“New” forum for GP-questions

Comments Off

MS has created a “new” forum for GP-questions.
It has been there since beginning of February so it’s quite new still.


If you don’t find the existing forums enough then you can always check and ask you questions also here. :)

Technorati Tags: , ,

CSE for Windows Group Policy Preference

Comments Off

Microsoft has finally released the new CSE’s required to recieve settings done in the new GP Preference that is released with Windows Server 2008.

They are now here for XP, Server 2003 and Vista


Group Policy Preference Client Side Extensions for Windows XP (KB943729)
Group Policy Preference Client Side Extensions for Windows XP x64 Edition (KB943729)
Group Policy Preference Client Side Extensions for Windows Vista (KB943729)
Group Policy Preference Client Side Extensions for Windows Vista x64 Edition (KB943729)
Group Policy Preference Client Side Extensions for Windows Server 2003 (KB943729)
Group Policy Preference Client Side Extensions for Windows Server 2003 x64 Edition (KB943729)

Technorati Tags: , , , , , ,

New: Group Policy settings reference for Windows Server 2008

Comments Off

Microsoft has released a new Group Policy settings reference and this time for Windows Server 2008.

This file contains all Group Policy settings since Windows 2000 so this is the only file you need. For Windows Server 2008 24 new settings are available where 12 of them are for Terminal Services functionallity.

This reference file is also for the new admx/adml-format so to know for sure you can use settings described in this file you need to start using Windows Vista or Windows Server 2008 to configure your GPO’s.

Download the new reference file here (xls and xlsx file available)

Technorati Tags: , , , , , ,

ADMX Migrator update

Comments Off

Microsoft with Full Armor has released a new version of the ADMX Migrator tool.

This is version 1.2 of this tool and as stated on the download page these are the changes:

  • Enhancements and bug fixes to support a wider range of ADM templates for conversion to ADMX.
  • Enhancements to code and documentation for conversion error reporting and warnings.
  • Improved handling of internationalized ADMX templates.

A first look at the tool and it seems to work as expected. I haven’t tested to convert any adm-files expect a small one which seemed to work just fine. It’s also easy to build your own admx-files using the tool which can be handy when you want to stop creating adm-files in notepad :)

admx migrator 1.2

Download the new tool from here

If you have problem with the tool please report it here

Technorati Tags: , , ,

Microsoft Office 2007 – ADMX finally

Comments Off

Finally MS released the Office 2007 templates for Group Policy in the new ADMX-format.

You can now benefit here also to have those stored in your Central Store so that you decrease the load for replicating GPO’s between servers etc.

These new templates is of course not with all languages and I wouldn’t be to sure that they will be released either.
The download file also contains an excel-file for reference.

Download the new templates here

Technorati Tags: , , , ,

Download Administrative Templates (.ADMX)

1 Comment

MS has released the Administrative Templates as a downloadable package.

At first I wasn’t sure why but then I could see that this package also includes all language files for the admx-files which will make it easier if you have people in different countries all creating GPO’s and they want to create them in their own language. So it’s much easier way to collect the adml-files rater than needing to install different Vista’s just to get the adml-files.

Download the files from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=05d0598b-95f9-4bdd-af36-b365d68ec5f6&DisplayLang=en

Technorati Tags: , ,

Update: GPDBPA-tool on localized Windows

Comments Off

I asked the question if they were going to change this tool so it also is runnable on localized versions of Windows.

The answer is that it won’t install on a localized version but you can install it on an English Windows XP and then transfer the files to your localized version and then run it. The files are located at %ProgramFiles%\GPDBPA\

They don’t guarantee success but you might want to try it (in LAB-environment first of course).

Technorati Tags: ,

Help for troubleshooting Group Policy

Comments Off

Everyone that has ever tried to troubleshoot group policy problems knows how hard that can be.

Darren Mar-Elia (MS MVP) has created a GPO logging ADM & ADMX which you can use in a GPO to enable some logging features without having to know where to enable it manually.

It wont help you resolve your problem but it gives you some options on how to troubleshoot depending on what it is.

Find his custom adm/admx here: http://www.gpoguy.com/gpolog.htm

Technorati Tags: , ,

How-to: Using Software Restriction Policies


Using SRP is not that common today and what I will write here is a small how-to so that you can start trying it today and maybe even sometime soon apply it in your production environment.


First thing to notice is that SRP is a very powerful tool so try in a test-environment before you apply it to users in production.

First you need to choose your default level which you do at Security Levels:


Default when you start using this, the default level is “Unrestricted” which allows all programs to run. Which means you can use SRP to block specific programs but the power is that you can change this so “Disallowed” is the default level which means you specify which programs you can run (all others are blocked) instead of blocking specific programs.

So to start with change so “Disallowed” is default. Double-click on “Disallowed” and press the button “Set as Default”


This means that all clients affected by this policy now would be able to run anything except what you define as exclusions which you do at “Additional rules”:


As you can see in the above picture you have two default values already included. These two values are registry paths which makes all programs defined in these two registry paths to unrestricted which of course makes them available to run even if you selected “Disallowed” as your default choice in the above selection at “Security Levels”.

There are four different choices on how to enable/disable programs to run:

  • Hash-rule
  • Path-rule
  • Network zone-rule
  • Certificate-rule

The normal ones to use is HASH or PATH. HASH is always something you should prefer to use since if the user tries to run a program it looks at the hash-value and evaluates if you can run the program or not. Sometimes when you have different versions of a program for example it might be a problem to use HASH, then you use PATH instead. Also if you don’t have the program installed in the same location on each computer but you know somewhere in the registry where it types the path to the program you can use PATH and use the registry location instead.

I will show you the two ways of allowing Windows Live Messenger to run


As what you can see above is that it takes the values from the executable and stores the hash-value of the file. When someone tries to run the program the system evaluates this hash-value and compare it with the one you defined and then selecting if you can run the program or not.


As you can see above is that you need to select the path to the executable. This path needs to be same on each computer you would like to use this on but of course you can use environment variables as I have done in the above picture. You could also use a registry location if you did know where the path to the program where stored.

You can of course also use this to block programs instead of allowing them. This is not really the preferred method on how to use SRP but fully functional.
On my computer I have “Unrestricted” as my default and I added an application on my desktop named radio.exe as “Disallowed”


So the result if I’m trying to run the file is:


As conclusion you can see that this is a powerful way of giving your users minimal rights in the system with the result that your users will have a large problem messing up the computer :)

This only covers some parts of SRP. For example local administrators also get these rules but that you can exclude in the “Enforcement” choice and also dll-files are excluded by default but you can change that too. Make sure to try this in a safe environment before applying it to production as you might get a big headache if you have made some wrong turns in setting this up. :)

Technorati Tags: , ,

Troubleshooting Group Policy in Windows 2008

Comments Off

Microsoft has released a new troubleshooting library for Windows 2008.

This is to include all events etc. for troubleshooting problems with Group Policy.

Here you will find the information: http://technet2.microsoft.com/windowsserver2008/en/library/e695eea4-01c4-429e-8fd1-c98e3ef6f7791033.mspx

Technorati Tags: , ,

Older Entries Newer Entries