May 04
G Johansson | Categories: GP Preferences, Windows 7 | Tags: action center, backup, GPO, GPP, Grouppolicy, Windows 7
Alan Burchill has written a blog post about removing the backup notification from the Action Center in Windows 7.
Since the post shows what you can really do with GPP, I think this was worth linking to directly.
How to use Group Policy to turn off the Backup Notification in the Windows 7 Actions Center
Check out his blog too while you’re at it.
Apr 29
G Johansson | Categories: GPO | Tags: GPO, Grouppolicy, Troubleshooting
This is an “old” post from the Group Policy Team about troubleshooting, but it’s really good and something everyone should use as a starting point when they wonder why their GPO didn’t work.
http://blogs.technet.com/grouppolicy/archive/2010/02/24/troubleshooting-group-policy.aspx
Use it and develop it further by adding your own “standard” checks, so that you have a standard procedure.
We all need to troubleshoot Group Policies sooner or later…
Apr 27
G Johansson | Categories: ADM, Windows 7, Windows Server 2008 R2 | Tags: ADM, GPO, KB, Support, Windows 7, Windows Server 2008 R2
A new Knowledge Base article has been released with a hotfix that solves a problem you can run into if you are still using adm-templates in GPOs on Windows 7 or Windows Server 2008 R2.
When you create a settings report of a GPO that references an adm-template (not an admx-template) and that adm-template no longer exists in the default paths (you may have cleaned them out), the report shows these settings under “Extra registry settings” instead.
http://support.microsoft.com/default.aspx?scid=KB;EN-US;981704
Of course the better way is to convert the adm-template to an admx-template instead and use the central store!
Apr 26
G Johansson | Categories: ADMX, GPO | Tags: GPO, Microsoft, MSDN
This is just one of those things that you need to share quickly.
http://gps.cloudapp.net/
I think you will find it easier to find your setting for a GPO here than trying to find it in the GPO editor.
Well done!
Mar 25
G Johansson | Categories: GPO | Tags: Accelerator, Download, GPO
GPO Accelerator is now available as a download at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=A46F1DBE-760C-4807-A82F-4F02AE3C97B0&displaylang=en
This program contains a lot of templates (GPOs) for securing your environment. It is meant to save loads of work hours when securing and preparing your environment.
Don’t forget to read the documentation and please try the settings on a few computers first before applying to everyone.
Feb 07
G Johansson | Categories: ADMX, GPO, Windows Server 2008, Windows Vista | Tags: ADMX, Download, GPO, Microsoft, Vista, Windows Server 2008, Windows Vista
Microsoft has released a new Group Policy settings reference, this time for Windows Server 2008.
This file contains all Group Policy settings since Windows 2000, so this is the only file you need. For Windows Server 2008, 24 new settings are available, 12 of which are for Terminal Services functionality.
This reference file also covers the new admx/adml format, so to be sure you can use the settings described in it, you need to start using Windows Vista or Windows Server 2008 to configure your GPOs.
Download the new reference file here (xls and xlsx file available)
Oct 15
G Johansson | Categories: ADMX, GPO, Office 2007 | Tags: ADMX, Download, GPO, Microsoft, Office 2007
Finally, MS has released the Office 2007 templates for Group Policy in the new ADMX format.
You can now also benefit from having these stored in your Central Store, which decreases the load of replicating GPOs between servers, etc.
These new templates are of course not available in all languages, and I wouldn’t be too sure that they will be released either.
The download file also contains an Excel file for reference.
Download the new templates here
Sep 30
G Johansson | Categories: ADM, ADMX, Custom, GPO | Tags: ADM, ADMX, GPO
Everyone that has ever tried to troubleshoot group policy problems knows how hard that can be.
Darren Mar-Elia (MS MVP) has created a GPO logging ADM & ADMX which you can use in a GPO to enable some logging features without having to know where to enable it manually.
It won’t resolve your problem for you, but it gives you some options for troubleshooting, depending on what the problem is.
Find his custom adm/admx here: http://www.gpoguy.com/gpolog.htm
Sep 30
G Johansson | Categories: GPO | Tags: GPO, Software Restriction Policies, SRP
Using SRP is not that common today and what I will write here is a small how-to so that you can start trying it today and maybe even sometime soon apply it in your production environment.

The first thing to note is that SRP is a very powerful tool, so try it in a test environment before you apply it to users in production.
First you need to choose your default level, which you do under “Security Levels”:

When you start using SRP, the default level is “Unrestricted”, which allows all programs to run. This means you can use SRP to block specific programs, but the real power is that you can change the default level to “Disallowed”, so that you specify which programs may run (all others are blocked) instead of blocking specific programs.
So to start with, make “Disallowed” the default: double-click “Disallowed” and press the “Set as Default” button.

This means that all clients affected by this policy are now unable to run anything except what you define as exceptions, which you do under “Additional rules”:

As you can see in the above picture, two default rules are already included. These two rules are registry paths: every program located under the paths stored in these two registry values is set to unrestricted, which makes it available to run even if you selected “Disallowed” as your default under “Security Levels”.
There are four different rule types for allowing or blocking programs:
- Hash-rule
- Path-rule
- Network zone-rule
- Certificate-rule
The ones normally used are hash and path rules. You should always prefer a hash rule: when the user tries to run a program, the system looks at the file’s hash value and evaluates whether the program may run. Sometimes a hash rule is a problem, for example when you have different versions of a program; then you use a path rule instead. Also, if the program is not installed in the same location on each computer but you know where in the registry it stores its path, you can use a path rule that points to that registry location instead.
I will show you the two ways of allowing Windows Live Messenger to run.
Hash:

As you can see above, the rule takes the values from the executable and stores the hash value of the file. When someone tries to run the program, the system compares the file’s hash value with the one you defined and then decides whether the program may run.
Path:

As you can see above, you need to specify the path to the executable. This path needs to be the same on each computer you want to use the rule on, but you can of course use environment variables, as I have done in the above picture. You could also use a registry location if you know where the path to the program is stored.
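The difference between the two rule types, as an added example that is not part of the original post: a simplified PowerShell model of the decision, assuming a “Disallowed” default level with one hash rule and one path rule set to unrestricted. The files, folder names and the `Get-SrpDecision` function are constructed for illustration, and SHA-256 stands in for the hash value SRP stores.

```powershell
# Added example: simplified model of SRP matching, not Windows' implementation.
# Assumed policy: default level Disallowed, one hash rule and one path rule,
# both set to Unrestricted. All files below are constructed stand-ins.
$root    = Join-Path ([IO.Path]::GetTempPath()) ("srp-demo-" + [guid]::NewGuid())
$allowed = Join-Path $root 'Messenger'   # location covered by the path rule
$other   = Join-Path $root 'Downloads'   # location not covered by any rule
New-Item -ItemType Directory -Path $allowed, $other | Out-Null

$v1 = Join-Path $allowed 'app.exe'
Set-Content -Path $v1 -Value 'constructed program, version 1' -NoNewline
$hashRule = (Get-FileHash -Path $v1 -Algorithm SHA256).Hash  # what a hash rule stores
$pathRule = Join-Path $allowed '*'                           # what a path rule stores

function Get-SrpDecision([string]$File) {
    # A hash rule is checked before a path rule; the default level applies last.
    if ((Get-FileHash -Path $File -Algorithm SHA256).Hash -eq $hashRule) {
        return 'Unrestricted (hash rule)'
    }
    if ($File -like $pathRule) { return 'Unrestricted (path rule)' }
    return 'Disallowed (default level)'
}

# Case 1: same bytes, renamed and moved. The hash rule still matches.
$moved = Join-Path $other 'renamed.exe'
Copy-Item -Path $v1 -Destination $moved

# Case 2: a new version outside the allowed path. The stored hash no longer
# matches and no path rule covers it, so the default level applies.
$v2Other = Join-Path $other 'app.exe'
Set-Content -Path $v2Other -Value 'constructed program, version 2' -NoNewline

# Case 3: the new version installed over the old one. Only the path rule
# matches; it trusts the location, so users must not be able to write there.
Set-Content -Path $v1 -Value 'constructed program, version 2' -NoNewline

foreach ($f in $moved, $v2Other, $v1) {
    '{0,-12} {1}' -f (Split-Path $f -Leaf), (Get-SrpDecision $f)
}
Remove-Item -Path $root -Recurse -Force
```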
You can of course also use this to block programs instead of allowing them. This is not really the preferred way to use SRP, but it is fully functional.
On my computer I have “Unrestricted” as my default and I added an application on my desktop named radio.exe as “Disallowed”.

So the result when I try to run the file is:

In conclusion, this is a powerful way of giving your users minimal rights in the system, with the result that they will have a hard time messing up the computer.
This only covers some parts of SRP. For example, local administrators also get these rules, but you can exclude them under “Enforcement”; dll-files are excluded by default, but you can change that too. Make sure to try this in a safe environment before applying it to production, as you might get a big headache if you have made some wrong turns in setting this up.
Sep 09
G Johansson | Categories: Active Directory, GPO | Tags: GPO, Restricted Groups
There are a lot of questions in newsgroups, forums, etc. about how to use Restricted Groups in the right way, so I wanted to post a how-to for people to read.
Finding Restricted Groups is easy, but it only works in a domain with Active Directory, so you won’t find it in the local GPO on your computer.

First, right-click Restricted Groups and select “Add Group”.
You get the default window for choosing a group, either from your domain or from your local computer, depending on what configuration you want.

Now you have two different choices for what to do with the group you selected: either “Members of this group” or “This group is a member of”. The difference between these choices is big, so I explain them in two steps.
1. “Members of this group”
This is the choice you make when you want to add users to a group. What you select here is what the group will contain on the computers affected by this policy. So if you, for example, want to add a user to the local admin group on the computers, don’t forget to add administrator as well, or the administrator account will be removed from the local administrators group on the computers.
An example is this picture, where the group contains both the local administrator account and the built-in Authenticated Users group.

2. “This group is a member of”
You can use this choice if you want to add your selected group into another group, so it is the opposite of choice 1 described above. It also does not override any other configuration you have made. So if you selected “Authenticated Users” as the group and use this option to add it to the “Administrators” group, any other user you might have added to that group (manually, perhaps) won’t be overwritten by this choice.
So the example you can see in this picture will add the “Power Users” group to the “Administrators” group.
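How the two choices end up in the GPO’s security template (`GptTmpl.inf`, under `Machine\Microsoft\Windows NT\SecEdit` in the policy’s SYSVOL folder), as an added example that is not part of the original post. The template text is constructed to mirror the two pictures described above, and the `Resolve-Principal` helper and the small SID table are illustrative.

```powershell
# Added example. The template text is constructed to mirror the two pictures
# above; only well-known SIDs are used.
$gptTmpl = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-11
*S-1-5-32-547__Memberof = *S-1-5-32-544
*S-1-5-32-547__Members =
'@

$wellKnown = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-11'     = 'Authenticated Users'
}
function Resolve-Principal([string]$Id) {
    # Entries are either "*<SID>" or a plain account name.
    $key = $Id.Trim().TrimStart('*')
    if ($wellKnown.ContainsKey($key)) { $wellKnown[$key] } else { $key }
}

$inSection = $false
$report = foreach ($line in ($gptTmpl -split "`r?`n")) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Group Membership')
        continue
    }
    if (-not $inSection) { continue }
    if ($line -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
        $group, $kind, $list = $Matches[1], $Matches[2], $Matches[3].Trim()
        if (-not $list) { continue }   # empty lists are skipped in this example
        $names = ($list -split ',' | ForEach-Object { Resolve-Principal $_ }) -join ', '
        if ($kind -eq 'Members') {     # "Members of this group"
            $effect = "membership is set to exactly: $names"
        } else {                       # "This group is a member of"
            $effect = "is added to: $names (existing members there are kept)"
        }
        [pscustomobject]@{ Group = Resolve-Principal $group; Setting = $kind; Effect = $effect }
    }
}
$report | Format-Table -AutoSize -Wrap
```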

To summarize, it’s fairly easy to use Restricted Groups. It’s also the easiest way to add/remove users in groups, and you can control it in a much better way than you ever can by doing this manually. If you are doing this manually today, it’s time to stop and use the right way instead.