GPMC scripts missing in Vista


If you used the GPMC sample scripts on XP, you will find them missing in Vista, where they are no longer included.

Microsoft has released the scripts as a separate downloadable package for Vista, which you can download here:


Help for troubleshooting Group Policy


Everyone who has ever tried to troubleshoot Group Policy problems knows how hard that can be.

Darren Mar-Elia (Microsoft MVP) has created a GPO logging ADM/ADMX template that you can use in a GPO to enable various logging features without having to know where to enable each of them manually.

It won't resolve your problem by itself, but it gives you options for how to troubleshoot, depending on what the problem is.

You can find his custom ADM/ADMX template here:


How-to: Using Software Restriction Policies


Using Software Restriction Policies (SRP) is not that common today, so what follows is a small how-to that lets you start trying it today and perhaps apply it in your production environment sometime soon.


The first thing to note is that SRP is a very powerful tool, so try it in a test environment before you apply it to users in production.

First you need to choose your default level, which you do under Security Levels:


When you start using SRP the default level is “Unrestricted”, which allows all programs to run. With that default you can use SRP to block specific programs, but the real power comes from changing the default to “Disallowed”: then you specify which programs are allowed to run and all others are blocked, instead of blocking specific programs.

So to start with, make “Disallowed” the default: double-click “Disallowed” and press the button “Set as Default”.


This means that all clients affected by this policy are now blocked from running anything except what you define as exceptions, which you do under “Additional Rules”:


As you can see in the picture above, two default rules are already included. These are registry path rules that set all programs located under the two registry paths to Unrestricted, which of course makes them available to run even though you selected “Disallowed” as your default level under “Security Levels”.

There are four different kinds of rules for allowing or blocking programs:

  • Hash-rule
  • Path-rule
  • Network zone-rule
  • Certificate-rule

The ones normally used are hash and path rules. A hash rule is what you should prefer: when the user tries to run a program, SRP computes the hash of the file and compares it with the rule to decide whether the program may run. Sometimes a hash rule is a problem, for example when you have several versions of a program, and then you use a path rule instead. Also, if the program is not installed in the same location on each computer but you know a registry value that holds the path to the program, you can use a path rule that points at that registry location instead.

I will show you the two ways of allowing Windows Live Messenger to run:


As you can see above, SRP reads the executable and stores the hash value of the file in the rule. When someone tries to run the program the system computes the hash of that file, compares it with the one you defined, and then decides whether the program may run or not.


As you can see above, for a path rule you need to select the path to the executable. This path must be the same on each computer you want to use the rule on, but of course you can use environment variables as I have done in the picture above. You could also use a registry location if you know where the path to the program is stored.

You can of course also use SRP to block programs instead of allowing them. This is not really the preferred way to use SRP, but it is fully functional.
On my computer I have “Unrestricted” as my default, and I added an application on my desktop named radio.exe as “Disallowed”:


So the result when I try to run the file is:


In conclusion, you can see that this is a powerful way of giving your users minimal rights on the system, with the result that your users will have a hard time messing up the computer :)

This only covers some parts of SRP. For example, local administrators are also subject to these rules by default, but you can exclude them under the “Enforcement” option, and DLL files are excluded from checking by default, which you can change there too. Make sure to try this in a safe environment before applying it to production, as you can get a big headache if you have made some wrong turns in setting this up. :)
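The default level, the Enforcement options (administrators, DLLs) and the hash and path rules described above all end up in one registry key on the client, whether they come from the local policy or from a domain GPO. The following PowerShell script is an added example, not code from the original post, that reads that key and lists what is in effect on a machine; the key layout and value names it relies on are stated as assumptions in the comments.

```powershell
# Added example (not from the original post): list the SRP configuration that is
# currently in effect on a client, read from the registry key that both local and
# domain-applied SRP settings are written to. Assumed key layout:
#   ...\Safer\CodeIdentifiers           DefaultLevel, TransparentEnabled, PolicyScope
#   ...\CodeIdentifiers\<level>\Paths   one subkey per path rule (ItemData = path)
#   ...\CodeIdentifiers\<level>\Hashes  one subkey per hash rule (ItemData = hash bytes)
function Get-SrpPolicy {
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    if (-not (Test-Path $base)) { Write-Warning 'No SRP policy is applied on this machine'; return }
    $ci = Get-ItemProperty -Path $base
    Write-Host ('Default level : {0}' -f $levels[[int]$ci.DefaultLevel])
    Write-Host ('DLL checking  : {0}' -f $(if ($ci.TransparentEnabled -eq 2) { 'on (all software files)' } else { 'off (libraries excluded)' }))
    Write-Host ('Enforced for  : {0}' -f $(if ($ci.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }))
    foreach ($lvl in $levels.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $k = Join-Path $base "$lvl\$kind"
            if (-not (Test-Path $k)) { continue }
            foreach ($rule in Get-ChildItem -Path $k) {
                $r = Get-ItemProperty -Path $rule.PSPath
                # Path rules store the (possibly variable-based) path; hash rules store raw hash bytes.
                $what = if ($kind -eq 'Paths') { $r.ItemData }
                        else { '{0} hash {1}' -f $r.FriendlyName, (($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join '') }
                [pscustomobject]@{ Level = $levels[$lvl]; Type = $kind.TrimEnd('s'); Rule = $what; Description = $r.Description }
            }
        }
    }
}
Get-SrpPolicy | Format-Table -AutoSize
```

Run it on a test client after a `gpupdate` to confirm that the default level, the two built-in registry path rules and your own hash or path rules arrived as you intended.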


Troubleshooting Group Policy in Windows 2008


Microsoft has released a new troubleshooting library for Windows Server 2008.

It is meant to cover all the events and related details needed for troubleshooting problems with Group Policy.

You will find the information here:


Group Policy Survey


The Microsoft Group Policy team would like to hear from you! Please take a few minutes and complete the survey on how you use Group Policy to help Microsoft enhance the manageability Group Policy provides to your organization. The survey can be found at and is completely anonymous. The survey will remain open through Friday, September 28, 2007. Thank you in advance for your time and input!

See original post in the Group Policy Team Blog


How-to: Using Restricted Groups


There are a lot of questions in newsgroups, forums and so on about how to use Restricted Groups the right way, so I wanted to post a how-to for people to read.

Finding Restricted Groups is easy, but it only works in an Active Directory domain, so you will not find it in the local GPO on your computer.
Restricted Groups

First, right-click on Restricted Groups and select “Add Group”.
What you get is the standard window for choosing a group, either from your domain or from your local computer, depending on the configuration you want.
Restricted Groups2

Now you have two different choices for what to do with the group you selected: either “Members of this group” or “This group is a member of”. The difference between these choices is big, so I explain them in two steps.

1. “Members of this group”

This is the choice you make when you want to define the users in a group. What you list here is exactly what the group will contain on the computers affected by this policy. So if you, for example, want to add a user to the local Administrators group on the computers, don't forget to also add Administrator, or the Administrator account will be removed from the local Administrators group on those computers.

An example is this picture, where both the local Administrator account and the built-in Authenticated Users group are listed as members.
Restricted Groups3

2. “This group is a member of”

This choice is used when you want to add the selected group to another group. In other words, it is the opposite direction of choice 1 described above. It also does not override any other configuration you have made: if you selected “Authenticated Users” in choice 1 and with this option add it to the “Administrators” group, any other users already in that group (added manually, perhaps) will not be removed by this choice.

So the example you can see in this picture adds the “Power Users” group into the “Administrators” group.
Restricted Groups4

To summarize: Restricted Groups is fairly easy to use, it is the easiest way to add and remove users in groups, and it gives you far better control than you can ever have doing this manually. If you are still doing this manually today, it is time to stop and use the right way instead.
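The two choices described above are stored by the GPO editor in SYSVOL as a security template (GptTmpl.inf) with a `__Members` and a `__Memberof` line per group. The following PowerShell script is an added example, not code from the original post: it parses a constructed template that mirrors the two pictures above (Administrator plus Authenticated Users as members of Administrators; Power Users added to Administrators) and prints what each line will do on the client.

```powershell
# Added example (not from the original post). Restricted Groups settings are written to the
# GPO's GptTmpl.inf under [Group Membership]:
#   <group>__Members  = the exact membership enforced ("Members of this group")
#   <group>__Memberof = groups the group is added to   ("This group is a member of")
# The template below is constructed for illustration; the SIDs are the well-known ones.
$sample = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-11
*S-1-5-32-547__Memberof = *S-1-5-32-544
'@
$wellKnown = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-547' = 'Power Users'; 'S-1-5-11' = 'Authenticated Users' }

# Entries prefixed with * are SIDs; translate the well-known ones to names for readability.
function Resolve-Name([string]$token) {
    $t = $token.Trim()
    if ($t.StartsWith('*') -and $wellKnown.ContainsKey($t.Substring(1))) { return $wellKnown[$t.Substring(1)] }
    return $t.TrimStart('*')
}

$inSection = $false
foreach ($line in $sample -split "`r?`n") {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
    if (-not $inSection -or $line -notmatch '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') { continue }
    $group = Resolve-Name $Matches[1]
    $list  = @($Matches[3] -split ',' | Where-Object { $_.Trim() } | ForEach-Object { Resolve-Name $_ })
    if ($Matches[2] -eq 'Members') {
        # Enforced membership: anyone not listed here is removed from the group at policy refresh.
        "$group : membership replaced with [$($list -join ', ')]"
    } elseif ($list) {
        # Additive: the group is added to these groups; their existing members are left alone.
        "$group : added to $($list -join ', ') (existing members of those groups are kept)"
    }
}
```

Pointing `$sample` at the real file under `\\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` (path pattern assumed) lets you review a GPO's group changes before it reaches the computers.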


My first test of GPDBPA


It took me somewhat more than just last weekend to check out the tool Microsoft delivered, but here are my first thoughts about it.

First, a screenshot of the program:

So far I have only run the program on two domain controllers, so I haven't really tested the tool completely, but I have found some parts you might find interesting.

First of all you should of course check the page named Critical Issues.
I got two errors here when I ran it on my DC:

  1. Incorrect permissions on Default Domain Controller Policy
  2. DFS service not running on [MACHINE]

For the first error it complained that the “Enterprise Domain Controllers” security group did not have the “Apply Group Policy” permission, which was correct, so having received this information I could open GPMC and correct the error.

The second error confuses me a bit, since Windows 2003 (and earlier) normally does not have DFS running (unless you configure it, of course). It uses FRS, not DFS, for replication of SYSVOL. I think this is a mistake on Microsoft's part; I suspect the tool was designed with Windows Server 2008 in mind, which uses DFS-R instead of FRS, and that is why it watches the status of this service.

If you continue to “All Issues” you will find even more information. Some items are informational and some are errors. I got a lot of errors I don't really understand. For example, it complained that:

  • I’m not using Roaming profiles!?!?
  • Offline Files disabled using reg-key (on a Domain Controller)!?!?
  • It complained that two out of four of my group policies (which affects my DC’s) had their user settings disabled!?!?

However, the tool also has “Tree reports”, which tell you a lot about your GPOs, so if you know what you are doing you can find some useful information about your GPOs in this tool instead of searching for it with ADSI Edit, for example.

In conclusion, the tool still needs some improvements before you can fully benefit from it, but it is a great start if you aren't using anything today, and I would recommend everyone to check it out and at least see whether it reports any errors. :)

There are some other tools available on the market that you might want to check out if you don't find this tool useful enough. You can find links on the Group Policy homepage.


Windows Vista SP1 removes GPMC


You may or may not have noticed that there has been a small discussion about GPMC in Windows Vista SP1 since the release of the “Windows Vista Service Pack 1 Beta White Paper”.

This is because in the white paper you can read the following: “Administrators requested features in Group Policy that simplify policy management. To do this, the service pack will uninstall the Group Policy Management Console (GPMC) and GPEdit.msc will edit local Group Policy by default. In the SP1 timeframe, administrators can download an out-of-band release that will give them the ability to add comments to Group Policy Objects (GPOs) or individual settings and search for specific settings.”

This means that when you install SP1 you will no longer have GPMC installed on your computer, and you should instead install the new enhanced edition of GPMC that will be made available for download.

There is a small catch. If you install SP1 now, GPMC will be removed and there is no GPMC version available for download yet, so you have to do the following: “Beta testers will find that after installing Windows Vista SP1, they no longer have access to GPMC, and that the new, enhanced version of GPMC has not yet been released. In this case, administrators can continue to edit Group Policy by opening a remote desktop session directly to the server or to a PC running the release to manufacturing (RTM) version of Windows Vista.” as written on the Windows Vista Blog.

They also wrote about this on , and that site gets some parts completely wrong; rather than my writing about it, you can read Darren Mar-Elia's blog post on it, which I find amusing.

Personally I think removing GPMC was the best choice, for a number of reasons: on most computers you wouldn't need it, you can get very far using only gpedit.msc and rsop.msc, and you shouldn't risk having users do their own things with the tool, like creating a backup of all your GPOs, for example.

Let's also hope the new enhanced version is as good as the existing one! :)

Download the Windows Vista Service Pack 1 White Paper
