MDM & GP Tips Blog

Jun 2005
01

Issue#8

In this issue:

  • It's Issue 8...
  • GPanswers.com -- Update !
  • Moskowitz, inc. Technology Takeaway (r)
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information

Moskowitz, inc. and www.GPanswers.com -- Issue 8

Welcome to issue 8 of the Moskowitz, inc. newsletter.

Spring is here... heck, it's almost summer. And that means all sorts of good stuff is happening. As I write this, I'm at the Red Hat conference, which is pretty good, and not totally filled with Microsoft bashing. Indeed, the Red Hat folks really have a "Let's play nice" attitude with regards to Microsoft. Refreshing !

What am I doing here, at the RED HAT conference, you ask? It has to do with "Jeremy's Next Big Thing", which I'll discuss (hopefully) in the next newsletter.

In this newsletter, I've got updated class dates, some fun new tips and tricks, and more. As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

 

GPAnswers.com News!

We now have a working "Group Policy Solutions Guide" on GPanswers.com. The goal is to give you a one-stop-shop for 3rd party tools which snap-in to Group Policy.

Just click "Third Party Solutions Guide" after you click over to GPanswers.com to check it out! We have five sponsors (yay, sponsors!) and we also give free listings to free tools.

So, if you know of any free tools that hook into Group Policy -- let me know about it! If it's a free tool, it gets a free listing!

Again, check out the tools we have today!

Group Policy Intensive Training and Workshop

Learn more and sign up here! (Don't forget to scroll all the way to the bottom of that page and locate your city!)

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks

TIP 1

We just had to fire one of our desktop administrators. The only problem is -- he knew the local Administrator password for all of our desktop machines. How can I change all computers' local passwords?

Answer 1

This free tool looks very promising. It looks like it's been around a long time, but, hey -- what the heck! Give it a shot !

TIP 2

I'm looking for some "Plain English" definitions of events in my Event Log. Any idea where to find that?

Answer 2

Yes! My pal Randy Franklin Smith has just the resource. It's literally called "Plain English Explanations of Windows Security Log Events." Check it out! And be sure to say Hi to Randy !

TIP 3

I'm doing some testing as a user. But, we have restricted all sorts of things. How can I temporarily log in as a user, but strip away all GPOs?

Answer 3

Killpol to the rescue! This tool asks for credentials, then lets you kill policies (temporarily) for a logged in user. Really handy when you need it!

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances.

So, check it out any time for up-to-date information!

 

Classes and Seminars
Not free... but worth it! Upcoming classes!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates, and just about all you need to know to hit the ground running -- Fast!

Or ... if you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks again, Microsoft!

How do attendees feel about the class? Here are some of my favorite feedback comments:

  • "Fantastic Presentation !"
  • "Can't wait to go back to share the wealth !"
  • "Would recommend to other IT people in my company."
  • "I had a foot in the GPO door, and now I can hold it open."
  • "Easily the best training about AD I've had in the last 5 years !!"

And my favorite of the pack is from Joey P, who works for a major retailer and writes:

"If you have folks that are even going to SNIFF Active Directory, they *MUST* take this class!"

I don't really know what Joey means, but I'll take it as a compliment.

Thanks, Joey -- and to ALL my students !

For a public class, sign up online.
For a private class, just contact me at [email protected] or call me at 302-351-8408 (note the new phone number.)
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.

Useless Time Waster

Go here. (Don't ask.) In a nutshell, I drink a LOT of Snapple, and one of my best friends noticed. Any Java enabled web browser will do. Trust me, you won't be disappointed.

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. If so, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go). For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Feb 2005
20

Issue#7

In this issue:

  • It's Issue 7...
  • Moskowitz, inc. Technology Takeaway®
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
    • Free live events
    • Classes and seminars
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Even more good stuff!
  • Subscribe, unsubscribe, and usage information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 7

Welcome to issue 7 of the Moskowitz, inc. newsletter.

It's just cold cold cold where I live, and that's no fun. But, thankfully, I get to travel a bit to San Francisco and Los Angeles and a bunch of other warm places before the winter is up.

In this newsletter, I've got updated class dates, some fun new tips and tricks, and more. As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).

Also, I'd like to announce that I have a "Full Time Tips Man" helping out at GPanswers.com. It's Ron Hrehirchuk, who knocks out questions in the forum and does a lot of work getting the FAQ/Tips and Tricks section looking great! If you want to help add to the FAQ / Tips and Tricks section, the best way is to post a message inside the Community forum here. (Note that you must register for the forum to post.)

Thanks Ron, for all you do!  
 

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Three juicy tips and tricks
TIP 1/Question 1

I've been asked this question three times this month, so it must be on people's minds.

"Jeremy, can you explain to me why I might want to put users and computers into separate OUs? We're debating how to implement our OU structure with regard to Group Policy. Any advice you have here would be helpful."

I've never been asked the same question three times in a month. Here's the scoop... Segmenting users and computers into different OUs is, first and foremost, a Microsoft Best Practice. And, it's a Best Practice for a good reason.

Here are three good reasons to separate users and computers into different OUs:

  • Easier troubleshooting
    • When users and computers are separated into different OUs, you can more easily figure out what's going on when you run Resultant Set of Policy tools (i.e., GPRESULT or the Group Policy Results Wizard in the GPMC). You'll know precisely which GPOs are affecting the OU. True, you'd see this anyway, but by segmenting them, there's never a question about which half of the policy (user or computer) is affecting the target.
  • Easier delegation
    • You might want to grant others in your organization the ability to perform certain functions upon your structure. By separating out users and computers, you can delegate some people to create user accounts and others to create computer accounts.
  • Easier implementation of loopback policy
    • The loopback processing attribute affects the computer object. By distinctly separating out computers (especially those which need loopback) it makes loopback troubleshooting a world easier.
       

TIP 2 / Question 2

Under an Active Directory user's properties (Account Tab | Log On To settings), you can restrict what computers a user can log into. This works great but it's not currently set for all of our "lab users" (and it's a fair amount of work to set this manually). So here's the question: How can this be set via GPO?

Answer: There are no Group Policy settings which control this. However, using Active Directory Users and Computers, you can simply "multi-select" several users and select Properties. Simply click each user while holding down the CONTROL key to multi-select.

Then, in the Account tab, select Computer Restrictions and go from there!


TIP 3

Windows Server 2003 has the ability to allow two Remote Desktop connections for administrative purposes. This can be enabled by going to the properties of "My Computer", clicking on the "Remote" tab and enabling "Remote Desktop".

This can also be enabled on each server individually, using the registry setting below, or by creating a custom adm template and deploying the setting via Group Policy.

Registry Settings Involved:

Using regedit, navigate to
HKEY_LOCAL_MACHINE|SYSTEM|CurrentControlSet|Control|Terminal Server

If the value "DenyTSConnections" does not exist, create it as a DWORD.

Setting it to 0 will permit remote desktop connections and setting it to 1 will prohibit them.

Wouldn't it be great if you could set this up with Group Policy so ALL your servers just did this??

Well, you can. On https://www.gpanswers.com/faq/ we're working on a custom .adm Template that can be deployed via Group Policy by creating an .adm file using included code. After you implement it, you won't know how you did without it.

It'll be up this week in the FAQ/TIPS section! So stop by and tell your friends!
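
Before pushing the Remote Desktop setting to every server, it helps to know what each one is doing today. The PowerShell below is an added example, not the GPanswers.com template or any code from this newsletter: it reports whether the local registry value from this tip or a Group Policy value is deciding Remote Desktop on the machine it runs on. Assumptions: the value is read as fDenyTSConnections, which is how Windows stores it (the tip writes the name without the leading "f"), and the Policies key shown is where the built-in Terminal Services policy setting writes its copy.

```powershell
# Added example: report whether this server accepts Remote Desktop connections
# and which registry location is deciding that.

$ValueName = 'fDenyTSConnections'   # assumption: name as stored by Windows
# Local setting changed by the "Remote" tab or by a direct registry edit.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# Location written by the built-in Terminal Services Group Policy setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-DenyValue {
    param([Parameter(Mandatory)][string]$Path)
    # Returns 0 or 1 when the value exists, $null when the key or value is absent.
    $prop = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

function Get-RemoteDesktopState {
    $policy = Get-DenyValue -Path $PolicyKey
    $local  = Get-DenyValue -Path $LocalKey

    # A policy value, when present, overrides the local one.
    if ($null -ne $policy)    { $source = 'GroupPolicy';   $deny = $policy }
    elseif ($null -ne $local) { $source = 'LocalRegistry'; $deny = $local }
    else                      { $source = 'NotSet';        $deny = $null }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        DecidedBy    = $source
        PolicyValue  = $policy
        LocalValue   = $local
        # 0 permits connections, 1 prohibits them; $null means neither value exists.
        RdpPermitted = if ($null -eq $deny) { $null } else { $deny -eq 0 }
    }
}

$state = Get-RemoteDesktopState
$state | Format-List

# Flag servers where Remote Desktop was switched on by hand rather than by policy.
if ($state.DecidedBy -eq 'LocalRegistry' -and $state.RdpPermitted) {
    Write-Warning 'Remote Desktop is enabled by a local registry value, not by Group Policy.'
}
```

A server that reports DecidedBy = LocalRegistry was configured by hand or by a custom template that writes outside the Policies key, so the setting stays behind even after the GPO that set it is removed.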
 

Upcoming Conferences, Appearances, and Classes

On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm always updating with any public (and private) appearances. So, check it out any time for up-to-date information!
 

Free Live Events
GROUP POLICY POWER HOUR Webinar

New date: Friday, December 03, 2004 (was November 19th):
8:00 AM -- WEST COAST
11:00 AM -- EAST COAST
Seminar #3 in the "The Group Policy Power Hour!" It's 1/2 hour of talk and demos, and 1/2 hour of Q&A!

Here's the intro:

One of the key skills to master is to know what's going on at your client system. In this talk, Jeremy will demonstrate the various methods to get the Resultant Set of Policy, or RSOP, for your client systems. Both command-line tools and the GPMC can be used to gather this knowledge, so join Jeremy for this Power Hour session!

Registration is available here.

 


 

Technology Takeaway®, a service of Moskowitz, inc. (Supersecret, hidden, Easter-egg Part of the Newsletter)

We're just giving it away! --

More Technical Takeaway Tips (My way of saying thanks for making it all the way to the end of the newsletter!)

BONUS TIP #1

  Is your company starting to use Firefox? Terrific, except out of the box, it's not Group Policy enabled... Buuut... check out: http://spaces.msn.com/members/in-cider/ for a way to make it enabled! (We're working on making this a permanent section within our Tips collection.)

BONUS TIP #2

Check out http://www.grouppolicywiki.com
It's a way for people to simply "add what they know" to a common body of Group Policy knowledge.
I've contributed a bit, my pal Darren Mar-Elia (who runs GPOguy.com) has contributed a bit and Microsoft has contributed a LOT. Add your 2 cents! It's helpful and fun!


Nov 2004
27

Issue#6

 

In this issue:

  • It's Issue 6...
  • GPanswers 2.0 -- New year, new design
  • Moskowitz, inc. Technology Takeaway®
    • Correction from Newsletter #5
    • Three juicy tips and tricks
  • Upcoming conferences, appearances, and classes
    • Free live events
    • Classes and seminars
    • Upcoming conference appearances
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe, and usage information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 6

It's issue 6, and welcome again to the Moskowitz, inc. / GPanswers.com newsletter. Here's hoping you had a great Thanksgiving !

The personal news here is that I've hired a new assistant--well, I guess that makes it "personnel" news. His name is Jon Seitzer. If you'd like to drop him a note or just say "Hi," you can reach him at [email protected].

As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).
 

GPanswers 2.0 -- New year, new design

GPanswers.com is a little over one year old. And, well, it was time for a makeover. We've got some very exciting changes to the web site available immediately, and a little more coming up really soon.

First of all, we have an updated look and feel. Not just for the sake of doing something new, but rather because I kept hearing the same report: People told me they had trouble finding "where to click" to find stuff on the web site. I've had that all changed to be easier to find!

Additionally, GPanswers.com URLs are now "on their own." No longer are GPanswers.com URLs really just pointers to Moskowitz-inc. Of course, you can still get to Moskowitz, inc. pages in various ways on GPanswers.com.

Those are the changes as of today. Here is what's coming up in the next several days/weeks:

  • New searchable FAQ section
  • New Tips and Tricks section
  • Annnnnnd...the Big News! We are diligently working on a sponsored "Group Policy Solutions Guide" which enables YOU to easily locate 3rd-party software that enhances Group Policy!

We're aiming to get each and every vendor that offers a Group Policy product to join the club! If you think there's a company and product that should be listed, just let me know! Additionally, we've updated the 2005 class location list and schedule. Be sure to click on "Group Policy Workshop" to get a full list of the updated schedule and/or to sign up for a class.

I hope you enjoy GPanswers.com 2.0 in our second year! PS: I'll likely send out a mini-announcement when the "Group Policy Solutions Guide" goes live.
 

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

Correction from Newsletter #5

I hate to have to start out with an apology. But, alas, it happens. That is, my Bonus Tip #1 in Newsletter #5—the "TWO Remote Desktop Sessions" tip--didn't pan out to be true. I did test it ... but I tested it with a Beta of SP2, and, well, that functionality was removed last minute from the ACTUAL SP2.

D'oh! My bad.

Three juicy tips and tricks

TIP 1

Recently, I've been searching for a way to avoid going to the task bar (oops, I mean "Notification Area") in order to disconnect various hardware. Often, I'm just "ready to roll" but, alas, it takes multiple mouse clicks to get the job done to disconnect USB flash disks, Firewire hard drives, or my USB camera.

Here's a tip you can use to save some time. It comes from this Microsoft KB article: "Remove hardware from a command line".

The syntax is a little hard to follow. In this case, I'm going to list the active USB devices.

C:\>devcon find usb*
USB\ROOT_HUB\4&1B96DD0A&1 : USB Root Hub
USB\ROOT_HUB\4&23036E4B&1 : USB Root Hub
USB\ROOT_HUB\4&A2AFF59&1 : USB Root Hub
USB\ROOT_HUB20\4&18075F55&1 : USB Root Hub
USB\VID_05DC&PID_A400\415DEF11191525121004 : USB Mass Storage Device
5 matching device(s) found.

Let's say I want to remove the USB Flash Disk that is currently attached. In the example, I can see that my device has a unique ID of "415DEF11191525121004." To remove it, I can quickly type in a command (or, better yet, batch file) that removes this device based on a string within the device.

C:\>devcon remove "@USB*525121004*"
USB\VID_05DC&PID_A400\415DEF11191525121004 : Removed
1 device(s) removed.

In my short time using this utility, here's what I've found:

  • Some devices complain when being "ripped" out of the system like this. Couple your batch file with the Sysinternals tool called "Sync" which can flush the data to the disk before removal. I'm not saying it'll 100% prevent data damage, but it's certainly better to sync before removal.
  • When specifying the device to remove, be sure to put the unique device name between quotes.
  • Additionally, precede it with an @ sign. Not really sure why, that's just the deal.
  • It seems that each time I remove a device (then plug it back in), I'm essentially re-forcing the PNP subsystem to do its thing when the device is plugged in next. I guess I'm really looking for a command to "eject" a device and not "remove" it.

The closest I've come is this:

"RUNDLL32.EXE SHELL32.DLL,Control_RunDLL hotplug.dll"

It starts the "Unplug or Eject Hardware" wizard, but that's about all it does. If anyone figures out the command syntax for disconnecting a device WITHOUT "removing" it, please let me know!

There's a nice website dedicated to things like this little utility here.
If you have any neat tricks to add to this, do let me know!
 

TIP 2

Everyone I know has cell phones. But heck if I know what carrier they're using. So, when I want to send a little text message (known properly as SMS messages), I have to just GUESS which service they're using.

Is it @vtext.com ? @tmomail.net ? @cingular.com ? Who knows?

And now, you don't have to. Just send an email to
@teleflip.com and -- voila! Instant SMS message to your friend or co-worker.
 

TIP 3

Ron Hrehirchuk is one of my most active GPanswers.com forum members. He's constantly knocking tough questions out of the park. Indeed, Ron is going to be helping me with enhancing the "Tips and Tricks" section.

Recently, Ron found this little gem.

The goal? To use Group Policy to control your EnergyStar-compliant systems. I checked it out, and it is very, very nice! I didn't actually use it though, because I don't have the right kinds of hardware. But it's certainly an interesting example of how Group Policy can be used in ways not normally considered.
 

Upcoming Conferences, Appearances, and Classes

Something new... On www.moskowitz-inc.com (or www.GPanswers.com) I have a neat-o calendar that I'm updating with any public (and private) appearances. So, check it out any time for up-to-date information!
 

Free Live Events
GROUP POLICY POWER HOUR Webinar

New date: Friday, December 03, 2004 (was November 19th):
8:00 AM -- WEST COAST
11:00 AM -- EAST COAST
Seminar #3 in the "The Group Policy Power Hour!" It's 1/2 hour of talk and demos, and 1/2 hour of Q&A!

Here's the intro:

One of the key skills to master is to know what's going on at your client system. In this talk, Jeremy will demonstrate the various methods to get the Resultant Set of Policy, or RSOP, for your client systems. Both command-line tools and the GPMC can be used to gather this knowledge, so join Jeremy for this Power Hour session!

Registration is available here.
 

Classes and Seminars
Not free... but worth it! Upcoming classes!


How do attendees feel about the class? My favorite email this month was from Chris Curran from Sullivan Data Management.

Great Class!! Ever since the training everything GPO just seems to make a heck of a lot of sense. It's like you filled an eyeglass prescription or something.

Chris Curran

Sullivan Data Management

That's me ... Jeremy Moskowitz, your GPOptometrist.
Just contact me at [email protected] or call me at 302-793-3957.

 

 


Oct 2004
17

Issue#5

In this issue:

  • It's Issue 5...
  • Where do you want me?
  • Moskowitz, inc. Technology Takeaway (r)
    • Three juicy questions and answers...
  • Upcoming conferences, appearances, and classes
    • Free live events
    • Public courses until the end of the year ... and one for 2005 already!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe, unsubscribe and usage information
     

Moskowitz, inc. and www.GPanswers.com -- Issue 5

It's issue five of the Moskowitz, inc. newsletter. Hopefully, you've all had some time to at least experiment with XP/SP2. Okay, okay ...here's my short, shameful confession: I haven't loaded it yet on my own laptop. Okay, sure, it's on my desktop machine, but not the one I travel with.

Why haven't I committed? Because I'm busy busy busy... running around the country, etc. I'm 1% fearful that I'll be that one guy who gets the BLUE SCREEN after the reboot.

I have some vacation time planned in December. That's when I'm making my own switch. Do you have a plan for your company? As always, you can forward this newsletter to your friends -- but please do so in one whole piece (please don't just cut and paste).
 

Where do you want me?

I'm trying to come up with the Group Policy Intensive Training and Workshop class schedule for 2005. My plan is to do 12 PUBLIC training classes – one a month in a different city. I'm committed to having one in Orlando, Phoenix, Dallas, and Philly. All dates (except Orlando) to-be-determined. Everything else is open for negotiation.

So, if you think you've got a great location for a class (we only need 5 people to make it "a go"), then send me an email with a subject line of CLASS LOCATION: . I'll take the top 6 suggestions, and that'll be that. The winning results will be in the next newsletter. Of course, I'll still be available for PRIVATE training classes inside your company. You don't have to VOTE for that. Just send me an email when you're ready to get that started.
 

Technology Takeaway®, a service of Moskowitz, inc.

Here's what's on people's minds recently...

TIP / Question 1

We have a GPO that disables XP/SP2's Firewall until we can configure and test its use. So, when a new system starts up on our LAN, the GPO takes effect immediately and disables the firewall.

However, if the user has never connected to the LAN before, and simply dials in, the policy does not appear to have any effect. I have left a test machine connected for over 3 hours to give the background refresh time to occur, and have tried manually initiating processing with "gpupdate /force" -- but neither had any effect. Again, if I then connect the system to the LAN, the policy takes effect immediately.

Answer 1

First, you need to be using the XP/SP2 ADM templates. (See previous newsletters for that.)

Then, you can drill down to:

Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall

There, you'll see both "Domain Profile" and "Standard Profile." And, the policy setting you're after is: "Firewall: Protect all network connections" and you want to set it to DISABLED (yes, Disabled). The policy settings in "Domain Profile" are used when AUTHENTICATED to a DC. The policy settings in "Standard Profile" are for when the computer ISN'T AUTHENTICATED to a DC.

Soooooooo.... You have a very special case, my friend. You should set *BOTH* the
Domain Profile | Firewall: Protect all network connections
and the
Standard Profile | Firewall: Protect all network connections

so they are Disabled.

Why? Because when you dial in you might not be actually authenticating to a DC. Rather, if you dial in (when already logged on) you're using pass-through authentication. You might need to GET the GPO ONE TIME on the LAN (ie: not dialed up) for this magic to work. Then, it should keep on working.
 

Question 2

How can I stop XP/SP2 from deploying to my clients via critical update?
 

Answer 2:

Take a look at the materials on Microsoft's web site here. There's an ADM template to squelch XP/SP2 from being automatically downloaded until YOU'RE ready. There's also other little odds and ends in there to help with the process.
 

Question 3

Jeremy, some things just aren't going to work after I install XP/SP2. Do you know what is known to "blow up"?
 

Answer 3

Check out this KB article which has a known list of stuff that might not work immediately after XP/SP2 is applied. There are a lot of applications on this list, so be sure to give it a look-see BEFORE you leap into XP/SP2.
 

Upcoming Conferences, Appearances and Classes

Something new...
On www.moskowitz-inc.com (or www.GPanswers.com )
I have a neat-o calendar that I'm updating with any public (and private) appearances. So, check it out anytime for up-to-date information!
 

It's Free! Jeremy pairs with Microsoft TechNet Presenters at key events!

Microsoft is running around the country giving free all-day Active Directory, Group Policy and ISA talks. I was just paired up with TechNet presenter Bryan Von Axelson, in Dover, DE and Philadelphia, PA and it was great!

I'll be there at some more dates, giving out some free books, some shirts -- oh, and some killer Group Policy tips, too! I get about 20 minutes to speak, but, believe me, you'll walk away with something you can use immediately.

Hope to see you there.

You can sign up for the free Microsoft events here. They're simply EVERYWHERE around the country. But I'm not. I'm scheduled to appear at two more before the end of the year: December 14th, 2004 in my hometown of Wilmington, DE and December 16th, 2004 in either Trenton, NJ or Allentown, PA. It's still being determined. I'll keep you posted as I know more.
 

Not free... but worth it! Upcoming classes

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes. These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates and just about all you need to know to hit the ground running -- Fast!

Hope to see you in class soon!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At the MMS 2004 and TechEd 2004 conferences, Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks, again Microsoft!

If you want to see the full course outline, and sign up for an upcoming public class, be sure to click here. Or ... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!) I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Just contact me at [email protected] or call me at 302-793-3957.
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.
 

Technology Takeaway (r), a service of Moskowitz, inc. (Supersecret, hidden, Easter-egg)

We're just giving it away! -- More Technical Takeaway Tips (My way of saying thanks for making it all the way to the end of the newsletter!)
 

BONUS TIP #1

Did you know Windows XP's SP2 has a new ability to have TWO Remote Desktop Sessions? Out of the box, XP SP2 only has one. You can enable the second one with a simple registry punch.

1) In the registry, drill down to: HKEY_LOCAL_MACHINE | System | CurrentControlSet | Control | Terminal Server | Licensing Core.
2) Create a new REG_DWORD value named EnableConcurrentSessions.
3) Set the value to 1.

You may have to reboot (or maybe not). And, voila! Instant double-team!
 

Bonus Tip #2

Microsoft had another nice online Q&A chat on September 29th with the guys who head up the Group Policy division within Microsoft.

If you missed the chat, you can catch the transcript. Some goodies in there, for sure! They even mentioned us -- GPanswers.com training! Hey, thanks! You make me blush!
 

Bonus Tip #3

Microsoft is having a large 14-part webinar series on Group Policy. They're doing one each Wednesday until the end of the year. Discover more about it!

My pal Matt Hester from Microsoft is doing the presentations, so be sure to catch some!
 

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. If so, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Aug 2004
11

Issue#4

In this issue:

  • It's Issue 4...All about Service Pack 2 for XP
  • Moskowitz, inc. Technology Takeaway (r) Part I:
  • Recap and Corrections from Newsletter #3
    • Recap + Update #1: XP/SP2 gives you more -- much more
    • Recap + Update #2: How to use these 700 new settings that affect XP/SP2 ?
    • Recap + Update #3: Loading XP/SP2 will prevent admins from performing RSOPs
  • Upcoming conferences and appearances
  • Moskowitz, inc. Technology Takeaway (r) Part II:
    • What happens if I load XP/SP2 and it bluescreens ?
    • Weeding through the bajillion firewall settings in XP/SP2
    • Da Big one: ADM Template Trouble!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe and unsubscribe information
     

Moskowitz, inc. www.GPanswers.com -- Issue 4

It's issue four of the Moskowitz, inc. newsletter. Windows XP's Service Pack 2 is out, and it affects you.

Unless you were living under a rock, you already knew XP/SP2 would have some impact on your systems. If you believe the hype, XP/SP2 will change everything from the climate to my bowling average. Trust me, it's not that bad -- you just need some reliable information to help you get through the change.

Microsoft has some great data on XP/SP2, and the first place you should travel to is what I call "XP/SP2 Central" on Microsoft.com here.

Unfortunately, while I'm sure it's in there somewhere, this site doesn't specifically highlight how Group Policy might be affected by the installation of XP/SP2. So, that, my friends, is what this newsletter is all about. (And, as late-breaking information comes out, you might expect another newsletter not too far out!) Once again, I suggest you save a copy of this newsletter (print, inbox, etc) because when Service Pack 2 for XP comes to your organization, you'll want to recall some of the juicy goodies we'll be exploring in this issue.

You can forward this newsletter to your friends but please do so in one whole piece (please don't just cut and paste.)


Technology Takeaway (r), a service of Moskowitz, inc. (Part I)

Before we dive into the new stuff for this newsletter, let's take a quick stroll down memory lane to Newsletter 3, which also had some Group Policy goodies for XP/Service Pack 2.
 

Recap + Update #1: XP/SP2 gives you more -- much more

In the previous newsletter, I said that XP/SP2 brings about 90 new Group Policy settings to the table. Well, I seemed to not have had my coffee that day, as I failed to mention the additional 619 policy settings which affect Internet Explorer when running on XP/SP2.

Again, I have a link to Microsoft's latest spreadsheet which helps bring out the differences here. That page has now been updated to link to Microsoft's FINAL (not Release Candidate) version of the spreadsheet.
 

Recap + Update #2: How to use these 700 new settings that affect XP/SP2 ?

A common question is: "How do I get these XP/SP2 policy settings to show up when I create a new Group Policy Object?"

A Microsoft article on how to do that is MSKB 816662, entitled: "Recommendations for managing Group Policy administrative template (.adm) files." (In the last newsletter, I had the wrong KB article. Again, not enough coffee.) Or, an explanation in plain English with some extra advice for a holistic approach to ADM template management can be found in Chapter 5 of my new Group Policy book.
 

Recap + Update #3: Loading XP/SP2 will prevent admins from performing RSOPs

As we stated in Newsletter 3, once you load XP/SP2, all INCOMING client communication to your clients will be prohibited. If you have viruses and other little nasties running around your network -- this is a good thing. However, you'll likely want to get back the functionality that's lost by this change.

So, what do you do? You have three options:

Option 1: Turn off the Windows Firewall in XP/SP2

Result: Would let the nasties back in if they're running around your network. Maybe not the best option for all organizations... The default setting for Windows Firewall is "Enabled" for a good reason!

Option 2: Leave the Windows Firewall on, but make sure I can still perform RSoP and otherwise manage my client computers. Perform this magic using policy settings only found in the Service Pack 2 ADM files.
or
Option 3: Manually run around and enable port 445 (to get RSoP back) on specific client machines. This option is tedious and not recommended.

The net result: Opening up port 445 is essential for administrative tools to work between Active Directory and the XP machine from where you do your administration.

Again, please check out Newsletter #3 for a full account of how to turn these settings on (which turns off certain Windows Firewall settings.)

All our newsletter stuff is found here. Additionally, please check out this article which highlights the precise problem in Microsoft's words.
 

Upcoming Conferences, Appearances and Classes
It's free! GROUP POLICY POWER HOUR Webinar

Seminar #2 in "The Group Policy Power Hour!"

It's 1/2 hour of talk and demos, and 1/2 hour of Q&A!

Here's the intro:

It's true: Group Policy is now self-documenting. You just need to know where to go to get the information. And securing users' access to which Group Policy functions they can perform is important. If you needed to grant someone specific access to modify a GPO, could you do that?

Come to this session to learn some "insider goodies" about the Group Policy Management Console (GPMC). Then, ask as many questions as you want in the second half of the POWER HOUR!
http://tinyurl.com/47xxt
 

Not free... but worth it!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates and just about all you need to know to hit the ground running -- Fast!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At both MMS 2004 and TechEd 2004 Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions! Wow! Thanks, again Microsoft!

If you want to see the full course outline, and sign up for an upcoming public class, be sure to check out: 
www.gpanswers.com/live-class

Or... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!) I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Just contact me at [email protected] or call me at 302-793-3957.
 

Technology Takeaway (r), a service of Moskowitz, inc. (Part II)

Here's some fresh, new material about XP/SP2!

What happens if I load XP/SP2 and it bluescreens?

As the Hitchhiker's Guide to the Galaxy says, "DON'T PANIC." Here are the steps to roll back XP/SP2 to a (hopefully) previously working condition:

  1. Boot to recovery console. You can do this by booting off any bootable Windows XP CD if you haven't previously loaded it.
  2. Using the recovery console, locate the %windir%\$NTServicePackUninstall$\spuninst folder
  3. Rename "spuninst.txt" to "spuninst.bat"
  4. Then, execute the batch file with "Batch spuninst.bat"

This should remove XP/SP2 AND if you have it, XP/SP1, so be careful! This will return you to Windows XP -- NO SERVICE PACK!

This could be especially troublesome on unprotected networks if you still have little nasties running around within the network!

Why does a bluescreen happen? Matrox Millennium drivers seem to be a major cause. Load the latest drivers from the Matrox web site, then re-apply the XP/SP2 installation.
 

Once XP/SP2 is installed, there are a bajillion firewall settings. How can I figure out what they all do?

Microsoft has a great document just for the "Star Feature" of XP/SP2, the Windows Firewall. Learn how to make it sing and dance the way YOU want.

The document is called: Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 and you can find it here.
 

Da Big one: ADM Template Trouble!

Those of you who hear me speak know I talk about a concept called a "Management Station." Your Management Station is where you DO your Group Policy work from.

You could create a new GPO by walking up to a Windows 2000 DC, then modify that same GPO by walking up to your Windows XP PC and editing it there. In this scenario, you've used two "Management Stations" -- both the Windows 2000 DC and the Windows XP PC.

The problem we need to take a moment to discuss is what happens when you use templates from Windows XP/SP2 and use them on any management station OTHER THAN XP/SP2.

And you'll get it about 50 (yes, 50) times (with various error messages.)

Here's the link from Microsoft which describes the problem: http://support.microsoft.com/?kbid=842933

But what is this technote really saying?

It's saying that you'll need to apply a patch on any management station you modify Group Policy from. Does this mean you have to patch EVERY server and EVERY workstation? NO! You only need to patch the locations from WHERE YOU CREATE AND EDIT GPOs.

So, where do you find the patches?

If you use Windows 2000 as your management station, you can use this patch, here.

Patches for XP/SP1 and WS03-RTM are forthcoming. I'll have an announcement on the BBS when Microsoft releases them.

Follow up on this important bug in the Moskowitz inc. Group Policy forums. Specifically, I've started a thread here in the forums just for this specific bug. So, sign up for the forums, and stay tuned!
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.
 

Technology Takeaway (r), a service of Moskowitz, inc. (Supersecret, hidden, Easter-egg Part III)

We're just giving it away!
 -- More Technical Takeaway Tips
(My way of saying thanks for making it all the way to the end of the newsletter!)
 

Bonus Tip #1

Special GOLD STAR to Andy King who has a super solution for whacking MyDoom nasties with GPOs. Just check out our ongoing support forum. Specifically, Andy posted his solution here.
Thanks Andy!
 

Bonus Tip #2 (Keeping with our XP/SP2 theme)

Check this out on Microsoft's web site for a detailed how-to on installing XP/SP2 using SMS.
 

Bonus Tip #3

Microsoft had a nice online Q&A chat with the guys who head up the Group Policy division within Microsoft. If you missed the chat, you can catch the transcript. Some goodies in there, for sure!

They even mentioned us -- GPanswers.com! Hey, thanks!
 

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. If so, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

Jul 2004
04

Issue#3

In this issue:

  • Moskowitz, inc. and www.GPanswers.com
    • Partnering with the GPTF.ORG
  • Upcoming conferences and appearances
    • Not free... but worth it!
  • Moskowitz, inc. Technology Takeaway (r)
    • XP's SP2 is imminent (save this email!)
    • Bonus!: Kill Spyware with Group Policy!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
  • Subscribe and unsubscribe information

 

Moskowitz, inc. and www.GPanswers.com

It's issue three of the Moskowitz, inc. newsletter. As promised, it's strategically put out "Roughly whenever I feel like it."

And I feel like it!

Why? There's a lot of Group Policy buzz! There's a lot happening lately, and I want to be the first to bring it to you. So, let's kick off this issue.

I suggest you save a copy of this newsletter (print, inbox, etc) because when Service Pack 2 for XP hits, you'll want to recall some of the juicy goodies we'll be exploring in this issue.  

 

Introducing the GPTF.ORG

Harmony. Cooperation. Working together.

These phrases are not something that is normally associated with rival product vendors. But, that's exactly what is going to be happening with an upcoming group I've helped create called the "Group Policy Task Force" or, GPTF.

The GPTF is a consortium of vendors which make Group Policy product add-ons. Many vendors hook in to what Microsoft's Group Policy already offers and take it to the next level. Even Microsoft themselves are a member. This strong showing of support from all vendors involved demonstrates their commitment to the Group Policy "way of life" which we know and love to use every day.

 

So, Where do I fit in?

I came up with the idea because there was no direct avenue for Microsoft to hear vendors' requests, assess how important those requests were to administrators like you, and actually get the wish into the next version of Group Policy product.

Additionally, because Group Policy is becoming more and more important it's only a matter of time before vendors start to want to have some interoperability between their products.

I will be helping with ongoing coordination efforts. My official title in this role is called "Group Policy Evangelist" (how cool is that!?) If I only got a scepter or something to wield around... now that would be cool. But I digress.
(Actually, this one is pretty cool)
 

So, where do you fit in?

While the GPTF is not open for membership to the community-at-large (ie: network administrators) directly, there are two ways you can help.

First, you should communicate with your 3rd party product vendor about what you want to see regarding interoperability. If you see an avenue for cross-over between vendors, there's a good chance that we can make it happen now.

Also, if you have a specific wish you might want built right into Group Policy itself, we have a new forum at the GPanswers.com bulletin-board entitled "Group Policy Functionality Wish List" where you can post what you want! No guarantees that your wish is going to be embraced, but, if you don't A-S-K, you won't G-E-T.

You can check out the GPTF.ORG web site to see which vendors are participating. And, you can check out our official press release here.

 

Upcoming Conferences, Appearances and Classes

Not free... but worth it!

The number one thing holding back administrators from using Group Policy more is LACK OF TRAINING. Well, there's no excuse anymore!

Join us for one of my upcoming two-day "Group Policy Intensive Training and Workshop" classes.

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At both MMS 2004 and TechEd 2004 Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training!

In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions! Wow! Thanks, again Microsoft!

So, to sign up for an upcoming public class, and check out the full course outline, be sure to click here.

Or... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!)

Just contact me at [email protected] or call me at 302-793-3957.
 

Technology Takeaway (r), a service of Moskowitz, inc.

XP's Service Pack 2 is almost ready to burst forth on the scene.

Are you ready?

If I were you, I'd be glued to Microsoft's SP2 site for Microsoft professionals which is here.

I'm quite sure there will be some upcoming prescriptive guidance for its proper deployment and implementation, so stay tuned. However, Release Candidate 2 (RC2) is out, and you can play with it today. And, you should. This is because when you apply XP/SP2 to an existing XP system, you get new functionality, new power, and the ability to manage more stuff with about 90 new policy settings to play with! (Correction for anyone reading the archive version of this newsletter, that should have read 611 new settings if you include all the IE ones)

I have a link to Microsoft's latest spreadsheet which helps bring out the differences here. The biggest thing to expect with XP/SP2 is the fact that the Windows Firewall (formerly known as the Internet Connection Firewall) is ENABLED (that is, turned ON) by default. So, as soon as XP/SP2 is installed, there's a good chance things won't work as expected.

Once the Windows firewall is turned on, you won't even be able to ping your XP/SP2 machines. In other words, all INCOMING client communication to your clients will be prohibited (though as of XP/SP2 RC2, there is an exception for Remote Assistance on port 3389.)

So, what do you do?

Here are some suggested avenues to mitigate your potential upcoming pain.


Option 1: Turn off the Windows Firewall in XP/SP2

If you're thinking "I'm already working just fine, I don't want the Windows Firewall at all" you can disable it when users authenticate to your domain controllers.

The new policy setting is located here: Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile and is named Windows Firewall: Protect all Network connections.

This policy setting is a little weird. In order to turn off the Windows Firewall, you need to set the policy setting to DISABLED. This is because the new default sets XP/SP2 to have the firewall ENABLED; so you're essentially REVERSING the edict.

Turning off the Windows firewall might be just the thing, or it might be overkill. If you think it might be overkill, read onward!
 

Option 2: Leave the Windows Firewall on, but make sure I can still manage my client computers

Like I said earlier, once the Windows Firewall is on, all inbound client communication is kaput. But, you'll occasionally need to talk TO your clients from the servers.

Specifically, if you use GPRESULT or the Resultant Set of Policy tools built into the GPMC, you won't be able to ask the client "What's going on?" without adjusting the XP/SP2 client.

So, how do you fix it?

Drill down to Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile and ENABLE the policy setting named Windows Firewall: Allow Remote Administration Exception

Now your requests will successfully go through.

Also, according to some sources, this is the same policy setting you would enable if you have your Active Directory Administration tools running on your XP/SP2 machine, such as Active Directory Users and Computers or the GPMC. This is because ENABLING this policy additionally opens up port 445 which is essential for these tools to work between Active Directory and the XP machine from where you do your administration. However, in my testing Active Directory Users and Computers, AD Domains and Trusts, and many other administration tools worked just fine without me needing to open up port 445 via this setting. Your experience might be different depending on the tools you use.
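Added example (not from this newsletter or from Microsoft): a Python audit of a .reg export of the Windows Firewall policy key, reporting per profile the two settings from Option 1 and Option 2 above and flagging the combinations an admin would want to know about. It assumes the policies are stored under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall as EnableFirewall and RemoteAdminSettings values; it also reads the Standard Profile, and the sample export and function names are constructed for illustration.

```python
import re

# Assumed policy location for the Windows Firewall ADM settings.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
PROFILES = ("DomainProfile", "StandardProfile")
STATE = {None: "not configured", 0: "disabled", 1: "enabled"}

# Constructed sample: export of the policy key from a hypothetical XP/SP2 client.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled"=dword:00000001
"RemoteAddresses"="*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
'''


def parse_reg(text):
    """Parse .reg text into {key path: {value name: value}}, names lowercased
    because the registry is case-insensitive. Handles dword and string data."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = re.match(r'"([^"]+)"=(.+)$', line)
        if match is None or current is None:
            continue  # header line, blank line, or a data type not handled here
        name, data = match.group(1).lower(), match.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = data[1:-1]
    return keys


def audit(keys):
    """Summarise firewall state and the remote administration exception per profile."""
    report = {}
    for profile in PROFILES:
        profile_key = (BASE + "\\" + profile).lower()
        firewall = keys.get(profile_key, {}).get("enablefirewall")
        admin = keys.get(profile_key + "\\remoteadminsettings", {})
        report[profile] = {
            "firewall": STATE.get(firewall, "unknown"),
            "remote_admin": bool(admin.get("enabled", 0)),
            "remote_admin_scope": admin.get("remoteaddresses"),
        }
    return report


def findings(report):
    """Return the settings worth a second look before the GPO goes out."""
    out = []
    for profile, row in report.items():
        if row["firewall"] == "disabled":
            when = ("not authenticated to a DC" if profile == "StandardProfile"
                    else "authenticated to a DC")
            out.append(f"{profile}: firewall forced off by policy (applies when {when})")
        if row["remote_admin"] and row["remote_admin_scope"] == "*":
            out.append(f"{profile}: remote administration exception open to any address")
    return out


if __name__ == "__main__":
    result = audit(parse_reg(SAMPLE_EXPORT))
    for name, row in result.items():
        print(name, row)
    for item in findings(result):
        print("CHECK:", item)
```

Run it against an export of the same key from a test client after the GPO applies, so you can confirm which profile your settings actually landed in.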

A common question is: "How do I get these XP/SP2 policy settings to show up when I create a new Group Policy Object?"

A Microsoft article on how to do that is MSKB 816662, entitled: "Recommendations for managing Group Policy administrative template (.adm) files."

Or, an explanation in plain English with some extra advice for a holistic approach to ADM template management can be found in Chapter 5 of my new Group Policy book.
 

***BONUS TIPS***

We're just giving it away!
-- More Technical Takeaway Tips
 

BONUS TIP #1

Want to preemptively kill spyware and the like leveraging GPOs? This BLOG demonstrates how to use SpywareBlaster to leverage GPOs to configure your clients.

Use at your own risk. I haven't tried it out, but it sounds good on paper.

Thanks to contributor Bill Avellan for locating this!


BONUS TIP #2:

Are your incremental backups larger than you think they should be? Maybe it's a bug with Group Policy. Check out the fix here. It corrects a problem if you're using Group Policy to change file permissions.

Thanks to contributor Gary Busby for this one!
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding!

Order your signed copy today by clicking here:

Thanks for reading! And, as promised I'll send out the next newsletter "Roughly whenever I feel like it" or whenever big news hits. Until next time!
 

Subscribe and Unsubscribe Information

- subscribe to this newsletter
- unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, possibly, you've received this message as a forward from a friend, or are reading it online in the archives. If so, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:
www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

May 2004
30

Issue#2

In this issue:

  • Moskowitz, inc. and www.GPOanswers.com, er, GPanswers.com updates
    • Help GPanswers.com rise to the top!
    • Helping your fellow Group Policy administrator!
  • Upcoming conferences and appearances
    • It's free! Windows Server 2003 Group Policy Essentials Webinar
    • Not free... but worth it! Upcoming classes.
  • Moskowitz, inc. Technology Takeaway (r): five juicy questions (and answers!)
  • Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
  • Subscribe and unsubscribe information


Moskowitz, inc. and www.GPOanswers.com, er...

It's stunned analysts everywhere. Okay, actually, no one seemed to notice. But, I've decided to change the name of GPOanswers.com to GPanswers.com.

Why the change?

Well, the GPO (Group Policy Object) is the "molecule" that makes the Group Policy world go round. However, the name GPOanswers.com wasn't all encompassing enough.

In reality, the forum and the web site is about all aspects of Group Policy, not just the GPO "molecule."

To that end, I've renamed it to be www.GPanswers.com. Note that www.GPOanswers.com will still point to the same place.
 

Help GPanswers.com rise to the top!

There's only one "go to" location for Group Policy help on the web. And that's GPanswers.com!

Only problem? Our Google rank is in the tank.

I'm not a "Google-head" -- that is, I don't have a genuine understanding of the Google-rhythm, or whatever the algorithm is called that pushes certain pages to the top of the ranks.

Long story short, the only thing I know that helps is if others POINT to the web site. So, if you're interested in helping out the community, then, please create a web site link from your web site to GPanswers.com.

You'll be helping everyone who is interested in getting some extra Group Policy help.  


Helping your fellow Group Policy administrators!

Hopefully, you're finding the updated resources of GPanswers.com useful. We have some dedicated folks in the forum (www.moskowitz-inc.com/bbs) constantly knocking out questions for others in need.

If you're an expert (or use Group Policy a lot) we would encourage you to help out others! That's the spirit of the forum ...give a penny, leave a penny... er, ask a question, answer a question.

Also, if you come across something that's new and exciting which EVERYONE should know about, then let me know.

I'll make it a permanent link in the GPanswers.com site.

Note that I've changed the policy of the forum a bit. That is, we now require that you are a registered member of the forum to post. This is because guests don't have the ability to receive emails when someone responds to their posts. And we want to make sure that all answers are getting to their respective question-askers.


Upcoming Conferences, Appearances and Classes

It's free!


Windows Server 2003 Group Policy Essentials Microsoft Technet Webinar

 

From the Microsoft site:

Just getting started with Windows Group Policy? Unsure of where Windows® Group Policy applies or how to manage them? In this session you'll learn just what Group Policy is, and how you can deploy it correctly. Join this webcast to hear Active Directory and Group Policy guru Jeremy Moskowitz (from GPOanswers.com) and author of the recently overhauled "Group Policy, Profiles and Intellimirror for Windows 2003, Windows 2000 and Windows XP" teach you the ropes. Learn how to modify Group Policy objects to lock down desktops and manage your user environments. Gain insights into the thorny issues surrounding permissions. Discover how to delegate the job of creating Group Policy. Last, you'll learn how to troubleshoot Group Policy -- through tools and with your bare hands.

Sign up here: http://go.microsoft.com/fwlink/?LinkId=27801

Not free... but worth it! Upcoming classes

We'd love to see you in the upcoming two-day Group Policy intensive training and workshop class. Here's what one IT manager said after taking the training:

Facing the challenge of upgrading our multi-site user environment I was very concerned with my staff's limited knowledge of Group Policy.

Much like most sites we struggled with estimating outside resource requirements for our Active Directory project. Looking for Group Policy specific training proved to be a challenge and I turned to a resource from my computer security group who recommended Jeremy.

After speaking with Jeremy about the classes I immediately identified him as someone who would be a valued resource, as he clearly understood many of the problems I was facing. After the class which wrapped up on 4/24 I find myself adjusting my project plan, as my staff went from being unsure of the challenge ahead to being able to confidently plan and implement a strong Group Policy environment.

The class was very detailed and Jeremy really knows how to control the class. The labs are great assuring that everyone can touch and feel Group Policy. Jeremy proved to be a solid professional, and from what I can tell one of the few who can drill down to the expert level in Group Policy.

Maurice McClain,
GSEC Manager IS Operations

Thanks Maurice!

Also, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

Indeed, at TechEd 2004 Mark Williams from the Group Policy team encouraged the 1500 attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions!

Wow! Thanks, Microsoft!

So, to sign up for an upcoming public class, and check out the full course outline, be sure to visit: www.gpanswers.com/my-online-class

Or... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! Just contact me at [email protected] or call me at 302-793-3957. If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!)

 

Technology Takeaway (r), a service of Moskowitz, inc.

Here are some questions on people's minds recently...

Question 1:

I implemented an Account locked out policy on my domain. I set the policy to lockout after 3 tries, but most user accounts still get locked out with our old account policy. So, next, I tried to disable the policy but my domain Administrator account still gets locked out according to the old lockout policy. What could be causing this?

Answer 1:

This sounds like you have a DNS problem. I know, I know – how can this possibly be a DNS issue, you ask? I submit that perhaps not all of your Domain Controllers are receiving the updated domain policy. Hence, they are retaining some other policy you set. So, my advice? Make one DNS server the authoritative source and have all Domain Controllers (temporarily) use that DNS server for resolution. Hopefully, the latest policy will take effect, and you'll be updated.

Question 2:

How do I restrict users from opening and editing the registry in Windows XP? All domain controllers are 2003 server.

Answer 2:

Software Restriction Policies to the rescue! There are plenty of great Microsoft articles on Software Restriction Policies in Technet or online. (Or, you can get it in plain English in my book.) Don't forget, though, that Software Restriction Policies are only valid for Windows XP or Windows 2003 as clients – those with Windows 2000 clients are out of luck! Oh, and it doesn't matter if your DCs are 2000 or 2003.

Question 3:

Are Group Policy Objects cumulative? If a GPO is linked to the domain and then a separate GPO is linked to an OU, do features of the domain GPO "flow" down to the OU and apply with features set in the OU GPO as long as they don't conflict? I thought that if a GP was assigned to an OU then its features would overwrite any features set by a GP assigned to a level above.

Answer 3:

If you have no GPOs that conflict anywhere in your SOM (scope of management), they will apply cumulatively. However, if you have a GPO which says to do one specific thing at, say, the Domain level, and another GPO which says to do a specific thing at, say, the OU level, the one "closer" to the user (or computer) will apply. So, here's a simple example: At the domain level, imagine that you restrict the control panel, but at the OU level, you make it available again. Since the GPO linked to the OU is closer to the target account, its setting will take effect.
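The rule in Answer 3, worked through as an added example (not code from the newsletter or from Microsoft): a small Python model that merges GPO settings in processing order and reports which GPO won each conflict. The GPO names, setting names and the `depth` field are constructed for illustration, and the model assumes plain link order only, with no enforced links, blocked inheritance or security filtering.

```python
from dataclasses import dataclass

# Processing order, lowest precedence first. A GPO processed later is
# "closer" to the target and overwrites conflicting settings.
LEVELS = ("local", "site", "domain", "ou")


@dataclass
class GPO:
    name: str
    settings: dict  # setting -> value; anything absent is "Not Configured"


@dataclass
class Link:
    level: str      # one of LEVELS
    depth: int      # OU nesting depth; 0 for non-OU levels, larger = closer
    gpo: GPO


def resolve(links):
    """Merge linked GPOs and return (effective, winner, conflicts).

    effective: setting -> final value
    winner:    setting -> name of the GPO that supplied the final value
    conflicts: list of (setting, overridden_gpo, winning_gpo)
    """
    # sorted() is stable, so links at the same level and depth keep the
    # order in which they were supplied.
    ordered = sorted(links, key=lambda l: (LEVELS.index(l.level), l.depth))
    effective, winner, conflicts = {}, {}, []
    for link in ordered:
        for setting, value in link.gpo.settings.items():
            if setting in effective and effective[setting] != value:
                conflicts.append((setting, winner[setting], link.gpo.name))
            effective[setting] = value
            winner[setting] = link.gpo.name
    return effective, winner, conflicts


# Constructed sample mirroring the answer's scenario: the domain GPO
# restricts Control Panel, the OU GPO makes it available again.
DOMAIN_GPO = GPO("Domain Lockdown", {
    "ProhibitControlPanel": "Enabled",
    "RemoveRunFromStartMenu": "Enabled",
})
OU_GPO = GPO("Sales OU Desktop", {
    "ProhibitControlPanel": "Disabled",
    "Wallpaper": "corp.bmp",
})
# Deliberately listed closest-first to show that link level, not list
# position, decides the outcome.
SAMPLE_LINKS = [Link("ou", 1, OU_GPO), Link("domain", 0, DOMAIN_GPO)]

if __name__ == "__main__":
    effective, winner, conflicts = resolve(SAMPLE_LINKS)
    for setting in sorted(effective):
        print(f"{setting:24} = {effective[setting]:9} (from {winner[setting]})")
    for setting, loser, won in conflicts:
        print(f"conflict on {setting}: '{won}' overrides '{loser}'")
```

The `conflicts` list is the part worth reviewing in a real environment: each entry is a place where a GPO linked lower in the tree undoes a setting made higher up.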

Question 4:

I blew up the Default Domain Policy in my Windows 2000 domain. How can I recover that?

Answer 4:

You're in luck! (Well, not really since you blew up a critical GPO.) Microsoft has just released RecreateDefPol.exe. It restores the Default Domain and Default Domain Controllers policy GPOs in case of accidental deletion. This tool is for use exclusively on Windows 2000 Server, Advanced Server, and DataCenter Server. Do not use this tool on Windows Server 2003; use Dcgpofix.exe instead (included in Windows Server 2003). You can download the tool directly from Microsoft here: http://tinyurl.com/3yyr3

Question 5:

I love using the Group Policy Software Deployment functionality. However, recently I tried to decommission a file server we were using, and well, chaos ensued. Any recommendations or "best practices" for using Group Policy Software Deployment?

Answer 5:

Use DFS in conjunction with software deployment, and you'll be in clover. Why? Because DFS will abstract the REAL server name from the equation. That is, you can bank on the DFS share being there, even if you change the underlying file server name. So, my recommendation is to use \\{dfsname}\{rootshare} like \\corp.com\software instead of \\{specificserver}\{sharename}. This way, if you change servers, you can easily move the file share to the new server, change the DFS pointer, and everything just keeps on truckin' !
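One way to check an existing deployment against the recommendation in Answer 5, as an added example (not from the newsletter): a Python audit that parses package source paths and flags any that name a specific server instead of the domain's DFS namespace. The package list, server names and the NetBIOS name `CORP` are constructed, and the check assumes a domain-based DFS root, which is addressed by the domain name itself.

```python
import re

# Constructed sample: source paths as they might be recorded for Group
# Policy Software Installation packages. All names are illustrative.
SAMPLE_PACKAGES = {
    "Office": r"\\corp.com\software\office\pro11.msi",
    "Acrobat": r"\\FILESRV01\apps\acrobat\AcroRead.msi",
    "Viewer": r"\\filesrv01.corp.com\apps\viewer\viewer.msi",
    "Legacy": r"D:\installs\legacy\setup.msi",
}

# Names under which the domain-based DFS namespace is reachable
# (assumption: DNS name and NetBIOS name of the domain).
SAMPLE_DOMAIN_NAMES = ["corp.com", "CORP"]

# \\host\share[\rest]
UNC_RE = re.compile(r"^\\\\([^\\/]+)\\([^\\/]+)(?:\\(.*))?$")


def parse_unc(path):
    """Split a UNC path into (host, share, rest); return None if not UNC."""
    match = UNC_RE.match(path)
    if match is None:
        return None
    host, share, rest = match.groups()
    return host.lower(), share, rest or ""


def classify(path, domain_names):
    """Classify a package source path.

    'dfs-namespace'   host is the domain itself, so the share survives a
                      change of the underlying file server
    'server-specific' host is a single machine; decommissioning it breaks
                      every package that points there
    'not-unc'         local or mapped-drive path that clients cannot rely on
    """
    parsed = parse_unc(path)
    if parsed is None:
        return "not-unc"
    host = parsed[0]
    if host in {name.lower() for name in domain_names}:
        return "dfs-namespace"
    return "server-specific"


def audit(packages, domain_names):
    """Return {package: classification} for every path that needs attention."""
    findings = {}
    for name, path in packages.items():
        result = classify(path, domain_names)
        if result != "dfs-namespace":
            findings[name] = result
    return findings


if __name__ == "__main__":
    for name, result in audit(SAMPLE_PACKAGES, SAMPLE_DOMAIN_NAMES).items():
        print(f"{name:8} {result:16} {SAMPLE_PACKAGES[name]}")
```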

 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding!

Order your signed copy today by clicking here: www.gpanswers.com/books

Thanks for reading! And, as promised, I'll send out the next newsletter "Roughly whenever I feel like it" or whenever big news hits. Until next time!

Subscribe and Unsubscribe Information
==============================================

- subscribe to this newsletter
- unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, if you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !

May 2004
21

Issue#1

In this issue:

- Jeremy's put together his first newsletter!
- Moskowitz, inc. and www.GPAnswers.com updates:
- It's OUT! The most anticipated sequel of the year!
- How to get your copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000
- Join us at www.GPAnswers.com
- Upcoming Group Policy intensive class: onsite and public
- Upcoming conferences and appearances
- Moskowitz, inc. Technology Takeaway (r): five juicy questions (and answers!)
- Subscribe and unsubscribe information

 

Can it really be true? Jeremy's put together his first newsletter!

If you're getting this newsletter, it probably means that you've handed me, Jeremy Moskowitz, a business card at a conference, meeting, or seminar -- or you've specifically asked to be part of this list. I've converted your email address from the business card to this email listserver, which can easily handle subscribing and unsubscribing, as well as offering a host of other features. All information on subscribing and unsubscribing can be found at the end of this newsletter. If you choose to unsubscribe, you won't get any more newsletters like these.

However, I hope you stay with me! This newsletter's intent is to keep you updated on the comings and goings of Moskowitz, inc. and www.GPAnswers.com, provide a technical tip or three, and generally keep you apprised of the state of affairs. In the words of Scott Adams, the creator of Dilbert, this newsletter will come out "roughly, whenever I feel like it." Some newsletters will have lots of news. Other issues will be shorter. In all cases, I'll try to make efficient use of your time.

I do hope you'll stay aboard.

Moskowitz, inc. and www.GPAnswers.com updates

Here's a brief rundown of what's new at Moskowitz, inc. and www.GPAnswers.com.

 

It's OUT -- March 22nd! The most anticipated sequel of the year!!

...and it's 100% Jar-Jar Binks free!

That's right! The follow-up to the wildly successful Windows 2000: Group Policy, Profiles and IntelliMirror is here! It's called Group Policy, Profiles and IntelliMirror for Windows 2003, Windows 2000, and Windows XP. If you liked the first one, you're going to love this edition!

It's not an update -- it's an OVERHAUL!

The best news is that 90-95% of the material is applicable to Windows 2000 users. Even if you have just one Windows XP machine in your domain, you'll want to take a look!

Here are the major changes:

- We shifted the focus primarily to Windows 2003 Server and Windows XP (from Windows 2000 Server and Professional). The Group Policy Management Console (GPMC) changes everything.

Warm-ups and usage are in Chapters 1 and 2. We continue all examples of Group Policy application by demonstrating the GPMC in the remaining chapters of the book.

- The "secret underbelly" of Group Policy Processing has changed for Windows XP. Come to Chapter 3 to find out what. I've also made sure to have the most technically accurate information for Windows 2000 processing possible. (Chapters 1, 2, and 3)

- Group Policy Troubleshooting is never easy, but with additional techniques in Chapter 3 and Chapter 4, you'll have that extra edge!

- If you're getting into automation with scripting, Chapter 7, "Scripting Group Policy Operations," is for you. This chapter, written by the one and only Bill Boswell, will quickly get you up to speed with a gaggle of great stuff you can do once you learn the scripting interface. All in all, this chapter will just make your life easier. We even have a super-secret trick in the book to script the "push" of GPOs to your client systems! Zowie!

- There are lots of new add-on tools available for Group Policy management. Some are in the Microsoft Windows 2003 Resource Kit, others are third-party products, and others are free tools. There's even one feature of the GPMC which can be thought of as an add-on to help us migrate GPOs from one domain to another. It's all in the chapter entitled "Group Policy and Profile Tools."

- Security is a hot topic. Group Policy lets you access the heart of the security within Active Directory and across your whole network. Chapter 6, "Group Policy Security Implementation," is completely revamped to home in on this important subject. There is information here that is simply not available in any other text.

- Other changes you'll find in the book include new strategies for ADM template management (Chapter 5), Windows XP Profile behavior (Chapter 8), Windows XP folder redirection changes (Chapter 9), Group Policy software distribution changes (Chapter 10), Remote Installation Services changes (Chapter 11), migrating GPOs with the GPMC (Appendix B), and a third-party tools list (Appendix B).

- Oh, and did I forget to mention the five downloadable web resources? Everything from Restricted Groups tables to a quick reference of all the newest policy settings for Windows 2003, Windows XP, Windows XP + SP1, and Windows XP + SP2!

So I hope you'll agree with me: this edition isn't just a revision, it's a total overhaul! This book is in the Mark Minasi Windows Administration Series. And Michael Dennis, the Lead Program Manager of Group Policy at Microsoft, kindly provided the Foreword. Here's an excerpt from the Foreword:

At Microsoft, we have a lot of downloadable documentation on Group Policy, Profiles, and IntelliMirror (r). What Jeremy provides with this book is a "one-stop-shop" for practical, how-it-works information, including real-world examples of implementing and troubleshooting Group Policy, Profiles, and IntelliMirror. Indeed, his digging and prodding into the Group Policy internals means that there is information in his book that you simply cannot find anywhere else. Jeremy has always provided an independent eye into how Group Policy works. Best of all, his writing style will keep you engaged throughout the entire book.

Jeremy's book uncovers the basics of Group Policy and GPMC and then reveals the hidden nuggets that truly unleash the power of Group Policy. He describes the many underlying and overt changes since Windows 2000 that make this book a valuable successor to his previous work. The practical, (often prescriptive) technical information just keeps rolling in -- chapter after chapter.

-- from Michael Dennis, the Lead Program Manager of Group Policy

 

Buy Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 in three ways!

If you're ready to get crackin' with your Group Policy workout, you can get the new book in one of three ways:

- You can order it from Amazon for $35.00 plus shipping by clicking here: http://www.amazon.com/exec/obidos/tg/detail/-/0782142982

- You can order it from Bookpool for $30.95 plus shipping by clicking here: http://www.bookpool.com/.x/ehonrnhp8m/sm/0782142982

- If you order the book from me, I'll sign the book for you, free! I've had many requests for this service, and I'm honored that you would want it! If you order it from me, you get the book, shipping included! Usually, I try to ship out the week's orders on Mondays and Thursdays. If you need a guaranteed shipping date, then Amazon might be a better choice. The cost is $45. The slight extra cost goes toward the shipping from SYBEX to me, then me to you (not for the signature.) Again, note that shipping -is- included.

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards just fine.) Thanks for understanding! Order your signed copy today by clicking here: www.gpanswers.com/books

Join us at www.GPAnswers.com

 

You've got questions, we've got answers. And we won't ask for your home phone number like Radio Shack. Come join your peers at www.GPAnswers.com for the following goodies:

- All the Web downloads from the book (you don't have to track them down at SYBEX's Web site)
- Additional ADM templates
- Additional VB scripts
- Pointers to all the best Microsoft Group Policy stuff
- Newsletter archives
- And an ongoing battery of new stuff as it comes up!

Best of all, there's the www.GPAnswers.com Discussion Forum!

Here, your peers are waiting to chat with you about all sorts of Group Policy, Profiles, and IntelliMirror topics: everything from troubleshooting to trying something new! And you never know who might be lurking and posting -- just waiting to answer your question or hear your feedback.

We've already received a lot of buzz... so, c'mon and join the fun! Note that joining the Forum doesn't automatically join you to the newsletter, so, if you're receiving this newsletter because someone forwarded it to you, be sure to sign up for both!
Subscription information can be found at the end of this newsletter.

 

Now Available! Group Policy intensive class! Public and Onsite!

You've asked for it, and here it is: a two-day Group Policy intensive workshop! It's really three days of stuff presented in two days. If you need to get up to speed and get using that Active Directory you've got lying around, then this is the class for you! It'll consist of about 50% instruction, 50% demos, and 50% hands-on practice. Okay, somehow, that's 150%! But would you expect anything less?

You can see an outline of the course here: www.gpanswers.com/online-class

And... This class can be taught as a private class within your company (with all the personalized attention that affords). Just email me at [email protected] for details.

 

Technology Takeaway (r), a service of Moskowitz, inc.

Here are some questions on people's minds recently...

QUESTION 1: Can you have different policies governing different types of users within the Domain? Specifically I am looking to have non-privileged users expire and change passwords every 45 days and privileged users every 30.

ANSWER: Unfortunately, no. You cannot have different Account or Password policies within the domain. If you must perform what you describe, you must have two domains.

QUESTION 2: I have a standalone PC with Windows XP Professional and I want to create a few users with restricted use. For example, remove the icons on the desktop or take away "run" in the Start menu. Now I have tried this with GPEDIT.MSC, but when I do, even the Administrator account is affected. How can I log on as an Administrator and restrict users for certain parts but not get the restriction myself?

ANSWER: You should avoid using GPEDIT.MSC on local machines. When you do this, you have the least amount of control over your Active Directory. Really, you're only able to control just that one machine. Instead, you should set up GPOs linked to the domain-level or OU-level to affect your users or computers. You can use Group Policy filtering (via user groups) to specify which specific users or computers will be affected. You can remove Administrators from the processing in this fashion.

QUESTION 3: Can you restrict the use of floppy and/or CD-ROM drives on workstations in a domain with Group Policy?

ANSWER: Yes. Check out these two policy settings:

- User Configuration | Administrative Templates | Windows Components | Windows Explorer | Hide these specified drives in My Computer
- User Configuration | Administrative Templates | Windows Components | Windows Explorer | Prevent access to drives from My Computer

QUESTION 4: We have a Win2000 Server network environment and are running AD. About 95% of our end-user PCs are Win98 SE. How do I set Group Policies so that I can restrict end users' ability to change wallpaper, etc?

ANSWER: Bad news. Active Directory Group Policy cannot affect Windows 98 clients. Group Policy only affects Windows 2000, Windows XP, and Windows 2003 machines. You'll need to use old-style SYSTEM POLICY, which creates CONFIG.POL files. Remember -- these SYSTEM POLICIES will be permanent entries in your registry until you specifically change and invert the settings (a distinct disadvantage to Active Directory Group Policy).

QUESTION 5: I want to leverage GPOs such that a temporary user can log on only to the computer he is given. Once there, I want him to only be able to use Word, Excel, Acrobat, and Internet Explorer, but not be able to access Windows Update, Yahoo, or Hotmail. I am new to both Active Directory and Group Policy, and I don't want to mess with other users.

ANSWER: This question has a fourfold answer:

1. First, load a workstation with the specific software you want him/her to run. Your list above is fine. You can do this manually, or via Group Policy Software Installation.

2. To restrict a user to a specific computer, you need to be running NetBIOS. Then, in the user's Account tab, click the "Log on to" button and specify the computer you want to restrict the user to.

3. Users, that is, non-administrators, cannot go to Windows Update. You don't have to do anything to restrict access to this site.

4. To restrict users from all other Web sites, you'll need to get familiar with how to implement Internet Explorer Maintenance policies -- either via local GPOs or via Active Directory GPOs. The process is fairly detailed, but here are the steps in a nutshell: Configure a computer's IE settings to be as restrictive as you want, then use the Internet Explorer Maintenance Settings (specifically, those located in User Configuration |Windows Settings | Internet Explorer Maintenance | Security | Security Zones and Content Ratings) to import the current computer's settings. Then the other computers you apply the GPO to will embrace the same settings as well.

In short, you may be new to Group Policy, but you'll have to get familiar with it to do lots of tasks -- so, better get started learning!

 

Subscribe and Unsubscribe Information

- subscribe to this newsletter
- unsubscribe from this newsletter

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

Thanks for reading!