. will you be able to get one of the remaining seats?

If you were waiting for the class to be OFFICIALLY ON, well, we are now. So, don’t miss out.

Sorry, we cannot “save you a seat.” You can save your own seat when you use a credit card or utilize a PO. Then, your seat is GUARANTEED. Sign up at…
or call Diane at 302-351-4903 for POs / special arrangements.

Special deals available for “Lone Wolf or Self-Pay” consultants, and discounts available when you sign up 3 or more.  Must call Diane to take advantage of these specials.

Sign up today. See you in LA.

2. I’ve been granted another year as an Enterprise Mobility MVP. There are exactly nine GP MVPs. Yowsa. Anyway, thank you for supporting my efforts here.


3. Speaking of thanking you.. check this crazy picture out… (safe for work.)

This is a picture (you can see the flash) of something printed in SQL Server magazine. Remember that “Community Choice” award survey I asked you to fill out? Something must have worked and you must have told two friends, because of all the websites… we came in #3 overall.

Holy cow.

We even beat out the MAGAZINE’S OWN website (the one who took the survey !)

What? Must have been a “rounding error” or something, but I’ll take it.


4. There’s a GPPreferences hotfix / rollup now available for Windows Vista clients.

There’s no new functionality in here (and some is slated to come, retroactively for Vista at some point..) But this is a nice hotfix rollup if you’re using Vista clients.

5. Team… I want to expand the GP FAQ we have online at Do you have a BURNING FAQ question you want answered? If so, send me an email with the subject line of BURNING FAQ, and I’ll try to answer it in an upcoming Tip of the Week / online in the FAQ section. Remember: Subject line of BURNING FAQ, and please, hold-yer-horses for an immediate answer. I’ll be hand-crafting the answers of the ones I pick and then presenting those answers at a later time. I likely won’t be able to answer all. I hope you’ll understand.

That’s it for now. Thanks team. You’re the best! Have a great 2010, and see a bunch of you lucky ones in LA in March!

Jeremy Moskowitz
Twitter: jeremymoskowitz (Group Policy Community)    (PolicyPak Software)

Dec 2009

Backup Tips for the 21st Century: Backup procedures so easy, your Mom could (and should) do it.


“Jeremy Moskowitz’s guide to how to backup your computer (which should be enough for most people)”

In a departure of my usual stuff here, this guide is not specifically geared toward IT managers or even IT pros. Rather, this is a guide that you should give to anyone and everyone you know with a computer.

IT backup and restore procedures will be significantly different than this. This is for “regular Joe and Jane” with one, two or maybe three computers in the house.

I wrote this document up after I saw this picture (See below). In short, you never know what is going to happen to your data.

There are *SEVEN* things you need to do to keep absolutely safe.

Omitting any of these steps is not advised, but I can see if you only did just ONE, you would still be BETTER OFF than most. Doing all seven is a near guarantee you will not be “up the creek when the water really hits.”

The Motto I live by: “There are people who back up their data, and those who will.”

That’s because DISK DRIVES ALWAYS FAIL.  ALWAYS. It’s a guarantee.  Even the newest ones with no moving parts. They all fail. Eventually.

Read more to discover how “mere mortals” (not IT folks) should be backing up their data to prevent disaster.


Look at this picture. Ow. You never know what’s going to happen.

I know.. You’re thinking “Holy cow, Moskowitz. Really? Seven things I gotta do? You’ve got to be kidding me.”

Sorry. Yes. One method isn’t enough. Two *CAN* be enough. But you cannot count that any ONE method will always work.

That’s why you need at LEAST TWO. And the others are GOOD IDEAS.

Let me explain how I do it, and you can copy or otherwise parrot what I do. Or not. For the record, I haven’t lost any data since 1994, your mileage may vary.

Thing #1: Get an online backup service.

() What is it:

It’s a little application that runs on your PC or Mac and constantly backs up your files to the online service thru the Intertubes. I use (don’t sign up until you read this whole thing.) Others seem to like

() How does it protect you:
You tell it where your “data” is.. (or let it decide) and if you DELETE a file, or a directory, you go online and RESTORE it.

() What happens if I blow away my whole hard drive or change hard drives
You can get it all back.. your data. Pictures, docs, etc. Not applications. You can transfer your subscription to other computers at the same time.

() What about applications I’ve installed:
You should have another copy of these somewhere. At least a LIST of what’s important, offline, somewhere. See my answer a little later.

() What about if I overwrite a file by accident
Carbonite says they keep 3 months of backups of a file. Never used it.

() What does it cost:
$55 a year for “all you can eat.” Multi-year discounts. Get it. It’s a freekin’ no-brainer. $55 a year per computer.. GIGS of storage. They do not monitor.

() Mac and PC?
Yes. Get it.

() Do I need to license each computer in my house?
Yes. Do that.

() Does it take 90 years to upload all my stuff?
Yes. The first time is quite painful for your internet connection. After that, easy.

() Are there other backup services like this?
Yes, lots. I happen to use this one. Others like

Thing #2: Get a full-disk backup program

If you’re not using Windows 7, do that soon. Inside Windows 7 is a very decent “Full Disk backup” program. XP has one too, but it’s not quite as good.

In Windows 7, just type “Backup” at the start prompt. The Windows 7 default backup routine is to take a full disk backup. Macs have a built-in excellent program called Time Machine. Check it out, and use it.

If you’re using XP, or even Windows 7, I might suggest something like

This takes a full SNAPSHOT of your machine, (and increments) and puts them on an external USB disk (more later). When the shit hits, you boot off a CD (that you make) and .. whamo.. pull from your recovery backup.

Thing #3: Backup to an external USB drive (and back up MOST important stuff here.)

In Step #2, you saved an “image” of your PC somewhere. Where? Here. External USB disks are just DIRT CHEAP.

Here’s 250GB for $59.99. More Googling will yield better results, even.

Get two or three. See next FAQ for why.

Thing #4: Don’t keep all your backups / computers in your house !

Keep one backup in the house, another at your Mom’s or in the safe at the bank. True, the bad guys can break in and steal your backup at Mom’s, so a safe deposit box is better.

Why are you doing this “offsite backup?” So, if your house burns down, so does your laptop, -AND- the backup you have in the house. Having another at your Mom’s or in the Safe at the bank is a GOOD IDEA.. But this takes DILIGENCE.

I know someone who did thing #3 (above) but his laptop *AND* his backup were caught in a flood. If he did Thing #4 as suggested here, he would still have been protected.

So, what do *I* do? Every Monday, I rotate to have TWO in the bank and ONE coming back to me for making a new backup.

If you have EXTRA room after thing #2, then make a DIRECT copy of your MOST IMPORTANT STUFF directly to the external disk drive.

Why? Because if something got CORRUPTED in the backup of step #2, you at least have YOUR MOST IMPORTANT STUFF as just regular “plain ol’ files” for you to recover.

Just plug in your USB backup and, COPY BACK.

Thing #5: Rotate between AT LEAST two, possibly three USB drives.

This is similar to #4, but three is better than two. This gives me THREE weeks to get something back from the dead if I messed up.

Thing #6 Keep copies of your ORIGINAL disks, downloadables, KEYCODES and Drivers.

I have some key “special” folders in case I need them:

() Keycodes: c:\data\keycodes. It has WORD and TXT files with all the keycodes of everything I’ve ever bought.

() ISOs: c:\ISOs. This is a collection of the DVDs and CD-ROMs I have physically purchased, including Quickbooks and Microsoft Visio. To make ISO files, consider

() Drivers: c:\Drivers. This has every driver I would need to get my laptop and desktop systems back going again (sound, video, network, disk, etc.)

This collection is enormously helpful if I need to restore them or repair them, or I’m building / re-building a system.

For instance, this week, I built a new Windows 7 machine last Thursday and was up and running in 3 hours because I had all my ISOs, keycodes and drivers — all in one place, ready to go.

Thing #7: Test your restore procedure.

This can be really tricky, especially for item #2 (full snapshot backup.)

For laptops, invest in a second hard drive, even if you use it JUST for this test. That’s right. For about $100 or so, you can get, say, this drive:

And then TEST RESTORE from Step #2 onto this drive. MOST laptops can quickly pull out the drive, replace it with this new drive, and allow you to test your restore in full.

Then, when your test is complete, keep using that disk, or swap back to the original. Do this every 3-6 months or so.

For Desktops.. same deal. Get another drive. Get a technical friend to help you if you need to. It IS harder on a desktop than a laptop.

But do TRY to do a similar “full recovery” test. You will be SO GLAD you did this NOW and find problems NOW, as opposed to WHEN the problem occurs and you cannot correct from it anymore.

If you don’t want to do this, at LEAST try to perform test restores of your DATA from your ONLINE service and your external USB-drive extra-copies.

For extra credit, try to recover data from ANOTHER COMPUTER, in case yours becomes a smoldering mess or you drop it in a lake or something.

Other advice:

1. If you do just ONE thing on this list, do #3. You’re a total fool if you do not at this point because USB disks are so cheap, and they work on Macs and PCs.

2. It’s better to do ONE of these than NONE of these. I’ve outlined 7 steps here. But if you only want to do one, but do it religiously, it’s better than doing NONE.

3. Don’t count on one method working 100% of the time. That’s why I use three methods and hope ONE of them works when the time comes.

4. Keep it simple. The LESS COMPLICATED your backup and restore procedure is, the better.

5. If all else fails, and you didn’t listen to me AT ALL, and your hard drive dies, and you DON’T KNOW WHAT TO DO, go here:

For a SMALL FORTUNE, they will open your hard drive and try to recover your data.

It’s not surprising that these companies stay in business. Most people do not back up. Will you pay NOW (cheap backup) or LATER (expensive recovery service that doesn’t always work?)

It’s up to you.

That is all.

Good luck.

Dec 2009

Office 2010: How are you going to deploy it?

The Office 2010 deployment story using Group Policy doesn’t get any better than Office 2007. You could argue it gets worse. There is no longer any possible way to deploy Office 2007 via Group Policy (outside of 3rd party tools like Specops Deploy.)

I found this plucky little document entitled “Deployment Options for Microsoft Office 2010” found here

In short, there’s a PDF, Visio and XPS document showing Microsoft’s sanctioned ways to deploy Office. Yes, Group Policy is on the list, but it’s the same way as Office 2007: Group Policy using Startup Scripts.

Just for fun, I tried deploying Office 2010 using Group Policy Software Installation. No dice. There’s a single error message in the event log with a non-obvious message about the failure.


So, here are the official steps (which will work for both Office 2007 and Office 2010). This is my suggested method for deploying, since the other options are spendy.

Step 1: Create a config.xml File
We saw the Office 2007 version of this earlier. It’s the same idea in Office 2010. It’s used when clients initially install Office 2010. You can set the installation to be silent, for instance.
At last check the Config.xml file for Office 2010 was documented here… Shortened to

Step 2: Create a Custom MSP File
Like Office 2007, the Office 2010 config.xml file in Step 1 can only take us so far. Again, to create more Office simply run setup.exe /admin, and - voila! - the Office 2010 customization tool.
At last check the Office Customization Tool (OCT) can be found here: Shortened to
Again, it produces .MSP files.

Step 3: Place your MSP in the “Updates” folder
At installation time, you can have clients embrace the customizations you set in Step 2. Simply put the MSP file in the “Updates” folder on the network installation point of Office.

Step 4: Use Startup Scripts to Deploy Office 2007 or Office 2010
Use this suggested startup script to kick off your Office 2007 or Office 2010 installation:
You can use the script to ensure that you’re selecting the proper config.xml file you created in Step 1.

Optional: Re-Patch Your Target Machines
You can always create a specific MSP file for a specific machine or two using the OCT. For instance, maybe you just want one or two machines to not have Microsoft Access 2010.
After creating the MSP file, use the information about msiexec /p I detailed in the section “Using MSIEXEC to Patch a Distribution Point” in my book.

Except you don’t update the distribution point. Instead, you patch the specific machines, individually.

You’ll likely need another startup script to figure this out if you want to target specific machines.

If you’ve found a creative way to work around these Office 2007 or Office 2010 issues, I want to hear about it. Be sure to e-mail me and let me know your best techniques for deploying a customized Office 2007 or Office 2010 installation using Group Policy.

Nov 2009

The WSJ missed the point

I read the paper every day. I get the Wall Street Journal delivered to my house.

Say what you will about the Wall Street Journal, but there’s some (usually) great stuff in there.

Anyway, on Monday there was an article called

“It’s a FREE country… so why can’t we pick the technology we use in the office?”

You can catch up with the article here

But I think the WSJ missed the point. The article’s premise is about why we (IT) continue to use older technology.

First off, if you look at the “Green IT” picture they have (with the birds) you can see that’s an Amiga 500 keyboard with a drawn-in monitor on top.



Here’s the premise (quoted directly from the article):

Companies now have an array of technologies at their disposal to give employees greater freedom without breaking the bank or laying out a welcome mat for hackers. “Virtual machine” software, for example, lets companies install a package of essential work software on a computer and wall it off from the rest of the system. So, employees can install personal programs on the machine with minimal interference with the work software.

In my case, I’ve installed a search engine called Google Desktop that lets me quickly scour my hard drive for files, and a product by Xobni Corp. that does something similar for Outlook email, even though neither is approved by my IT department. And those programs have made a world of difference. In a simple test, it took Outlook two minutes to track down an email from a few months ago, based on a few search terms. Xobni found the message before I finished typing the words.

Ow. Sorry, WSJ, you’re missing it guys.

I’m not exactly sure where to start, or how long I want to rant here, so, I’ll just tackle one or two points here.
Here’s the “Jeremy Op-Ed” part…

These “let users do what they will” strategies may, yes, may indeed work out. But not in all cases. They do certainly work out great in “free-wheeling” offices with low numbers of users, and tech-savvy users. They can work where users are willing to partially pay for the direct and indirect costs involved.

This relates to my world. Heck — I actually use Xobni too, and it’s great. But it didn’t work for a while, and I had to spend my own time figuring out how to fix it.

But this strategy is simply not for everyone.

Ultimately, giving up control to the users means more work for an already-overworked IT department.

Giving choice to users opens up scenarios that most IT departments would not like to think about.

“Sir, are you running IE, Firefox, Opera or Safari? Great. Um, let me Google, er, Bing to see how to clear out the cache.. hang on.”

(Meanwhile that support call cost the company $125 in hard or soft dollars.)


I’m all for giving users what they want — if they can support it themselves and not drain IT resources. But the reality is that in most enterprises, giving users “more stuff” ends up meaning “MORE WORK” for us, the IT department.

The WSJ goes on to detail one company (Kraft) which allows employees to choose non-standard Macs instead of PCs.

PS: I’m NOT anti-Mac, by the way.. I’m anti-de-standardization. (Hey, I just made up a word!)

Employees who choose Macs are expected to solve technical problems by consulting an online discussion group at Kraft, rather than going through the help desk, which deals mainly with Windows users.

Is this the right solution to the problem? Can users be self-supporting in a complex environment like yours?

And what about virtualization? The WSJ’s idea that you can just give em a VPC and go seems shortsighted to me. Those machines still need patching, lest they get infected and spit evil goo upon other virtual and real machines. There’s no mention of the enterprise-wide virtual desktop issue.. Things that Microsoft Med-V and VMware’s ACE try to solve.

Long story short… I think the WSJ missed the point.

We (IT) don’t control because we WANT to. We control because we HAVE to.

Group Policy is the “in the box” way to control Windows machines. We make things “more standard” to make them “more supportable.” More supportable means that we, in IT have a limited set of issues to troubleshoot, instead of an UNLIMITED set to troubleshoot. (At least we hope.)

I’m all for more freedom, if it doesn’t take US and OUR EYES away from the prize.

What’s the right way to handle this?

Maybe we should all be running Amiga 500s. (I kid.. I kid.. I’m a kidder.)

Comment on my BLOG to continue the discussion.

The link is here:

Thanks team!

Thing 4: Gold for the Price of Silver (Repeat from Monday!)

I am running a little “Special” on my Group Policy Online University classes. I have exactly SIX people I can offer this deal to, so here goes:

-You get the GOLD kit for the price of the SILVER kit.

What’s in the GOLD kit? Check out
and read item #10 for what, exactly, is in the box.

Oh, and you get FIVE “mentoring credits” to use with me — for your own personal course troubleshooting.

And, longer view times, extra perks, yada yada yada…

So, if you’ve always wanted the killer GOLD kit,
but wish it was at a discount,
I have exactly SIX gold kits I can do this for.

So, head over to
click the GOLD kit.

Then, at checkout time, use coupon code
for your “Gold for the price of Silver” kit.

Note the discount taken off means you’ll still have to pay for shipping ($50); the deal is good, but hey, I’m not crazy.

Again, six kits only at this price. When they’re gone, they’re gone. Don’t delay if you’ve always wanted one!

This just in from someone who finished the GPU online courses:

Jeremy is absolutely the best presenter and instructor I have seen. I really would like to get the same type of instruction for other IT courses. He has a wonderful way of sharing his knowledge in a simple, effective way that leaves you thinking “Wow! That makes so much sense.” After taking his “Group Policy Online University” courses and reading his books I feel like a pro — truly understanding Group Policy. And whenever I have a question, Jeremy is always there to help. I really liked the fact you can review the online course TWICE. It’s almost like getting TWO courses in one. Add in his weekly tips and simply you can’t go wrong. Thanks Jeremy — and your staff for creating a great learning experience that I benefit from every day.

— Glen Morris, Network Administrator, Mondial Assistance

Thanks Glen! Glad you’ve got that “GP stuff” handled at this point and ready to make your company more productive!

Who’s ready to learn and be like Glen? Is it you?


GOLD4SILVER at checkout time.

I’m practically handing you over the keys to the car. Get smarter starting today.

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

Oct 2009

Windows 7: Yada, Yada Yada

Today’s the day where you’re going to start to be bombarded with bajillions of messages about how Windows 7 is the best operating system ever produced.

Look, that’s not for me to say — history will shake out and tell us all over time. It might end up being the best selling operating system ever produced; and it might have already even hit that mark for all I know, but that’s another topic.

Here’s my 2¢ of Jeremy wisdom (if there is such a thing)..

In the coming days, weeks, and possibly months, you’re going to hear about every possible Windows 7 feature under the sun to “make your life better” and “more wonderful” and “Oh, look! Shiny shiny shiny.”

I don’t have any beef with features like Multi-Touch, or Aeropeek or Aeroshake.

(Okay, well, maybe Aeroshake… I’ve turned it off.)

But as IT Pros and managers, we need to be focused and ready to understand what’s important to US and our businesses, versus all the gook from TV advertisements, Twitter tweets, and fancy-pants demos.

Indeed, Microsoft’s pseudo-tagline for Windows 7 is “A billion options.”

Ow. That kind of hurts my brain.

I guess what I’m trying to say is: It’s ALL good stuff. But, in the words of the late Clara Peller, “Where’s the beef?”

And here’s the good news: there IS beef there. It’s just that we, as IT geeks, need to be conscientious and thoughtful about discerning and filtering out the incoming “shiny, shiny, shiny” messages from the “what really matters” of Windows 7.

So, in the days and weeks to come, with all the hubbub about Windows 7, we should try to focus in on key points where Windows 7’s new technologies can help our business grow, and be prosperous.

If I had to pick three areas to focus on initially (to get the most bang for the buck) I would focus on…

Management: Group Policy improvements, GP Prefs improvements

Efficiency: GP + Powershell, Powershell for other non-GP tasks, DirectAccess

Security: AppLocker for system protection, Bitlocker for whole drive encryption

That’s not to say there aren’t OTHER areas to possibly focus on; these are just my opinions.

So, welcome Windows 7. It’s shiny. It’s beefy.

Let’s eat!

PS: This blog entry is on the home page of Re-Tweet if you like!

PS: Tip… Online Group Policy Training at gets you a jump on Windows 7 today.

PPS: Note… I have one seat left for the live Orlando class next week. If you think you can make a miracle happen and join us, you HAVE TO CALL us at 302-351-4903. No more seats available thru the website.

Oct 2009

The Case of the Missing Group Policy Settings


Check this out.

Let’s say you had a Windows 7 management machine and also a Windows Server 2008 (or 2008 R2) as your management machine. (In “Jeremy-parlance” a “management machine” is where you run the GPMC from.)

Turns out that on Windows Server 2008 and 2008 R2, there’s a gaggle of “extra” policy settings!

Seriously, this is weird, so stick with me.

Click here:
…and you’ll see the Windows 7 management machine view of the Computer Configuration | Policies | Administrative Templates | System | Group Policy node.

Click here:
…and you’ll see the same thing, except seen from a Windows Server 2008 management machine.

So, what are these “missing” definitions?

These are the settings used to control, manage and monitor the Group Policy Preferences settings. The very “way” GP Prefs “operates.” You’ll see specific Group Policy Preferences items like “Printers Policy Processing”, “Shortcuts Policy Processing”, “Start Menu Policy Processing” and all sorts of other Group Policy Preferences-specific settings.

And my favorite strangeness in this area is “Registry Policy Processing” (with an upper case P in Policy) right next to its cousin “Registry policy processing” (with a lower case P in policy.) The lower case P policy (Registry policy Processing) is about how we handle the stuff inside the “Administrative Templates” node; ya know – “normal” Group Policy settings like “Prevent Access to the Control Panel.” The upper case P policy setting (Registry Policy Processing) is about the “Registry node” in the Group Policy Preferences (Chapter 10 in the Green book).

Bizarro, but now at least it’s understandable.

Look closely, and you’ll also see another whole node within the Group Policy node called “Logging and tracing.”

Okay, so what gives?

I’ll go more into this at another time, but since you can’t wait that long, here’s the abbreviated version. In short, the “definitions” of what’s possible in Group Policy-land are stored in ADMX files. Turns out, though, that Windows 7’s RSAT and Windows Server 2008 don’t ship with the exact same definitions.

Kooky. The “missing” Group Policy settings are only available in Windows Server 2008’s “set” of definitions. And, yes, that set is downloadable if you don’t want to rip it out of an existing Windows Server 2008 machine.

To catch up your “Windows 7 management machine”, download and utilize the files here (though there are sure to be updates for Windows Server 2008 R2, so I would try to track those down when available.)

Don’t be caught off guard if a GP Prefs problem occurs… now you’re in the know!
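To see exactly which definitions one management machine has that the other lacks, you can diff the two sets of ADMX files. The script below is an added example, not part of the original post: `Get-AdmxPolicy` and `Compare-AdmxSet` are hypothetical helper names, and the two tiny ADMX files and their policy names are constructed sample data.

```powershell
# Added example. Get-AdmxPolicy and Compare-AdmxSet are hypothetical helper names.
function Get-AdmxPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # XPath by local-name() so the ADMX default namespace does not get in the way.
    $xpath = "/*[local-name()='policyDefinitions']/*[local-name()='policies']/*[local-name()='policy']"
    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter *.admx) {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($file.FullName)
        # Files with no <policies> element return an empty node list.
        foreach ($p in $xml.SelectNodes($xpath)) {
            [pscustomobject]@{
                Id    = '{0}::{1}' -f $file.Name, $p.GetAttribute('name')
                File  = $file.Name
                Name  = $p.GetAttribute('name')
                Class = $p.GetAttribute('class')
            }
        }
    }
}

function Compare-AdmxSet {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,
        [Parameter(Mandatory)][string]$DifferencePath
    )
    $have = @{}   # hashtable keys are case-insensitive by default
    foreach ($d in Get-AdmxPolicy -Path $DifferencePath) { $have[$d.Id] = $true }
    # Emit every policy the reference set defines that the other set does not.
    Get-AdmxPolicy -Path $ReferencePath | Where-Object { -not $have.ContainsKey($_.Id) }
}

# Constructed sample: two tiny definition sets standing in for the two machines'
# PolicyDefinitions folders. Real <policy> elements carry more attributes.
$ns     = 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions'
$tmpl   = '<policyDefinitions xmlns="{0}"><policies>{1}</policies></policyDefinitions>'
$root   = Join-Path ([IO.Path]::GetTempPath()) 'admx-demo'
$server = (New-Item -ItemType Directory -Force -Path (Join-Path $root 'server2008')).FullName
$win7   = (New-Item -ItemType Directory -Force -Path (Join-Path $root 'win7rsat')).FullName
$shared = '<policy name="Sample_RegistryProcessing" class="Machine" />'
$prefs  = '<policy name="Sample_PrintersPrefProcessing" class="Machine" />'
($tmpl -f $ns, $shared) | Set-Content -LiteralPath (Join-Path $server 'SampleGroupPolicy.admx')
($tmpl -f $ns, $prefs)  | Set-Content -LiteralPath (Join-Path $server 'SamplePrefs.admx')
($tmpl -f $ns, $shared) | Set-Content -LiteralPath (Join-Path $win7 'SampleGroupPolicy.admx')

# Lists what the "server" set defines that the "Windows 7" set is missing.
Compare-AdmxSet -ReferencePath $server -DifferencePath $win7 | Format-Table File, Name, Class
```

For a real comparison, point the two parameters at copies of each machine's `%SystemRoot%\PolicyDefinitions` folder instead of the constructed sample folders.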

Some discount seats left for the Group Policy Master Class training in Orlando.

Sign up at

Use Coupon code NEXTSIXORLANDO to get $200 off the whole week!