MDM & GP Tips Blog

Sep 2005
04

Issue#11

In this issue:

  • It's Issue 11 ... So much news, I can't take it!!
  • Big News Item #1: Updated Group Policy Book!
  • Big News Item #2: A New Book and a New Website for Windows/Linux Integration!
  • GPanswers.com "Suggest a City" a Success
  • Group Policy Intensive Training and Workshop Schedule Update
  • Technology Takeaway (r), a service of Moskowitz, inc.
    • Three juicy tips and tricks
  • Upcoming Conferences, Appearances, and Classes
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, Unsubscribe, and Usage Information

Moskowitz, inc. and www.GPanswers.com -- Issue 11

There's so much news, I simply don't know where to begin.

First, however, I want to welcome about 100 new people since the last newsletter, which went out only about three weeks ago.

I got to meet a lot of great people in my own home town of Wilmington, DE at a Microsoft / TS2 event.

People here are downright excited about Windows Server Update Services (WSUS), and specifically, how an admin can use GPOs to control WSUS even more granularly than the older Software Update Services (SUS).

We'll address some of those issues in this newsletter, right after we announce all these goodies!

Big News Item #1: Updated Group Policy Book!

I have a Third Edition of my popular Group Policy book (Group Policy, Profiles and IntelliMirror) coming out THIS MONTH (September).

What's more -- you can pre-order a SIGNED COPY!

In this edition, we're building on the last, but adding in the bits and pieces for Windows 2003 / SP1 and Windows XP / SP2.

And, since I cannot leave well enough alone, there are lots of little adjustments and improvements throughout. Here are the TOP 12 things that have been updated since the previous edition...

  1. More "prescriptive guidance" is peppered throughout the book, based on additional experiences over the years.
  2. In the last book, I tested using XP/SP2 *BETA*. I made educated guesses how XP/SP2 *WOULD react*. This time, I made sure.
  3. We had Kevin Sullivan, a fellow Enterprise Mobility MVP, as the Technical Editor and reviewer. That means additional assurance of technical accuracy in all areas of the book.
  4. We give guidance about how to deal with XP/SP2's built-in firewall. Because some aspects of Group Policy won't work with the firewall enabled, we give specific guidance on how to deal with this feature.
  5. We've added clearer guidance on what happens during backup and restore operations.
  6. We've added more troubleshooting guidance.
  7. We've added more guidance on how to ensure that you can "see" all the settings for XP/SP2 and Windows Server 2003 / SP1.
  8. We fully cover the Windows Server 2003 / SP1 "Security Configuration Wizard." Specifically, we demonstrate how to make your servers more secure via Group Policy. This is a really big addition for this edition.
  9. We've included some newly updated information regarding Windows Installer 3.0.
  10. ALL of the URLs are "tiny" now. Not a big deal, but now you're not typing in 300 characters for a URL to Microsoft.
  11. We've addressed a notorious quirk when dealing with GPOs. Have you ever had to press "OK" 52 times when editing a GPO? This is "The Retroactive Bug That Ate New York." In this new edition, we squash this bug with a rock.
  12. And last but certainly not least, there are lots of little things that have been clarified, fixed, adjusted, and generally made better.

Oh, and all the web downloads will be updated (really soon!). We've gone through the effort to document every single Group Policy Setting and made these available. Again, stay tuned for updated web downloads just as soon as the publisher releases them!

So, the big question that I'm sure you have is: "Do I NEED this edition?" It's a tough call, because the book DID NOT go through a MAJOR re-write like it did from the First Edition to the Second Edition. Here's what's the same:

  • All chapters from the Second Edition are here again in the Third Edition.
  • The book has the same cast of characters.
  • The book has the same "flow" and the same holistic approach.
  • The scripting chapter is 100% unchanged. (It's the only untouched chapter in the book, though.)
  • In short, it really is the same book.

So, again, the question is: "Do I NEED this edition?"

I know it's not easy forking over your hard-earned dough to get a copy of a book that's, well, very similar to the previous edition. So, how can you make the best decision? Here's my take on it...

  • If you're rolling out XP/SP2 and Windows Server 2003/SP1, I'd say Yes, this new edition is for you. Again, I updated the book expressly for this purpose. And, while I was here, I cleaned up anything I wasn't 100% happy with.
  • If you're NOT rolling out XP/SP2 and/or Windows Server 2003/SP1, then just the "bug fixes" alone aren't worth plunking down the dough to get a copy. The bad news, however, is that the book's "bug fixes" alone are not available as a download on GPanswers.com. This is because there really were too many pages changed between this edition and the last.

Hopefully, that makes sense, and gives you some direction on whether or not you should get the updated edition.

-If you want a signed copy ($45, includes shipping), the place is www.GPanswers.com/book
-If you want a cheaper copy from Amazon ($32.99), the place is: http://www.amazon.com/exec/obidos/tg/detail/-/0782144470 (For some reason, the cover image says "Second Edition," but I assure you that it's the "Third Edition.")
-If you want an even cheaper copy, from Bookpool ($31.50), the place is: http://www.bookpool.com/sm/0782144470 (Again, for some reason the cover image says "Second Edition," but I assure you that it's the "Third Edition.")

Big News Item #2: A New Book and a New Website for Windows/Linux Integration!

I know, I know. I can hear you from here ... "Whaaa? Jeremy, I thought you were the Group Policy dude. I didn't think you did that 'Linux thing.'" Well, I do.

It's interesting, exciting, and coming to an IT shop near you. And you'd better be prepared for it.

There are plenty of books you can get that try to describe how to "walk away" from your Windows investment and ... blink! ... go 100% Linux.

But there are two problems with the "walk away from Windows" idea:

  • First, it's often not possible. That is, there is a good chance you will always have Windows applications that run your business. And they might never be able to run natively on Linux.
  • Second, it's simply not realistic. Assuming every application could be re-coded for Linux, you've already got a lot invested in Windows desktops, applications, architecture, training, personnel, and more.

And yet, Linux offers undeniable advantages of its own. Compelling open-source applications, like the Apache web server and the MySQL database engine, are available today and will continue to appear. And the option of running these applications on an open-source operating system presents undeniable cost advantages. Yes, Linux has its own costs, such as re-training users and administrators familiar with Windows. But the presence of Linux in your business can save money and solve problems today.

In short, neither Windows nor Linux is leaving this planet (or the datacenter) any time soon. And for that reason, it's more important to be able to cooperatively utilize what "the other guy" has to offer, instead of trying to punch his lights out.

My new book is entitled:

Practical Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

And, along with a book, I'm launching a new web site: www.WinLinAnswers.com
WinLinAnswers.com is similar to GPanswers.com. It has:

  • Its own newsletter
  • Its own community forum
  • Its own downloads (many, many downloads for the book)
  • Its own links and other resources
  • Coming soon, its own Win/Lin Integration Training course
  • And more...

It shares the same look and feel as GPanswers.com and shares the same "Where is Jeremy?" calendar that runs along the right-hand side.

For the record ... No, no, no! I'm NOT abandoning GPanswers.com for other pastures. I am not going to stop living and breathing Group Policy. I'm simply expanding a little bit and hope you'll join me for the ride.

For now, if you want to receive Win/Lin updates, you'll have to specifically sign up for THAT newsletter at www.WinLinAnswers.com/newsletter.

(For the record, I may change my mind in the future and go to one unified newsletter. But for now, they're separate.)

You can find out more and pick up a signed copy of the new Windows / Linux Integration book at www.winlinanswers.com/book.

GPanswers.com "Suggest a City" a Success

People are using the new "SUGGEST YOUR OWN CITY" service. The idea is for YOU to tell ME where you want a Group Policy class.

Simply click on the workshop page and find the link to SUGGEST YOUR OWN CITY.

Or, go directly to www.GPanswers.com/suggest

Once we get 5-7 interested people in the same city, we've got a class!

Maybe your city is already listed? Check it out and add your suggestion. (It takes, maybe, 10 seconds.)  

 

Group Policy Intensive Training and Workshop Schedule Update

Learn more and sign up at: https://www.gpanswers.com/workshop
-or-
Suggest your own city at https://www.gpanswers.com/suggest  

 

Technology Takeaway (r), a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

Q. Can I upgrade from SUS to WSUS?

A. Before we get into upgrading SUS to WSUS, there's good news. If you're still on SUS, Microsoft is providing 6 more months of support. That's a good idea ... because getting to WSUS could take a while. I suggest that if you're working with SUS and want to move to WSUS, you should check out this resource: TechNet Webcast: Migration from Software Update Services to Windows Server Update Services (Level 300)

About the talk (Copied from Microsoft's website):

Marc Shepard, Program Manager, Microsoft Corporation

Many customers today use Software Update Services (SUS) to deploy Windows updates across their businesses. During this session, which was highly rated when presented at TechEd 2005 in Orlando, Florida, as MGT350, learn how to upgrade from SUS to Windows Server Update Services, the next version of SUS, to reap the benefits of the enhanced capabilities and broadened application support. Learn best practices and pitfalls to watch out for to help you upgrade seamlessly.

TIP 2

Q. Are there any bugs in the GPMC that you know about?

A. The "GPMC with SP1" has been out for some time, and it squashed lots of the remaining bugs. But not all. Here's one I know of...

If you select a GPO link in the GPMC, select the 'Details' tab, and set the GPO status to 'All settings disabled', the link itself will grey out, but the actual GPO doesn't.

So is it disabled or not?

Actually, it is. Just right-click on the domain name and select Refresh, and the icon will grey out.

Ok, it's not really a tip, but it is something to keep in mind!

TIP 3

Q. How can I script ... ?

A. There are just a GAGGLE of Group Policy goodies waiting for you on your scripting adventure. They are located in a 'scripts' folder in the installation folder of the GPMC.

Samples include a script to back up all GPOs (handy if you want to schedule the backup), a script to find unlinked GPOs, a script to copy a GPO. And lots more. Check 'em out!

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances. So, check it out any time for up-to-date information!  

Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes. These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.
For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)  

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

SPECIAL THANKS

I want to say "thanks" for a killer book review from one of our subscribers, "AVero".

The review was originally posted here.

but is also posted on GPanswers.com here.

Pick one if you're interested in reading it. Thanks again!

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. If so, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Aug 2005
05

Issue#10

In this issue:

  • It's Issue 10... Wow.. the big 10 !
  • GPanswers.com Growth Spurt
  • Moskowitz, inc. Technology Takeaway®
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information

Moskowitz, inc. and www.GPanswers.com -- Issue 10

I love it when new people come to my class and they say ..."I think I'm on your newsletter list, but I've never seen one."

Well, the idea is that this newsletter comes out "Whenever I feel like it."

And I feel like it again!

As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

GPanswers.com Growth Spurt

Here's a little collection of updates and facts about GPanswers.com:

  • We have 606 Community Forum Members
  • We have 1,966 newsletter recipients
  • We have seven sponsors and freeware vendors in the Group Policy Solutions Guide. There are more tools than ever in the "GP Solutions Guide." So, be sure to click on the GP Solutions Guide off the main page to check it out!
  • I now have a "Jeremy's GP Resources" section of the website. It's a collection of all articles I've ever published on Group Policy and related bits.
  • I've installed Google Adsense in the forum. Before you throw rotten eggs and think I sold out to "The Man," this turns out to be a huge benefit. Adsense is sometimes smart enough to actually advertise solutions to problems people are actually having. So, please view this as a service while inside the forums. If you end up hating this, do let me know. (Though I do think it looks pretty unobtrusive.)
  • New "SUGGEST YOUR OWN CITY" service. Simply click on the workshop page and find the link to SUGGEST YOUR OWN CITY. Or, go directly to www.GPanswers.com/suggest. Once we get 5-7 interested people in the same city, we've got a class! This is still in beta, but hopefully will help us all out!

     

Technology Takeaway (r), a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

Q. Can I disable the Startup Splash Screen in Adobe Acrobat Reader 7?

A. Yes you can. We've just added a custom adm file in our Tips section at GPAnswers.com. Thanks to Dan Thomson and Neil Toepfer for your help and support.

TIP 2

Q. I just added a custom ADM file (from GPanswers.com or from elsewhere), but when I edit the GPO, I can't actually *SEE* any of the settings. What's going on?

A. Chances are the ADM settings are _Preferences_, not _Policies_. You will know this for sure if the icon before the setting has a red dot on it, and not a blue dot. In the Group Policy Object Editor, you need to click the View menu and choose Filtering. In the Filtering dialog box, you'll need to clear the last checkbox, which says "Only show policy settings that can be fully managed." And there you go! Your settings automagically appear!

Unfortunately the filtering setting is not saved when you close out the Group Policy Object Editor, so you need to un-select it every time.

If anyone has figured out a way around this, please let Ron, our tip guy, know!
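Whether a custom ADM setting survives that filter depends on where it writes: the editor counts a setting as a managed policy only when its registry key sits under `Software\Policies` or `Software\Microsoft\Windows\CurrentVersion\Policies`. The Python script below is an added example (not from GPanswers.com or any vendor) that reads an ADM template and labels each POLICY block as a policy or a preference before you import it. The sample template, its key names and the function names are constructed for illustration, and the parser assumes only the CLASS, CATEGORY, POLICY, PART, KEYNAME and VALUENAME keywords matter.

```python
import re

# Registry subtrees (relative to the hive chosen by CLASS USER / CLASS MACHINE)
# that the Group Policy editor treats as managed policy locations.
POLICY_ROOTS = (
    "software\\policies",
    "software\\microsoft\\windows\\currentversion\\policies",
)
BLOCKS = ("CATEGORY", "POLICY", "PART")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def is_policy_key(keyname):
    """True if keyname is one of the policy subtrees or lies beneath one."""
    key = keyname.strip("\\").lower()
    return any(key == r or key.startswith(r + "\\") for r in POLICY_ROOTS)


def _effective_key(stack):
    """KEYNAME is inherited: use the innermost enclosing block that sets one."""
    for frame in reversed(stack):
        if frame["key"]:
            return frame["key"]
    return None


def classify_adm(text):
    """Return one dict per POLICY block: class, name, keys written, kind."""
    results, reg_class, stack = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or ADM comment
            continue
        tok = [quoted or bare for quoted, bare in _TOKEN.findall(line)]
        word = tok[0].upper()
        arg = tok[1] if len(tok) > 1 else None
        if word == "CLASS" and arg:
            reg_class = arg.upper()
        elif word in BLOCKS and arg is not None:
            stack.append({"kind": word, "name": arg, "key": None, "used": set()})
        elif word == "KEYNAME" and arg and stack:
            stack[-1]["key"] = arg
        elif word == "VALUENAME" and stack:
            # Charge the value to the enclosing POLICY under the inherited key.
            key = _effective_key(stack)
            owner = next((f for f in reversed(stack) if f["kind"] == "POLICY"), None)
            if owner is not None and key:
                owner["used"].add(key)
        elif word == "END" and arg and stack and stack[-1]["kind"] == arg.upper():
            frame = stack.pop()
            if frame["kind"] != "POLICY":
                continue
            fallback = _effective_key(stack + [frame])
            keys = sorted(frame["used"] or ({fallback} if fallback else set()))
            if not keys:
                kind = "unknown"
            elif all(is_policy_key(k) for k in keys):
                kind = "policy"
            else:
                kind = "preference"                # hidden by the default filter
            results.append({"class": reg_class, "name": frame["name"],
                            "keys": keys, "kind": kind})
    return results


# Constructed sample template (not a real vendor ADM file).
SAMPLE_ADM = r"""
CLASS USER
CATEGORY "Example Reader"
  KEYNAME "Software\Example\Reader\Startup"
  POLICY "Hide splash screen"
    VALUENAME "bShowSplash"
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 1
  END POLICY
END CATEGORY
CATEGORY "Example Managed"
  KEYNAME "Software\Policies\Example\Reader"
  POLICY "Disable updates"
    VALUENAME "bUpdater"
  END POLICY
  POLICY "Cache settings"
    PART "Cache folder" EDITTEXT
      KEYNAME "Software\Example\Reader\Cache"
      VALUENAME "Path"
    END PART
  END POLICY
END CATEGORY
"""

if __name__ == "__main__":
    for item in classify_adm(SAMPLE_ADM):
        print(f'{item["kind"]:<10} {item["class"]:<8} {item["name"]}  {item["keys"]}')
```

Anything reported as a preference writes outside the policy subtrees, so its value stays in the registry after the GPO stops applying and has to be reverted explicitly.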

TIP 3

Q. Can I copy the settings from a GPO to another GPO? (From our FAQ)

A. The easiest way to do this is to make a copy of the original GPO, and rename it. Then you will have a new GPO with all of the settings of the original. To do this, open the GPMC and drill down to the Group Policy Objects node. Right-click over the GPO you want to use, and select Copy. Then, immediately select Paste. It will create a new GPO named "Copy of {oldname}". Simply rename it what you wish, and you're in business!

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com)

I have a neat-o calendar that I'm always updating with any public (and private) appearances.

So, check it out any time for up-to-date information!  


HIDDEN EASTER EGG PART OF THE NEWSLETTER

You made it to the end of the newsletter... So, goodies await you!

WS03/SP1 Blocker Tool Available

In the same way that XP/SP2 could be blocked from Automatic Updates, so too can WS03/SP1. If you want to roll out WS03/SP1 on YOUR SCHEDULE, and not automatically accept it via Automatic Updates, I highly suggest you read this FAQ. The link to download the actual tool is found in the little gray box on the page on the right.

Another Group Policy Perspective

My pal Mark Russinovich had an interesting thought or two on Group Policy recently. A very interesting read. It echoes a similar statement I make all the time: if your users are local administrators, you could be in for a world of hurt.


Aug 2005
04

Issue#9

In this issue:

  • It's Issue 9... Whaaa? I just saw issue 8?
  • Moskowitz, inc. Technology Takeaway (r)
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
    • Classes and seminars
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information

Moskowitz, inc. and www.GPanswers.com -- Issue 9

Okay, okay.. I know we JUST had a newsletter. But, sometimes there's more news! Again, this newsletter comes out "Whenever I feel like it." And I feel like it!

So... In this newsletter, I've got good news... Yes, this is a full newsletter -- with tips and tricks and fun stuff for you.. It's all here!

As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

How can I hide drives from my users?

Out of the box, Group Policy allows you to hide a few drives from your users, but what if you want to hide a drive such as 'N:'?

We've got ya' covered! Check out our tip (with screenshots!). It explains a neat tool called GPDriveOptions, available here, that will let you select any drive letters you want!

Then, in no time flat -- you're restricting specific drive letters!

TIP 2

How can I set the size limit for Temporary Internet Files in Internet Explorer?

Yizhar Hurwitz, MVP, has created a great custom ADM file that will not only allow you to set the size limit for the cache, but also set its location, and enable automatic emptying of the cache when the browser is closed.

You can find it in our tips section!

TIP 3

Have you ever wondered if you could download the most current, or any previous version of the ADM files? Well you can!

Microsoft's Download Center has a page where you can download ANY version of a set of ADM files since their release.

You can find them here!

Thanks to Ron Hrehirchuk, the "GPanswers Tip Man" for compiling this newsletter's tips and putting them on the web page for all of us to use!  

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances.

So, check it out any time for up-to-date information!

 


HIDDEN EASTER EGG PART OF THE NEWSLETTER

Fun Free Thing I Found at TechEd

Word on the street says this disk defragmenter really does the job. And the price is right! Haven't tried it myself, but, like I said, sounds interesting.


Jun 2005
01

Issue#8

In this issue:

  • It's Issue 8...
  • GPanswers.com -- Update !
  • Moskowitz, inc. Technology Takeaway (r)
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information

Moskowitz, inc. and www.GPanswers.com -- Issue 8

Welcome to issue 8 of the Moskowitz, inc. newsletter.

Spring is here.. heck it's almost summer. And that means all sorts of good stuff is happening. As I write this, I'm at the Red Hat conference, which is pretty good, and not totally filled with Microsoft bashing. Indeed, the Red Hat folks really have a "Let's play nice" attitude with regards to Microsoft. Refreshing !

What am I doing here, at the RED HAT conference, you ask? It has to do with "Jeremy's Next Big Thing", which I'll discuss (hopefully) in the next newsletter.

In this newsletter, I've got updated class dates, some fun new tips and tricks, and more. As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

 

GPAnswers.com News!

We now have a working "Group Policy Solutions Guide" on GPanswers.com. The goal is to give you a one-stop-shop for 3rd party tools which snap in to Group Policy.

Just click "Third Party Solutions Guide" after you click over to GPanswers.com to check it out! We have five sponsors (yay, sponsors!) and we also give free listings to free tools.

So, if you know of any free tools that hook into Group Policy -- let me know about it! If it's a free tool, it gets a free listing!

Again, check out the tools we have today!

Group Policy Intensive Training and Workshop

Learn more and sign up here! (Don't forget to scroll all the way to the bottom of that page and locate your city!)

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

We just had to fire one of our desktop administrators. The only problem is -- he knew the local Administrator password for all of our desktop machines. How can I change all computers' local passwords?

Answer 1

This free tool looks very promising. It looks like it's been around a long time, but, hey -- what the heck! Give it a shot !

TIP 2

I'm looking for some "Plain English" definitions of events in my Event Log. Any idea where to find that?

Answer 2

Yes! My pal Randy Franklin Smith has just the resource. It's literally called "Plain English Explanations of Windows Security Log Events." Check it out! And be sure to say Hi to Randy !

TIP 3

I'm doing some testing as a user. But, we have restricted all sorts of things. How can I temporarily log in as a user, but strip away all GPOs?

Answer 3

Killpol to the rescue! This tool asks for credentials, then lets you kill policies (temporarily) for a logged in user. Really handy when you need it!

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances.

So, check it out any time for up-to-date information!

 

Classes and Seminars
Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.
For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

Useless Time Waster

Go here. (Don't ask.) In a nutshell, I drink a LOT of Snapple, and one of my best friends noticed. Any Java enabled web browser will do. Trust me, you won't be disappointed.

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. If so, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go). For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Feb 2005
20

Issue#7

In this issue:

  • It's Issue 7...
  • Moskowitz, inc. Technology Takeaway®
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
    • Free live events
    • Classes and seminars
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Even more good stuff!
  • Subscribe, unsubscribe, and usage information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 7

Welcome to issue 7 of the Moskowitz, inc. newsletter.

It's just cold cold cold where I live, and that's no fun. But, thankfully, I get to travel a bit to San Francisco and Los Angeles and a bunch of other warm places before the winter is up.

In this newsletter, I've got updated class dates, some fun new tips and tricks, and more. As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

Also, I'd like to announce that I have a "Full Time Tips Man" helping out at GPanswers.com. It's Ron Hrehirchuk, who knocks out questions in the forum and does a lot of work getting the FAQ/Tips and Tricks section looking great! If you want to help add to the FAQ / Tips and Tricks section, the best way is to post a message inside the Community forum here. (Note that you must register for the forum to post.)

Thanks Ron, for all you do!  
 

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks
TIP 1/Question 1

I've been asked this question three times this month, so it must be on people's minds.

"Jeremy, can you explain to me why I might want to put users and computers into separate OUs? We're debating how to implement our OU structure with regard to Group Policy. Any advice you have here would be helpful."

I've never been asked the same question three times in a month. Here's the scoop... Segmenting users and computers into different OUs is, first and foremost, a Microsoft Best Practice. And, it's a Best Practice for a good reason.

Here are three good reasons to separate users and computers into different OUs:

  • Easier troubleshooting
    • When users and computers are separated into different OUs, you can more easily figure out what's going on when you run Resultant Set of Policy tools (i.e., GPRESULT, or the Group Policy Results Wizard in the GPMC.) You'll know precisely which GPOs are affecting the OU. True, you'd see this anyway, but by segmenting them, there's never a question about which half of the policy (user or computer) is affecting the target.
  • Easier delegation
    • You might want to grant others in your organization the ability to perform certain functions upon your structure. By separating out users and computers, you can delegate some people to create user accounts and others to create computer accounts.
  • Easier implementation of loopback policy
    • The loopback processing attribute affects the computer object. By distinctly separating out computers (especially those which need loopback) it makes loopback troubleshooting a world easier.
       

TIP 2 / Question 2

Under an Active Directory user's properties (Account Tab | Log On To settings), you can restrict what computers a user can log into. This works great but it's not currently set for all of our "lab users" (and it's a fair amount of work to set this manually). So here's the question: How can this be set via GPO?

Answer: There are no Group Policy settings which control this. However, using Active Directory Users and Computers, you can simply "multi-select" several users and select Properties. Simply click each user while holding down the CONTROL key to multi-select.

Then, in the Account tab, select Computer Restrictions and go from there!


TIP 3

Windows Server 2003 has the ability to allow two Remote Desktop connections for administrative purposes. This can be enabled by going to the properties of "My Computer", clicking on the "Remote" tab and enabling "Remote Desktop".

This can also be enabled on each server individually, using the registry setting below, or by creating a custom adm template and deploying the setting via Group Policy.

Registry Settings Involved:

Using regedit, navigate to
HKEY_LOCAL_MACHINE|SYSTEM|CurrentControlSet|Control|Terminal Server

If the value "DenyTSConnections" does not exist, create it as a DWORD.

Setting it to 0 will permit remote desktop connections and setting it to 1 will prohibit them.

Wouldn't it be great if you could set this up with Group Policy so ALL your servers just did this??

Well, you can. On https://www.gpanswers.com/faq/ we're working on a custom .adm Template that can be deployed via Group Policy by creating an .adm file using included code. After you implement it, you won't know how you did without it.

It'll be up this week in the FAQ/TIPS section! So stop by and tell your friends!
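To check the result of this setting across servers, here is an added PowerShell example (not from the newsletter or GPanswers.com) that reads the Terminal Server key on each named server through the remote registry and reports whether connections are permitted. The server names are placeholders, and the value name defaults to fDenyTSConnections, the name this DWORD carries in the registry on shipping Windows builds; pass -ValueName if yours differs.

```powershell
# Added example: audit the Remote Desktop setting on a list of servers.
# Server names are placeholders. The Remote Registry service must be running
# on each target, and the caller needs read access to its HKLM hive.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),  # hypothetical names
    [string]$ValueName = 'fDenyTSConnections'             # assumption, see lead-in
)

$KeyPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpState {
    param(
        [Parameter(Mandatory = $true)][string]$Computer,
        [Parameter(Mandatory = $true)][string]$Name
    )

    $report = [pscustomobject]@{ Computer = $Computer; RawValue = $null; State = 'Unknown' }
    $hklm = $null
    $key  = $null
    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
        $key  = $hklm.OpenSubKey($KeyPath)   # opened read-only
        if ($null -eq $key) {
            $report.State = 'Terminal Server key not found'
        }
        else {
            $raw = $key.GetValue($Name, $null)
            $report.RawValue = $raw
            # 0 permits connections, 1 prohibits them; the value may be absent.
            if ($null -eq $raw)      { $report.State = 'Value missing' }
            elseif ([int]$raw -eq 0) { $report.State = 'Connections permitted' }
            else                     { $report.State = 'Connections prohibited' }
        }
    }
    catch {
        # Host down, Remote Registry stopped, or access denied.
        $report.State = 'Could not read: ' + $_.Exception.Message
    }
    finally {
        if ($null -ne $key)  { $key.Close() }
        if ($null -ne $hklm) { $hklm.Close() }
    }
    $report
}

$ComputerName |
    ForEach-Object { Get-RdpState -Computer $_ -Name $ValueName } |
    Format-Table Computer, State, RawValue -AutoSize
```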
 

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances. So, check it out any time for up-to-date information!
 

Free Live Events
GROUP POLICY POWER HOUR Webinar

New date: Friday, December 03, 2004 (was November 19th):
8:00 AM -- WEST COAST
11:00 AM -- EAST COAST
Seminar #3 in the "The Group Policy Power Hour!" It's 1/2 hour of talk and demos, and 1/2 hour of Q&A!

Here's the intro:

One of the key skills to master is to know what's going on at your client system. In this talk, Jeremy will demonstrate the various methods to get the Resultant Set of Policy, or RSOP, for your client systems. Both command-line tools and the GPMC can be used to gather this knowledge, so join Jeremy for this Power Hour session!

Registration is available here.

 

Classes and Seminars
Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.

For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)  


Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.  

 

Technology Takeaway®, a service of Moskowitz, inc. (Supersecret, hidden, Easter-egg Part of the Newsletter)

We're just giving it away! --

More Technical Takeaway Tips (My way of saying thanks for making it all the way to the end of the newsletter!)

BONUS TIP #1

  Is your company starting to use Firefox? Terrific, except out of the box, it's not Group Policy enabled... Buuut... check out: http://spaces.msn.com/members/in-cider/ for a way to make it enabled! (We're working on making this a permanent section within our Tips collection.)

BONUS TIP #2

Check out http://www.grouppolicywiki.com
It's a way for people to simply "add what they know" to a common body of Group Policy knowledge.
I've contributed a bit, my pal Darren Mar-Elia (who runs GPOguy.com) has contributed a bit and Microsoft has contributed a LOT. Add your 2 cents! It's helpful and fun!

Useless Time Waster

Go here. (Don't ask.) In a nutshell, I drink a LOT of Snapple, and one of my best friends noticed. Any Java enabled web browser will do. Trust me, you won't be disappointed.

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. If so, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Nov 2004
27

Issue#6

 

In this issue:

  • It's Issue 6...
  • GPanswers 2.0 -- New year, new design
  • Moskowitz, inc. Technology Takeaway®
    • Correction from Newsletter #5
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
    • Free live events
    • Classes and seminars
    • Upcoming conference appearances
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 6

It's issue 6, and welcome again to the Moskowitz, inc. / GPanswers.com newsletter. Here's hoping you had a great Thanksgiving !

The personal news here is that I've hired a new assistant--well, I guess that makes it "personnel" news. His name is Jon Seitzer. If you'd like to drop him a note or just say "Hi," you can reach him at [email protected] .

As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).
 

GPanswers 2.0 -- New year, new design

GPanswers.com is a little over one year old. And, well, it was time for a makeover. We've got some very exciting changes to the web site available immediately, and a little more coming up really soon.

First of all, we have an updated look and feel. Not just for the sake of doing something new, but rather because I kept hearing the same report: People told me they had trouble finding "where to click" to find stuff on the web site. I've had that all changed to be easier to find!

Additionally, GPanswers.com URLs are now "on their own." No longer are GPanswers.com URLs really just pointers to Moskowitz-inc. Of course, you can still get to Moskowitz, inc. pages in various ways on GPanswers.com.

Those are the changes as of today. Here is what's coming up in the next several days/weeks:

  • New searchable FAQ section
  • New Tips and Tricks section
  • Annnnnnd...the Big News! We are diligently working on a sponsored "Group Policy Solutions Guide" which enables YOU to easily locate 3rd-party software that enhances Group Policy!

We're aiming to get each and every vendor that offers a Group Policy product to join the club! If you think there's a company and product that should be listed, just let me know! Additionally, we've updated the 2005 class location list and schedule. Be sure to click on "Group Policy Workshop" to get a full list of the updated schedule and/or to sign up for a class.

I hope you enjoy GPanswers.com 2.0 in our second year! PS: I'll likely send out a mini-announcement when the "Group Policy Solutions Guide" goes live.
 

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Correction from Newsletter #5

I hate to have to start out with an apology. But, alas, it happens. That is, my Bonus Tip #1 in Newsletter #5—the "TWO Remote Desktop Sessions" tip--didn't pan out to be true. I did test it ... but I tested it with a Beta of SP2, and, well, that functionality was removed last minute from the ACTUAL SP2.

D'oh! My bad.

Three juicy tips and tricks

TIP 1

Recently, I've been searching for a way to avoid going to the task bar (oops, I mean "Notification Area") in order to disconnect various hardware. Often, I'm just "ready to roll" but, alas, it takes multiple mouse clicks to get the job done to disconnect USB flash disks, Firewire hard drives, or my USB camera.

Here's a tip you can use to save some time. It comes from this Microsoft KB article: "Remove hardware from a command line".

The syntax is a little hard to follow. In this case, I'm going to list the active USB devices.

C:\>devcon find usb*
USB\ROOT_HUB\4&1B96DD0A&1 : USB Root Hub
USB\ROOT_HUB\4&23036E4B&1 : USB Root Hub
USB\ROOT_HUB\4&A2AFF59&1 : USB Root Hub
USB\ROOT_HUB20\4&18075F55&1 : USB Root Hub
USB\VID_05DC&PID_A400\415DEF11191525121004 : USB Mass Storage Device
5 matching device(s) found.

Let's say I want to remove the USB Flash Disk that is currently attached. In the example, I can see that my device has a unique ID of "415DEF11191525121004." To remove it, I can quickly type in a command (or, better yet, batch file) that removes this device based on a string within the device.

C:\>devcon remove "@USB*525121004*"
USB\VID_05DC&PID_A400\415DEF11191525121004 : Removed
1 device(s) removed.

In my short time using this utility, here's what I've found:

  • Some devices complain when being "ripped" out of the system like this. Couple your batch file with the Sysinternals tool called "Sync" which can flush the data to the disk before removal. I'm not saying it'll 100% prevent data damage, but it's certainly better to sync before removal.
  • When specifying the device to remove, be sure to put the unique device name between quotes.
  • Additionally, precede it with an @ sign. Not really sure why, that's just the deal.
  • It seems that each time I remove a device (then plug it back in), I'm essentially re-forcing the PNP subsystem to do its thing when the device is plugged in next. I guess I'm really looking for a command to "eject" a device and not "remove" it.

The closest I've come is this:

"RUNDLL32.EXE SHELL32.DLL,Control_RunDLL hotplug.dll"

It starts the "Unplug or Eject Hardware" wizard, but that's about all it does. If anyone figures out the command syntax for disconnecting a device WITHOUT "removing" it, please let me know!

There's a nice website dedicated to things like this little utility here.
If you have any neat tricks to add to this, do let me know!
 

TIP 2

Everyone I know has cell phones. But heck if I know what carrier they're using. So, when I want to send a little text message (known properly as SMS messages), I have to just GUESS which service they're using.

Is it @vtext.com ? @tmomail.net ? @cingular.com ? Who knows?

And now, you don't have to. Just send an email to
@teleflip.com and -- voila! Instant SMS message to your friend or co-worker.
 

TIP 3

Ron Hrehirchuk is one of my most active GPanswers.com forum members. He's constantly knocking tough questions out of the park. Indeed, Ron is going to be helping me with enhancing the "Tips and Tricks" section.

Recently, Ron found this little gem.

The goal? To use Group Policy to control your EnergyStar-compliant systems. I checked it out, and it is very, very nice! I didn't actually use it though, because I don't have the right kinds of hardware. But it's certainly an interesting example of how Group Policy can be used in ways not normally considered.
 

Upcoming Conferences, Appearances, and Classes

Something new... On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm updating with any public (and private) appearances. So, check it out any time for up-to-date information!
 

Free Live Events
GROUP POLICY POWER HOUR Webinar

New date: Friday, December 03, 2004 (was November 19th):
8:00 AM -- WEST COAST
11:00 AM -- EAST COAST
Seminar #3 in the "The Group Policy Power Hour!" It's 1/2 hour of talk and demos, and 1/2 hour of Q&A!

Here's the intro:

One of the key skills to master is to know what's going on at your client system. In this talk, Jeremy will demonstrate the various methods to get the Resultant Set of Policy, or RSOP, for your client systems. Both command-line tools and the GPMC can be used to gather this knowledge, so join Jeremy for this Power Hour session!

Registration is available here.
 

Classes and Seminars
Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? My favorite email this month was from Chris Curran from Sullivan Data Management.

Great Class!! Ever since the training everything GPO just seems to make a heck of a lot of sense. It's like you filled an eyeglass prescription or something.

Chris Curran

Sullivan Data Management

That's me ... Jeremy Moskowitz, your GPOptometrist.
Just contact me at [email protected] or call me at 302-793-3957.

 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.
 

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. If so, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Oct 2004
17

Issue#5

In this issue:

  • It's Issue 5...
  • Where do you want me?
  • Moskowitz, inc. Technology Takeaway (r)
    • Three juicy questions and answers...
  • Upcoming conferences, appearances, and classes
    • Free live events
    • Public courses until the end of the year ... and one for 2005 already!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe and usage information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 5

It's issue five of the Moskowitz, inc. newsletter. Hopefully, you've all had some time to at least experiment with XP/SP2. Okay, okay ... here's my short, shameful confession: I haven't loaded it yet on my own laptop. Okay, sure, it's on my desktop machine, but not the one I travel with.

Why haven't I committed? Because I'm busy busy busy... running around the country, etc. I'm 1% fearful that I'll be that one guy who gets the BLUE SCREEN after the reboot.

I have some vacation time planned in December. That's when I'm making my own switch. Do you have a plan for your company? As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).
 

Where do you want me?

I'm trying to come up with the Group Policy Intensive Training and Workshop class schedule for 2005. My plan is to do 12 PUBLIC training classes – one a month in a different city. I'm committed to having one in Orlando, Phoenix, Dallas, and Philly. All dates (except Orlando) to-be-determined. Everything else is open for negotiation.

So, if you think you've got a great location for a class (we only need 5 people to make it "a go"), then send me an email with a subject line of CLASS LOCATION: . I'll take the top 6 suggestions, and that'll be that. The winning results will be in the next newsletter. Of course, I'll still be available for PRIVATE training classes inside your company. You don't have to VOTE for that. Just send me an email when you're ready to get that started.
 

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

TIP / Question 1

We have a GPO that disables XP/SP2's Firewall until we can configure and test its use. So, when a new system starts up on our LAN, the GPO takes effect immediately and disables the firewall.

However, if the user has never connected to the LAN before, and simply dials in, the policy does not appear to have any effect. I have left a test machine connected for over 3 hours to give the background refresh time to occur, and have tried manually initiating processing with "gpupdate /force" -- but neither had any effect. Again, if I then connect the system to the LAN, the policy takes effect immediately.

Answer 1

First, you need to be using the XP/SP2 ADM templates. (See previous newsletters for that.)

Then, you can drill down to:

Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall

There, you'll see both "Domain Profile" and "Standard Profile." And, the policy setting you're after is: "Firewall: Protect all network connections" and you want to set it to DISABLED (yes, Disabled). The policy settings in "Domain Profile" are used when AUTHENTICATED to a DC. The policy settings in "Standard Profile" are for when the computer ISN'T AUTHENTICATED to a DC.

Soooooooo.... You have a very special case, my friend. You should set *BOTH* the
Domain Profile | Firewall: Protect all network connections
and the
Standard Profile | Firewall: Protect all network connections

so they are Disabled.

Why? Because when you dial in you might not be actually authenticating to a DC. Rather, if you dial in (when already logged on) you're using pass-through authentication. You might need to GET the GPO ONE TIME on the LAN (i.e., not dialed up) for this magic to work. Then, it should keep on working.
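The Domain Profile and Standard Profile distinction above can be checked on an affected machine. This added PowerShell example (not from the newsletter) reads the per-profile policy values and reports which case applies; it assumes the Windows Firewall policy settings are stored under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall as an EnableFirewall DWORD in the DomainProfile and StandardProfile subkeys.

```powershell
# Added example: show what Group Policy has written for each Windows Firewall
# profile on this computer and explain the combination.
# Assumption: the policy values live under the key below as EnableFirewall.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FirewallPolicyState {
    param([Parameter(Mandatory = $true)][string]$ProfileName)

    # A missing key or value means the setting is Not Configured for that profile.
    $path = "$PolicyRoot\$ProfileName"
    $item = Get-ItemProperty -Path $path -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($null -eq $item)                 { return 'NotConfigured' }
    if ([int]$item.EnableFirewall -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-FirewallPolicyFinding {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$Standard
    )

    # What applies when the computer is NOT authenticated to a DC.
    $offDomain = switch ($Standard) {
        'Disabled' { 'the firewall is turned off by policy' }
        'Enabled'  { 'the firewall is turned on by policy' }
        default    { 'the local firewall setting applies' }
    }

    if ($Domain -eq 'Disabled' -and $Standard -eq 'Disabled') {
        return 'Firewall is off in both profiles, whether or not the computer is authenticated to a DC.'
    }
    if ($Domain -eq 'Disabled') {
        return "Firewall is off only while authenticated to a DC. When not authenticated (for example, dialed in), $offDomain."
    }
    return "Domain Profile does not turn the firewall off. When not authenticated to a DC, $offDomain."
}

$domain   = Get-FirewallPolicyState -ProfileName 'DomainProfile'
$standard = Get-FirewallPolicyState -ProfileName 'StandardProfile'

[pscustomobject]@{
    DomainProfile   = $domain
    StandardProfile = $standard
    Finding         = Get-FirewallPolicyFinding -Domain $domain -Standard $standard
} | Format-List
```

Run it on the dial-in machine before and after it has picked up the GPO on the LAN to see the Standard Profile value appear.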
 

Question 2

How can I stop XP/SP2 from deploying to my clients via critical update?
 

Answer 2:

Take a look at the materials on Microsoft's web site here. There's an ADM template to squelch XP/SP2 from being automatically downloaded until YOU'RE ready. There's also other little odds and ends in there to help with the process.
 

Question 3

Jeremy, some things just aren't going to work after I install XP/SP2. Do you know what is known to "blow up"?
 

Answer 3

Check out this KB article which has a known list of stuff that might not work immediately after XP/SP2 is applied. There are a lot of applications on this list, so be sure to give it a look-see BEFORE you leap into XP/SP2.
 

Upcoming Conferences, Appearances and Classes

Something new...
On www.moskowitz-inc.com (or www.GPanswers.com )
I have a neat-o calendar that I'm updating with any public (and private) appearances. So, check it out anytime for up-to-date information!
 

It's Free! Jeremy pairs with Microsoft TechNet Presenters at key events!

Microsoft is running around the country giving free all-day Active Directory, Group Policy and ISA talks. I was just paired up with TechNet presenter Bryan Von Axelson, in Dover, DE and Philadelphia, PA and it was great!

I'll be there at some more dates, giving out some free books, some shirts -- oh, and some killer Group Policy tips, too! I get about 20 minutes to speak, but, believe me, you'll walk away with something you can use immediately.

Hope to see you there.

You can sign up for the free Microsoft events here. They're simply EVERYWHERE around the country. But I'm not. I'm scheduled to appear at two more before the end of the year: December 14th, 2004 in my hometown of Wilmington, DE and December 16th, 2004 in either Trenton, NJ or Allentown, PA. It's still being determined. I'll keep you posted as I know more.
 

Not free... but worth it! Upcoming classes

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes. These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates and just about all you need to know to hit the ground running -- Fast!

Hope to see you in class soon!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

If you want to see the full course outline, and sign up for an upcoming public class, be sure to click here. Or ... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!) I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Just contact me at [email protected] or call me at 302-793-3957.
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.
 

Technology Takeaway (r), a service of Moskowitz, inc. (Supersecret, hidden, Easter-egg)

We're just giving it away! -- More Technical Takeaway Tips (My way of saying thanks for making it all the way to the end of the newsletter!)
 

BONUS TIP #1

Did you know Windows XP's SP2 has a new ability to have TWO Remote Desktop Sessions? Out of the box, XP SP2 only has one. You can enable the second one with a simple registry punch.

1) In the registry, drill down to: HKEY_LOCAL_MACHINE | System | CurrentControlSet | Control | Terminal Server | Licensing Core.
2) Create a new REG_DWORD value named EnableConcurrentSessions.
3) Set the value to 1.

You may have to reboot (or maybe not). And, voila! Instant double-team!
 

Bonus Tip #2

Microsoft had another nice online Q&A chat on September 29th with the guys who head up the Group Policy division within Microsoft.

If you missed the chat, you can catch the transcript. Some goodies in there, for sure! They even mentioned us -- GPanswers.com training! Hey, thanks! You make me blush!
 

Bonus Tip #3

Microsoft is having a large 14-part webinar series on Group Policy. They're doing one each Wednesday until the end of the year. Discover more about it!

My pal Matt Hester from Microsoft is doing the presentations, so be sure to catch some!
 

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, if you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Aug 2004
11

Issue#4

In this issue:

  • It's Issue 4...All about Service Pack 2 for XP
  • Moskowitz, inc. Technology Takeaway (r) Part I:
  • Recap and Corrections from Newsletter #3
    • Recap + Update #1: XP/SP2 gives you more -- much more
    • Recap + Update #2: How to use these 700 new settings that affect XP/SP2?
    • Recap + Update #3: Loading XP/SP2 will prevent admins from performing RSOPs
  • Upcoming conferences and appearances
  • Moskowitz, inc. Technology Takeaway (r) Part II:
    • What happens if I load XP/SP2 and it bluescreens?
    • Weeding through the bajillion firewall settings in XP/SP2
    • Da Big one: ADM Template Trouble!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe and unsubscribe information
     

Moskowitz, inc. www.GPanswers.com -- Issue 4

It's issue four of the Moskowitz, inc. newsletter. Windows XP's Service Pack 2 is out, and it affects you.

Unless you were living under a rock, you already knew XP/SP2 would have some impact on your systems. If you believe the hype, XP/SP2 will change everything from the climate to my bowling average. Trust me, it's not that bad -- you just need some reliable information to help you get through the change.

Microsoft has some great data on XP/SP2, and the first place you should travel to is what I call "XP/SP2 Central" on Microsoft.com here.

Unfortunately, while I'm sure it's in there somewhere, this site doesn't specifically highlight how Group Policy might be affected by the installation of XP/SP2. So, that, my friends, is what this newsletter is all about. (And, as late-breaking information comes out, you might expect another newsletter not too far out!) Once again, I suggest you save a copy of this newsletter (print, inbox, etc) because when Service Pack 2 for XP comes to your organization, you'll want to recall some of the juicy goodies we'll be exploring in this issue.

You can forward this newsletter to your friends but please do so in one whole piece (please don't just cut and paste.)


Technology Takeaway (r), a service of Moskowitz, inc. (Part I)

Before we dive into the new stuff for this newsletter, let's take a quick stroll back down memory lane to Newsletter 3, which also had some Group Policy goodies for XP/Service Pack 2.
 

Recap + Update #1: XP/SP2 gives you more -- much more

In the previous newsletter, I said that XP/SP2 brings about 90 new Group Policy settings to the table. Well, I seemed to not have had my coffee that day, as I failed to mention the additional 619 policy settings which affect Internet Explorer when running on XP/SP2.

Again, I have a link to Microsoft's latest spreadsheet which helps bring out the differences here. That page has recently been updated to link to Microsoft's FINAL (not Release Candidate) version of the spreadsheet.
 

Recap + Update #2: How to use these 700 new settings that affect XP/SP2?

A common question is: "How do I get these XP/SP2 policy settings to show up when I create a new Group Policy Object?"

A Microsoft article on how to do that is MSKB 816662, entitled: "Recommendations for managing Group Policy administrative template (.adm) files." (In the last newsletter, I had the wrong KB article. Again, not enough coffee.) Or, an explanation in plain English with some extra advice for a holistic approach to ADM template management can be found in Chapter 5 of my new Group Policy book.
 

Recap + Update #3: Loading XP/SP2 will prevent admins from performing RSOPs

As we stated in Newsletter 3, once you load XP/SP2, all INCOMING client communication to your clients will be prohibited. If you have viruses and other little nasties running around your network -- this is a good thing. However, you'll likely want to get back the functionality that's lost by this change.

So, what do you do? You have three options:

Option 1: Turn off the Windows Firewall in XP/SP2

Result: Would let the nasties back in if they're running around your network. Maybe not the best option for all organizations... The default setting for Windows Firewall is "Enabled" for a good reason!

Option 2: Leave the Windows Firewall on, but make sure I can still perform RSoP and otherwise manage my client computers. Perform this magic using policy settings only found in the Service Pack 2 ADM files.
or
Option 3: Manually run around and enable port 445 (to get RSoP back) on specific client machines. This option is tedious and not recommended.

The net result: Opening up port 445 is essential for administrative tools to work between Active Directory and the XP machine from where you do your administration.

Again, please check out Newsletter #3 for a full account of how to turn these settings on (which turns off certain Windows Firewall settings.)

All our newsletter stuff is found here. Additionally, please check out this article, which highlights the precise problem in Microsoft's words.
 

Upcoming Conferences, Appearances and Classes
It's free! GROUP POLICY POWER HOUR Webinar

Seminar #2 in "The Group Policy Power Hour!"

It's 1/2 hour of talk and demos, and 1/2 hour of Q&A!

Here's the intro:

It's true: Group Policy is now self-documenting. You just need to know where to go to get the information. And securing users' access to which Group Policy functions they can perform is important. If you needed to grant someone specific access to modify a GPO, could you do that?

Come to this session to learn some "insider goodies" about the Group Policy Management Console (GPMC). Then, ask as many questions as you want in the second half of the POWER HOUR!
http://tinyurl.com/47xxt
 

Not free... but worth it!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates and just about all you need to know to hit the ground running -- Fast!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At both MMS 2004 and TechEd 2004, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions! Wow! Thanks again, Microsoft!

If you want to see the full course outline, and sign up for an upcoming public class, be sure to check out: 
www.gpanswers.com/live-class

Or... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!) I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Just contact me at [email protected] or call me at 302-793-3957.
 

Technology Takeaway (r), a service of Moskowitz, inc. (Part II)

Here's some fresh, new material about XP/SP2!

What happens if I load XP/SP2 and it bluescreens?

As Hitchhiker's Guide to the Galaxy says, "DON'T PANIC." Here are the steps to roll back XP/SP2 to a (hopefully) previously working condition:

  1. Boot to recovery console. You can do this by booting off any bootable Windows XP CD if you haven't previously loaded it.
  2. Using the recovery console, locate the %windir%\$NTServicePackUninstall$\spuninst folder
  3. Rename "spuninst.txt" to "spuninst.bat"
  4. Then, execute the batch file with "Batch spuninst.bat"

This should remove XP/SP2 AND if you have it, XP/SP1, so be careful! This will return you to Windows XP -- NO SERVICE PACK!

This could be especially troublesome on unprotected networks if you still have little nasties running around within the network!

Why does a bluescreen happen? Matrox Millennium drivers seem to be a major cause. Load the latest drivers from the Matrox web site, then re-apply the XP/SP2 installation.
 

Once XP/SP2 is installed, there are a bajillion firewall settings. How can I figure out what they all do?

Microsoft has a great document just for the "Star Feature" of XP/SP2, the Windows Firewall. Learn how to make it sing and dance the way YOU want.

The document is called: Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 and you can find it here.
 

Da Big one: ADM Template Trouble!

Those of you who hear me speak know I talk about a concept called a "Management Station." Your Management Station is where you DO your Group Policy work from.

You could create a new GPO by walking up to a Windows 2000 DC, then modify that same GPO by walking up to your Windows XP PC and editing it there. In this scenario, you've used two "Management Stations" -- both the Windows 2000 DC and the Windows XP PC.

The problem we need to take a moment to discuss is what happens when you use templates from Windows XP/SP2 and use them on any management station OTHER THAN XP/SP2.

And you'll get it about 50 (yes, 50) times (with various error messages.)

Here's the link from Microsoft which describes the problem: http://support.microsoft.com/?kbid=842933

But what is this technote really saying?

It's saying that you'll need to apply a patch on any management station you modify Group Policy from. Does this mean you have to patch EVERY server and EVERY workstation? NO! You only need to patch the locations from WHERE YOU CREATE AND EDIT GPOs.

So, where do you find the patches?

If you use Windows 2000 as your management station, you can use this patch, here.

Patches for XP/SP1 and WS03-RTM are forthcoming. I'll have an announcement on the BBS when Microsoft releases them.

Follow up on this important bug in the Moskowitz inc. Group Policy forums. Specifically, I've started a thread here in the forums just for this specific bug. So, sign up for the forums, and stay tuned!
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.
 

Technology Takeaway (r), a service of Moskowitz, inc. (Supersecret, hidden, Easter-egg Part III)

We're just giving it away!
 -- More Technical Takeaway Tips
(My way of saying thanks for making it all the way to the end of the newsletter!)
 

Bonus Tip #1

Special GOLD STAR to Andy King who has a super solution for whacking MyDoom nasties with GPOs. Just check out our ongoing support forum. Specifically, Andy posted his solution here.
Thanks Andy!
 

Bonus Tip #2 (Keeping with our XP/SP2 theme)

Check this out on Microsoft's web site for a detailed how-to on installing XP/SP2 using SMS.
 

Bonus Tip #3

Microsoft had a nice online Q&A chat with the guys who head up the Group Policy division within Microsoft. If you missed the chat, you can catch the transcript. Some goodies in there, for sure!

They even mentioned us -- GPanswers.com! Hey, thanks!
 

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Jul 2004
04

Issue#3

In this issue:

  • Moskowitz, inc. and www.GPanswers.com
    • Partnering with the GPTF.ORG
  • Upcoming conferences and appearances
    • Not free... but worth it!
  • Moskowitz, inc. Technology Takeaway (r)
    • XP's SP2 is imminent (save this email!)
    • Bonus!: Kill Spyware with Group Policy!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
  • Subscribe and unsubscribe information

 

Moskowitz, inc. and www.GPanswers.com

It's issue three of the Moskowitz, inc. newsletter. As promised, it's strategically put out "Roughly whenever I feel like it."

And I feel like it!

Why? There's a lot of Group Policy buzz! There's a lot happening lately, and I want to be the first to bring it to you. So, let's kick off this issue.

I suggest you save a copy of this newsletter (print, inbox, etc) because when Service Pack 2 for XP hits, you'll want to recall some of the juicy goodies we'll be exploring in this issue.  

 

Introducing the GPTF.ORG

Harmony. Cooperation. Working together.

These phrases are not something that is normally associated with rival product vendors. But, that's exactly what is going to be happening with an upcoming group I've helped create called the "Group Policy Task Force" or, GPTF.

The GPTF is a consortium of vendors which make Group Policy product add-ons. Many vendors hook in to what Microsoft's Group Policy already offers and take it to the next level. Even Microsoft themselves are a member. This strong showing of support from all vendors involved demonstrates their commitment to the Group Policy "way of life" which we know and love to use every day.

 

So, Where do I fit in?

I came up with the idea because there was no direct avenue for Microsoft to hear vendors' requests, assess how important those requests were to administrators like you, and actually get the wish into the next version of the Group Policy product.

Additionally, because Group Policy is becoming more and more important, it's only a matter of time before vendors start to want to have some interoperability between their products.

I will be helping with ongoing coordination efforts. My official title in this role is "Group Policy Evangelist" (how cool is that!?) If I only got a scepter or something to wield around... now that would be cool. But I digress.
(Actually, this one is pretty cool)
 

So, where do you fit in?

While the GPTF is not open for membership to the community-at-large (ie: network administrators) directly, there are two ways you can help.

First, you should communicate with your 3rd party product vendor about what you want to see regarding interoperability. If you see an avenue for cross-over between vendors, there's a good chance that we can make it happen now.

Also, if you have a specific wish you might want built right into Group Policy itself, we have a new forum at the GPanswers.com bulletin-board entitled "Group Policy Functionality Wish List" where you can post what you want! No guarantees that your wish is going to be embraced, but, if you don't A-S-K, you won't G-E-T.

You can check out the GPTF.ORG web site to see which vendors are participating. And, you can check out our official press release here.

 

Upcoming Conferences, Appearances and Classes

Not free... but worth it!

The number one thing holding back administrators from using Group Policy more is LACK OF TRAINING. Well, there's no excuse anymore!

Join us for one of my upcoming two-day "Group Policy Intensive Training and Workshop" classes.

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At both MMS 2004 and TechEd 2004, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training!

In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions! Wow! Thanks, again Microsoft!

So, to sign up for an upcoming public class, and check out the full course outline, be sure to click here.

Or... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!)

Just contact me at [email protected] or call me at 302-793-3957.
 

Technology Takeaway (r), a service of Moskowitz, inc.

XP's Service Pack 2 is almost ready to burst forth on the scene.

Are you ready?

If I were you, I'd be glued to Microsoft's SP2 site for Microsoft professionals which is here.

I'm quite sure there will be some upcoming prescriptive guidance for its proper deployment and implementation, so stay tuned. However, Release Candidate 2 (RC2) is out, and you can play with it today. And, you should. This is because when you apply XP/SP2 to an existing XP system, you get new functionality, new power, and the ability to manage more stuff with about 90 new policy settings to play with! (Correction for anyone reading the archive version of this newsletter: that should have read 611 new settings if you include all the IE ones.)

I have a link to Microsoft's latest spreadsheet which helps bring out the differences here. The biggest thing to expect with XP/SP2 is the fact that the Windows Firewall (formerly known as the Internet Connection Firewall) is ENABLED (that is, turned ON) by default. So, as soon as XP/SP2 is installed, there's a good chance things won't work as expected.

Once the Windows firewall is turned on, you won't even be able to ping your XP/SP2 machines. In other words, all INCOMING client communication to your clients will be prohibited (though as of XP/SP2 RC2, there is an exception for Remote Assistance on port 3389.)

So, what do you do?

Here are some suggested avenues to mitigate your potential upcoming pain.


Option 1: Turn off the Windows Firewall in XP/SP2

If you're thinking "I'm already working just fine, I don't want the Windows Firewall at all" you can disable it when users authenticate to your domain controllers.

The new policy setting is located here: Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile and is named "Windows Firewall: Protect all network connections".

This policy setting is a little weird. In order to turn off the Windows Firewall, you need to set the policy setting to DISABLED. This is because the new default sets XP/SP2 to have the firewall ENABLED; so you're essentially REVERSING the edict.

Turning off the Windows firewall might be just the thing, or it might be overkill. If you think it might be overkill, read onward!
 

Option 2: Leave the Windows Firewall on, but make sure I can still manage my client computers

Like I said earlier, once the Windows Firewall is on, all inbound client communication is kaput. But, you'll occasionally need to talk TO your clients from the servers.

Specifically, if you use GPRESULT or the Resultant Set of Policy tools built into the GPMC, you won't be able to ask the client "What's going on?" without adjusting the XP/SP2 client.

So, how do you fix it?

Drill down to Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile and ENABLE the policy setting named "Windows Firewall: Allow Remote Administration Exception".

Now your requests will successfully go through.

Also, according to some sources, this is the same policy setting you would enable if you have your Active Directory Administration tools running on your XP/SP2 machine, such as Active Directory Users and Computers or the GPMC. This is because ENABLING this policy additionally opens up port 445 which is essential for these tools to work between Active Directory and the XP machine from where you do your administration. However, in my testing Active Directory Users and Computers, AD Domains and Trusts, and many other administration tools worked just fine without me needing to open up port 445 via this setting. Your experience might be different depending on the tools you use.
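To confirm what a client actually received from Option 1 or Option 2, and to see the Domain Profile / Standard Profile split side by side, you can read the policy values back out of the registry. The following is an added example, not code from the newsletter: it parses the text of a "reg export" of the firewall policy key (the sample is constructed inline) and reports each profile's state. The registry value names (EnableFirewall, RemoteAdminSettings\Enabled, RemoteAddresses) are the ones these SP2 policy settings write and do not appear in the newsletter; the check on the exception's source scope goes a step beyond the text.

```python
"""Offline audit of Windows Firewall Group Policy state from a .reg export."""
import re

# CONSTRUCTED sample (not from the newsletter): export of the firewall policy
# key on a client where Option 2 is applied in the Domain Profile and the
# Standard Profile firewall has been switched off by policy.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled"=dword:00000001
"RemoteAddresses"="*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
"""

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
# When each profile is in effect, as the newsletter describes it.
PROFILES = {
    "DomainProfile": "authenticated to a DC",
    "StandardProfile": "NOT authenticated to a DC",
}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key").lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.lower().startswith("dword:"):
                current[m.group("name").lower()] = int(data[6:], 16)
            else:
                current[m.group("name").lower()] = data.strip('"')
    return keys


def tri_state(value):
    """Map a policy DWORD to the state shown in the Group Policy editor."""
    if value is None:
        return "Not Configured"
    return "Enabled" if value == 1 else "Disabled"


def audit(text):
    """Return per-profile policy state plus findings worth a second look."""
    keys = parse_reg(text)
    report = {}
    for profile, when in PROFILES.items():
        base = (POLICY_ROOT + "\\" + profile).lower()
        fw = keys.get(base, {}).get("enablefirewall")
        ra = keys.get(base + "\\remoteadminsettings", {})
        state = {
            "protect_all_connections": tri_state(fw),
            "remote_admin_exception": tri_state(ra.get("enabled")),
            "remote_admin_scope": ra.get("remoteaddresses"),
            "findings": [],
        }
        # "Protect all network connections" = Disabled turns the firewall OFF.
        if fw == 0:
            state["findings"].append(
                f"firewall forced OFF while the computer is {when}")
        # The exception lets RSoP/GPRESULT queries in; note an unrestricted scope.
        if ra.get("enabled") == 1 and state["remote_admin_scope"] in (None, "*"):
            state["findings"].append(
                "remote administration exception open to any source address")
        report[profile] = state
    return report


if __name__ == "__main__":
    for profile, state in audit(SAMPLE_REG).items():
        print(profile, state)
```

A real "reg export" file is UTF-16 encoded, so decode it before passing its text to audit().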

A common question is: "How do I get these XP/SP2 policy settings to show up when I create a new Group Policy Object?"

A Microsoft article on how to do that is MSKB 816662, entitled: "Recommendations for managing Group Policy administrative template (.adm) files."

Or, an explanation in plain English with some extra advice for a holistic approach to ADM template management can be found in Chapter 5 of my new Group Policy book.
 

***BONUS TIPS***

We're just giving it away!
-- More Technical Takeaway Tips
 

BONUS TIP #1

Want to preemptively kill spyware and the like leveraging GPOs? This BLOG demonstrates how to use SpywareBlaster to leverage GPOs to configure your clients.

Use at your own risk. I haven't tried it out, but it sounds good on paper.

Thanks to contributor Bill Avellan for locating this!


BONUS TIP #2:

Are your incremental backups larger than you think they should be? Maybe it's a bug with Group Policy. Check out the fix here. It corrects a problem if you're using Group Policy to change file permissions.

Thanks to contributor Gary Busby for this one!
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding!

Order your signed copy today by clicking here:

Thanks for reading! And, as promised I'll send out the next newsletter "Roughly whenever I feel like it" or whenever big news hits. Until next time!
 

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

May 2004
30

Issue#2

In this issue:

  • Moskowitz, inc. and www.GPOanswers.com, er, GPanswers.com updates
    • Help GPanswers.com rise to the top!
    • Helping your fellow Group Policy administrator!
  • Upcoming conferences and appearances
    • It's free! Windows Server 2003 Group Policy Essentials Webinar
    • Not free... but worth it! Upcoming classes.
  • Moskowitz, inc. Technology Takeaway (r): five juicy questions (and answers!)
  • Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
  • Subscribe and unsubscribe information


Moskowitz, inc. and www.GPOanswers.com, er...

It's stunned analysts everywhere. Okay, actually, no one seemed to notice. But, I've decided to change the name of GPOanswers.com to GPanswers.com.

Why the change?

Well, the GPO (Group Policy Object) is the "molecule" that makes the Group Policy world go round. However, the name GPOanswers.com wasn't all encompassing enough.

In reality, the forum and the web site are about all aspects of Group Policy, not just the GPO "molecule."

To that end, I've renamed it to be www.GPanswers.com. Note that www.GPOanswers.com will still point to the same place.
 

Help GPanswers.com rise to the top!

There's only one "go to" location for Group Policy help on the web. And that's GPanswers.com!

Only problem? Our Google rank is in the tank.

I'm not a "Google-head" -- that is, I don't have a genuine understanding of the Google-rhythm, or whatever the algorithm is called that pushes certain pages to the top of the ranks.

Long story short, the only thing I know that helps is if others POINT to the web site. So, if you're interested in helping out the community, then, please create a web site link from your web site to GPanswers.com.

You'll be helping everyone who is interested in getting some extra Group Policy help.  


Helping your fellow Group Policy administrators!

Hopefully, you're finding the updated resources of GPanswers.com useful. We have some dedicated folks in the forum (www.moskowitz-inc.com/bbs) constantly knocking out questions for others in need.

If you're an expert (or use Group Policy a lot) we would encourage you to help out others! That's the spirit of the forum ...give a penny, leave a penny... er, ask a question, answer a question.

Also, if you come across something that's new and exciting which EVERYONE should know about, then let me know.

I'll make it a permanent link in the GPanswers.com site.

Note that I've changed the policy of the forum a bit. That is, we now require that you are a registered member of the forum to post. This is because guests don't have the ability to receive emails when someone responds to their posts. And we want to make sure that all answers are getting to their respective question-askers.


Upcoming Conferences, Appearances and Classes

It's free!


Windows Server 2003 Group Policy Essentials Microsoft Technet Webinar

 

From the Microsoft site:

Just getting started with Windows Group Policy? Unsure of where Windows® Group Policy applies or how to manage them? In this session you'll learn just what Group Policy is, and how you can deploy it correctly. Join this webcast to hear Active Directory and Group Policy guru Jeremy Moskowitz (from GPOanswers.com) and author of the recently overhauled "Group Policy, Profiles and Intellimirror for Windows 2003, Windows 2000 and Windows XP" teach you the ropes. Learn how to modify Group Policy objects to lock down desktops and manage your user environments. Gain insights into the thorny issues surrounding permissions. Discover how to delegate the job of creating Group Policy. Last, you'll learn how to troubleshoot Group Policy -- through tools and with your bare hands.

Sign up here: http://go.microsoft.com/fwlink/?LinkId=27801

Not free... but worth it! Upcoming classes

We'd love to see you in the upcoming two-day Group Policy intensive training and workshop class. Here's what one IT manager said after taking the training:

Facing the challenge of upgrading our multi-site user environment I was very concerned with my staff's limited knowledge of Group Policy.

Much like most sites we struggled with estimating outside resource requirements for our Active Directory project. Looking for Group Policy specific training proved to be a challenge and I turned to a resource from my computer security group who recommended Jeremy.

After speaking with Jeremy about the classes I immediately identified him as someone who would be a valued resource, as he clearly understood many of the problems I was facing. After the class which wrapped up on 4/24 I find myself adjusting my project plan, as my staff went from being unsure of the challenge ahead to being able to confidently plan and implement a strong Group Policy environment.

The class was very detailed and Jeremy really knows how to control the class. The labs are great assuring that everyone can touch and feel Group Policy. Jeremy proved to be a solid professional, and from what I can tell one of the few who can drill down to the expert level in Group Policy.

Maurice McClain,
GSEC Manager IS Operations

Thanks Maurice!

Also, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

Indeed, at TechEd 2004 Mark Williams from the Group Policy team encouraged the 1500 attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks, Microsoft!

So, to sign up for an upcoming public class, and check out the full course outline, be sure to visit: www.gpanswers.com/my-online-class

Or... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! Just contact me at [email protected] or call me at 302-793-3957. If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!)

 

Technology Takeaway (r), a service of Moskowitz, inc.

Here are some questions on people's minds recently...

Question 1:

I implemented an Account locked out policy on my domain. I set the policy to lockout after 3 tries, but most user accounts still get locked out with our old account policy. So, next, I tried to disable the policy but my domain Administrator account still gets locked out according to the old lockout policy. What could be causing this?

Answer 1:

This sounds like you have a DNS problem. I know, I know – how can this possibly be a DNS issue, you ask? I submit that perhaps not all of your Domain Controllers are receiving the updated domain policy. Hence, they are retaining some other policy you set. So, my advice? Make one DNS server the authoritative source and have all Domain Controllers (temporarily) use that DNS server for resolution. Hopefully, the latest policy will take effect, and you'll be updated.

Question 2:

How do I restrict users from opening and editing the registry in Windows XP? All domain controllers are 2003 server.

Answer 2:

Software Restriction Policies to the rescue! There are plenty of great Microsoft articles on Software Restriction Policies in Technet or online. (Or, you can get it in plain English in my book.) Don't forget, though, that Software Restriction Policies are only valid for Windows XP or Windows 2003 as clients – those with Windows 2000 clients are out of luck! Oh, and it doesn't matter if your DCs are 2000 or 2003.

Question 3:

Are Group Policy Objects cumulative? If a GPO is linked to the domain and then a separate GPO is linked to an OU, do features of the domain GPO "flow" down to the OU and apply with features set in the OU GPO as long as they don't conflict? I thought that if a GP was assigned to an OU then its features would overwrite any features set by a GP assigned to a level above.

Answer 3:

If you have no GPOs that conflict anywhere in your SOM (scope of management), they will apply cumulatively. However, if you have a GPO which says to do one specific thing at, say, the Domain level, and another GPO which says to do a different thing for the same setting at, say, the OU level, the one "closer" to the user (or computer) will apply. So, here's a simple example: At the domain level, imagine that you restrict the Control Panel, but at the OU level, you make it available again. Since the GPO linked to the OU is closer to the target account, that setting will take effect.
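The merge rule in Answer 3 can be modeled in a few lines. This is an added example, not code from the newsletter or from Microsoft; it goes beyond the answer by also modeling the Enforced ("No Override") link flag and Block Inheritance, and the GPO names, OU names and setting names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                # GPO name (constructed sample)
    settings: dict          # setting name -> value this GPO configures
    enforced: bool = False  # Enforced / "No Override" on the link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # lowest precedence first
    block_inheritance: bool = False

def resultant_policy(path):
    """path: containers ordered from the domain down to the account's OU.
    Returns {setting: (value, name of the GPO that won)}."""
    # Non-enforced links above the deepest blocking container are dropped.
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    result = {}
    # Normal links: domain first, OU last, so the closer GPO wins a conflict
    # while non-conflicting settings simply accumulate.
    for depth, container in enumerate(path):
        for link in container.links:
            if not link.enforced and depth >= start:
                for key, value in link.settings.items():
                    result[key] = (value, link.gpo)
    # Enforced links ignore Block Inheritance and are written last, deepest
    # container first, so the highest-level enforced GPO has the final word.
    for container in reversed(path):
        for link in container.links:
            if link.enforced:
                for key, value in link.settings.items():
                    result[key] = (value, link.gpo)
    return result

if __name__ == "__main__":
    domain = Container("corp.com", [Link("Domain Lockdown",
                       {"ControlPanel": "restricted", "ScreenSaverTimeout": 600})])
    ou = Container("OU=Helpdesk", [Link("Helpdesk Desktop",
                   {"ControlPanel": "available"})])
    # The newsletter's case: the OU wins ControlPanel, the timeout flows down.
    print(resultant_policy([domain, ou]))
    # Same links, but the domain link is enforced: the lockdown now wins.
    domain.links[0].enforced = True
    print(resultant_policy([domain, ou]))
```

When auditing a lockdown, the second value in each tuple is the useful part: it names the GPO that actually supplied the effective setting.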

Question 4:

I blew up the Default Domain Policy in my Windows 2000 domain. How can I recover that?

Answer 4:

You're in luck! (Well, not really since you blew up a critical GPO.) Microsoft has just released RecreateDefPol.exe. It restores the Default Domain and Default Domain Controllers policy GPOs in case of accidental deletion. This tool is for use exclusively on Windows 2000 Server, Advanced Server, and DataCenter Server. Do not use this tool on Windows Server 2003; use Dcgpofix.exe instead (included in Windows Server 2003). You can download the tool directly from Microsoft here: http://tinyurl.com/3yyr3

Question 5:

I love using the Group Policy Software Deployment functionality. However, recently I tried to decommission a file server we were using, and well, chaos ensued. Any recommendations or "best practices" for using Group Policy Software Deployment?

Answer 5:

Use DFS in conjunction with software deployment, and you'll be in clover. Why? Because DFS will abstract the REAL server name from the equation. That is, you can bank on the DFS share being there, even if you change the underlying file server name. So, my recommendation is to use \\{dfsname}\{rootshare} like \\corp.com\software instead of \\{specificserver}\{sharename}. This way, if you change servers, you can easily move the file share to the new server, change the DFS pointer, and everything just keeps on truckin'!

 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding!

Order your signed copy today by clicking here: www.gpanswers.com/books

Thanks for reading! And, as promised I'll send out the next newsletter "Roughly whenever I feel like it" or whenever big news hits. Until next time!

Subscribe and Unsubscribe Information
==============================================

- subscribe to this newsletter
- unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, if you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]oskowitz-inc.com
Learn more about Group Policy at GPanswers.com !