MDM & GP Tips Blog

Apr 2008
01

What?? No MSI for ForeFront Security from Microsoft?

"Microsoft has released the public beta of Forefront Client Security - their new malware product. Currently deployment of the client via GPSI is not supported (there's not a single MSI file). This is due to the complexity of the install process. Which means creating your own might be unlikely as well. Deployment via script is the only remote deployment option.

This issue has been brought up on the beta test newsgroups and Microsoft has asked for feedback.

A product suggestion has been submitted - Feedback on this suggestion can now be submitted by voting on its priority (1 lowest - 5 highest). If the lack of GPSI integration would influence your decision to use this product you can vote on the suggestion priority at https://connect.microsoft.com/feedback/default.aspx?SiteID=27

Thanks to John Richardson for this alert !



Apr 2008
01

About BeyondTrust and DesktopStandard

Today I had a nice chat with CEO of BeyondTrust John Moyer. We talked about the Microsoft acquisition of his previous company, DesktopStandard and where he's going with BeyondTrust.

The Old
--------
On the subject of the acquisition, former DesktopStandard CEO, Moyer said, “we had a great run with DesktopStandard and greatly appreciate all the support from our customer base and thought leaders like you, Jeremy. The acquisition validated not only the capabilities of the DesktopStandard team, but also Microsoft’s commitment to Group Policy. I am very happy that Microsoft will distribute DesktopStandard products to an even broader base of potential customers to help them manage their desktops and leverage their investments in Active Directory.”

The New
--------
Moyer has transitioned to a new role as CEO of BeyondTrust Corp. BeyondTrust was spun out of DesktopStandard to focus on enterprise security products. When I asked Moyer about BeyondTrust and why DesktopStandard’s PolicyMaker Application Security Product was not part of the Microsoft transaction he had the following to say,

“Simply put, we didn’t want to sell PolicyMaker Application Security. It was DesktopStandard’s fastest growing product. We recognized that the market for this product was just starting to take off. And we already had a successful and experienced team in place so this just made good sense.

PolicyMaker Application Security, which we have renamed to Privilege Manager, will form the backbone of BeyondTrust Corp. BeyondTrust is a new type of security company focused on helping customers to move beyond the need to place trust in users.

BeyondTrust’s flagship product, Privilege Manager, enables customers to implement the security best practice of Least Privilege. With it end-users can run all required applications and perform all required system tasks without administrative privileges. Currently, there is too much trust in IT security. Users must often be given admin privileges in order to do their jobs, forcing IT to ‘trust’ those users. The result is that these same users are often overrun by malware and can expose the network to serious threats through malicious activity.

BeyondTrust will continue to leverage Group Policy. Privilege Manager policy is applied by rule creation in the Group Policy Object Editor.”

Apr 2008
01

ADM to ADMX Converter tool

You're not using Vista yet, but FullArmor and Microsoft are thinking of you. That is, with Vista the new ADMX file format will supplant the ADM file format. But what if you've already got a bunch of ADM files out there? Are you going to learn the ADMX format for a one time conversion? Not anymore. Microsoft and FullArmor are releasing a free tool, found here to help automatically transition ADM to ADMX files. Thanks, guys !! (Are you reading this blog? If so, send me a short email, and just tell me. Trying to figure out if this blog thing is useful for you guys or not. And tell me if you're reading it from the web page, or via RSS or another way. Thanks !)



Feb 2008
01

Welcoming new products to the Solutions Guide

We've got three new additions to our 3rd party tools section. Check 'em out!

SpecialOperations Software has added two products you should check out in the Third Party Solutions guide. One product lets you manipulate passwords over OUs and over specific people. The other tool does a complete hardware and software inventory via Group Policy. Neat !

 

Additionally, we've added SecureVantage Technologies' Group Policy Product -- PCMP. If you've already got MOM, and want to really manage your Group Policy world, check this tool out.

See all the products at www.GPanswers.com/solutions

Feb 2008
01

DesktopStandard purchased by Microsoft

Is it good or bad that DesktopStandard was purchased by Microsoft?

Now, before we go into the ANALYSIS of what's happened, I encourage you to read this, which does a pretty good job explaining WHAT happened.

http://www.networkworld.com/article/2307686/software/microsoft-acquires-policy-based-management-vendor-desktopstandard.html



Well, I picked one heck of a day to start my blog. Today's topic: Microsoft's purchase of DesktopStandard. Now, before we go into the ANALYSIS of what's happened, I encourage you to read this, which does a pretty good job explaining WHAT happened.

http://www.networkworld.com/news/2006/100206-ms-desktopstandard.html?page=1

Okay. Now that that's out of the way, let's analyze WHAT we're going to get:

The Good
--------
- 21 new Client Side Extensions: You want to zap Outlook configuration down? Zaaap. You want to zap shortcuts on the desktop? Zaaap. You want to zap Printer settings? Zaaap. In all, 21 new things to Zap.
- GPOVault: This is a "Check-in / Check-out" GP management system which is built right into the GPMC. I like this tool because, well, it's just built right in to the GPMC, which means I don't have to load ANOTHER console to do the dirty work. So, the idea is that Sally creates the GPO, Fred makes sure it's Kosher and Kirk puts it in play. All around a welcome addition.

The unknown
-----------
- PolicyMaker Registry Extension: This was a great free CSE which could be used to zap down registry changes. Who knows what the status will be of this great free tool.
- Share Manager: Another CSE available for purchase which managed shares on servers. Honestly, I don't know if this tool sold well or not.

The ugly
--------
- PolicyMaker Software Update: Imagine WSUS that actually worked with GPOs and that understood Active Directory. Now imagine it dead. Yep, this very cool product will likely not see the light of day as a Microsoft product. Microsoft already has a free patch strategy system, WSUS (again, even though it has no tie-ins to AD and very few tie-ins to GPOs) and SMS for industrial-strength patch management. This product kind of fit in the middle, and well, now it's dead.

Analysis
--------
In the end analysis -- it's great. More stuff for GPO admins to know and love. And more power to do what they love to do. Stay tuned for more info as it comes up.
You bet I'll be all over this when I have more to share.

Aug 2007
09

Issue #25

  • Let's get an understanding of ADMs and ADMXs (PART TWO)
  • New Public Classes and upcoming events
  • Some more goodies about PolicyPak Software
  • Public GP Training Schedule Update
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

In our last issue, we tackled what ADM files are, where they live, and what they look like in the interface. Here, we

GPanswers.com News and Updates

Update #1:

Search: We have SEARCH! That's right, it took us, like, way too long... but we have a new search capability right on the GPanswers.com home page. Just type in what you're looking for and... whamo!

Update #2:

FAQs: Our FAQs are now more FAQ'n organized than ever. (Did I really just go there!?) Anyway, they are. Thanks to Eric Johnson, who really went the extra mile to make this happen. Each FAQ now has its own unique URL, so, if someone in the forums asks "How do I enable GP for Windows 95" we can just say, "Please read this: faq/5". Okay, that one doesn't come up all that often, but you get the idea.

Update #3:

One more public class for the rest of 2007 and two new ones for 2008

I have new dates in Portland (Jan 15-18) Orlando (Jan 29- Feb 1), Washington DC (Feb 4 - 7) and Nashville (March 4-7). More on this topic later.  


This Month's Newsletter Sponsored by: NetIQ

Are you using Group Policy optimally? Ever wonder if you can do more with it? Get the best practices you need to leverage Group Policy on your servers in this new white paper, "Why Group Policy Matters for Servers," authored by Group Policy guru Jeremy Moskowitz & NetIQ. Download it now


 

This issue's big tech tip...

What’s All the Hubbub about ADMX? (Part II)

In the last issue, you learned all about ADM files. But what's this you keep hearing about ADMX files ?

Windows Vista ships with a built-in GPMC. And with that GPMC comes a new ability to shake off the use of old ADM files in favor of newer ADMX files, if you want to. Why would we want to shake off the ADM format?

Recall that the ADM file itself is placed up inside the GPT part of the GPO (the part that lives in SYSVOL). When that happens, you burn about 4MB on every Domain Controller—every time you create a GPO. Also recall that the ADM file itself is placed in the GPT of the GPO because it’s necessary when you want to re-edit the GPO on another management station. Without that ADM file, you can’t edit the custom setting contained within the GPO.

So, the ADMX format helps us break away from these issues. You no longer need to store anything inside the GPO, so you don’t get what’s known as “SYSVOL Bloat.” That is, a fat SYSVOL which has the heavy duty to store GPOs full of ADM files. To work around this, the new ADMX standard can take advantage of what’s known as the Central Store. The job of the Central Store is to have one place which can store the new ADMX files so they don’t need to get copied into each and every GPO. So, goodbye SYSVOL bloat. The other big deal about the Central Store is that if an ADMX file has an updated definition, then all Vista management stations will immediately use that updated ADMX file.

If you want to learn about the format of ADMX files, the creation and use of the Central Store in detail, I’ve got two resources for you. Darren Mar-Elia has an informative, yet succinct, article on ADMX file format internals and a brief explanation of the Central Store in his Technet Article here (http://tinyurl.com/2musnh). I also have an entire, downloadable chapter from my new book, Group Policy: Management, Troubleshooting, and Security on GPanswers.com available here.

As we’ve seen, ADM templates are still supported when you use a Vista management station; but ADM files are not supported within the Central Store. This can be a little confusing, so let’s walk through an example.

Let's assume the following:

  • I created a GPO from a Vista management station.
  • I tweaked some in-the-box settings (like Prohibiting Access to the Control Panel).
  • I wanted to add a custom ADM template.

After we do this final step, we’ll then peek into the GPO’s GPT and see what has happened to get some clarity.

To add the ADM template, we’ll repeat some steps we performed earlier. Just open up the Group Policy Object Editor, right-click “Administrative Templates” (which is contained within both the User and Computer nodes) and select “Add/Remove Template.” You can see the added template in Figure 1.

Figure 1

Note that in order to actually see the settings contained within this ADM template, click on View | Filtering. Finally, uncheck “Only show policy settings that can be fully managed”.

Then, close the Group Policy Object Editor and return to the GPMC. Figure 2 shows the Details tab of the GPO I just created from my Vista management station. (Note the catchy name of the GPO.) By looking in the “Details” tab, I can determine the GUID for the GPO, which will make it easier when I go fishing around in SYSVOL to sleuth around for that particular GPO.

Figure 2

Once I track down the GPT of the GPO (by using the GPO’s GUID), I can crack open that GPO’s ADM directory and see that there’s exactly one ADM template here—the one which I manually imported, seen in Figure 3. This is because Vista machines don’t rely on ADMs anymore. Since they don’t natively use them, they don’t natively push anything up into the GPO itself. However, if you manually import an ADM (as we just did), Vista will continue to honor the ADM in the same fashion it always did.

Figure 3

This is in contrast with, say, the GPO in Figure 4, which was created on an XP or Windows Server 2003 machine. When GPOs are created using pre-Vista management stations, the original ADM files are pushed up into the GPO as previously described. This GPO was created on a Windows XP management station. You can tell, because it’s jam packed with ADM files that Vista doesn’t need or use.

Figure 4

Converting ADM to ADMX Using the ADMX Migrator Tool

We just learned that Windows XP uses ADM files and Vista uses ADMX files. We also learned that Vista will continue to utilize ADM files if that’s what we have available. But, we cannot stick an ADM file into the Central Store and expect our Windows Vista management stations to all be able to utilize the file.

In order to utilize the settings contained within the ADM in the Central Store, you need to convert the ADM file to ADMX, or re-create the ADM files as ADMX files by hand. Luckily, there’s only one download that performs both of these functions. The ADMX Migrator tool (which is really composed of an ADM-to-ADMX converter tool and an ADMX creation tool) can be downloaded from Microsoft’s website here: http://tinyurl.com/yjnptj.

You can install the ADMX Migrator Tool .msi file on Windows Server 2003, Windows XP, or Windows Vista. Once installed, the applications go to C:\Program Files\FullArmor\ADMX Migrator. The command-line application we’ll be running is called “faAdmxConv.exe”. But since the directory isn’t in the path, you would need to be in that directory in order to run the app. Therefore, when I’m using the tool, I opt to add this directory to my Windows Path. Click here for more information on how to set the path in Windows (http://tinyurl.com/3n4zy).

I usually create a temp directory, like C:\ADMtemp, and copy my source ADM files into it. There are a lot of possible parameters for faAdmxConv.exe, but the simplest way to convert an ADM file is to specify the name of the ADM file and the output directory. If you’ve already put the source ADM file in ADMtemp and added faAdmxConv.exe to the path, you can just run “faAdmxConv nopassport.adm .” (with the dot to signify the current directory as output). If you don’t specify the dot (for this directory) or another explicit path, the output goes somewhere you likely don’t want it to: the installation directory of the ADMX Migrator tool. Doh! In Figure 5, you can see three commands:

  • A “dir” command to see the ADM file
  • The “faAdmxConv” command with the name of the ADM and the . (dot) to represent the current directory and
  • A “dir” to see the outputted files: nopassport.admx and nopassport.adml

Figure 5

Before you go plunking this into your Central Store, you might want to test this on a machine which isn’t leveraging the Central Store (like a Windows Vista machine that’s offline). After you take the machine offline, copy the ADMX file to the C:\Windows\PolicyDefinitions directory, and the ADML file to the language-specific directory. In the US, that directory is C:\Windows\PolicyDefinitions\en-us. An example of the copy procedure can be seen in Figure 6.

Figure 6

The ADM to ADMX converter tool doesn’t always generate ADMX files which are “ready to go” inside the Group Policy Object Editor. That is, the conversion process appears to be 100% successful. But then loading the resulting ADMX and ADML files into the Central Store and seeing the results using your Vista management station could demonstrate errors. This could manifest itself when the Group Policy Object Editor starts, with various error messages appearing about the resulting ADMX file. To remedy this, there will be another update of the ADMX Migrator tool that should produce more useful output at conversion time to help you adjust your ADM file before it makes its way through the conversion process.

This is a known issue, and one that the FullArmor and Microsoft teams are aware of and are working hard to fix. The updated tools will likely be available by the time this article goes to press. Be sure to check in at www.GPanswers.com/blog for the latest info. The official timetable for this updated tool is “soon,” but stay tuned to GPanswers.com and the ADMX Migrator tool download page for more details.

Finally, the now-converted ADM file is really now two files: an ADMX (language-neutral file) and an ADML (language-specific file). At this point, you can put them inside the Central Store or test them on a local machine. However, once again, in order to actually see the policy settings contained within this ADMX template, you’re still going to need to do what we did earlier as seen in Figure 4. That is, you’ll still need to click on View | Filtering, then uncheck the “Only show policy settings that can be fully managed” safety. That’s because the settings contained within this ADMX file do not write to one of the “proper” Policies keys, as previously discussed.
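Why that filter has to be unchecked, as an added PowerShell example that is not part of the original newsletter: the editor treats a setting as fully managed only when its KEYNAME sits under one of the Policies registry keys (in HKLM or HKCU), and hides everything else by default. The function name `Get-AdmKeyReport` and the sample template are constructed for illustration.

```powershell
# Added example (not from the newsletter): flag ADM KEYNAMEs outside the Policies keys.
# These two roots, under both HKLM and HKCU, are the locations Group Policy cleans up
# on its own; values written anywhere else persist after the GPO no longer applies.
$PolicyRoots = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-AdmKeyReport {
    param([Parameter(Mandatory)] [string[]] $AdmLines)

    $class = $null; $policy = $null
    foreach ($line in $AdmLines) {
        $text = $line.Trim()
        if ($text -match '^CLASS\s+(USER|MACHINE)\b') { $class = $Matches[1].ToUpper(); continue }
        if ($text -match '^END\s+POLICY\b')           { $policy = $null; continue }
        if ($text -match '^POLICY\s+(.+)$')           { $policy = $Matches[1].Trim('"'); continue }

        if ($text -match '^KEYNAME\s+"?([^"]+)"?') {
            $key = $Matches[1].Trim().TrimStart('\')
            $managed = $false
            foreach ($root in $PolicyRoots) {
                # Exact root or a subkey of it; a prefix such as "Software\PoliciesX" must not pass.
                if ($key -eq $root -or
                    $key.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
                    $managed = $true
                }
            }
            [pscustomobject]@{
                Class        = $class
                Policy       = if ($policy) { $policy } else { '(category level)' }
                KeyName      = $key
                FullyManaged = $managed
            }
        }
    }
}

# Constructed sample ADM text (not a real vendor template).
$sampleAdm = @'
CLASS USER
CATEGORY !!DemoCategory
  POLICY !!ManagedSetting
    KEYNAME "Software\Policies\Contoso\DemoApp"
    VALUENAME "DisableFeature"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!PreferenceSetting
    KEYNAME "Software\Contoso\DemoApp"
    VALUENAME "HideBanner"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

[strings]
DemoCategory="Demo application"
ManagedSetting="Disable feature (true policy)"
PreferenceSetting="Hide banner (preference)"
'@ -split '\r?\n'

# The second policy is reported with FullyManaged = False: it is the kind of setting
# the "Only show policy settings that can be fully managed" filter hides.
Get-AdmKeyReport -AdmLines $sampleAdm | Format-Table -AutoSize
```

To check a real template before converting it, pass its lines instead of the sample, for example `Get-AdmKeyReport -AdmLines (Get-Content .\nopassport.adm)`.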

Cleaning Up Shop

The ideal state is clearly to use only ADMX files, and to utilize the Central Store. But in order to do that you need to:  

  • Convert all your current ADM files to ADMX
  • Convert all management stations to Vista (or Windows Server 2008)
  • Commit to stop editing GPOs on pre-Vista machines

If you’ve done these three steps, you have ostensibly banished ADM files from your world. At this point, the ADM files within your GPOs are just taking up space within your Domain Controller’s SYSVOL. Once you’ve achieved ADMX nirvana, you could, if you wanted, simply delete the ADMs contained within the GPO’s GPT within SYSVOL. That’s right: like your body’s appendix, they’re vestigial. They did serve a purpose at one point; but their purpose is done. You can do this manually, or do it with a script. Before you do, though, note that this would be a serious mistake if the above steps haven’t been completed. So be sure to do this only if you’re sure you can leave ADM files behind.
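One way to script that cleanup in PowerShell, as an added example that is not from the original newsletter: it reports each GPO's ADM footprint first, and deletes only behind -WhatIf/-Confirm after copying every file to a backup folder. The function names, the backup folder and the sample tree are assumptions made for the illustration; on a real domain, -PoliciesPath would be the Policies folder under SYSVOL.

```powershell
# Added example: inventory, then optionally remove, ADM files left in each GPO's GPT.
# Assumption: GPTs are laid out as <Policies>\{GUID}\Adm\*.adm.

function Get-GpoAdmFootprint {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $PoliciesPath)

    $guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    Get-ChildItem -LiteralPath $PoliciesPath -Directory |
        Where-Object { $_.Name -match $guidPattern } |
        ForEach-Object {
            $admDir = Join-Path $_.FullName 'Adm'
            if (-not (Test-Path -LiteralPath $admDir -PathType Container)) { return }
            # Compare the extension explicitly: a "*.adm" provider filter can also
            # match longer extensions such as .admx on Windows PowerShell.
            $files = @(Get-ChildItem -LiteralPath $admDir -File |
                       Where-Object { $_.Extension -eq '.adm' })
            if ($files.Count -eq 0) { return }
            [pscustomobject]@{
                GpoGuid  = $_.Name
                AdmCount = $files.Count
                TotalKB  = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1KB, 1)
                Files    = $files
            }
        }
}

function Remove-GpoAdmFile {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $PoliciesPath,
        [Parameter(Mandatory)] [string] $BackupPath   # hypothetical backup location
    )
    foreach ($gpo in Get-GpoAdmFootprint -PoliciesPath $PoliciesPath) {
        $dest = Join-Path $BackupPath $gpo.GpoGuid
        foreach ($file in $gpo.Files) {
            if ($PSCmdlet.ShouldProcess($file.FullName, 'Back up and delete ADM file')) {
                New-Item -ItemType Directory -Path $dest -Force | Out-Null
                Copy-Item -LiteralPath $file.FullName -Destination $dest
                Remove-Item -LiteralPath $file.FullName
            }
        }
    }
}

# --- Constructed sample tree (not real GPOs) so the example runs offline ---
$root     = Join-Path ([IO.Path]::GetTempPath()) ('sysvol-demo-' + [guid]::NewGuid())
$policies = Join-Path $root 'Policies'
$xpGpo    = '{11111111-1111-1111-1111-111111111111}'   # constructed: GPO edited on XP
$vistaGpo = '{22222222-2222-2222-2222-222222222222}'   # constructed: GPO created on Vista

$xpAdm = Join-Path (Join-Path $policies $xpGpo) 'Adm'
New-Item -ItemType Directory -Path $xpAdm -Force | Out-Null
'conf.adm', 'inetres.adm', 'system.adm', 'wmplayer.adm', 'wuau.adm' | ForEach-Object {
    Set-Content -LiteralPath (Join-Path $xpAdm $_) -Value ('; constructed sample line' * 100)
}
$vistaAdm = Join-Path (Join-Path $policies $vistaGpo) 'Adm'
New-Item -ItemType Directory -Path $vistaAdm -Force | Out-Null
Set-Content -LiteralPath (Join-Path $vistaAdm 'nopassport.adm') -Value '; constructed sample'

# 1. Report only: which GPOs still carry ADM files, and how much space they use.
Get-GpoAdmFootprint -PoliciesPath $policies | Format-Table GpoGuid, AdmCount, TotalKB

# 2. Dry run: lists every file that would be backed up and deleted, changes nothing.
Remove-GpoAdmFile -PoliciesPath $policies -BackupPath (Join-Path $root 'AdmBackup') -WhatIf

# Remove the demo tree.
Remove-Item -LiteralPath $root -Recurse -Force
```

Running `Remove-GpoAdmFile` without -WhatIf prompts for each file, which fits the warning above: delete only after all three conditions are met.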

For more about ADM, ADMX, and ADML files be sure to sign up for the GPanswers.com newsletter (the thing you're reading right now) at www.GPanswers.com/newsletter and intermediary notices via blog at www.GPanswers.com/blog.

Test some PolicyPaks for a test drive

Some of you have downloaded the software at PolicyPak to start making your admin life a little easier. We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy.

  • Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader.
  • Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger.
  • Wanna control WinZip using Group Policy? We're working on PolicyPak for WinZip (and lots of others...)
  • Wanna control something we don't support yet? Suggest an application at www.PolicyPak.com/suggest !


So, how can you check them out? We're ready for you to check us out and take it for a test drive. Just mosey over to www.PolicyPak.com, register for an account and give our two PolicyPaks a whirl. We've made the download process even easier. So, if you "gave up" before because we asked for too much information, I think you'll be a lot happier now.


About GPanswers.com Training

Choosing the Right Course for You

Of course you want GP training. And we know you'd prefer to use GPanswers.com as your GO TO source for GP training. We try to make it as easy as possible for you. We have GP courses that fit what you need.

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private (on site) and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses—2007 scheduled

I have limited classes for the rest of 2007 and beginning of 2008:

  • Oct 23, 24 and 25: Netherlands: Three-Day Group Policy Essentials Course (XP Focused). Sign up here.
  • Jan 15, 16, 17, 18: Portland OR: Group Policy Essentials Course, Advanced One Day Course and XP to Vista Catchup Course.
  • Jan 29, 30, Feb 1, 2: Orlando, FL: (Yes, I spun up this course so that you, yes you, can get approval to go to Orlando in the dead of winter time.) Group Policy Essentials course, Advanced One Day Course and XP to Vista Catchup course
  • Feb 4, 5, 6, 7: Wash, DC: Group Policy Essentials course, Advanced One Day Course and XP to Vista Catchup course
  • March 4, 5, 6, 7: Nashville: Group Policy Essentials course, Advanced One Day Course and XP to Vista Catchup Course.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about OTHER CITIES in 2008?

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go for 2007.

Now tell me where you want me to go for 2008. The cities with the most "votes" get classes in their city. Bigger cities are a better bet, so you might want to vote for your closest "major airport" city.

Here's a deal you can't pass up!

Okay, let's assume I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two, three or four days, and you get a free student attendee !

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, the Security Team and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.


Places I'll be...

  • WinConnections 2007 Fall in Vegas: www.WinConnections.com
    • I'll be speaking on Group Policy Essentials
    • Group Policy Troubleshooting
    • Microsoft Softgrid and other Application Virtualization technologies
    • Maybe more !

Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

  If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Security directly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!

Note that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
 http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • AdventNet with their ADManager Plus

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Margot at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jul 2007
17

Issue #24


  • Let's get an understanding of ADMs and ADMXs, finally !
  • Did you miss the Fourth ? (Edition, that is...)
  • Some more goodies about PolicyPak Software
  • Public GP Training Schedule Update
    • Different course levels
    • XP and Vista coverage
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

GPanswers.com News and Updates

GPanswers.com is a free service, as you know. And we try try try to keep it as up-to-date as possible. But we're a limited full time staff (that's me!) so every once in a while, I ask for some part time helpers to help give us a "boost."

These just aren't "any ol' people" .. they need to be READY and WILLING to help the cause of GP everywhere ! (Okay.. maybe that's a little much, but you get the idea.) We've added three super helpful folks to our GPanswers.com staff.

Staff Changes

In the office, I've changed my office assistant to Margot Cullen. Margot is just awesome. So, if you need receipts, want to call in to sign up for a public class, or ask her personal and revealing questions about what I do on the weekends, she's your gal. She can be reached at [email protected]. Please do not send technical questions to Margot. Please use the Community Forum (GPanswers.com/community) for that. Thanks!

GPanswers.com Helper Additions

After a long search, I'm proud to announce two helpers to GPanswers.com: Jakob Heidelberg and Eric Johnson. Jakob is a Danish Windows expert and well-known blogger. If you read my blog, you'll be sure to love his as well. Click here for information about Jakob! And be sure to read his blog!

Eric Johnson who works at a private healthcare firm will also be helping out at GPanswers.com. No blog from Eric yet, but maybe soon!

These two guys are going to help answer questions in the forums, and help with the Tips and Tricks section at GPanswers.com. In fact, if you look at some (most!) of the Tips and FAQ questions, you'll see Eric already hard at work. Many tips and such at the bottom will say:

" Verified by: Eric Johnson
Edited by: Eric Johnson
Last Edit date: June 30th, 2007
This question originally posted on August 7th 2004. "

That way, you get a good idea that we double-checked the accuracy of our tips and also the last time we touched them for a checkup. Hope you like that new GPanswers.com feature. If you want to submit a Tip / Trick / FAQ question .. there's only one place!

That's at the GPanswers.com/community forum, specifically in the "Submit a Tip / Trick" section here. You will need to register for a community forum account before submitting.


This Month's Newsletter Sponsored by: NetIQ

Download our new white paper, "Best Practices for Managing AD & Group Policy", to understand how your organization can improve its control over changes to Active Directory and Group Policy. You'll get the answers you need to assure changes are identified, tracked, and safely made across Active Directory and Group Policy.  

Click the link to learn more: NetIQ


Inside ADM and ADMX Templates

ADM files. You either love 'em or you hate 'em. Maybe both.

And that's because they're both necessary, but also confusing. And to add to the mix, Microsoft now has ADMX files which can only seemingly add to the confusion.

In this issue we'll tackle ADM files. Next issue -- ADMX files.

So, let's begin with the "unconfusion."

Why do we need ADM files?

Group Policy is made up of multiple areas. If you dive down into the Group Policy Object Editor (GPOE), you'll find lots of "stuff" you can do with Group Policy. For instance, Software Restriction Policy, Group Policy Software Installation, Folder Redirection. And yes, the one we play with most: "Administrative Templates" as seen here. The Administrative Templates node is on both the User and Computer sides. As suspected, users can only embrace User side policy settings and computers can only embrace Computer side policy settings.

But how do these magical settings get "born?"

It all starts when the stork brings us a new application. Really!

Okay, not really. But when new applications are "born" there are potentially some settings we can manipulate. That's where ADM files come into play. They describe the areas of the application that are ready to accept settings. ADM files are limited, right away, unfortunately, because they can only address registry settings within an application. But an application might save its settings in various places: .ini files, .js files, .XML files and other areas. ADM files can only address registry-based settings.

In the box ADM files

So how do all those policy settings in the box for Computer Configuration | Administrative Templates and User Configuration | Administrative Templates get there in the first place? If you right-click over the words "Administrative Templates" and select "Add/Remove Templates" in either the User or Computer side, you'll see the default templates which make up the standard configuration.

The breakdown of these files is:

  • Conf.adm -- NetMeeting settings.
  • Inetres.adm -- Internet Explorer settings, including connections, toolbars, and toolbar settings. It is equivalent to the options that are available when using the Internet Options menu inside Internet Explorer.
  • System.adm -- Operating system changes and settings. Most of the Computer and User Administrative Template settings are in this ADM template.
  • Wmplayer.adm -- Windows Media Player 9 settings.
  • Wuau.adm -- Controls clients' access to Windows Software Update Services servers.

Adding your own ADM Template Files

Well, that's easy. First, just get the ADM template you want to use. Maybe you've downloaded one from GPanswers.com. (We have about a dozen interesting ones.) Or maybe you want to utilize the ADM files for Office 2003 or Office 2007. That's great.

Just click Add as seen in Figure 1 and add in the template. By default, templates are looked for in the Windows\inf directory, but there's no reason you cannot store them anywhere else. Here's something you may not know: once the ADM template is added, that ADM template gets added to the GPO itself.

For instance, in this example, I've added "nopassport.adm" which will let us squelch the "Do you want to add your passport?" message the first time a user logs into an XP machine. And also Word11.ADM (from the Office 2003 ADM template download.) You can see these additions in the "Add/Remove Templates" window.

Then, inside the GPO itself, specifically, the GPT, in the ADM directory, you can see the nopassport.adm and Word11.ADM files added.

Why is it added to the GPO? Because if you then try to edit this GPO on another management station, you'll be able to see the settings contained within the ADM files.

Why Can't I see the ADM file additions?

Well, maybe you can, or maybe you can't see your ADM file additions. And this is causing a lot of confusion for a lot of administrators. Indeed, this is a top 5 FAQ at GPanswers.com, so I hope to put it to rest right here.

You should at least be able to see the results of adding the two templates as seen here. Two new nodes will appear: Computer Configuration | Nuisances (because of nopassport.adm) and User Configuration | Microsoft Office Word 2003 (because of Word11.ADM). If you dive down into the Word 2003 settings, you'll see a huge array of configurables, as seen here.

But, you cannot see the settings within the new Nuisances node. Why not? To understand that, you need to understand the idea of "proper" vs. "improper" policies keys that an ADM template might affect.

Proper vs. Improper Policies Keys

Microsoft documentation states that four Registry areas are considered the approved places to create policies out of Registry hacks:

  • HKLM|Software|Policies (computer settings, the preferred location)
  • HKLM|Software|Microsoft|Windows|CurrentVersion|Policies (computer settings, an alternative location)
  • HKCU|Software|Policies (user settings, the preferred location)
  • HKCU|Software|Microsoft|Windows|CurrentVersion|Policies (user settings, an alternative location)

The settings contained within Word 2003's ADM write to these "proper" locations. But the nopassport.adm file doesn't. Indeed, nopassport.adm writes to HKLM | Software | Microsoft | MessengerService | PassportBalloon

So, Microsoft puts up a little safety gate before it allows you to see these settings. The idea is that any of the settings that don't write to the proper Policies keys (listed above) will tattoo the registry. So, even if you whack the GPO, there's no way the setting will "revert" back. For example, let's say you added the nopassport.adm file, and chose to squelch the "Do you want to add a passport?" pop-up balloon on every machine in your domain. Then, later, the boss said he really liked that setting. You've got a long road ahead of you because all computers will now embrace the setting - basically forever - until you expressly put that setting back.

In contrast, regular policy settings have a "default" value. And if you whack the GPO, those settings will revert back to something. For instance, say you choose to prohibit access to the Control Panel using the built-in ADM templates, then later change your mind. All you need to do is whack the GPO and voila! The Control Panel comes back.

Again - not so with the Passport message - because the policy setting isn't in a place that will ever revert. So Microsoft protects you by (initially) not showing the policy settings at all - so you don't shoot yourself in the foot!
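The "proper" vs. "improper" test above can be run against a template before it is ever added to a GPO. The following is an added example, not code from this newsletter or from Microsoft: a small Python auditor that reads ADM text and reports which policies write outside the four approved Policies keys and would therefore tattoo. The sample template is constructed; its first entry uses the path the article gives for nopassport.adm, and the "ExampleVendor" keys are hypothetical.

```python
import re

# The two approved roots under each hive (HKLM for computer, HKCU for user),
# which together make up the four "proper" locations listed in the article.
MANAGED_ROOTS = (
    "software\\policies",
    "software\\microsoft\\windows\\currentversion\\policies",
)

# Constructed sample, not the contents of any real template. The first
# KEYNAME/VALUENAME follows the path the article gives for nopassport.adm;
# the "ExampleVendor" entries are hypothetical.
SAMPLE_ADM = r'''
; constructed test template
CLASS MACHINE
CATEGORY "Nuisances"
  POLICY "Passport Solicitation"
    KEYNAME "Software\Microsoft\MessengerService"
    VALUENAME "PassportBalloon"
  END POLICY
END CATEGORY

CLASS USER
CATEGORY "Example App"
  KEYNAME "Software\Policies\ExampleVendor\ExampleApp"
  POLICY "Disable splash screen"
    VALUENAME "NoSplash"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "Recent file count"
    PART "Count" NUMERIC
      KEYNAME "Software\ExampleVendor\ExampleApp\Settings"
      VALUENAME "MaxRecent"
    END PART
  END POLICY
END CATEGORY
'''

# Simplification: one keyword per line; ACTIONLIST entries are not modelled.
KEYWORD = re.compile(
    r'^\s*(CLASS|CATEGORY|POLICY|PART|KEYNAME|VALUENAME|END)\b\s*(.*)$', re.I)


def is_managed_key(key):
    """True if key sits at or below one of the approved Policies roots."""
    norm = key.strip().strip("\\").lower()
    return any(norm == root or norm.startswith(root + "\\")
               for root in MANAGED_ROOTS)


def _arg(rest):
    """First argument of a keyword line, with surrounding quotes removed."""
    rest = rest.strip()
    quoted = re.match(r'"([^"]*)"', rest)
    if quoted:
        return quoted.group(1)
    return rest.split()[0] if rest else ""


def audit_adm(text):
    """Return one record per POLICY: class, name, keys written, fully_managed."""
    records, category_keys = [], []   # category_keys: KEYNAME per open CATEGORY
    cls = policy = part_key = None
    in_part = False
    for line in text.splitlines():
        if line.strip().lower().startswith("[strings]"):
            break                     # localisation table, no registry data
        m = KEYWORD.match(line)
        if not m:
            continue
        word, arg = m.group(1).upper(), _arg(m.group(2))
        if word == "CLASS":
            cls = arg.upper()
        elif word == "CATEGORY":
            # A nested category inherits its parent's KEYNAME until it sets one.
            category_keys.append(category_keys[-1] if category_keys else None)
        elif word == "POLICY":
            policy = {"class": cls, "name": arg, "written": [],
                      "key": category_keys[-1] if category_keys else None}
        elif word == "PART":
            in_part, part_key = True, None
        elif word == "KEYNAME":
            if policy is None:
                if category_keys:
                    category_keys[-1] = arg
            elif in_part:
                part_key = arg
            else:
                policy["key"] = arg
        elif word == "VALUENAME" and policy is not None:
            # A value lands in the PART's own key if it has one, else the policy's.
            key = part_key if in_part and part_key else policy["key"]
            if key and key not in policy["written"]:
                policy["written"].append(key)
        elif word == "END":
            what = arg.upper()
            if what == "PART":
                in_part, part_key = False, None
            elif what == "POLICY" and policy is not None:
                keys = policy["written"]
                # No recognised write at all means the policy needs manual review.
                managed = bool(keys) and all(is_managed_key(k) for k in keys)
                records.append({"class": policy["class"], "name": policy["name"],
                                "keys": keys, "fully_managed": managed})
                policy = None
            elif what == "CATEGORY" and category_keys:
                category_keys.pop()
    return records


if __name__ == "__main__":
    for rec in audit_adm(SAMPLE_ADM):
        verdict = "managed" if rec["fully_managed"] else "TATTOOS"
        print(f'{verdict:8} {rec["class"]:8} {rec["name"]}: {", ".join(rec["keys"])}')
```

Policies reported as not fully managed are the ones the editor hides by default and that stay in the registry after the GPO is removed.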

Seeing ADM templates

So, seeing the ADM templates isn't all that hard. The editor, by default, doesn't show you the settings. But it's easy. Click on the word "Administrative Templates" (either User or Computer half). Then select View | Filtering. Finally, uncheck (yes, uncheck) "Only show policy settings that can be fully managed." When you do, you'll see "Passport Solicitation" as a policy setting show up under the Setting column as seen here.

XP vs. Vista in the editor

Did you notice a subtle difference in the policy setting that just popped up? Look at the icons of policy settings that ship in the box.

Now, look at the icon for a policy setting from an ADM template where the settings don't write to the proper Policies registry keys.

This blue vs. red icon differential helps you know which settings will tattoo, and which won't. But again, it's all based upon where the setting actually targets its settings. In Vista, by the way, the situation changes a bit when you use ADM files in your management station. ADM files show up in their own node called the "Classic Administrative Templates (ADM)" node, as seen below. What were red-dot settings now show up as a scroll icon with a down arrow (but while editing the setting itself, it has a little "No Enter" sign), all seen below.

The settings that were blue-dot (those that write to the proper Policies keys) show up as little scroll icons, as seen here.

Next time..

This newsletter is about to get to be "too long." So, what we'll do is cut it off here, and talk more about ADM vs. ADMX files a little more in the next issue.

How PolicyPak Software Changes Things

Before I even jump to the good parts, let me just say that PolicyPak software is now ready for you to download and check out today! So, if you decide halfway through reading this, "I just gotta start playing!" ... well, you can! Just go to PolicyPak.com, register for an account, validate the account, and download the software you put in your download cart!

As we've just learned, ADM templates are great, but they're not the best solution to settings management. You still need to:

  • Figure out all the ways the target application needs to be controlled
  • Create the ADM files by hand

Then, those ADM files ...

  • "Tattoo" the Registry (boo!)
  • Can't even get to some areas of the Registry with ADM files at all! (Think reg_binary values or HKEY_Classes_Root.)

And finally,

  • The ADM language doesn't let you "craft" a look and feel similar to the application you're actually trying to control.

Not to mention that ADM files only manipulate the Registry. If your application has tweaks in .ini files, or custom configuration files or databases, ADM files just won't be able to get in there to adjust the settings you need them to.

Enter PolicyPak.

PolicyPak Software is a new venture of mine that offers software that lets you naturally control your existing applications with Group Policy.

How do we do it?

We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy.

  • Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader.
  • Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger.
  • Wanna control WinZip using Group Policy? We're working on PolicyPak for WinZip (and lots of others...)
  • Wanna control something we don't support yet? Suggest an application at www.PolicyPak.com/suggest!

Our goal is to have lots of PolicyPaks to control the applications you already have.

You'll purchase them a la carte, so you'll get only the PolicyPaks you need.

Not only have we already "done the research for you", the interface looks almost exactly like the target application. No learning curve! You're gonna love them! In this example, we're changing the color of the Highlight Color in the Forms tab.

Try doing THAT with an ADM template! Or this trick: setting where files should be saved when users utilize Windows Live Messenger.

So, how can you check them out?

We're ready for you to check us out and take it for a test drive. Just mosey over to www.PolicyPak.com, register for an account and give our two PolicyPaks a whirl.


About GPanswers.com Training

Choosing the Right Course for You

Did you know that here at GPanswers.com, we have GP courses that fit what YOU need?

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses—2007 scheduled

So, here's the 2007 (first half) line-up:

  • August 8–9: Chicago, IL: Two-Day Group Policy Intensive Course (XP Focused)
  • August 10: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Oct 23, 24 and 25: Netherlands: Three-Day Group Policy Less-Intensive Course (XP Focused). Sign up here.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about the SECOND HALF of 2007?

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go for the first half!

Now tell me where you want me to go for the second half. The cities with the most "votes" get classes in their city.

Here's a deal you can't pass up!

Okay, let's assume I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee!

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, the Security Team and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

LIMITED TIME Private Course Special Offer

If you book three days of private class training which completes before Sep 7, 2007, I'll include all travel expenses. So, maybe you'd like the Two-Day XP Training with the One-Day XP-To-Vista Catchup day. Or, maybe the Vista Two-Day and One-Day Advanced training.

Any three training days qualify for this special offer.

I have some free time in the summer I want to fill, and want to give you an incentive to help me book that unused time. So, you pay no travel expenses if the class completes before Sep 7, 2007!


Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Security directly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!
Note that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • FullArmor corp, with their Endpoint Policy Manager
  • PolicyPak Software, with their PolicyPak family of tools

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]. Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Margot at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

May 2007
31

Issue #23

GPanswers.com Special Mid-Newsletter Update

Are you going to be at Microsoft's TechEd next week?

I am, and I hope you'll come by and say Hi!

In fact, I've got some really big news, so I'm breaking it down in three bites to make it easier to digest.

  • I'm speaking at TechEd, and so are some other speakers you'll be interested in.
  • It's here: PolicyPak Software! Group Policy—Enable Your World!
  • More ways to connect at TechEd (free book signing and more!)

SPEAKING TIMES AT TechED

I'll be speaking twice—same talk (just repeated). Come to one, or both!

Topic: Deep Dive into Windows Vista Group Policy Changes and Troubleshooting

Session ID: CLI408
Time #1: Tuesday 8.45 Room S330
Time #2: Thursday 9.45 Room: N320 A

The beauty of Group Policy changes is not skin deep. There are some basic and detailed changes lying under the hood. And Jeremy Moskowitz of GPanswers.com and author of "Group Policy: Management, Troubleshooting, and Security" is just the guy to bring them to you. In this session, learn why you can't just run gpresult.exe anymore and get the results you want. Discover what happens if you reconnect to the network after a long absence. Learn how to crack open the new Vista event log and trace Group Policy flow to figure out what might be going on. Learn how other areas, like Offline Files and Group Policy Software Installation can be tweaked to give you just the information you need to fix what ails you. If you're looking for Group Policy answers to your troubleshooting questions, this is the session for you.

OTHER Group Policy Speakers and Speeches

Actually, there's so much Group Policy stuff going on I can't list it all! But here's a sampling.

CLI331 - Using Group Policy with Windows and Windows Server 2008
Wednesday, June 6 10:15 AM - 11:30 AM, S330
And
Thursday, June 7 1:00 PM - 2:15 PM, S320 A
Speaker(s): Mark Williams and Jason Leznek

This scenario-based walkthrough uses a series of demonstrations to offer an in-depth understanding of new and enhanced Group Policy functions in Windows Vista, and plans for the Windows Server 2008 timeframe. This session showcases Windows Vista as a Windows Vista Group Policy administrative workstation. Learn about new Group Policy features in Windows Vista, including the new format and functionality of Administrative Template (ADMX) files (and interop with legacy ADM files), the ADMX central store, improved awareness of changing network conditions, using multiple local Group Policy Objects (MLGPOs), and Group Policy Management Console (GPMC) integration into the operating system. Demos include using the new event viewer ("Crimson"), and showcase a selection of the hundreds of new policy settings delivered with Windows Vista. Finally, we provide an introduction to the products acquired from DesktopStandard and discuss their future availability and roadmap.

CLI316 - Microsoft Desktop Optimization Pack: Advanced Group Policy Management (AGPM)
Tuesday, June 5 4:30 PM - 5:45 PM, N320 A
Speaker(s): Derek Melber, Winni Verhoef

Advanced Group Policy Management, a Microsoft Desktop Optimization Pack technology, adds an important level of control to Group Policy management. By adding delegation and workflow for Group Policy management, the enterprise administrator gains granular control over Group Policy deployment. This session explores the AGPM product and how it can help the Enterprise regain control over Group Policy management.

CLI03-TLC - ADMX File Creation and Management
Wednesday, June 6 3:45 PM - 5:00 PM, Yellow Theater 1
Speaker: Judith Herman

Microsoft Windows Vista introduced ADMX files to define Group Policy settings. This session describes how to create, edit, and manage ADMX files (and their associated ADML files for multi-lingual support). The discussion covers the syntax of these files and how they are used with the ADMX Central Store.

Okay—Here's the Big News: PolicyPak Software

Two TechEds ago, I had a flash of realization about Group Policy. Group Policy does some amazing stuff. It controls Windows itself really, really well. But what it doesn't control really, really well are third-party applications.

Sure, there's ADM templates. But ADMs are just NOT the ideal solution. With ADM templates you have to:

  • Figure out all the ways the target application needs to be controlled
  • Create the ADM files by hand

Then, those ADM files "tattoo" the Registry. All the while, you can't even get to some areas of the Registry with ADM files at all! (Think reg_binary.)

And finally, the ADM language doesn't let you "craft" a look and feel similar to the application you're actually trying to control. Not to mention that ADM files only manipulate the Registry. If your application has tweaks in .ini files, or custom configuration files or databases, ADM files just won't be able to get in there to adjust the settings you need them to.

Enter PolicyPak.

PolicyPak Software is a new venture of mine that offers software that lets you naturally control your existing applications with Group Policy.

How do we do it?
We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy.

  • Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader.
  • Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger.
  • Wanna control WinZip using Group Policy? We offer PolicyPak for WinZip.

Our goal is to have lots of PolicyPaks to control the applications you already have.
You'll purchase them a la carte, so you'll get only the PolicyPaks you need. And the interface looks almost exactly like the target application. No learning curve.
And PolicyPaks act a lot more like Group Policy than ADM templates do.
You're gonna love them!

So, how can you check them out?
Two ways:
Way #1: We're still in "private beta", but you can get on board if you send me an email letting me know that you're interested, and telling me how you plan to test our software out. This can be a simple test lab or a pilot group.
Way #2: Come to Booth #914 at TechEd and meet the Specops Group Policy Gurus. That's me, Darren Mar-Elia of GPOGuy.com, and SDM Software and the Specops Guys who make some awesome Group Policy software (www.specopssoft.com)! We'll be there most of the conference to show off our stuff and answer your tough Group Policy questions! And I'll have live demos of my new software and we can talk about what you think!

We have a website, www.PolicyPak.com, with more information and images of the PolicyPak interface that you can check out, too. But right now there is no way to download the beta software. It is a PRIVATE BETA open only to people who email me directly. If you think you can get me some feedback before TechEd starts, I especially want to hear from you!

Book Signing at NetIQ's Booth

At NetIQ's booth, I'll be giving away 100 free signed copies of my new book. All you need is one of my famous "Group Policy Book/Training Postcards" and then just be one of the first 100 people in line to get your free, signed copy. Come to NetIQ's booth before the free book signing on Wednesday from 1:00 to 2:00 for all the details!

More at TechEd to Love
There is likely going to be more news and stuff to love at TechEd this year, and when I find out about it, the quickest way I can tell you about it is via my blog at www.GPanswers.com/blog. Keep checking it for updates as they happen! See you at TechEd 2007 (booth #914!, mostly!)

May 2007
09

Issue #22

Newsletter 22. In this issue:

  • Jeremy Talks About Vista and Group Policy, and Other News from GPanswers.com
  • May the Fourth (Edition) Be With You . . .
  • Moskowitz, inc. Technology Takeaway®
    • Some tips about using GP to manage Office 2007
  • Public GP Training Schedule Update
    • Different course levels
    • XP and Vista coverage
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

There's lots to tell you in this issue! There was so much, in fact, that I held some back for the next edition, which will be out much sooner than normal.


This Month's Newsletter Sponsored by: BeyondTrust Corporation

Enable users who don't have administrative privileges to run all applications!

BeyondTrust Privilege Manager was the first product to enable the security best practice of Least Privilege in Windows environments by allowing administrators to assign end users permissions to required or selected applications. Built for Windows 2000, XP, and Vista, and applied through Group Policy.

Click the link to learn more: BeyondTrust


GPanswers.com News

Holy cow—it's here! 786 pages!

You wanted it, and now you can get it. The biggest GP book of all time, and it's available RIGHT NOW. That's right, I've got an updated version of my popular Group Policy book. It's not called "4th edition", but that's really what it is.

Learn more at www.GPanswers.com/book (and in the note below).

In short, it's long. Fully updated for Vista, XP/SP2, and Server 2003.

200 new pages. You're gonna love it. Get a signed copy at www.GPanswers.com/book!

Jeremy talks about Group Policy and Vista

In case you missed it, here's a link to an interview conducted by Greg Shields of Redmond Magazine where he and I chatted about some of the new customizations in Group Policy that come with Windows Vista and why you should start implementing them now to prepare for what's to come in Windows Server Longhorn.

Download the podcast from here

Updated GPanswers.com/community forum

We've moved and shaken a little bit in the forums, and now things are more streamlined. If you have a question about something in the book, or something about the material that the same chapter in the book would cover, you can just post to one place. (Trust me, this makes sense when you check it out.) So, join the community forum today!

Don't forget the blog

Some people have asked why they don't see as many newsletters anymore.

Because now I have my little blog, so that when I have a neat little nugget to share, I can do it immediately.

I don't have to compile all those little tips into a big newsletter.

So, I'm saving the newsletter for longer tips that I think tell a bigger story.

Getting to the blog is easy. Just shuffle over to www.GPanswers.com/blog and you can use the RSS link on that page to get updated whenever there are goodies to be had!

Welcome to Cynthia

I have a new right-hand here in the offices of Moskowitz, inc. Her name is Cynthia Talmage, and she can help you order a case of books, sign up for Public class, or help you get that Private class you always wanted. You can also ping her just to say Hi. You can say Hi by emailing [email protected].

Welcome to Eric

Eric has joined Adam to help out with the GPanswers.com community forum. As a long-standing member, he has already provided countless tips and nuggets of advice to other visitors, and now he is also helping to keep the forum in order to make it even easier to get the best quality information about Group Policy from your peers. A warm welcome to Eric. Why not join him and our other regulars in the GPanswers forum today?

Spread the Word

If you enjoy this newsletter and are anxious to read the material we had to leave out for next time, why not share the GPanswers love?

Spread the word! How?

Simply forward the newsletter email that you received to a colleague or friend and they can decide if they like the content, and if so, they can sign up here to make sure they don't miss out on future releases.

Or maybe you can mention the newsletter in your blog or just shout "I love GPanswers.com" to the guy next to you in traffic. However you do it—let people know why you think GPanswers is THE place to go for Group Policy information.


Fourth Edition of Jeremy's Group Policy Book... renamed:

Group Policy: Management, Troubleshooting, and Security

Every single chapter has gotten an update for Vista, but I still make sure you have all the information you need for both Windows XP and Windows 2000. Here are some of the highlights of the new edition:

  • A real lab guide makes it easier to follow along with all of the hundreds of examples. So, you can walk through everything with me if you want to.
  • Multiple Local GPOs for Vista with walk-through examples.
  • Understanding and troubleshooting Vista's method for determining if you're online or offline, and what that means for GP processing.
  • Troubleshooting in a Vista world.
  • Find out what happens with ADM and ADMX files when you create a GPO. Or what happens if you edit a GPO from Vista or XP. And back again!
  • Software Restriction Policies secrets.
  • Tricking Restricted Groups so it’s not “rip and replace”.
  • Controlling User Account Control, and tweaking it for specific scenarios.

There's so much more ... read more detail and some reviewers' comments here. You can order the book from popular online retailers, or get it SIGNED if you order it directly from me. Just click here!


Technology Takeaway®, a Service of Moskowitz, inc.

A quick look at Group Policy for Office 2007

Many of you will be facing the challenge of planning a deployment of Office 2007, or you may already have some early adopters in your organization. So in this edition, we'll take a look at how to implement some of the useful Group Policy controls for this new version of Office.

First things first—the ADM templates

Microsoft has released a collection of ADM files (yes, ADM files) so you can manage these policies from an XP or 2003 machine just as easily as from Vista/Longhorn. These can be downloaded as a single extractable file here: http://go.microsoft.com/fwlink?linkid=75729

A little side note: What's strange is that ADMX files for when you use Vista management stations are STILL missing in action. I've seen pre-beta versions, but they never seem to materialize.

Anyway, once you have downloaded and extracted them, add them to your GPMC by editing or creating a policy, then right-clicking Administrative Templates | Add/Remove templates | Add. Browse to the extracted files and add the ones you need.

There are settings available for the machine side or the user side, but the vast majority target user settings.

Help your users save things properly

One gripe system admins often have is that their users simply don't follow corporate guidelines, ignore all their training, and save things where they should not—particularly in places such as My Documents. This is a little unfair—many users would argue that if you want them to save somewhere, you should make it an easy place to find. You might also consider just preventing them from saving anywhere else but the place you designate. Let's look at helping your users find the right place first.

On XP/2003/2000, you would look under User Configuration | Administrative Templates; with Vista go down one more level to "Classic administrative templates" (which indicates their ADM file format). There you will find Microsoft Office 2007 System | File open/Save dialog box.

The first section in there deals with the Places Bar—the "favorites" area of the Open and Save dialog boxes. You can add up to 10 locations which will appear in the order you enter them, and you can give them meaningful names—no more "X: (fileshare on SRV27)", but "Your shared work files". You can use UNCs and combine environment variables for profile locations, and so on.

So, we've made it easy to find the right place, how about blocking the "wrong" places? This requires a combination of two settings, both of them under the section "Restricted browsing". Enabling "Activate Restricted Browsing" will mean that in the Save As dialog, users will not be able to navigate to any folder which is not explicitly allowed by the second (multi-value) setting, "Approve locations". Note that if you set the first one, you MUST provide a list in the second one.

Notice that these settings restrict where users can save, but do not limit where they can browse to open files (which they might have previously put in the wrong place).

Using Corporate standard templates

Anyone working for a large company will likely be familiar with the idea that they should stick to certain corporate guidelines for their documents; in other words, layout, styles, fonts, etc. should be consistent between documents and between authors.

In order to facilitate this process, marketing departments (usually aided by IT, of course) often create standard templates for users to use for their letters, faxes, presentations, and so on.

When the process is implemented badly, users will save their own copies of these templates which become out-of-date once the originals are updated, and all their future documents then deviate from company standards. Here are some simple rules of thumb if your business has gone to the effort of making these standard documents:

  • Save them once in a central fileshare to which all users have read access and only a limited number of individuals have any modify permissions.
  • Tell users to use these and only these.
  • Better still, configure their Office apps to know where to find the templates, so when they create a new document, the application automatically gives them the right choices.

Now in Office 2000/2003, this was easy to do through the UI. In the always-connected world of Office 2007, however, it is just as likely for the app to try and find a jazzy-looking resume from the internet as it is to deliver the corporate memo template.

So, under Office 2007 System | Shared Paths | Workgroup Templates, set the UNC or the drive and folder where the templates are stored. (You can also do this for previous versions using the matching ADM files.)
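The first rule of thumb above (read access for everyone, modify rights for only a few) can be checked with a short script. This is an added example, not part of the original newsletter; it assumes PowerShell 3.0 or later, and the UNC path and group names are hypothetical placeholders.

```powershell
# Added example: report who can change files in the central templates folder.
# The UNC path and the editor group names are hypothetical; substitute your own.
param(
    [string]$TemplatePath = '\\fileserver.example\OfficeTemplates',
    [string[]]$AllowedEditors = @(
        'EXAMPLE\Template-Editors',
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM'
    )
)

# Specific rights that allow changing, replacing, or re-permissioning a template.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights sometimes stored raw in inherit-only ACEs: GENERIC_WRITE | GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

function Get-UnexpectedWriter {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0)
        if ($canWrite -and ($Allowed -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the folder itself and every template in it, since a file can carry
# its own explicit ACE that the folder ACL does not show.
$targets = @($TemplatePath) + @(Get-ChildItem -LiteralPath $TemplatePath -Recurse | ForEach-Object { $_.FullName })
$findings = foreach ($t in $targets) { Get-UnexpectedWriter -Path $t -Allowed $AllowedEditors }

if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) ACE(s) grant write access outside the approved editor list."
} else {
    Write-Output 'Only the approved editors can modify the templates (NTFS level).'
}
```

Get-Acl reads the NTFS ACL only; share-level permissions on the fileshare are evaluated separately and need their own review.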

Managing file types during your migration

There are lots of good reasons why the underlying file type has been changed after all these years, and many admins are thanking the development team for making all the files sitting on their fileservers and in their email systems so much smaller. But there is the potential problem of compatibility if your network is too big to upgrade everyone all at once.

You could download and install the Office 2007 compatibility pack on all your machines that have older versions, but this could be quite time consuming. As a short-term measure you might want to simply change the default for your Office 2007 applications to save in the older format.

Using Excel as our example, you need to look under User Configuration | Administrative Templates | [Classic Administrative Templates(ADM)] | Microsoft Excel 2007 | Excel Options | Save. The setting for "Save Excel Files as", once enabled, has a drop-down list of choices. The most likely option you would want is "Excel 97-2003 workbook".

Note that the application will use this as the default file format when saving, but does not prevent the user from making a different choice. Nor does the policy gray out the choice under the Office button | Excel options | Save, so the user can still change the default in the UI. However, when they restart Excel, the default goes back to the policy setting, even before a GP refresh.

That's all the time we have for tips in this issue! Next time there'll be more about the way the GP engine works, and some information about the improved troubleshooting tools available under Vista. Please continue to submit your own tips or links to useful information in the GPanswers.com forums.


Choose the Right Active Directory and Group Policy Course for You

Did you know that here at GPanswers.com, we have GP courses that fit what YOU need?

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses—2007 (First Half) scheduled

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go! So, here's the 2007 (first half) line-up:

  • May 21–22, Washington, DC: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat! We need you to sign up ASAP (or we might have to cancel!)
  • May 23–24, New York, NY: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat!
  • May 25, New York, NY: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • June 18–19, Phoenix, AZ: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat!
  • June 20, Phoenix, AZ: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • June 21, Phoenix, AZ: One-Day Group Policy XP-to-Vista Catch-Up Course
  • July 16–17, San Francisco, CA: Two-Day Group Policy Intensive Course (XP Focused)
  • July 18, San Francisco, CA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • August 8–9, Chicago, IL: Two-Day Group Policy Intensive Course (XP Focused)
  • August 10, Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)

For any public class, sign up online at: https://www.gpanswers.com/workshop/ Some notes:

  • This is the first time the Advanced Group Policy course has been made available to the public. If you've taken the Two-Day or Three-Day course, check it out. If you sign up for the Two-Day Intensive and One-Day Advanced at the same time, you'll get $100 off the third day.
  • Phoenix is the only place you can take the One-Day XP-to-Vista Catch-Up course right now.

Here's a deal you can't pass up!

Okay, so I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee!

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Private Course Special Offer

If you book a private class which completes before August 31, 2007, I'll include all travel expenses. I have some free time in the summer I want to fill, and want to give you an incentive to help me book that unused time. So, you pay no travel expenses if the class completes before Aug 31, 2007!


Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Security directly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!
Note that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • Biscom Corp with their FaxCom Suite for Windows
  • BeyondTrust Corporation with their BeyondTrust Privilege Manager product
  • NetIQ with their GP Guardian product
  • SDM software with their GP Health Reporter

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

 

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Cynthia at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!