MDM & GP Tips Blog

May 2004


In this issue:

  • Moskowitz, inc. and, er, updates
    • Help rise to the top!
    • Helping your fellow Group Policy administrator!
  • Upcoming conferences and appearances
    • It's free! Windows Server 2003 Group Policy Essentials Webinar
    • Not free... but worth it! Upcoming classes.
  • Moskowitz, inc. Technology Takeaway (r): five juicy questions (and answers!)
  • Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
  • Subscribe and unsubscribe information

Moskowitz, inc. and, er...

It's stunned analysts everywhere. Okay, actually, no one seemed to notice. But, I've decided to change the name of to

Why the change?

Well, the GPO (Group Policy Object) is the "molecule" that makes the Group Policy world go round. However, the name wasn't all encompassing enough.

In reality, the forum and the web site is about all aspects of Group Policy, not just the GPO "molecule."

To that end, I've renamed it to be Note that will still point to the same place.

Help rise to the top!

There's only one "go to" location for Group Policy help on the web. And that's.!

Only problem? Our Google rank is in the tank.

I'm not a "Google-head" -- that is, I don't have a genuine understanding of the Google-rhythm, or whatever the algorithm is called that pushes certain pages to the top of the ranks.

Long story short, the only thing I know that helps is if others POINT to the web site. So, if you're interested in helping out the community, then, please create a web site link from your web site to

You'll be helping everyone who is interested in getting some extra Group Policy help.  

Helping your fellow Group Policy administrators!

Hopefully, you're finding the updated resources of useful. We have some dedicated folks in the forum ( constantly knocking out questions for others in need.

If you're an expert (or use Group Policy a lot) we would encourage you to help out others! That's the spirit of the forum ...give a penny, leave a penny... er, ask a question, answer a question.

Also, if you come across something that's new and exciting which EVERYONE should know about, then let me know.

I'll make it a permanent link in the site.

Note that I've changed the policy of the forum a bit. That is, we now require that you are a registered member of the forum to post. This is because guests don't have the ability to receive emails when someone responds to their posts. And we want to make sure that all answers are getting to their respective question-askers.

Upcoming Conferences, Appearances and Classes

It's free!

Windows Server 2003 Group Policy Essentials Microsoft Technet Webinar


From the Microsoft site:

Just getting started with Windows Group Policy? Unsure of where Windows(R) Group Policy applies or how to manage them? In this session you'll learn just what Group Policy is, and how you can deploy it correctly. Join this webcast to hear Active Directory and Group Policy guru Jeremy Moskowitz (from and author of the recently overhauled "Group Policy, Profiles and IntelliMirror for Windows 2003, Windows 2000 and Windows XP" teach you the ropes. Learn how to modify Group Policy objects to lock down desktops and manage your user environments. Gain insights into the thorny issues surrounding permissions. Discover how to delegate the job of creating Group Policy. Last, you'll learn how to troubleshoot Group Policy -- through tools and with your bare hands.

Sign up here:

Not free... but worth it! Upcoming classes

We'd love to see you in the upcoming two-day Group Policy intensive training and workshop class. Here's what one IT manager said after taking the training:

Facing the challenge of upgrading our multi-site user environment I was very concerned with my staff's limited knowledge of Group Policy.

Much like most sites we struggled with estimating outside resource requirements for our Active Directory project. Looking for Group Policy specific training proved to be a challenge and I turned to a resource from my computer security group who recommended Jeremy.

After speaking with Jeremy about the classes I immediately identified him as someone who would be a valued resource, as he clearly understood many of the problems I was facing. After the class which wrapped up on 4/24 I find myself adjusting my project plan, as my staff went from being unsure of the challenge ahead to being able to confidently plan and implement a strong Group Policy environment.

The class was very detailed and Jeremy really knows how to control the class. The labs are great assuring that everyone can touch and feel Group Policy. Jeremy proved to be a solid professional, and from what I can tell one of the few who can drill down to the expert level in Group Policy.

Maurice McClain,
GSEC Manager IS Operations

Thanks Maurice!

Also, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

Indeed, at TechEd 2004 Mark Williams from the Group Policy team encouraged the 1500 attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and for each of his sessions!

Wow! Thanks, Microsoft!

So, to sign up for an upcoming public class, and check out the full course outline, be sure to visit:

Or... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! Just contact me at [email protected] or call me at 302-793-3957. If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!)


Technology Takeaway (r), a service of Moskowitz, inc.

Here are some questions on people's minds recently...

Question 1:

I implemented an Account locked out policy on my domain. I set the policy to lockout after 3 tries, but most user accounts still get locked out with our old account policy. So, next, I tried to disable the policy but my domain Administrator account still gets locked out according to the old lockout policy. What could be causing this?

Answer 1:

This sounds like you have a DNS problem. I know, I know – how can this possibly be a DNS issue, you ask? I submit that perhaps not all of your Domain Controllers are receiving the updated domain policy. Hence, they are retaining some other policy you set. So, my advice? Make one DNS server the authoritative source and have all Domain Controllers (temporarily) use that DNS server for resolution. Hopefully, the latest policy will take effect, and you'll be updated.

Question 2:

How do I restrict users from opening and editing the registry in Windows XP? All domain controllers are 2003 server.

Answer 2:

Software Restriction Policies to the rescue! There are plenty of great Microsoft articles on Software Restriction Policies in Technet or online. (Or, you can get it in plain English in my book.) Don't forget, though, that Software Restriction Policies are only valid for Windows XP or Windows 2003 as clients – those with Windows 2000 clients are out of luck! Oh, and it doesn't matter if your DCs are 2000 or 2003.

Question 3:

Are Group Policy Objects cumulative? If a GPO is linked to the domain and then a separate GPO is linked to an OU, do features of the domain GPO "flow" down to the OU and apply with features set in the OU GPO as long as they don't conflict? I thought that if a GP was assigned to an OU then its features would overwrite any features set by a GP assigned to a level above.

Answer 3:

If you have no GPOs that conflict anywhere in your SOM (scope of management), they will apply cumulatively. However, if you have a GPO which says to do one specific thing at, say, the Domain level, and another GPO which says to do a conflicting thing at, say, the OU level, the one "closer" to the user (or computer) will apply. So, here's a simple example: At the domain level, imagine that you restrict the control panel, but at the OU level, you make it available again. Since the GPO linked to the OU is closer to the target account, that setting will take effect.

Question 4:

I blew up the Default Domain Policy in my Windows 2000 domain. How can I recover that?

Answer 4:

You're in luck! (Well, not really since you blew up a critical GPO.) Microsoft has just released RecreateDefPol.exe. It restores the Default Domain and Default Domain Controllers policy GPOs in case of accidental deletion. This tool is for use exclusively on Windows 2000 Server, Advanced Server, and DataCenter Server. Do not use this tool on Windows Server 2003; use Dcgpofix.exe instead (included in Windows Server 2003). You can download the tool directly from Microsoft here:

Question 5:

I love using the Group Policy Software Deployment functionality. However, recently I tried to decommission a file server we were using, and well, chaos ensued. Any recommendations or "best practices" for using Group Policy Software Deployment?

Answer 5:

Use DFS in conjunction with software deployment, and you'll be in clover. Why? Because DFS will abstract the REAL server name from the equation. That is, you can bank on the DFS share being there, even if you change the underlying file server name. So, my recommendation is to use \\{dfsname}\{rootshare} like \\corp.com\software instead of \\{specificserver}\{sharename}. This way, if you change servers, you can easily move the file share to the new server, change the DFS pointer, and everything just keeps on truckin' !
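As an added example (not the newsletter's code), here is a small audit that applies this advice to a list of software-deployment source paths: it flags any package whose source is tied to a specific server rather than to the DFS namespace, and suggests the equivalent path under \\corp.com\software. The package list and the mapping from (server, share) to DFS link name are constructed sample data.

```python
"""Audit Group Policy software-deployment source paths for server names.

Added example, not the newsletter's code.  Package list and the
(server, share) -> DFS link mapping are constructed sample data.
"""
import re

# \\host\share\optional\rest -- host and share cannot contain backslashes
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)(?:\\(.*))?$")


def parse_unc(path):
    """Split a UNC path into (host, share, remainder)."""
    m = UNC_RE.match(path)
    if not m:
        raise ValueError(f"not a UNC path: {path!r}")
    host, share, rest = m.groups()
    return host, share, rest or ""


def uses_dfs_root(path, dfs_domain, dfs_root):
    """True when the path goes through \\<dfs_domain>\<dfs_root>."""
    host, share, _ = parse_unc(path)
    return host.lower() == dfs_domain.lower() and share.lower() == dfs_root.lower()


def to_dfs_path(path, dfs_domain, dfs_root, link_for):
    """Rewrite \\server\share\rest as \\domain\root\<link>\rest, where
    link_for maps (server, share) to the DFS link that now fronts it."""
    host, share, rest = parse_unc(path)
    link = link_for.get((host.lower(), share.lower()))
    if link is None:
        raise KeyError(f"no DFS link known for \\\\{host}\\{share}")
    new = f"\\\\{dfs_domain}\\{dfs_root}\\{link}"
    return new + ("\\" + rest if rest else "")


def audit(packages, dfs_domain, dfs_root, link_for):
    """Return [(package, old_path, suggested_path)] for every package whose
    source is tied to a specific server."""
    findings = []
    for name, path in packages:
        if not uses_dfs_root(path, dfs_domain, dfs_root):
            findings.append((name, path, to_dfs_path(path, dfs_domain, dfs_root, link_for)))
    return findings


# Constructed sample data: two packages already on DFS, two tied to servers.
SAMPLE_PACKAGES = [
    ("Office 2003", r"\\corp.com\software\office\pro11.msi"),
    ("Acrobat Reader", r"\\FS01\apps\reader\AcroRead.msi"),
    ("Antivirus agent", r"\\fs02\install\av\agent.msi"),
    ("Helpdesk tool", r"\\corp.com\software\tools\hdtool.msi"),
]
SAMPLE_LINKS = {("fs01", "apps"): "apps", ("fs02", "install"): "avinstall"}


def sample_audit():
    return audit(SAMPLE_PACKAGES, "corp.com", "software", SAMPLE_LINKS)


if __name__ == "__main__":
    for name, old, new in sample_audit():
        print(f"{name}: {old} -> {new}")
```

Host and share comparisons are case-insensitive because Windows treats them that way; a package pointing at `\\FS01\apps` is just as server-bound as one pointing at `\\fs01\apps`.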


Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding!

Order your signed copy today by clicking here: Thanks for reading! And, as promised I'll send out the next newsletter "Roughly whenever I feel like it" or whenever big news hits. Until next time!

Subscribe and Unsubscribe Information

- subscribe to this newsletter
- unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address :

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at !

May 2004


In this issue:

- Jeremy's put together his first newsletter!
- Moskowitz, inc. and updates:
- It's OUT! The most anticipated sequel of the year!
- How to get your copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
- Join us at
- Upcoming Group Policy intensive class: onsite and public
- Upcoming conferences and appearances
- Moskowitz, inc. Technology Takeaway (r): five juicy questions (and answers!)
- Subscribe and unsubscribe information


Can it really be true? Jeremy's put together his first newsletter!

If you're getting this newsletter, it probably means that you've handed me, Jeremy Moskowitz, a business card at a conference, meeting, or seminar -- or you've specifically asked to be part of this list. I've converted your email address from the business card to this email listserver, which can easily handle subscribing and unsubscribing, as well as offering a host of other features. All information on subscribing and unsubscribing can be found at the end of this newsletter. If you choose to unsubscribe, you won't get any more newsletters like these.

However, I hope you stay with me! This newsletter's intent is to keep you updated on the comings and goings of Moskowitz, inc. and, provide a technical tip or three, and generally keep you apprised of the state of affairs. In the words of Scott Adams, the creator of Dilbert, this newsletter will come out "roughly, whenever I feel like it." Some newsletters will have lots of news. Other issues will be shorter. In all cases, I'll try to make efficient use of your time.

I do hope you'll stay aboard.

Moskowitz, inc. and updates

Here's a brief rundown of what's new at Moskowitz, inc and


It's OUT -- March 22nd! The most anticipated sequel of the year!!

...and it's 100% Jar-Jar Binks free!

That's right! The follow-up to the wildly successful Windows 2000: Group Policy, Profiles and IntelliMirror is here! It's called Group Policy, Profiles and IntelliMirror for Windows 2003, Windows 2000, and Windows XP. If you liked the first one, you're going to love this edition!

It's not an update -- it's an OVERHAUL!

The best news is that 90-95% of the material is applicable to Windows 2000 users. Even if you have just one Windows XP machine in your domain, you'll want to take a look!

Here are the major changes:

- We shifted the focus primarily to Windows 2003 Server and Windows XP (from Windows 2000 Server and Professional). The Group Policy Management Console (GPMC) changes everything.

Warm-ups and usage are in Chapters 1 and 2. We continue all examples of Group Policy application by demonstrating the GPMC in the remaining chapters of the book.

- The "secret underbelly" of Group Policy Processing has changed for Windows XP. Come to Chapter 3 to find out what. I've also made sure to have the most technically accurate information for Windows 2000 processing possible. (Chapters 1, 2, and 3)

- Group Policy Troubleshooting is never easy, but with additional techniques in Chapter 3 and Chapter 4, you'll have that extra edge!

- If you're getting into automation with scripting, Chapter 7, "Scripting Group Policy Operations," is for you. This chapter, written by the one and only Bill Boswell, will quickly get you up to speed with a gaggle of great stuff you can do once you learn the scripting interface. All in all, this chapter will just make your life easier. We even have a super-secret trick in the book to script the "push" of GPOs to your client systems! Zowie!

- There are lots of new add-on tools available for Group Policy management. Some are in the Microsoft Windows 2003 Resource Kit, others are third-party products, and others are free tools. There's even one feature of the GPMC which can be thought of as an add-on to help us migrate GPOs from one domain to another. It's all in the chapter entitled "Group Policy and Profile Tools."

- Security is a hot topic. Group Policy lets you access the heart of the security within Active Directory and across your whole network. Chapter 6, "Group Policy Security Implementation," is completely revamped to home in on this important subject. There is information here that is simply not available in any other text.

- Other changes you'll find in the book include new strategies for ADM template management (Chapter 5), Windows XP Profile behavior (Chapter 8), Windows XP folder redirection changes (Chapter 9), Group Policy software distribution changes (Chapter 10), Remote Installation Services changes (Chapter 11), migrating GPOs with the GPMC (Appendix B), and a third-party tools list (Appendix B).

- Oh, and did I forget to mention the five downloadable web resources? Everything from Restricted Groups tables to a quick reference of all the newest policy settings for Windows 2003, Windows XP, Windows XP + SP1, and Windows XP + SP2!

So I hope you'll agree with me: this edition isn't just a revision, it's a total overhaul! This book is in the Mark Minasi Windows Administration Series. And Michael Dennis, the Lead Program Manager of Group Policy at Microsoft, kindly provided the Foreword. Here's an excerpt from the Foreword:

At Microsoft, we have a lot of downloadable documentation on Group Policy, Profiles, and IntelliMirror (r). What Jeremy provides with this book is a "one-stop-shop" for practical, how-it-works information, including real-world examples of implementing and troubleshooting Group Policy, Profiles, and IntelliMirror. Indeed, his digging and prodding into the Group Policy internals means that there is information in his book that you simply cannot find anywhere else. Jeremy has always provided an independent eye into how Group Policy works. Best of all, his writing style will keep you engaged throughout the entire book.

Jeremy's book uncovers the basics of Group Policy and GPMC and then reveals the hidden nuggets that truly unleash the power of Group Policy. He describes the many underlying and overt changes since Windows 2000 that make this book a valuable successor to his previous work. The practical, (often prescriptive) technical information just keeps rolling in -- chapter after chapter.

-- from Michael Dennis, the Lead Program Manager of Group Policy


Buy Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 in three ways!

If you're ready to get crackin' with your Group Policy workout, you can get the new book in one of three ways:

- You can order it from Amazon for $35.00 plus shipping by clicking here:

- You can order it from Bookpool for $30.95 plus shipping by clicking here:

- If you order the book from me, I'll sign the book for you, free! I've had many requests for this service, and I'm honored that you would want it! If you order it from me, you get the book, shipping included! Usually, I try to ship out the week's orders on Mondays and Thursdays. If you need a guaranteed shipping date, then Amazon might be a better choice. The cost is $45. The slight extra cost goes toward the shipping from SYBEX to me, then me to you (not for the signature.) Again, note that shipping -is- included.

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding! Order your signed copy today by clicking

Join us at


You've got questions, we've got answers. And we won't ask for your home phone number like Radio Shack. Come join your peers at for the following goodies:

- All the Web downloads from the book (you don't have to track them down at SYBEX's Web site)
- Additional ADM templates
- Additional VB scripts
- Pointers to all the best Microsoft Group Policy stuff
- Newsletter archives
- And an ongoing battery of new stuff as it comes up!

Best of all, there's the Discussion Forum!

Here, your peers are waiting to chat with you about all sorts of Group Policy, Profiles, and IntelliMirror topics: everything from troubleshooting to trying something new! And you never know who might be lurking and posting -- just waiting to answer your question or hear your feedback.

We've already received a lot of buzz... so, c'mon and join the fun! Note that joining the Forum doesn't automatically join you to the newsletter, so, if you're receiving this newsletter because someone forwarded it to you, be sure to sign up for both!
Subscription information can be found at the end of this newsletter.


Now Available! Group Policy intensive class! Public and Onsite!

You've asked for it, and here it is: a two-day Group Policy intensive workshop! It's really three days of stuff presented in two days. If you need to get up to speed and get using that Active Directory you've got lying around, then this is the class for you! It'll consist of about 50% instruction, 50% demos, and 50% hands-on practice. Okay, somehow, that's 150%! But would you expect anything less?

You can see an outline of the course here: And... This class can be taught as a private class within your company (with all the personalized attention that affords). Just email me at [email protected] for details.


Technology Takeaway (r), a service of Moskowitz, inc.

Here are some questions on people's minds recently...

QUESTION 1: Can you have different policies governing different types of users within the Domain? Specifically I am looking to have non-privileged users expire and change passwords every 45 days and privileged users every 30.

ANSWER: Unfortunately, no. You cannot have different Account or Password policies within the domain. If you must perform what you describe, you must have two domains.

QUESTION 2: I have a standalone PC with Windows XP Professional and I want to create a few users with restricted use. For example, remove the icons on the desktop or take away "run" in the Start menu. Now I have tried this with GPEDIT.MSC, but when I do, even the Administrator account is affected. How can I log on as an Administrator and restrict users for certain parts but not get the restriction myself?

ANSWER: You should avoid using GPEDIT.MSC on local machines. When you do this, you have the least amount of control over your Active Directory. Really, you're only able to control just that one machine. Instead, you should set up GPOs linked to the domain-level or OU-level to affect your users or computers. You can use Group Policy filtering (via user groups) to specify which specific users or computers will be affected. You can remove Administrators from the processing in this fashion.

QUESTION 3: Can you restrict the use of floppy and/or CD-ROM drives on workstations in a domain with Group Policy?

ANSWER: Yes. Check out these two policy settings:

User Configuration | Administrative Templates | Windows Components | Windows Explorer | Hide these specified drives in My Computer

and

User Configuration | Administrative Templates | Windows Components | Windows Explorer | Prevent access to drives from My Computer
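Both of those Explorer settings are stored as one DWORD bitmask in which bit 0 is drive A:, bit 1 is B:, and so on up to bit 25 for Z:, and the policy editor's drop-down only offers a handful of fixed combinations. The added example below (not from the newsletter) encodes and decodes that mask for any set of drive letters, which is what you need when, as in this question, the drives to restrict are the floppy and a CD-ROM rather than "A, B and C". The registry value names NoDrives (hide) and NoViewOnDrive (prevent access) under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer come from the ADM templates shipped with Windows, not from this page; the drive letters in the demo are constructed.

```python
"""Drive bitmask behind the two Windows Explorer policies named above.

Added example, not from the newsletter.  Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.
The value names NoDrives and NoViewOnDrive and the Policies\\Explorer key are
taken from the shipped ADM templates, not from this page.
"""
import string

DRIVE_LETTERS = string.ascii_uppercase      # A..Z -> bits 0..25
ALL_DRIVES = (1 << 26) - 1                  # 67108863, "Restrict all drives"
EXPLORER_POLICY_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
)

# Drop-down choices the policy editor offers, with the values they write.
PRESETS = {
    "Do not restrict drives": 0,
    "Restrict A and B drives only": 3,
    "Restrict C drive only": 4,
    "Restrict D drive only": 8,
    "Restrict A, B and C drives only": 7,
    "Restrict A, B, C and D drives only": 15,
    "Restrict all drives": ALL_DRIVES,
}


def drive_mask(letters):
    """Bitmask for an iterable of drive letters such as "AE" or ["a:", "D"]."""
    mask = 0
    for raw in letters:
        letter = raw.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in DRIVE_LETTERS:
            raise ValueError(f"bad drive letter: {raw!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def drives_in_mask(mask):
    """Inverse of drive_mask: the letters a registry value restricts."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError(f"mask out of range: {mask:#x}")
    return [letter for i, letter in enumerate(DRIVE_LETTERS) if mask >> i & 1]


def explorer_drive_policy(hide=(), prevent_access=()):
    """Registry values equivalent to enabling the two policies for custom
    drive sets (the editor's drop-down only offers the PRESETS combinations)."""
    return {
        "NoDrives": drive_mask(hide),
        "NoViewOnDrive": drive_mask(prevent_access),
    }


def as_reg_file(values):
    """Render the values as .reg text so the mask can be reviewed; let the GPO
    deliver the values rather than importing this by hand on each machine."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{EXPLORER_POLICY_KEY}]"]
    for name, dword in values.items():
        lines.append(f'"{name}"=dword:{dword:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed case for the question above: floppy A: and a CD-ROM on E:.
    values = explorer_drive_policy(hide="AE", prevent_access="AE")
    print(as_reg_file(values))
    print(drives_in_mask(PRESETS["Restrict A, B, C and D drives only"]))
```

One caveat worth keeping in mind: both settings govern what Windows Explorer shows and opens. They are not a device-level block, so a program given the drive's path directly can still reach it; treat them as a desktop-tidiness control, not as a substitute for removing or disabling the hardware.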

QUESTION 4: We have a Win2000 Server network environment and are running AD. About 95% of our end-user PCs are Win98 SE. How do I set Group Policies so that I can restrict end users' ability to change wallpaper, etc?

ANSWER: Bad news. Active Directory Group Policy cannot affect Windows 98 clients. Group Policy only affects Windows 2000, Windows XP, and Windows 2003 machines. You'll need to use old-style SYSTEM POLICY, which creates CONFIG.POL files. Remember -- these SYSTEM POLICIES will be permanent entries in your registry until you specifically change and invert the settings (a distinct disadvantage to Active Directory Group Policy).

QUESTION 5: I want to leverage GPOs such that a temporary user can log on only to the computer he is given. Once there, I want him to only be able to use Word, Excel, Acrobat, and Internet Explorer, but not be able to access Windows Update, Yahoo, or Hotmail. I am new to both Active Directory and Group Policy, and I don't want to mess with other users.

ANSWER: This question has a fourfold answer:

1. First, load a workstation with the specific software you want him/her to run. Your list above is fine. You can do this manually, or via Group Policy Software Installation.

2. To restrict a user to a specific computer, you need to be running NetBIOS. Then, in the user's Account tab, click the "Log on to" button and specify the computer you want to restrict the user to.

3. Users, that is, non-administrators, cannot go to Windows Update. You don't have to do anything to restrict access to this site.

4. To restrict users from all other Web sites, you'll need to get familiar with how to implement Internet Explorer Maintenance policies -- either via local GPOs or via Active Directory GPOs. The process is fairly detailed, but here are the steps in a nutshell: Configure a computer's IE settings to be as restrictive as you want, then use the Internet Explorer Maintenance Settings (specifically, those located in User Configuration |Windows Settings | Internet Explorer Maintenance | Security | Security Zones and Content Ratings) to import the current computer's settings. Then the other computers you apply the GPO to will embrace the same settings as well.

In short, you may be new to Group Policy, but you'll have to get familiar with it to do lots of tasks -- so, better get started learning!


Subscribe and Unsubscribe Information

- subscribe to this newsletter
- unsubscribe from this newsletter

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:

Thanks for reading!