MDM & GP Tips Blog

Mar 22, 2006

Issue #15

Newsletter #15

  • My Rant: Why imaging? Why SMS?
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Public Group Policy Intensive Training and Workshop Schedule Update
  • Upcoming appearances and schedule
  • Thanks Netpro!
  • Subscribe, Unsubscribe, and Usage Information

This issue is (I’m sorry folks) a rant. It’s not about the war, or politics—but about something close to us, that we can all rally behind: disk imaging and management products.

So, without further ado, my rant.

After I rant for a while, I'll give you an update on my 2006 Group Policy Class Schedule and suggest some other great stuff for you to check out.

Before I forget—the Sacramento, CA Two-Day Group Policy class is ON for March 30, 31. We have three seats available. If you want one of those seats—sign up soon at www.GPanswers.com/workshop.

PS: A hearty THANK YOU to the folks who came and saw me and Tom present Win/Lin topics at this season's TechMentor in Orlando. I'm gone now (off to the next thing), but thanks for brightening our days there. You were a super audience!


Newsletter Sponsored by: Special Operations Software

Sometimes the out-of-the-box Password Policy in Windows just isn't enough. If you need many Password Policies per Active Directory domain, or more granular control of how passwords can be created, you should have a look at Specops Password Policy.

Redmond Magazine says that "Password Policy is easy to install and easy to use. It provides much more granular control and doesn't have a long learning curve."

Click the link to read more on how Specops Password Policy can benefit your organization with increased security.


As Dennis Miller says, "I don't mean to go off on a rant here..."

My good friends at TechNet Magazine have recently released their March/April 2006 magazine. And, let me tell you—it’s excellent, specifically, if you’re running SMS to roll out your desktops and/or contemplating using the new Business Desktop Deployment (BDD) to roll out desktops.

And, I have some questions (and please don’t answer me directly via email. Please, please, please answer these questions, or agree/disagree with this rant, by going to my community forum at http://tinyurl.com/htaxw and posting your 2 cents there.)

My three questions are:

  1. Why does Microsoft have 7 ways to deploy a desktop?
  2. Why bother with image-style desktop deployments at all? And
  3. Why bother with SMS-style tools?

So, let’s get started on this very special “rant” issue.

Microsoft's desktop deployment options

By my count, Microsoft has seven ways of “officially” deploying a desktop:

Category 1: via winnt.exe

  • Put in the CD and restart the machine. This basically runs winnt.exe and installs Windows.
  • DOS-style Network boot disk to connect over the network to run winnt.exe
  • WinPE-style to again run winnt.exe (almost the same as a DOS-style network boot disk in practice)
  • Remote Installation Services (via PXE) where winnt.exe gets invoked

Category 2: via image

  • SMS + Operating Systems Deployment Pack (OSD)
  • Business Desktop Deployment (BDD), in two flavors:
    • Standard Edition and
    • Enterprise Edition
  • Vista’s all-new image-based deployment

The methods in Category 1 “build” a PC from scratch, loading Windows step by step (or via answer file), but fundamentally “create” a PC by formatting it and loading each file.

The methods in Category 2 “photocopy” from an image source in Ghost style.

So, here’s the question (again): why bother using either the Zero Touch Deployment for SMS (with the Operating System Deployment pack), the BDD, or the upcoming Vista image-based methods to roll out your desktops?

First of all, unless I’m missing something—these latest tools from Microsoft compete with each other for your desktop rollout attention. Not to mention that Vista will also come with its own image-style deployment mechanism. So, between the BDD, SMS+OSD and Vista’s imaging mechanism—I’m one confused guy—and I’m trying to understand why each has its place.

So, that’s three image-style mechanisms to do the same job. That’s my real question: can someone (anyone) explain why I might choose, say, the BDD over the SMS+OSD even if I could deploy both at exactly the same hard and soft costs? (Again, don’t reply here…post about it at http://tinyurl.com/htaxw.)

To me, it seems a main selling point of both the BDD and SMS+OSD is that they will “maintain state” as you do a desktop upgrade from, say, Windows 2000 to Windows XP. With a little elbow grease, you use the built-in User State Migration Tool, shoot up a copy of the user’s important stuff, blast down a new desktop, and restore the important stuff (like desktop backgrounds, etc., etc.).

Great. But again, why bother specifically saving the state?

If you’re using the network to store the important stuff (say, by using Roaming Profiles), and use Group Policy to maintain your application settings, why specifically go out of your way to preserve any of it? Those of you who’ve heard my talks on desktop deployment know it will still be there waiting on the network when you deploy that new desktop to the user.

So, if you want to educate me… please do so. Again, respond by posting to http://tinyurl.com/htaxw.

Beyond the Microsoft image-based deployments

Since I'm already off on a rant here, let me take it one step farther…

Truthfully, I don't even see the point of having any image-style/“photocopy-style” deployments (including other non-Microsoft image-style deployments a la Ghost, PowerQuest, or anything else). Those of you who’ve seen me speak at conferences or those who have taken my more in-depth two-day Group Policy course know my feelings about image based deployments. Yes, they’re fast—but, ultimately, they’re a “photocopy.” To recap the process, you essentially wrap up a “perfect” PC with a set of “core” applications and make a big image. Then, you deploy that image to a zillion machines. And you do it fast.

Great.

But, this means several downsides when thinking long term. First, there’s the problem with the “photocopy” aspect in terms of hardware deployment.

Yes, I know—Windows sysprep is supposed to be the answer. Sysprep’s job (especially with the -pnp switch) is to shut the machine down for photocopying. Then, once the photocopied machine is turned back on, it’s supposed to magically discover all the correct hardware, and birds will land on the computer singing and chirping.

Except it’s not guaranteed (especially the birds). Not to mention the problem with photocopying from one machine to another—the required drivers might not be there. If you’re photocopying the same image for a Dell Latitude and an IBM Thinkpad—you let me know how that’s working out for you. If you can sleep at night while doing this, you’re a stronger man than I.

Okay, I’m sure the BDD and SMS+OSD deployment have some provisions to handle this situation. But, I was at a loss on specifically how to add new drivers to either the BDD or SMS+OSD if, say, a new network card showed up in your next desktop shipment. What I am sure of is that in each case, the WinPE image (which provides you the ability to access the image) would indeed need to be tweaked to accommodate this (already a hassle). But my confusion is what about the drivers for when Windows is actually running? If I’m pulling down a fully formed image, how can I jam in new drivers? If you know, and can educate me, please do so.

Even if there is a native way to do this (easy or cumbersome) it appears that Binary Research (the original makers of Ghost) has created something to help fail-safe the process. Their “Universal Imaging Utility” product (found here) is supposed to help inject a bazillion drivers into your images—specifically to remediate this very problem I’m describing.

The next big problem with the photocopy is—it’s obsolete the very day it’s placed into service. Why? Let’s explore a typical photocopy-style rollout. Let’s say we’re deploying our image to 1000 desktops. Just to give it a name, we’ll call our project OurImage 1.0. After rolling out 300 of our 1000 desktops someone on the deployment team realizes they’ve forgotten a critical application patch, or bite-sized application, or a configuration setting, or misspelled a directory, or any number of a 1,000 things that can go wrong during image building. So, the desktop engineering team cleans up the image, and rolls out OurImage 1.1. They then roll out to the next 300 desktops. (And, of course, the problems weren’t big enough to retrofit the first 300 desktops and disrupt users.) So, now, you have 600 desktops deployed: half on OurImage 1.0 and half on OurImage 1.1.

Not ideal, to be sure.

Then, one of the applications in the image has a new minor version (which the manufacturer strongly recommends you start deploying right away). Back to the drawing board, and a new revision, OurImage 1.2, is created. The deployment rollout must go on! And OurImage 1.2 is now deployed to the next 300 clients.

So, now, that’s three somewhat-different images over 900 clients. Now when any of those users calls the helpdesk for help, which version of the image are they using? Remember each version of the image has slightly different application versions tucked inside.

Or, consider this case: the image is rolled out to 300 people—both Sales and Marketing. But Sales is constantly playing around with applications in the image they have no right to even use. Should those applications have ever been in the image at all? Sure, those applications are needed for the Marketing guys. But not for Sales. So what do some IT departments do? They send someone to trot out to the Sales desktops and manually uninstall those applications (or script it, or touch it with SMS or something).

So, it must appear as if I’m “down” on photocopy-style desktop deployments such as Ghost, SMS+OSD or the BDD. It’s not that I’m down on them, just utterly confused why anyone would use them.

With that in mind, what’s my proposed desktop deployment solution?

Group Policy of course (with a little help from Remote Installation Services)!

Why RIS? Because RIS doesn’t “photocopy” an image. It “builds” the computer from scratch, installing just the software it needs in order for Windows to run. And, there are provisions for centrally adding new and updated drivers when new hardware comes out (like NICs, sound cards, etc.).

Why Group Policy? Because you can deploy just the applications you need to just the specific people who need them. If Fred in Sales shouldn’t get an application only Marketing would use, then it’s not in any photocopy where you’d have to worry about it. Fred only pulls down applications Fred needs.

Yes, I know the downside to my strategy. That is, in order for my suggested strategy to be successful, you have to be 100% committed to the MSI promised land (or buy 3rd party Group Policy tools to deploy applications other than only MSI apps).

Now, before you napalm my house—let me wrap up this section with this one thought:
I AM NOT SAYING TO ABANDON GHOST, POWERQUEST OR ANY OTHER IMAGE-BASED TOOL IF IT’S WORKING FOR YOU.

I know lots of people are quite attached to their desktop deployment methods. If something is working for you, and you’re happy—keep on truckin’.

Don't let me stop you.

The main reason I'm down on image-type deployments is for the reasons I mentioned above:

  • Again, first, it’s a photocopy, and even though sysprep -pnp should work from machine to machine, it doesn’t always. If it does work for you—fantastic. Consider yourself blessed, and continue to make use of the speed that photocopying provides.
  • However, consider the second problem: “core applications” in the image make it difficult to customize each user’s experience for them. If you get away from photocopying, you get away from deploying unnecessary apps (or forgetting to put apps in your image).

So again, yes, I know RIS is slow. Slower than a photocopy, yes. And, if you’re comfortable photocopying machine to machine to get the OS deployed then, again, keep on doing that. All I’m asking is for you to consider not embedding the applications in the image.

My problem

Now, if you want to help me out you can explain a few things to me.

  1. If you’re actually using the SMS+OSD—how is it really “zero touch” as it’s touted? I don’t get it. I’ve read countless pieces of documentation, but it still appears as if the client needs to be “seen” by the SMS system in order to zap a new photocopy upon it. That means it needs to be an SMS client. If I’m cracking out a desktop or laptop from the cardboard box and put it on the wire, I’m totally unclear how SMS will “find” this new machine and zap it my corporate photocopy. From what I’m reading it seems (dig this) that the prescription is to actually use RIS to deploy that initial desktop, then get the SMS client loaded, then zap down the remaining applications. Wait a second—that sounds like “The Jeremy Prescription” (except you substitute GPO for SMS!) If I’m missing something, and you’re an expert here, please, please educate me.
  2. The BDD has lots of wizard-driven steps to help you create your photocopy and then deploy it. Why would anyone use the BDD at all, for any reason, when there are clearly other options which do the job? And, unless I’m looking at it wrong, it seems the BDD requires a Ghost-style imaging tool to do the work. Indeed, the documentation talks about the PowerQuest tool quite a bit. Again, I’m at a loss to understand why the RIS/Group Policy/MSI combo wouldn’t be the preferred way to go here—or just about anywhere.

More stuff to rant about (Or, why I'm already unpopular with the SMS team at Microsoft)

Since I'm ranting about SMS anyway...

The issue of TechNet magazine I mentioned has a whole article dedicated to SMS troubleshooting. When people ask me if I’d prefer SMS over Group Policy, I’ll tell them “Even if you gave me all the licenses I need for SMS, I’d still pick Group Policy over it any day.” Yes, yes, I know SMS has more features than Group Policy does.

But a Dodge Caravan has more features than a Mazda Miata. Get the picture?

In the end analysis what are the features people use when they buy that Dodge Caravan, er, SMS? Let’s look:

  • Software Deployment with targeting (which can be done with Group Policy Software Installation and WMI filters)
  • Hardware and software inventory (which cannot be done natively with Group Policy but is, I hear, coming soon with 3rd party Group Policy tools.)
  • SMS has Software Metering tools—but no one I know uses it much.
  • SMS has compliance/patch-management tools. I do know some companies which do make use of these—but only because the free WSUS wasn’t yet available, and now they feel like they’re “locked in.”

So, why would I pick Group Policy over SMS even if someone handed me unlimited free licenses? The TechNet article in the same issue entitled “No Desktop Left Behind: SMS Troubleshooting Basics” about sums it up. Not to saturate you with all the steps the author expertly describes, but, holy cow does it ever take some troubleshooting skillz (that’s skillz with a ‘z’) to get to the bottom of things when SMS stops working. In a nutshell: SMS has about a zillion moving parts. The author expertly demonstrates how to “trace” where the problem is within all those moving parts.

In a basic (very basic) comparison, the same operation (software deployment) for Group Policy is refreshingly simple. There are, in short, many fewer moving parts to troubleshoot when things go wrong. Yes, okay, maybe I’m a little biased due to my love of all things Group Policy. And that isn’t to say Group Policy always works, either.

What I am saying, however, is that when Group Policy “breaks” it’s a much easier proposition to figure out where the problem is, then actually get to fixing it. For the record, in case you think I’m making stuff up here to specifically beat up SMS, I am certified in SMS 2.0 and do know a little about what I’m talking about. (And, yes, I know SMS 2003 is a different, though similar animal.)

Simpler is better

Okay, poor SMS. I just beat it up a little bit, and I’m feeling a little guilty here. But, ask yourself if you need a tool like SMS at all.

If you need it—you need it.

But, the question is do you really need it?

I've personally met a handful of people who seem to be with me: ditching SMS and Tivoli (and the like) for a pure Group Policy-based solution to their management.

Here's the thought process: By not introducing an SMS-style tool, you’re reducing complexity.

Again, the Group Policy moving parts are already built-into the operating system.

So, if you can make use of the moving parts inside the box, my advice is to do so.

Now, let me be super-clear before the hate mail comes in from the SMS team (or SMS-style product companies). As I said: if you need it—you need it. That’s the trick, and the trap I see many organizations fall into. Many organizations inadvertently increase their complexity by adding an SMS-style management tool for not a lot of benefit. When I ask people “Why did you end up deploying your SMS-style tool?” the #1 response I get is “We needed a way to distribute software.” And 10% actually use the overall “power features” SMS provides over Group Policy.

So, again, my feeling is that, yes, an SMS-style tool is great—if it truly gives you something you cannot achieve a different way. Again, SMS provides software distribution, hardware and software inventory, patch management, image deployment, and software metering. If you need something on this list that Group Policy cannot do natively (or enhanced with third-party tools) then, yes, go get it.

But, if you don't need it—why introduce it, even if you’re getting the licenses for free?

Wrap-up

For the love of Pete (whoever he is) do NOT email me directly about this rant. While I strive to answer everyone’s email, I’m making an exception in this case. It’s not because I don’t love you, it’s because I want you to respond publicly here where we can all talk about it. Key points to talk about:

  • If you’re using the BDD…why? What does the BDD give you that other methods do not?
  • If you’re using SMS+OSD…why? How’s it working out for you?
  • How can you add drivers when Windows runs using the BDD or SMS+OSD?
  • If you’re using the “Jeremy Method” of RIS + Group Policy + MSI, how’s that working out for you? Was getting to the MSI promised land a tough haul? Did you succeed, or give up?
  • Why save user state and restore it using the USMT during the BDD or SMS+OSD process? If you’re using the network properly (redirected MyDocs and Application Data), what precisely are you saving by using the USMT?
  • Has anyone introduced an SMS-like product only to then realize it was overkill and the same task could be performed via Group Policy? How did you handle that?
  • Or, is SMS your life blood and you’re using it for a task I didn’t describe here?

Thanks for listening.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and a whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class! Classes for the first half of 2006 (lots of date changes since the last newsletter. Sorry about that.):

  • Mar 30-31, 2006: Sacramento, CA—This class is ON. If you want a seat, I suggest you sign up now. Only three seats left!
  • Apr 18-19, 2006: Atlanta, GA
  • Apr 20-21, 2006: Tulsa, OK (not Okla. City, as previously reported.)
  • Apr 26-27, 2006 (new class): Richmond, VA
  • May 15-16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop (Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Upcoming Appearances and schedule

It's going to be a busy month for me. Embrace the travel! Love the airport. Embrace the security dweebs patting me down. Well, maybe not.

Here's my ever-so-brief schedule.

NetPro Directory Experts Conference: Mar 26 - Mar 29

I'll be speaking on Windows/Linux authentication integration. My talk is at 9:15 on Tuesday the 28th. www.dec2006.com/agenda_tues.cfm

LinuxWorld Boston: Apr 3 - Apr 6

Again, on Windows/Linux authentication integration. My specific talk date is 4/4/06 and it'll be at 2:30 PM. Hope to see you there! tinyurl.com/7dspg

WinConnections Orlando: Apr 9 - Apr 12

I'll be speaking on a variety of topics at this WinConnections: "Group Policy Toolbelt", "Shared Computer Toolkit" & "Windows–Linux Integration: Authentication Services", plus a 3-hour Group Policy pre-conference warm-up. www.winconnections.com

Microsoft TechEd Boston: Jun 11 - 15

Again, on Windows/Linux authentication integration. I don't know my exact talk date yet. tinyurl.com/7lktw

Thanks, Netpro!

Recently NetPro had a cool webinar, and they mentioned us—GPanswers.com. Neat! Thought I’d return the favor. Here’s how to check out the webinar, which has a good message for anyone managing Active Directory. WEBCAST: 16 Steps to a Healthier and Happier Active Directory

Before going about securing Active Directory, you should make sure that certain configurations have not created unexpected security holes. In this webcast, NetPro CTO Gil Kirkpatrick will examine various aspects of Active Directory, from backup to DNS configuration to Group Policy management, that, when executed properly, can ensure a secure installation. Register here.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected]

If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who emails.

Thanks for reading!

Jan 17, 2006

Issue #14

Welcome to 2006

  • Technology Takeaway®, a service of Moskowitz, inc.
    • Just one LOONG tip: Creating a Bulletproof desktop with the Shared Computer Toolkit.
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Free, Free, Free speeches by Jeremy
  • By popular demand: The three-day less-intensive GP Course in PA
  • Upcoming Public two-day GP Classes for 2005 / 2006
  • What's new from GPanswers.com
  • What's new from Microsoft
  • Subscribe, Unsubscribe, and Usage Information

Moskowitz, inc. and www.GPanswers.com

This issue, we tackle something that's near and dear to me: Desktop Lockdown. It certainly feels as if all the Group Policy settings available to us would allow us full control over our desktops. But, there's something missing. In this issue, we'll explore the Shared Computer Toolkit which makes your Ultimate Desktop Smackdown vision possible.

After we talk about this, I'll give you an update on my 2006 Group Policy Class Schedule and show you some cool new features we've added to GPanswers.com.


Newsletter Sponsored by: DesktopStandard

Built-in Windows security management features simply don't give you enough granular access. As a result, administrators run applications with full administrative access - even if it is not required. This exposes the network to unnecessary security risks like viruses and spyware.

DesktopStandard's PolicyMaker line of Group Policy Extensions solves this problem with Application Security policy. Click the link to learn how you can empower your users to be more secure today.


Technology Takeaway®, a service of Moskowitz, inc.

Bulletproofing your shared desktop with the Shared Computer Toolkit

One of the top requests I get at GPanswers.com is how to take machines and “lock them down.” People want ways to ensure their machines can’t be broken by Joe User or Harry Badguy. The “out of the box” Group Policy settings can go a long way towards solving this common conundrum. But the settings in the box can only take you so far.

The situations involving computer lockdown can get complex–fast. You might not even know the people who are walking up to the machine, but you still have to give them some portion of your network resources like Internet browsing, file viewing, or printing.

You would typically find computers like these in places like universities, airports, hotels, community centers, museums, kiosk stands, and conference centers. So, these aren’t the kinds of machines that your typical business users utilize day to day; these are the kinds of machines where people need sporadic access, and they are people that you may or may not trust. And by “not trust” I mean they’re potentially downloading infectious junk off the Internet. They may be inadvertently adding spyware–or worse, they’re really out to get you and are going out of their way to try to damage your public-access PC.

What you need is a way to restrict anything from being written to the Windows partition. You need a way to trap the bad stuff, but keep the good stuff–like critical Windows updates and antivirus updates. You need a way to lock down Windows so it’s much harder to get to the under-the-hood Windows stuff, like the C:\Windows directory. And you need a way for new users to get a guaranteed profile, so you’re dictating their experience, not fighting to clean up after them. However, if you’re dreaming a little bit, you might also want to manage exceptions. That is, you might want to have a known or trusted user use this shared PC for some specific task, and to make sure that their data and settings stick around.

What you need is the Shared Computer Toolkit, or SCT. While the SCT can be many things to many people, it’s not specifically meant to be loaded on every desktop to restrict the actions of day-to-day employees (though I’m sure some enterprising geeks will attempt to roll it out corporation-wide). It’s also not really meant as a “parental control” device either, though there might be some attributes of the SCT which might be useful there.

Requirements

To use the SCT, you need a Windows XP/SP2 machine with at least 1GB of unallocated space (though having 10% of the hard drive unallocated is recommended.) This unallocated space will be converted into a special “protection partition” by the SCT. Additionally, you might want a second “Data” partition to store persistent data from trusted users to whom you specifically grant access. For instance, if someone uses this machine for their daily work, you might want them to be able to save Word documents on this additional partition.

One of the tricks is getting a machine which already runs Windows XP/SP2 and carving out some unallocated space. Typically, when Windows is installed the entirety of the hard drive is used, so there is no unallocated space. However, any repartitioning tool will make it possible, such as Symantec PartitionMagic, TeraByte BootIt Next Generation, or Acronis Partition Manager (part of the Acronis Disk Director Suite). The Microsoft documentation for the SCT specifically mentions the first two, but I already own the Acronis product and used that one with no problems.

There are two main ways to use the SCT: when machines are not joined to the domain, or when machines are joined to the domain. We’ll examine both scenarios here.

Getting Started with the SCT

After you’ve re-partitioned the machine, you’ll take the following steps to use the SCT:

  1. Install all the applications that you want to make available on the shared computer.
  2. Remove Windows components that you don’t want people to use (or would be potentially dangerous for people to use) like IIS, or Outlook Express.
  3. Install the SCT after installing the required User Profile Hive Cleanup Service (UPHClean).
  4. Configure the SCT.

Once SCT has been configured, its goal is to keep your computer as clean as the day you installed it. Therefore, be careful that you’re not actually loading “junk” on your shared computer as you’re preparing it for use.

At the heart of the SCT is the Windows Disk Protection service, or WDP. The goal of WDP is to “trap” writes to the Windows system volume, and temporarily store them on the Protection Partition so the bad guys can’t actually do any permanent damage to the real Windows partition. Once the session is over, so is any accompanying potential damage.

However, the SCT cannot prevent certain attacks from being attempted. Even though the SCT will help you lock out Windows functions like Explorer, that doesn’t mean an application you’ve installed and made available for use doesn’t have Explorer-like capabilities. For instance, many applications allow you to browse the contents of the hard drive when you’re in their File | Open dialog boxes. Again, the SCT will ultimately prevent the disruption of Windows because of the WDP—that is, the WDP ultimately discards any writes to the system volume. However, it is incapable of preventing this kind of “poking around” attack if your application lets them poke around.

To download the SCT, go to Microsoft’s website here. What I like most about the website is the opening graphic where three kids are ostensibly “learning” on the machine. However, what we really know is that they’re right-clicking over your favorite disk partition and selecting “Format.” With the SCT, you’ll be protected from rascals of all age groups.

The SCT installation is Wizard-driven, and is a snap to use. However, it requires an additional package, called the User Profile Hive Cleanup Service, or UPHClean. UPHClean is popular with Terminal Services administrators whose users have difficulties logging off Terminal Services and having their User Profile settings saved. It’s interesting to note that UPHClean is now a required component for this SCT. It would have been nice if the SCT installation didn’t make you download it separately, but (since you need it anyway) simply made it part of the SCT installation.

Configuring the SCT in 8 Easy Steps

Once SCT has been installed, configuring it is made easier with a Getting Started page (seen in Figure 1), which steps you through the configuration process.

Figure 1: The SCT Getting Started page is like a guided setup (click on figure to enlarge)

After the Getting Started guide appears, it’s easy to walk step-by-step through the process. The second step, as seen in Figure 2, mostly involves security-related Group Policy settings, which are set within the local GPO. In most cases, you’ll want to make sure all boxes are checkmarked.

Figure 2: Step 2 mostly deals with security-related Group Policy settings (click on figure to enlarge)

Step 3 simply has you create a new local user and give it a name of your choosing, such as Public.

Step 4 has you actually configure the user account the way you want: configure the desktop wallpaper, accept first-time run settings and license agreements (for programs such as Windows Media Player, Microsoft Office, and Acrobat Reader), add printers, etc. Whichever way you configure this profile is how all public users on this machine will see it.

Step 5 has you select the Public profile and lock down some additional settings, as seen in Figure 3. There are too many options to delve into right here. Thankfully, the recommended settings are all located in one place and can be selected with one checkbox, which highlights all of them. Defaults here include the restriction on running applications from USB thumb drives, restricting the running of system tools (such as regedit.exe), and preventing users from right-clicking within Internet Explorer.

Optional Restrictions, such as “Remove CD and DVD burning features” and “Prevent printing from Internet Explorer” are welcome additions.

Figure 3: It’s easy to pick the kinds of restrictions you want to apply to all users (click on figure to enlarge)

Step 6 has you actually testing the Public profile before you go into lockdown mode. This enables you to see what the user will see, but still makes it easy for you to go back and make changes in the SCT Getting Started steps.

Step 7 contains the secret sauce–the Windows Disk Protection service, which requires a reboot before it can be configured. Here, you can specify whether or not to retain changes made by public users, and how critical updates are handled, as you can see in Figure 4.

Figure 4: Once Windows Disk Protection is turned on, you can Clear, Save, or Retain changes as you see fit, as well as schedule Critical Updates, and set other options. (click on figure to enlarge)

The WDP features a very, very strong protection mechanism with four choices:

  • “Clear changes with each restart”: Once this function is turned on, the system is officially protected. All historically “sensitive” parts of the system, such as the registry, services, even critical boot files like boot.ini and NTLDR are protected from permanent harm.
  • “Save changes with next restart”: Once the SCT has been running for a while, you might realize you want to add another application to the system, or make another permanently desired change. To do this, you need to specifically select “Save changes with next restart” and you’ll have skirted around WDP this one time and integrated your changes. A quick note before this function’s use: be sure to restart the computer before you load your new application, so that you don’t seal in something bad or unknown left over from the last session. Then, once loaded, select “Save changes with next restart.”
  • “Retain changes for one restart”: If you’re adding a new application, and that application requires a reboot to finish its installation, select this option. Then, once you’re convinced you’ve loaded and configured the application correctly, pick the “Save changes with next restart” option to permanently seal in your changes.
  • “Retain changes indefinitely”: If you want to load many applications and watch their interactions over time, you might select this option. Once you’re ready to accept your changes, select “Save changes with next restart.” If you want to back out of all changes, select “Clear changes with each restart.” For example, this functionality is great for computer training centers where a new class comes in every week and you want students to have free rein over the computer. You can let them do what they want and they can restart the computer as much as they need to. At the end of the week, just clear the changes and the computer will be restored to its Monday morning state.

Another way to think about these settings is that once WDP is turned on, all changes are written to the Protection Partition (this was the previously unallocated space you carved out) until you choose “Save changes with next restart”, at which point they are merged into the real partition.

It’s likely your other corporate computers are downloading critical Windows updates from Microsoft or from WSUS by themselves (see my article in TechNet Magazine about corporate WSUS settings). However, computers using the SCT need a little TLC. That is, these computers need you to handle patching through the toolkit’s own Critical Updates schedule (Figure 4) rather than leaving it to Automatic Updates. When it’s time to install patches, the interactive user is logged off, and during the Critical Updates installation time, no users (other than administrators) can log on. It should be noted that when Critical Updates are downloaded, they are always written directly to the “real” Windows partition and not the Protection Partition. The process is quite elegant: an automatic reboot clears any potentially damaging changes users might have introduced, and then the updates are written. This ensures that only the Critical Updates make it onto the disk.

Additional Ways to Configure the SCT

So far, the discussion has been for one standalone PC–not a domain environment. One PC is a good start, but not likely how corporations, schools, and the like will ultimately roll this out. The two additional scenarios to consider are:

  • Domain-joined SCT machines, and
  • Mass deployment of the SCT (domain-joined or not)

If your target SCT machine or machines are domain-joined you can, of course, go through all the steps listed above to get the job done. But that means you have to visit each and every machine to do the job. Instead, the SCT team (thankfully) rounded up their hard work and made a Group Policy ADM file which just snaps right in to the Group Policy Editor. This file (SCTSettings.adm) is located in the C:\Program Files\Microsoft Shared Computer Toolkit\bin directory. This enables you to make mass changes on multiple SCT-enabled machines, as seen in Figure 5. The ADM template is a little rough around the edges and could use a little cleaning up of the Explain text entries to be as useful as possible, but it’s a really good start.

Figure 5: You can mass-implement changes to SCT-enabled machines via Group Policy (click on figure to enlarge)

There are some additional technical obstacles to overcome with domain-joined machines. For instance, how do you run around to 1,000 SCT-enabled machines and reconfigure their disk-protection settings? Thankfully, there’s a DiskProtect.wsf provided which you can use to script the behavior of your SCT-enabled machines. You also need to manually implement the suggested Software Restriction Policy settings which prevent System Tools and unwanted programs from running. This is all very well spelled out in Chapter 10 of the Shared Computer Toolkit Handbook, which is titled “The Shared Computer Toolkit in Domain Environments.”
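The Handbook leaves that Software Restriction Policy for you to build. Here is an added example (my own code for the web version of this newsletter, not from the SCT Handbook or the toolkit) of what such a policy looks like when written straight into the Safer registry keys that the SRP engine consults. It covers the two restrictions the Step 5 defaults are described as applying: named system tools are Disallowed, and anything launched from a removable drive is Disallowed. The list of tools and the E: drive letter are assumptions for illustration. Run it elevated on the shared computer.

```powershell
# Added example, not part of the Shared Computer Toolkit or its Handbook.
# Writes a Software Restriction Policy straight into the machine's Safer
# registry keys. The tool list and the E: drive letter are assumptions.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # security-level subkeys are named by their decimal level value
$Unrestricted = 262144     # 0x40000

function Initialize-Srp {
    # Default level Unrestricted; the Disallowed path rules below carve out exceptions.
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord   # 1 = executables (2 would include DLLs)
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 1 -Type DWord   # 1 = all users except local Administrators
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [int]$Level = $Disallowed,
        [string]$Description = ''
    )
    # Each path rule lives under <level>\Paths\{GUID}; ItemData holds the expandable path.
    $ruleKey = Join-Path $Safer ("$Level\Paths\{" + [guid]::NewGuid().ToString().ToUpper() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

function Get-SrpPathRules {
    # Read back the Disallowed paths, so the result can be re-checked after a Group Policy refresh.
    Get-ChildItem -Path (Join-Path $Safer "$Disallowed\Paths") -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
}

Initialize-Srp
# System tools a public user should not be launching (assumed list; extend to taste)
foreach ($tool in '%SystemRoot%\regedit.exe', '%SystemRoot%\System32\cmd.exe', '%SystemRoot%\System32\mmc.exe') {
    Add-SrpPathRule -Path $tool -Description 'Shared computer: block system tool' | Out-Null
}
# Anything launched from the removable-drive letter (assumed E:) is blocked outright
Add-SrpPathRule -Path 'E:\' -Description 'Shared computer: no programs from USB drives' | Out-Null
Get-SrpPathRules
```

Two caveats. First, a path rule only matches the path: a user who copies regedit.exe into a folder you did not name can still run it, which is exactly the “poking around” WDP will not stop (it only discards the copy at the next restart). Second, a domain GPO that carries its own SRP settings rewrites these keys at refresh time, so on domain-joined SCT machines put the same rules into a GPO linked to the shared computers’ OU rather than writing them locally.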

The next hurdle is the mass deployment issue. That is, how do you get the SCT bits and pieces on the target machines in the first place? The suggested avenue here is to embed the pre-installed SCT and corresponding bits inside your “Ghost-style” or “RIPrep” image build. Or, if you deploy “clean” machines, you could simply script the UPHClean and SCT installation using post-installation script commands. My first choice would be to use Group Policy Software Installation and simply assign both UPHClean and the SCT to your shared computers via Active Directory and Group Policy.

Once you have the required bits on the machines, simply use the included Group Policy ADM template and the DiskProtect.wsf script to control the computers after they’ve been deployed.

However, there are still two more hurdles to overcome. Every Windows machine must be expressly validated by Windows Genuine Advantage. This becomes a bit of a problem because each machine needs to be “touched”, either by installing an IE ActiveX control or running an HTA application.

The last problem is, how do you remotely repartition a computer’s hard drive if you don’t want to trot over to it? Remember, every SCT computer needs the required Protection Partition. If you have your own ideas of how to “mass validate” computers via WGA or remotely repartition a computer, don’t keep it a secret! Let me know and I’ll post a follow-up on GPanswers.com.

Final Outcome

Once the computers have been deployed, your users log on with the username you set; in our examples it was “Public”. And if you were using a domain account, you could feel free to use that as well. Once they’re logged on, it really is a restricted, locked-down machine, as seen in Figure 6.

Figure 6: The final outcome of an SCT-enabled machine with restrictions enforced (click on figure to enlarge)

This is a really great tool with lots of potential uses. The tool itself as well as the documentation is well thought out, and the additional control via Group Policy is just icing on the cake for a Group Policy control freak like me.

Online support for the tool is available at Microsoft’s newsgroups, here.

Additionally, before running headlong into a real deployment using the SCT, I suggest you read the included Shared Computer Toolkit Handbook, which is a well-laid-out PDF file.

For a 1.0 release, this tool really gets the job done.

SPECIAL THANKS to the Shared Computer Toolkit team at Microsoft for reviewing this article for technical accuracy. This article will appear in the July issue of Microsoft's TechNet Magazine. Consider subscribing. Click here to check out the magazine.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Free, Free, Free!

Well, the price is right, even if it stinks. But it won't stink -- I promise you'll learn something, or DOUBLE your money back!

Windows & Linux: Perfect Together (Online Roundtable)

Jan 26, 2006 from 2.00 to 3.00 PM EST (11.00 to 12.00 PST) This will be a live talk with me, my co-author of my Windows/Linux Integration book (Tom Boutell) and others! The topic: Windows & Linux Integration -- so sign up and see you online! Bring your questions! Click here to register.

WSUS Architecture Crash course

Feb 10, 2006 from 12.00 to 1.00 PM EST (9.00 to 10.00 PST) Patches and updates can be a real headache to manage. Microsoft Windows Server Update Services (WSUS) is here to make your life easier. Have you implemented it yet? This is a "Power Hour" webcast with 30 minutes allotted to talk and demos and 30 minutes allotted to questions and answers. Click here to register.

By popular demand: The "Less Intensive" Group Policy course is available as a trial in Pennsylvania

Last month I debuted my new three-day "Less Intensive" format. I explained how this course was only available for PRIVATE courses.

Well, as an experiment, I'm making it available as a PUBLIC course in Newtown, PA in February 7, 8 and 9.

This course starts with a half day warm-up of Active Directory, managing users and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration can get a bit of fundamentals before diving in to the Group Policy waters.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory -- now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes for first half of 2006 (lots of date changes since the last newsletter. Sorry about that.):

Feb 7, 8, 9: Newtown, PA (Three day, "less-intensive" AD/GPO course). Newtown, PA is near Trenton, Philly, and other major metro areas.
Feb 21 - 22, 2006: San Antonio (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Feb 27 - 28, 2006: Portland, OR
Mar 2 - 3, 2006 : Atlanta, GA
Mar 15 - 16, 2006: Washington, DC
Mar 30 - 31: Sacramento, CA
Apr 20 - 21, 2006: Tulsa, OK (not Okla. City, as previously reported.)
May 15 - 16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Other Changes around GPanswers.com

In the last issue, I explained about our "mini-web overhaul." I'm trying to keep the new features coming so you can have the best Moskowitz,inc. / GPanswers.com / WinLinAnswers.com experience. New since last time:

  • The FAQ/Tips and Tricks area has even BETTER categories, which makes things easier to search
  • Did you know the GPanswers and WinLinAnswers community forums are RSS enabled?
    • The RSS feed for the GPanswers.com/community room is: https://www.gpanswers.com/community/rss.php
    • The RSS feed for the WinLinanswers.com/community room is: http://www.winlinanswers.com/community/rss.php
  • If you're not a big fan of RSS, you can get new posts on any given forum MAILED to you. I've been waiting FOREVER for this feature. You need to enable it for any and every forum you want to "watch". When any new post appears in the forum -- you get a little email summary. This is great for the Announcements forum, or any specific technical forum to make sure you don't miss a great question, or a great answer. Click on the graphic below to see where this feature is found.

(Click picture to enlarge)

  • We're working on a global GPanswers.com search -- which should also be able to buzz through PDFs and all questions in the forums. Not there yet with this one, but stay tuned.

What's new from Microsoft?

Lots, actually! Microsoft has three new documents to help better understand GP. Well, the first one isn't really a "document" but rather a(nother) FAQ for GPOs. Yes, we have one here at GPanswers.com, but I guess it's okay that the boys in Redmond have their own too, right? :-)

Additionally, they released two documents to help understand how Vista and Longhorn will change Group Policy.

So, how do you find all these new resources? You could Google for hours and not find them! Of course, we have the links, right off our Microsoft Resources page. Just scroll to the bottom to check out the new docs.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who emails.

Thanks for reading!

Nov 2005
25

Issue#13


  • It's Issue 13 ... Do you feel lucky?
  • Technology Takeaway (r), a service of Moskowitz, inc.
    • Tips and tricks
      • Just one tip: Delegated permissions, the perils therein and how to pull back the reins
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Something new... Two Training Options: Intensive Two day and "Less Intensive Three Day"
    • Upcoming Public GP Classes for 2005 / 2006
  • What's new around GPanswers.com
  • Subscribe, Unsubscribe, and Usage Information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 13

It wasn't long since the last newsletter, but... when I get busy working on something that affects a lot of people, I want to make sure you get it ASAP!

I think you're really going to like this newsletter. It's HUGE and has *TONS* of graphics for this massive how-to. Don't be scared away by the "unlucky" number 13. Okay, so the big problem we tackle this month is large. The lucky part is that you found this newsletter, and will be well prepared to correct for it!!

After we talk about this, I'll give you an update on my 2006 Group Policy Class Schedule and talk about some other stuff.


Technology Takeaway, a service of Moskowitz, inc.

Delegation... the perils therein, and how to pull back the reins

One of the key things for your organization to get right is the proper balance of power. Specifically, you need to decide just who creates GPOs and who can link them to areas in Active Directory.

Sometimes, it's just the people in the Domain Admins group. That's fine, if that works for your organization. But if you're the only Domain Administrator, or, if there's only a handful of you, then managing Group Policy for hundreds or thousands of users could be a troubling, cumbersome task which you're always doing again and again. When there's something to be tweaked - you're the one who's called - every time.

Again, if you like it that way - that's great. I'm not proposing to take that away from you. However, if you want some helpers with your GPO comings and goings, then enter the magical world of Group Policy delegation.

The idea is simple: give someone else the rights to create GPOs in the domain, and you won't have to do it. Before you run away and say "My people can't handle this task!!" let's actually analyze this for a second.

First, you need to ask yourself, "Who knows my users best?" Sometimes, that is the Domain Administrator. Sometimes, however, it's the OU administrator, or even, perhaps someone else. We'll call these people (whomever they are) "helper-administrators." For our definition, "helper-administrators" don't have Domain Administrator rights - they're just average Janes and Joes with some ability you've delegated them.

When it comes to Group Policy implementation, one often-successful strategy is to get the power in the hands of the helper-administrators that are closest to the users. So, even though by default, the only people who can create GPOs are Domain Administrators, you might want to re-consider and delegate the permissions such that other administrators (usually OU administrators with non Domain Administrator powers) can also create GPOs.

Delegation 101

In this picture, you can see the basic procedure which gives people the ability to create new GPOs. First, click on the Group Policy Objects node. Then, click on the Delegation tab. Finally, click on Add (at the bottom of the page) and add in the user you want to delegate the ability to create GPOs.

Figure 1: Delegation to create new GPOs occurs at the Group Policy Objects node in the delegation tab (Click on figure to enlarge)

In this example, we'll anoint a helper-administrator, Nurse1, to create GPOs. Now, just because this helper-administrator can create GPOs doesn't mean they can actually do anything useful, like linking them somewhere. In other words, the simple fact that a GPO is created doesn't inherently mean it's doing anything or affecting anyone. For that, there's another delegation tab, which you'll find at the level in Active Directory you want to delegate (for instance, domain or OU).

In this example, you can see the delegation tab at the Nurses OU.

Figure 2: The Delegation tab at the OU level determines who can link GPOs to this OU (Click on figure to enlarge)

Now that the user Nurse1 can create GPOs, and link them to the Nurses OU, you've empowered this helper-administrator. The idea, again, is that this helper-administrator knows the user population very well, and has the proper knowledge of creating GPOs which (hopefully) won't "break stuff" (to use a technical term.)
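The same two delegation steps, scripted, as an added example (my own code for the web version, not something from the original newsletter or the GPMC). It assumes a domain named corp.example with NetBIOS name CORP, the helper-administrator Nurse1 and an OU named Nurses, and that you run it as a Domain Admin on a domain member. The commands are the cmd.exe tools net.exe and dsacls.exe, so they work just as well from a batch file.

```powershell
# Added example, not part of the original newsletter. Assumed names throughout.
$Domain  = 'CORP'                              # assumed NetBIOS domain name
$Account = "$Domain\Nurse1"                    # assumed helper-administrator
$OuDn    = 'OU=Nurses,DC=corp,DC=example'      # assumed OU

# Step 1 (what Figure 1 does in the GPMC): the right to create GPOs in the
# domain comes from membership in the built-in Group Policy Creator Owners group.
net group "Group Policy Creator Owners" Nurse1 /add /domain

# Step 2 (what Figure 2 does): "Link GPOs" on an OU is nothing more than
# Read/Write on two attributes of the OU object, gPLink and gPOptions.
# dsacls syntax is user:perms;attribute, with RP = read property, WP = write property.
dsacls $OuDn /G "${Account}:RPWP;gPLink"
dsacls $OuDn /G "${Account}:RPWP;gPOptions"

# Verify: the OU's ACL should carry exactly these two property rights for
# Nurse1 and nothing more (no Full Control, no rights on child objects).
dsacls $OuDn | Select-String -SimpleMatch 'Nurse1'
```

Keeping the grant to those two attributes is the point: the helper-administrator can link and unlink GPOs on that OU, but cannot touch the users and computers under it, and (because of the ownership behaviour described next) can edit only the GPOs she created herself.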

However, there are some pitfalls in allowing a helper-administrator to do this. One fear that Domain Administrators (rightly) have is that these delegated helper-administrators can do bad, bad things. This is always a possibility, but then again, you wouldn't delegate someone to drive your Ferrari unless they took a lesson or two, right? (Subtle hint to get your Domain Administrators and OU admins into my highly acclaimed two-day Group Policy Intensive Training and Workshop class, but I digress).

It's very similar here; and as Domain Administrators, sometimes we have issues letting go. :) Let's put aside that specific fear of a helper-administrator messing something up inside a GPO and affecting users, and move on to a different sort of problem: a helper-administrator deliberately (or inadvertently) hiding the GPO from the Domain Administrator.

When Good Admins go Bad

Specifically, the person who creates the GPOs also owns the GPO as you can see in this picture.

Figure 3: Someone who is delegated the right to create a GPO also owns the GPO (Click on figure to enlarge)

Because the helper-administrator user owns the GPO, they can basically do whatever they want to the GPO. The idea here is that you're granting someone you trust the ability to create GPOs and use them wisely. Hopefully, these helper-administrators will use the power wisely; but, sometimes, administrators are rogues (as Microsoft calls them) or jerks (as I call them).

Rogue-like (or Jerk-like) behavior could include changing the permissions on the GPO so even the Domain Administrator can't see the GPO. In this example, the helper-administrator has set the permissions on the GPO that she has access to as follows:

Figure 4: The helper-administrator has removed permissions from the Domain Administrator with an explicit Deny on all attributes

In other words, the Domain Administrator is denied access to even see the GPO. Now, when the Domain Administrator looks at the Group Policy Objects node in GPMC, the GPO is simply not listed, because it is being hidden by the explicit Deny entries the Nurse put on the GPO.

Note, however, that where Nurse1 linked the GPO to a location in Active Directory, the link is still visible, though marked Inaccessible, as seen below.

Figure 5: The GPO is now missing from the Group Policy Objects node in the GPMC. However, you can see an Inaccessible marker where it's been linked. (Click on figure to enlarge)

Depending on your perspective, this could be a problem.

On the one hand, the GPO is, in fact, working as advertised and nothing is technically wrong here. The Nurses will get the GPO applied to them and everything will continue functioning normally. The only problem is an unruly helper-administrator who is hiding his or her actions from the Domain Administrator. At this point, you can choose to do one of two things: nothing, or perform a Take Ownership upon the GPO and put the power back into your hands.

Reclaiming the Fort: Taking Ownership

Let's examine what it takes to Take Ownership of a GPO as a Domain Administrator and restore the GPO back to health. First, the Group Policy Objects node in the GPMC is a representation of the two halves of a GPO: the GPC (the part that lives in Active Directory) and the GPT (the part that lives in the SYSVOL). In order to recover, we need to take ownership of both halves.

Let's first examine how to take ownership of the GPC part, because this is the part that controls visibility of the GPO in GPMC.

To do this, we need to go back to the old-school way we used to manage GPOs: Active Directory Users and Computers. To get started, you need to view Advanced Features as seen here in Active Directory Users and Computers.

Figure 6: To dive in and see the GPC, we need to enable Advanced Features in Active Directory Users and Computers.

Once Advanced Features is enabled,you can dive down into the GPC part of the Group Policy. You do this by diving into System | Policies and looking for the GUID of the GPO object that currently has the problem. What's interesting in this view is that you cannot see the GUID of the GPO in the left pane, but only in the right pane listed as Unknown.

Figure 7: Inaccessible objects show up in the right pane as Unknown. (Click on figure to enlarge)

When you go to the properties of this object and click the Security tab, you'll see the error message in Figure 8 below.

Figure 8: The ACL editor forbids you, the Domain Administrator, from seeing the permissions because you are expressly Denied. (Click on figure to enlarge)

From this point, you might be tempted to give the Domain Administrator, say, Full Control rights. But, if you try it, it won't work. What you really need to do first is to take ownership of the object.

Figure 9: You need to select the Administrators group as the new owner and select Apply. (Click on figure to enlarge)

Unfortunately, once you've taken ownership of the object, you cannot immediately give the proper permissions back to the object. You need to close the ACL editor, and then right-click on the GPC portion again and select Properties | Security. Only now can you actually change the permissions.

Figure 10: To fix the GPC portion, click Full Control | Allow for the Domain Admins group

Taking Ownership of the GPT

Once you've granted Domain Admins Full Control over the GPC again, you're about halfway finished. Again, all you've fixed is the GPC. Now, it's time to dive into the GPT and perform the same Take Ownership tasks.

The GPT part of a GPO lives on every Domain Controller, typically in the %SystemRoot%\SYSVOL\sysvol\{domain-name}\Policies directory. (Yes, that's two sysvol directories.) Then, inside this directory are directories for each GPO's GPT. In my example here, my GPT has a GUID starting with 0f8D1AD2 (as seen in Figures 7, 8, and 10 among others). So, we need to locate that directory, and take ownership of it in the same way we did with the GPC. You can see this in Figure 11.

Figure 11: Take ownership of the file-based GPT the same way you did with the Active Directory based GPC (Click on figure to enlarge)

Once performed, you'll have to (again) exit the ACL editor and re-enter it. Then, ensure that Administrators have Full Control similar to the way that you did with the GPC. Though in this case, note that the default permissions should automatically set Administrators (not Domain Admins) to Full Control.

The Final Fixeroo

If you were now to go back to the GPMC and refresh the Group Policy Objects node, you would now see the previously-hidden GPO. However, when you click on it, you might get a message similar to what is seen in Figure 12.

Figure 12: The GPMC recognizes that permissions are amiss between the GPC and GPT. (Click on figure to enlarge)

This is exactly the gift we wanted! Clicking OK will copy the permissions from the GPC over to the GPT. However, the bad news is that you might not actually get this message! If you don't get this message, you have to manually kickstart permissions synchronization between the GPC and GPT.

To do this, click on the Delegation tab of the GPO and click the Advanced button. When you do, you're able to edit the actual ACLs of the GPO, which should (simultaneously) affect both the GPC and GPT. Make a change (any change) and apply it even if it's something temporary. For instance, add a new user and grant that user Read access. Then apply that change. Then, remove that user. The point is to make any change. When you do this, you are writing the ACLs to both the GPC and GPT.

Now they're in sync, and now you've fixed the problem.

Figure 13: Make a change any change (and apply it). When you do, the GPC and GPT will be simultaneously adjusted to reflect the ACL change. (Click on figure to enlarge)
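Clicking through ADUC and Explorer is fine for one GPO. If you want to know whether any helper-administrator has pulled this trick, here is an added example (my own code for the web version, not part of the original newsletter) that audits every GPO in the domain and then repairs one the same way the walkthrough above does, with command-line tools. The audit relies on the symptom described above: a GPC that denies Domain Admins vanishes from an LDAP search of CN=Policies, while its GPT folder is still sitting in SYSVOL. It assumes the domain corp.example (NetBIOS CORP), that you run it elevated as a Domain Admin, and, for the repair, a dsacls.exe that supports /takeownership (Windows Server 2008 or later) plus the GroupPolicy PowerShell module for the final sync.

```powershell
# Added example, not part of the original newsletter. Assumed names throughout.
$Domain   = 'corp.example'                       # assumed DNS domain name
$DomainDn = 'DC=corp,DC=example'                 # assumed
$Sysvol   = "\\$Domain\SYSVOL\$Domain\Policies"
$Trusted  = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM'   # owners we expect

function Get-VisibleGpcs {
    # A GPC that carries a Deny for us never comes back from the search,
    # which is exactly why it disappears from the GPMC's Group Policy Objects node.
    $root = [ADSI]"LDAP://CN=Policies,CN=System,$DomainDn"
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=groupPolicyContainer)')
    $s.SearchScope = 'OneLevel'
    $found = @{}
    foreach ($r in $s.FindAll()) {
        $e = $r.GetDirectoryEntry()
        $found[[string]$e.Properties['cn'].Value] = @{
            Name  = [string]$e.Properties['displayName'].Value
            Owner = $e.ObjectSecurity.GetOwner([System.Security.Principal.NTAccount]).Value
        }
    }
    $found
}

function Find-SuspectGpos {
    $gpcs = Get-VisibleGpcs
    Get-ChildItem -Path $Sysvol | Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' } | ForEach-Object {
        $guid     = $_.Name
        $gptOwner = (Get-Acl -Path $_.FullName).Owner
        $gpc      = $gpcs[$guid]
        $issue    = $null
        if (-not $gpc) { $issue = 'GPT in SYSVOL but GPC not readable (hidden by Deny, or orphaned)' }
        elseif ($Trusted -notcontains ($gpc.Owner -split '\\')[-1]) { $issue = "GPC owned by $($gpc.Owner)" }
        elseif ($Trusted -notcontains ($gptOwner -split '\\')[-1])  { $issue = "GPT owned by $gptOwner" }
        if ($issue) {
            New-Object PSObject -Property @{ Guid = $guid; Name = $(if ($gpc) { $gpc.Name } else { '?' }); Issue = $issue }
        }
    }
}

function Repair-GpoOwnership {
    param([Parameter(Mandatory=$true)][string]$Guid, [string]$TempPrincipal = 'Domain Computers')
    $gpcDn  = "CN=$Guid,CN=Policies,CN=System,$DomainDn"
    $gptDir = Join-Path $Sysvol $Guid
    # GPC, in two separate steps as in Figures 9 and 10: owner first, then permissions.
    dsacls $gpcDn /takeownership                        # needs the Server 2008+ dsacls.exe (assumption)
    dsacls $gpcDn /G 'CORP\Domain Admins:GA' /I:T         # GA = generic all, inherit to sub-objects
    # GPT (Figure 11): the same two steps on the SYSVOL folder.
    takeown /F $gptDir /A /R /D Y                       # /A: ownership goes to the Administrators group
    icacls $gptDir /grant 'BUILTIN\Administrators:(OI)(CI)F' /T
    # The final fixeroo (Figure 13): any ACL write through the Group Policy API
    # re-syncs GPC and GPT. Grant a throwaway Read, then take it away again.
    # $TempPrincipal is any principal not already on the ACL (assumed choice).
    Set-GPPermission -Guid $Guid -TargetName $TempPrincipal -TargetType Group -PermissionLevel GpoRead | Out-Null
    Set-GPPermission -Guid $Guid -TargetName $TempPrincipal -TargetType Group -PermissionLevel None -Replace | Out-Null
}

Find-SuspectGpos | Format-Table Guid, Name, Issue -AutoSize
# Repair-GpoOwnership -Guid '{<GUID from the audit output>}'
```

Run the audit on a schedule and the "GPC not readable" row is your early warning; the owner rows are informational, since a GPO legitimately owned by a helper-administrator (Figure 3) is the normal result of delegation and only becomes a problem once the ACL is changed.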

Moral of the Story

Delegation is a very good thing if you trust the people to whom you're delegating. You can't cover every base, however, and some helper-admins are just going to be jerks. For that reason, this tutorial on how to restore permissions on hidden GPOs will help you know how to take back control.

SPECIAL THANKS to Darren Mar-Elia, CTO for Infrastructure Management Solutions at Quest Software, and operator of GPOguy.com for helping work out this problem with me.


Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Now available: Private GP Course in "Less Intensive" format

Everyone knows the two-day Group Policy course is really three days of material packed in to two intensive days. However, some customers have asked for a "Less Intensive" format.

Your wish has been granted!

This course starts with a half-day warm-up of Active Directory, managing users and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of fundamentals before diving into the Group Policy waters.

This "Three-day Less Intensive" option is ONLY available as a private course. Note, the "Two-day Intensive" option is available as either a private or public course.

Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory -- now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes remaining in 2005:
Dec 13 - 14, 2005: Minneapolis (Bloomington), MN (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)

Classes for first half of 2006:
Jan 16 - 17, 2006: Philly / Berwyn, PA (moved from Nov 2005) (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Jan 24 - 25, 2006: Sacramento, CA
Jan 26 - 27, 2006: Portland, OR
Feb 21 - 22, 2006: San Antonio (We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Mar 2 - 3, 2006 : Atlanta, GA
Mar 15 - 16, 2006: Washington, DC
Apr 20 - 21, 2006: Oklahoma City, OK
May 15 - 16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: www.gpanswers.com/live-class
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services and Product Support Services teams at Microsoft!

For a public class, sign up online at: www.gpanswers.com/online-class
For a private class, just contact me at [email protected] or call me at 302-351-8408.  

Other Changes around GPanswers.com

We've had a mini-web overhaul lately. It might not look a whole lot different, but there's a lot of things, here and there that have been changed.

  • There is no more "downloads" section off the main page. The downloads that were there were moved to the FAQ/Tips and Tricks
  • Speaking of the FAQ/Tips and Tricks area, the Tips and Tricks are now in categories, which makes things easier to search
  • The book downloads (and any updates) are now centrally located right off the main page. It's now called "GP Book Resources"
  • We came up with a way to be able to click on any graphic and have it pop-up to full page view. We're working on backfilling all Tips and Tricks, Solutions Guide, and other areas which have scaled-down graphics to enable pop-ups to full size.
  • We're working on a global GPanswers.com search -- which should also be able to buzz through PDFs and all questions in the forums. Not there yet with this one, but stay tuned.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Nov 2005
07

Issue#12

In this issue:

  • It's Issue 12 ... Wow.. a new format!
  • Group Policy Intensive Training and Workshop Schedule Update for 2006
  • Technology Takeaway (r), a service of Moskowitz, inc.
    • Juicy tips and tricks (Jumbo sized!)
      • All about login scripts (Offline and Online)
      • All about WSUS settings
  • Upcoming Conferences, Appearances, and Classes
    • Upcoming GP Classes for 2005 and 2006
  • Additional Technical Tidbits
    • All about VMware's new gizmo and Microsoft's whizbang licensing!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Get a signed copy of Windows & Linux Integration
  • Subscribe, Unsubscribe, and Usage Information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 12

This is the first newsletter for a LOT of people I've met in the last several months. I've been to:

  • SMB Nation in Seattle
  • Two or three Microsoft TS/2 Roadshows
  • WinConnections
  • TechMentor
  • and more !

So, a big hearty WELCOME to all those people who signed up via giving me a business card at an event.

As you can see, our newsletter format has changed a bit. It's now online as a full web page, instead of being a mail-delivered document. Of course, you got the notification via email -- and that's going to stay the same. The good news about putting things in a web page like this is simple: I can inject graphics and other HTML goodies without getting your spam filters all huffy at me.

Let's get right to the goodies, then I'll give you an update on my 2006 Group Policy Class Schedule and talk about some other stuff.

Technology Takeaway (r), a service of Moskowitz, inc.

Here's what's on people's minds recently...

Can logon scripts be set to run when a user re-docks their laptop? (or otherwise force user login script GPO processing via a command or script?)

Scenario: A notebook user can log on to their computer with cached credentials (ie: not connected to the network.) When this happens, it appears that their logon script that maps their drives does not run. Upon returning to the office they dock their computer, but they still do not get their network drives.

So... Can logon scripts be forced to run when the user returns to the office?

The answer in this case is no. Logon scripts are processed only in the foreground (at logon). Since the user is already logged on with cached credentials, re-docking triggers only a background refresh, and the logon script settings in this GPO do not run during a background refresh.

This question was submitted recently via email, and it's a good one (so good, we added to the FAQ at www.gpanswers.com/faq).

Is there any advantage to running a login script from the network or from the local PC?

This is something you should consider for laptop users. If you place a script on the local drive of the client and point the GPO to it, the script will run upon logon even if the laptop is not connected to the network. BUT, it can only perform tasks that don't require the network, so things like mapping network drives won't work.

Oftentimes, administrators choose to perform tasks like mapping network drives and other things which are simply impossible if the network is not available. However, again, technically, the script is trying to run - even if it cannot perform the command you want.

If your logon script also performs actions that do not depend on the network, those actions still succeed on an offline logon, so keep them in the script.
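As an added example (not from the newsletter), here is a logon script written to tolerate exactly this situation: it does its network-independent work unconditionally and attempts the drive mapping only when the file server answers, logging why it skipped otherwise. The server name FS01, the share name and the drive letter are assumptions.

```powershell
# Added example, not from the newsletter: a logon script that behaves sensibly
# when the user logged on with cached credentials (laptop off the network).
# Assumptions: FS01 is the file server, 'Shares' the share, H: the drive letter.

param(
    [string]$FileServer  = 'FS01',     # assumption: your file server's name
    [string]$ShareName   = 'Shares',   # assumption: the share to map
    [string]$DriveLetter = 'H'         # assumption: the drive letter to use
)

# 1. Work that never needs the network runs first, so it succeeds on every logon,
#    cached-credential logons included.
$localLog = Join-Path $env:LOCALAPPDATA 'logon-script.log'
"$(Get-Date -Format o) logon by $env:USERNAME on $env:COMPUTERNAME" | Add-Content -Path $localLog

# 2. Network-dependent work is attempted only if the server answers; otherwise the
#    script records why it skipped instead of hanging or throwing errors at the user.
function Test-ServerReachable {
    param([string]$Name)
    try {
        # -Quiet returns $true/$false; -Count 1 keeps the logon fast.
        return (Test-Connection -ComputerName $Name -Count 1 -Quiet -ErrorAction Stop)
    } catch {
        return $false
    }
}

if (Test-ServerReachable -Name $FileServer) {
    $uncPath = "\\$FileServer\$ShareName"
    # Drop a stale mapping left over from an earlier session before re-mapping.
    if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $DriveLetter -Force
    }
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $uncPath -Persist -Scope Global | Out-Null
    "$(Get-Date -Format o) mapped ${DriveLetter}: to $uncPath" | Add-Content -Path $localLog
} else {
    "$(Get-Date -Format o) $FileServer unreachable; drive mapping skipped (cached logon?)" | Add-Content -Path $localLog
}
```

Because re-docking does not re-run the script, the log line tells the help desk why the drive is missing, and the user (or a desktop shortcut to the same script) can re-run it once the network is back.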

How can I configure a workstation to download updates from my WSUS Server (or SUS I haven't upgraded) instead of Windows update?

Windows XP / SP2 comes with the latest "wuau.adm" ADM template which contains the power you need to point your workstation anywhere you want it to retrieve its updates from. The settings are under Computer Configuration | Administrative Templates | Windows Components | Windows Update as seen here.


Here you find the following ten settings (a more detailed explanation of each can be found on each setting's Explain tab).

  • Configure Automatic Updates

This setting must be enabled if you want to specify the settings the workstation needs to retrieve automatic updates using Group Policy. It is essentially the same as using the Control Panel applet to configure the download option, and the installation schedule.

Note there are four potential settings... #2, #3, #4 and #5 as seen below.


When you set up an OU which contains regular workstations, you'll likely want to set this value to #4 -- which will auto download AND install the patches. This can often mean a reboot, so be sure to educate your users to SAVE their files before going home for the day.

For the least amount of disruption for your users, you'll want to set your installation to happen off hours, say 3:00 AM.

When you set up an OU which contains SERVERS, you'll likely want to set this value to #3 -- which will auto download, but then notify an administrator who logs on locally to that server that patches have been downloaded. The idea here is that you wouldn't want a server just rebooting at 3:00 AM! You want to control that installation and reboot process a little more closely.

  • Specify intranet Microsoft update services location

This setting allows you to point the workstation to the WSUS (or SUS) server in your organization (e.g., http://wsus1.company.com). Note that both fields need to point to the same server. It is an invalid configuration to have different entries here.


  • Enable client-side targeting

In WSUS, you can create groups for your workstations to belong to. Note that these "groups" aren't NT-style groups. I wish Microsoft had called these "collections" to make the distinction. And, what's more, WSUS really doesn't hook into Active Directory beyond this one setting.

The idea is to have several collections, er, groups then approve specific updates differently as you see fit. For instance, you could have a pilot test group before you roll the update out to everyone. Or, you might manage Doctors differently than Nurses.

The one trick here is that you must first pre-create the groups on the WSUS server. Then, once your clients receive the setting you're delivering via Group Policy, they'll automatically join the group.

  • Reschedule Automatic Updates scheduled installations

What happens if the workstation is off when it's supposed to be installing your approved patches? In this case, the update will be installed at system startup. This setting allows you to tell the workstation how long to wait after system start before installing the update, and rebooting the workstation.

Be careful not to have the computer wait too long after startup, as your users may start working away and all of a sudden their machine says it is about to reboot. Chances are, your user will turn on their computer before they grab their morning coffee, so if you can set the delay to less than five minutes, chances are they won't even notice!

  • No auto-restart for scheduled Automatic Updates installations

If you have the "Reschedule Automatic Updates scheduled installations" setting enabled, you can also enable this setting if you do not want the computer to automatically reboot after the installation. The user will be notified that a reboot is required to complete the installation.

  • Automatic Updates detection frequency

You can tell the workstation how often it should check in with the Update Server by enabling this setting. The detection frequency is the hours specified, minus zero to 20 percent of the hours specified. The default setting is 22 hours.

  • Allow Automatic Updates immediate installation

If an update that is approved can be installed without interrupting Windows service and does not restart Windows, it will be installed immediately upon detection if this setting is enabled.

Although an update like this has yet to be seen, it's a nice idea to have the update apply as soon as possible.

  • Delay Restart for scheduled installations

By default, Windows will wait five minutes after installation before rebooting the computer. This setting allows you to specify how many minutes the computer should wait before reboot.

  • Re-prompt for restart with scheduled installations

This setting allows you to set the amount of time that passes before re-prompting that a restart is required to complete an installation of updates.

If you are automatically installing updates and restarting machines after hours, this setting isn’t necessary.

  • Allow non-administrators to receive update notifications

Enabling this setting will allow non-administrators to receive notifications either before downloading or before installation of updates.

Again, if you are setting your computers to install and restart during off hours, this setting isn't necessary, unless you really want your users to install the updates and restart their computers during the workday.
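The following PowerShell is an added example, not from the newsletter: it audits the registry values these ten policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and flags the combinations the text calls out (mismatched server fields, an AUOptions value that is unusual for a workstation or a server, an install window in working hours, a long post-startup delay, an empty target group). The -Role parameter and the constructed sample values are assumptions; the server URL is the one quoted above.

```powershell
# Added example, not from the newsletter: audit the WSUS client policy values.
# Registry value names are the documented ones under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey.
# Assumption: -Role selects the AUOptions value the text recommends (4 or 3).

function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)] [hashtable]$WU,   # values from ...\WindowsUpdate
        [Parameter(Mandatory)] [hashtable]$AU,   # values from ...\WindowsUpdate\AU
        [ValidateSet('Workstation','Server')] [string]$Role = 'Workstation'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # "Specify intranet Microsoft update services location": both fields must name
    # the same server, and the location is only honoured when UseWUServer = 1.
    if (-not $WU.WUServer) {
        $findings.Add('No WUServer set: the client will use Windows Update on the Internet.')
    } else {
        if ($WU.WUServer -ne $WU.WUStatusServer) {
            $findings.Add("WUServer ($($WU.WUServer)) and WUStatusServer ($($WU.WUStatusServer)) differ: invalid configuration.")
        }
        if ($WU.WUServer -notmatch '^https://') {
            $findings.Add('WSUS location is not HTTPS: client/server traffic is unauthenticated in transit.')
        }
        if ($AU.UseWUServer -ne 1) {
            $findings.Add('UseWUServer is not 1: the intranet location is ignored.')
        }
    }

    # "Configure Automatic Updates": options 2-5; the text recommends 4 for
    # workstations and 3 for servers so that server reboots stay under control.
    if ($AU.NoAutoUpdate -eq 1) { $findings.Add('NoAutoUpdate = 1: Automatic Updates is disabled.') }
    $expected = if ($Role -eq 'Server') { 3 } else { 4 }
    if ($AU.AUOptions -notin 2..5) {
        $findings.Add("AUOptions '$($AU.AUOptions)' is not one of 2-5.")
    } elseif ($AU.AUOptions -ne $expected) {
        $findings.Add("AUOptions is $($AU.AUOptions); $expected is the usual choice for a $Role.")
    }
    if ($AU.AUOptions -eq 4 -and $AU.ScheduledInstallTime -in 7..19) {
        $findings.Add("ScheduledInstallTime $($AU.ScheduledInstallTime):00 falls in working hours; an off-hours slot such as 3 avoids mid-day reboots.")
    }

    # "Reschedule Automatic Updates scheduled installations": keep the post-startup
    # delay short (the text suggests under five minutes) or users get interrupted.
    if ($AU.RescheduleWaitTimeEnabled -eq 1 -and $AU.RescheduleWaitTime -gt 5) {
        $findings.Add("RescheduleWaitTime is $($AU.RescheduleWaitTime) minutes; users may already be working when the install starts.")
    }

    # "Automatic Updates detection frequency": 1-22 hours when enabled.
    if ($AU.DetectionFrequencyEnabled -eq 1 -and $AU.DetectionFrequency -notin 1..22) {
        $findings.Add("DetectionFrequency $($AU.DetectionFrequency) is outside 1-22 hours.")
    }

    # "Enable client-side targeting": the name must match a group pre-created on the WSUS server.
    if ($WU.TargetGroupEnabled -eq 1 -and [string]::IsNullOrWhiteSpace($WU.TargetGroup)) {
        $findings.Add('Client-side targeting is enabled but TargetGroup is empty.')
    }
    return $findings
}

# Read the live values from the policy hive on a client (run in an elevated PowerShell).
function Get-WsusClientPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $toHash = {
        param($path)
        $h = @{}
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item) {
            # Drop the PSPath/PSParentPath/... bookkeeping properties, keep the policy values.
            $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $h[$_.Name] = $_.Value }
        }
        $h
    }
    @{ WU = (& $toHash $base); AU = (& $toHash "$base\AU") }
}

# Constructed sample (no registry access needed): a workstation OU policy that
# points at the server from the text, auto-installs at 03:00, with a 10-minute
# post-startup delay and the Pilot target group.
$sample = @{
    WU = @{ WUServer = 'http://wsus1.company.com'; WUStatusServer = 'http://wsus1.company.com'
            TargetGroupEnabled = 1; TargetGroup = 'Pilot' }
    AU = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3
            RescheduleWaitTimeEnabled = 1; RescheduleWaitTime = 10 }
}
Test-WsusClientPolicy -WU $sample.WU -AU $sample.AU -Role Workstation
```

Against the constructed sample the function reports two findings: the server location uses http:// rather than https://, and the 10-minute RescheduleWaitTime exceeds the five minutes suggested above. On a real client, `$live = Get-WsusClientPolicy; Test-WsusClientPolicy -WU $live.WU -AU $live.AU -Role Server` checks what the GPO actually delivered, which is the quickest way to confirm the policy landed before blaming WSUS itself.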

Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory -- now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes remaining in 2005:
Nov 28 - 29, 2005: Philadelphia (Berwyn, PA)
(We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)

Dec 13 - 14, 2005: Minneapolis (Bloomington), MN
(We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)

Classes for first half of 2006:

Jan 24 - 25, 2006: Sacramento, CA
Jan 26 - 27, 2006: Portland, OR
Feb 21 - 22, 2006: San Antonio
(We almost have enough interested people. If you're interested, or ready to sign up, don't be a stranger! You might be that one person we need to make this class A GO.)
Mar 2 - 3, 2006 : Atlanta, GA
Mar 15 - 16, 2006: Washington, DC
Apr 20 - 21, 2006: Oklahoma City, OK
May 15 - 16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.  

Additional technical tidbits...

Even though the thoughts in this section aren't necessarily Group Policy related, I thought these tidbits might be something you all would find interesting.

Tidbit #1: Microsoft gets really generous with virtualization licensing

Microsoft has a new press release regarding their upcoming virtualization strategy here: http://tinyurl.com/c78kf

There's a lot here, but there's one key sentence which rocked my world (and I quote):

"Licenses for the upcoming Windows Server 2003 R2 Enterprise Edition will allow customers to run up to four virtual instances on one physical server at no additional cost..."

And, this licensing deal is also expected to carry through to Longhorn (Enterprise) Server as well.

In a word: WOW. This means that if you buy one copy of Enterprise server, and you run it virtually, you basically get 4 copies of Enterprise server for the price of one! Now, of course, the key word here is "Enterprise." This is the more (much more) expensive version of Windows Server. Note that Windows Standard server (the less expensive sibling) is left out in the cold here.

The other issue is... is this deal only good when you use Microsoft's Virtualization technology (Virtual PC or Virtual Server?) In other words, if a shop chooses to use VMware as their virtualization platform, does the deal hold up? Well, there's nothing here in this press release which specifically says you can't use VMware if you wanted -- which is good news. However, before rolling out a bazillion (free) copies of Windows R2 Enterprise Server, be sure to consult with your licensing mavens, just to be sure.

Tidbit #2: VMware gets really generous with free virtualization technology!

Rumors have it that Windows Vista will have a free free free built-in version of Microsoft Virtual PC. There will be a small restriction on it, though: you can only have ONE running virtual-machine at a time. I think when VMware heard this upcoming plan, they got a little nervous, and came out with {insert fanfare music here} the VMware Player.

The VMware Player takes existing VMware virtual-machines and allows you to, you guessed it -- use them for free anywhere you like. And you're not limited to just ONE running virtual-machine. So, in short, if you've already CREATED your virtual-machine with, say, VMware Workstation or VMware GSX Server -- just copy the files to a friend, give him or her the free VMware Player application -- and -- they're running your virtual-machine! Way to go VMware!

It's in beta (though it looks like production quality software to me). You can download it here. Again, the only thing you really CANNOT do in VMware Player is CREATE new virtual-machines. Other than that -- it's quite similar to VMware Workstation.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and a whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here: https://www.gpanswers.com/book/

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

New Forum in the GPanswers.com/community

Want to have an ongoing discussion about anything in this newsletter? Then head on over to https://www.gpanswers.com/community/viewforum.php?f=33 where you can talk with your peers about anything in this newsletter (or previous ones!). Be sure to use the newsletter number when you post!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Sep 2005
04

Issue#11

In this issue:

  • It's Issue 11 ... So much news, I can't take it!!
  • Big News Item #1: Updated Group Policy Book!
  • Big News Item #2: A New Book and a New Website for Windows/Linux Integration!
  • GPanswers.com "Suggest a City" a Success
  • Group Policy Intensive Training and Workshop Schedule Update
  • Technology Takeaway (r), a service of Moskowitz, inc.
    • Three juicy tips and tricks
  • Upcoming Conferences, Appearances, and Classes
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, Unsubscribe, and Usage Information

Moskowitz, inc. and www.GPanswers.com -- Issue 11

There's so much news, I simply don't know where to begin.

First, however, I want to welcome about 100 new people since the last newsletter, which went out only about three weeks ago.

I got to meet a lot of great people in my own home town of Wilmington, DE at a Microsoft / TS2 event.

People here are downright excited about Windows Server Update Services (WSUS), and specifically, how an admin can use GPOs to control WSUS even more granularly than the older Software Update Services (SUS).

We'll address some of those issues in this newsletter, right after we announce all these goodies!

Big News Item #1: Updated Group Policy Book!

I have a Third Edition of my popular Group Policy book (Group Policy, Profiles and IntelliMirror) coming out THIS MONTH (September).

What's more -- you can pre-order a SIGNED COPY!

In this edition, we're building on the last, but adding in the bits and pieces for Windows 2003 / SP1 and Windows XP / SP2.

And, since I cannot leave well enough alone, there are lots of little adjustments and improvements throughout. Here are the TOP 12 things that have been updated since the previous edition...

  1. More "prescriptive guidance" is peppered throughout the book, based on additional experiences over the years.
  2. In the last book, I tested using XP/SP2 *BETA*. I made educated guesses about how XP/SP2 *WOULD react*. This time, I made sure.
  3. We had Kevin Sullivan, a fellow Enterprise Mobility MVP, as the Technical Editor and reviewer. That means additional assurance of technical accuracy in all areas of the book.
  4. We give guidance about how to deal with XP/SP2's built-in firewall. Because some aspects of Group Policy won't work with the firewall enabled, we give specific guidance on how to deal with this feature.
  5. We've added clearer guidance on what happens during backup and restore operations.
  6. We've added more troubleshooting guidance.
  7. We've added more guidance on how to ensure that you can "see" all the settings for XP/SP2 and Windows Server 2003 / SP1.
  8. We fully cover the Windows Server 2003 / SP1 "Security Configuration Wizard." Specifically, we demonstrate how to make your servers more secure via Group Policy. This is a really big addition for this edition.
  9. We've included some newly updated information regarding Windows Installer 3.0.
  10. ALL of the URLs are "tiny" now. Not a big deal, but now you're not typing in 300 characters for a URL to Microsoft.
  11. We've addressed a notorious quirk when dealing with GPOs. Have you ever had to press "OK" 52 times when editing a GPO? This is "The Retroactive Bug That Ate New York." In this new edition, we squash this bug with a rock.
  12. And last but certainly not least, there are lots of little things that have been clarified, fixed, adjusted, and generally made better.

Oh, and all the web downloads will be updated (really soon!). We've gone through the effort to document every single Group Policy Setting and made these available. Again, stay tuned for updated web downloads just as soon as the publisher releases them!

So, the big question that I'm sure you have is: "Do I NEED this edition?" It's a tough call, because the book DID NOT go through a MAJOR re-write like it did from the First Edition to the Second Edition. Here's what's the same:

  • All chapters from the Second Edition are here again in the Third Edition.
  • The book has the same cast of characters.
  • The book has the same "flow" and the same holistic approach.
  • The scripting chapter is 100% unchanged. (It's the only untouched chapter in the book, though.)
  • In short, it really is the same book.

So, again, the question is: "Do I NEED this edition?"

I know it's not easy forking over your hard-earned dough to get a copy of a book that's, well, very similar to the previous edition. So, how can you make the best decision? Here's my take on it...

  • If you're rolling out XP/SP2 and Windows Server 2003/SP1, I'd say Yes, this new edition is for you. Again, I updated the book expressly for this purpose. And, while I was here, I cleaned up anything I wasn't 100% happy with.
  • If you're NOT rolling out XP/SP2 and/or Windows Server 2003/SP1, then just the "bug fixes" alone aren't worth plunking down the dough to get a copy. The bad news, however, is that the book's "bug fixes" alone are not available as a download on GPanswers.com. This is because there really were too many pages changed between this edition and the last.

Hopefully, that makes sense, and gives you some direction on whether or not you should get the updated edition.

-If you want a signed copy ($45, includes shipping), the place is www.GPanswers.com/book
-If you want a cheaper copy from Amazon ($32.99), the place is: http://www.amazon.com/exec/obidos/tg/detail/-/0782144470 (For some reason, the cover image says "Second Edition," but I assure you that it's the "Third Edition.")
-If you want an even cheaper copy, from Bookpool ($31.50), the place is: http://www.bookpool.com/sm/0782144470 (Again, for some reason the cover image says "Second Edition," but I assure you that it's the "Third Edition.")

Big News Item #2: A New Book and a New Website for Windows/Linux Integration!

I know, I know. I can hear you from here ... "Whaaa? Jeremy, I thought you were the Group Policy dude. I didn't think you did that 'Linux thing.'" Well, I do.

It's interesting, exciting, and coming to an IT shop near you. And you'd better be prepared for it.

There are plenty of books you can get that try to describe how to "walk away" from your Windows investment and ... blink! ... go 100% Linux.

But there are two problems with the "walk away from Windows" idea:

  • First, it's often not possible. That is, there is a good chance you will always have Windows applications that run your business. And they might never be able to run natively on Linux.
  • Second, it's simply not realistic. Assuming every application could be re-coded for Linux, you've already got a lot invested in Windows desktops, applications, architecture, training, personnel, and more.

And yet, Linux offers undeniable advantages of its own. Compelling open-source applications, like the Apache web server and the MySQL database engine, are available today and will continue to appear. And the option of running these applications on an open-source operating system presents undeniable cost advantages. Yes, Linux has its own costs, such as re-training users and administrators familiar with Windows. But the presence of Linux in your business can save money and solve problems today.

In short, neither Windows nor Linux is leaving this planet (or the datacenter) any time soon. And for that reason, it's more important to be able to cooperatively utilize what "the other guy" has to offer, instead of trying to punch his lights out.

My new book is entitled:

Practical Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

And, along with a book, I'm launching a new web site: www.WinLinAnswers.com
WinLinAnswers.com is similar to GPanswers.com. It has:

  • Its own newsletter
  • Its own community forum
  • Its own downloads (many, many downloads for the book)
  • Its own links and other resources
  • Coming soon, its own Win/Lin Integration Training course
  • And more...

It shares the same look and feel as GPanswers.com and shares the same "Where is Jeremy?" calendar that runs along the right-hand side.

For the record ... No, no, no! I'm NOT abandoning GPanswers.com for other pastures. I am not going to stop living and breathing Group Policy. I'm simply expanding a little bit and hope you'll join me for the ride.

For now, if you want to receive Win/Lin updates, you'll have to specifically sign up for THAT newsletter at www.WinLinAnswers.com/newsletter.

(For the record, I may change my mind in the future and go to one unified newsletter. But for now, they're separate.)

You can find out more and pick up a signed copy of the new Windows / Linux Integration book at www.winlinanswers.com/book.

GPanswers.com "Suggest a City" a Success

People are using the new "SUGGEST YOUR OWN CITY" service. The idea is for YOU to tell ME where you want a Group Policy class.

Simply click on the workshop page and find the link to SUGGEST YOUR OWN CITY.

Or, go directly to www.GPanswers.com/suggest

Once we get 5-7 interested people in the same city, we've got a class!

Maybe your city is already listed? Check it out and add your suggestion. (It takes, maybe, 10 seconds.)  

 

Group Policy Intensive Training and Workshop Schedule Update

Learn more and sign up at: https://www.gpanswers.com/workshop
-or-
Suggest your own city at https://www.gpanswers.com/suggest  

 

Technology Takeaway (r), a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

Q. Can I upgrade from SUS to WSUS?

A. Before we get into upgrading SUS to WSUS, there's good news. If you're still on SUS, Microsoft is providing 6 more months of support. That's a good idea ... because getting to WSUS could take a while. I suggest that if you're working with SUS and want to move to WSUS, you should check out this resource: TechNet Webcast: Migration from Software Update Services to Windows Server Update Services (Level 300)

About the talk (Copied from Microsoft's website):

Marc Shepard, Program Manager, Microsoft Corporation

Many customers today use Software Update Services (SUS) to deploy Windows updates across their businesses. During this session, which was highly rated when presented at TechEd 2005 in Orlando, Florida, as MGT350, learn how to upgrade from SUS to Windows Server Update Services, the next version of SUS, to reap the benefits of the enhanced capabilities and broadened application support. Learn best practices and pitfalls to watch out for to help you upgrade seamlessly.

TIP 2

Q. Are there any bugs in the GPMC that you know about?

A. The "GPMC with SP1" has been out for some time, and it squashed lots of the remaining bugs. But not all. Here's one I know of...

If you select a GPO link in the GPMC, select the 'Details' tab, and set the GPO status to 'All settings disabled', the link itself will grey out, but the actual GPO doesn't.

So is it disabled or not?

Actually, it is. Just right-click on the domain name and select Refresh, and the icon will grey out.

Ok, it's not really a tip, but it is something to keep in mind!

TIP 3

Q. How can I script ... ?

A. There are just a GAGGLE of Group Policy goodies waiting for you on your scripting adventure. They are located in a 'scripts' folder in the installation folder of the GPMC.

Samples include a script to back up all GPOs (handy if you want to schedule the backup), a script to find unlinked GPOs, a script to copy a GPO. And lots more. Check 'em out!
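The same three chores (back up every GPO, find the unlinked ones, copy a GPO) can be done from the GroupPolicy PowerShell module that ships with later versions of the GPMC/RSAT. The script below is an added example, not one of the GPMC sample scripts; the backup folder and the GPO names in it are placeholders, and it assumes you run it as an account allowed to read and back up GPOs.

```powershell
# Added example (not a GPMC sample script): GPO backup, unlinked-GPO hunt, and GPO copy
# using the GroupPolicy module. Paths and GPO names are assumptions; change them.
Import-Module GroupPolicy

$BackupRoot = 'C:\GPO-Backups'                      # assumption: use a share only admins can write to
$Stamp      = Get-Date -Format 'yyyy-MM-dd'
$Target     = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# 1. Back up every GPO in the domain. Run this from a scheduled task to get regular,
#    dated backups you can restore from after an accidental (or malicious) edit.
Backup-GPO -All -Path $Target -Comment "Scheduled backup $Stamp" | Out-Null

# 2. Find GPOs that are linked nowhere. The XML report carries one <LinksTo> element per
#    link, so a GPO whose report has none is unlinked. Unlinked GPOs still carry
#    permissions and settings, so review them rather than leaving them to accumulate.
$Unlinked = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if (-not $report.GPO.LinksTo) { $gpo }
}
$Unlinked | Select-Object DisplayName, Id, ModificationTime | Format-Table -AutoSize

# 3. Copy a GPO. Like Copy/Paste in the GPMC, the new GPO gets all the settings but no links.
Copy-GPO -SourceName 'Desktop Lockdown' -TargetName 'Copy of Desktop Lockdown'   # assumption: names
```

Restoring is the mirror image: Restore-GPO -Name <GPO> -Path $Target brings back the settings from the dated folder, which is the reason to keep the backups somewhere the everyday GPO editors cannot modify.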

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances. So, check it out any time for up-to-date information!  

Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes. These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.
For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)  

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

SPECIAL THANKS

I want to say "thanks" for a killer book review from one of our subscribers, "AVero".

The review was originally posted here.

but is also posted on GPanswers.com here.

Pick one if you're interested in reading it. Thanks again!

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. Either way, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Aug 05, 2005

Issue#10

In this issue:

  • It's Issue 10... Wow.. the big 10 !
  • GPanswers.com Growth Spurt
  • Moskowitz, inc. Technology Takeaway®
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information

Moskowitz, inc. and www.GPanswers.com -- Issue 10

I love it when new people come to my class and they say ..."I think I'm on your newsletter list, but I've never seen one."

Well, the idea is that this newsletter comes out "Whenever I feel like it."

And I feel like it again!

As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

GPanswers.com Growth Spurt

Here's a little collection of updates and facts about GPanswers.com:

  • We have 606 Community Forum Members
  • We have 1,966 newsletter recipients
  • We have seven sponsors and freeware vendors in the Group Policy Solutions Guide. There are more tools than ever in the "GP Solutions Guide." So, be sure to click on the GP Solutions Guide off the main page to check it out!
  • I now have a "Jeremy's GP Resources" section of the website. It's a collection of all articles I've ever published on Group Policy and related bits.
  • I've installed Google Adsense in the forum. Before you throw rotten eggs and think I sold out to "The Man": this turns out to be a huge benefit. Adsense is sometimes smart enough to actually advertise solutions to problems people are actually having. So, please view this as a service while inside the forums. If you end up hating this, do let me know. (Though I do think it looks pretty unobtrusive.)
  • New "SUGGEST YOUR OWN CITY" service. Simply click on the workshop page and find the link to SUGGEST YOUR OWN CITY. Or, go directly to www.GPanswers.com/suggest. Once we get 5-7 interested people in the same city, we've got a class! This is still in beta, but hopefully will help us all out!

     

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

Q. Can I disable the Startup Splash Screen in Adobe Acrobat Reader 7?

A. Yes you can. We've just added a custom adm file in our Tips section at GPAnswers.com. Thanks to Dan Thomson and Neil Toepfer for your help and support.

TIP 2

Q. I just added a custom ADM file (from GPanswers.com or from elsewhere), but when I edit the GPO, I can't actually *SEE* any of the settings. What's going on?

A. Chances are the ADM settings are _Preferences_, not _Policies_. You will know this for sure if the icon before the setting has a red dot on it rather than a blue dot. In the Group Policy Object Editor you need to click the View menu and choose Filtering. In the Filtering dialog box, clear the last checkbox, which says "Only show policy settings that can be fully managed". And there you go! Your settings automagically appear!

Unfortunately the filtering setting is not saved when you close out the Group Policy Object Editor, so you need to un-select it every time.

If anyone has figured out a way around this, please let Ron, our tip guy, know!
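You can tell which kind a template's settings will be before you ever load it, by looking at the registry keys it writes to: only keys under Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies count as fully managed. Everything else is a preference, which the editor hides behind that filter and which stays in the registry after the GPO no longer applies (it "tattoos"). The PowerShell below is an added example, not a GPanswers.com tool: it scans an ADM file for its KEYNAME lines and labels each one. The template it scans is constructed for the example.

```powershell
# Added example: classify the registry keys an ADM template writes to.
# Only keys under these roots (relative to HKLM for CLASS MACHINE, HKCU for CLASS USER)
# are true Policies: shown by default in the editor and cleaned up when the GPO goes away.
# Anything else is a Preference: hidden behind the Filtering checkbox, and it tattoos the registry.
$PolicyRoots = @(
    'SOFTWARE\Policies',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-FullyManagedKey {
    param([Parameter(Mandatory)][string]$KeyName)
    $key = $KeyName.Trim().TrimStart('\')
    foreach ($root in $PolicyRoots) {
        # -eq is case-insensitive in PowerShell; StartsWith is told to be as well.
        if ($key -eq $root -or
            $key.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-AdmKeyClassification {
    param([Parameter(Mandatory)][string]$AdmText)
    $policy = '(category level)'   # a KEYNAME before any POLICY applies to the whole category
    foreach ($line in [regex]::Split($AdmText, '\r?\n')) {
        if ($line -match '^\s*POLICY\s+(.+?)\s*$') { $policy = $Matches[1].Trim('"'); continue }
        if ($line -match '^\s*KEYNAME\s+"?([^"]+?)"?\s*$') {
            [pscustomobject]@{
                Policy  = $policy
                KeyName = $Matches[1]
                Kind    = if (Test-FullyManagedKey $Matches[1]) { 'Policy (fully managed)' }
                          else { 'Preference (tattoos the registry)' }
            }
        }
    }
}

# Constructed sample template (not a real one): one setting in each camp.
$SampleAdm = @'
CLASS MACHINE
CATEGORY "Example"
  POLICY "Disable splash screen"
    KEYNAME "Software\Policies\ExampleVendor\Reader"
    VALUENAME "ShowSplash"
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 1
  END POLICY
  POLICY "Allow Remote Desktop"
    KEYNAME "SYSTEM\CurrentControlSet\Control\Terminal Server"
    VALUENAME "fDenyTSConnections"
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 1
  END POLICY
END CATEGORY
'@

Get-AdmKeyClassification -AdmText $SampleAdm | Format-Table -AutoSize
# For a real file: Get-AdmKeyClassification -AdmText (Get-Content .\custom.adm -Raw)
```

On the sample, "Disable splash screen" comes back as a fully managed Policy and "Allow Remote Desktop" as a Preference, which is exactly why the second one only appears once the filter is cleared and why removing its GPO later will not put the value back.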

TIP 3

Q. Can I copy the settings from a GPO to another GPO? (From our FAQ)

A. The easiest way to do this is to make a copy of the original GPO, and rename it. Then you will have a new GPO with all of the settings of the original. To do this, open the GPMC and drill down to the Group Policy Objects node. Right-click over the GPO you want to use, and select Copy. Then, immediately select Paste. It will create a new GPO named "Copy of {oldname}". Simply rename it what you wish, and you're in business!

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com)

I have a neat-o calendar that I'm always updating with any public (and private) appearances.

So, check it out any time for up-to-date information!  

Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes. These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.
For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)  

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

HIDDEN EASTER EGG PART OF THE NEWSLETTER

You made it to the end of the newsletter... So, goodies await you!

WS03/SP1 Blocker Tool Available

In the same way that XP/SP2 could be blocked from Automatic Updates, so too can WS03/SP1. If you want to roll out WS03/SP1 on YOUR SCHEDULE, and not automatically accept it via Automatic Updates, I highly suggest you read this FAQ. The link to download the actual tool is found in the little gray box on the page on the right.

Another Group Policy Perspective

My pal Mark Russinovich had an interesting thought or two on Group Policy recently. A very interesting read..It echoes a similar statement I make all the time..if your users are local administrators, you could be in for a world of hurt.  

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. Either way, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Aug 04, 2005

Issue#9

In this issue:

  • It's Issue 9... Whaaa? I just saw issue 8?
  • Moskowitz, inc. Technology Takeaway®
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
    • Classes and seminars
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information

Moskowitz, inc. and www.GPanswers.com -- Issue 9

Okay, okay.. I know we JUST had a newsletter. But, sometimes there's more news! Again, this newsletter comes out "Whenever I feel like it." And I feel like it!

So... In this newsletter, I've got good news... Yes, this is a full newsletter -- with tips and tricks and fun stuff for you.. It's all here!

As always, you can forward this newsletter to your friends --but please do so in one whole piece (please don't just cut and paste).

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

How can I hide drives from my users?

Out of the box, Group Policy allows you to hide a few drives from your users, but what if you want to hide a drive such as 'N:'?

We've got ya' covered! Check out our tip (with screenshots!). It explains a neat tool called GPDriveOptions, available here, that will let you select any drive letters you want!

Then, in no time flat -- you're restricting specific drive letters!
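For the curious, the reason the built-in setting only offers a few fixed combinations is that it writes a single bitmask, NoDrives, under the Explorer policy key (bit 0 is A:, bit 1 is B:, up through bit 25 for Z:). The PowerShell below is an added example, not GPDriveOptions or any GPanswers.com tool: it computes that mask for any set of letters and pushes it into a GPO's registry settings. The GPO name is a placeholder, and it assumes the GroupPolicy module. Keep in mind that NoDrives only hides the drive in Explorer; users can still reach it by path, so the companion value NoViewOnDrive (same bitmask) is the one that actually blocks access.

```powershell
# Added example: build the NoDrives / NoViewOnDrive bitmask for arbitrary drive letters.
# Both values live under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,
# which is a true policy key, so the setting un-applies cleanly when the GPO is removed.
Import-Module GroupPolicy

function Get-DriveMask {
    param([Parameter(Mandatory)][string[]]$DriveLetters)
    $mask = 0
    foreach ($d in $DriveLetters) {
        $letter = $d.Trim().TrimEnd(':').ToUpperInvariant()
        if ($letter -notmatch '^[A-Z]$') { throw "Not a drive letter: '$d'" }
        # Bit position = distance from 'A'; N: is bit 13, so N alone gives 8192.
        $mask = $mask -bor (1 -shl ([int][char]$letter - [int][char]'A'))
    }
    return $mask
}

$GpoName   = 'Lab Drive Restrictions'        # assumption: an existing user-side GPO
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Mask = Get-DriveMask -DriveLetters 'A', 'B', 'N'   # 1 + 2 + 8192 = 8195

# Hide the drives in My Computer ...
Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey -ValueName 'NoDrives' -Type DWord -Value $Mask | Out-Null
# ... and, because hiding is not a barrier, also prevent access to them.
Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey -ValueName 'NoViewOnDrive' -Type DWord -Value $Mask | Out-Null

# Show what the GPO now carries, so the change can be checked before linking.
Get-GPRegistryValue -Name $GpoName -Key $ExplorerKey | Select-Object ValueName, Value
```

The -shl operator needs PowerShell 3 or later; on anything older, multiply by powers of two instead.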

TIP 2

How can I set the size limit for Temporary Internet Files in Internet Explorer?

Yizhar Hurwitz, MVP has created a great custom ADM file that will not only allow you to set the size limit for the cache, but also set its location, and enable automatic emptying of the cache when the browser is closed.

You can find it in our tips section!

TIP 3

Have you ever wondered if you could download the most current, or any previous version of the ADM files? Well you can!

Microsoft's Download Center has a page where you can download ANY version of a set of ADM files since their release.

You can find them here!

Thanks to Ron Hrehirchuk, the "GPanswers Tip Man" for compiling this newsletter's tips and putting them on the web page for all of us to use!  

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances.

So, check it out any time for up-to-date information!

 

Classes and Seminars

Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.
For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

HIDDEN EASTER EGG PART OF THE NEWSLETTER

Fun Free Thing I Found at TechEd

Word on the street says this disk defragmenter really does the job. And the price is right! Haven't tried it myself, but, like I said, sounds interesting.

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. Either way, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Jun 01, 2005

Issue#8

In this issue:

  • It's Issue 8...
  • GPanswers.com -- Update !
  • Moskowitz, inc. Technology Takeaway (r)
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information

Moskowitz, inc. and www.GPanswers.com -- Issue 8

Welcome to issue 8 of the Moskowitz, inc. newsletter.

Spring is here.. heck it's almost summer. And that means all sorts of good stuff is happening. As I write this, I'm at the Red Hat conference, which is pretty good, and not totally filled with Microsoft bashing. Indeed, the Red Hat folks really have a "Let's play nice" attitude with regards to Microsoft. Refreshing !

What am I doing here, at the RED HAT conference, you ask? It has to do with "Jeremy's Next Big Thing", which I'll discuss (hopefully) in the next newsletter.

In this newsletter, I've got updated class dates, some fun new tips and tricks, and more. As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

 

GPAnswers.com News!

We now have a working "Group Policy Solutions Guide" on GPanswers.com. The goal is to give you a one-stop-shop for 3rd party tools which snap in to Group Policy.

Just click "Third Party Solutions Guide" after you click over to GPanswers.com to check it out! We have five sponsors (yay, sponsors!) and we also give free listings to free tools.

So, if you know of any free tools that hook into Group Policy -- let me know about it! If it's a free tool, it gets a free listing!

Again, check out the tools we have today!

Group Policy Intensive Training and Workshop

Learn more and sign up here! (Don't forget to scroll all the way to the bottom of that page and locate your city!)

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

We just had to fire one of our desktop administrators. The only problem is -- he knew the local Administrator password for all of our desktop machines. How can I change all computer's local passwords?

Answer 1

This free tool looks very promising. It looks like it's been around a long time, but, hey -- what the heck! Give it a shot!

TIP 2

I'm looking for some "Plain English" definitions of events in my Event Log. Any idea where to find that?

Answer 2

Yes! My pal Randy Franklin Smith has just such a resource. It's literally called "Plain English Explanations of Windows Security Log Events." Check it out! And be sure to say Hi to Randy!

TIP 3

I'm doing some testing as a user. But, we have restricted all sorts of things. How can I temporarily log in as a user, but strip away all GPOs?

Answer 3

Killpol to the rescue! This tool asks for credentials, then lets you kill policies (temporarily) for a logged in user. Really handy when you need it!

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances.

So, check it out any time for up-to-date information!

 

Classes and Seminars
Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.
For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

Useless Time Waster

Go here. (Don't ask.) In a nutshell, I drink a LOT of Snapple, and one of my best friends noticed. Any Java enabled web browser will do. Trust me, you won't be disappointed.

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. Either way, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go). For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Feb 20, 2005

Issue#7

In this issue:

  • It's Issue 7...
  • Moskowitz, inc. Technology Takeaway®
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
    • Free live events
    • Classes and seminars
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Even more good stuff!
  • Subscribe, unsubscribe, and usage information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 7

Welcome to issue 7 of the Moskowitz, inc. newsletter.

It's just cold cold cold where I live, and that's no fun. But, thankfully, I get to travel a bit to San Francisco and Los Angeles and a bunch of other warm places before the winter is up.

In this newsletter, I've got updated class dates, some fun new tips and tricks, and more. As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

Also, I'd like to announce that I have a "Full Time Tips Man" helping out at GPanswers.com. It's Ron Hrehirchuk, who knocks out questions in the forum and does a lot of work getting the FAQ/Tips and Tricks section looking great! If you want to help add to the FAQ / Tips and Tricks section, the best way is to post a message inside the Community forum here. (Note that you must register for the forum to post.)

Thanks Ron, for all you do!  
 

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks
TIP 1/Question 1

I've been asked this question three times this month, so it must be on people's minds.

"Jeremy, can you explain to me why I might want to put users and computers into separate OUs? We're debating how to implement our OU structure with regard to Group Policy. Any advice you have here would be helpful."

I've never been asked the same question three times in a month. Here's the scoop... Segmenting users and computers into different OUs is, first and foremost, a Microsoft Best Practice. And, it's a Best Practice for a good reason.

Here are three good reasons to separate users and computers into different OUs:

  • Easier troubleshooting
    • When users and computers are separated into different OUs, you can more easily figure out what's going on when you run Resultant Set of Policy tools (ie: GPRESULT, or the Group Policy Results Wizard in the GPMC.) You'll know precisely which GPOs are affecting the OU. True, you'd see this anyway, but by segmenting them, there's never a question about which half of the policy (user or computer) is affecting the target.
  • Easier delegation
    • You might want to grant others in your organization the ability to perform certain functions upon your structure. By separating out users and computers, you can delegate some people to create user accounts and others to create computer accounts.
  • Easier implementation of loopback policy
    • The loopback processing attribute affects the computer object. By distinctly separating out computers (especially those which need loopback) it makes loopback troubleshooting a world easier.
       

TIP 2 / Question 2

Under an Active Directory user's properties (Account Tab | Log On To settings), you can restrict what computers a user can log into. This works great, but it's not currently set for all of our "lab users" (and it's a fair amount of work to set this manually). So here's the question: How can this be set via GPO?

Answer: There is no Group Policy setting which controls this. However, using Active Directory Users and Computers, you can simply "multi-select" several users and select Properties. Simply click each user while holding down the CONTROL key to multi-select.

Then, in the Account tab, select Computer Restrictions and go from there!
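If the lab has more than a handful of users, or you want the same list applied every time a new lab account is created, the restriction can also be set in bulk from PowerShell. The script below is an added example, not from the newsletter or from GPanswers.com; the OU path and computer names are placeholders, and it assumes the ActiveDirectory module from RSAT.

```powershell
# Added example: set "Log On To" for every user in a lab OU in one pass.
# The attribute behind the dialog is userWorkstations: one comma-separated string of
# NetBIOS computer names. Writing it REPLACES the old list, so build the full list first.
Import-Module ActiveDirectory

$LabOu       = 'OU=Lab Users,OU=Accounts,DC=corp,DC=example'   # assumption: your lab OU
$LabMachines = 'LAB-PC01', 'LAB-PC02', 'LAB-PC03'              # assumption: NetBIOS names
$Allowed     = $LabMachines -join ','

# Apply the restriction to every user account in the OU.
Get-ADUser -SearchBase $LabOu -Filter * |
    ForEach-Object { Set-ADUser -Identity $_ -LogonWorkstations $Allowed }

# Verify: list any lab user whose restriction does not match the intended set.
# An empty result means every account is locked to the lab machines.
Get-ADUser -SearchBase $LabOu -Filter * -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations -ne $Allowed } |
    Select-Object SamAccountName, LogonWorkstations
```

Because the list is replaced rather than merged, keep the authoritative set of lab machine names in one place (the script, or a file it reads) so that a later run never silently drops a workstation someone added by hand in the GUI.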


TIP 3

Windows Server 2003 has the ability to allow two Remote Desktop connections for administrative purposes. This can be enabled by going to the properties of "My Computer", clicking on the "Remote" tab and enabling "Remote Desktop".

This can also be enabled on each server individually, using the registry setting below, or by creating a custom adm template and deploying the setting via Group Policy.

Registry Settings Involved:

Using regedit, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

If the value "DenyTSConnections" does not exist, create it as a DWORD.

Setting it to 0 will permit remote desktop connections and setting it to 1 will prohibit them.

Wouldn't it be great if you could set this up with Group Policy so ALL your servers just did this??

Well, you can. On https://www.gpanswers.com/faq/ we're working on a custom .adm template, with the code included, so you can create the .adm file yourself and deploy the setting via Group Policy. After you implement it, you won't know how you did without it.

It'll be up this week in the FAQ/TIPS section! So stop by and tell your friends!
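Here is what such a template looks like, as an added example rather than the FAQ's own file. Two caveats worth knowing before you deploy one: the value Windows actually reads under that key is named fDenyTSConnections (with the leading "f"), which is the name used here; and because the key sits under SYSTEM\CurrentControlSet rather than one of the Software\Policies keys, the Group Policy Object Editor treats the setting as a preference. You need to clear the "Only show policy settings that can be fully managed" filter to see it, and the value stays in the registry after the GPO is unlinked. Since Enabled opens a server to Remote Desktop, link the GPO only to the OU of servers that should accept remote administration.

```adm
; Added example ADM template (not the GPanswers.com FAQ file).
; Sets fDenyTSConnections under the Terminal Server key on Windows Server 2003.
; This key is outside Software\Policies, so the editor shows it as a preference.
CLASS MACHINE

CATEGORY !!Cat_Example
  CATEGORY !!Cat_TerminalServer
    KEYNAME "SYSTEM\CurrentControlSet\Control\Terminal Server"

    POLICY !!Pol_RemoteDesktop
      EXPLAIN !!Pol_RemoteDesktop_Help
      VALUENAME "fDenyTSConnections"
      ; Enabled writes 0 (permit connections); Disabled writes 1 (prohibit them).
      ; Not Configured leaves whatever value the server already has.
      VALUEON  NUMERIC 0
      VALUEOFF NUMERIC 1
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
Cat_Example="Example Custom Settings"
Cat_TerminalServer="Terminal Server"
Pol_RemoteDesktop="Allow Remote Desktop connections for administration"
Pol_RemoteDesktop_Help="Enabled sets fDenyTSConnections to 0 so the server accepts Remote Desktop connections. Disabled sets it to 1. Not Configured leaves the current value in place. Because this key is not under Software\Policies, the value remains in the registry after the policy is removed."
```

Save the file as something like RemoteDesktop.adm, add it to a GPO through Administrative Templates | Add/Remove Templates, and clear the Filtering checkbox to make the setting visible before you enable it.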
 

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances. So, check it out any time for up-to-date information!
 

Free Live Events
GROUP POLICY POWER HOUR Webinar

New date: Friday, December 03, 2004 (was November 19th):
8:00 AM -- WEST COAST
11:00 AM -- EAST COAST
Seminar #3 in the "The Group Policy Power Hour!" It's 1/2 hour of talk and demos, and 1/2 hour of Q&A! Here's the intro:

One of the key skills to master is to know what's going on at your client system. In this talk, Jeremy will demonstrate the various methods to get the Resultant Set of Policy, or RSOP, for your client systems. Both command-line tools and the GPMC can be used to gather this knowledge, so join Jeremy for this Power Hour session!

Registration is available here.

 

Classes and Seminars
Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer, and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.

For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)


Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

 

Technology Takeaway®, a service of Moskowitz, inc. (Supersecret, hidden, Easter-egg Part of the Newsletter)

We're just giving it away! --

More Technical Takeaway Tips (My way of saying thanks for making it all the way to the end of the newsletter!)

BONUS TIP #1

  Is your company starting to use Firefox? Terrific, except out of the box, it's not Group Policy enabled... Buuut... check out: http://spaces.msn.com/members/in-cider/ for a way to make it enabled! (We're working on making this a permanent section within our Tips collection.)

BONUS TIP #2

Check out http://www.grouppolicywiki.com
It's a way for people to simply "add what they know" to a common body of Group Policy knowledge.
I've contributed a bit, my pal Darren Mar-Elia (who runs GPOguy.com) has contributed a bit and Microsoft has contributed a LOT. Add your 2 cents! It's helpful and fun!

Useless Time Waster

Go here. (Don't ask.) In a nutshell, I drink a LOT of Snapple, and one of my best friends noticed. Any Java enabled web browser will do. Trust me, you won't be disappointed.

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives; either way, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Nov 2004
27

Issue#6

 

In this issue:

  • It's Issue 6...
  • GPanswers 2.0 -- New year, new design
  • Moskowitz, inc. Technology Takeaway®
    • Correction from Newsletter #5
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
    • Free live events
    • Classes and seminars
    • Upcoming conference appearances
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 6

It's issue 6, and welcome again to the Moskowitz, inc. / GPanswers.com newsletter. Here's hoping you had a great Thanksgiving !

The personal news here is that I've hired a new assistant--well, I guess that makes it "personnel" news. His name is Jon Seitzer. If you'd like to drop him a note or just say "Hi," you can reach him at [email protected].

As always, you can forward this newsletter to your friends --but please do so in one whole piece (please don't just cut and paste).
 

GPanswers 2.0 -- New year, new design

GPanswers.com is a little over one year old. And, well, it was time for a makeover. We've got some very exciting changes to the web site available immediately, and a little more coming up really soon.

First of all, we have an updated look and feel. Not just for the sake of doing something new, but rather because I kept hearing the same report: People told me they had trouble finding "where to click" to find stuff on the web site. I've had that all changed to be easier to find!

Additionally, GPanswers.com URLs are now "on their own." No longer are GPanswers.com URLs really just pointers to Moskowitz-inc. Of course, you can still get to Moskowitz, inc. pages in various ways on GPanswers.com.

Those are the changes as of today. Here is what's coming up in the next several days/weeks:

  • New searchable FAQ section
  • New Tips and Tricks section
  • Annnnnnd...the Big News! We are diligently working on a sponsored "Group Policy Solutions Guide" which enables YOU to easily locate 3rd-party software that enhances Group Policy!

We're aiming to get each and every vendor that offers a Group Policy product to join the club! If you think there's a company and product that should be listed, just let me know! Additionally, we've updated the 2005 class location list and schedule. Be sure to click on "Group Policy Workshop" to get a full list of the updated schedule and/or to sign up for a class.

I hope you enjoy GPanswers.com 2.0 in our second year! PS: I'll likely send out a mini-announcement when the "Group Policy Solutions Guide" goes live.
 

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Correction from Newsletter #5

I hate to have to start out with an apology. But, alas, it happens. That is, my Bonus Tip #1 in Newsletter #5—the "TWO Remote Desktop Sessions" tip--didn't pan out to be true. I did test it ... but I tested it with a Beta of SP2, and, well, that functionality was removed last minute from the ACTUAL SP2.

D'oh! My bad.

Three juicy tips and tricks

TIP 1

Recently, I've been searching for a way to avoid going to the task bar (oops, I mean "Notification Area") in order to disconnect various hardware. Often, I'm just "ready to roll" but, alas, it takes multiple mouse clicks to get the job done to disconnect USB flash disks, Firewire hard drives, or my USB camera.

Here's a tip you can use to save some time. It comes from this Microsoft KB article: "Remove hardware from a command line".

The syntax is a little hard to follow. In this case, I'm going to list the active USB devices.

C:\>devcon find usb*
USB\ROOT_HUB\4&1B96DD0A&1 : USB Root Hub
USB\ROOT_HUB\4&23036E4B&1 : USB Root Hub
USB\ROOT_HUB\4&A2AFF59&1 : USB Root Hub
USB\ROOT_HUB20\4&18075F55&1 : USB Root Hub
USB\VID_05DC&PID_A400\415DEF11191525121004 : USB Mass Storage Device
5 matching device(s) found.

Let's say I want to remove the USB Flash Disk that is currently attached. In the example, I can see that my device has a unique ID of "415DEF11191525121004." To remove it, I can quickly type in a command (or, better yet, batch file) that removes this device based on a string within the device.

C:\>devcon remove "@USB*525121004*"
USB\VID_05DC&PID_A400\415DEF11191525121004 : Removed
1 device(s) removed.

In my short time using this utility, here's what I've found:

  • Some devices complain when being "ripped" out of the system like this. Couple your batch file with the Sysinternals tool called "Sync" which can flush the data to the disk before removal. I'm not saying it'll 100% prevent data damage, but it's certainly better to sync before removal.
  • When specifying the device to remove, be sure to put the unique device name between quotes.
  • Additionally, precede it with an @ sign. Not really sure why, that's just the deal.
  • It seems that each time I remove a device (then plug it back in), I'm essentially re-forcing the PNP subsystem to do its thing when the device is plugged in next. I guess I'm really looking for a command to "eject" a device and not "remove" it.

The closest I've come is this:

"RUNDLL32.EXE SHELL32.DLL,Control_RunDLL hotplug.dll"

It starts the "Unplug or Eject Hardware" wizard, but that's about all it does. If anyone figures out the command syntax for disconnecting a device WITHOUT "removing" it, please let me know!

There's a nice website dedicated to things like this little utility here.
If you have any neat tricks to add to this, do let me know!
 

TIP 2

Everyone I know has cell phones. But heck if I know what carrier they're using. So, when I want to send a little text message (known properly as SMS messages), I have to just GUESS which service they're using.

Is it @vtext.com ? @tmomail.net ? @cingular.com ? Who knows?

And now, you don't have to. Just send an email to
@teleflip.com and -- voila! Instant SMS message to your friend or co-worker.
 

TIP 3

Ron Hrehirchuk is one of my most active GPanswers.com forum members. He's constantly knocking tough questions out of the park. Indeed, Ron is going to be helping me with enhancing the "Tips and Tricks" section.

Recently, Ron found this little gem.

The goal? To use Group Policy to control your EnergyStar-compliant systems. I checked it out, and it is very, very nice! I didn't actually use it though, because I don't have the right kinds of hardware. But it's certainly an interesting example of how Group Policy can be used in ways not normally considered.
 

Upcoming Conferences, Appearances, and Classes

Something new... On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm updating with any public (and private) appearances. So, check it out any time for up-to-date information!
 

Free Live Events
GROUP POLICY POWER HOUR Webinar

New date: Friday, December 03, 2004(was November 19th):
8:00 AM -- WEST COAST
11:00 AM -- EAST COAST
Seminar #3 in the "The Group Policy Power Hour!" It's 1/2 hour of talk and demos, and 1/2 hour of Q&A!

Here's the intro:

One of the key skills to master is to know what's going on at your client system. In this talk, Jeremy will demonstrate the various methods to get the Resultant Set of Policy, or RSOP, for your client systems. Both command-line tools and the GPMC can be used to gather this knowledge, so join Jeremy for this Power Hour session!

Registration is available here.
 

Classes and Seminars
Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? My favorite email this month was from Chris Curran from Sullivan Data Management.

Great Class!! Ever since the training everything GPO just seems to make a heck of a lot of sense. It's like you filled an eyeglass prescription or something.

Chris Curran

Sullivan Data Management

That's me ... Jeremy Moskowitz, your GPOptometrist.
Just contact me at [email protected] or call me at 302-793-3957.

 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.
 

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives; either way, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !