MDM & GP Tips Blog

Apr 2008


Did you know Vista has a take ownership command right in the box?

I used to have to do this with a command called "chown" which I had to download separately. Now, "takeown.exe" is right there for me.

Also, my favorite Unix command of all time (whoami) also ships in the box. With whoami /all you can figure out what groups you're in and what privileges you've got. What's neat is that because Vista has "split token" SIDs, you won't actually see all your privileges -- even if you log in with Domain Administrator credentials. You only get to USE those privs when you elevate through UAC (User Account Control).
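To see the split token for yourself, here is an added example (my own script, not part of the original post) that wraps whoami /groups and whoami /priv and also asks .NET whether it thinks you are an administrator. It assumes PowerShell 2.0 or later is installed on the box; run it once from a normal prompt and once from an elevated prompt and compare the two results.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0 or later.
# Run once from a normal prompt and once from a UAC-elevated prompt: the
# filtered token shows Elevated=False, SeenAsAdmin=False, a deny-only
# Administrators group and only a handful of privileges; the full token
# shows the whole list.
function Get-TokenSummary {
    # .NET sees the token this process runs with. With the filtered token an
    # admin who has not elevated is NOT reported as Administrator, because the
    # Administrators SID is present only as a deny-only group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups prints the integrity label and flags deny-only groups
    $groupLines = whoami /groups
    $elevated   = [bool]($groupLines | Select-String 'High Mandatory Level')
    $denyOnly   = @($groupLines | Select-String 'used for deny only').Count

    # whoami /priv lists each privilege in the token with its State column.
    # Columns are separated by runs of two or more spaces:
    #   Name   Description   State
    $privs = whoami /priv | Select-String '^Se\w+Privilege' | ForEach-Object {
        $cols = $_.Line.Trim() -split '\s{2,}'
        New-Object PSObject -Property @{ Name = $cols[0]; State = $cols[-1] }
    }
    $enabled = @($privs | Where-Object { $_.State -eq 'Enabled' } |
        ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        User           = $identity.Name
        Elevated       = $elevated
        SeenAsAdmin    = $isAdmin
        DenyOnlyGroups = $denyOnly
        PrivilegeCount = @($privs).Count
        EnabledPrivs   = ($enabled -join ', ')
    }
}

Get-TokenSummary | Format-List
```

The difference between the two runs is exactly the set of privileges and group memberships that UAC strips from the filtered token until you elevate.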

Apr 2008

Bugs in the ointment (one in a series)

There are -lots- of bugs in Vista RTM. Some are in the Group Policy space.

I'm not beating up the GP team in any way by reporting these facts to you. Indeed, it's my goal to help locate these bugs, and let you and the team know of them (together). That way, YOU can work around these bugs and THEY can whomp 'em.

So, stay tuned for lots of little things here and there which need a little spackle.

Bug #1: GP Filtering

The final policy settings appear not to have been scrubbed so that there is a single "At least" requirement for Vista.


There are two main sets of Vista-specific policy settings, each with their own "Requirements."

One set is: "At least Windows Vista"
The other set is: "At least Microsoft Windows Vista"

Most are in the latter set. However, the FIRST set is first when you click in the "Filter by Requirements information" so, most people (like me) will likely click that puppy and be "surprised" when most Vista-specific policy settings aren't showing up.

Took me two weeks to figure out why I wasn't seeing it.
(I guess I'm slow.)

Apr 2008

What?? No MSI for ForeFront Security from Microsoft?

"Microsoft has released the public beta of Forefront Client Security - their new malware product. Currently deployment of the client via GPSI is not supported (there's not a single MSI file). This is due to the complexity of the install process. Which means creating your own might be unlikely as well. Deployment via script is the only remote deployment option.

This issue has been brought up on the beta test newsgroups and Microsoft has asked for feedback.

A product suggestion has been submitted - Feedback on this suggestion can now be submitted by voting on its priority (1 lowest - 5 highest). If the lack of GPSI integration would influence your decision to use this product you can vote on the suggestion priority at

Thanks to John Richardson for this alert !

Apr 2008

About BeyondTrust and DesktopStandard

Today I had a nice chat with CEO of BeyondTrust John Moyer. We talked about the Microsoft acquisition of his previous company, DesktopStandard and where he's going with BeyondTrust.

The Old
On the subject of the acquisition, former DesktopStandard CEO, Moyer said, “we had a great run with DesktopStandard and greatly appreciate all the support from our customer base and thought leaders like you, Jeremy. The acquisition validated not only the capabilities of the DesktopStandard team, but also Microsoft’s commitment to Group Policy. I am very happy that Microsoft will distribute DesktopStandard products to an even broader base of potential customers to help them manage their desktops and leverage their investments in Active Directory.”

The New
Moyer has transitioned to a new role as CEO of BeyondTrust Corp. BeyondTrust was spun out of DesktopStandard to focus on enterprise security products. When I asked Moyer about BeyondTrust and why DesktopStandard’s PolicyMaker Application Security Product was not part of the Microsoft transaction he had the following to say,

“Simply put, we didn’t want to sell PolicyMaker Application Security. It was DesktopStandard’s fastest growing product. We recognized that the market for this product was just starting to take off. And we already had a successful and experienced team in place so this just made good sense.

PolicyMaker Application Security, which we have renamed to Privilege Manager, will form the backbone of BeyondTrust Corp. BeyondTrust is a new type of security company focused on helping customers to move beyond the need to place trust in users.

BeyondTrust’s flagship product, Privilege Manager, enables customers to implement the security best practice of Least Privilege. With it end-users can run all required applications and perform all required system tasks without administrative privileges. Currently, there is too much trust in IT security. Users must often be given admin privileges in order to do their jobs, forcing IT to ‘trust’ those users. The result is that these same users are often overrun by malware and can expose the network to serious threats through malicious activity.

BeyondTrust will continue to leverage Group Policy. Privilege Manager policy is applied by rule creation in the Group Policy Object Editor.”

Apr 2008

ADM to ADMX Converter tool

You're not using Vista yet, but FullArmor and Microsoft are thinking of you. That is, with Vista the new ADMX file format will supplant the ADM file format. But what if you've already got a bunch of ADM files out there? Are you going to learn the ADMX format for a one-time conversion? Not anymore. Microsoft and FullArmor are releasing a free tool, found here, to help automatically transition ADM to ADMX files. Thanks, guys !! (Are you reading this blog? If so, send me a short email, and just tell me. Trying to figure out if this blog thing is useful for you guys or not. And tell me if you're reading it from the web page, or via RSS or another way. Thanks !)

Feb 2008

Welcoming new products to the Solutions Guide

We've got three new additions to our 3rd party tools section. Check 'em out!

SpecialOperations Software has added two products you should check out in the Third Party Solutions guide. One product lets you manipulate passwords over OUs and over specific people. The other tool does a complete hardware and software inventory via Group Policy. Neat !


Additionally, we've added SecureVantage Technologies' Group Policy Product -- PCMP. If you've already got MOM, and want to really manage your Group Policy world, check this tool out.

See all the products at

Feb 2008

DesktopStandard purchased by Microsoft

Is it good or bad that DesktopStandard was purchased by Microsoft?

Well, I picked one heck of a day to start my blog. Today's topic: Microsoft's purchase of DesktopStandard. Now, before we go into the ANALYSIS of what's happened, I encourage you to read this, which does a pretty good job explaining WHAT happened.

Okay. Now that that's out of the way, let's analyze WHAT we're going to get:

The Good
- 21 new Client Side Extensions: You want to zap Outlook configuration down? Zaaap. You want to zap shortcuts on the desktop? Zaaap. You want to zap printer settings? Zaaap. In all, 21 new things to zap.
- GPOVault: This is a "check-in / check-out" GP management system which is built right into the GPMC. I like this tool because, well, it's just built right into the GPMC, which means I don't have to load ANOTHER console to do the dirty work. So, the idea is that Sally creates the GPO, Fred makes sure it's kosher and Kirk puts it in play. All around a welcome addition.

The Unknown
- PolicyMaker Registry Extension: This was a great free CSE which could be used to zap down registry changes. Who knows what the status of this great free tool will be.
- Share Manager: Another CSE, available for purchase, which managed shares on servers. Honestly, I don't know if this tool sold well or not.

The Ugly
- PolicyMaker Software Update: Imagine WSUS that actually worked with GPOs and that understood Active Directory. Now imagine it dead. Yep, this very cool product will likely not see the light of day as a Microsoft product. Microsoft already has a free patch strategy system, WSUS (again, even though it has no tie-ins to AD and very few tie-ins to GPOs), and SMS for industrial-strength patch management. This product kind of fit in the middle, and, well, now it's dead.

Analysis
In the end analysis -- it's great. More stuff for GPO admins to know and love. And more power to do what they love to do. Stay tuned for more info as it comes up. You bet I'll be all over this when I have more to share.