Issue #26
- The fate of DesktopStandard's PolicyMaker tools
- Inside Specops GPupdatea free way to "push" updates to GP clients
- Public GP Training Schedule Update
- Cities that are scheduled for public courses
- Subscribe, Unsubscribe, and Usage Information
It was so great to see each of you at WinConnections last month. Holy moly, that was awesome! You really rocked my world with your support of my sessions and the book signing. You guys make it worth getting out of bed in the morning.
Here's some great new stuff for you to take with you this week and into Thanksgiving. Something to be thankful forfree tools!
In this issue we'll talk about two new free things for you to add to your GP arsenal.
Thanks for coming out to see my talks and say hello. Looking forward to having you an upcoming Group Policy training class this year. If ever there was a year to get smarter in GP, this is it!
Group Policy News
The Fate of the DesktopStandard PolicyMaker Tools
The big news is finally here: Have you been wondering what Microsoft is doing with the "crown jewels" of the DesktopStandard acquisition? We'll explore that first before we move on to other stuff. And we'll do that in Good, Bad, and Ugly fashion.
The Good: Policymaker Technology is going to be free
The PolicyMaker technologies will officially be called Group Policy Preferences. I'll call them GPP for short. GPP can do 20-some-odd big things with Group Policy that you couldn't do before. Here's a list of some things that are now possible, which weren't possible before (without scripts, or a whole lot of work).
- Map network drives
- Set environment variable
- Copy files to client
- Create and update INI file
- Modify Registry settings on the clients (REG_SZ, REG_DWORD, REG_BINARY,REG_MULTI_SZ, and REG_EXPAND_SZ)
- Create shortcuts (URL/File/Shell)
- Open Database Connectivity (ODBC)
- Control devices
- Set folder options
- Define file associations
- Tweak internet settings
- Handle local users and groups (change passwords, add/remove from groups, disable users, etc.)
- Set network options (like VPN or dial-up connections)
- Configure power options (Windows XP)
- Map printers (even TCP/IP printers)
- Set regional options
- Create scheduled tasks
- Set properties on services
- Tweak the Start Menu
- Dictate shares and share permissions on servers (mostly)
Thanks to Jakob Heidelberg for compiling this list for me. So, more is good right? Well, no. More can sometimes be bad. Which leads us to...
The Bad: There's overlap and you have to install something
Okay, this stuff isn't really bad but it could be at least confusing .
It appears that you'll be able to do some items in two places in GP land. For instance, it appears like you'll be able to set power management options in two places. Only one way was available before integrating GPP into the mix. Now, another way is available afterintegrating GPP into the mix.
Same thing with printers. You could already zap printers down (to Vista clients) before integrating GPP into the mix. Now, there's anotherway to zap down printers.
This can get confusing to inexperienced administrators.
Additionally, all these new settings require a CSE (Client Side Extension), as do all GP extensions. So, this isn't bad, it just means you have a liiiiittle bit of work to do on your client machines in order for the new magic to be available. Here's the breakdown of where the new technology will run and what it needs to run:
- The CSE will ship in the box for Windows Server 2008.
- The CSE will be an extra download for XP, 2003 and Vista.
- The CSE will not work for 2000.
If you know how to use GP Software Installation, you can deploy the GPP client lickety-split to your machines.(What? You don't know how to use Group Policy Software Installation? Check out www.GPanswers.com/book and flip to Chapter 11 stat!)
The Ugly: Why is it Preferences and not Policies? (And why hasn't it debuted yet?)
So, why are they called the Group Policy Preferences and not something more..."Policy-ish?"
Well, that's an interesting point. Let's take a moment to review the difference between a policy and a preference.
A policy is generally how we expect GP to work. That is, when you use Group Policy to, say, prevent access to the Control Panel, GP will generally send the signal down to the system, and the program (Explorer, in this case) will pick up the message and lock our access to Control Panel.
Simple.
And, if you delete the GPO, what's the expected behavior? The expected behavior is that the settings will revert back and allow access to the Control Panel.
Pretty much every setting contained within Administrative Templates works in this way. This is probably one of the top three reasons you've come to love Group Policy. This area is controlled by the Registry or Admin Templates Client Side Extension (CSE). That CSE is smart enough to know what to set the value to, and even better, smart enough to know what to set the value back to when the policy no longer applies.
But other areas of Group Policy don't work in this way; for instance, Security settings. Take something simple like an Internet Explorer setting which changes the Proxy server, like you see here in Figure 1. 
Figure 1: The IE Maintenance CSE has a history of not "acting like you would think."
Sure, Group Policy will deliver your changes, but the real challenge is what happens when that setting no longer applies. If the CSE is smart it knows how to put back the original value. But, if the CSE isn't smart, it doesn't have a value to put back. And, in short, what you plunk down with Group Policy could end up tattooing the Registry.
That's precisely the problem with the Internet Explorer 6 settings. The CSE isn't too smart. It doesn't know precisely what to do when the value is taken away, so it just freaks out and leaves it in place, even though the expected behavior (as far as the Administrator is concerned) is to change the policy setting back to the default. But it doesn't do that.
Unfortunately, that's precisely one of the challenges with the PolicyMaker, er, GPP Extensions. They're called Preferences because they do tend to tattoo the computer with the wish you lay down using GP.
I know this stuff isn't even out yet, but here's a Group Policy Preference tip, for future reference. This tip will get you out of some jams, but could get you into other jams, so be careful.
Whenever you create a new wish you can optionally check "Remove this setting when it is no longer applied," as shown in Figure 2. 
Figure 2: The GPP Common tab
(Note this screenshot is using PolicyMaker and not actually the Group Policy Preference extensions.)
Buuut, you need to be exceptionally careful. In some cases, this will work the way you think, but in some cases it won't.
Good Example: Let's say you wanted to use the new GPP Extensions to map a drive letter S: to all of the Sales guys. And when Fred moves from Sales to Marketing you want to delete the mapping. This setting works great for that, and will work as you expect it to.
But, here's an example where you need to use this with extreme caution.
Use with Caution Example : Let's say you wanted to use the new GPP Extensions to push the Registry value 100 to your Sales application. The GPP Registry Extension will do the job. But if you chose to "Remove this policy when it is no longer applies"WATCH OUT! The entire Registry key will be deleted. Ow, ow, ow, ow, ow!
My team working on PolicyPak Software is very aware of this interesting GPP nuance. And our PolicyPak CSE is a great alternative which issmart and does know how to precisely put down a value and take it away when it no longer applies. In short, PolicyPak (fromPolicyPak.com ) is true-blue, full Group Policy, and will never tattoo your computer's Registry.
The other Ugly thing is, well, where is it? Now that Microsoft has announced that it will be part of Windows Server 2008 (in the box) and then an available update for XP and 2003, when can we get our hands on it? I'm sure the answer is "soon," but that's not really my question. My question is, if it's going to ship in the box for Windows Server 2008, how stable is it going to be? Hopefully, very. But I'm concerned that it's RC1 (that's Release Candidate 1) and we're JUST NOW able to give our feedback and bug reports. That means this puppy could ship with unfixed bugs, but that's the facts of life in software sometimes.
In short though.. I'm psyched. It's a Whole New World for GP goodness we're getting our hands on, and it's free. And I love free stuff. So, congrats to the GP team for a real win here. Let's hope those bugs are few and far between.
That's all the time we have for the GPP Extensions. More when they officially make their debut. However, Microsoft has a whitepaper that details the major new categories of features and describes some other odds and ends including the distinction between a policy and a preference.
That paper is found here and every GP admin should read it.
This Month's Newsletter Sponsored by: NetIQ
Are you using Group Policy optimally? Ever wonder if you can do more with it? Learn the best practices you need in order to leverage Group Policy on your servers in this new whitepaper, "Why Group Policy Matters for Servers," authored by Group Policy guru Jeremy Moskowitz an NetIQ. Download it now
This Issue's Big Tech Tip...Technology Takeaway ®, a Service of Moskowitz, inc.
All about the Free Specops Gpupdate Tool
A quick note from Jeremy Moskowitz: This tech tip was written by friend, and guest contributor, Claus Jensen of www.chinchilladata.dk. Periodically, at GPanswers.com, we explore the free tools in the Group Policy world so you can be a more effective administrator. You can inspect both free and for-a-fee tools in our Solutions Guide at GPanswers.com/solutions .
Let's say that you have just deployed some strict, new security settings to all the computers in the Danish branch office via Group Policy. But you want them to be effective immediately.
Of course, you could wait for the ordinary background processing of Group Policy, which happens every 5 minutes for domain controllers and takes between 90 and 120 minutes for workstations, member servers, and users. Alternatively, you could call all your users and ask them to run Gpupdate, which might be a bit much to ask. And waiting up to two hours doesnt sound too appealing either.
What if you had machines that required a reboot to get some Group Policy settings updated; for instance, a server that needed an updated disk quota assignment? Are you going to run around to each machine and reboot it?
You're impatient (let's call it security conscious). So why wait? Specops is a Swedish company specializing in tools for Active Directory. They have a free tool available that allows you to run Gpupdate, and to shutdown, restart, and start the computers in your Active Directory domain. The tool is called Specops Gpupdate. This newsletter will describe installation and use of this magnificent tool that will ease the burden of administering and forcefully applying Group Policy's power in the enterprise.
Before You Get StarteD
You'll start out by downloading Specops Gpupdate here ( http://www.specopssoft.com/products/specopsgpupdate/ ). Then, youll install it on your Windows XP SP2, Windows Vista, or Windows Server 2003 machine, which should also already be running Active Directory Users and Computers (ADUC). (Note that if youre running Windows Vista, you may encounter some problems if you install the tool in a different directory than the default one.) Youll also need to make sure .NET Framework 2.0 is installed.
Installation of Specops Gpupdate
Installing Specops Gpudate is easy! Youll first need to run the Specops Gpupdate installer (SpecopsGpupdate.msi) inside the download.
Then, from the %CommonProgramFiles%SpecopssoftSpecops ADUC Extension directory, run SpecopsAducMenuExtensionInstaller.exe with the /add parameter as seen in Figure 1 (top). This will add the Display Specifiers for Specops Gpupdate into Active Directory (note that this is different than a schema update). Once the display identifiers are in Active Directory, only Administrators with the Specops GPupdate tool installed will be able to see them. Other users using ADUC will not be able to see the new menu items, which you can see in Figure 3 (bottom). 
Figure 3: The Domain DisplayIdentifiers aren't like Schema Updates. They can be removed.
The information about the Display Specifiers is saved in the Configuration container in Active Directory. So, adding the display identifiers is something that only needs to happen once per Active Directory forest. Because of this, you will need to be a Domain Admin or Enterprise Admin in order to make this happen. The good news is that its also easy to later remove them (unlike a schema change). If you ever tire of using Specops GPupdate and you want to erase the changes it made to the Active Directory Display Specifiers, you just run SpecopsAducMenuExtensionInstaller.exe with the /remove parameter.
Using Specops Gpupdate
When Specops Gpupdate is installed and the Display Specifiers are added, youre ready to start using it! The commands it brings to the table are:
- GPupdate
- Restart Computers
- Shut Down Computers, and
- Start Computers
You can see these new Specops Gpupdate commands by selecting the Action menu, or right-clicking over certain common entities in ADUC. Specifically, you can right-click over the following types of objects in ADUC to start using your new superpowers:
- Domain-LevelBy selecting one or more domains, you execute the command on all computer accounts in the selected domain or domains.
- Specific OUBy selecting one or more OUs, you will execute the command on all computer accounts in the OU and all nested OUs.
- Specific Computer account or accountsYou can select one or more computer accounts and execute the command on these accounts.
- Security groupsThe command will be executed on all computer accounts in the selected and nested groups. Be aware that group nesting depends on you having a domain functional level of at least Windows 2000 native.
In Figure , you can see that weve right-clicked over an OU to expose the new commands Specops GPupdate provides: GPupdate, Restart Computers, Shut Down Computers, and Start Computers. 
Figure 4: Action menu in ADUC
Let's examine the four different commands you can select:
- GpupdateThis is why Specops Gpupdate is so cool. You can do a remote Gpupdate for both the computer and the currently logged-in user. There is an optional parameter equivalent to /force on the command-line version of Specops Gpupdate.
- Restart ComputersThis is useful if you have changed Group Policy settings that can only be applied after a reboot.
- Shut Down ComputersSimilar to the Restart Computers command, but the computers will not turn back on after they have been shut down.
- Start ComputersThis selection allows you to send a Start command to the computers using Wake-On-LAN. This means that, remotely, you can have a computer start up (and in doing so, of course, reapply Group Policy) and then have the computer ready for the user.
One of the best parts about Specops GPupdate is that it provides real-time reporting of its actions with a nifty bar graph that literally moves as it makes contact with each machine. As you can see in Figure 5, five computers have been asked to run the Gpupdate command. Four of the computers have successfully updated the Group Policy settings, but one of the computers could not be reached, either due to not being online, or due to a firewall blocking the WMI commands. Don't worry, Windows Vista works just as well with Specops Gpupdate as Windows XP. The error here is simply that the machine was not turned on. 
Configuration of Permissions on the Target Computers
The commands contained within Specops GPupdate arent special, though it is really nice that theyre wrapped up in one place with a cool bar graph thingie. What I mean is that the different commands require you to have the relevant permissions on the target computers in order to work. Lets take a look at the commands again, but this time, lets see what security access rights we need in order to execute them on the target machine:
- GpupdateFor this command, you need permissions to run WMI and to start processes on the remote computers. Beware of any firewalls that block WMI. This one is tricky, so Ill explain how to adjust for this potential problem in just a bit.
- Restart Computers and Shut Down ComputersThese require you to have the permission to shut down the computer remotely. Again, beware of firewalls that block RPC (more on this later).
- Start ComputersOf course Wake-On LAN needs to be implemented at the hardware level on the remote computers, but you will also need permission to read the computers IP address in the DHCP database. If youre a member of the group DHCP Users youll have the required permissions. Also, note that the Start Computers command is only guaranteed to be compatible with Microsoft DHCP servers.
What if you have the firewall turned on at your target computer? This can be resolved by configuring the Allow Remote Administration Exception policy setting. You will find it at Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile in the Computer part of the Group Policy Object Editor. Here you can specify which computers are allowed to perform remote administration. The Explaintext for this policy setting is a must-read. Please be aware that this policy setting only works with Windows XP/SP2 or later. Don't forget: If youre not using Microsofts built-in XP (or Vista) firewall, youll need to do the same thing that this policy setting is meant to do, that is, youll need to open ports 135 and 445.
There were a lot of changes to DCOM functionality in Windows Server 2003/SP1, one of which was that, by default, only Administrators can start WMI remotely. We need to change this so we can run Specops Gpupdate against our target computers. You need to make the account that you use to run Specops Gpupdate a member of the built-in Distributed COM Users group. To make sure that this group has the correct permissions, perform the following steps:
- Start the program dcomcnfg.exe on a sample target computer.
- Expand Component Services and then expand Computers.
- Select My Computer and click the computer or properties icon in the toolbar.
-
Figure 6: GPO with the needed settings for using Specops Gpupdate
Common Problems with Specops Gpupdate and How to Avoid Them
Even if you configure the remote computers correctly, you may run into some problems when using Specops Gpupdate. Here are some things to keep in mind to avoid potential problems
- If youre using the Start Computers command, you need to ensure that the computer's Wake-On LAN is enabled in the hardware/BIOS. Similarly, Wake-On-LAN might fail if your computers BIOS is old and crusty. So make sure that you are running the latest version of BIOS and the latest drivers for the NIC.
- If the computer running Specops Gpupdate is on a different subnet or VLAN than the computer you are trying to start, you may need to enable directed broadcasts on any routers and switches between the two computers.
- Because Specops Gpupdate is using DHCP to find the IP and MAC addresses for the target computers, you need to be using Microsoft DHCP to store the IP addresses for the computers that you want to start. The servers also need to have undergone the DHCP authorized procedure which prevents rogue DHCP servers from spitting out IP addresses to anyone who asks.
If, despite your best efforts, you cannot resolve the problem, you can enable Specops Gpupdate debugging, which will generate a log file that will help you further troubleshoot the problem. You enable debugging by going to HKEY_LOCAL_MACHINE | SOFTWARE | SpecopsSoft | Specops Gpupdate and setting the debug Registry key to 1. When you have run the Specops Gpupdate commands you can see the result of your actions in the logs contained within: C:Documents and Settingslogged on userLocal SettingsApplication DataSpecopsSoftSpecopsGpupdate.log.
Heres an example log where I ran Specops Gpupdate against a computer named xp1.knowhow.local, but the computer isnt taking my commands. Hopefully, by reading the log, I can determine what Specops GPupdate thinks is going on, fix the problem, and move on to some other issue.
SpecopsGpupdate: Starting Tracing for Specops Gpupdate, the time is '5/26/2007 11:07:26 AM', assembly name is 'SpecopsGpupdate, Version=1.0.2.13, Culture=neutral, PublicKeyToken=null'.
SpecopsGpupdate: ---> Program.Main
SpecopsGpupdate: Command to execute is 'gpupdate'.
SpecopsGpupdate: The selection is of a type that do not need expansion, only remove the command.
SpecopsGpupdate: Number of computers selected is '1'
SpecopsGpupdate: Group Policy refresh selected.
SpecopsGpupdate: ---> Program.GetNumberOfThreads
SpecopsGpupdate: <--- Program.GetNumberOfThreads
SpecopsGpupdate: ---> SpecopsGpupdate.UpdateGroupPolicies
SpecopsGpupdate: Main form initialized.
SpecopsGpupdate: Main form shown.
SpecopsGpupdate: The WOL starter is running.
SpecopsGpupdate: <--- SpecopsGpupdate.UpdateGroupPolicies
SpecopsGpupdate: <--- Program.Main
SpecopsGpupdate: Processing computer 'LDAP://DC1.knowhow.local/CN=XP1,OU=Denmark,OU=Clients, DC=knowhow,DC=local'.
SpecopsGpupdate: Operating System version is '5.1 (2600)'
SpecopsGpupdate: Hostname 'XP1.knowhow.local', force update 'False', Windows 2000 'False'.
SpecopsGpupdate: This is a non-Windows 2000 box that is updated.
SpecopsGpupdate: The command is 'gpupdate /wait:0'.
SpecopsGpupdate: An exception occurred when calling the WMI method, exception is 'The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)'.
As you can see from the log, Specops Gpupdate is able to easily determine the location of the computer object, the version of the operating system, and the hostname. Then at the end, we see The RPC server is unavailable. This usually means the computer is off, or the firewall on the machine is preventing us from dictating an update. Now we have things narrowed down, and a quick check of the computer and its firewall should give us the answer pretty quickly.
If you run into a problem that isnt described here, or have questions about Specops Gpupdate, you can visit the Specops forum specifically geared for Specops GPupdate located here: http://www.specopssoft.com/forum/forum.asp?FORUM_ID=15 . Specops personnel monitor the forum and are quick to answer any questions relating to Specops products.
The Future of Specops Gpupdate
The latest version of Specops Gpupdate is version 1.0.1.13, which was released in October 2006, and there havent been any additional updates to this free product. But in the Specops Gpupdate forum, several new features have been discussed by current users and the Specops staff. Stay tuned, and maybe well get some new features soon, like the ability to schedule commands or a command-line interface.
Final comments
I hope that this has given you some insight into the free Specops Gpupdate software tool. Considering the added functionality that you get from this tool, it should be in every Domain and Group PolicyAdministrators tool belt. Since it works with OUs, groups, and single-computer accounts, you have total control over your PCs and serversno more waiting for the background processing of Group Policy to occur. The possibilities are endless!
About Claus Jensen
Contact info: [email protected]
Website: www.chinchilladata.dk
Claus is currently the only trainer outside the USA who is certified to teach Jeremys GPanswers.com training. Claus works for a Danish consulting firm who works with several large businesses in Denmark. Claus has been an MCT for 5 years and a great friend to the GPanswers.com community.
About GPanswers.com Training
Choosing the Right Course for You
Of course you want GP training. And we know you'd prefer to use GPanswers.com as your go-to source for GP training. We try to make it as easy for you as possible.
We have GP courses that fit what you need.
- Are you dealing with mostly XP machines? We have an XP-focused course.
- Are you warming up to Vista? We have a Vista-focused course.
- Do you want to learn in an intensive format? Learn it in TWO DAYS.
- Less intensive? Learn it in THREE days.
- Want even more Advanced material? We've got that too.
- Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?
You can find out more about the different public and private courses available from the workshops section of GPanswers.com .
We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take based on your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private (on site) and public classes. Use the Rightsize tool to get a complete understanding of your options.
Public coursesBeginning of 2008 scheduled
I have limited classes for the beginning of 2008:
- Jan 15, 16, 17, 18: Portland, OR: Group Policy Essentials Course, Advanced One Day Course and XP-to-Vista Catch-Up Course. We really need you to sign up now if we want to make this class happen.
- Jan 29, 30, Feb 1, 2: Orlando, FL: (Yes, I spun up this course so that you, yes you, can get approval to go to Orlando in the dead of winter time.) Group Policy Essentials course, Advanced One Day Course and XP-to-Vista Catch-Up course
- Feb 4, 5, 6, 7: Washington, DC: Group Policy Essentials course, Advanced One Day Course and XP-to-Vista Catch-Up course
- March 4, 5, 6, 7: Nashville, TN: Group Essentials course, Advanced One Day Course and XP-to-Vista Catch-Up Course.
For any public class, sign up online at: https://www.gpanswers.com/workshop/
What about OTHER CITIES in 2008?
You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go for 2007.
Now tell me where you want me to go for 2008. The cities with the most votes get classes in their city. Bigger cities are a better bet, so you might want to vote for your closest "major airport" city.
Here's a deal you can't pass up!
Okay, let's assume I'll be in your city teaching a public class. How would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two, three, or four days, and you get a free student attendee!
Such a deal!
Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.
Private courses
If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!
If you have even a handful of in-house people interested in the training (about 68), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, Japanor wherever! Have passport, will travel!
Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, Security, and Product Support Services teams at Microsoft!
For a public class, sign up online at: https://www.gpanswers.com/workshop/ .
For a private class, just contact me at [email protected] or call me at 302-351-8408.
Get signed copies of...
Group Policy: Management, Troubleshooting, and Security
For Windows Vista, Windows 2003, Windows XP, and Windows 2000
-and-
Windows & Linux Integration: Hands-on Solutions for a Mixed Environment
If youre in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Security directly from me for $45 (including shipping).
- If you order the book from me, Ill sign the book for you, free! Ive had many requests for this service, and Im honored that you'd ask!
- If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
- The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
- We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.
This book is in stock! We can ship it out today!
Note, that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.
Order your signed copy today by clicking here .
Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book .
Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)
Free Stuff
- I just did a radio interview at RunAs radio. Check it out here.
- I'll be doing a GP Webinar for Centrify on Windows/Linux/Mac + GP Integration sometime in January or February. Stay tuned for that !
Don't forget our Sponsors
I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before!
So, head on over to the Solutions Guide and see what other goodies are available!
Subscribe, Unsubscribe, and Usage Information
If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription .
Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).
For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter
You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.
While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.
If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]
Please POST your technical question on the GPanswers.com/community forum whenever possible.
If you have questions about ordering a book, contact my assistant Margot at: [email protected] . I endeavor to respond to everyone who emails.
Thanks for reading!
However, if I use the policy setting User Configuration | Policies | Administrative Templates | Start Menu and Taskbar | Remove Help menu from Start Menu, as seen in Figure 2, the Help option disappears in the Windows Vista Start Menu.
But the general case here is that policies always beat preferences. Rock always beats scissors. Or does it? Can the rock crumble when its hit by the scissors? Lets continue onward to see at least one interesting case where it doesnt work that way.
Click on image for larger view 
Click on image for larger view
But why then does that Administrative Templates setting named Disable changing proxy server settings work in a way the other guys dont? Because IE 7.0 (and 6.0 and 5.0) are all coded to look in the proper policies keys. And if theres a value there that IE recognizes, then IE makes sure to honor that.
For most people, the medium-length answer will be good-enough. But youre not most people. Youre looking for the most detailed knowledge you can get. So if youre curious to know why the Internet Explorer GPPE won against the Internet Explorer Maintenance Group Policy settings, read on for The Longer Answer.
Click on image for larger view
We have a FAQ on the same page you should read before you buy. But by all accounts, people are very happy with their PDF purchasing experience.
You might be asking yourself: why don't *I* see these in my GP editor? Because you're not using Windows Server 2008 as your editor or the download update (which isn't yet released) called RSAT which contains the updates.
Figure: The XMLLite component's command-line switches
Figure: You can verify that the Group Policy Preference Extensions were installed on Windows XP and Windows Server 2003 by selecting Show updates.
Figure: Installing the Windows Vista MSU file is like installing an executable
Figure: You can verify that the Group Policy Preference Extensions were properly installed
