MDM & GP Tips Blog

Aug 20, 2012

Sometimes, you gotta ask the duck.

I was going to entitle this blog post What the duck?

But I thought better of it.

Here's the deal: People often ask me how to troubleshoot things. Very, very specific things.

Instead, let's take a step back and talk about two (similar) techniques to get YOUR troubleshooting skills better aligned.

Method one: What do you think?

In Galaxy Quest, this was a deleted scene. But I loooove it. From 1 minute 10 seconds to 2 minutes 14 seconds in, Tech Sergeant Chen is being asked how to fix "something". It doesn't really matter what that SOMETHING is.

Watch how he handles it end to end

How to actually perform troubleshooting (1 minute 10 seconds to 2 minutes 14 seconds.)


Yes, laugh at it of course.. but there's some actual validity to what is going on here. By simply asking "What does that mean?" during a crisis, you can quickly get to the bottom of many, many issues and find the root causes of a world of problems.

This very recently helped me troubleshoot a problem on my web site, but can be used for just about anything.

Method two: Ask the duck?

I had never heard of this one before, but GPanswers.com fan John Straffin pointed this out to me when he wrote in and said he had an Ask the duck moment.

I had NO idea what he was talking about, but he pointed me toward this Livejournal entry: http://hwrnmnbsol.livejournal.com/148664.html 

and this Wikipedia entry:

http://en.wikipedia.org/wiki/Rubber_duck_debugging

Reading it says it all. In short, re-explaining your challenge to a fake friend can help reframe your brain and make discoveries in all kinds of unique ways.

Now, I Ask the duck all the time.

Aug 16, 2012

Bitlocker .. it ain't just for Laptops

Team:

I went to the doctor today. Nothing major. (Cough, cough.)

Anyway.. I’m walking down the hall, and I see this:
IT-ROOM

Look closely at the door name: Nope, nothing special in THERE.
Then, look toward the handle. Yep… KEY in the DOOR.

That’s okay. It’s only my personal medical records in there. No biggie, right? Sigh.

So, this got me thinking about, ya know.. being Evil.. which I am not.. and none of you are. (Little known fact: Everyone on GPanswers.com and PolicyPak.com goes thru a strict pre-screening regimen to ensure only "Non Jerkfaces" are getting these tips, thoughts, and updates.)

Anyhoo.. seeing this totally unlocked and MARKED door made me think about what it would take to be Evil if I wanted to.

And the most evil thing I could think of, was taking a drive out of a server. (No, I didn’t go in the door, and don’t know if that’s possible without a screwdriver.)

Some servers use RAID of course, which stripes the data across multiple drives. Could stealing just one drive mean I get anything? Well, with enough elbow grease I suppose I could go "block level" on that drive and see what I could find. Not easy, but, hey, possible… at least PLAUSIBLE.

So this is making me think about how to protect against "Un-Jeremy" stealing a server disk.

The answer is simple: Bitlocker.

If I stole a drive in the 60 seconds it took me to make the photo, I would have $100 in metal, and not much else.

I know people think of Bitlocker as a great idea for LAPTOPS. No brainer, sure.

But desktop and servers are equally vulnerable, honestly.. they’re just LESS PORTABLE.

Yes, you may have some physical security.. but.. that’s possibly circumventable. (How many times have you seen the cleaning crew in a bank branch late at night? Here in Philly at least, it’s ALL THE TIME ! No joke.)

So you could have "theoretically high" security, but still "circumventable security."

Bitlocker in Windows 8 and Server 2012 has some new features, which make me pretty happy. For my own systems, I use Bitlocker, but the big pain in the neck is WAITING for a drive to FULLY Bitlocker itself. Windows 8 now can use "Used Disk Space Only" .. which is awesome when I throw a new 1TB drive up.

For desktop and servers, there’s "Network Unlock" which also auto-unlocks machines as they boot (when they see that they’re on the network.) If they’re OFF the network, those drives, once again, become $100 pieces of metal.

So, in short, if you’re hesitant to consider Bitlocker for DESKTOPS and SERVERS.. reconsider, then start thinking about it.

I did.. in the 60 seconds it took me to take that photo.

PS: Class is filling in nicely in Tampa, FL. Smart, good looking NON-Evil people like you are joining up to learn more about managing Windows 7, 8, Server 2008 and 2012. Tampa, Florida, December.. Be there:

https://www.gpanswers.com/training/sign-up-now-live/

Q&A: Yes we take POs. No we cannot "save" a seat for you without a CC or PO. Price is right on the website. Yes, we do group discounts. Call Laura at 215-391-0096 for help with a PO or group. Yes you will get smarter. No it’s not boring. Yes, it’s me teaching. Yes, you will be tired and loving every second of it. Yes, you could possibly get a raise after taking the class because you’re smarter (no guarantees.)

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

Jun 19, 2012

Group Policy Powershell for Beginners and Experts

Folks.. People are asking me how to learn more about Group Policy + PowerShell.

Well, at TechEd 2012, I worked with Jeff Hicks (PowerShell MVP) to give a one-two combo talk on Group Policy + PowerShell.

First, here is a link to the whole darn talk… !

Next, here's a link to Jeff Hicks' page which has the Show Notes.

Lastly.. Here are some fun pictures: Jeff played the part of Professor PowerShell and I played the part of The Pointy Haired Boss.

PS: This talk mentions my Group Policy Health Check service.. which can help orgs of all sizes reduce login times, increase security, and figure out precisely what you're doing right and wrong with GP. Make contact by clicking here.


Jun 18, 2012

TechEd 2011 US WrapUp

Team:

I am back from TechEd Orlando, and … Holy Moly.. I cannot fathom how much "stuff" goes on at TechEd every year.

First.. THANK YOU to everyone who I met in person, came to my talks and got to spend some time with. You guys really make TechEd fun for me.. because the amount of work leading up to TechEd is backbreaking. Thanks for being so .. great !

So, at TechEd, in my own little piece of the TechEd world, I had FOUR "duties."  Three speeches and a book giveaway and signing. I have pictures from two of these events:

Here are pictures from the Viewfinity Book Signing Event:
https://www.dropbox.com/sh/tvjoa9gtaaqwg2s/YGS8Am8mo_

Yes.. that’s the line.. and EVERYONE got a copy of my Group Policy book for Windows 7. Killer !
The best part was.. MOST people were already part of the GPanswers.com Team, and knew when and where to be there.. Awesome !

Also, super fun, was my speech with Jeff Hicks, PowerShell MVP. Jeff played the part of "Professor PowerShell." I played the part of the "Pointy Haired Boss." Here are the pics:
https://www.dropbox.com/sh/v6vvqw09ak69qqb/15KXzzoXzZ

If you couldn’t make TechEd Orlando, I hope to see some of you in TechEd Europe.

If I won’t see you NEXT week, here are two other things you might want to check out THIS WEEK:

1) Tomorrow .. Tuesday, June 19th … for those in my local area (like 100 miles of Philadelphia) I’ll be speaking at the "GR8 Exchange Lync & System Center Conference." It’s not free, but it’s a really good deal at only $179. Me and lots of other speakers I think you’ll like. Check it out here: http://exchangelync.eventbrite.com/

2) Also Tomorrow.. Tuesday, June 19th… My friends at Avecto are having a webinar that DOESN’T have me. But, it looks interesting anyway, so I thought I would share. 10.00 AM EST.

Okay… Thanks Team.. and.. talk with you soon !

PS: I got a tremendous amount of feedback from my speeches at TechEd. Here’s my favorite comment:

"Mr. Moskowitz is a fantastic presenter, and an absolute treat to see. His presentation showed me ideas I’ve never thought of implementing before, and now I’m VERY eager to use them at my business (although I don’t think my users will be as enthusiastic!) Thanks, Mr. Moskowitz!"

Thanks whoever-you-are ! If you’re interested in getting me at your own organization for a private class, please email me, and make contact. I’ve got some available dates now that TechEd is over, but I’m assuming those dates will fill up fast.

Thanks !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

May 15, 2012

Warning: Group Policy Isn’t just for Swedes !

Sweden was… AWESOME ! And now I’m back and ready to kill it here in the USA.

While I was away in Sweden.. something magical happened. We had 10 people already sign up for the Salem, OR class. Holy crap. Maybe the fastest "ON" we’ve ever had. So.. um… don’t wait if you’d like to get smarter in Win7 / Win 8 / Security / GPOs and have some fun. (www.GPanswers.com/training).

So, in Sweden, I recorded a podcast in front of a super nice and warm live studio audience.

Special thanks to my hosts at Labcenter.se (Michael Anderberg, Johan Person and Michael Nystrom), who were super awesome to me during my time there. In this podcast you’ll learn:

– What it's like to be an MVP (and if there’s a secret handshake).

– Why I started diving deep into Group Policy.

– Why my childhood helped me become the GP geek I am.

– Learn a GP trick to .. um… be an Evil Genius. (Don’t do this.)

– What the big secret of GP is, that most people don’t know.

– What GP does GREAT and also NOT so great (and how to fix it.)

And.. like lots of other fun stuff.

The link is…

https://moskowitzinc.infusionsoft.com/app/linkClick/364/1d1e1a3bae61d021/4707048/b9c8669df6fdd932

Enjoy.. ! And leave a comment / Tweet it. And, if you’re not following me on twitter.. whatruwaitingfor ?

Twitter: jeremymoskowitz

Jan 31, 2012

Clean Naming for GPOs (Notes from the field): Part II

Team:

I wanted to share with you some of your peers humble suggestions for Group Policy naming. Again, what works for THEM might NOT work for you, but at least it can give you some food for thought.

From Ondrej in Slovakia:

I use names for GPOs and I think it’s a good way to have them this way:

GPO_RDS_APP_Office2010_v01
- GPO – to make a unique name for GPOs
- RDS – name of the part of the change (Remote Desktop Services)
- APP – managing an APPlication (Software Restriction)
- Office2010 – name of the application
- V01 – version of the GPO

GPO_DisableIPV6_v01
- GPO – to make a unique name for GPOs
- DisableIPV6 – short accurate name of the changes in the GPO
- V01 – version of the GPO

I think it’s very good to have versioning of GPO policies. When I change a GPO I increase the version number, and I keep a max of 2 older GPOs just for history, to help find out the changes I made.


From Charl in South Africa, who has 2,000 GPOs ! (edited a little for clarity):

"Here’s what we do:

– If the policy is domain linked, the GPO will start with the name of the domain it’s in; this works very well if you have multiple domains.

– For the GPOs linked to our old servers structure we kept the names as starting with "Servers" and these are slowly being migrated to the new servers OU structure and the names for these GPOs start with NS (New Servers – OK, it’s actually my company’s name that starts with an N, followed by S for servers).

– The OU is "Nxxxx  Servers". Next up is the GPOs linked for the XP OUs and they start with XP and similarly the Windows 7 GPOs start with NUW (Again, first letter of my company’s name being an N followed by U and W which stands for Users and Workstations).

– The next part of the name is followed by a dash (-), C and/or U and then another dash (-). This indicates whether the GPO has the Computer, User or both nodes enabled.

– The next part of the name indicates what the function of the GPO is and if there are multiple functions, these are separated by commas (,).

– Lastly, the name ends with a colon (:) followed by the department who ‘owns’ this GPO, i.e. Security, ServerOps, End User Computing, etc. Again, we only have about 5 owners.

So, on a daily basis I use the GPMC scripts to dump all the GPO names into a single file, DTS/SSIS then into SQL and then the fun starts:

– By using the dashes, commas and colons as separators, I can see with a stored procedure which GPOs do not have owners, as there is no colon and one of the owners defined after the colon, and which GPOs do not indicate whether they are Computer, User or both nodes-enabled GPOs.

– I can see which GPOs do not conform to the proper naming convention. If it does not start with one of the five top-level GPO names, I know immediately that I have a problem.

– Digging a bit further (all automated now!) I can even see who made a GPO and indicated it is a Computer GPO, but the User node is still enabled. The exception reports only run IF something is wrong and the GPO guys from Server Ops know that Big Daddy from Security is watching them.

– For GPOs linked lower down, we use the abbreviations of the child OUs in the GPO name as well just after the top-level name.

So, by looking at a GPO name, I can identify where it is linked, whether it is Computer/User/both, function and owner. Here’s an example:

I.e. XP-C-Power management, Screensaver lockdown:SO

I can quickly parse this, and see that the GPO is linked to OU containing XP machines, Computer node enabled, sets power management and screensaver and belongs to Server Ops.

How’s that for being empowered?"

Jan 25, 2012

A Clean naming Convention for GPOs

Many people ask me: Is there an ideal way to name GPOs?

Well, yes and no.

First, the big problem is that the swimming pool where the GPOs live (that is, the Group Policy Objects node in the GPMC) just sort of all runs together. One big blaaaah of all the GPOs.

So, first off there is no way to partition them or organize them. They're all just there.

Therefore, having a naming convention that works for your company could prove to be a lifesaver.

There's no right or perfect way to create a GPO's name. One suggestion is a four-part naming convention.

Part I: The Where.

Part II: The What.

Part III: The Who.

Part IV: The Type.

For instance a GPO might be in charge of opening Port 123 on Sales Computers. Great. So, here's a name I might use:

EAST SALES COMPUTERS Firewall Open Port 123 (C) – JeremyM

All four elements are there. And in the Group Policy Objects list, all the GPOs are listed Alphabetically, so you'll see each Where together quickly. The (C) tells me that the C-omputer side of the GPO is used and not the user side. The name on the end shows who is the ultimate owner of the GPO or who is in charge or who to contact for issues or updates. (You could also put this in the GPO comment fields.)

Another perfectly fine choice is to re-arrange this list. Like:

(C) EAST SALES COMPUTERS Firewall Open Port 123 – JeremyM

This will sort with all the Computer side GPOs grouped together first, then WITHIN that, all the EAST SALES COMPUTERS linked GPOs.

Again, you're welcome to have the names be anything you want.. just note that whatever's first is what's sorted upon, based upon Alpha. Having all four elements makes things a lot easier, in this guy's opinion.

A final trick here is that sometimes I use an underscore character _ to signify GPOs which are domain linked or are special in some way. For instance, _PolicyPak License GPO Expires 1-1-14 will bubble up to the top and be quite easily seen by everyone (as underscore is sorted BEFORE the letter A.)

What's your naming convention? Shoot me an email with your solution. Thanks !
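As an added example (my own script, not code from this post nor from Ondrej or Charl in the Part II post above), here is a PowerShell take on Charl's exception report that works for either convention on this page: each convention is a regex with named groups for the node tag and the owner, and the script flags names with no owner, no (C)/(U) tag or an unknown prefix, then cross-checks the tag against what Get-GPO's GpoStatus says is really enabled. The GPO list is constructed sample data, and the CORP prefix standing in for Charl's domain-name prefix is an assumption.

```powershell
# Added example (not the blog's or its readers' code): apply a GPO naming
# convention, expressed as a regex with named groups 'node' and 'owner', to a
# list of GPOs and report the exceptions Charl describes (no owner, no node tag,
# unknown top-level name) plus a cross-check of the tag against GpoStatus.
$Conventions = @{
    # Charl: <TopLevel>[ <childOU>...]-<C|U|CU>-<function>[, <function>...]:<owner>
    # 'CORP' stands in for the domain-name prefix (assumption; the page does not name it).
    Charl  = '^(?<top>CORP|Servers|NS|XP|NUW)(?: \w+)*-(?<node>CU|C|U)?-(?<function>[^:]+?)(?::(?<owner>\w+))?$'
    # Jeremy: <WHERE IN CAPS> <What> (<C|U|CU>) - <Owner>   (hyphen or en dash before the owner)
    Jeremy = '^(?<where>(?:[A-Z]+ )+)(?<what>.+?)(?: \((?<node>CU|C|U)\))?(?: [-\u2013] (?<owner>\S+))?$'
}

function Test-GpoNamingConvention {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,  # regex with 'node' and 'owner' groups
        [Parameter(Mandatory)] [object[]] $Gpo       # objects with DisplayName and GpoStatus
    )
    foreach ($g in $Gpo) {
        $issues = @()
        $m = [regex]::Match($g.DisplayName, $Pattern)   # .NET regex: case-sensitive by default
        if (-not $m.Success) {
            $issues += 'does not match the convention (unknown top-level name or bad layout)'
        } else {
            $node = $m.Groups['node'].Value
            if (-not $node)                    { $issues += 'no Computer/User node tag' }
            if (-not $m.Groups['owner'].Value) { $issues += 'no owner' }
            # What the GPO actually has switched on, from Get-GPO's GpoStatus enum.
            $userOn = $g.GpoStatus -in 'AllSettingsEnabled', 'ComputerSettingsDisabled'
            $compOn = $g.GpoStatus -in 'AllSettingsEnabled', 'UserSettingsDisabled'
            if ($node -eq 'C'  -and $userOn) { $issues += 'tagged C but the User node is enabled' }
            if ($node -eq 'U'  -and $compOn) { $issues += 'tagged U but the Computer node is enabled' }
            if ($node -eq 'CU' -and -not ($userOn -and $compOn)) { $issues += 'tagged CU but a node is disabled' }
        }
        if ($issues) {
            [pscustomobject]@{ Name = $g.DisplayName; Issues = ($issues -join '; ') }
        }
    }
}

# Constructed sample GPOs. Against a real domain use:
#   $Gpo = Get-GPO -All | Select-Object DisplayName, GpoStatus
$CharlSample = @(
    [pscustomobject]@{ DisplayName = 'XP-C-Power management, Screensaver lockdown:SO'; GpoStatus = 'UserSettingsDisabled' } # clean
    [pscustomobject]@{ DisplayName = 'NUW-C-Folder redirection:EUC';                   GpoStatus = 'AllSettingsEnabled' }   # says C, User node still on
    [pscustomobject]@{ DisplayName = 'Servers--Print spooler hardening:SO';            GpoStatus = 'UserSettingsDisabled' } # no node tag
    [pscustomobject]@{ DisplayName = 'NS-CU-Firewall baseline';                        GpoStatus = 'AllSettingsEnabled' }   # no owner
    [pscustomobject]@{ DisplayName = 'Desktop wallpaper:SO';                           GpoStatus = 'AllSettingsEnabled' }   # unknown top-level name
)
$JeremySample = @(
    [pscustomobject]@{ DisplayName = 'EAST SALES COMPUTERS Firewall Open Port 123 (C) - JeremyM'; GpoStatus = 'UserSettingsDisabled' } # clean
    [pscustomobject]@{ DisplayName = 'WEST SALES USERS Desktop Lockdown (U) - JeremyM';           GpoStatus = 'AllSettingsEnabled' }   # says U, Computer node still on
)
Test-GpoNamingConvention -Pattern $Conventions.Charl  -Gpo $CharlSample  | Format-Table -AutoSize
Test-GpoNamingConvention -Pattern $Conventions.Jeremy -Gpo $JeremySample | Format-Table -AutoSize
```

A name with Jeremy's leading underscore trick (or anything else outside the pattern) shows up as "does not match", so special GPOs either get their own pattern or an explicit allow list.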

Dec 21, 2011

Office 365 - Lync download (broken. Annoying.)

If this saves you an hour, I have done my due diligence.

In short, if you’re trying to get a new Win7 machine going with Office 365, installing the Lync client is the first step.

Except the download won’t "start."


I even ran Process Monitor against it to see what it was doing, and the install is in an endless loop looking for an MSI registry key that doesn’t exist.

Sigh.

Well, there IS a workaround, but I had to dig for it.

Look for a nice post from a helpful Microsoftie here. This helped me out, and hope it will help you out too.

http://community.office365.com/en-us/f/166/p/16355/75977.aspx?PageIndex=2

Nov 14, 2011

Managing XenApp using Group Policy - Part I

I’ve been playing with XenApp 6.5 the last couple of weeks. I’ve been thinking a lot about Group Policy with regards to Citrix and XenApp servers. Really, there are two pieces:

  1. Managing Applications and settings for users on XenApp servers … and…
  2. Managing the XenApp servers themselves.

This is just part I: Managing Applications and Settings for Users on XenApp Servers.

Managing Applications and Settings for Users on XenApp Servers Using Group Policy

One of the things that people ask me over and over again is… "On my Citrix XenApp servers, is there any way to manage my common applications’ settings using Group Policy?"

Here are the three normal ways you can do this:

Application Has an ADM/ ADMX template

Unless the application has a managed way to deal with its settings (ADM or ADMX template) you’ve got a problem. Office applications have ADM templates. Great. But name five other applications with ADM or ADMX templates.

In short: You can’t.

Managing XenApp Applications Using GP Preferences

In some circumstances, you could use Group Policy Preferences if you knew exactly what registry punch to punch (if available.)

Here’s a blog entry from Mr. XenApp Blog (Eric Haavarstein), on exactly how to do this. And, he shows how to use a tool from Fellow Enterprise Mobility MVP Mark Heitbrink which converts registry punches to GP Preferences Registry items. Awesome !

So, the blog entry is: http://www.xenappblog.com/2011/group-policy-management-import-registry-files/

And Mark’s tool is found here: http://reg2xml.com/

True Application Lock Down PLUS non-Registry based Applications

I like the tip from Eric and the tool from Mark. They’re great if that’s all you need to do.

But they DO have two major limitations. How do you still perform:

  • Dynamic changes if you want to. Do you know which specific entry to tweak if you needed to make a simple change? Ouch. Painful.
  • True lock down so users can’t work around your settings? You can’t do that with Group Policy Preferences. Users can just change the setting you put down.
  • File-based applications like FireFox, OpenOffice, Flash player, or others? You can’t manage those with Group Policy Preferences (since their stuff doesn’t live in the Registry.)

So what are you going to do?

Good news.

PolicyPak Software (www.PolicyPak.com) can do this. Big time.

Here is a video to show you exactly how you would do this.

The "cherry on top" is that PolicyPak is fully CitrixReady and also works with XenDesktop. Here’s a video for that too: https://www.policypak.com/technology-and-downloads/policypak-expands-xendesktop.html

If you’re interested in trying this out for yourself, you’ll need to sign up for a demonstration at www.PolicyPak.com/webinar. After that, you can get the download and give this a try yourself.