Jeremy Moskowitz Troubleshoots Group Policy

While at DevConnections, Richard talked to Jeremy Moskowitz about what every IT person needs to know about troubleshooting group policy in this RunAs Radio podcast.

Jeremy Moskowitz is a Group Policy MVP who runs Moskowitz, Inc., a company specializing in Microsoft consulting and education. Since becoming one of the world’s first MCSEs in Windows NT and Windows 2000, Jeremy has performed Active Directory, Group Policy and Windows management planning and implementation for some of the world’s largest organizations. He has been seen at some of the world’s largest conferences including Microsoft TechEd, Microsoft MMS, MCP Magazine’s TechMentor, and Windows Connections.

He is the noted author of multiple books on Windows. His most popular book is Group Policy: Management, Troubleshooting and Security, the flagship title in the “Mark Minasi Windows Administration Series.” He also has a book about Windows & Linux integration, entitled Windows & Linux Integration: Hands On Solutions for a Mixed Environment.

Jeremy is a frequent contributor to Microsoft Technet Magazine, REDMOND Magazine, Windows IT Pro Magazine and others. Jeremy runs GPanswers.com and WinLinAnswers.com, two Web sites to help people get their tough Group Policy and Windows / Linux questions answered.

Alan Burchill Talks Group Policy Preferences

In this RunAs Radio podcast, Richard catches Alan Burchill while at Tech Ed New Zealand. Alan digs into the new Group Policy Preferences features introduced with Windows 7 and Windows Server 2008 R2 but available for XP, Vista, even Server 2000 and up! The conversation explores how group policy can now be used to map drives, printers and other features, leading to the virtual elimination of login scripts. Check out Alan’s Web site for videos and information on this and other group policy techniques.

Alan Burchill has been working in the IT industry for over 10 years focusing on Microsoft centric solutions where he has worked for and consulted for large multi-national companies and government agencies. Alan has extensive experience with implementing and designing group policy for corporate server and desktop SOEs. He has been a speaker at Microsoft TechEd Australia where he talked about implementing and using Group Policy. Alan has also developed and deployed Microsoft security patching strategies for desktop and server fleets.

Windows Group Policy Administrator’s Pocket Consultant

Portable and precise, Windows Group Policy Administrator’s Pocket Consultant delivers ready answers for the day-to-day administration of Group Policy. Zero in on core support and maintenance tasks using quick-reference tables, instructions, and lists. You’ll get the focused information you need to solve problems and get the job done — whether at your desk or in the field!

Get fast facts to:

  • Configure Local GPOs and Active Directory-based GPOs
  • Manage policy preferences and settings
  • Model policy changes through the console
  • Migrate and maintain the SYSVOL
  • Diagnose and troubleshoot replication issues
  • Know when to enforce, block, or override inheritance
  • Filter policy settings, search GPOs, and manage permissions
  • Use Advanced Group Policy Management, including change control
  • Manage operating system-specific deployment issues

Use Group Policy To Deploy Applications In Windows Server 2003 Part II

Through the Microsoft Management Console (MMC) and group policies you can configure a Windows Server 2003 server to automatically distribute software to Windows clients by either assigning or publishing applications. Although the basics of this process are fairly straightforward, there are situations that will require you to use advanced publish and assign options.

For example, if you were installing Office XP onto a system that already had Office 2000, you would probably want Office XP to replace Office 2000 rather than keeping both versions. Advanced publish and assign options allow you to do this and more.

Part I of this article showed you how to get started by opening the Software Installation Properties sheet. Part I also introduced you to two tabs available from the properties sheet: the Deployment tab and the Upgrades tab.

Part II of this article introduces the remaining tabs: Categories, Modifications, and Security.

The Categories tab
The Categories tab allows you to select the categories in which the installation package should be included. By default, the Categories list will be empty because Windows doesn’t come with any existing categories.

You can create categories by right-clicking on the Software Installation container and selecting Properties from the resulting menu to open the container’s Properties sheet. You can then select the Properties sheet’s Categories tab and use the Add button to create categories.

The Modifications tab
The Modifications tab allows you to associate modification files with the installer package. Modification files allow you to create different custom installations for the same application. For example, you could configure different Microsoft Office installations for different departments. Some installations would include the entire Office suite while others would exclude certain applications, such as Access or PowerPoint.

Normally, you won’t have to worry about modification packages because they are rarely used. However, if you do choose to use modification packages, it’s absolutely critical that you apply them in the correct order. Windows tends to be very unforgiving when working with modification files. So it’s essential that you use the Move Up and Move Down buttons to arrange any modification files into the correct order before clicking OK.

The Security tab
The Security tab is where you can build a list of users and/or groups from the present domain and trusted domains.

You may then assign specific rights to each user or group based on which permissions you want them to have pertaining to the installer package. For example, by default, Authenticated Users have Read permissions to the package. Likewise, Domain Admins and the System have full rights to the package. These are usually all the permissions that you need, unless, of course, you wanted to deny permission to a user or group.

Use Group Policy To Deploy Applications In Windows Server 2003 Part I

Through the Microsoft Management Console (MMC) and group policies you can configure a Windows Server 2003 server to automatically distribute software to Windows clients by either assigning or publishing applications. Although the basics of this process are fairly straightforward, there are situations that will require you to use advanced publish and assign options.

For example, if you were installing Office XP onto a system that already had Office 2000, you would probably want Office XP to replace Office 2000 rather than keeping both versions. Advanced publish and assign options allow you to do this and more.

Getting started
To access the advanced publishing and assigning options, open the MMC, add the Group Policy snap-in, and navigate to the Software Installation container. Right-click on the Software Installation container to access the Software Installation properties sheet. Select the default location of the Windows installer package that you wish to push to your client machines, select the Advanced radio button and click OK. Doing so will return you to the main Group Policy screen.

Then, right-click on the Software Installation container and select New | Package from the resulting menu to display the Open dialog box, which lists the contents of the default location that you selected. Next, select the exact Windows Installer (.msi) file you wish to push and click OK. The installation properties window for your chosen .msi file will then be displayed. You can then configure the advanced publish or assign options for your installation through the series of tabs at the top of the window.

The Deployment tab
On this properties sheet you will find the Deployment tab, where you can select whether you want to assign or publish the application. There are also three check boxes that control auto installation by file extension activation, automatic uninstallation, and whether or not the package is visible in the Add/Remove Programs dialog box.

At the bottom of the Deployment tab, you’ll notice an Advanced button. If you click this button, you’ll see a dialog box that contains some advanced diagnostic information, such as the name of the automatic installation script that you’re creating. This dialog box also contains a check box you can select to ignore language options when deploying the package.

The Upgrades tab
The Upgrades tab contains Add and Remove buttons that you can use to build a list of applications that the new application should replace. Once you’ve created the list, select the check box to make the new package a mandatory upgrade to the previously existing package.

When you click the Add button you’ll have the option to select a package from the current group policy object or from another specific group policy object. You can also decide whether Windows should uninstall the old package prior to installing the new package or if Windows can perform an upgrade by installing the new package on top of the previously existing application.

Distributing Security Zone Settings Using Group Policy

Once you have configured Security Zone settings to meet your security requirements, you may need to distribute those settings to workstations throughout a network. While you can use the Internet Explorer Administration Kit’s Profile Manager to do the job, you can avoid having to install additional software if you use the method provided by the Group Policy editor.

Deploying security zone settings using group policy is a two-step procedure that involves exporting the Security Zone settings as an INS configuration file and then configuring your Windows Vista clients to use the Automatic Browser Configuration feature to import those settings. The beauty of this distribution method is that you can regularly update the Security Zone settings and then easily distribute the updates.

To begin, launch the Group Policy editor by typing group policy in the Search field on the Start Menu and pressing Enter. When you see the Group Policy editor window, go to the tree view and open the following branch: User Configuration | Windows Settings. Right-click on the Internet Explorer Maintenance icon and select the Export Browser Settings command from the shortcut menu. When you see the Save .INS File And .CAB Files dialog box, type the full path and name of the .INS file and click OK. Once you save the INS file, copy it to the root directory of a local intranet server.

At this point, you’ll need to enable Automatic Browser Configuration on all of your Windows Vista clients. You can e-mail these instructions to your users or deploy them manually.

Launch the Group Policy editor by typing group policy in the Search field on the Start Menu. When you see the Group Policy editor window, go to the tree view and open the following branch: User Configuration | Windows Settings | Internet Explorer Maintenance | Connection. Double-click Automatic Browser Configuration. In the Automatic Browser Configuration dialog box, select both the Automatically Detect Configuration Settings and the Enable Automatic Configuration check boxes. Then, type the URL to the INS configuration file in the Auto-config URL (.INS File) text box.

Group Policy Processing In Windows Server 2003 Part VI

If your network contains a single domain and a couple of DCs, and all computers are on the same network, you really don’t have to concern yourself with indicating the correct target DC when making changes to the group policy. However, if you have multiple domains, DCs, and users with the ability to change the group policy, getting the target right for group policy edits is important. In addition, you could have more than one DC receiving edits, causing edits at other DCs to be lost during replication.

You have two ways to specify which DC receives group policy changes:

  • Dynamically through the Group Policy Editor console
  • Dynamically through policies defined in the Administrative Templates branch

To configure the options through the console, open the properties for the domain, click the Group Policy tab, and edit the Default Domain Policy object. Select the root of the object, then choose View | DC Options to display the Options For Domain Controller Selection dialog box.

Options you’ll find on this screen include the following:

  • The One With The Operations Master Token For The PDC Emulator: This option causes Windows Server 2003 to use the same DC as the target for all group policy creation and editing, with all other DCs receiving updates through replication. This ensures that you don’t experience editing collisions caused by multiple concurrent policy changes on different DCs. With this option selected, the Group Policy console automatically focuses on the specified DC. Typically, the DC with the Operations Master token is the first DC created in the domain, although this can change.
  • The One Used By Active Directory Snap-Ins: This option enables you to select a DC when using the Group Policy console snap-ins. As long as you select the right one, edits happen on the selected DC. Selecting the DC, however, is a conscious, manual process, inviting error. If you forget to change the focus and inadvertently make changes on the wrong DC, those edits could be lost during replication or cause other problems, so use this option with care.
  • Use Any Available Domain Controller: This option allows changes to be made on any DC, making it the least desirable option. If you have only a few DCs and only one person making policy changes, then this option is acceptable.

If you prefer to establish these options through a policy (a better method, as it then applies to all administrators), configure the policy settings at the domain level. Open the Default Domain Controller GPO and modify the policy User Configuration/Administrative Templates/System/Group Policy/Group Policy Domain Controller Selection as desired. The available options are similar to those discussed above and include:

  • Use the Primary Domain Controller
  • Inherit from Active Directory Snap-ins
  • Use any available domain controller

At this point, you should have a relatively good understanding of what group policy objects are and how they enable you to apply policies, at least in a general sense. You also should have enough information to start planning a group policy implementation.

Group Policy Processing In Windows Server 2003 Part V

Another important question to ask is ‘How are GPOs applied over slow links?’ Although most users log on over a relatively high-bandwidth connection such as a LAN, remote and roaming users often log on through low-bandwidth dial-up connections. Other factors can affect connection bandwidth as well. During group policy processing, Windows Server 2003 uses a relatively complex method to determine the connection speed.

Windows Server 2003 first attempts to ping the server, making several attempts to determine an average transmission rate. Failing the ping, Windows Server 2003 measures the connection speed by testing file system performance, the same method used in Windows NT. If Windows Server 2003 detects a slow connection, it processes the group policies as follows:

  1. The security policy is processed.
  2. The policies in Administrative Templates are processed.
  3. The software installation is not processed.
  4. The scripts are not processed.
  5. The folder redirection is not processed.
  6. The Internet Explorer maintenance is not processed.

You can configure the slow-link behavior through the Computer Configuration/Administrative Templates/System/Group Policy/Group Policy Slow Link Detection policy of the group policy object and for user policies through the same node of the User Configuration branch. You can configure these settings for each GPO, enabling you to apply group policies differently for each GPO across a slow link.

As mentioned above, Windows Server 2003 updates group policies automatically based on the refresh interval you specify for group policies, with the default refresh interval being 90 minutes. You can force a group policy refresh in between automatic refreshes, if needed. You can refresh the Computer Configuration policies and User Configuration policies separately.

To refresh Computer Configuration policies, select Run from the Start Menu. In the Run dialog box, type gpupdate /target:computer /force and click OK.

To refresh User Configuration policies, select Run from the Start menu. In the Run dialog box, type gpupdate /target:user /force and click OK.

Group Policy Processing In Windows Server 2003 Part IV

By default, GPO processing is synchronous, which means that the processing of one GPO must be complete before processing of the next one begins. Computer Configuration policies apply at system startup, and User Configuration policies apply at logon and complete prior to the user interface becoming available to the user.

In most cases, you’ll want to continue to use the default synchronous behavior. You can, however, configure Windows Server 2003 to process policies asynchronously. With asynchronous mode, GPO processing can occur simultaneously and on multiple threads, providing better performance and faster processing. To ensure reliable application of policies — particularly where certain policies need to override policies set at lower levels — you should use synchronous mode. Use asynchronous mode only when performance is an issue, and then use it judiciously.

You configure GPO processing mode through the Default Domain Policy. To do so, open the Active Directory Users And Computers console. Right-click the domain and choose Properties. When the Properties window appears, choose Default Domain Policy and click Edit. Next, expand the Computer Configuration/Administrative Templates/System/Group Policy branch. Double-click the Group Policy Refresh Interval For Computers policy, click Enabled, and then set the interval and the offset range. When finished, click OK and close the Group Policy console.

Group Policy Processing In Windows Server 2003 Part III

Windows Server 2003 automatically refreshes GPOs every 90 minutes by default, although it applies a randomized 30-minute offset interval to the refresh period to ensure that large groups of users don’t refresh their GPOs at the same time. Refreshing the GPOs ensures that changes to group policies are implemented in a timely manner.

You can tailor the refresh rate to your network’s needs. Increasing the refresh interval can help reduce network traffic if you seldom change policies. Decreasing the refresh interval causes group policy changes to be applied more quickly and is desirable whenever you expect to change policies more frequently or want to make sure that changes apply in a timely fashion. Decreasing the refresh interval also causes more network traffic, however, so this is a factor you should weigh when deciding on the refresh interval.

You can specify an interval as low as seven seconds or as high as 45 days. Obviously, high intervals such as the maximum are relatively useless, since changes should be applied much more quickly in almost all situations. Very short durations are also undesirable in most situations because of the excessive network traffic they create.

You specify the GPO refresh interval through the Default Domain Controllers GPO. To do so, open the Active Directory Users And Computers console. Right-click the domain and choose Properties. Choose Default Domain Policy and click Edit. Expand the Computer Configuration/Administrative Templates/System/Group Policy branch. Next, double-click the Group Policy Refresh Interval For Computers policy, click Enabled, and then set the interval and the offset range. Finally, click OK and close the Group Policy console.

Group Policy Processing In Windows Server 2003 Part II

In most cases, a user who logs on from a workstation should have group policies applied based primarily on the settings defined by the user object in the Active Directory rather than by the computer object. A user who logs on from a computer that’s part of the servers OU, however, should take settings from the computer object’s location rather than from the user object. There can be many other situations in which you want the computer object’s GPO(s) to take precedence over the user object, as determined by your organization’s structure, computer function, and so on.

Group policy loopback is supported only in pure Windows 2000 and Windows Server 2003 environments (both clients and domain controllers). Group Policy loopback enables group policies to be applied based only on the computer from which the user logs on. Loopback provides for two processing modes:

  • Merge mode: In this mode, Windows Server 2003 processes the group policies for the User Configuration first, followed by those for the Computer Configuration. In effect, this causes the Computer Configuration group policies to have precedence over any User Configuration settings. When the Computer Configuration object doesn’t specify a given policy, the User Configuration object defines the policy setting.
  • Replace mode: In this mode, Windows Server 2003 processes only the Computer Configuration group policies, ignoring the User Configuration group policies.

Keep in mind that in either mode, the user might have several GPOs applied. For example, the user might be affected by a site GPO, a domain GPO, and two OU GPOs. When the client retrieves the GPO list from the DC, the contents of the list are determined by the loopback mode. With merge mode, the client requests the list normally (based on the user location in the AD) and then submits a second request based on the computer location. The result is that GPOs might actually be processed twice.

In this example, the initial GPO list and order of processing are GPO1, GPO2, GPO3, and GPO4. When the second request based on the computer location is fulfilled, the response is added to the list, resulting in a final GPO process list of GPO1, GPO2, GPO3, GPO4, GPO1, GPO2, GPO5, and GPO6. In the case of replace mode, the client requests the list based only on the computer location in the AD, giving the result GPO1, GPO2, GPO5, and GPO6.
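As an added illustration of the list construction and precedence just described (example code written for this page, not from the original article), the following model builds the client’s processing list for each loopback mode and then resolves settings in list order. The GPO names follow the GPO1 through GPO6 walk-through above; the settings each GPO carries are constructed sample data, and a real client would obtain both lists from the DC rather than from hard-coded constants.

```python
"""Worked model of loopback GPO list construction and precedence.

Added example, not code from the original article. The GPO names match the
GPO1..GPO6 walk-through in the text; the settings each GPO carries are
constructed sample data, and the two lookups a real client performs against
the domain controller are replaced by two hard-coded lists.
"""
from typing import Dict, List, Tuple

# Constructed sample: the GPOs a DC would return for the user's location in
# AD (site, domain, two OUs) and for the computer's location.
USER_LOCATION_GPOS = ["GPO1", "GPO2", "GPO3", "GPO4"]
COMPUTER_LOCATION_GPOS = ["GPO1", "GPO2", "GPO5", "GPO6"]

# Constructed settings carried by each GPO (absent key = "not configured").
GPO_SETTINGS: Dict[str, Dict[str, object]] = {
    "GPO1": {"Wallpaper": "corp.bmp"},                                   # site
    "GPO2": {"ScreenSaverTimeout": 900,
             "ProxyServer": "proxy.corp.example:8080"},                  # domain
    "GPO3": {"ScreenSaverTimeout": 600,
             "ProxyServer": "proxy.dept.example:8080"},                  # user's OU
    "GPO4": {"HideRunMenu": True},                                       # user's child OU
    "GPO5": {"Wallpaper": "kiosk.bmp", "NoControlPanel": True},          # computer's OU
    "GPO6": {"ScreenSaverTimeout": 300},                                 # computer's child OU
}

LOOPBACK_MODES = ("none", "merge", "replace")


def build_gpo_list(user_gpos: List[str], computer_gpos: List[str], mode: str) -> List[str]:
    """Return the ordered processing list the client ends up with.

    none    - normal processing: the list for the user's AD location only.
    merge   - the user-location list, then the second request based on the
              computer's location appended to it (so GPOs may appear twice).
    replace - the computer-location list only.
    """
    if mode == "none":
        return list(user_gpos)
    if mode == "merge":
        return list(user_gpos) + list(computer_gpos)
    if mode == "replace":
        return list(computer_gpos)
    raise ValueError(f"unknown loopback mode {mode!r}; expected one of {LOOPBACK_MODES}")


def resolve(order: List[str], settings: Dict[str, Dict[str, object]]) -> Dict[str, Tuple[object, str]]:
    """Apply GPOs in list order; a GPO processed later overrides an earlier one.

    Each effective setting is returned with the GPO that supplied it, which is
    the detail you need when explaining an unexpected result to a user.
    """
    effective: Dict[str, Tuple[object, str]] = {}
    for name in order:
        for key, value in settings[name].items():
            effective[key] = (value, name)
    return effective


def effective_settings(mode: str) -> Dict[str, Tuple[object, str]]:
    """Resolve the constructed sample for the given loopback mode."""
    order = build_gpo_list(USER_LOCATION_GPOS, COMPUTER_LOCATION_GPOS, mode)
    return resolve(order, GPO_SETTINGS)


if __name__ == "__main__":
    for mode in LOOPBACK_MODES:
        order = build_gpo_list(USER_LOCATION_GPOS, COMPUTER_LOCATION_GPOS, mode)
        print(f"{mode:8s} processing order: {', '.join(order)}")
        for key, (value, source) in sorted(effective_settings(mode).items()):
            print(f"         {key} = {value!r}  (from {source})")
```

Note what the merge output shows: because GPO2 is processed a second time after GPO3, the domain-level ProxyServer value wins over the user OU’s value even though no computer-location GPO sets it, while HideRunMenu from GPO4 survives because nothing later overrides it.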

Setting the loopback mode

To set the effective loopback mode, open the Active Directory Users And Computers console, right-click the container in which you want to apply the loopback setting (site, domain, or OU), and choose Properties. When the Properties window appears, click the Group Policy tab.

Select the group policy in which you want to define the loopback setting and choose Edit. Next, expand the Computer Configuration/Administrative Templates/System/Group Policy branch. Double-click User Group Policy Loopback Processing Mode, select Enabled, then select either Merge or Replace from the drop-down list. Click OK to close the dialog box, then close the Group Policy console.

Group Policy Processing In Windows Server 2003

In a previous series of articles on Windows Server 2003 group policy, I described what group policies are and how they work. The next question to ask is ‘How does Windows Server 2003 apply group policies?’

Before you can fully understand the implications of group policies, you need to see how Windows Server 2003 applies them. In this series of articles, I’ll look at how Windows Server 2003 applies the group policies you create.

Which comes first?

Windows Server 2003 processes the local group policy object (GPO) first, followed by the site, domain, and applicable organizational units (OUs). The client requests a GPO list from the domain controller (DC) and then processes that list to apply the policies contained in the GPO(s). The client processes the GPOs according to the priority in the DC-supplied list. Windows Server 2003 processes GPOs at startup, logon, and when the GPO refresh period is reached, which by default is 90 minutes.

On the client side, a group of DLLs — referred to as client-side extensions — perform the group policy processing. Each DLL is responsible for specific policies. Below is a list of the client-side extensions and the policies they process.

  • Registry: Userenv.dll
  • Disk Quota: Dskquota.dll
  • Folder Redirection: Fdeploy.dll
  • Scripts: Gptext.dll
  • Software Installation: Appmgmts.dll
  • Security: Scecli.dll
  • IP Security: Gptext.dll
  • EFS Recovery: Scecli.dll
  • Internet Explorer Maintenance: Iedkcs32.dll
  • Remote Installation Services: None

Each GPO can include policy settings for both User Configuration and Computer Configuration. The client gives precedence to the Computer Configuration policies over the User Configuration policies by processing the User Configuration policies first. In some situations, this precedence can cause unexpected results. For example, a user’s computer might reside in one OU and the user account in a different OU. So how do you determine which GPO is applied? Group policy loopback lets you control that behavior.

Planning For Group Policy In Vista

One of the benefits of connecting your Vista workstation to a Windows Server 2003 server is that you can increase security by applying security settings from the server. Through Group Policy, you can apply different security settings from a central location (the server) to users and computers.

Group Policy provides a wide range of settings that you can use to control the computing environment. Settings range from desktop restrictions to software distribution policies. By applying such restrictions, you can limit the types of changes that a user can make to his or her computer. The result in turn reduces the administrative overhead associated with troubleshooting and repairing system changes made by users.

Given the complexities associated with Group Policy, you need to take some time to plan the implementation. First, you need to identify the restrictions that need to be applied and the users and computers to which they need to be applied.

Next, you need to consider the Active Directory (AD) structure. You can control the application of Group Policies using the logical structure of Active Directory. For example, linking a Group Policy Object (GPO) to a domain will affect more users than simply linking a GPO to a specific Organizational Unit (OU). Therefore, you need to have a solid understanding of the domains and/or Organizational Units within your AD structure to implement Group Policy.

Software Restriction Policies In XP

Software restriction policies let administrators control what types of software users can run on their computers. Doing so protects computers against malicious software and potential conflicts. Software restriction policy can be implemented through Group Policy, making it easy to apply to multiple computers. You can also implement software restriction policy on a standalone computer through the Local Security Policy.

Software restriction policies can be used to:

  • Control what software can run on computers
  • Restrict access to specific files on multi-user computers
  • Prevent executable files from running
  • Identify the users to which the restrictions will apply
  • Identify those users who can add trusted publishers

When you implement a software restriction policy, you need to determine the security level: Unrestricted or Disallowed. With the Unrestricted security level, all software is allowed to run which means you must configure additional rules to block specific software. Conversely, with the Disallowed security level, no software is allowed to run which means you must configure additional rules to allow specific software. However, it is usually easier to create a few allow rules as opposed to many block rules.

To configure a restriction policy through Group Policy:

  1. Open Active Directory Users and Computers.
  2. Locate the appropriate container (the Organizational Unit containing the client computers). Right click the container and select Properties.
  3. From the Group Policy tab, click the appropriate Group Policy Object and click Edit.
  4. Navigate to Windows Settings\Security Settings\Software Restriction Policies.
  5. Open the Security Levels folder to set the default security level (Unrestricted or Disallowed).
  6. Open the Additional Rules folder to identify one or more applications and whether they are allowed to run.

Todd Lamothe Resets Our Computer With Windows SteadyState

Richard and I talk to Greg Lamothe at RunAs Radio about Windows SteadyState. SteadyState allows administrators to configure PCs to roll back to a base configuration after every reboot. Combined with Group Policy for restricting access to resources, you can create the perfect kiosk computer that cleans off all traces of the previous user, ready for the next.

Todd Lamothe is a Systems Administrator for the County of Lennox & Addington — Information Services Department; supporting their Libraries and Museums throughout their 12 points of service. He also provides support for the Leeds & Grenville and Prince Edward County public Libraries as well as other departments within the County of Lennox & Addington. He is a member of the Ottawa Windows Server User Group (OWSUG) and its associated certification study group, member of the board on the newly formed SQL Pass Ottawa Chapter and is also a Microsoft Certified System Administrator and a Microsoft Certified Trainer. He started using Windows SteadyState in the County of Lennox & Addington’s libraries when the program was in Version 1.1 and called the Microsoft Shared Computer Toolkit. He was part of the closed beta team for version 2.0 and now is working with 2.5.