MDM & GP Tips Blog

A fellow reader like you, named Dave King emailed me this screenshot.

Dave asked me a short, sweet question and included a killer screenshot.

First the question, then the screenshot

Jeremy..

If I set a GPO to be applied at the SITE level and it is working fine, and set another at the DOMAIN level and it is working fine…

When I go to the node and look at the applied Policies it shows only the one linked at the DOMAIN level.

What happed to the SITE one?

It is there and working, and when I run a Resultant set of Policy on the node it DOES show the SITE GPO and the DOMAIN GPO.

But it does not show the SITE GPO’s influence on the Node without running the RSOP.

Is there any explanation for this behavior?

Thanks,

*Dave*

First,  Dave, THANK YOU for having this so clearly marked up, expressing exactly what your problem was, and how I can help. This makes the job of helping you MUCH EASIER. (That is to say, if you are looking for a little help, I would please first encourage you to use the GPanswers.com forums.. THEN ask for help.) And if you ARE going to ask for help or look to get a question answered, THIS is exactly how to do it.

Now, lets take a look at the screenshot. (Seriously.. this is the EXACT screenshot I got from Dave. I didn't make these markups.. he did. Thank you Dave !)

What Dave is witnessing is completely normal. Dave is noticing that Site-Linked GPOs (in this example Hide Screen Saver Option, linked to Default-First-Site-Name) is actually WORKING on the client. He explains this when he tells me that he sees it show up in the RSOP (gpresult /R) report on the client.

Cool.

So the question really is.. Why can't I see it here, in the Group Policy Inheritance tab?

The answer is simple. The GPMC itself cannot know WHO will be in that site at any given time. So, to avoid confusion it won't show site-based GPOs in the Group Policy Inheritance tab.  For instance, lets pretend that Default First Site was really named Detroit. And, lets also pretend that there was a second site named Dublin (either Ireland, or Ohio.)

Now, if there is a GPO linked to Detroit and others linked to Dublin what is the Resultant Set of Policy RIGHT NOW for anyone in the Human Resources OU? Answer? We don't know.

We don't know, because we don't know if we're talking about users in Detroit or Dublin. So, the GPMC Group Policy Inheritance tab simply doesn't show (ie: assume) where the user (or computer) is at that moment.

Therefore, you'll see the GPO in the RSOP reports on the computer (because the computer ITSELF knows where it's at).. but the GPMC simply cannot make any assumptions.

Mystery Solved !

Thanks Dave.. This was a fun one !

One thing that seems to be confusing for the newer GP-practitioner is what GPMC version should I use?

The answer: Always the latest one.

That one, right now, is the GPMC for Windows 7 or Windows Server 2008 R2.

Those are equal in their capabilities.

You can install the Windows Server 2008 R2 as a feature of the operating system using the Server Manager utility as seen here.

You can install the Windows 7 GPMC by installing a downloadable piece called RSAT Remote Server Administration Toolkit.

That RSAT utility is found here, and note.. there are 32-bit and 64-bit versions.

Once installed (and it takes a while) you can install the GPMC in the Turn Windows features on or off as seen here.

Then, run GPMC.MSC, and you'll be off and running using the GPMC console !

By using the latest GPMC, on either Windows 7 or Server 2008 R2, you'll always have access to the latest abilities. Like GP Preferences, or creating AppLocker policies.

So, if you're using the old XP GPMC, get on board with the latest, greatest GPMC. You'll be happy you did !

Team: I had this email exchange with a friend of mine the other day.

The email title was: "Policy vs. Preference (I don't get it.)"

I thought you'd like it. Read all the way thru to the end for how to get more information TOMORROW, Friday at 12.00 PM EST.

[Note, we're having some login issues to the GPanswers.com web accounts. Sorry if you're affected right now; we're working to fix it... Thanks.]

--

Jeremy...

OK I'm having serious brain 'problem.' What, really, is the difference between an unmanaged policy setting and a preference (GPPreferences-style)?

I CAN remember, at this late hour, that managed policy settings are in the Policies key of the registry. Seems to me that unmanaged policy settings (which equate to settings that can tattoo, right?) are elsewhere, yeah? So what makes them different than changes made by Preferences?

I am just trying to hone my use of terminology and make my boss understand "Policy" vs "Preference" vs "PolicyPak". THANKS!!!!

Okay Frank.. So.. I'm sure there's some "complete and proper definition" somewhere at Microsoft about what a Policy is vs. a Preference.

But when I talk with people about "Policy" Vs. "Preference" here's the litmus-test I use to determine "which is which."

I define policy as "three things"... that is, these three things need to be TRUE for you to be able to call it a "True Policy." A policy means that the setting:

1. Properly goes to the "Policies" keys in the registry (one of only FOUR sanctioned locations)

and

2. UI lockout occurs such that users cannot scoot around it

and

3. UI lockout / setting reverts when GPO falls "out of scope" (ie: You whack the GPO.)

So, "Prohibit Access to the Control Panel" is a true POLICY. It meets these three criteria.

If you crack open the ADM/X, you'll see that the registry punch goes to the Policies keys... and once set, users cannot scoot around it.

A Preference is EVERYTHING ELSE.

So.. some criteria to check if it's a Preference would be:

1. Does it store its keys anywhere in the registry? (ie: OUTSIDE the 4 proper Policies keys?)

and

2. Does it still permit a user to manipulate the UI? (ie: No UI lockout?)

So, 99% of hand-created ADM or ADMX templates and a large percentage of GP Prefs items are just that.. Preferences. (Note that many GP Preferences items have a scope which are NOT the registry. For instance, "Local users and groups" deals with the local SAM and NOT the registry. Others, deal with services. But for the purposes of this discussions, I think you're asking about REGISTRY items, and many of the GP Preferences items are, indeed, registry focused.)

So, let's examine the GP Preferences "Internet Explorer Settings." They're Preferences.

Why? Because... once a user gets the settings...

Test #1: The keys aren't contained in the "Policies" keys
Test #2: Users can scoot around and change the values to whatever they want
Test #3: If you whack the GPO with a preference, what happens? It "tattoos" or "leaves behind" the settings you set.

Do note, if you whack the GPO with a GP Preference, on some items there is an extra flag which is called "Remove when no longer applies" which will DELETE THE VALUE (not REVERT the value). Which, could be harmful to your application. Ouch.

So, where does PolicyPak fit in?

In contrast.. POLICYPAK will "bridge the gap" when it comes to Registry punches and settings Applications' settings.

The free PolicyPak Community edition is able to:

1. Write keys anywhere in the registry

while

2. Performing UI lockout

and magically

3. Reverting to the value you want when no longer applies (not totally deleting the value!)

PS: There's a guide which I wrote to help clear up a lot of these questions. Let me know what you think:
https://www.policypak.com/solutions/why-group-policy-admins-need-policypak.html

Why isn't Group Policy Working on this client?
Did You Check the DNS Configuration of the Client?
---------------------------------------------------

One of the most frequently encountered problems with Windows 2000 and above is that things just 'stop working' when DNS gets out of whack. Specifically, if you're not seeing Group Policy apply to your client machines, make sure their DNS client is pointing to a Domain Controller or other authoritative source for the domain. If it's pointing to the wrong place or not pointing anywhere, Group Policy will simply not be downloaded.

As a colleague of mine likes to say, 'Healthy DNS equals a healthy Active Directory.'

Moreover, in the age of Windows 2003/2008 with its multiple forests with cross-forest trusts, Group Policy could be applying from just about anywhere and everywhere. It's more important than ever to verify that all DNS server pointers are designed properly and working as they should. For instance, if clients cannot access their 'home' Domain Controllers while leveraging a cross-forest trust, they won't get Group Policy.

Finally, to put a fine point on it, DNS leverages only the fully qualified name. It's not enough to verify that you can resolve a computer named xppro1 as opposed to xppro1.corp.com. The first is actually the NetBIOS name and not the fully qualified domain name. The second is the fully qualified domain name. If you find yourself in a DNS resolution situation where resolving the NetBIOS name will work, but the fully qualified name will not work, then you have a DNS problem that needs to be addressed.

Derek Melber has a new GP book by Microsoft Press. I'm holding my copy in my hand, and it's a great book for anyone looking to get more rounded on Group Policy. It's a short read, about 500 pages, and has some good information on 3rd party tools and solutions. (Which I'm a big fan of.) Derek's book also cracks open ADMX files (if you're into that kind of thing) as well as details sample output of many of the Group Policy GPMC scripts (available online at Microsoft.com.) So check it out. It's part of the larger Microsoft Server 2008 Resource kit. You can learn more about his book here. Congrats Derek !

I was recently interviewed by RunAsRadio.com. Really great guys.. Thanks for having me on your show. Everyone can click Here to hear the interview!

Greg from MCPmag almost got it right. So I set him straight about ADM and ADMX files. Check out his correction in MCPmag.com here.

It's only 11 months after RTM, so these files are right on time! :-) Just kidding, I'm sure it was a lot of work. These ADMX files for Office 2007 localize the GP settings into 8 languages, so that's pretty impressive. Just pop 'em in your central store, and get a beer. Don't know what ADMX files are? Then read the last two newsletters. Don't know what a central store is? Then read my free Chapter 5 in the "Book Resources" section here on this site. That's what we do here at GPanswers.com -- giving you the building blocks to get smarter in Group Policy. Since 2003 ! Check out the ADM and ADMX files here (one download.)

I get questions all the time like "Why isn't GP working?" Well, that's not often the easiest question to answer because there's a lot of moving parts to GP. With that in mind, Microsoft has some new documentation called the "GP Health Model" / GP Infrastructure. It's really an "Anatomy of GP" so you can say "Doctor, when I move my arm it hurts!" and see that it's really your shoulder and not your arm. Anyway, check out the doc. Very interesting stuff.

AGPM helps you edit and manager GPOs offline before going "live." If you've never seen AGPM in action hear it from The Chief, Kevin Sullivan from Microsoft. Great video with awesome production values Click Here