MDM & GP Tips Blog

07 Jun 2011

Group Policy and backups using Powershell

My pal and fellow MVP Jeff Hicks noticed something. He noticed that the Group Policy Powershell cmdlets had a Backup-GPO and Restore-GPO (seen here…)


But there was no way to really get into the "Manage Backups" stuff that you can only get to within the GUI.


So he created it. You can see Jeff’s interesting blog post about using PowerShell to get to this part of the world here: http://jdhitsolutions.com/blog/2011/05/get-gpo-backup/

Also, I wanted to say THANKS to the folks who showed up for my "Secret Group Policy Meetup" at TechEd.

We got to the bottom of some sticky issues for those who attended and had a really fun overall "rap" session.

We even had several guest stars: Aaron Margosis, Microsoft Technical Services and fellow TechEd speaker, Thorbjorn Svolvold, Group Policy big-brain from Specops software and Zach Alexander from the Group Policy team at Microsoft. Thanks everyone for attending !

Photo Credit: Takayuki Shodai also in attendance, but not shown, since he’s taking the picture. Thanks Takayuki !


09 May 2011

Time . . Is of the Essence !

I ran GPupdate today on one of my Windows 7 machines and got this. . .


It's kind of a mouthful, but here's the short, sweet story here.

Group Policy relies on the Kerberos protocol. Kerberos relies on the clock. If the clock between your client and your server is skewed by more than the allowable value (normally 5 minutes) then you won't process GPOs correctly !

So, this warning is saying: my clock is off compared to the domain controllers'.

No problem. Usually, a reboot fixes this kind of thing. Or it gets fixed on its own when the time sync service does its thing.

But, one of the key troubleshooting steps for GPOs is to VERIFY that your client's time is within 5 minutes of your DCs' time.

Do this, and you're off and running (sometimes).
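Here is one way to do that verification from the client itself, as an added example (not from the original post): it asks a domain controller for a few time samples with w32tm and compares the average offset with the Kerberos default of 300 seconds. The DC name defaults to the PDC emulator of the current domain; pass your own if you prefer.

```powershell
# Added example (not from the post): measure this client's clock offset from a
# domain controller and flag it against the Kerberos default skew limit.
function Test-KerberosClockSkew {
    param(
        # Defaults to the domain's PDC emulator; any DC name works here.
        [string]$DomainController = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name,
        [int]$MaxSkewSeconds = 300,   # Kerberos default "Maximum tolerance for computer clock synchronization"
        [int]$Samples = 3
    )
    # With /dataonly, w32tm prints one "hh:mm:ss, +00.0123456s" line per sample:
    # the remote clock's offset relative to this machine, in seconds.
    $output = & w32tm.exe /stripchart "/computer:$DomainController" "/samples:$Samples" /dataonly
    $offsets = @(foreach ($line in $output) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        # No parsable samples: the DC was unreachable or NTP (UDP 123) is blocked.
        throw "No time samples from $DomainController (output: $($output -join ' | '))"
    }
    $avg = ($offsets | Measure-Object -Average).Average
    New-Object PSObject -Property @{
        DomainController = $DomainController
        OffsetSeconds    = [math]::Round($avg, 3)
        MaxSkewSeconds   = $MaxSkewSeconds
        WithinLimit      = ([math]::Abs($avg) -le $MaxSkewSeconds)
    }
}

# Run on the client before gpupdate; WithinLimit = False explains the warning above.
Test-KerberosClockSkew
```

If WithinLimit comes back False, a w32tm /resync on the client (or the reboot mentioned above) is the usual fix before running gpupdate again.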

PS: Quick update from Jeff L. who suggested I also turn you on to this Microsoft KB article: http://support.microsoft.com/kb/816042

20 Apr 2011

Charlie Sheen your GPOs . . . Winning !

I'm not going to beat up Charlie Sheen in this blog post. You'll see where the Charlie Sheen stuff comes into play. Let's get right down to GP bizness.

Let's pretend you had this setup. I have two GPOs linked to the East Sales Users OU: GPO 111 and GPO 222.

And, let's also pretend that they affect the same policy setting: Remove Games Link from Start Menu.


If we run a Group Policy Results report we can quickly see that BOTH GPOs (GPO 111 and GPO 222) were correctly applied to the client machine (Win7Computer-32), as seen here.


Now, remember, I've said that GPO 111 and GPO 222 conflict on how they apply the Remove Games Link from Start Menu setting.

So, which one is going to win ?

Well, the quickest way to see the Winning GPO is to run the Group Policy Results report as seen here. In my not too complex (on purpose) example here we can see that GPO 111 is Winning over GPO


But what if we add something at another level, say the Domain level and Enforce those settings down?


If the GPO is Enforced, then that GPO should be the Winning GPO, and in my re-run GP Results report example here, that’s precisely what has occurred.


So, in short, the Winning GPO is the one which ultimately gets to express the setting upon the client computer.

If you can't figure out WHY a particular value is appearing on the client, look no further than the GPO that's Winning !
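The same precedence order the GP Results report uses can be pulled from the GroupPolicy module, as an added example (not from the original post): Get-GPInheritance returns the links for a container already sorted by precedence, with Enforced links from parent containers moved to the top, so the first enabled link is the Winning GPO. The OU distinguished name below is a constructed stand-in for the East Sales Users OU.

```powershell
Import-Module GroupPolicy

# Added example (not from the post): list the GPOs that apply to a container in
# conflict-resolution order and pick out the Winning one.
function Get-GpoPrecedence {
    param([Parameter(Mandatory = $true)][string]$TargetDN)
    $inheritance = Get-GPInheritance -Target $TargetDN
    # InheritedGpoLinks is already sorted by precedence: Order 1 wins a conflict.
    # An Enforced link higher up (say, at the domain) is pushed ahead of OU links.
    $inheritance.InheritedGpoLinks |
        Select-Object @{ n = 'Precedence'; e = { $_.Order } },
                      @{ n = 'GPO';        e = { $_.DisplayName } },
                      @{ n = 'LinkedAt';   e = { $_.Target } },
                      Enforced, Enabled
}

function Get-WinningGpo {
    param([Parameter(Mandatory = $true)][string]$TargetDN)
    # First enabled link in precedence order: where two GPOs set the same
    # setting (like Remove Games Link from Start Menu), this one is expressed.
    Get-GpoPrecedence -TargetDN $TargetDN |
        Where-Object { $_.Enabled } |
        Sort-Object Precedence |
        Select-Object -First 1
}

# Constructed DN standing in for the post's East Sales Users OU.
$ou = 'OU=East Sales Users,DC=corp,DC=example'
Get-GpoPrecedence -TargetDN $ou | Sort-Object Precedence | Format-Table -AutoSize
Get-WinningGpo -TargetDN $ou
```

This is the container view, the same one the Inheritance tab shows: it does not account for security or WMI filtering, a disabled user or computer half of a GPO, or site-linked GPOs, so confirm on the client with gpresult /r.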

03 Apr 2011

Why you cannot see Site-Based GPOs inside the Inheritance Tab of the GPMC

A fellow reader like you, named Dave King, emailed me this screenshot.

Dave asked me a short, sweet question and included a killer screenshot.

First the question, then the screenshot.

Jeremy..

If I set a GPO to be applied at the SITE level and it is working fine, and set another at the DOMAIN level and it is working fine…

When I go to the node and look at the applied Policies it shows only the one linked at the DOMAIN level.

What happened to the SITE one?

It is there and working, and when I run a Resultant set of Policy on the node it DOES show the SITE GPO and the DOMAIN GPO.

But it does not show the SITE GPO’s influence on the Node without running the RSOP.

Is there any explanation for this behavior?

Thanks,

*Dave*

First, Dave, THANK YOU for having this so clearly marked up, expressing exactly what your problem was, and how I can help. This makes the job of helping you MUCH EASIER. (That is to say, if you are looking for a little help, I would first encourage you to use the GPanswers.com forums.. THEN ask for help.) And if you ARE going to ask for help or look to get a question answered, THIS is exactly how to do it.

Now, let's take a look at the screenshot. (Seriously.. this is the EXACT screenshot I got from Dave. I didn't make these markups.. he did. Thank you Dave !)


What Dave is witnessing is completely normal. Dave is noticing that a Site-Linked GPO (in this example Hide Screen Saver Option, linked to Default-First-Site-Name) is actually WORKING on the client. He explains this when he tells me that he sees it show up in the RSOP (gpresult /R) report on the client.

Cool.

So the question really is.. Why can't I see it here, in the Group Policy Inheritance tab?

The answer is simple. The GPMC itself cannot know WHO will be in that site at any given time. So, to avoid confusion it won't show site-based GPOs in the Group Policy Inheritance tab. For instance, let's pretend that Default First Site was really named Detroit. And, let's also pretend that there was a second site named Dublin (either Ireland, or Ohio.)

Now, if there is a GPO linked to Detroit and others linked to Dublin what is the Resultant Set of Policy RIGHT NOW for anyone in the Human Resources OU? Answer? We don't know.

We don't know, because we don't know if we're talking about users in Detroit or Dublin. So, the GPMC Group Policy Inheritance tab simply doesn't show (i.e., assume) where the user (or computer) is at that moment.

Therefore, you'll see the GPO in the RSOP reports on the computer (because the computer ITSELF knows where it's at).. but the GPMC simply cannot make any assumptions.

Mystery Solved !

Thanks Dave.. This was a fun one !

23 Mar 2011

Windows Group Policy vs. Logon Scripts. What's the right option?

I thought I would tip the hat this week to a Microsoft Premier Field Engineer who attempts to answer the age-old question:

Windows Group Policy vs. Logon Scripts. What's the right option?

Since in a previous blog post of mine I demonstrated why I personally feel Group Policy has the advantage, I thought I would share what I recently found: a balanced rationale about why one might want to use the built-in AD Users and Computers, versus Group Policy, for logon scripts.

Here's the link to his article. Enjoy.

https://blogs.technet.microsoft.com/mspfe/2011/03/15/windows-group-policy-vs-logon-scripts-whats-the-right-option/

PS: My remaining seats in my April 11-14th Denver class are melting away like snow on a warm spring day. Don't wait if you're still interested. Confirm your seat TODAY by using www.GPanswers.com/training and signing up online or call 302-351-4903 and Diane will help you with a PO. Discounts for large teams !

28 Feb 2011

Showing and Hiding Scripts using Group Policy

This came up today with a group of new friends I met in Wisconsin at a K12 education conference.

Someone asked, "How can I prevent people from stopping login scripts as they run?"

I thought about this for a second, and realized, he was using Active Directory Users and Computers and running an old school script like this.


It was an easy fix. Simply start using Group Policy Scripts, which can be found here:


Doing it this way, if you DID want to run Logon Scripts visible, you would need to set User Configuration | Policies | Administrative Templates | System | Logon/Logoff | Run Logon Script Visible.

Hope that helps !

12 Feb 2011

GPMC Backspace Bug: Not fixed in Windows 7 / Server 2008 SP1.. but in this Hotfix !

This one has been bugging me for a LONG time, and likely affects your life too.

You're going along, typing in the name of a GPO, then.. Uh-oh.. a little typo.

You hit backspace, and Crappers.. it doesn't work !

My own personal workaround to this is to use Ctrl-Shift + Left arrow and wipe out the whole entry, or, of course, use the mouse to fix.

But, there's a hotfix, waiting for you, and it's right here.

Here's the weird part.. apparently, this hotfix isn't inside Windows 7 SP1 or Server 2008 SP1 (if I'm reading the article correctly.) And the hotfix download page seems to say that it will only be part of SP2 !!

So, even AFTER you apply SP1 (when available) you should apply this hotfix to your machines running the GPMC.

The link to the hotfix is here: http://support.microsoft.com/kb/2466373

Special Thanks to Mark Parris who provided the inspiration to this tip. His blog can be found here: https://markparris.co.uk

09 Feb 2011

Group Policy and the GPMC: It's part of the operating system

One thing that seems to be confusing for the newer GP-practitioner is: "What GPMC version should I use?"

The answer: Always the latest one.

That one, right now, is the GPMC for Windows 7 or Windows Server 2008 R2.

Those are equal in their capabilities.

You can install the Windows Server 2008 R2 GPMC as a feature of the operating system using the Server Manager utility as seen here.


You can install the Windows 7 GPMC by installing a downloadable piece called RSAT (Remote Server Administration Tools).

That RSAT utility is found here, and note.. there are 32-bit and 64-bit versions.

Once installed (and it takes a while) you can enable the GPMC in the "Turn Windows features on or off" dialog as seen here.

Then, run GPMC.MSC, and you'll be off and running using the GPMC console !


By using the latest GPMC, on either Windows 7 or Server 2008 R2, you'll always have access to the latest abilities, like GP Preferences or creating AppLocker policies.

So, if you're using the old XP GPMC, get on board with the latest, greatest GPMC. You'll be happy you did !

24 Jan 2011

How to Schedule a GPO to Fire Off within certain time blocks

Thanks to GPanswers.com member Bart for the meat of this tip !

You might have a situation where you want GPOs to apply to a collection of computers but only within certain time blocks.

Sure, you could manually link and unlink the GPO when the proper times come. But you're too busy for that.

Instead, use PowerShell, and automate the task!

First things first. Make sure the policy refresh interval on the workstations is set small enough to apply the activated GPO settings during the times you want. Normally, computers update every 90 to 120 minutes. To use this tip, you might want to tighten up the refresh interval just for this collection (like a Training room OU or Kiosk OU or something.) I wouldn't recommend you do this for your whole population. Do this using the policy setting located at "Computer Configuration | Administrative Templates | System | Group Policy | Group Policy refresh interval for computers."

Where this came in handy was to activate and deactivate additional (outgoing) firewall rules specifically for a classroom setup for specific classes.

To use, simply set up a scheduled task to LINK and UNLINK the GPOs as needed.

To Enable:
Powershell -ImportSystemModules -Command "& {Set-GPLink -Name 'GPO_Computer_Classroom Outgoing Firewall' -Target 'ou=classroom,ou=computer management,dc=yourdomain,dc=local' -LinkEnabled Yes}"

To Disable:
Powershell -ImportSystemModules -Command "& {Set-GPLink -Name 'GPO_Computer_Classroom Outgoing Firewall' -Target 'ou=classroom,ou=computer management,dc=yourdomain,dc=local' -LinkEnabled No}"

PS: For more information, the PowerShell Cmdlets for managing GPOs come with Windows 7 and W2k8-R2. For an overview of all GPO Cmdlets have a look at the TechNet site: http://technet.microsoft.com/en-us/library/ee461027.aspx

16 Jan 2011

Lockdown PCs -- Hard. With Windows 7 -- Easy.

The Lockdown Question

"Hey Jeremy, what's the best way to lock down my Windows machines?" I hear this question dozens of times a year from students who are sitting down at the first day of my Group Policy training workshops. They are often very eager to get right down to business and wrestle this particular problem to the ground because they know that when they go back to their offices and implement what they're about to learn, their environment will be more predictable and more secure.

See, I know we all feel it would be best if our pesky users would just stop playing with stuff within Windows, their applications and on their desktops.

And, sure, that's part of the art of desktop lockdown. But my suggestion would be to look at desktop lockdown from a holistic and incremental approach. There's no one best way to lock down your Windows machines.

But what is true, is that the technologies built-in to Windows 7 have enabled more control than ever and enabled a wide variety of situations. Let's explore some of my favorite ways to get started with desktop lockdown, then I'll give you some tips on how to expand your controls as you need to.

Lead with Group Policy and Group Policy Preferences

This pair of technologies is arguably the most powerful arrow in your quiver. Using Group Policy, you can restrict a user from some of Windows' most tempting locations such as the Control Panel, Desktop, Start Menu, Task Bar and more. Once a GPO is created, most of these settings are found within the User Configuration | Administrative Templates section. There are way too many settings to review here, but I would encourage you to poke around, take stock of the ones that are most interesting to you, then try them out in your test lab before rolling out into production.

When performing lockdown tests, I would suggest that you use two people, a Designer and a Tester. The Designer should set up the Group Policy settings and lockdown tests, then the Tester would validate the tests and try to wiggle around the Designer's intentions. Using two people during testing ensures good feedback. One person always validates the other.

As you're working through your testing, do note that some policy settings are reliant upon other policy settings being enabled or other conditions being set or present on the client machine before you actually see the result you're expecting. So again, having a Designer design and a Tester test helps make sure the settings you want to achieve have actually occurred on the client machine.

Group Policy Preferences also enable you to deliver desktop settings. Though not specifically designed for desktop lockdown, they can be helpful in guiding users away from temptation and toward standardization.


Caption: The Group Policy Preferences can implement IE settings

Sometimes what the doctor ordered is a blend between both Group Policy and Group Policy Preferences. For instance, you might want to use Group Policy Preferences to set a particular setting, plus use Group Policy controls to lock down certain areas of IE.

This is an advanced skill, which takes a little practice and patience. But with enough time, you'll find the right balance using the two.

I would also suggest that you check out a favorite document of mine entitled Group Policy Settings for Creating a Steady State which can be found here with literally dozens of ideas to help you get started.

Focus, then Expand

So going back to my students who ask me Hey Jeremy, what's the best way to lock down my Windows machines? As you can tell, I love to lead with the core lockdown starting with Group Policy and Group Policy Preferences, then expand outward using additional Windows 7 technologies.

If you're looking for more hard-core controls, you might want to consider checking out the recently published document from Microsoft entitled Creating a Steady State by Using Microsoft Technologies.

Inside you'll discover some extra ideas you can try out, such as mandatory profiles, working with AppLocker to prevent applications from running, and even wiping back the hard drive of a machine every night!

We've just scratched the surface. For additional specific tips and tricks on desktop lockdown, it's a common feature in my GPanswers.com Tip of the Week. You can sign up for the free tip of the week at https://www.gpanswers.com/register. You can also get hands-on experience with Group Policy and desktop lockdown in my in-person or online-based Group Policy Master Class at www.GPanswers.com/training.

BIO:

Jeremy Moskowitz, GPanswers.com and PolicyPak.com

Jeremy Moskowitz is an Enterprise Mobility MVP, the Chief Propeller-Head for GPanswers.com and Founder of PolicyPak, which makes software to increase desktop lockdown using Group Policy. Thousands of IT professionals have taken his Group Policy training. GPanswers.com was ranked as one of "The 20 most useful Microsoft sites for IT professionals" by ComputerWorld magazine. Jeremy is also a STEP member.