MDM & GP Tips Blog

01 Apr 2008

Help out the GP Team!

Want to help out the GP team at Microsoft directly?

The Microsoft Group Policy team would like to hear from you! Please take a few minutes and complete the survey on how you use Group Policy to help Microsoft enhance the manageability Group Policy provides to your organization. The survey can be found here and is completely anonymous. The survey will remain open through Friday, September 28, 2007. Thank you in advance for your time and input!



01 Apr 2008

Vista + SP1 = Gbye GPMC

Right. So, here's the deal. Let's talk about yesterday, today and tomorrow.

Today, the GPMC is part of Vista. That's great. One less thing to load.

But what's also (now) true is that if you install SP1 for Vista (not yet available) the GPMC will be uninstalled. Why?

Because this allows for something that I've personally advocated for. That is, when new goodies are ready to be launched in Group Policy land, let's GET IT OUT THE DOOR. And it used to be this way. The GPMC was a simple download and simple install. When bugs were found in the GPMC, that meant it was a quick fix to jam the fixes in, and re-upload the file for the masses.

But now (today) the GPMC is part of the Longhorn and Vista operating systems. Is this good? Not really, in this one dude's opinion. Because what if some new whiz bang feature is suddenly available? Then you'll have to wait until MAYBE an operating system service pack, or at worst a full operating system revision until it's updated.

But it seems going forward the team has made a decision. That is, the GPMC will "break free" from the operating system. This is good and bad. Good because bug fixes and updates will most certainly happen quicker. It's bad because, dang, the GPMC is so great it just feels like it SHOULD be part of the OS. Also bad because the poor GP team has to wrap up their own changes (called Out of Band changes), whereas before they could rely on different Microsoft build teams to keep it updated inside the operating system.

So, it's a little more work for the GP team, but in my opinion, a really good change. So, Vista + SP1 = no more GPMC. Until you download it (which will have more features anyway.)

So, are you freaked out? Or are you okay with it?

Send me an email. Would love to hear your opinion. (Note I may not be able to respond to all opinions, though I promise I will read it.) Thanks!

Click here for a link to my email.



01 Apr 2008

ADMX Converter and NetIQ Whitepaper and SEARCH!

Two quick notes:

Note #1:

In my testing of FullArmor/Microsoft's ADM to ADMX migrator tool, I encountered a bunch of issues. Namely, all sorts of ADM files I had hanging around wouldn't properly convert to ADMX. Actually, they WOULD convert, but then in the GPOE editor they would bomb out. So, after I reported these errors to FullArmor/Microsoft, I'm happy to say I got a great response for others in the same boat: "We've been working on a new release of ADMX Migrator and have resolved most of the issues including all of the issues raised by Jeremy. We will be feature complete in the next week and a half and expect to release beginning of October 2007."


Note #2:

I have a new NetIQ sponsored whitepaper out called "Why GP Matters -- For Servers". Click here for that paper.


Note #3:

GPanswers.com now has a search engine. Check it out on the main page!



01 Apr 2008

Interview with Outgoing GP Team Lead -- Michael Dennis

Hello GPanswers.com blog readers. There are some big changes in the world of Group Policy. The Lead Program Manager, Michael Dennis, is shifting roles within Microsoft after 9 years and 9 months on the job (to the day!).

In this GPanswers.com exclusive, I was able to interview Michael Dennis for an "Exit Interview" to find out some inside scoop about his tenure on the Group Policy team, and where he's going inside Microsoft.

Note to other websites and news sources: because this content is exclusive to GPanswers.com, you may cite and source GPanswers.com. But please do not copy it wholesale to other websites.



---

[Jeremy Moskowitz, GPanswers.com]: Michael, thanks for this interview. I think lots of people would want to know what you would consider your best achievements during your time running the Group Policy team.
[Michael Dennis, Microsoft]: The biggest achievements go back some time ago, where we concentrated on developing what was to be known as "Group Policy". We had System Policy in NT 4.0, looked at that and its problems. And, since this was in the middle of Active Directory's development, we looked at where we needed to better address the manageability of clients and servers.

The idea that Group Policy was to be built in a hierarchy and that this idea had never been done before was a big deal to us. So, we concentrated on core infrastructure: client processes, integration with Active Directory.

The byproduct of our "best achievement" was also our worst achievement. That's because the GUI that we shipped in Windows 2000 was problematic. People needed a "PhD" in Group Policy to use it effectively because administrators needed to know how "the whole thing worked." I wished we could have created the GPMC and RSOP and delivered it back then (it was in the specs.)

The other big achievement, I would say, is that you can pretty much "count on it [Group Policy] working." And we're honored that people can just count on Group Policy doing its job. Because of that, our team has been even more focused on keeping that idea [of it "just working"] in the forefront. We have a very strong test team to make sure Group Policy does continue to "just work."

[Jeremy Moskowitz, GPanswers.com]: How did "Group Policy" get its name?
[Michael Dennis, Microsoft]: (Laughs). We were talking about this thing called "policy".
My thought at the time was that the word by itself was too broad. It means too many things to too many people.

So, when we took a step back and tried to figure out where we managed things, we saw "groups" of places that we targeted. Active Directory is used for containment [of Group Policy Objects] and also for the targeting of GPOs. So, right there that's three "groups" of things. Sites, Domains and OUs can be "groups" of things in the logical sense. Then we also deal with Users and Computers: that's another two "groups" of things. And, while Group Policy objects don't link directly to security groups, we do leverage them for filtering. So, there's "groups" again.

So, "Group Policy" became the name, and I've been questioned about it ever since.

Could there be a better name? Perhaps, but in all the years that have passed nothing better has been suggested. And, regardless, "Group Policy" now has a life of its own, both as a solution and as a technology.

[Jeremy Moskowitz, GPanswers.com]: What items do you wish could have made it into the Group Policy experience?
[Michael Dennis, Microsoft]: The good news is that the things I have been wishing for all along have seen the light of day. Along the way, my wishes, my vision, the things I've wanted since Windows 2000's release are here now in Vista. Things like RSoP, the GPMC, the increased settings, etc. make me feel very good about where Group Policy is today! I do wish we could have done those things a whole lot sooner.

Additionally, I wish that the Group Policy infrastructure was a more extensible system by partners. Our server side / client side extension model is heavy handed and requires a good deal of work by developers. Though it could be argued that our ADM/ADMX template structure does provide an easily extensible methodology. But, it would be even better if that part of the system enabled people to extend even more types of settings.

Lastly, I wish that the GPMC was more extensible from a reporting perspective to [3rd party tools.] That's an area about which 3rd party tool vendors have been pretty vocal.

[Jeremy Moskowitz, GPanswers.com]: What are some things people don't know about the Group Policy team?
[Michael Dennis, Microsoft]: Sometimes, it's not clear to people where the Group Policy team "fits in" to the overall picture. The idea is that we build the infrastructure, we build the transport, and we build the server and client side pieces. But in Vista alone we partnered with about 120 different teams at Microsoft to get the new settings in place for this release. We're the "middleman." So, if you see a Group Policy setting whose behavior seems odd, or has "Explain text" [the text within policy settings] that could be clearer, that's not specifically the Group Policy team's doing.

Another thing is that Group Policy is not to blame for system "slowdown" issues at boot or logon. It's the Group Policy payload that's to blame if things are slow. If you tell Group Policy to do something that's heavyweight, it's going to just "do it." For instance, if you tell it to install Microsoft Office on a per-machine basis, great. But just know that it will do what you asked for, it will install all of Office before you get a logon prompt. Is that a slowdown? You betcha, but as an admin that deployed it, it's exactly what you wanted the system to do.

The good news is that Group Policy will do these things, then, once it's done it, it doesn't have to do it again, and doesn't get in your way "the second time" because we check to see what it's already done.

[Jeremy Moskowitz, GPanswers.com]: What's your favorite thing to "show off" using Group Policy ?
[Michael Dennis, Microsoft]: These days, I like to show off some of the new settings that made it into Vista. The removable devices settings [to restrict things like USB sticks, etc]; those settings people had been clamoring for. There are about 2400 settings in Vista, which brings a significantly larger level of control to the admins, so I like asking customers "What do you want to control?" and then show them how.

[Jeremy Moskowitz, GPanswers.com]: Why did you change from ADM to ADMX files?
[Michael Dennis, Microsoft]: Technically, we didn't have to get to ADMX to get to the new central store feature with Windows Vista. The big push for converting to ADMX was to allow us to support multiple languages appropriately.

In the old way, in Multilanguage environments, you would often run into a situation where the contents of the ADM files inside a GPO would be inadvertently written by another language. Historically, we borrowed the ADM format from NT 4.0 which had borrowed it from 98 which had borrowed it from 95. If XML had been around then, it would have been a good candidate for our file format.

But, now that we have XML, it became easier to support multiple languages, and it presents us future opportunities to make registry and settings enhancements with our now schematized language.

[Jeremy Moskowitz, GPanswers.com]: What was the biggest internal challenge you had to overcome while working at the GP team?
[Michael Dennis, Microsoft]: The most ongoing problem that our team faces is when we try to get other components of Windows to policy enable their feature.

Team X might respond "We just built this great new feature... why would anyone want to turn it off?" And we can understand that. But, for the most part, we worked through a lot of those issues.

Other challenges are the technicality of policy enabling some things. For instance, the new Windows Firewall with Advanced Security (WFAS). WFAS was tough to do. It's not easy or straightforward to policy-enable it right. The interface that the WFAS team did for Vista is superb, but doing it right has been tough.

The removable device policy settings, enabling these was a technical challenge, because three OTHER teams (plus the Group Policy team) had to come together to enable that in the system.

Over time, (since Windows 2000 and every release since) we've spent a fair amount of energy to put forth the right set of policy settings enabled in the system.

In versions of Windows before Vista, the product teams themselves didn't always think about policy-enabling their components. But, during Vista's development, a fair amount of teams proactively recognized that they needed to policy enable their sections of the world, to be more manageable. They would come to us and ask "Please tell us how."

That was huge!

[Jeremy Moskowitz, GPanswers.com]: What's next for you?
[Michael Dennis, Microsoft]: I'm moving to the "Mobile Information Worker" team which is responsible for Smart Phones, PocketPCs, etc. My role will be to extend some of the management technologies in Windows Server System to Windows Mobile devices.

I will try to take my same vision and passion for manageability and apply it in this new space. Meanwhile, I'm leaving the Group Policy team in an outstanding position to move things forward without me.

[Jeremy Moskowitz, GPanswers.com]: Who is your successor?
[Michael Dennis, Microsoft]: That announcement will probably be made in another week or two. We're working on how things need to be organized, who's the right person, and how that should be done. There's no rush to make an announcement. It might be a few more weeks (or maybe just a few days.)

I'll leave it to the Group Policy team to let you know so you can tell your folks on GPanswers.com.

[Jeremy Moskowitz, GPanswers.com]: Anything else you'd like to tell the GPanswers.com audience?
[Michael Dennis, Microsoft]: All through the development of Group Policy, one key focus was to "get in front of customers" and understand what they're trying to do (from a scenarios perspective). This idea, of "scenarios that solve problems" is now embedded in the team.

If a customer has a well structured opinion about scenarios they'd like to see Group Policy cover, and they have a business case for doing something, they need to find a way to communicate that back to us.

We have a good feedback mechanism that's available to anyone at any time:

Http://www.WindowsServerFeedback.com

There, you'll find a Group Policy button.

If your folks can say "here's my problem, here's my business case, and I need the system to be able to do this and here's why" that kind of information is very, very valuable to us. Those who make decisions about Group Policy going forward read every entry that comes through that source.

Again, if you want to have an impact in Group Policy moving forward, tell us about what you need. But please don't just tell us "We need a policy setting that does X" without telling us "why."

The "how" is our job to figure out. What the Group Policy team really needs to know is the "why."

[Jeremy Moskowitz, GPanswers.com]: Thanks for taking the time to tell us about your experiences on the Group Policy team at Microsoft. All the best!
[Michael Dennis, Microsoft]: Thank you Jeremy, and thank you, members of GPanswers.com.
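
To make the ADM-to-ADMX point in the interview concrete, here is an added, constructed example (not code from GPanswers.com or Microsoft) of a language-neutral ADMX file beside one of its per-language ADML string tables; the `Example.Policies` namespace, the `DisableFooFeature` policy and its registry key are hypothetical. The only names taken from the real schema are the `Microsoft.Policies.Windows` namespace and its `SUPPORTED_WindowsVista` definition.

```xml
<!-- Example.admx: language-neutral definition (constructed example, hypothetical policy) -->
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="example" namespace="Example.Policies" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <!-- Every user-visible string is a $(string.ID) lookup that the editor resolves
       from the ADML matching the console's language; no display text lives here. -->
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ExampleCat" displayName="$(string.ExampleCat)" />
  </categories>
  <policies>
    <!-- Machine-side policy that writes a single REG_DWORD under a Policies key
         (hypothetical key; a real component would have to read it). -->
    <policy name="DisableFooFeature" class="Machine"
            displayName="$(string.DisableFooFeature)"
            explainText="$(string.DisableFooFeature_Help)"
            key="Software\Policies\Example" valueName="DisableFoo">
      <parentCategory ref="ExampleCat" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>

<!-- en-US\Example.adml: one such file per language, all sharing the same string IDs -->
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                           revision="1.0" schemaVersion="1.0">
  <displayName>Example policies</displayName>
  <description>Strings for Example.admx (constructed example)</description>
  <resources>
    <stringTable>
      <string id="ExampleCat">Example Category</string>
      <string id="DisableFooFeature">Disable the Foo feature</string>
      <string id="DisableFooFeature_Help">When enabled, the hypothetical Foo feature is turned off on this computer.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
```

Because the ADMX carries no display text and neither file is copied into the GPO, an admin editing the same GPO from a console in another language only reads a different ADML; nothing is overwritten, which is the mixed-language ADM problem described above.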

01 Apr 2008

Yay and boo

Yay: I've been accepted as an Enterprise Mobility MVP for my third time. Thank you to all who helped me achieve that!

Boo! I found _another_ Vista bug {sigh}.

Here's the lashup...

If Vista recognizes that your hardware has changed enough that you must re-validate, you are prompted to do so when your next user logs on. After validating, I found the following to be true:

1. Delegated permissions required to see your own GPresults are not available

2. Computer-side policy fails to execute

3. Remote Desktop into the machine becomes impossible

All is cleared up with a reboot of the affected machine after validation.

In short... After validation, you simply must reboot to get a normal experience.

But Vista doesn't make you reboot.