MDM & GP Tips Blog

May 9, 2007

Issue #22

Newsletter 22. In this issue:

  • Jeremy Talks About Vista and Group Policy, and Other News from GPanswers.com
  • May the Fourth (Edition) Be With You . . .
  • Moskowitz, inc. Technology Takeaway®
    • Some tips about using GP to manage Office 2007
  • Public GP Training Schedule Update
    • Different course levels
    • XP and Vista coverage
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

There's lots to tell you in this issue! There was so much, in fact, that I held some back for the next edition, which will be out much sooner than normal.


This Month's Newsletter Sponsored by: BeyondTrust Corporation

Enable users who don't have administrative privileges to run all applications!

BeyondTrust Privilege Manager was the first product to enable the security best practice of Least Privilege in Windows environments by allowing administrators to assign end users permissions to required or selected applications. Built for Windows 2000, XP, and Vista, and applied through Group Policy.

Click the link to learn more: BeyondTrust


GPanswers.com News

Holy cow—it's here! 786 pages!

You wanted it, and now you can get it. The biggest GP book of all time, and it's available RIGHT NOW. That's right, I've got an updated version of my popular Group Policy book. It's not called "4th edition", but that's really what it is.

Learn more at www.GPanswers.com/book (and in the note below).

In short, it's long. Fully updated for Vista, XP/SP2, and Server 2003.

200 new pages. You're gonna love it. Get a signed copy at www.GPanswers.com/book!

Jeremy talks about Group Policy and Vista

In case you missed it, here's a link to an interview conducted by Greg Shields of Redmond Magazine where he and I chatted about some of the new customizations in Group Policy that come with Windows Vista and why you should start implementing them now to prepare for what's to come in Windows Server Longhorn.

Download the podcast from here

Updated GPanswers.com/community forum

We've moved and shaken a little bit in the forums, and now things are more streamlined. If you have a question about something in the book, or something about the material that the same chapter in the book would cover, you can just post to one place. (Trust me, this makes sense when you check it out.) So, join the community forum today!

Don't forget the blog

Some people have asked why they don't see as many newsletters anymore.

Because now I have my little blog, so that when I have a neat little nugget to share, I can do it immediately.

I don't have to compile all those little tips into a big newsletter.

So, I'm saving the newsletter for longer tips that I think tell a bigger story.

Getting to the blog is easy. Just shuffle over to www.GPanswers.com/blog and you can use the RSS link on that page to get updated whenever there are goodies to be had!

Welcome to Cynthia

I have a new right-hand here in the offices of Moskowitz, inc. Her name is Cynthia Talmage, and she can help you order a case of books, sign up for Public class, or help you get that Private class you always wanted. You can also ping her just to say Hi. You can say Hi by emailing [email protected].

Welcome to Eric

Eric has joined Adam to help out with the GPanswers.com community forum. As a long-standing member, he has already provided countless tips and nuggets of advice to other visitors, and now he is also helping to keep the forum in order to make it even easier to get the best quality information about Group Policy from your peers. A warm welcome to Eric. Why not join him and our other regulars in the GPanswers forum today?

Spread the Word

If you enjoy this newsletter and are anxious to read the material we had to leave out for next time, why not share the GPanswers love?

Spread the word! How?

Simply forward the newsletter email that you received to a colleague or friend and they can decide if they like the content, and if so, they can sign up here to make sure they don't miss out on future releases.

Or maybe you can mention the newsletter in your blog or just shout "I love GPanswers.com" to the guy next to you in traffic. However you do it—let people know why you think GPanswers is THE place to go for Group Policy information.


Fourth Edition of Jeremy's Group Policy Book... renamed:

Group Policy: Management, Troubleshooting, and Security

Every single chapter has gotten an update for Vista, but I still make sure you have all the information you need for both Windows XP and Windows 2000. Here are some of the highlights of the new edition:

  • A real lab guide makes it easier to follow along with all of the hundreds of examples. So, you can walk through everything with me if you want to.
  • Multiple Local GPOs for Vista with walk-through examples.
  • Understanding and troubleshooting Vista's method for determining if you're online or offline, and what that means for GP processing.
  • Troubleshooting in a Vista world.
  • Find out what happens with ADM and ADMX files when you create a GPO. Or what happens if you edit a GPO from Vista or XP. And back again!
  • Software Restriction Policies secrets.
  • Tricking Restricted Groups so it’s not “rip and replace”.
  • Controlling User Account Control, and tweaking it for specific scenarios.

There's so much more ... read more detail and some reviewers' comments here. You can order the book from popular online retailers, or get it SIGNED if you order it directly from me. Just click here!


Technology Takeaway®, a Service of Moskowitz, inc.

A quick look at Group Policy for Office 2007

Many of you will be facing the challenge of planning a deployment of Office 2007, or you may already have some early adopters in your organization. So in this edition, we'll take a look at how to implement some of the useful Group Policy controls for this new version of Office.

First things first—the ADM templates

Microsoft has released a collection of ADM files (yes, ADM files) so you can manage these policies from an XP or 2003 machine just as easily as from Vista/Longhorn. These can be downloaded as a single extractable file here: http://go.microsoft.com/fwlink?linkid=75729

A little side note: What's strange is that ADMX files for when you use Vista management stations are STILL missing in action. I've seen pre-beta versions, but they never seem to materialize.

Anyway, once you have downloaded and extracted them, add them to your GPMC by editing or creating a policy, then right-clicking Administrative Templates | Add/Remove templates | Add. Browse to the extracted files and add the ones you need.

There are settings available for the machines side or the user side but the vast majority target user settings.

Help your users save things properly

One gripe system admins often have is that their users simply don't follow corporate guidelines, ignore all their training, and save things where they should not—particularly in places such as My Documents. This is a little unfair—many users would argue that if you want them to save somewhere, you should make it an easy place to find. You might also consider just preventing them from saving anywhere else but the place you designate. Let's look at helping your users find the right place first.

On XP/2003/2000, you would look under User Configuration | Administrative Templates; with Vista go down one more level to "Classic administrative templates" (which indicates their ADM file format). There you will find Microsoft Office 2007 System | File open/Save dialog box.

The first section in there deals with the Places Bar—the "favorites" area of the Open and Save dialog boxes. You can add up to 10 locations which will appear in the order you enter them, and you can give them meaningful names—no more "X: (fileshare on SRV27)", but "Your shared work files". You can use UNCs and combine environment variables for profile locations, and so on.

So, we've made it easy to find the right place, how about blocking the "wrong" places? This requires a combination of two settings, both of them under the section "Restricted browsing". Enabling "Activate Restricted Browsing" will mean that in the Save As dialog, users will not be able to navigate to any folder which is not explicitly allowed by the second (multi-value) setting, "Approve locations". Note that if you set the first one, you MUST provide a list in the second one.

Notice that these settings restrict where users can save, but do not limit where they can browse to open files (which they might have previously put in the wrong place).

Using Corporate standard templates

Anyone working for a large company will likely be familiar with the idea that they should stick to certain corporate guidelines for their documents; in other words, layout, styles, fonts, etc. should be consistent between documents and between authors.

In order to facilitate this process, marketing departments (usually aided by IT, of course) often create standard templates for users to use for their letters, faxes, presentations, and so on.

When the process is implemented badly, users save their own copies of these templates, which become out of date once the originals are updated, and all their future documents then deviate from company standards. Here are some simple rules of thumb if your business has gone to the effort of making these standard documents:

  • Save them once in a central fileshare to which all users have read access and only a limited number of individuals have any modify permissions.
  • Tell users to use these and only these.
  • Better still, configure their Office apps to know where to find the templates, so when they create a new document, the application automatically gives them the right choices.

Now in Office 2000/2003, this was easy to do through the UI. In the always-connected world of Office 2007, however, it is just as likely for the app to try and find a jazzy-looking resume from the internet as it is to deliver the corporate memo template.

So, under Office 2007 System | Shared Paths | Workgroup Templates, set the UNC or the drive and folder where the templates are stored. (You can also do this for previous versions using the matching ADM files.)

Managing file types during your migration

There are lots of good reasons why the underlying file type has been changed after all these years, and many admins are thanking the development team for making all the files sitting on their fileservers and in their email systems so much smaller. But there is the potential problem of compatibility if your network is too big to upgrade everyone all at once.

You could download and install the Office 2007 compatibility pack on all your machines that have older versions, but this could be quite time consuming. As a short-term measure you might want to simply change the default for your Office 2007 applications to save in the older format.

Using Excel as our example, you need to look under User Configuration | Administrative Templates | [Classic Administrative Templates(ADM)] | Microsoft Excel 2007 | Excel Options | Save. The setting for "Save Excel Files as", once enabled, has a drop-down list of choices. The most likely option you would want is "Excel 97-2003 workbook".

Note that the application uses this as the default file format when saving, but it does not prevent the user from choosing a different format for a given file. Nor does it gray out the choice under the Office button | Excel Options | Save, so the user can still change the default in the UI; however, when they restart Excel the policy setting is reapplied, even before a GP refresh.

That's all the time we have for tips in this issue! Next time there'll be more about the way the GP engine works, and some information about the improved troubleshooting tools available under Vista. Please continue to submit your own tips or links to useful information in the GPanswers.com forums.


Choose the Right Active Directory and Group Policy Course for You

Did you know that here at GPanswers.com, we have GP courses that fit what YOU need?

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses: 2007 (First Half) scheduled

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go! So, here's the 2007 (first half) line-up:

  • May 21–22, Washington, DC: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat! We need you to sign up ASAP (or we might have to cancel!)
  • May 23–24, New York, NY: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat!
  • May 25, New York, NY: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • June 18–19, Phoenix, AZ: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat!
  • June 20, Phoenix, AZ: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • June 21, Phoenix, AZ: One-Day Group Policy XP-to-Vista Catch-Up Course
  • July 16–17, San Francisco, CA: Two-Day Group Policy Intensive Course (XP Focused)
  • July 18, San Francisco, CA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • August 8–9, Chicago, IL: Two-Day Group Policy Intensive Course (XP Focused)
  • August 10, Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)

For any public class, sign up online at: https://www.gpanswers.com/workshop/ Some notes:

  • This is the first time the Advanced Group Policy course has been made available to the public. If you've taken the Two-Day or Three-Day course, check it out. If you sign up for the Two-Day Intensive and One-Day Advanced at the same time, you'll get $100 off the third day.
  • Phoenix is the only place you can take the One-Day XP-to-Vista Catch-Up course right now.

Here's a deal you can't pass up!

Okay, so I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee!

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Private Course Special Offer

If you book a private class which completes before August 31, 2007, I'll include all travel expenses. I have some free time in the summer I want to fill, and want to give you an incentive to help me book that unused time. So, you pay no travel expenses if the class completes before Aug 31, 2007!


Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Security directly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!
Note that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • Biscom Corp with their FaxCom Suite for Windows
  • BeyondTrust Corporation with their BeyondTrust Privilege Manager product
  • NetIQ with their GP Guardian product
  • SDM software with their GP Health Reporter

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Cynthia at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jan 12, 2007

Issue #21

Newsletter 21: Rounding off 2006 and looking ahead to 2007

In this issue:

  • It's Issue 21
  • Jeremy's joined the bloggers
  • Moskowitz, inc. Technology Takeaway®
    • The questions on everyone's lips about the next generation of MS software
    • A tip for protecting some accounts from the wrong GPOs
  • Public GP Training Schedule Released (first several months)
  • Subscribe, unsubscribe, and usage information

In this issue, I'm happy to say, we've got a full plate. We've got a link to my interview with Michael Dennis (who is leaving the Group Policy team after 9 years!), a bunch of tips and tricks, and my 2007 public training schedule (for the next few months.) So, let's get started!


This Month's Newsletter Sponsored by: NetIQ

As an IT professional, NetIQ is interested in your thoughts and opinions on managing group policy. We know these responsibilities are critical in today's enterprise, and we value your feedback. Please take a few minutes and complete our brief Group Policy Survey, co-authored by Jeremy Moskowitz. Respond by February 15, and you will be entered for a chance to win a $300 Amazon.com gift certificate. Take the survey today.


GPanswers.com News

Jeremy's GP blog keeps you right up to date

If you just can't get enough information about Group Policy, then my blog would be a good place to go to get the latest and most important stuff you need. Take a look at the GPanswers.com blog to make sure you don't miss out on any updates.

GPanswers.com Exclusive -- "Exit Interview with Michael Dennis, Outgoing Team Lead for Group Policy"

Speaking of the blog, I got an exclusive opportunity to interview the outgoing Team Lead for Group Policy, Michael Dennis. Michael was the lead Program Manager for 9 years and 9 months to the day before changing posts (this Monday). Learn where Michael feels Group Policy is going, what he feels his top achievements at Microsoft have been so far, and what's next for the King of Control. Again, this is on the GPanswers.com blog.

How can I best help GPanswers.com?

If you've ever asked yourself, "How can I help GPanswers.com out?", well, here's your chance.

Sure, we take tips and tricks to help others. But today, I'm asking for something more.

Indeed, you're not helping me out, you're really helping out Ron Hrehirchuk, our original GPanswers.com Guy Friday.

I don't want to get into too many details here, but Ron is gravely sick and is unable to care for his family. Ron has done more for GPanswers.com than I can remember, and he did it for you, our loyal fans for several years.

Now, it's Ron and Ron's family's time of need.

In short, I (Jeremy) am personally asking you to donate to Ron's family's fund.

Click here.

It's via PayPal and it's quick and easy to do. The link is here. And it would mean a lot to me, personally, to know that the GPanswers.com folks have made a difference in the life of someone who tried to help make a difference in yours.


Technology Takeaway®, a Service of Moskowitz, inc.

FAQs about Group Policy for the latest MS products

Can I install the Group Policy Management Console (GPMC) on Vista?

The GPMC for Windows 2000, XP and 2003 is still available; the latest version is "GPMC with Service Pack 1," which you can download from MS here. However, Vista will ship with GPMC v2 already built in, so there's no need to download anything; just start using it! Note that the old version won't work in Vista, so don't try to install it.

What about converting my old custom ADM files to ADMX format?

Before we get too far along in this topic... who is making custom ADM files and what are you making them for? Drop me a line and let me know.

As you know by now, the method for storing available group policy settings for Vista is an XML-based file format known as ADMX. This is the format your new custom policy definitions need to use if you want to include them in GPOs you will create on a Vista machine, although the policies themselves can be applied to earlier OS versions.

So, the problem is how do you get your current ADM files to the brand new ADMX file version?

At first, Microsoft did not give any indication that they would provide anything to help update existing ADM files, but thankfully they must have been listening to the GP community and (in conjunction with FullArmor corp) have released a free ADMX migrator tool to convert ADM files. This tool also provides a GUI environment for creating and editing ADMX files. You might also want to look at the free XML Notepad 2007 editor which would also allow you to do this and includes useful tools like find and replace and the ability to compare two XML files to find the differences (maybe an old and new version of your custom policy file).

Here's the trick: I've used the tool, and it works as advertised, but it can be a little hard to get the policy settings you're creating to come out "just right." So, be patient with the tool, and take some "time off" if you get a little frustrated. (And don't forget -- it's free!)

How do I know what GP settings are available in each Windows version?

Whenever a new service pack or operating system is released, MS issues a complete spreadsheet of all the Group Policy settings, along with the Explaintext and which OS version the policy setting will affect.

The latest version of the Group Policy Settings file is up to date to Vista build 6000 - the RTM version of Vista.

The new file layout also includes columns to let you know if the policy requires a reboot or logoff in order for the policy to take effect. (Note: it's not 100% accurate; it's missing some, but it's a darn good start.)

You can filter the list easily on these columns, and use the usual Find feature (CTRL-F) to search for particular text. The older file for versions of Windows up to 2003 sp1 / XP sp2 is still useful if you are not moving to Vista just yet, as it shows which ADM files you will find the settings in when working with these older systems.

I'm not using Vista but I want to manage my IE7 deployment, what can I do?

In the last newsletter we talked about the blocker toolkit, which you can use to prevent the installation of Internet Explorer 7 if you, your users, or some applications you need are not ready for it just yet. If you are ready and want to roll out, though, you might like to download the ADM files for IE7, which will let you create GPOs that manage IE7 on XP SP2 and 2003 SP1 (the supported OSes for IE7). Why didn't these ship as ADMX files? No idea. I wish they had.

Notes from the field: Protecting your users and computers from an "inadvertent" link of GPOs

Imagine this: You've got an OU full of users or computers. But corporate policy says "Don't link any GPOs to them." Maybe these are lab machines, or your machines or some other type of machine or user accounts which just shouldn't get GPOs. Okay, super.

All well and good until someone doesn't get the memo and still links a GPO to this OU.

Oops.

Now you have a problem.

Turns out, there IS a way to guarantee that no one can link a GPO to the OU.

Here's the trick (and stay with me here): don't make it an OU.

That's right -- don't use an OU for these accounts, use a "container." Just as the default containers for Users and Computers prevent you linking policies to them, so do any other containers you create. The accounts in here will still get domain and site policies, of course (subject to security filtering), but you can guarantee that they won't get any additional policy settings.

How do you create a container? Bad news -- it's not something you can do within Active Directory Users and Computers. But it is easy enough to do: use ADSIEdit.

On an admin workstation which has the "Support Tools" installed (or directly on a server), fire up Start > Run and type ADSIedit.msc. (Note: if you are logged on without domain admin rights, you need to use runas and provide an admin account for this procedure to work.) You should see something like the screenshot below.

Choose the relevant domain, right-click it, and select New > Object, as shown in the screenshot.

Choose to create a new object of the container class, provide a useful, meaningful name for the new object, and finally click Finish.

So now you have a new container which will show up in AD users and computers for example, but simply will not appear in the GPMC or any other GP editing tool since you can't link any policies to it.

Simple yet effective.
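As an added example (not from the newsletter), here is a PowerShell equivalent of the ADSIEdit steps plus a check for the situation described above: it creates the container through ADSI and then lists every OU in the domain with the GPOs linked to it, so an inadvertent link stands out. The domain DN, the container name and the function names are placeholders of mine; run it with an account that can create objects at the domain root.

```powershell
# Added example, not from the newsletter. Creates a plain "container" object
# (the ADSIEdit New > Object > container step) and then audits every OU in the
# domain for linked GPOs, so an inadvertent link shows up immediately.
# Assumptions (placeholders, replace for your environment):
#   - domain DN DC=corp,DC=example
#   - container name NoGPO-Accounts
#   - run with rights to create objects at the domain root (or via runas)

$domainDN      = "DC=corp,DC=example"   # placeholder
$containerName = "NoGPO-Accounts"       # hypothetical name

# Create the container under the domain root. Unlike an OU, a container object
# carries no gPLink attribute, so GPMC offers nothing to link a GPO to.
# Domain- and site-linked GPOs still apply to the accounts inside it.
function New-PlainContainer([string]$parentDN, [string]$name) {
    $parent = [ADSI]"LDAP://$parentDN"
    $obj = $parent.Create("container", "CN=$name")
    $obj.SetInfo()
    return $obj.Path        # ADsPath of the new object, e.g. LDAP://CN=...,DC=...
}

# Audit: every OU and the GPOs linked to it. gPLink holds entries of the form
# [LDAP://cn={GUID},cn=policies,cn=system,<domain>;<options>]; an OU whose
# gPLink is absent or empty has nothing linked directly to it.
function Get-OuGpoLinks([string]$searchBaseDN) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$searchBaseDN"
    $searcher.Filter = "(objectClass=organizationalUnit)"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("gPLink")
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties["distinguishedname"][0]
        $linked = @()
        if ($result.Properties.Contains("gplink")) {
            $raw = [string]$result.Properties["gplink"][0]
            # Pull each GPO GUID out of the bracketed entries
            foreach ($m in [regex]::Matches($raw, '\{[0-9A-Fa-f-]+\}')) {
                $linked += $m.Value
            }
        }
        New-Object PSObject -Property @{ OU = $dn; LinkedGPOs = $linked }
    }
}

New-PlainContainer $domainDN $containerName

# Report only OUs that actually have GPOs linked; compare against your
# "no GPOs here" list to spot the link someone added without the memo.
Get-OuGpoLinks $domainDN | Where-Object { $_.LinkedGPOs.Count -gt 0 } |
    ForEach-Object { "{0} -> {1}" -f $_.OU, ($_.LinkedGPOs -join ", ") }
```

The audit lists OUs only: containers never appear because they cannot carry a gPLink, which is exactly the guarantee the tip relies on.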

That's all the time we have for tips in this issue. Please continue to submit your own tips or links to useful information in the GPanswers.com forums.


Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course? You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which helps you decide the best course to take for your situation. We have both private and public classes, so use the Rightsize tool to get a total understanding of your options.

For the first time ever, we're making the "Less Intensive Three-day" course as well as the "One Day Advanced" course available to the public.

As Vista becomes more popular, we'll make our Vista classes more available. Right now, Vista classes are only available as Private classes.

Public courses -- 2007 (First Half) scheduled

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go! So, here's the 2007 (first half) lineup:

  • Feb 1, 2: Seattle, WA: Two-Day Group Policy Intensive Course (XP Focused)
  • Feb 27, 28: Chicago, IL: Two-Day Group Policy Intensive Course (XP Focused)
  • Mar 1: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Mar 5, 6: Atlanta, GA: Two-Day Group Policy Intensive Course (XP Focused)
  • Mar 7: Atlanta, GA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Mar 13, 14, 15: Portland, OR: Three-Day Group Policy Less-Intensive Course (XP Focused) -- Taught by James Conrad
  • Apr 17, 18, 19: Cleveland, OH: Three-Day Group Policy Less-Intensive Course (XP Focused) -- Taught by James Conrad
  • May 9, 10: San Fran, CA: Two-Day Group Policy Intensive Course (XP Focused)
  • May 11: San Fran, CA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • May 21, 22: Wash, DC: Two-Day Group Policy Intensive Course (XP Focused)
  • May 23, 24: New York, NY: Two-Day Group Policy Intensive Course (XP Focused)
  • May 25: New York, NY: One-Day Group Policy Advanced Course (XP/Vista Focused)

For any public class, sign up online at: https://www.gpanswers.com/workshop/ Some notes:

  • This is the first time the Advanced Group Policy course has been made available to the public. If you've taken the two-day or three-day course, check it out. If you sign up for the "Two-Day Intensive" and "One-Day Advanced" at the same time, you'll get $100 off the third day.
  • I'm working on updating the Two-Day and Three-Day classes for Vista and hope to make them an available course offering by March - April.

Here's a deal you can't pass up!

Okay, so I'll be in the above cities teaching the public classes. But how would you like to get a FREE student in the class? Easy: be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee! Such a deal! Lots of companies have been the hosts for public classes, and they've gotten free training. So, if you're interested in free training for one of your teammates (maybe even you!), contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6 - 8), the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan - or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/

For a private class, just contact me at [email protected] or call me at 302-351-8408.


Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and a whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available! New sponsors this time:

  • BeyondTrust Corporation with their Privilege Manager product.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]. Please POST your technical question on the GPanswers.com/community forum whenever possible. If you have questions about ordering a book, contact my assistant Mark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Sep 2006
25

Issue#20

Newsletter 20: Looking ahead to Vista, IE7 and other upcoming software releases In this issue:

  • It's Issue 20
  • Industry Update
  • GPanswers.com updates
  • Moskowitz, inc. Technology Takeaway (r)
    • IE7 is on the horizon, how do I control my rollout?
    • What do I need to know about GP in Vista?
    • What about Exchange 2007, Office 2007 etc.?
    • How do I know what settings are available in each OS version?
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
  • Welcome new sponsors
  • Free Education!
  • Subscribe, unsubscribe, and usage information

This Month's Newsletter Sponsored by NetIQ

Download "Why Group Policy Matters," the informative whitepaper co-authored by Jeremy Moskowitz and NetIQ. This paper discusses the power of Microsoft's Group Policy and how organizations can better leverage the technology to address key business issues and help your organization attain its efficiency goals. Download the paper today.


GPanswers.com News

New assistant for the GPanswers.com community forum

While Ron takes a break, Adam Vero has stepped up to the plate to help keep GPanswers.com the best web resource for all things relating to Group Policy. Our thanks go to Ron for all his help in the past.

Adam has over 13 years of IT experience in a variety of fields including programming, teaching, systems management and now runs his own consultancy business, Meteor IT Ltd.

If you have not already joined in the discussions, why not come on in to the GPanswers.com forums and share your questions, answers, experiences and hot tips with other GP fanatics.  


Industry News: Microsoft Buys DesktopStandard

This, my friends, is a whopper.

If you haven't read the news, do so here. Now that you've done that, what exactly does this all mean?

Well, Group Policy (the engine) has a lot of moving parts called CSEs, or Client Side Extensions. There are 18 in XP and 21 in Vista. And DesktopStandard's PolicyMaker product adds another 21 CSEs. So, if none get "cut", eventually we'll have 42 CSEs. (I predict several will be cut, like Power Management, because Vista already has a similar one.)

DesktopStandard also has (had?) a product called GPOVault: This is a "Check-in / Check-out" GP management system which is built right into the GPMC. I like this tool because, well, it's just built right in to the GPMC, which means I don't have to load ANOTHER console to do the dirty work. So, the idea is that Sally creates the GPO, Fred makes sure it's Kosher and Kirk puts it in play. All around a welcome addition.

The last "big" product DesktopStandard had was PolicyMaker Software Update. Imagine WSUS that actually worked with GPOs and that understood Active Directory. And, instead of using SMS for the "really big guys", we could just deploy patches using GPOs! Wouldn't that be a great product? Well, that's what this was. However, I'm 99% sure this product won't see the light of day at Microsoft. Microsoft already uses WSUS for the "small" customers and SMS's patching technology for the big customers. This product kind of fit in the middle, and well, I bet that's about it for this product.

In the final analysis, it's great. More stuff for GPO admins to know and love. And more power to do what they love to do.

Stay tuned for more info as it comes up. You bet I'll be all over this when I have more to share.

Technology Takeaway (r), a Service of Moskowitz, inc.

Looking ahead to Vista, IE7 and other upcoming software releases

IE7 is now at Release Candidate 1, so it's only a matter of time...

Maybe you have already tested IE7 and are happy that it interacts with your systems properly. Or perhaps you have some intranet application that either won't accept it (some look for a user-agent string of IE5 or IE6 specifically, so they reject anything else as unacceptable) or doesn't work in some way (blocked popups causing issues, for example). Or maybe you just haven't had a chance to test it yet. Either way, like all good system admins, you probably want to be sure that your users can get the most out of the new features and continue to work efficiently.

You can download IE7 RC1 here if you have not already done so, and take a look at the new additions such as tabbed browsing and the phishing filter that mean Microsoft is closing the feature-gap on other browsers such as Firefox and Opera. Once IE7 is finally released it will be made available via Windows Update as a high-priority update. There has been much speculation that this means a high proportion of users will get the new browser before they know what to do with it, and before system administrators have been able to thoroughly test with intranets and other internal systems. Have no fear, it's a lot more controlled than that!

For starters, if you are using SMS, WSUS or SUS to manage all of your updates anyway, then read no further, you have it all under control (although if you are still using SUS 1.0 you should be aware that support ends on December 6th so you really ought to be upgrading to WSUS fairly soon).

So, if you're not using SMS or (W)SUS, what happens? Well, if your users are not local admins, then - nothing. They don't get prompted to install the update and it won't be pushed on them or automatically installed, period. If they are local admins then they will still get a choice to install or not - and we know how good some users are at making uninformed choices. For this scenario, Microsoft have kindly provided the IE7 Blocker Toolkit which will make sure that these less-managed machines won't get the new browser through Windows Update. In a nutshell, this blocking is done by creation of a registry key. The toolkit provides a script which can be run to create or remove this, and better still an ADM template to apply this via Group Policy. Here's a quick step-by-step on how to do this:

1) Download and run the IE7 Blocker Toolkit which will prompt for a location to extract the files, including the ADM file we will need in a moment.

2) Run the GPMC and create a new policy or edit an existing one which is linked to a location containing the computers which you wish to block from receiving IE7 via Automatic Updates.

3) Navigate to Computer Configuration > Administrative Templates and right click > Add/Remove Templates. Click "Add" and browse to where you extracted the files.


4) Now that the ADM template is added, browse down to Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates Blockers. If you see "There are no items to show in this view", then go to Step 5, otherwise skip to Step 6.


5) If you can't see the settings from the ADM file, you need to change the filtering you have on. Go to View > Filtering and then CLEAR the box "Only show policy settings which can be fully managed", which is ticked by default. (The blocker's registry value lives outside the Software\Policies hives, so the editor treats it as a "preference" and the default filter hides it.)


6) Now you can see the setting to block the delivery of IE7. Set it to "Enabled", and users will not get prompted by Automatic Updates to install IE7; if they do use the "Custom" feature of Windows Update, they will be prevented from installing it.


Unfortunately this won't prevent users with local admin rights from downloading and installing the browser as an MSI for themselves, but that's the reason to only let those who know what they are doing to have those admin rights in the first place, right?  

What do I need to know about Group Policy in Windows Vista?

Not much has changed, really - apart from a total re-write of the format for policy templates, where and how they are stored, and a whole bunch of new settings! The two most important things to understand are that your existing policies will simply continue to work on your existing machines, and that you can only edit policies for Vista and Longhorn on a Vista or Longhorn machine.

So, what is happening to ADM files? The short answer is that any custom ADM files you have will continue to work and the new GPMC will be able to use them in creating or amending policies. But the new ADMX format and syntax (which is XML-based) provides a few key benefits.

The biggest of these is that you can create a single central store for ADMX files which are used by your policies, rather than each policy storing its own copy in the GPT, which can lead to sysvol "bloat" and slow down replication between DCs. The second important point here is the separation between the ADMX file which contains settings and their effects, and an associated ADML file which contains language-specific bits which are exposed through the GUI (the description of the settings and the "Explain" tab for example). So admins can view and manipulate the same policies using a different language interface, rather than all having to share a common language which may not be native to many of them. Of course, for in-house custom files the same is true - but someone has to write the ADML files to go with the ADMX.
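To make the ADMX/ADML split concrete, here is the IE7 block from the step-by-step above written as an ADMX file plus its English ADML. This is an added, constructed example; it is not from the newsletter or the IE7 Blocker Toolkit (which ships an ADM, not an ADMX). The registry value it sets, DoNotAllowIE70 under HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0, is the one the toolkit documents; the file names, namespace and category names are my own assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- File 1 of 2: IE7Block.admx (constructed example). Lives in the central store,
     e.g. \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions, so every GPO shares one copy -->
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <!-- namespace name is an assumption for this example -->
    <target prefix="ie7block" namespace="Example.Policies.IE7Block" />
  </policyNamespaces>
  <!-- no display text here at all: every $(string.*) reference is resolved from the ADML -->
  <resources minRequiredRevision="1.0" />
  <supportedOn>
    <definitions>
      <definition name="SUPPORTED_IE7Block" displayName="$(string.SUPPORTED_IE7Block)" />
    </definitions>
  </supportedOn>
  <categories>
    <category name="AUBlockers" displayName="$(string.AUBlockers)" />
  </categories>
  <policies>
    <!-- The key is outside Software\Policies, so the editor shows this as a "preference":
         the "Only show policy settings that can be fully managed" filter must be cleared
         to see it, exactly as in step 5 of the ADM-based procedure above. -->
    <policy name="DoNotAllowIE70" class="Machine"
            displayName="$(string.DoNotAllowIE70)"
            explainText="$(string.DoNotAllowIE70_Explain)"
            key="Software\Microsoft\Internet Explorer\Setup\7.0"
            valueName="DoNotAllowIE70">
      <parentCategory ref="AUBlockers" />
      <supportedOn ref="SUPPORTED_IE7Block" />
      <!-- Enabled writes REG_DWORD 1 (block); Disabled writes 0; Not Configured leaves it alone -->
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>

<?xml version="1.0" encoding="utf-8"?>
<!-- File 2 of 2: en-US\IE7Block.adml (constructed example). One ADML per language folder;
     a de-DE\IE7Block.adml with German strings would serve the very same ADMX. -->
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                           revision="1.0" schemaVersion="1.0">
  <displayName>IE7 Automatic Updates blocker</displayName>
  <description>Prevents Automatic Updates from offering Internet Explorer 7.</description>
  <resources>
    <stringTable>
      <!-- ids must match the $(string.*) references in the ADMX -->
      <string id="AUBlockers">Automatic Updates Blockers</string>
      <string id="SUPPORTED_IE7Block">Windows XP SP2 and later, with Automatic Updates enabled</string>
      <string id="DoNotAllowIE70">Do not allow delivery of Internet Explorer 7 through Automatic Updates</string>
      <string id="DoNotAllowIE70_Explain">If you enable this setting, Automatic Updates will not offer Internet Explorer 7 to this computer, and a Custom scan on Windows Update will not allow it to be installed. Users with local administrator rights can still run the standalone IE7 installer themselves.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
```

Dropping the ADMX into the central store and the ADML into its language subfolder is enough for a Vista editor to show the setting; nothing is copied into each GPO's GPT.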

You have probably heard that there are all kinds of new policy settings available to manage aspects of your Vista machines. Some of the most important classes are those for Power Management, Device Installation and Removable Storage. All of these are areas you may want to control centrally to manage costs (by reducing wasted power consumption) and business risk (reducing the ability of Joe from Sales to take the whole customer database with him on a USB thumbdrive when he leaves). Printer management and IE configuration have also both been made easier with GP for Vista. There's much more information on the MS website about these new Group Policy categories.

Other things which have changed in Vista Group Policy processing include:

  • the fact that the whole process now runs as an independent service
  • you can have multiple Local Group Policies (yes - policy local admins differently from your normal users at last!)
  • much better handling of connection status through "network location awareness" - slow link determination, or updating GP when a VPN is connected or a machine returns from hibernation for example

If you want to know more, get it straight from the horse's mouth by watching this 42-minute webcast:

Program Manager Mark Lawrence discusses the Group Policy improvements in Windows Vista 

(Live ID / Passport required to register)

One last thing for this edition while we're on the subject of Vista - your WSUS server won't get updates for Vista Beta editions without being configured to do so. Microsoft's recommendation is to configure a separate WSUS server (which must have WSUS SP1) just for your Vista Beta machines to update from, and configure this to fetch the updates from the MS Beta Update Server.

Configuration is straightforward, simply by running a VBS script which is already on the WSUS server from a command prompt:

cscript.exe "%programfiles%\update services\tools\ToggleMUUrl.vbs" beta

You can revert to the normal update server by repeating this command without the 'beta' on the end, but as already mentioned, you really ought to be doing this on a dedicated box anyway, and remove / reinstall WSUS completely once your Beta phase is over. More info here.    

What other GP goodies are there out now for upcoming products?

Just a couple of quickies about other upcoming bits of software which you may want to begin testing, and how this impacts on your GP world.

Firstly, Office 2007 brings with it a whole bunch of changes to the way it is deployed and of course more GP settings to control it. Significantly, to deploy from a central administrative install using GPSI you only need to point at the main MSI file and this will detect that this is being called by GP and go off to get all the MSI files it needs from the install point.

There is no longer one single huge all-in-one "office.msi", in other words. Another big change for GP fans is that Outlook 2007 security can now be configured through regular Group Policies rather than having to configure a security template and publish this via the Exchange server. You can still do it the old way if you prefer, but for new installs a pure-GP method makes good sense. More about configuring security for Outlook 2007.

Of course, to manage Group Policy for Office 2007 you need to get the ADM files which are found in the Office 2007 Resource Kit here. (NB: this link only works if you are a registered Office 2007 Beta user, ie you installed the Beta, ran one of the apps and registered the product)

Exchange 2007 Beta can be run on 32-bit systems, although the final release code will only work on 64-bit and you won't get support if you put your production environment on the 32-bit version. However, for either platform you need to be running MMC version 3 (which we talked about in Newsletter 18) as well as .NET 2.0. Read more about MMC 3.0 here and download the version you need before you try to install the Beta. Click here to view the full system requirements for Exchange 2007 Beta 2.

How do I know what settings are available in each Windows version?

A particularly common question, along with its cousin "where do I find the setting to do 'X'?" Periodically, MS issue a complete spreadsheet of all the Group Policy settings, along with the text you see on the Explain tab to help work out what each does, and a column showing what the requirements are (in other words, which OS version and other things are needed to make the setting work). You can filter the list easily on these columns, and use the usual Find feature (CTRL-F) to search for particular text.

The latest version of the Group Policy Settings file is up to date to Vista Release Candidate 1. If you are using Vista Beta 2 some of these settings do not apply, and you should check the Vista Beta2 GP settings instead, although the file is a lot less detailed. The older file for versions of Windows up to 2003 sp1 / XP sp2 is still useful if you are not moving to Vista just yet, as it shows which ADM files you will find the settings in.  

That's all the space we have for tips in this issue. Please continue to submit your own tips or links to useful information in the GPanswers.com forums.




Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course? (It's true!) Online, we have a new-ish "Group Policy 'Rightsize' Tool" which helps you decide the best course to take for your situation. We have both PRIVATE and PUBLIC classes. Again, use the Rightsize tool to get a total understanding of your options.

Upcoming Public Classes, Appearances and Conferences

Public Two-Day Workshops for the Remainder of 2006:

  • Oct 12-13: Phoenix, AZ -- FULL ! (Come to Portland, Dallas or Seattle)
  • Oct 23-24: Portland, OR -- 11 seats left ! (Special note: No laptop required for this course. Leave your laptop at home if you want!)
  • Oct 30-31: Dallas, TX-- Lots of seats left
  • Nov 21-22: Seattle, WA -- Lots of seats left

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: https://www.gpanswers.com/workshop

(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan - or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/

For a private class, just contact me at [email protected] or call me at 302-351-8408.

Free Education with Moskowitz / Microsoft / Techtarget / Dell Roadshow

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools!

The roadshow is still rolling until November, so there’s a good chance we’ll be near you soon! Check it out and sign up here.

Upcoming Conferences

  • TechMentor: Oct 9-13 in Las Vegas. I'll be speaking on Win/Lin integration topics. All sorts of other good stuff. Check it out here. Use promotion code 'moskowitz' when signing up.
  • WinConnections: Nov 6-9 in Las Vegas. I'll be doing a pre-con on Group Policy, then some regular sessions on locking down computers, some awesome tips on Group Policy tools, and how to integrate Windows and Linux into Active Directory. Check it out here.

Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available! 


Thanks for reading!

Jul 2006
21

Issue#19

Newsletter 19: The File Server Migration Toolkit In this issue:

  • It's Issue 19
  • GPanswers.com updates
  • Moskowitz, inc. Technology Takeaway (r)
    • "Deep Dive" into the File Server Migration Toolkit
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
    • Classes and seminars
  • Welcome new sponsors
  • Free Education!
  • Subscribe, unsubscribe, and usage information

This issue, we've got another "big article". It's about the File Server Migration Toolkit. Why should you care? How is it related to Group Policy? Ah the suspense ! So, without further ado!


This Month's Newsletter Sponsored by NetIQ

Learn how to leverage Group Policy’s capabilities to secure and manage your desktop. Moderated by Active Directory guru Jeremy Moskowitz, this information-packed Webcast will show you how business objectives can be paired with Group Policy settings for a more secure and managed environment. Sign up today for the live webcast on July 27th.


GPanswers.com News

Announcing 1-day Advanced Group Policy Course

Have you already taken the two-day or three-day workshop? Are you looking to get "more" of what you already love? Then check out our one-day Advanced Group Policy course. We cover four big topics:    

  • How to create a “totally locked down” workstation
  • How to use Group Policy tools to increase your troubleshooting ability
  • How to zap registry punches down to your client machines with ADM templates and tools
  • How to leverage a test lab for good Group Policy deployment practices

It's a one-day hands-on course. Right now, it's only available as a private class. So, if you want me on site, you can add this on to your two- or three-day workshop class -- or just have me come by for the day!

New "Rightsizing Tool" for GPanswers.com Training

I'll talk about this a little later in the newsletter. But I haven't always done a good job making it easy to decide which Group Policy class is ideal for each person or organization. Now, online, I have a new “Group Policy ‘Rightsize’ Tool” which helps you decide the best course to take for your situation. Check it out here.

New "At a glance view" of newsletter archives...

People were telling me it was hard to know what was in each previous newsletter. Too much to read to find out. Well, now at www.GPanswers.com/newsletter you'll see an at-a-glance view of all our old archives. Just find the newsletter you want -- and enjoy!

In case you didn't get the memo...

Free gift to anyone who has ever taken a GPanswers two-day or three-day Group Policy workshop (where either James or I was the instructor).

It's about time I said thanks. So, thanks!

Here's the deal: the gift is free, the shipping isn't. Sorry, I'm a small business, and that's the breaks.

Shipping for your free gift is only $5, though.

And if you hate the gift, I’ll cheerfully refund your $5 and you can keep the gift. Really! (I sound like Ron Popeil, don’t I?)

Here's the fine print:

  • Shipping for the gift is a flat $5
  • We can accept Paypal or credit card for shipping
  • US residents only
  • If you can remember, please specify which public class or private class you attended (location and approximate month and year).

Note, that if you like the gift, but have never taken the two-day or three-day class, you can get one for a whole $12 (including shipping). Gifts ship right away.

Technology Takeaway (r), a Service of Moskowitz, inc. -- All About the File Server Migration Toolkit

Admit it. You've got 'em. Windows NT and Windows 2000 file servers that you just can't seem to shake. You know you want to get your file servers updated to Windows 2003/SP1 or Windows 2003/R2. And, we both know why you're not there yet: users are using UNC paths to point to shares on these file servers. And you know that if you move the data from the original servers to the new servers, all those users with UNC paths pointing to those shares are going to call the help desk (then the help desk is going to hunt you down, and you'll have to go into hiding.)

Or how about this sticky Group Policy problem: you got started using Group Policy Software Installation, and serving your installations using one file server. Now you have 50 GPOs deploying applications to your Windows XP and Windows 2000 machines. But, oops! You're ready to turn off that original file server.

But you can't.

Those 50 GPOs are depending on it.

What are you going to do?

A typical environment where files and software are originally being deployed from a Windows 2000 file server and/or Windows NT files is seen below.

Figure 1: You're currently depending on NT 4 and Windows 2000 file servers (aren't you?)

So just turning off these servers isn't an option, and just copying the data to new shares on a new server isn't an option. So what are you going to do? The good news is that there's a solution to these two tales of woe. Microsoft has a cool tool to help you take control of your old file servers and bring the data into the 21st century, seamlessly.

Enter the File Server Migration Toolkit . . .

The File Server Migration Toolkit, or FSMT, is a free download available here. The FSMT consists of three parts:

  • DFS Consolidation Root Wizard: This is another GUI tool which works some serious magic. It allows you to maintain the original UNC paths of the servers, even if you’re planning on ultimately turning those servers off.
  • DFSconsolidate.exe: This is a command line tool which is called by the DFS Consolidation Wizard. While it’s possible to use this tool on its own, we’re only going to explore its use in conjunction with the DFS Consolidation Root Wizard.
  • File Server Migration Wizard: This is a GUI tool which helps you plan your migration from the source servers to the target servers. Then, it actually performs the copy of the original files to the target destination. We’ll explore this a bit later.

Understanding Our Goals . . .

The first thing to know is where to start. You need to pick a source server (where the files are currently stored) and a target server (where you will migrate the files to). Let's work through an example to help us understand where we are and where we're going.

Our Before Picture: You can see this in Figure 1. We have an NT 4.0 file server (nt04) with three shares containing user data. We have a Windows 2000 server (w2k) with one share used to deploy software. Let's take a closer look at what's happening in our world. Our Windows XP machine needs access to the following:

    • \\nt04\ntshare1
    • \\nt04\ntshare3
    • \\w2k\software

Our Windows 2000 machine needs access to these servers and shares:

    • \\w2k\software
    • \\nt04\ntshare2

Now, let’s introduce our target file server, fileserver6, whose job it will be to receive these shares and requests.

Our After Picture: The goal is to consolidate these existing shares onto fileserver6 and turn off the Windows 2000 and NT 4 servers. We need to perform this task in a way which preserves the original paths of each of the aforementioned shares. Yes, you read that right. We want to be able to access the data that’s currently on the computers we’re turning off as if they were still turned on. Oh, and of course, you want to make sure security is preserved all along the way.

Figure 2: Our goal is to turn off the NT 4 and Windows 2000 file servers but allow access to all data using the original server names (even though those computers are off)

Here, in Figure 3 we can see our Windows XP machine accessing a directory of files on both the \\nt04\ntshare1 and \\nt04\ntshare3 shares. The goal is for this Windows XP machine to continue to perform the same commands, using the same UNC paths, after we move the files and turn the original file servers off.

Figure 3: Here, our Windows XP machine is viewing files via UNC paths

To get to our promised land, we'll leverage a part of Windows that has been around for a while, but still isn't in widespread use: the Distributed File System, or DFS. DFS's goal is to accept incoming connections and route them to existing shares (this is sometimes called referrals). You might say it's like a "share of other shares" because it allows you to basically "hang" existing shares off a new DFS share, or, more technically, the "DFS root". There are two kinds of DFS roots: standard and domain-based (sometimes called an Enterprise root). Standard roots only live on one server. Enterprise roots live at the domain level, which means that they're fault tolerant. If one server that's part of the DFS referrals goes down, no problem, referrals just keep on truckin'. Learn more about DFS (which is substantially different in Windows Server 2003 than in Windows Server 2003 / R2) by reading more at the following link.

Here's the roadmap to get to your destination:

  • You'll determine where you want to stash your new files. In our example we're going to be using fileserver6.demo.com.
  • You'll rename any file servers you plan on permanently retiring. Since you're retiring them anyway, it doesn't really matter much what the name becomes.
  • We'll be renaming our nt04 server to nt04-ret to signify that it's retired. Same goes for w2k to w2k-ret. Then, finally, when we're all done, we'll be turning off this server permanently.
  • We'll use the DFS Root Consolidation Wizard to basically "reroute" new incoming requests for the retiring servers (nt04 and w2k) to the new location (fileserver6). Note that I could use two separate servers in my migration example; that is, one server to hold the DFS roots and another to hold the files. However, to keep things simple, I'll use fileserver6 for both roles.
  • We'll actually move the files we need from the shares on our old servers to our new location on fileserver6.

So let's do it!

Getting Started with the FSMT and DFS Consolidation Wizard

The FSMT comes as a single MSI but, as stated, has three separate components. The File Server Migration Wizard is meant to be run directly on the target file server. However, the DFS Consolidation Root Wizard and the Dfsconsolidate.exe command-line tool can be run anywhere; you can run them on the target server or not.

Note that the FSMT documentation makes special mention of MSKB article 829885, which describes a DFS hotfix. The implication is that this hotfix must be loaded on the target DFS server. However, the hotfix is built into Windows Server 2003 SP1 and isn't needed when the target server is running Windows Server 2003 SP1 (in my case, fileserver6). What the FSMT documentation doesn't tell you is one critical step: be sure the DFS service is started and set to Automatic so it comes back after future restarts.

After the FSMT is loaded, as I mentioned earlier, we must change the name of NT04 server to nt04-ret and the name of w2k to w2k-ret (or something else that's meaningful to you). The reason why we must change the name is so that when clients try to connect to nt04 or w2k neither actually exists anymore. And, we'll be able to fool those incoming requests to nt04 or w2k into shimmying over to the new place on fileserver6.

In my tests, renaming an NT4 server wasn't as easy as I would have liked. Simply renaming it doesn't magically change the name in Active Directory (as it would if I renamed a Windows Server 2003 or Windows XP machine). I had to drop the machine into a workgroup, rename the machine, and rejoin the domain (demo.com). And, of course, along the way several reboots were required. Finally, I had to delete an orphaned computer account for NT4 using Active Directory Users and Computers. In contrast, renaming the Windows 2000 server was a snap. Just rename and reboot -- easy. No muss, no fuss.

Now that my NT4 server and Windows 2000 servers are renamed, I'm ready to run the DFS Root Consolidation Wizard. The Wizard is pretty straightforward, asking only a minimum of information:

  • DFS root server: This is the location where the DFS root will be held. In DFS terms, this will be a "standard root," which exists solely on the server you specify. Note that the root cannot be on a Domain Controller. In my example, I'm choosing to put the DFS root on the same server where the files will ultimately go: fileserver6. However, you can create the root on a server cluster if you want to increase the redundancy of the stand-alone root.
  • Local path of the folder: This is the top-level directory where you want to store each migrated server. If we were migrating 10 servers, you would expect 10 subdirectories underneath this top-level directory, each named for a migrated server. For my example, I'm choosing c:\migservers.
  • Specify which servers to consolidate (as seen in Figure 4): Here, you'll map each original name to its current name. We're migrating two servers (original name nt04, current name nt04-ret; original name w2k, current name w2k-ret), so we'll have two mappings in the list.

Figure 4: The "DFS Consolidation Root Wizard" helps you map renamed servers to original names

If the Wizard finishes without errors, you've completed the first big step. Now, before you do anything else, take a moment to check something out: go back to your Windows XP machine (see the earlier figure) and run those exact same dir commands that access the shares \\nt04\ntshare1 and \\nt04\ntshare3. Without rebooting the Windows XP machine (or logging off and back on), those same dir commands just continue to work! This is because the DFS Root Consolidation Wizard has now mapped nt04 to nt04-ret, so all the shares reached via UNC paths still work.

And, let's take a quick second to see what really happened in the c:\migservers folder on fileserver6. Below, you can see it created two subdirectories, which are each shared, and which contain another subdirectory for each server's original share.

Figure 5: The DFS Consolidation Root Wizard created a new share representing the old server

However, using Explorer locally and drilling down to one of the directories, say, ntshare1, will get you an error. This is because a DFS link only points to the right (new) location when using a remote referral (not a local one). Also note that each server is now represented by a share, #servername, such as #NT04, seen above. This was created by the DFS Consolidation Wizard.
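The post-consolidation check described above (the DFS service running and set to Automatic, then the old UNC paths still answering from a client) can be scripted. The following PowerShell is an added example, not part of the newsletter or of the FSMT; it assumes the article's example names (fileserver6, nt04, ntshare1, ntshare3) and the Windows Server 2003 service name Dfs, and it deliberately refuses to run on the root server itself because, as noted above, a local lookup of the consolidated root does not follow the referral.

```powershell
# Added example (not from the newsletter): verify, from a remote client, that the
# original UNC paths still resolve after the DFS Root Consolidation Wizard has run.
# Server and share names are the article's examples; adjust to your own.

$OldPaths = @('\\nt04\ntshare1', '\\nt04\ntshare3')   # constructed list of pre-migration UNC paths
$DfsHost  = 'fileserver6'                             # server holding the stand-alone DFS root

# The DFS service must be running and set to Automatic on the root server
# (a step the FSMT docs omit). Service name 'Dfs' is assumed for Windows Server 2003.
$svc = Get-WmiObject Win32_Service -ComputerName $DfsHost -Filter "Name='Dfs'"
if ($svc -eq $null) {
    Write-Warning "DFS service not found on $DfsHost"
} elseif ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
    Write-Warning ("DFS on {0} is {1} with StartMode {2}; fix this before testing referrals" -f $DfsHost, $svc.State, $svc.StartMode)
}

# A local lookup on the root server does not follow the referral, so results there mislead.
if ($env:COMPUTERNAME -ieq $DfsHost) {
    throw "Run this from a client machine, not from $DfsHost"
}

foreach ($p in $OldPaths) {
    if (Test-Path -LiteralPath $p) {
        # Count what the client can actually see through the referral, not just that the path exists
        $n = @(Get-ChildItem -LiteralPath $p -Force -ErrorAction SilentlyContinue).Count
        Write-Host ("OK    {0}  ({1} items visible)" -f $p, $n)
    } else {
        Write-Host ("FAIL  {0}  (no referral, or target not reachable)" -f $p)
    }
}
```

Run it under an account that had access to the original shares; a FAIL for a path that worked before the wizard ran points at the DFS service or the root-to-server mapping, while an OK with zero items visible usually means permissions rather than referrals.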

It is possible to use the DFS Consolidation Wizard if your shares are on Domain Controllers. However, the same rule applies for Domain Controllers as for regular file servers. That is, the server (Domain Controller) must also be renamed. And unfortunately this can be a pain in the neck. Microsoft does have some Domain Controller renaming guidance:

  • For NT 4.0 Domain Controllers, see MSKB 150298
  • For Windows 2000 Domain Controllers, see MSKB 296592
  • And, even though it's easier still with Windows Server 2003, there's some guidance at MSKB 325354.

There is one piece of magic that the DFS Consolidation Wizard cannot directly help with: hard-coded, persistent mappings. If someone has used the /persistent flag with the net use command to map a drive letter (or the corresponding Explorer option), those mappings will now fail. But if you're using logon scripts to map the drive letters each and every time a user logs in, no problem! That's because every time a request goes to the old server name, a new lookup against the DFS root is generated and routed appropriately.
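Persistent mappings made with net use /persistent (or Explorer's reconnect option) are recorded per user under HKCU\Network, one subkey per drive letter with a RemotePath value, so they can be found before the old names go dark. This PowerShell audit is an added example and not part of the newsletter or the FSMT; it assumes the article's retiring server names nt04 and w2k and must run in each user's own context (a logon script is the natural place), since HKCU is that user's hive.

```powershell
# Added example (not from the newsletter): report persistent drive mappings that
# point at servers about to be retired. Server names are the article's examples.

$RetiringServers = @('nt04', 'w2k')

function Get-PersistentMappingsTo {
    param([string[]]$Servers)
    $hits = @()
    # Persistent (reconnect-at-logon) mappings live under HKCU\Network\<DriveLetter>
    if (-not (Test-Path 'HKCU:\Network')) { return $hits }
    foreach ($key in Get-ChildItem 'HKCU:\Network') {
        $remote = (Get-ItemProperty -Path $key.PSPath -Name RemotePath -ErrorAction SilentlyContinue).RemotePath
        if (-not $remote) { continue }
        # RemotePath is \\server\share; isolate the server part
        $server = (($remote -replace '^\\\\', '') -split '\\')[0]
        if ($Servers -contains $server) {      # -contains is case-insensitive
            $hits += New-Object PSObject -Property @{
                Drive      = $key.PSChildName
                RemotePath = $remote
                User       = $env:USERNAME
                Computer   = $env:COMPUTERNAME
            }
        }
    }
    return $hits
}

$found = Get-PersistentMappingsTo -Servers $RetiringServers
if ($found.Count -eq 0) {
    Write-Host ("No persistent mappings to {0} for {1}" -f ($RetiringServers -join ', '), $env:USERNAME)
} else {
    # Each row is a mapping that will break once the old name no longer resolves;
    # replace it with a logon-script mapping, which is re-resolved through DFS every time.
    $found | Format-Table Computer, User, Drive, RemotePath -AutoSize
}
```

Collecting this output centrally (for example by appending it to a share) before the rename step gives you the list of users who need their mapping converted to a logon-script mapping rather than discovering them one help-desk call at a time.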

Actually Migrating the files

To actually migrate the files, you create a project contained within the File Server Migration Wizard (FSMW), which appears as an icon on the Start menu. The beginning steps are rather straightforward: create a new project, point the File Server Migration Wizard toward the new DFS consolidation point you created earlier (fileserver6), and watch it recognize the servers, as seen in Figure 6.

Figure 6: The File Migration Wizard should recognize your servers after you consolidate them using the DFS Consolidation Wizard

Then, you can tell the FSMW which directory you want to plunk the new files in. I chose a new directory on fileserver6 called c:\migfiles.

A quick note on what is and is not copied. Of course the files themselves are copied. But the FSMW also copies both NTFS and shared folder permissions. What aren't copied are references to local groups. If local groups have permissions on the source's shared folders, you can use the Resource Kit tool SubInACL.exe to adjust the permissions before or after the migration to replace the local groups, or you can use a local group migration tool like the Active Directory Migration Tool (located here).
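Because local-group references are the one thing the FSMW drops, it pays to find them before the copy and to compare the ACLs afterwards. The PowerShell below is an added example, not the newsletter's or the toolkit's own code; it assumes the renamed source server nt04-ret with share ntshare1, and a target folder layout under c:\migfiles on fileserver6 that mirrors the share name (an assumption; use whatever the wizard actually created). Local principals show up as BUILTIN\name or as the machine's own name followed by a backslash, which is what the audit looks for.

```powershell
# Added example (not from the newsletter): audit source ACLs for local-group ACEs
# (which the FSMW does not carry over) and compare source vs target ACLs afterwards.

function Get-LocalGroupAces {
    param([string]$Path, [string]$SourceServer)
    # Walk the share; report every ACE whose identity is a machine-local principal
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # Domain principals read DOMAIN\name; local ones read BUILTIN\name or SERVER\name
            if ($id -like 'BUILTIN\*' -or $id -like ($SourceServer + '\*')) {
                New-Object PSObject -Property @{
                    Path = $item.FullName; Identity = $id
                    Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
                }
            }
        }
    }
}

function Compare-FolderAcl {
    param([string]$Source, [string]$Target)
    # Flatten each ACE to a string so Compare-Object can diff the two sets.
    # Inherited ACEs are skipped: they come from the target's parent, not from the copy.
    $flatten = { if (-not $_.IsInherited) { '{0}|{1}|{2}' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType } }
    $s = @((Get-Acl -LiteralPath $Source).Access | ForEach-Object $flatten)
    $t = @((Get-Acl -LiteralPath $Target).Access | ForEach-Object $flatten)
    # SideIndicator '<=' means present only on the source (dropped), '=>' only on the target (added)
    Compare-Object -ReferenceObject $s -DifferenceObject $t
}

# Before migration: which ACEs on the old share reference local groups?
Get-LocalGroupAces -Path '\\nt04-ret\ntshare1' -SourceServer 'NT04-RET' | Format-Table Identity, Rights, Type, Path -AutoSize

# After migration: did the explicit ACEs survive the copy? (target path is an assumed layout)
Compare-FolderAcl -Source '\\nt04-ret\ntshare1' -Target '\\fileserver6\c$\migfiles\ntshare1'
```

Any row the first function prints is an entry to remap with SubInACL.exe or ADMT before users are cut over; any '<=' line from the second is an ACE that existed on the source but is missing on the target and needs a second look before Finalize locks the project.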

When the project is formed, you then have the ability to make any micro-adjustments you might need (as seen in the circled area on the right of Figure 7). For instance, you might want to put the contents of ntshare1 in a directory named "Sales stuff" instead of ntshare1. This might boggle the minds of your users, but you may have a valid reason.

Figure 7: You can change settings for each share if desired, then click Continue to step through the rest of the Migration.

Finally, you can just step through the rest of the process by clicking on the Continue button, circled above at the bottom of Figure 7. The process is painless, but could take a (long) while depending on just how many servers you are consolidating. For lots and lots of servers, consider breaking up the effort into multiple "projects" to allow for some settling-in time and attention to errors. If there are errors during the copying you'll have the ability to fix the errors and retry. A nice touch is that the target servers are still available during the copying phase. In other words, there's no server downtime from the copying of files from the source server to the target server. Additionally, because it's possible to repeat this phase multiple times to fix errors, another nice touch is that only failed copy attempts are retried. You don't need to copy the whole universe again if you've already copied 90% of it.

The last phase is called Finalize. This phase should really only be done when users won't be accessing the servers. That's because in this phase, you'll disable any original access to the source shares and close any open connections. Additionally, all other project settings are locked.

At this point, you're ready for your final test. Unplug the network connections from the original servers. Then, like we did with our Windows XP machine, make sure you can get to the copied servers using the original UNC path names.

Once you're satisfied that you can get to the copied data using the original UNC paths, you can turn off your old servers, recycle them, reformat them and redeploy them for another purpose, or make a fish tank out of them (or any another arts and crafts project you'd like).

The Future of the File Server Migration TOOLKIT?

The FSMT is a great tool which gets the job done. However, there are some small nitpicky points that I'd love to see addressed going forward.

As stated, the FSMT uses what's called "stand-alone" DFS roots to do the job. In other words, it puts the DFS root on one specific server. Sure, in my example, I used fileserver6 both for the storage of the stand-alone DFS root and as the ultimate storage point for my migrated files. However, I could have also split the duty between file servers. That is, one server could house the DFS root, and another server could hold the data. So, what would happen today if the server holding the DFS root went offline? That would be a major problem, because there would be no way to route to the new file server(s). The ideal solution would be to use the more powerful domain-based roots, which are fault-tolerant. Then if the one server holding the DFS roots should fail, the fault-tolerant nature of domain-based DFS would kick in. Today, FSMW doesn't use domain-based, fault-tolerant roots, but I really wish it did. Again, as I mentioned earlier, a workaround would be to put the stand-alone root on a set of clustered servers. If one server went down, referrals would continue. The FSMT product team tells me that all parts of FSMT are fully cluster aware and compatible: it will create cluster consolidation DFS roots and add cluster names instead of DNS aliases if roots are hosted on a cluster. So, nice touch.

Another problem is that you simply must rename the servers to do any of the redirecting magic. I would love to keep the server name intact and just redirect a specific share. This would allow me to keep using the server for whatever else it's doing, but migrate only the specific shares I want to. To do this, we would need symbolic links within the original share that would route us to the new goal. But right now, Windows Server 2003 isn't quite there. Perhaps with Longhorn server.

The last note here is that you’re not actually forced to turn off servers you’ve migrated from. You can, if you so choose, keep the server online performing other roles. The problem is that it might be a challenge having other network services and clients find the newly renamed machine. DFS is some pretty strong magic, but it’s only for files; lots of other services won’t be able to magically find the newly renamed server.  

The FSMT is a cool tool, which works as advertised. And the price is right—free. It should be noted that as good as the tool is, it’s not meant to be a permanent solution. The help file notes that these consolidated DFS roots shouldn’t be maintained forever. The idea is that over time you’ll properly design your DFS, point users toward the new, updated structure, and then phase out the roots you created with the DFS Consolidation Wizard.  

Hopefully this will get you out of some tough jams, and into your 21st century file servers. Other FSMT resources:

  • Newsgroup support
    • You can use the microsoft.public.windows.server.migration newsgroup to ask questions about the File Server Migration Toolkit.
  • The FSMT Solutions accelerator (additional guidance)

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here. Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course. (It's true!)

And, historically, I haven’t done such a hot job in making it obvious what your available options are for public and private training. So, here’s the executive summary. Online, we have a new “Group Policy ‘Rightsize’ Tool” which helps you decide the best course to take for your situation.

Two-day intensive Group Policy workshop class

  • This course is best for Domain Administrators and qualified OU administrators.
  • This course has “intensive” in the name, so be prepared to work and learn!
  • This class is available as a private two-day course.
  • This class is available as a public two-day course.
  • Consider adding the One-Day Advanced course (below) as a third-day (if taking as a private two-day)

Three-day “Less Intensive” Active Directory warm-up and Group Policy workshop class

  • This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions.
  • Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.
  • This class caters more to OU administrators (than Domain Administrators)
  • This "Three-day less-intensive" course is ONLY available as a private course.
  • Consider adding the One-Day Advanced course (below) as a fourth day

One-day Group Policy “advanced” class

  • This class is a great “add-on” after your two-day or three-day Group Policy class. We cover four big concepts in this class:
    • How to create a “totally locked down” workstation
    • How to use Group Policy tools to increase your troubleshooting ability
    • How to zap registry punches down to your client machines with ADM templates and tools
    • How to leverage a test lab for good Group Policy deployment practices
  • This class is only available as a private course. Consider adding it to your two-day or three-day private course as an additional day.
  • It is suggested (though not required) that students attend either the two-day intensive or three-day less-intensive Group Policy workshop classes before this one.

Upcoming Classes, Appearances and Conferences

Public Two-Day Workshops for the Remainder of 2006:

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Free Education with Moskowitz / Microsoft / Techtarget / Dell Roadshow

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools! Did I mention this is 19 cities?? So, there’s a good chance we’ll be near you soon! Check it out and sign up here.

Upcoming Conferences

  • TechMentor: Sep 25-29 in Las Vegas. I'll be speaking on Win/Lin integration topics. All sorts of other good stuff. Check it out here. Use promotion code 'moskowitz' when signing up.
  • WinConnections: Nov 6-9 in Las Vegas. I'll be doing a pre-con on Group Policy, then some regular sessions on locking down computers, some awesome tips on Group Policy tools, and how to integrate Windows and Linux into Active Directory. Check it out here.

Welcome New Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before! Recently we've added:

  • NetIQ: Group Policy Administrator
  • Smartline: Devicelock

So, head on over to the Solutions Guide and see what other goodies are available!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Mark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jun 2006
09

Issue#18

Newsletter 18: Grab Bag and Major Announcements In this issue:

  • It's Issue 18
  • Free Giveaway!
  • Moskowitz, inc. Technology Takeaway (r)
    • Three juicy tips
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
    • Classes and seminars
  • Free Education!
  • Welcome Mark!
  • Subscribe, unsubscribe, and usage information

This month, there’s a lot of stuff to talk about. (This is where you ask me, “Jeremy, in which month isn’t there a lot of stuff to talk about?”) Last month, I asked you which newsletter format you liked most: small tips, one large tip, or a mix. The mix wins it! So, since I’ve had several “one large tip” emails in the last few newsletters, this one is a gaggle of small tips. Gotta mix it up.

Quick TechEd Notes

A quick note for those of you who are going to TechEd: I'll be speaking on Windows & Linux Integration (session SVR211), Monday 1.30 PM in Room "156 ABC". Hope to see you there! Even though I'm not speaking on Group Policy stuff, doesn't mean there aren't some great talks! Be sure to check out the following GP related talks:

  • Mark Williams (GP Team @ Microsoft):
    • MGT310 Group Policy: What's New in Windows Vista Wednesday, June 14 2:00 PM - 3:15 PM, 210 ABC
    • MGT310R Group Policy: What's New in Windows Vista (Repeat Session) Friday, June 16 1:00 PM - 2:15 PM, 259 AB
  • Emily Hill, George Roussos
    • CLITLC09 Group Policies in Windows Vista to Control Devices and Drivers Friday, June 16 2:45 PM - 4:00 PM, CLI/MGT/SEC/SVR Theater 2
  • Derek Melber (DesktopStandard and all-around smart GPO-meister):
    • MGT425 Troubleshooting Group Policy Friday, June 16 10:45 AM - 12:00 PM, Grand Ballroom A

So, without further ado!


This Month's Newsletter Sponsored by Centrify

Now you can use Group Policy to manage Mac desktops just as you do Windows.

Centrify DirectControl not only delivers Active Directory-based single sign-on and access control for Mac OS X, but it is also the only solution that enables IT managers to centrally secure and configure Macs via Group Policy. Use GP to require screensaver password locks, lock down system sharing and firewall preferences, and centrally configure other security settings. Request an evaluation of DirectControl for Mac OS X today.



Announcement From the Better Late Than Never/Use Your Manners Department:

Free gift to anyone who has ever taken a GPanswers two-day or three-day Group Policy workshop (where either James or I was the instructor).

It’s about time I said thanks. So, thanks!

Here’s the deal: the gift is free, the shipping isn’t. Sorry, I’m a small business, and that’s the breaks.

Shipping for your free gift is only $5, though.

And if you hate the gift, I’ll cheerfully refund your $5 and you can keep the gift. Really! (I sound like Ron Popeil, don’t I?) Here’s the fine print:

  • Shipping for the gift is a flat $5
  • We can accept Paypal or credit card for shipping
  • US residents only
  • If you can remember, please specify which public class or private class you attended (location and approximate month and year).

Note, that if you like the gift, but have never taken the two-day or three-day class, you can get one for a whole $12 (including shipping).

It may take a little while for you to get the gifts (like a week or two.. but rest assured, they'll get there.)  

Technology Takeaway (r), a Service of Moskowitz, inc.

Tip 1: How to troubleshoot a machine that claims it cannot find a Domain Controller.

(This tip comes to us courtesy of Dan Holme from Intelliem.com.) Two computers out of the 1000+ systems in our central site had these "Event 1054" errors. Unfortunately, these two systems were mission-critical systems. And, most interesting of all, there were NO OTHER VAGUELY RELATED ERRORS OF ANY KIND, visible or logged, on these systems. They just weren't getting policy correctly (everything else was fine).

I said to myself, “Self, if they’re having these errors there must be something insidious going on.”

Here is a screenshot of the 1054 error on the machine:

[Screenshot: the Event 1054 error as logged on the machine]

After MUCH back-and-forth testing, we discovered the source of the problem: LINK NEGOTIATION! The switch between these systems and the DCs had one tiny little misconfiguration, and these particular systems weren't "discovering" quickly enough what kind of network link they should have. So, in a final test, I hard-coded the NICs to 100/Full.

And the errors vanished like . . . well, something that vanishes.

Thanks again Dan Holme from Intelliem.com for this cool, simple troubleshooting tip!!
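When a machine logs Event 1054 with nothing else wrong, the three things worth checking first are the events themselves, what the DC locator is handing back, and the link the NIC actually negotiated. The PowerShell below gathers all three on the affected machine; it is an added example, not part of Dan's tip or the newsletter, and it assumes the article's domain name demo.com, that nltest.exe (from the Support Tools) is on the path, and that Userenv writes its 1054 events to the Application log, as it does on Windows XP and Server 2003.

```powershell
# Added example (not from the newsletter): triage "Event 1054 / cannot find a DC"
# on the affected client. Domain name is the article's example.

$Domain = 'demo.com'

function Get-Userenv1054 {
    param([int]$Days = 7)
    # Userenv events land in the Application log on XP / Server 2003
    Get-EventLog -LogName Application -Source Userenv -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1054 } |
        Select-Object TimeGenerated, Message
}

function Test-DcLocator {
    param([string]$DomainName)
    # Ask the locator which DC this machine would use, then ping it (nltest.exe is assumed present)
    $out = (& nltest /dsgetdc:$DomainName 2>&1) -join "`n"
    if ($out -match 'DC:\s*\\\\(\S+)') {
        $dc = $Matches[1]
        $reachable = Test-Connection -ComputerName $dc -Count 2 -Quiet
        New-Object PSObject -Property @{ DC = $dc; Reachable = $reachable; Raw = $out }
    } else {
        New-Object PSObject -Property @{ DC = $null; Reachable = $false; Raw = $out }
    }
}

function Get-LinkSpeed {
    # Connected adapters only (NetConnectionStatus 2). Speed is bits/s; a 10 Mb/s or
    # absent value on a port you expect to be 100/Full points at negotiation trouble.
    Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionStatus=2" |
        Select-Object Name, MACAddress, @{ n = 'SpeedMbps'; e = { if ($_.Speed) { [int]($_.Speed / 1e6) } else { 'unknown' } } }
}

"--- Userenv 1054 events, last 7 days ---"
Get-Userenv1054 | Format-Table -AutoSize -Wrap
"--- DC locator result for $Domain ---"
$loc = Test-DcLocator -DomainName $Domain
if ($loc.DC) { "Locator returned {0}; reachable by ping: {1}" -f $loc.DC, $loc.Reachable } else { "Locator returned no DC:`n" + $loc.Raw }
"--- Negotiated link speed ---"
Get-LinkSpeed | Format-Table -AutoSize
```

The pattern in the tip, a DC that is found and reachable once the NIC has settled but 1054 errors clustered right after boot or logon, is what the timestamps in the first table and the speed in the last one let you see together; a hard-coded 100/Full on the NIC and the switch port is then a one-line fix rather than a guess.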

Tip 2: How do I get MMC 3.0 functionality on my Windows XP machine?

Last month, you read about how to control printers using GPOs. And we did so using Windows 2003/R2’s new Print Management Console. You might have noticed that it had a different look and feel to it. That new look and feel is the MMC 3.0 (as opposed to MMC 2.0) which can be seen in this screenshot.

[Screenshot: the Print Management Console showing the MMC 3.0 interface]

Since you likely control your Active Directory universe from an Windows XP machine (and not a Windows 2003/R2 machine) you might want to step-up to the MMC 3.0 look and feel on your Windows XP machine. Here’s how we do it:

  • Ensure that your Windows XP machine has SP2 installed.
  • Get the MMC 3.0 interface (one for 32-bit Windows XP and one for 64-bit Windows XP)
  • Enable the MMC 3.0

We'll assume you already have Windows XP / SP2. Now, to get the 32-bit version of MMC 3.0, click here. To get the 64-bit version of MMC 3.0, click here. Note that it seems as if 64-bit Windows XP systems get "second class citizen" status here, as there doesn't seem to be a "final" version of the code; rather, that link for 64-bit Windows XP MMC 3.0 seems only to be Release Candidate 1.

Update: You can now download from Microsoft a copy of MMC 3.0 for XP x64 and MMC 3.0 for 2003 SP1, as well as 2003 x64 and ia64.

Finally, once installed on your Windows XP machine, edit the registry to add a new key:

  1. Navigate to HKEY_LOCAL_MACHINE | SOFTWARE | Microsoft | MMC.
  2. From the Edit menu, select New, Key. (Yes, ‘key’, not value)
  3. Enter “UseNewUI”.

Note that the new Action pane seems to be available regardless of whether the setting is performed or not. However, the new "Add/Remove Snap-ins" dialog is definitely different once you perform the setting, as seen below.

[Screenshot: the MMC 3.0 "Add/Remove Snap-ins" dialog]

You may not see much "new stuff" while you're inside your console (such as when you're inside the "Actions" pane). That's because each snap-in needs to specifically take advantage of MMC 3.0 goodies.
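The three steps above (confirm SP2, install MMC 3.0, add the UseNewUI key) can be checked and applied from a script so the change is repeatable across a team's admin workstations. This PowerShell is an added example, not from the newsletter or from Microsoft; it assumes the key path given in the tip and only reports the mmc.exe file version rather than asserting a particular number, since the page does not state one.

```powershell
# Added example (not from the newsletter): confirm XP SP2, show which mmc.exe is
# installed, and create HKLM\SOFTWARE\Microsoft\MMC\UseNewUI (a key, not a value)
# only if it is missing. Run from an elevated / administrator session.

function Test-XpSp2OrLater {
    $os = Get-WmiObject Win32_OperatingSystem
    # Windows XP is kernel version 5.1; CSDVersion reads "Service Pack N"
    ($os.Version -like '5.1*') -and ($os.CSDVersion -match 'Service Pack ([2-9])')
}

function Get-MmcFileVersion {
    # MMC 3.0 replaces mmc.exe; compare this before and after the install to see it took
    (Get-Item (Join-Path $env:SystemRoot 'system32\mmc.exe')).VersionInfo.FileVersion
}

function Enable-Mmc3UI {
    $parent = 'HKLM:\SOFTWARE\Microsoft\MMC'
    $key    = Join-Path $parent 'UseNewUI'
    if (-not (Test-Path $parent)) { throw "MMC registry branch $parent not found; is MMC installed?" }
    if (Test-Path $key) {
        return "already present: $key"
    }
    New-Item -Path $parent -Name 'UseNewUI' | Out-Null   # idempotent: only reached when absent
    return "created: $key"
}

if (-not (Test-XpSp2OrLater)) {
    throw "This tweak is for Windows XP SP2 or later; found a different OS/service-pack level"
}
"mmc.exe file version: " + (Get-MmcFileVersion)
Enable-Mmc3UI
```

Because the tip creates a key rather than a value, New-Item is the right cmdlet (New-ItemProperty would create a value under the MMC key instead, which is not what MMC 3.0 looks for); the Test-Path guard makes the script safe to run twice.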

Tip 3: Ready for Vista?

While not specifically a Group Policy-related tip, I thought y'all would find this interesting. You can do a quick "health check" on your existing hardware (running Windows XP) and figure out if it's a good candidate to put Windows Vista on.

Just trot on out to the machine in question, and click here.

You’ll get asked a handful of questions about what you want to DO with Windows Vista. Then, out pops a suggestion about which version of Vista you should get and which areas need attention. You’ll get an HTML report (IE-readable-only, of course) that tells you which features are A-OK and which might not work. You also get a report about the drivers on your current machine and how they’ll fare with Vista (see second screenshot below).

[Screenshot 1: the Vista readiness feature report]

[Screenshot 2: the driver report for the current machine]

Note that some items are peripherals (like my Brother MFC-3220C printer), but some are built into the machine (like the SigmaTel C-Major Audio device.) Let’s hope all these drivers are available by Vista showtime.  

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Now Available: Private GP Course in "Less-Intensive" Format

Everyone knows the two-day Group Policy course is really three days of material packed into two intensive days. However, some customers have asked for a less intensive format.

Your wish has been granted!

This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.

This "three-day less-intensive" option is ONLY available as a private course. Note, the "two-day intensive" option is available as either a private or a public course. Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy intensive training and workshop. Students LOVE the class, and managers LOVE the results.

You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.

Public Two-Day Workshops for the Remainder of 2006:

Because I got invited to do a 19-city roadshow with TechTarget and Microsoft (see next section) I had to move around some of my class dates.
July 11–12: Denver, CO
July 25-26 (changed dates): Austin, TX (by popular demand!)
Aug 23–24: Phoenix, AZ
Sep 25–26 (changed dates): Seattle, WA
Oct 31–Nov 1 (changed dates): Portland, OR

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.  

Free Education!

I’m honored to announce that I’m working with two pairs of vendors to get you free stuff in the upcoming year starting in June! (Y’all know how much I love free stuff!)

Announcement #1:

Jeremy Moskowitz and NetIQ + FullArmor team up to bring you, over the next year or so, some webinars, whitepapers, and roadshow opportunities. Here, you’ll see me outline some of the difficulties that administrators have when working with the native Group Policy toolkit. Then, NetIQ + FullArmor will talk about how their products fill in those gaps ! I’ll keep you posted with mini-updates via “un-newsletters” when a webinar or roadshow date is approaching.

Announcement #2:

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools! Did I mention this is 19 cities?? So, there’s a good chance we’ll be near you soon! First two cities are Charlotte, NC (June 27, 2006) and Atlanta, GA (June 28, 2006).

The best two places to see the city list will be my web site calendar (which runs along the right-hand side), and also here, the official TechTarget/Microsoft web site. Dates will be added when confirmed. Hope to see you there!  

Welcome Mark, my new assistant!

Also, a big welcome to my new assistant. His name is Mark, and he can be reached at [email protected]. He can help you get signed up for a class, get you a case of books, or troubleshoot a gift order. He’d love to get a welcome email from you! However, please don’t send Mark any technical questions. Post those to GPanswers.com/community.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected]. If you have questions about ordering a book, contact my assistant Mark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Apr 2006
25

Issue#17

In this issue:

  • Your opinion please!
  • Windows 2003/R2 Printer Magic
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Now Available: Private GP Course in "Less Intensive" format
  • Public Group Policy Intensive Training and Workshop Schedule Update
  • Subscribe, Unsubscribe, and Usage Information

It's all about more control, baby

This Newsletter’s “big topic” is printers, and deploying them via Group Policy. But, before I talk about that, I have to ask you folks a thing or two.

Thing #1:

  • Do you like these newsletters with one big topic in them?

or

  • Do you like the original format with lots of little questions and lots of little answers?

Send your one word vote of BIG or LITTLE to [email protected]. Or, if you have more than one word to say, you can do that too.

Thing #2:

Want to be famous? I’m working on a project which highlights “creative uses” for Group Policy. So, if you think you’ve got a special implementation using Group Policy—I want to hear about it. For instance, one company I know uses Group Policy to lock down PCs as cash-registers. That’s cool! Another company I know wrote some sweet custom scripts to automate their entire Group Policy universe. Wow! That’s the kind of stuff I want to hear! Or, do you have a special “process” behind your Group Policy that goes beyond the “in the box” delegation? Anything neat or cool—special implementations are what I’m looking for. And, like I said, you can have your name in lights (if you so choose).

Give me a paragraph or two on your cool implementation, and what you’re doing that makes your organization unique. Send to [email protected] with a subject line of SPECIAL.

Now, on with the show!

Be sure to read through to the end. I’ve got a gaggle of new dates and cities for the public Group Policy course for the rest of 2006.


Newsletter Sponsored by: DesktopStandard

Provide all of your Windows 2000, XP and Windows 2003 end-users easy access to the correct printers via Group Policy, today!

Configuring printers is one of the essential desktop management tasks for which there is no built-in Windows solution. DesktopStandard's PolicyMaker Standard Edition solves this issue and many others. It includes both Shared Printer policy and TCP/IP Printer policy for managing printer connections. Standard location-based filters allow targeting of print connections so that jobs can automatically print to the most appropriate printer based on where the computer is located.

Click the link to learn more: PolicyMaker Standard Edition


Windows 2003/R2 Printer Magic

Let me guess what one of your biggest headaches is.

Printers.

Yes, it’s that “little thing we don’t like talking about much.” But, it’s been on my mind lately, so let’s figure out how we can “Do more with Group Policy!”

Are you one of Microsoft’s customers who is implementing Windows 2003/R2?

Or, are you one of Microsoft’s customers who just read the above line and is saying to themselves, “What the heck is Windows 2003/R2?”

Windows 2003/R2 can almost be thought of as “Windows Server 2006.” But that’s not what it’s called. It’s Windows 2003/R2. To use “R2” you need to load it upon a Windows 2003 Server with SP1. Then you load the R2 bits, and voila! You’ve got an R2 machine!

R2 has an armload of neat-o new features. And if you’re interested in reading about all the neat-o features it has, read here.

But only one of those features has any Group Policy-related goodness. But, oh friends, it is very good!

It’s the Print Management Component—a new add-in that R2 brings to the table. The Print Management component does a LOT of keen-o-rific stuff, like centrally manage almost all aspects of all of the printers on your Windows network. What’s not to like about that? And even better, it brings an extra superpower to the table: the ability to deploy printers to users or computers via Group Policy.

ZAAAP! You can just “beam” printers down to your mere mortals.

That’s right. You can now say “Whenever Sally moves from XPPRO1 to XPPRO12, she keeps her printer mappings.” Or, you can now say: “Whoever sits down at XPPRO5 will get the same printer settings.”

The god-like power you have using Group Policy is truly compelling!

Keen readers of my Group Policy book will note I had a tip (on pages 139-140 of the 3rd edition) about using loopback policy to perform the same idea. That is, by sitting down at any given machine you can dictate the printers. Now, finally, it’s part of the operating system.

Getting ready to perform the magic

Before we can get started with the Print Management Components, we need to perform several steps:

1. Update our Windows 2003 schema to Windows 2003/R2 schema

2a. If we want to use our Windows 2003 server as the place where we perform our printer management, we need to load the Print Management Component on our Windows 2003 machine.
 -or-
2b. If we want to use a Windows XP machine as the place where we perform our printer management, we need to load the Adminpak for R2 tools on our management station.

Updating the schema and installing R2

Updating the schema is likely the hardest part of the job, because you’ll need approval from your Active Directory big-wigs that this is an OK procedure to do. Once you have approval, this operation is best performed directly upon the Schema Master in your domain.

The reason for the schema upgrade is that the printer connection objects get a new “fast query” lookup via LDAP in Active Directory. This way, the Print Management Console (which we’ll explore in a bit) doesn’t have to inspect every GPO in the domain to figure out where printers are currently deployed.

Just pop in the R2 media. You are then presented with the option to “Continue Windows Server 2003 R2 Setup.” If you click that, however, you get the message seen below.

Figure 1: In order to upgrade Windows 2003 to R2, the schema must be upgraded.

The dialog box says it all. In short, you need to run the command adprep /forestprep, which is located on the R2 CD-ROM in the cmpnents\r2\adprep directory.

Figure 2: Once you press ‘C’ to continue, your schema will be upgraded to the R2 schema.

From here, we’ll assume you want to test drive this on your Windows 2003 Server and upgrade it to R2. We’ll also assume that you want to manage your printers from there (as opposed to a Windows XP management station).

Once the schema update has been performed, you can then run the “R2Auto.exe” on the root of the R2 CD-ROM and select to “Continue Windows Server 2003 R2 Setup.” At this point, you may be informed that you have a service pack installed (and continuing will prevent any possibility of uninstalling it). Select “Yes.” Once you do, you’ll be at the “R2 Setup Wizard.” The Wizard is self-explanatory.  

Installing the Print Management Components

Next on the docket is loading the Print Management Component. Again, this is a comprehensive tool which allows you to manage many facets of your printer universe. To load the Print Management Component, go to Add/Remove Programs | Windows Components | Management and Monitoring tools and select Print Management Component, as seen below.

Figure 3: You can load the Print Management Console components into a Windows 2003/R2 server.

Note that next time the (annoying) Configure Your Server Wizard appears, you’ll see that it’s been installed as seen here:

Figure 4: The Configure Your Server Wizard now has a new option.

Now that the Print Management Components are loaded, you’re ready to deploy printers to either your users or your computers. You can do this “by hand” using the regular Group Policy editor snap-in, or using the tools provided in the Print Management console.

Deploying printers using GPOs

Let’s deploy printers by hand first using the Group Policy editor, then we’ll move on to the Print Management console.  

First step: Define Deployed Printers

To zap a printer down to your users or computers, you start out by creating a GPO and linking it to an OU containing either users or computers. Say, the Sales Users OU.

When you edit your next GPO, you’ll see a “Deployed Printers” node in both the computer and user half of the GPO along with a new Action called “Deploy Printer” in the Action menu as seen below.

Figure 5: You’ll be able to manage printers directly within the Group Policy Object editor.

Note that if you don’t see the “Deployed Printers node”, it’s likely that you don’t have the updated Adminpak tools on your management station (the computer from which you’re editing this GPO). To get the latest tools, get the R2 Adminpak here. Note that it isn’t “one big .msi” like Adminpak.msi. Rather this is a collection of smaller files for specific updated components like the Print Console.

Once you select User Configuration | Deployed Printers | Deploy Printers (as seen in Figure 5) or Computer Configuration | Deployed Printers | Deploy Printers, you’ll be ready to blast new printer assignments down. Just type \\server\printer into the “Enter printer name” dialog (shown below), click Add, and you’re done.

Figure 6: Enter the UNC path of the printer you want to push.

Or are you? Here’s where the going gets tough. That is, just when you think you’ve got it super-easy, you need to go the last mile of this journey manually. All you’ve done right now is define which printer the folks affected by this GPO should get. But now you need to actually tell them to get it. That trick is done through a little executable program that you have to kick off via Login script (for printers assigned to users) or Startup script (for printers assigned to computers).

Second Step: Assign the PushPrinterConnections executable

The “moving part” to make the printer assignment is a little .exe called pushprinterconnections.exe. If you’re deploying printers to users, the .exe needs to be run in the user’s Login Script. If you’re deploying printers to computers, it needs to be run in the computer’s Startup Script.

The pushprinterconnections.exe gets placed on your R2 server in the \windows\PMCSnap directory along with some other bits associated with the Print Management console (which we’ll talk about in a minute). You can see that here.

Figure 7: You’ll need to copy the pushprinterconnections.exe to each GPO’s script container.

The key point is that the location where it starts out isn’t the location where you need to run it from. Your job is to take the file and plunk it directly into the GPO itself. Here are the rough steps to do this:

  1. While editing the GPO, drill down to the script type (User Login, or Computer Startup).
  2. Click the Show Files button.
  3. Copy the pushprinterconnections.exe into the window that opens up.
  4. Back at the properties of the script, click Add, locate and select the pushprinterconnections.exe file.
  5. Click OK

Figure 8: Call the pushprinterconnections.exe from directly within the scripts portion of the GPO.

Note: If you want to enable troubleshooting logging information, type -log in the Script Parameters box. A per-user debug log file will be written to %temp%. A per-machine debug log will be written to %windir%\temp. (Note that these are totally different directories.) It’s worth noting that you shouldn’t use the -log parameter in a production environment—you wouldn’t want the utility filling up your client machine hard disks with megabytes of log files.

A quick “future looking” note about Vista. This utility isn’t required for Vista. The ability to push down printer connections is built in.

So, the first thing that PushPrinterConnections.exe does when you run it is to check if it is running on Windows Vista. If it is running on a Vista machine, the utility exits without doing anything. So network administrators don’t have to worry if they accidentally push out the pushprinterconnections.exe utility down to Windows Vista clients.

The results!

At this point, you should see goodness when you log in as the user or restart the computer. Note that these printers won’t “change” during background refresh after you’re already logged in. That’s because the pushprinterconnections.exe only runs at login or startup.

Figure 9: Success on a Windows XP machine!

The easier way to do it (sort of)

We just deployed printers to our users or computers by hand using the Group Policy editor. However, there’s an alternate method: using the Print Management Console. The Print Management Console gives a “one stop shop view” of printers deployed via GPOs. In this list, you can see each of my printers (HPLaser1 and HPLaser2) and which GPOs they’re being dictated in, and which side—user or computer—is being forced.

Figure 10: The Deployed Printers node in the Print Management Console “hunts down” GPOs which are using the Deployed Printers feature.

However, the Print Management Console has another trick up its sleeve: the ability to zap printers directly by creating GPOs of its own.

Using the Print Management Console, just drill down to Print Management | Custom Printer Filters | All Printers, locate the printer you want to zap down to a computer or user, and select “Deploy with Group Policy”, as shown below.

Figure 11: You can see any printer in the Print Management Console and zap it down using Group Policy.

With no disrespect to the designers of R2, this is where it starts to get a little bit difficult to work with. It starts out innocently enough, as you can see in the “Deploy with Group Policy” dialog box below.

Figure 12: The interface for deploying printers via GPOs using the Print Management Console.

The interface from here on out is, well, almost a throwback to pre-GPMC days…and we all hated those days. But that’s the interface we have here after we perform our next step.

The idea here is to click Browse and either find a GPO you happen to know is linked to a Site, Domain, or OU (because, of course, you have that memorized) or drill down into an OU and choose to create a new GPO that’s linked to the level you drilled down to. You can see this in Figure 13.

Figure 13: Click to create a new GPO to affect your target OU.

And, of course, you all knew that an icon of two people with a little star over their heads means “Create a new GPO and link it here.” Right? (Maybe not.) Thankfully, the tooltip tells the tale of the inexplicable icon.

Once you’ve created the GPO and linked it, it’s time to deploy the printer. Here you select which side of the house you want to deploy to: users, computers, or both. In my case, I’m deploying to Nurse Users, so I’m choosing users.

Now, here’s where you gotta stay with me—so I’ve numbered the steps like a “follow the bouncing ball.” Before I reveal these steps, I want to confess that I tried this procedure no less than 5 times before I finally figured it out.

Figure 14: Steps to deploy a printer using this dialog.

Why did I go through the painstaking trouble to number the steps and show you exactly where to click? Because the procedure is to:

  1. Choose the user and/or computer side of things.
  2. Click the Add button.
  3. Then click OK

In short, I kept missing the ADD button and was driving myself completely nuts! I think I was missing it because “Add” is ever-so-slightly higher in the dialog than the checkboxes, and my brain thought “Why would I need to click here? I should just click OK and be done.” But my brain was wrong. Learn from my brain.

Here’s the trick: Deploying printers via the Print Management Console doesn’t do 100% of the required steps. That is, while it puts the printer in place in the Deployed Printers node, it doesn’t jam the pushprinterconnections.exe into the Logon Script or Startup Script. This means you have to go back in, via the GPMC, edit the GPO, and jam in the pushprinterconnections.exe (basically, what I showed you in the first part of the article). Frustrating? A little, but now you know what you have to do!

If I’m missing something here, dear readers, don’t be shy. It’s a mystery to me why this whiz-bang Print Management console only does half the job while using the “Deploy with Group Policy” feature.

Final thoughts

Clearly, this ability to zap printers down to either users or computers is a nice leap forward. But, the bad news is subtle: That is, this new magic isn’t built on the client-side extension goodness that IS Group Policy. Rather, this is a little hack that Microsoft put together to zap printers down to users. What I’d like to see is the ability for users to get a changed GPO, and have the printers change on the fly with the background refresh interval. It’s not there yet, but appears to be coming soon with Vista.

One more note about all this before we move on:

  • Windows 2000 machines only support per-user printer connections.
  • Windows XP or Windows 2003 support per-user or per-computer printer connections.

Finally, if you want to learn more about the Print Management Console for the other goodies it brings to the table, be sure to read the “Print Management Step-by-Step Guide for Windows Server 2003 R2” found here.  

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

  Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)  

Now Available: Private GP Course in "Less Intensive" format

Everyone knows the two-day Group Policy course is really three days of material packed into two intensive days. However, some customers have asked for a "Less Intensive" format.

Your wish has been granted!

This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.

This "three-day Less Intensive" option is ONLY available as a private course. Note, the "two-day intensive" option is available as either a private or a public course.

Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes for remainder of 2006:

June 7–8: Austin, TX (by popular demand!)
July 11–12: Denver, CO
Aug 23–24: Phoenix, AZ
Oct 24–25: Portland, OR
Nov 21–22: Seattle, WA

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Here's a testimonial from someone at a major upscale jewelry retailer who said his knowledge of Group Policy helped him and his SMS team be more efficient all around.

Jeremy, We actually use the SMS+ZTI (Zero Touch Installation) scripts you talked about in your last two newsletters. For us, we could only be successful with SMS+ZTI in conjunction with Group Policy settings -- a lot of which you taught. I made a Staging OU and redirected all new systems which get added to the domain to this new OU. The GPOs for this OU are quite restrictive. It makes the machine basically unusable. Heck, I make sure they’re presented with POPUPS which instruct users to call the help center if they get the popup message. This forces our deployment team to move the machine to a correctly managed OU. Some additional things that I have accomplished via Group Policy since your class:
  • Our new laptops come with Wireless cards. But, I needed to make sure they are initially disabled. Then, only turned on for the “right” people -- if you know what I mean. I created a wireless access GPO that disables the wireless service from starting (and removed administrators from enabling it as some extra protection.) I also used a technique in your class to guarantee who gets Wireless turned on, and who doesn’t. So now when we want to enable the access it’s just a quick change!
  • I set up Restricted Groups for different OUs. This helped with Sarbanes-Oxley’s local admin requirements. Using a MOF through SMS we now report who has local admin rights.
  • We implemented Microsoft Live Communicator – through Group Policy we restrict the settings.
So yes, your class was very helpful in getting me on my way. I can only hope it helped other administrators “see the light” like I did! Thanks, Jeremy!

Sponsor Update

At GPanswers.com, we want to welcome the following sponsors to the Solutions Guide:

  • FullArmor Corporation
  • Smartline, inc.

Be sure to check out their cool tools and all other vendor's tools at the Solutions Guide.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected]. If you have questions about ordering a book, contact my assistant Jon at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Mar 2006
28

Issue#16

Why is this follow-up newsletter needed?

I want to thank you all for your comments and observations about my "Newsletter 15" rant. Some of you opted to post in my community forum, and there are some nice comments there. Others posted "side discussions" on, say, the SMS lists.

(PS: This whole newsletter update is being posted to the GPanswers.com newsletter folks and the SMS-list folks.)

I've spent the extra "quality time" getting to know the BDD a bit better. I'm ready to put this whole thing to bed, and I'm grateful for the insights everyone has brought to the table.

Again, if you have comments, my preferred way to handle them is via the Community forum. Or, if you're getting this on the SMS-list, then, feel free to post there too.

Special thanks to the BDD team (Michael Niehaus) for making contact to help me get to the bottom of some of my questions, as well as key members of the SMS-list (Rod Trent and Todd Hemsell) who chose to reach out to help everyone better understand why this is important to them.

Thanks, all.

PS: If you wish to respond, please do not email me about this topic. If you want to participate, please post here http://tinyurl.com/htaxw on my community forum.

Findings

Ultimately, here are my findings after seriously going through the BDD materials. (Yes, true, I went thru them semi-seriously before. But this pass was even more so.)

Indeed, I found some videos of the whole process here and watched every single one and I suggest anyone interested in learning this better also watch them.

Warning: Whoever is giving the talk is clearly just READING from a script. And, hence, it's a little easy to "tune out" even though the information is quite good. With all that re-exploring, here is the Reader's Digest version of my findings:

About BDD/Standard

I seem to have been correct that the BDD, at the end of the day, deploys "Ghost-style monolithic images." These images are based on an "assisted scripted process" which helps wrap up all the steps (including hardware specifics and timed reboots) into the process.

But in the words of the BDD team in a personal email: "In the end, this is captured as an image."

I think, in the end analysis, this is the big dealbreaker for me.

Let's say I change hardware. Or add something that requires another step.

Sure, I can go BACK and tweak my script to then create ANOTHER Ghost-style image. But that seems like more work to me. And now I've got different images running around.

Not that the BDD team or Microsoft needs my advice, but here it is: Take a hard-line stand, and support ONE method.

And that method should be a 100% automated, scripted install.

Here's why: People who already use Ghost-style tools already USE those tools without the process and guidance the BDD offers. And, the manufacturer of those Ghost-style tools should provide any process around them -- Microsoft shouldn't.

I don't think folks already using Ghost-style tools would necessarily jump ship over to BDD. I do think the BDD team could attract more flies by answering the problem of "How can I build a glorious, sexy scripted install that works on ALL my hardware, even if my hardware changes a lot?"

While it has a lot of excellent prescriptive guidance, I would be surprised to learn that many, many people use the BDD/Standard edition.

The BDD team has expressed that they do not assume AD is in place with the BDD/Standard edition. Therefore, none of the process involves any use of GPOs or scripts with GPOs. My suggestion to the BDD team: Start assuming people have AD and can "get it together" enough to use GPOs.

Seriously, even SBS installations run AD and most use GPOs, and they have 10-50 users.

If the target audience for the BDD doesn't even have ONE DC (hence, no AD) I think it's safe to assume that they DONT or WONT want to use a tool like this.

Do people WITHOUT AD really think "process" when doing anything? If the BDD's target audience really assumes about 500+ machines, then, c'mon -- we're ONLY talking AD here. :-)

About BDD/Enterprise

I think this is where the majority of administrators will find usefulness. The ZTI scripts which are part of the BDD really do add the "finishing touches" that SMS needed when the OSD was released.

And, I think that was my confusion, too. That is, that the OSD doesn't, by itself, come with the ZTI scripts. No no.. THOSE only come with BDD/Enterprise.

So, my overall suggestion would be to roll up the USEFUL BITS of BDD/Enterprise and marry them RIGHT to the OSD. I mean, is there a majority case in using ZTI without the OSD? If not, put the goodies where the SMS admins can just use 'em.

It seems, overall, that the SMS admins and I agree on the general "philosophy". That is SMS admins seem to often use BDD/Enterprise to smoke "broken" machines then use SMS to lay down their applications. That sounds awfully familiar when I teach about smoking a machine using RIS then laying down applications with GPOs. It's the exact same theory. (Yes, it’s true that GPOs require MSI packages, where SMS can deliver just about anything.)

There are some differences, and some similarities.

Difference #1.

With RIS, I need to walk out to the machine to kick it off. With SMS, if the client is loaded and responding, I can kick it off remotely. If the SMS client isn't responding I need to either use RIS to boot WinPE or run out there with a WinPE CD-ROM. (Meanwhile, WinPE is still a "licensed" entity. RIS is included as a component for all Windows servers.)

Similarity #1

Both RIS and SMS/OSD seem to use the same "idea" of how they store files. That is, they're not “Ghost-style Monolithic images.” RIS stores "bunches of files" stored on the RIS server. SMS/OSD uses a "WIM" format. Both formats store about 20% less information than a "Ghost-style monolithic image."

So, at the end of the day, an SMS/OSD and a "naked" RIS install are going to take about the same amount of time. (That is, unless you're doing something tricky with the ZTI scripts and downloading a true Ghost-style image with your Ghost-style tool.)

My only question today is: If they're so SIMILAR in the underlying technology, why do we have two ways to skin the same cat? In the future, the BDD team tells me we won't. That's the right idea.

Advantage #1

SMS has always done a good job "staging" files in secondary sites. And, if you have a very large environment, say, with 25 branch offices, using RIS can be a challenge. This is because you'll likely want to load ONE RIS server and replicate it to all your branches. You would use Robocopy, XCOPY, DFS, or something else to copy that one RIS server to your 25 branches. But this route could be fraught with peril. (However, I would suggest that with the improvements with WS03/R2 this might be vastly improved.)

Onward and upward

This isn't a BDD comment, specifically. But I think it's simply silly that I must "run out" to a bare-metal machine with a WinPE disk, or have a RIS server available alongside my SMS just to boot WinPE to then get bare-metal installs up to speed. Unless I'm missing something, this is a kind of a big hole that the SMS team needs to address. I don't know enough about SMS 4.0 to know if this hole is plugged.

I like the idea that the ZTI scripts are "open" and customizable. And this, I think, is why SMS admins are "passionate" about the BDD in general. Again, however, my suggestion (for what it's worth) is to put the ZTI scripts right into the OSD if that's the people who use them.

Ultimately, the BDD has a nice message: Put some process around the way you do your deployments.

I can't rant about that. Clearly, I'm not a huge fan of "Ghost-style monolithic images." I'd rather see you script the whole install, even if it takes longer. But the BDD's goal is to prescribe some repeatable guidance for those who choose to use Ghost-style tools. Again, I can't argue with that -- if that's the way you're choosing to do your deployment. As I said in the original newsletter -- if you're happy with Ghost and their ilk, then keep on using it. The BDD helps you put some "process" around that deployment method if you choose to use it.

That's just good thinking all around.

However, in this "Son of rant" I've made some suggestions I hope might be well received by both the BDD and SMS teams going forward.

One last piece of the puzzle: BDD will surely evolve in the Windows Vista timeframe. I would expect it to take on the new WIM/XIMAGE/IMAGEX formats Vista will support. But, that's another discussion for another day, isn't it?

PS: The BDD team responded in full to this content before it went live. And I've tried to inject the relevant feedback about the current state of the BDD and SMS/OSD back in before we went live. However, I'm currently seeking permission to print a full transcript of the conversation so you can read the response directly from the BDD team. In that response the BDD team discusses future directions, which are certainly interesting. When available, it will NOT be a newsletter. It will only be posted here http://tinyurl.com/htaxw on my community forum.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who emails.

Mar 2006
22

Issue#15

Newsletter #15

  • My Rant: Why imaging? Why SMS?
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Public Group Policy Intensive Training and Workshop Schedule Update
  • Upcoming appearances and schedule
  • Thanks Netpro!
  • Subscribe, Unsubscribe, and Usage Information

This issue is (I’m sorry folks) a rant. It’s not about the war, or politics—but about something close to us, that we can all rally behind: disk imaging and management products.

So, without further ado, my rant.

After I rant for a while, I'll give you an update on my 2006 Group Policy Class Schedule and suggest some other great stuff for you to check out.

Before I forget—the Sacramento, CA Two-Day Group Policy class is ON for March 30, 31. We have three seats available. If you want one of those seats—sign up soon at www.GPanswers.com/workshop.

PS: A hearty THANK YOU to the folks who came and saw me and Tom present Win/Lin topics at this season's TechMentor in Orlando. I'm gone now (off to the next thing)... but thanks for brightening our days there -- you were a super audience!


Newsletter Sponsored by: Special Operations Software

Sometimes the out-of-the-box Password Policy in Windows isn't just enough. If you need many Password Policies per Active Directory domain or more granular control of how passwords can be created you should have a look at Specops Password Policy.

Redmond Magazine says that "Password Policy is easy to install and easy to use. It provides much more granular control and doesn't have a long learning curve."

Click the link to read more on how Specops Password Policy can benefit your organization with increased security.


As Dennis Miller says, "I don't mean to go off on a rant here..."

My good friends at TechNet Magazine have recently released their March/April 2006 magazine. And, let me tell you—it’s excellent, specifically, if you’re running SMS to roll out your desktops and/or contemplating using the new Business Desktop Deployment (BDD) to roll out desktops.

And, I have some questions (and please don't answer me directly via email. Please, please, please answer these questions or agree/disagree with this rant by going to http://tinyurl.com/htaxw on my community forum and post your 2 cents there.)

My three questions are:

  1. Why does Microsoft have 7 ways to deploy a desktop?
  2. Why bother with image-style desktop deployments at all? and
  3. Why bother with SMS-style tools?

So, let’s get started on this very special “rant” issue.

Microsoft's desktop deployment options

By my count, Microsoft has seven ways of “officially” deploying a desktop:

Category 1: via winnt.exe

  • Put in the CD and restart the machine. This basically runs winnt.exe and installs Windows.
  • DOS-style Network boot disk to connect over the network to run winnt.exe
  • WinPE-style to again run winnt.exe (almost the same as a DOS-style network boot disk in practice)
  • Remote Installation Services (via PxE) where winnt.exe gets invoked

Category 2: via image

  • SMS + Operating Systems Deployment Pack (OSD)
  • Business Desktop Deployment (BDD)
    • Standard Edition
    • Enterprise Edition
  • Vista’s all-new image-based deployment

The methods in Category 1 “build” a PC from scratch, loading Windows step by step (or via answer file), but fundamentally “create” a PC by formatting it and loading each file.

The methods in Category 2 “photocopy” from an image source in Ghost style.

So, here’s the question (again): why bother using either the Zero Touch Deployment for SMS (with the Operating System Deployment pack), the BDD, or the upcoming Vista image-based methods to roll out your desktops?

First of all, unless I’m missing something—these latest tools from Microsoft compete with each other for your desktop rollout attention. Not to mention that Vista will also come with its own image-style deployment mechanism. So, between the BDD, SMS+OSD and Vista’s Imaging mechanism—I’m one confused guy—and I’m trying to understand why each has its place.

So, that’s three image-style mechanisms to do the same job. That’s my real question: can someone (anyone) explain why I might choose, say, the BDD over the SMS+OSD even if I could deploy both at exactly the same hard and soft costs? (Again, don’t reply here…post about it, at http://tinyurl.com/htaxw.)

To me, it seems a main selling point of both the BDD and SMS+OSD appears to be that it will “maintain state” as you do a desktop upgrade from say Windows 2000 to Windows XP. With a little elbow grease, you use the built-in User State Migration tool, shoot up a copy of the user’s important stuff, blast down a new desktop, and restore the important stuff (like desktop backgrounds, etc., etc.)

Great. But again, why bother specifically saving the state?

If you’re using the network to store the important stuff (say, by using Roaming Profiles), and use Group Policy to maintain your application settings, why specifically go out of your way to preserve any of it? Those of you who’ve heard my talks on desktop deployment know it will still be there waiting on the network when you deploy that new desktop to the user.

So, if you want to educate me… please do so. Again, respond by posting to http://tinyurl.com/htaxw.

Beyond the Microsoft image-based deployments

Since I'm already off on a rant here, let me take it one step farther…

Truthfully, I don't even see the point of having any image-style/“photocopy-style” deployments (including other non-Microsoft image-style deployments a la Ghost, PowerQuest, or anything else). Those of you who’ve seen me speak at conferences or those who have taken my more in-depth two-day Group Policy course know my feelings about image based deployments. Yes, they’re fast—but, ultimately, they’re a “photocopy.” To recap the process, you essentially wrap up a “perfect” PC with a set of “core” applications and make a big image. Then, you deploy that image to a zillion machines. And you do it fast.

Great.

But, this means several downsides when thinking long term. First, there’s the problem with the “photocopy” aspect in terms of hardware deployment.

Yes, I know—Windows sysprep is supposed to be the answer. Sysprep’s job (especially with the -pnp switch) is to shut the machine down for photocopying. Then, once the photocopied machine is turned back on, it’s supposed to magically discover all the correct hardware, and birds will land on the computer singing and chirping.

Except it’s not guaranteed (especially the birds). Not to mention the problem with photocopying from one machine to another—the required drivers might not be there. If you’re photocopying the same image for a Dell Latitude and an IBM Thinkpad—you let me know how that’s working out for you. If you can sleep at night while doing this, you’re a stronger man than I.

Okay, I’m sure the BDD and SMS+OSD deployment have some provisions to handle this situation. But, I was at a loss on specifically how to add new drivers to either the BDD or SMS+OSD if, say, a new network card showed up in your next desktop shipment. What I am sure of is that in each case, the WinPE image (which provides you the ability to access the image) would indeed need to be tweaked to accommodate this (already a hassle). But my confusion is what about the drivers for when Windows is actually running? If I’m pulling down a fully formed image, how can I jam in new drivers? If you know, and can educate me, please do so.

Even if there is a native way to do this (easy or cumbersome) it appears that Binary Research (the original makers of Ghost) has created something to help fail-safe the process. Their “Universal Imaging Utility” product (found here) is supposed to help inject a bazillion drivers into your images—specifically to remediate this very problem I’m describing.

The next big problem with the photocopy is—it’s obsolete the very day it’s placed into service. Why? Let’s explore a typical photocopy-style rollout. Let’s say we’re deploying our image to 1000 desktops. Just to give it a name, we’ll call our project OurImage 1.0. After rolling out 300 of our 1000 desktops someone on the deployment team realizes they’ve forgotten a critical application patch, or bite-sized application, or a configuration setting, or misspelled a directory, or any number of a 1,000 things that can go wrong during image building. So, the desktop engineering team cleans up the image, and rolls out OurImage 1.1. They then roll out to the next 300 desktops. (And, of course, the problems weren’t big enough to retrofit the first 300 desktops and disrupt users.) So, now, you have 600 desktops deployed: half on OurImage 1.0 and half on OurImage 1.1.

Not ideal, to be sure.

Then, one of the applications in the image has a new minor version (which the manufacturer strongly recommends you start deploying right away). Back to the drawing board, and a new revision, OurImage 1.2, is created. The deployment rollout must go on! And OurImage 1.2 is now deployed to the next 300 clients.

So, now, that’s three somewhat-different images over 900 clients. Now when any of those users calls the helpdesk for help, which version of the image are they using? Remember each version of the image has slightly different application versions tucked inside.

Or, consider this case: the image is rolled out to 300 people—both Sales and Marketing. But Sales is constantly playing around with applications in the image they have no right to even use. Should those applications have ever been in the image at all? Sure, those applications are needed for the Marketing guys. But not for Sales. So what do some IT departments do? They send someone to trot out to the Sales desktops and manually uninstall those applications (or script it, or touch it with SMS or something).

So, it must appear as if I’m “down” on photocopy-style desktop deployments such as Ghost, SMS+OSD or the BDD. It’s not that I’m down on them, just utterly confused why anyone would use them.

With that in mind, what’s my proposed desktop deployment solution?

Group Policy of course (with a little help from Remote Installation Services)!

Why RIS? Because RIS doesn’t “photocopy” an image. It “builds” the computer from scratch, installing just the software it needs in order for Windows to run. And, there are provisions for centrally adding new and updated drivers when new hardware comes out (like NICs, sound cards, etc.).

Why Group Policy? Because you can deploy just the applications you need to just the specific people who need them. If Fred in Sales shouldn’t get an application only Marketing would use, then it’s not in any photocopy where you’d have to worry about it. Fred only pulls down applications Fred needs.

Yes, I know the downside to my strategy. That is, in order for my suggested strategy to be successful, you have to be 100% committed to the MSI promised land (or buy 3rd party Group Policy tools to deploy applications other than only MSI apps).

Now, before you napalm my house—let me wrap up this section with this one thought:
I AM NOT SAYING TO ABANDON GHOST, POWERQUEST OR ANY OTHER IMAGE-BASED TOOL IF IT’S WORKING FOR YOU.

I know lots of people are quite attached to their desktop deployment methods. If something is working for you, and you’re happy—keep on truckin’.

Don't let me stop you.

The main reason I'm down on image-type deployments is for the reasons I mentioned above:

  • Again, first, it’s a photocopy, and even though sysprep -pnp should work from machine to machine, it doesn’t always. If it does work for you—fantastic. Consider yourself blessed, and continue to make use of the speed that photocopying provides.
  • However, consider the second problem: “core applications” in the image make it difficult to customize each user’s experience for them. If you get away from photocopying, you get away from deploying unnecessary apps (or forgetting to put apps in your image).

So again, yes, I know RIS is slow. Slower than a photocopy, yes. And, if you’re comfortable photocopying machine to machine to get the OS deployed then, again, keep on doing that. All I’m asking is for you to consider not embedding the applications in the image.

My problem

Now, if you want to help me out you can explain a few things to me.

  1. If you’re actually using the SMS+OSD—how is it really “zero touch” as it’s touted? I don’t get it. I’ve read countless pieces of documentation, but it still appears as if the client needs to be “seen” by the SMS system in order to zap a new photocopy upon it. That means it needs to be an SMS client. If I’m cracking out a desktop or laptop from the cardboard box and put it on the wire, I’m totally unclear how SMS will “find” this new machine and zap it my corporate photocopy. From what I’m reading it seems (dig this) that the prescription is to actually use RIS to deploy that initial desktop, then get the SMS client loaded, then zap down the remaining applications. Wait a second—that sounds like “The Jeremy Prescription” (except you substitute GPO for SMS!) If I’m missing something, and you’re an expert here, please, please educate me.
  2. The BDD has lots of wizard-driven steps to help you create your photocopy and then deploy it. Why would anyone use the BDD at all, for any reason, when there are clearly other options which do the job? And, unless I’m looking at it wrong, it seems the BDD requires a Ghost-style imaging tool to do the work. Indeed the documentation talks about the PowerQuest tool quite a bit. Again, I’m at a loss to understand why the RIS/Group Policy/MSI combo wouldn’t be the preferred way to go here—or just about anywhere.

More stuff to rant about (Or, why I'm already unpopular with the SMS team at Microsoft)

Since I'm ranting about SMS anyway

The issue of TechNet magazine I mentioned has a whole article dedicated to SMS troubleshooting. When people ask me if I’d prefer SMS over Group Policy, I’ll tell them “Even if you gave me all the licenses I need for SMS, I’d still pick Group Policy over it any day.” Yes, yes, I know SMS has more features than Group Policy does.

But a Dodge Caravan has more features than a Mazda Miata. Get the picture?

In the end analysis what are the features people use when they buy that Dodge Caravan, er, SMS? Let’s look:

  • Software Deployment with targeting (which can be done with Group Policy Software Installation and WMI filters)
  • Hardware and software inventory (which cannot be done natively with Group Policy but is, I hear, coming soon with 3rd party Group Policy tools.)
  • SMS has Software Metering tools—but no one I know uses it much.
  • SMS has compliance/patch-management tools. I do know some companies which do make use of these—but only because the free WSUS wasn’t yet available, and now they feel like they’re “locked in.”

So, why would I pick Group Policy over SMS even if someone handed me unlimited free licenses? The TechNet article in the same issue entitled “No Desktop Left Behind: SMS Troubleshooting Basics” about sums it up. Not to saturate you with all the steps the author expertly describes, but, holy cow does it ever take some troubleshooting skillz (that’s skillz with a ‘z’) to get to the bottom of things when SMS stops working. In a nutshell: SMS has about a zillion moving parts. The author expertly demonstrates how to “trace” where the problem is within all those moving parts.

In a basic (very basic) comparison, the same operation (software deployment) for Group Policy is refreshingly simple. There are, in short, many fewer moving parts to troubleshoot when things go wrong. Yes, okay, maybe I’m a little biased due to my love of all things Group Policy. And that isn’t to say Group Policy always works, either.

What I am saying, however, is that when Group Policy “breaks” it’s a much easier proposition to figure out where the problem is, then actually get to fixing it. For the record, in case you think I’m making stuff up here to specifically beat up SMS, I am certified in SMS 2.0 and do know a little about what I’m talking about. (And, yes, I know SMS 2003 is a different, though similar animal.)

Simpler is better

Okay, poor SMS. I just beat it up a little bit, and I’m feeling a little guilty here. But, ask yourself if you need a tool like SMS at all.

If you need it—you need it.

But, the question is do you really need it?

I've personally met a handful of people who seem to be with me; ditching SMS and Tivoli (and the like) for a pure Group Policy-based solution to their management.

Here's the thought process: By not introducing an SMS-style tool, you’re reducing complexity.

Again, the Group Policy moving parts are already built into the operating system.

So, if you can make use of the moving parts inside the box, my advice is to do so.

Now, let me be super-clear before the hate mail comes in from the SMS team (or SMS-style product companies). As I said: if you need it—you need it. That’s the trick, and the trap I see many organizations fall into. Many organizations inadvertently increase their complexity by adding an SMS-style management tool for not a lot of benefit. When I ask people “Why did you end up deploying your SMS-style tool?” The #1 response I get is “We needed a way to distribute software.” And 10% actually use the overall “power features” SMS provides over Group Policy.

So, again, my feeling is that, yes, an SMS-style tool is great—if it truly gives you something you cannot achieve a different way. Again, SMS provides software distribution, hardware and software inventory, patch management, image deployment, and software metering. If you need something on this list that Group Policy cannot do natively (or enhanced with third-party tools) then, yes, go get it.

But, if you don't need it—why introduce it, even if you’re getting the licenses for free?

Wrapup

For the love of Pete (whoever he is) do NOT email me directly about this rant. While I strive to answer everyone’s email, I’m making an exception in this case. It’s not because I don’t love you, it’s because I want you to respond publicly here where we can all talk about it. Key points to talk about:

  • If you’re using the BDD…why? What does the BDD give you that other methods do not?
  • If you’re using SMS+OSD…why? How’s it working out for you?
  • How can you add drivers when Windows runs using the BDD or SMS+OSD?
  • If you’re using the “Jeremy Method” of RIS + Group Policy + MSI, how’s that working out for you? Was getting to the MSI promised land a tough haul? Did you succeed, or give up?
  • Why save user state and restore it using the USMT during the BDD or SMS+OSD process? If you’re using the network properly (redirected MyDocs and Application Data), what precisely are you saving by using the USMT?
  • Has anyone introduced an SMS-like product only to then realize it was overkill and the same task could be performed via Group Policy? How did you handle that?
  • Or, is SMS your life blood and you’re using it for a task I didn’t describe here?

Thanks for listening.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and a whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)  

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class! Classes for the first half of 2006 (lots of date changes since the last newsletter. Sorry about that.):

  • Mar 30-31, 2006: Sacramento, CA—This class is ON. If you want a seat, I suggest you sign up now. Only three seats left!
  • Apr 18-19, 2006: Atlanta, GA
  • Apr 20-21, 2006: Tulsa, OK (not Okla. City, as previously reported.)
  • Apr 26-27, 2006 (new class): Richmond, VA
  • May 15-16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop (Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Upcoming Appearances and schedule

It's going to be a busy month for me. Embrace the travel! Love the airport. Embrace the security dweebs patting me down. Well, maybe not.

Here's my ever-so-brief schedule.

NetPro Directory Experts Conference: Mar 26 - Mar 29

I'll be speaking on Windows/Linux authentication integration. My talk is at 9:15 on Tuesday the 28th. www.dec2006.com/agenda_tues.cfm

LinuxWorld Boston: Apr 3 - Apr 6

Again, on Windows/Linux authentication integration. My specific talk is on 4/4/06 at 2:30 PM. Hope to see you there! tinyurl.com/7dspg

WinConnections Orlando: Apr 9 - Apr 12

I'll be speaking on a variety of topics at this WinConnections: "Group Policy Toolbelt", "Shared Computer Toolkit" & "Windows–Linux Integration: Authentication Services", plus a 3-hour Group Policy Pre-Conference warm-up. www.winconnections.com

Microsoft TechEd Boston: Jun 11 - 15

Again, on Windows/Linux authentication integration. Don't know my exact speech date yet. tinyurl.com/7lktw

Thanks, Netpro!

Recently Netpro had a cool webinar, and they mentioned us—GPanswers.com. Neat! Thought I’d return the favor. Here’s how to check out the webinar with a good message for anyone managing Active Directory. WEBCAST: 16 Steps to a healthier and happier Active Directory

Before going about securing Active Directory, you should make sure that certain configurations have not created unexpected security holes. In this webcast, NetPro CTO Gil Kirkpatrick will examine various aspects of Active Directory, from backup to DNS configuration to Group Policy management, that, when executed properly, can ensure a secure installation. Register here.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected]

If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who emails.

Thanks for reading!

Jan 2006
17

Issue#14

Welcome to 2006

  • Technology Takeaway®, a service of Moskowitz, inc.
    • Just one LOONG tip: Creating a Bulletproof desktop with the Shared Computer Toolkit.
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Free, Free, Free speeches by Jeremy
  • By popular demand: The three-day less-intensive GP Course in PA
  • Upcoming Public two-day GP Classes for 2005 / 2006
  • What's new from GPanswers.com
  • What's new from Microsoft
  • Subscribe, Unsubscribe, and Usage Information

Moskowitz, inc. and www.GPanswers.com

This issue, we tackle something that's near and dear to me: Desktop Lockdown. It certainly feels as if all the Group Policy settings available to us would allow us full control over our desktops. But, there's something missing. In this issue, we'll explore the Shared Computer Toolkit which makes your Ultimate Desktop Smackdown vision possible.

After we talk about this, I'll give you an update on my 2006 Group Policy Class Schedule and show you some cool new features we've added to GPanswers.com.


Newsletter Sponsored by: DesktopStandard

Built-in Windows security management features simply don't give you enough granular access. As a result, administrators run applications with full administrative access - even if it is not required. This exposes the network to unnecessary security risks like viruses and spyware.

DesktopStandard's PolicyMaker line of Group Policy Extensions solves this problem with Application Security policy. Click the link to learn how you can empower your users to be more secure today.


Technology Takeaway®, a service of Moskowitz, inc.

Bulletproofing your shared desktop -- with the shared computer toolkit

One of the top requests I get at GPanswers.com is how to take machines and “lock them down.” People want ways to ensure their machines can’t be broken by Joe User or Harry Badguy. The “out of the box” Group Policy settings can go a long way towards solving this common conundrum. But the settings in the box can only take you so far.

The situations involving computer lockdown can get complex–fast. You might not even know the people who are walking up to the machine, but you still have to give them some portion of your network resources like Internet browsing, file viewing, or printing.

You would typically find computers like these in places like universities, airports, hotels, community centers, museums, kiosk stands, and conference centers. So, these aren’t the kinds of machines that your typical business users utilize day to day; these are the kinds of machines where people need sporadic access, and they are people that you may or may not trust. And by “not trust” I mean they’re potentially downloading infectious junk off the Internet. They may be inadvertently adding spyware–or worse, they’re really out to get you and are going out of their way to try to damage your public-access PC.

What you need is a way to restrict anything from being written to the Windows partition. You need a way to trap the bad stuff, but keep the good stuff–like critical Windows updates and antivirus updates. You need a way to lock down Windows so it’s much harder to get to the under-the-hood Windows stuff, like the C:\Windows directory. And you need a way for new users to get a guaranteed profile, so you’re dictating their experience, not fighting to clean up after them. However, if you’re dreaming a little bit, you might also want to manage exceptions. That is, you might want to have a known or trusted user use this shared PC for some specific task, and to make sure that their data and settings stick around.

What you need is the Shared Computer Toolkit, or SCT. While the SCT can be many things to many people, it’s not specifically meant to be loaded on every desktop to restrict the actions of day-to-day employees (though I’m sure some enterprising geeks will attempt to roll it out corporation-wide). It’s also not really meant as a “parental control” device either, though there might be some attributes of the SCT which might be useful there.

Requirements

To use the SCT, you need a Windows XP/SP2 machine with at least 1GB of unallocated space (though having 10% of the hard drive unallocated is recommended). This unallocated space will be converted into a special “protection partition” by the SCT. Additionally, you might want a second “Data” partition to store persistent data from trusted users to whom you specifically grant access. For instance, if someone uses this machine for their daily work, you might want them to be able to save Word documents on this additional partition.

One of the tricks is getting a machine which already runs Windows XP/SP2 and carving out some unallocated space. Typically, when Windows is installed, the entire hard drive is used, so there is no unallocated space. However, any repartitioning tool will make it possible, such as Symantec Partition Magic, TeraByte BootIt Next Generation, or Acronis Partition Manager (part of the Acronis Disk Director Suite). The Microsoft documentation for the SCT specifically mentions the first two, but I already own the Acronis product and used that one with no problems.

There are two main ways to use the SCT: when machines are not joined to the domain, or when machines are joined to the domain. We’ll examine both scenarios here.

Getting Started with the SCT

After you’ve re-partitioned the machine, you’ll take the following steps to use the SCT:

  1. Install all the applications that you want to make available on the shared computer.
  2. Remove Windows components that you don’t want people to use (or would be potentially dangerous for people to use) like IIS, or Outlook Express.
  3. Install the SCT after installing the required User Profile Hive Cleanup Service (UPHClean).
  4. Configure the SCT.

Once SCT has been configured, its goal is to keep your computer as clean as the day you installed it. Therefore, be careful that you’re not actually loading “junk” on your shared computer as you’re preparing it for use.

At the heart of the SCT is the Windows Disk Protection service, or WDP. The goal of WDP is to “trap” writes to the Windows system volume, and temporarily store them on the Protection Partition so the bad guys can’t actually do any permanent damage to the real Windows partition. Once the session is over, so is any accompanying potential damage.

However, the SCT cannot prevent certain attacks from being attempted. Even though the SCT will help you lock out Windows functions like Explorer, that doesn’t mean an application you’ve installed and made available for use doesn’t have Explorer-like capabilities. For instance, many applications allow you to browse the contents of the hard drive when you’re in their File | Open dialog boxes. Again, the SCT will ultimately prevent the disruption of Windows because of the WDP—that is, the WDP ultimately discards any writes to the system volume. However, it is incapable of preventing this kind of “poking around” attack if your application lets them poke around.

To download the SCT, go to Microsoft’s website here. What I like most about the website is the opening graphic where three kids are ostensibly “learning” on the machine. However, what we really know is that they’re right-clicking over your favorite disk partition and selecting “Format.” With the SCT, you’ll be protected from rascals of all age groups.

The SCT installation is Wizard-driven, and is a snap to use. However, it requires an additional package, called the User Profile Hive Cleanup Service, or UPHClean. UPHClean is popular with Terminal Services administrators whose users have difficulties logging off Terminal Services and having their User Profile settings saved. It’s interesting to note that UPHClean is now a required component for this SCT. It would have been nice if the SCT installation didn’t make you download it separately, but (since you need it anyway) simply made it part of the SCT installation.

Configuring the SCT in 8 Easy Steps

Once SCT has been installed, configuring it is made easier with a Getting Started page (seen in Figure 1), which steps you through the configuration process.

Figure 1: The SCT Getting Started page is like a guided setup.

After the Getting Started guide appears, it’s easy to walk step-by-step through the process. The second step, as seen in Figure 2, is mostly configuring security-related Group Policy settings which are being set within the local GPO. In most cases, you’ll want to make sure all boxes are checkmarked.

Figure 2: Step 2 mostly deals with security-related Group Policy settings.

Step 3 simply has you create a new local user and give it a name of your choosing, such as Public.

Step 4 has you actually configure the user account the way you want: configure the desktop wallpaper, accept first-time run settings and license agreements (for programs such as Windows Media Player, Microsoft Office, and Acrobat Reader), add printers, etc. Whichever way you configure this profile is how all public users on this machine will see it.

Step 5 has you select the Public profile and lock down some additional settings, as seen in Figure 3. There are too many options to delve into right here. Thankfully, the recommended settings are all located in one place and can be selected with one checkbox, which highlights all of them. Defaults here include the restriction on running applications from USB thumb drives, restricting the running of system tools (such as regedit.exe), and preventing users from right-clicking within Internet Explorer.

Optional Restrictions, such as “Remove CD and DVD burning features” and “Prevent printing from Internet Explorer” are welcome additions.

Figure 3: It’s easy to apply the kinds of restrictions you want to enforce for all users.

Step 6 has you actually testing the Public profile before you go into lockdown mode. This enables you to see what the user will see, but still makes it easy for you to go back and make changes in the SCT Getting Started steps.

Step 7 contains the secret sauce–the Windows Disk Protection service, which requires a reboot before it can be configured. Here, you can specify whether or not to retain changes made by public users, and how critical updates are handled, as you can see in Figure 4.

Figure 4: Once Windows Disk Protection is turned on, you can Clear, Save, or Retain changes as you see fit, as well as schedule Critical Updates and set other options.

The WDP features a very, very strong protection mechanism with four choices:

  • “Clear changes with each restart”: Once this function is turned on, the system is officially protected. All historically “sensitive” parts of the system, such as the registry, services, even critical boot files like boot.ini and NTLDR are protected from permanent harm.
  • “Save changes with next restart”: Once the SCT has been running for a while, you might realize you want to add another application to the system, or make another permanently desired change. To do this, you need to specifically select “Save changes with next restart” and you’ll have skirted around WDP this one time and integrated your changes. A quick note before this function’s use: be sure to restart the computer before you load your new application, so as not to keep something bad or unknown. Then, once loaded, select “Save changes with next restart.”
  • “Retain changes for one restart”: If you’re adding a new application, and that application requires a reboot to finish its installation, select this option. Then, once you’re convinced you’ve loaded and configured the application correctly, pick the “Save changes with next restart” option to permanently seal in your changes.
  • “Retain changes indefinitely”: If you want to load many applications and watch their interactions over time, you might select this option. Once you’re ready to accept your changes, select “Save changes with next restart.” If you want to back out of all changes, select “Clear changes with each restart.” For example, this functionality is great for computer training centers where a new class comes in every week and you want students to have free rein over the computer. You can let them do what they want and they can restart the computer as much as they need to. At the end of the week, just clear the changes and the computer will be restored to its Monday morning state.

Another way to think about these settings is that once WDP is turned on, all changes are written to the Protection Partition (this was the previously unallocated space you carved out) until you choose “Save changes with next restart”, and they are merged with the real partition.

It’s likely your other corporate computers are downloading critical Windows updates from Microsoft or from WSUS by themselves (see my article in Technet Magazine about corporate WSUS settings). However, computers using the SCT need a little TLC. That is, these computers need you to manually grab these updates. When it’s time to automatically install patches, the interactive user is logged off, and during the Critical Updates installation time, no users (other than administrators) can log on. It should be noted that when Critical Updates are downloaded, they are always written directly to the “real” Windows partition and not the Protection Partition. The process is quite elegant: an automatic reboot clears any potentially damaging changes users might have introduced, and then the updates are written. This ensures that only the Critical Updates make it onto the disk.

Additional Ways to Configure the SCT

So far, the discussion has been for one standalone PC–not a domain environment. One PC is a good start, but not likely how corporations, schools, and the like will ultimately roll this out. The two additional scenarios to consider are:

  • Domain-joined SCT machines, and
  • Mass deployment of the SCT (domain-joined or not)

If your target SCT machine or machines are domain-joined you can, of course, go through all the steps listed above to get the job done. But that means you have to visit each and every machine to do the job. Instead, the SCT team (thankfully) rounded up their hard work and made a Group Policy ADM file which just snaps right in to the Group Policy Editor. This file (SCTSettings.adm) is located in the C:\Program Files\Microsoft Shared Computer Toolkit\bin directory. This enables you to make mass changes on multiple SCT-enabled machines, as seen in Figure 5. The ADM template is a little rough around the edges and could use a little cleaning up of the Explain text entries to be as useful as possible, but it’s a really good start.

Figure 5: You can mass-implement changes to SCT-enabled machines via Group Policy.

There are some additional technical obstacles to overcome with domain-joined machines. For instance, how do you run around to 1,000 SCT-enabled machines and reconfigure their disk-protection settings? Thankfully, there’s a DiskProtect.wsf script provided which you can use to script the behavior of your SCT-enabled machines. You also need to manually implement the suggested Software Restriction Policy settings which prevent System Tools and unwanted programs from running. This is all very well spelled out in Chapter 10 of the Shared Computer Toolkit Handbook, which is titled “The Shared Computer Toolkit in Domain Environments.”

The next hurdle is the mass deployment issue. That is, how do you get the SCT bits and pieces on the target machines in the first place? The suggested avenue here is to embed the pre-installed SCT and corresponding bits inside your “Ghost-style” or “RIPrep” image build. Or, if you deploy “clean” machines, you could simply script the UPHClean and SCT installation using post-installation script commands. My first choice would be to use Group Policy Software Installation and simply assign both UPHClean and the SCT to your shared computers via Active Directory and Group Policy.

Once you have the required bits on the machines, simply use the included Group Policy ADM and .WSF files to control the computers after they’ve been deployed.

However, there are still two more hurdles to overcome. Every Windows machine must be expressly validated by Windows Genuine Advantage. This becomes a bit of a problem because each machine needs to be “touched”, either by installing an IE ActiveX control or running an HTA application.

The last problem is, how do you remotely repartition a computer’s hard drive if you don’t want to trot over to it? Remember, every SCT computer needs the required Protection Partition. If you have your own ideas of how to “mass validate” computers via WGA or remotely repartition a computer, don’t keep it a secret! Let me know and I’ll post a follow-up on GPanswers.com.

Final Outcome

Once the computers have been deployed, your users log on with the username you set; in our examples it was “Public”. And if you were using a domain account, you could feel free to use that as well. Once they’re logged on, it really is a restricted, bulletproof machine as seen in Figure 6.

Figure 6: The final outcome of an SCT-enabled machine with restrictions enforced.

This is a really great tool with lots of potential uses. The tool itself as well as the documentation is well thought out, and the additional control via Group Policy is just icing on the cake for a Group Policy control freak like me.

Online support for the tool is available at Microsoft’s newsgroups, here.

Additionally, before running headlong into a real deployment using the SCT, I suggest you read the included Shared Computer Toolkit Handbook, which is a well-laid-out PDF file.

For a 1.0 release, this tool really gets the job done.

SPECIAL THANKS to the Shared Computer Toolkit team at Microsoft for reviewing this article for technical accuracy. This article will appear in the July issue of Microsoft's TechNet Magazine. Consider subscribing. Click here to check out the magazine.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and a whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Free, Free, Free!

Well, the price is right, even if it stinks. But it won't stink -- I promise you'll learn something, or DOUBLE your money back!

Windows & Linux: Perfect Together (Online Roundtable)

Jan 26, 2006 from 2.00 to 3.00 PM EST (11.00 to 12.00 PST) This will be a live talk with me, my co-author of my Windows/Linux Integration book (Tom Boutell) and others! The topic: Windows & Linux Integration -- so sign up and see you online! Bring your questions! Click here to register.

WSUS Architecture Crash course

Feb 10, 2006 from 12.00 to 1.00 PM EST (9.00 to 10.00 PST) Patches and updates can be a real headache to manage. Microsoft Windows Server Update Services (WSUS) is here to make your life easier. Have you implemented it yet? This is a "Power Hour" webcast with 30 minutes allotted to talk and demos and 30 minutes allotted to questions and answers. Click here to register.

By popular demand: The "Less Intensive" Group Policy course is available as a trial in Pennsylvania

Last month I debuted my new three-day "Less Intensive" format. I explained how this course was only available for PRIVATE courses.

Well, as an experiment, I'm making it available as a PUBLIC course in Newtown, PA in February 7, 8 and 9.

This course starts with a half-day warm-up of Active Directory, managing users and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving in to the Group Policy waters.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory -- now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes for first half of 2006 (lots of date changes since the last newsletter. Sorry about that.):

Feb 7, 8, 9: Newtown, PA (Three day, "less-intensive" AD/GPO course). Newtown, PA is near Trenton, Philly, and other major metro areas.
Feb 21 - 22, 2006: San Antonio (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Feb 27 - 28, 2006: Portland, OR
Mar 2 - 3, 2006 : Atlanta, GA
Mar 15 - 16, 2006: Washington, DC
Mar 30 - 31: Sacramento, CA
Apr 20 - 21, 2006: Tulsa, OK (not Okla. City, as previously reported.)
May 15 - 16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Other Changes around GPanswers.com

In the last issue, I explained about our "mini-web overhaul." I'm trying to keep the new features coming so you can have the best Moskowitz, inc. / GPanswers.com / WinLinAnswers.com experience. New since last time:

  • The FAQ/Tips and Tricks area has even BETTER categories, which makes things easier to search
  • Did you know the GPanswers and WinLinAnswers community forums are RSS enabled?
    • The RSS feed for the GPanswers.com/community room is: https://www.gpanswers.com/community/rss.php
    • The RSS feed for the WinLinanswers.com/community room is: http://www.winlinanswers.com/community/rss.php
  • If you're not a big fan of RSS, you can get new posts on any given forum MAILED to you. I've been waiting FOREVER for this feature. You need to enable it for any and every forum you want to "watch". When any new post appears in the forum -- you get a little email summary. This is great for the Announcements forum, or any specific technical forum to make sure you don't miss a great question, or a great answer.

  • We're working on a global GPanswers.com search -- which should also be able to buzz through PDFs and all questions in the forums. Not there yet with this one, but stay tuned.

What's new from Microsoft?

Lots, actually! Microsoft has three new documents to help better understand GP. Well, the first one isn't really a "document" but rather a(nother) FAQ for GPOs. Yes, we have one here at GPanswers.com, but I guess it's okay that the boys in Redmond have their own too, right? :-)

Additionally, they released two documents to help you understand how Group Policy will change with Vista and Longhorn.

So, how do you find all these new resources? You could Google for hours and not find them! Of course, we have the links, right off our Microsoft Resources page. Just scroll to the bottom to check out the new docs.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who emails.

Thanks for reading!

Nov 2005
25

Issue#13


  • It's Issue 13 ... Do you feel lucky?
  • Technology Takeaway (r), a service of Moskowitz, inc.
    • Tips and tricks
      • Just one tip: Delegated permissions, the perils therein and how to pull back the reins
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Something new... Two Training Options: Intensive Two day and "Less Intensive Three Day"
    • Upcoming Public GP Classes for 2005 / 2006
  • What's new around GPanswers.com
  • Subscribe, Unsubscribe, and Usage Information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 13

It wasn't long since the last newsletter, but... when I get busy working on something that affects a lot of people, I want to make sure you get it ASAP!

I think you're really going to like this newsletter. It's HUGE and has *TONS* of graphics for this massive how-to. Don't be scared away by the "unlucky" number 13. Okay, so the big problem we tackle this month is large. The lucky part is that you found this newsletter, and will be well prepared to correct for it!!

After we talk about this, I'll give you an update on my 2006 Group Policy Class Schedule and talk about some other stuff.


Technology Takeaway, a service of Moskowitz, inc.

Delegation... the perils therein, and how to pull back the reins

One of the key things for your organization to get right is the proper balance of power. Specifically, you need to decide just who creates GPOs and who can link them to areas in Active Directory.

Sometimes, it's just the people in the Domain Admins group. That's fine, if that works for your organization. But if you're the only Domain Administrator, or, if there's only a handful of you, then managing Group Policy for hundreds or thousands of users could be a troubling, cumbersome task which you're always doing again and again. When there's something to be tweaked - you're the one who's called - every time.

Again, if you like it that way - that's great. I'm not proposing to take that away from you. However, if you want some helpers with your GPO comings and goings, then enter the magical world of Group Policy delegation.

The idea is simple: give someone else the rights to create GPOs in the domain, and you won't have to do it. Before you run away and say "My people can't handle this task!!" let's actually analyze this for a second.

First, you need to ask yourself, "Who knows my users best?" Sometimes, that is the Domain Administrator. Sometimes, however, it's the OU administrator, or even, perhaps, someone else. We'll call these people (whomever they are) "helper-administrators." For our definition, "helper-administrators" don't have Domain Administrator rights - they're just average Janes and Joes with some ability you've delegated to them.

When it comes to Group Policy implementation, one often-successful strategy is to get the power in the hands of the helper-administrators that are closest to the users. So, even though by default the only people who can create GPOs are Domain Administrators, you might want to re-consider and delegate the permissions such that other administrators (usually OU administrators with non-Domain Administrator powers) can also create GPOs.

Delegation 101

In this picture, you can see the basic procedure which permits people the ability to create new GPOs. First, click on the Group Policy Objects node. Then, click on the Delegation tab. Finally, click on Add (at the bottom of the page) and add in the user you want to delegate the ability to create GPOs.

Figure 1: Delegation to create new GPOs occurs at the Group Policy Objects node in the Delegation tab.

In this example, we'll anoint a helper-administrator, Nurse1, to create GPOs. Now, just because this helper-administrator can create GPOs doesn't mean they can actually do anything useful, like linking them somewhere. In other words, the simple fact that a GPO is created doesn't inherently mean it's doing anything or affecting anyone. For that, there's another Delegation tab, which you'll find at the level in Active Directory you want to delegate (for instance, domain or OU).

In this example, you can see the delegation tab at the Nurses OU.

Figure 2: The Delegation tab at the OU level determines who can link GPOs to this OU.

Now that the user Nurse1 can create GPOs, and link them to the Nurses OU, you've empowered this helper-administrator. The idea, again, is that this helper-administrator knows the user population very well, and has the proper knowledge of creating GPOs which (hopefully) won't "break stuff" (to use a technical term.)

However, there are some pitfalls in allowing a helper-administrator to do this. One fear that Domain Administrators (rightly) have is that these delegated helper-administrators can do bad, bad things. This is always a possibility, but then again, you wouldn't delegate someone to drive your Ferrari unless they took a lesson or two, right? (Subtle hint to get your Domain Administrators and OU admins into my highly acclaimed two-day Group Policy Intensive Training and Workshop class, but I digress).

It's very similar here; and as Domain Administrators, sometimes we have issues letting go. :) Let's put aside the specific fear of a helper-administrator messing something up inside a GPO and affecting users, and move on to a different sort of problem: that of a helper-administrator deliberately (or inadvertently) hiding the GPO from the Domain Administrator.

When Good Admins go Bad

Specifically, the person who creates the GPOs also owns the GPO as you can see in this picture.

Figure 3: Someone who is delegated the right to create a GPO also owns the GPO.

Because the helper-administrator user owns the GPO, they can basically do whatever they want to the GPO. The idea here is that you're granting someone you trust the ability to create GPOs and use them wisely. Hopefully, these helper-administrators will use the power wisely; but, sometimes, administrators are rogues (as Microsoft calls them) or jerks (as I call them).

Rogue-like (or Jerk-like) behavior could include changing the permissions on the GPO so even the Domain Administrator can't see the GPO. In this example, the helper-administrator has set the permissions on the GPO that she has access to as follows:

Figure 4: The helper-administrator has removed permissions from the Domain Administrator with an explicit Deny on all attributes

In other words, the Domain Administrator is denied access from even seeing the GPO. Now, when the Domain Administrator looks at the Group Policy Objects node in GPMC, the GPO is simply not listed because it is being hidden by the explicit Deny entries the Nurse put on the GPO.

Note, however, that where Nurse1 linked the GPO to a location in Active Directory, the link is still visible, though the GPO itself shows as Inaccessible, as seen below.

Figure 5: The GPO is now missing from the Group Policy Objects node in the GPMC. However, you can see an Inaccessible marker where it's been linked.

Depending on your perspective, this could be a problem.

On the one hand, the GPO is, in fact, working as advertised and nothing is technically wrong here. The Nurses will get the GPO applied to them and everything will continue functioning normally. The only problem is an unruly helper-administrator who is hiding his or her actions from the Domain Administrator. At this point, you can choose to do one of two things: nothing, or perform a Take Ownership on the GPO and put the power back into your hands.
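As an added example (not from the article, and not a Microsoft tool), the following PowerShell audits a domain for exactly the condition just described: GPO GUIDs that are referenced by a gPLink but that a Domain Admin can no longer enumerate (the "Inaccessible" marker), plus GPCs and their SYSVOL GPT folders that carry explicit Deny ACEs against admin groups or are owned by someone other than the usual admin groups. It assumes the ActiveDirectory module (RSAT) is installed and that it runs as a Domain Admin on a domain-joined machine; the function and finding names are my own.

```powershell
# Added example, not part of the original article: audit for "hidden" GPOs.
# Assumes the ActiveDirectory module (RSAT) and a Domain Admin on a domain-joined
# machine. Finding names (LinkedButUnreadable, ExplicitDeny, ...) are invented here.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$domainDN   = $domain.DistinguishedName
$netbios    = $domain.NetBIOSName
# Principals that normally own and fully control GPOs; anything else is worth a look.
$adminNames = @("$netbios\Domain Admins", "$netbios\Enterprise Admins", 'BUILTIN\Administrators')

function New-Finding($gpo, $finding, $detail) {
    [pscustomobject]@{ Gpo = $gpo; Finding = $finding; Detail = $detail }
}

function Get-LinkedGpoGuids {
    # Every GPO GUID referenced by a gPLink on the domain root or an OU, with the DNs
    # that link it. (Site links live in the configuration NC and are not covered.)
    $guids = @{}
    Get-ADObject -SearchBase $domainDN -LDAPFilter '(gPLink=*)' -Properties gPLink |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($m in [regex]::Matches($_.gPLink, '\{[0-9A-Fa-f-]{36}\}')) {
                $g = $m.Value.ToUpper()
                if (-not $guids.ContainsKey($g)) { $guids[$g] = @() }
                $guids[$g] += $dn
            }
        }
    $guids
}

function Get-ReadableGpcs {
    # Only GPCs we are allowed to list come back. An explicit Deny on Read for our
    # groups hides the GPC from this query just as it hides it from GPMC.
    Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDN" `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, gPCFileSysPath, nTSecurityDescriptor
}

function Get-AdminDenyAces($acl) {
    # Explicit (non-inherited) Deny ACEs aimed at one of the admin principals.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
        ($adminNames -contains $_.IdentityReference.Value)
    }
}

function Get-GpoAclFindings {
    $findings = @()
    $linked   = Get-LinkedGpoGuids
    $gpcs     = @(Get-ReadableGpcs)
    $readable = @{}
    foreach ($gpc in $gpcs) { $readable[$gpc.Name.ToUpper()] = $gpc }

    # 1. Linked but not enumerable: what GPMC shows as "Inaccessible" under the link.
    foreach ($g in $linked.Keys) {
        if (-not $readable.ContainsKey($g)) {
            $findings += New-Finding $g 'LinkedButUnreadable' ('Linked at: ' + ($linked[$g] -join '; '))
        }
    }

    # 2. For GPCs we can read, inspect owner and Deny ACEs on both halves.
    #    An owner that shows as a raw SID string is also reported as NonAdminOwner.
    foreach ($gpc in $gpcs) {
        $name  = if ($gpc.displayName) { $gpc.displayName } else { $gpc.Name }
        $gpcSd = $gpc.nTSecurityDescriptor
        if ($gpcSd) {
            if ($adminNames -notcontains $gpcSd.Owner) {
                $findings += New-Finding $name 'NonAdminOwner' "GPC owner: $($gpcSd.Owner)"
            }
            foreach ($ace in Get-AdminDenyAces $gpcSd) {
                $findings += New-Finding $name 'ExplicitDeny' "GPC: $($ace.IdentityReference) denied $($ace.ActiveDirectoryRights)"
            }
        }
        try {
            # gPCFileSysPath is the UNC path of the GPT folder in SYSVOL.
            $gptAcl = Get-Acl -Path $gpc.gPCFileSysPath -ErrorAction Stop
            if ($adminNames -notcontains $gptAcl.Owner) {
                $findings += New-Finding $name 'NonAdminOwner' "GPT owner: $($gptAcl.Owner)"
            }
            foreach ($ace in Get-AdminDenyAces $gptAcl) {
                $findings += New-Finding $name 'ExplicitDeny' "GPT: $($ace.IdentityReference) denied $($ace.FileSystemRights)"
            }
        } catch {
            # SYSVOL folder denied or missing: the GPT half was tampered with or is orphaned.
            $findings += New-Finding $name 'GptUnreadable' $_.Exception.Message
        }
    }
    $findings
}

Get-GpoAclFindings | Sort-Object Gpo, Finding | Format-Table -AutoSize
```

Note that the default GPT owner is Administrators while the default GPC owner is Domain Admins, so the two halves having different owners is normal and is deliberately not reported.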

Reclaiming the Fort: Taking Ownership

Let's examine what it takes to Take Ownership of a GPO as a Domain Administrator and restore the GPO back to health. First, the Group Policy Objects node in the GPMC is a representation of the two halves of a GPO: the GPC (the part that lives in Active Directory) and the GPT (the part that lives in the SYSVOL). To restore the GPO, we need to take ownership of both halves.

Let's first examine how to take ownership of the GPC part, because this is the part that controls visibility of the GPO in GPMC.

To do this, we need to go back to the old-school way we used to manage GPOs: Active Directory Users and Computers. To get started, you need to view Advanced Features as seen here in Active Directory Users and Computers.

Figure 6: To dive in and see the GPC, we need to enable Advanced Features in Active Directory Users and Computers.

Once Advanced Features is enabled, you can dive down into the GPC part of the Group Policy. You do this by diving into System | Policies and looking for the GUID of the GPO object that currently has the problem. What's interesting in this view is that you cannot see the GUID of the GPO in the left pane, but only in the right pane, listed as Unknown.

Figure 7: Inaccessible objects show up in the right pane as Unknown.

When you go to the properties of this object and click the Security tab, you'll see the error message in Figure 8 below.

Figure 8: The ACL editor forbids you, the Domain Administrator, from seeing the permissions because you are expressly Denied.

From this point, you might be tempted to give the Domain Administrator, say, Full Control rights. But, if you try it, it won't work. What you really need to do first is to take ownership of the object.

Figure 9: You need to select the Administrators group as the new owner and select Apply.

Unfortunately, once you've taken ownership of the object, you cannot immediately give the proper permissions back to the object. You need to close the ACL editor, and then right-click on the GPC portion again and select Properties | Security. Only now can you actually change the permissions.

Figure 10: To fix the GPC portion, click Full Control | Allow for the Domain Admins group

Taking Ownership of the GPT

Once you've granted Domain Admins Full Control over the GPC again, you're about halfway finished. Again, all you've fixed is the GPC. Now, it's time to dive into the GPT and perform the same Take Ownership tasks.

The GPT part of a GPO lives on every Domain Controller, typically in the \windows\sysvol\sysvol\{domain-name}\policies directory on the system drive. (Yes, that's two sysvol directories.) Inside this directory are directories for each GPO's GPT. In my example here, my GPT has a GUID starting with 0f8D1AD2 (as seen in Figures 7, 8, and 10 among others). So, we need to locate that directory and take ownership of it in the same way we did with the GPC. You can see this in Figure 11.

Figure 11: Take ownership of the file-based GPT the same way you did with the Active Directory based GPC.

Once you've taken ownership, you'll have to (again) exit the ACL editor and re-enter it. Then, ensure that Administrators have Full Control, similar to the way you did with the GPC. Note that in this case the default permissions should automatically set Administrators (not Domain Admins) to Full Control.

The Final Fixeroo

If you go back to the GPMC now and refresh the Group Policy Objects node, you will see the previously-hidden GPO. However, when you click on it, you might get a message similar to what is seen in Figure 12.

Figure 12: The GPMC recognizes that permissions are amiss between the GPC and GPT.

This is exactly the gift we wanted! Clicking OK will copy the permissions from the GPC over to the GPT. However, the bad news is that you might not actually get this message! If you don't get this message, you have to manually kickstart permissions synchronization between the GPC and GPT.

To do this, click on the Delegation tab of the GPO and click the Advanced button. When you do, you're able to edit the actual ACLs of the GPO, which should (simultaneously) affect both the GPC and GPT. Make a change (any change) and apply it, even if it's something temporary. For instance, add a new user and grant that user Read access, apply that change, and then remove that user. The point is to make any change at all: when you do, the GPMC writes the ACLs to both the GPC and GPT.

Now they're in sync, and now you've fixed the problem.

Figure 13: Make a change, any change (and apply it). When you do, the GPC and GPT will be simultaneously adjusted to reflect the ACL change.
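Here is the same two-halves repair, plus a quick check for GPOs that have dropped out of the GPMC, as an added PowerShell example that is not part of the newsletter. It leans on the later ActiveDirectory and GroupPolicy modules and the dsacls, takeown and icacls command-line tools instead of the ADUC and Explorer dialogs shown above; the GUID, the throwaway principal and the SYSVOL paths are assumptions, and it must be run elevated as a Domain Admin on a Domain Controller.

```powershell
# Added example, not the newsletter's own code. Assumes an elevated Domain Admin
# session on a DC with the ActiveDirectory and GroupPolicy modules installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Detection: a GPO whose GPC denies Domain Admins drops out of the GPMC (and of
# Get-GPO -All) while its GPT folder stays in SYSVOL. Report GUIDs seen only there.
function Find-HiddenGpo {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $visible = @((Get-GPO -All -Domain $Domain).Id)
    Get-ChildItem "\\$Domain\SYSVOL\$Domain\Policies" -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' -and
                       ([guid]$_.Name) -notin $visible } |
        Select-Object -ExpandProperty Name
}

# Repair: take ownership of both halves, grant Full Control, then have the GPMC
# rewrite the ACL so the GPC and GPT agree again.
function Repair-HiddenGpo {
    param(
        [Parameter(Mandatory)][string]$GpoGuid,       # e.g. '{0F8D1AD2-...}' (placeholder)
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [string]$TempPrincipal = 'Domain Computers'   # placeholder: a group with no rights on the GPO
    )
    $ad        = Get-ADDomain -Identity $Domain
    $guid      = '{' + $GpoGuid.Trim('{}') + '}'
    $gpcDn     = "CN=$guid,CN=Policies,CN=System,$($ad.DistinguishedName)"
    $gptDir    = "\\$Domain\SYSVOL\$Domain\Policies\$guid"
    $domAdmins = "$($ad.NetBIOSName)\Domain Admins"

    # 1. GPC half (Active Directory). Ownership must come first: while the Deny
    #    ACE stands, a direct permission grant is refused.
    dsacls $gpcDn /takeownership | Out-Null
    dsacls $gpcDn /G "${domAdmins}:GA" /I:T | Out-Null   # GA = Full Control

    # 2. GPT half (SYSVOL). /A hands ownership to the Administrators group.
    takeown /F $gptDir /A /R /D Y | Out-Null
    icacls $gptDir /grant 'BUILTIN\Administrators:(OI)(CI)F' /T | Out-Null

    # 3. The Delegation-tab trick: an ACL change made through the GPMC is written
    #    to both halves. Grant Read to a throwaway principal, then take it away.
    Set-GPPermission -Guid $guid -Domain $Domain -TargetName $TempPrincipal `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
    Set-GPPermission -Guid $guid -Domain $Domain -TargetName $TempPrincipal `
        -TargetType Group -PermissionLevel None | Out-Null

    # Both owners, so the result can be checked at a glance.
    [pscustomobject]@{ Gpo      = $guid
                       GpcOwner = (Get-Acl "AD:\$gpcDn").Owner
                       GptOwner = (Get-Acl $gptDir).Owner }
}
```

Run Find-HiddenGpo first to list candidate GUIDs, then Repair-HiddenGpo on each one and confirm it reappears in the GPMC.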

Moral of the Story

Delegation is a very good thing if you trust the people to whom you're delegating. You can't cover every base, however, and some helper-admins are just going to be jerks. For that reason, this tutorial on how to restore permissions on hidden GPOs will help you know how to take back control.

SPECIAL THANKS to Darren Mar-Elia, CTO for Infrastructure Management Solutions at Quest Software, and operator of GPOguy.com for helping work out this problem with me.


Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and a whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Now available: Private GP Course in "Less Intensive" format

Everyone knows the two-day Group Policy course is really three days of material packed in to two intensive days. However, some customers have asked for a "Less Intensive" format.

Your wish has been granted!

This course starts with a half-day warm-up on Active Directory, managing users, and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.

This "Three-day Less Intensive" option is ONLY available as a private course. Note, the "Two-day Intensive" option is available as either a private or public course.

Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory -- now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes remaining in 2005:
Dec 13 - 14, 2005: Minneapolis (Bloomington), MN (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)

Classes for first half of 2006:
Jan 16 - 17, 2006: Philly / Berwyn, PA (moved from Nov 2005) (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Jan 24 - 25, 2006: Sacramento, Ca
Jan 26 - 27, 2006: Portland, OR
Feb 21 - 22, 2006: San Antonio (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Mar 2 - 3, 2006 : Atlanta, GA
Mar 15 - 16, 2006: Washington, DC
Apr 20 - 21, 2006: Oklahoma City, OK
May 15 - 16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: www.gpanswers.com/live-class
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services and Product Support Services teams at Microsoft!

For a public class, sign up online at: www.gpanswers.com/online-class
For a private class, just contact me at [email protected] or call me at 302-351-8408.  

Other Changes around GPanswers.com

We've had a mini-web overhaul lately. It might not look a whole lot different, but there are a lot of things here and there that have changed.

  • There is no more "downloads" section off the main page. The downloads that were there were moved to the FAQ/Tips and Tricks
  • Speaking of the FAQ/Tips and Tricks area, the Tips and Tricks are now in categories, which makes things easier to search
  • The book downloads (and any updates) are now centrally located right off the main page. It's now called "GP Book Resources"
  • We came up with a way to be able to click on any graphic and have it pop-up to full page view. We're working on backfilling all Tips and Tricks, Solutions Guide, and other areas which have scaled-down graphics to enable pop-ups to full size.
  • We're working on a global GPanswers.com search -- which should also be able to buzz through PDFs and all questions in the forums. Not there yet with this one, but stay tuned.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!