Error message for SRP settings in GPMC

Comments Off

Using Windows 7 or Server 2008 R2 when trying to see SRP settings in GPMC you get an error.

Microsoft has released a hotfix

Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: “An error has occurred while collecting data for Software Restriction Policies”

Technorati Tags: , , , , ,

New whitepapers

Comments Off

MS released two new whitepapers this week that might be of interest

  • Advanced Group Policy Management (AGPM) Overview
  • Group Policy Preferences Overview

AGPM is a tool included in the Microsoft Desktop Optimization Pack which can only be aquired if you have a Software Assurance license with MS.
Read more about AGPM here
Download the Whitepaper here

The new Group Policy Preference Whitepaper is a new document released for Windows Server 2008 which gives you some information on how to handle Group Policy in a different way. You sure will not get disappointed if you read this document and haven’t looked to far into Group Policy in Windows Server 2008, I think you will download and test right away :D
Download it here

Technorati Tags: , , ,

GPMC scripts missing in Vista

Comments Off

If you are using Vista and previously used XP and the scripts included you might be missing them in Vista as they are not included.

Microsoft released the scripts as a downloadable package for Vista which you can download here:

Technorati Tags: , , ,

My first test of GPDBPA

Comments Off

It took me some time more than just last weekend to checkout the tool delivered from MS but here are my first thoughts about this tool.

First a print screen of the program:

Until today I have only run the program on two domain controllers so I haven’t really tested the tool completely but I have found some parts which you might find interesting.

First of all you should check the page named Critical Issues of course.
For me I got two errors here when I tried on my DC.

  1. Incorrect permissions on Default Domain Controller Policy
  2. DFS service not running on [MACHINE]

About the first error it complained about “Enterprise Domain Controllers” security group didn’t have the “Apply Group Policy” access which was correct so I now recieved this information and could open GPMC and correct the error.

Second error I’m a bit confused about since on Windows 2003 (and earlier) normally don’t have DFS running (if you don’t configure it of course). It’s using FRS for replication of SYSVOL and not DFS. I think this is a mistake from MS because I suspect the tool also has been designed with Windows Server 2008 kept in mind since it’s using DFS-R and not FRS and I think that’s why it’s watching the status of this service.

If you continue at “All Issues” you can find even more information. Some parts are information and some parts errors. I got a lot of errors which I don’t really understand. For example it complained about that:

  • I’m not using Roaming profiles!?!?
  • Offline Files disabled using reg-key (on a Domain Controller)!?!?
  • It complained that two out of four of my group policies (which affects my DC’s) had their user settings disabled!?!?

However the tool has also “Tree reports” which tells you a lot about your GPO’s so if you know what you are doing you can find some useful information about your GPO’s in this tool instead of searching for it using AdsiEdit for example.

As conclusion you can say that the tool has some improvements that need to be done before you can fully benefit from it but it’s a great start if you aren’t using anything today and I would recommend everyone to check it out and at least see if it tells you if you have any errors. :)

There are some other tools available on the market which you might want to check you if you don’t find this tool useful enough. You can find links on the Group Policy homepage

Technorati Tags: , , ,

Windows Vista SP1 removes GPMC

1 Comment

Maybe you have, or not, noticed that there has been as small discussion about GPMC in Windows Vista SP1 since the release of the “Windows Vista Service Pack 1 Beta White Paper“.

This is because in the white paper you can read the following: “Administrators requested features in Group Policy that simplify policy management. To do this, the service pack will uninstall the Group Policy Management Console (GPMC) and GPEdit.msc will edit local Group Policy by default. In the SP1 timeframe, administrators can download an out-of-band release that will give them the ability to add comments to Group Policy Objects (GPOs) or individual settings and search for specific settings.”

This means that when you install SP1 you will no longer have GPMC installed on your computer and you should install the new enhanced edition of GPMC that will be available for download.

There is a small catch. If you install the SP1 now you will have GPMC removed and there is no GPMC-version available for download so then you need to: “Beta testers will find that after installing Windows Vista SP1, they no longer have access to GPMC, and that the new, enhanced version of GPMC has not yet been released. In this case, administrators can continue to edit Group Policy by opening a remote desktop session directly to the server or to a PC running the release to manufacturing (RTM) version of Windows Vista.” as written on Windows Vista Blog

They wrote about this on and on this site they have some parts completely wrong and instead of me writing about it you can read some parts from it on Darren Mar-Elia’s Blog which I find amusing.

In my personal mind I think it was the best to remove GPMC for a number of reasons since on most of the computers you wouldn’t need it, you can get very far using only gpedit.msc and rsop.msc and you should risk having users that could do own things with the tool, like for example create a backup of all your GPO’s etc.

Lets also hope the new enhanced version is as good as the existing one! :)

Download Windows Vista Service Pack 1 White paper

Technorati Tags: , , ,

Import/Export WMI filters

Comments Off

Using GPMC to import/Export WMI filters is easy to do if you have only a couple of them (export them to .MOF files). But if you have several of them and you might want to transfer them to another domain you might not want to do it file by file.

In the Group Policy Team Blog they have written more or less an instruction on how to do this so I just wanted to post the link to it so you can read it too.

Customs Check– Importing and Exporting WMI Filters

Technorati Tags: , ,

Comments in GPMC

Comments Off

Introduced in the new GPMC for Windows Vista/Windows 2008 is adding comments of your own to settings you make in a GPO.

Whenever you do any setting in a GPO you can add on a Comment in the new Comment page writing whatever you like. This is stored in the GPO so you will always have it for reference for further use later or any other purpose you might have.

These comments you write will of course print out on your reports created from GPMC, which I think is a very nice feature added.

Comments are stored at \\\SYSVOL\\policies\{GUID}\[MACHINE]/[USER]\comment.cmtx which is of course an XML file containing all your comments of settings in the GPO.

Using comments for your settings might make your life easier but remember that they wont show up if you are still using XP!

Technorati Tags: , , ,

StarterGPOs – New feature in GPMC

Comments Off

In Windows 2008 they have introduced Starter GPO’s. This is some sort of template with which you can create real GPO’s with this as base for further editing and also with these templates it will be easier to have templates in a larger environment where you have several persons creating GPO’s, for example at department level.

. StarterGPO_Comments

As you can see in printscreen StarterGPOs have their own location in GPMC where you create your starters like any other GPO. Just right click and select New, Select a name and maybe a comment about this Starter and of you go.
When you open the Editor you will see that you only have Administrative Templates which is the only thing you can configure in these Starters. Software Settings and Windows Settings are excluded.

StarterGPO’s isn’t located in the same place as normal GPO’s.
A normal GPO would be in \\\SYSVOL\\Policies\ but a StarterGPO is located in \\\SYSVOL\\StarterGPOs but it’s still defined with a GUID

If you open one of these folders you wont find any GPT.ini file as normal when you have a GPO, instead you will find a StarterGPO.tmplx which is some sort of XML-file defining the Starter.

Technorati Tags: , , ,

Where do I find GPMC in Windows 2008

1 Comment

When you install Windows 2008 and promote it to a Domain Controller, GPMC isn’t in your Administrative Tools.

In Windows 2008 everything is divided into Roles and Features. Roles are major “changes” to a server, for example Domain Controller, Terminal Server etc. Features is more or less “Add/Remove Windows components” which we have had in the past but of course with some more things.

One of these “more things” is the GPMC which you need to add manually using the Server Manager: Add Features.
Add features GPMC Windows 2008

After GPMC has been installed you can find it as normal in the Administrative Tools.
GPMC visible in Administrative Tools

Technorati Tags: , ,

GPMC Scripts

1 Comment

Group Policy Management Console (GPMC) has some example scripts which get installed when you install GPMC. These scripts are not always used so I wrote a page about the scripts which you might find useful.

Technorati Tags: ,