MDM & GP Tips Blog

Jul 2007
17

Issue #24

Issue #24

edit

  • Let's get an understanding of ADMs and ADMXs, finally !
  • Did you miss the Fourth ? (Edition, that is...)
  • Some more goodies about PolicyPak Software
  • Public GP Training Schedule Update
    • Different course levels
    • XP and Vista coverage
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

GPanswers.com News and Updates

GPanswers.com is a free service, as you know. And we try try try to keep it as up-to-date as possible. But we're a limited full time staff (that's me!) so every once in a while, I ask for some part time helpers to help give us a "boost."

These just aren't "any ol' people" .. they need to be READY and WILLING to help the cause of GP everywhere ! (Okay.. maybe that's a little much, but you get the idea.) We've added three super helpful folks to our GPanswers.com staff.

Staff Changes

In the office, I've changed my office assistant to Margot Cullen. Margot is just awesome. So, if you need receipts, want to call in to sign up for a public class, or ask her personal and revealing questions about what I do on the weekends, she's your gal. She can be reached at[email protected]. Please do not send technical questions to Margot. Please use the Community Forum (GPanswers.com/community) for that. Thanks !

GPanswers.com Helper Additions

After a long search, I'm proud to announce two helpers to GPanswers.com: Jakob Heidelberg and Eric Johnson. Jakob is a Danish Windows Expert, and well known blogger. If you read my blog, you'll be sure to love his as well. Click here for information about Jakob !and Be sure to read his blog !

Eric Johnson who works at a private healthcare firm will also be helping out at GPanswers.com. No blog from Eric yet, but maybe soon!

These two guys are going to help answer questions in the forums, and help with the Tips and Tricks section at GPanswers.com. In fact, if you look at some (most!) of the Tips and FAQ questions, you'll see Eric already hard at work. Many tips and such at the bottom will say:

" Verified by: Eric Johnson
Edited by: Eric Johnson
Last Edit date: June 30th, 2007
This question originally posted on August 7th 2004. "

That way, you get a good idea that we double-checked the accuracy of our tips and also the last time we touched them for a checkup. Hope you like that new GPanswers.com feature. If you want to submit a Tip / Trick / FAQ question .. there's only one place!

That's at the GPanswers.com/community forum, specifically in the "Submit a Tip / Trick" section here. You will need to register for a community forum account before submitting.


This Month's Newsletter Sponsored by: NetIQ

Download our new white paper, "Best Practices for Managing AD & Group Policy", to understand how your organization can improve its control over changes to Active Directory and Group Policy. You'll get the answers you need to assure changes are identified, tracked, and safely made across Active Directory and Group Policy.  

Click the link to learn more: NetIQ


Inside ADM and ADMX Templates

ADM files. You either love 'em or your hate 'em. Maybe both.

And that's because they're both necessary, but also confusing. And to add to the mix, Microsoft now has ADMX files which can only seemingly add to the confusion.

In this issue we'll tackle ADM files. Next issue -- ADMX files.

So, let's begin with the "unconfusion."

Why do we need ADM files?

Group Policy is made up of multiple areas. If you dive down into the Group Policy Object Editor (GPOE), you'll find lots of "stuff" you can do with Group Policy. For instance, Software Restriction Policy, Group Policy Software Installation, Folder Redirection. And yes, the one we play with most: "Administrative Templates" as seen here. The Administrative Templates node is on both the User and Computers sides. As suspected users can only embrace User side policy settings and Computers can only embrace Computer side policy settings.

But how do these magical settings get "born?"

It all starts when the stork brings us a new application. Really!

Okay, not really. But when new applications are "born" there's potentially some settings we can manipulate. That's where ADM files come into play. They describe the areas of the application that's ready to accept settings. ADM files are limited, right away, unfortunately, because they can only address registry settings within an application. But, an application might save it's settings in various places: .ini files, .js files, .XML files and other areas. ADM files can only address registry-based settings.

In the box ADM files

So how do all those policy settings in the box for Computer Configuration | Administrative Templates and User Configuration | Administrative Templates get there in the first place? If you right-click over the words "Administrative Templates" and select "Add/Remove Templates" in either the User or Computer side, you'll see the default templates which make up the standard configuration.

The breakdown of these files is:

  • Conf.adm -- NetMeeting settings.
  • Inetres.adm -- Internet Explorer settings, including connections, toolbars, and toolbar settings. It is equivalent to the options that are available when using the Internet Options menu inside Internet Explorer.
  • System.adm -- Operating system changes and settings. Most of the Computer and User Administrative Template settings are in this ADM template.
  • Wmplayer.adm --Windows Media Player 9 settings.
  • Wuau.adm -- Controls client's access to Windows Software Update Services servers' clients.

Adding your own ADM Template Files

Well, that's easy. First, just get the ADM template you want to use. Maybe you've downloaded one from GPanswers.com. (We have about a dozen interesting ones.) Or maybe you want to utilize the ADM files for Office 2003 or Office 2007. That's great.

Just click Add as seen in Figure 1 and add in the template. By default, templates are looked for in the Windowsinf directory, but there's no reason you cannot store them anywhere else. Here's something you may not know: once the ADM template is added, that ADM template gets added to the GPO itself.

For instance, in this example, I've added "nopassport.adm" which will let us squelch the "Do you want to add your passport?" message the first time a user logs into an XP machine. And also Word11.ADM (from the Office 2003 ADM template download.) You can see these additions in the "Add/Remove Templates" window.

Then, inside the GPO itself, specifically, the GPT, in the ADM directory, you can see the nopassport.adm and Word11.ADM file added. Click for larger graphic...

Why is it added to the GPO? Because if you then try to edit this GPO on another management station, you'll be able to see the settings contained within the ADM files.

Why Can't I see the ADM file additions?

Well, maybe you can, or maybe you can't see your ADM file additions. And this is causing a lot of confusion for a lot of administrators. Indeed, this is a top 5 FAQ at GPanswers.com, so I hope to put it to rest right here.

You should at least be able to see the results of adding the two templates as seen here. Two new nodes will appear. Computer Configuration | Nuisances (because of nopassport.adm) and User Configuration | Microsoft Office Word 2003 (because of Word11.ADM). If you dive down into the Word 2003 settings, you'll see a huge array of configurables, as seen here. Click for larger graphic...

But, you cannot see the settings within the new Nuisances node. Why not? To understand that, you need to understand the idea of "proper" vs. "improper" policies keys that an ADM template might affect.

Proper vs. Improper Policies Keys

Microsoft documentation states that four Registry areas are considered the approved places to create policies out of Registry hacks:

  • HKLM|Software|Policies (computer settings, the preferred location)
  • HKLM|Software|Microsoft|Windows|CurrentVersion|Policies (computer settings, an alternative location)
  • HKCU|Software|Policies (user settings, the preferred location)
  • HKCU|Software|Microsoft|Windows|CurrentVersion|Policies (user settings, an alternative location)

The settings contained within Word 2003's ADM writes to these "proper" locations. But the nopassport.adm file doesn't. Indeed, nopassport.adm writes to HKLM | Software | Microsoft | MessengerService | PassportBalloon

So, Microsoft puts up a little safety gate before it allows you to see these settings. The idea is that any of the settings that don't write to the proper Policies keys (listed above) will tattoo the registry. So, even if you whack the GPO, there's no way the setting will "revert" back. For example, let's say you added the nopassport.adm file, and chose squelch the "Do you want to add a passport?" pop-up balloon to every machine in your domain. Then, later, the boss said he really liked that setting. You've got a long road ahead of you because all computers now will embrace the setting - basically forever - until you expressly put that setting back.

In contract, regular policy settings have a "default" value. And if you whack the GPO, those settings will revert back to something. For instance, if you choose to prohibit access to the Control Panel using the built-in ADM templates. Then later, change your mind, all you need to do is whack the GPO and voila! The Control Panel comes back.

Again - not so with the Passport message - because the policy setting isn't in a place that will ever revert. So Microsoft protects you by (initially) not showing the policy settings at all - so you don't shoot yourself in the foot !

Seeing ADM templates

So, seeing the ADM templates isn't all that hard. The editor, by default, doesn't show you the settings. But it's easy. Click on the word "Administrative Templates" (either User or Computer half). Then select View | Filtering. Finally, uncheck (yes, uncheck) "Only show policy settings that can be fully managed." When you do, you'll see "Passport Solicitation" as a policy setting show up under the Setting column as seen here.  Click for larger graphic...

XP vs. Vista in the editor

Did you notice a subtle difference in the policy setting that just popped up? Look at the icons of policy settings that ship in the box. Click for larger graphic...

Now, look at the icon for a policy setting from an ADM template where the settings don't write to the proper Policies registry keys.  Click for larger graphic...

This blue vs. red icon differential helps you know which settings will tattoo, and which won't. But again, it's all based upon where the setting actually targets its settings. In Vista, by the way, the situation changes a bit when you use ADM files in your management station. ADM files show up in their own node called the "Classic Administrative Templates (ADM)" node, as seen below. What was red-dot settings now show up as a scroll icon with a downarrow (but while editing the setting itself, it has a little "No Enter" sign) all seen below.    Click for larger graphic...

The settings that were blue-dot (those that write to the proper Policies keys) show up as little scroll icons, as seen here. Click for larger graphic...

Next time..

This newsletter is about to get to be "too long." So, what we'll do is cut it off here, and talk more about ADM vs. ADMX files a little more in the next issue.

How PolicyPak Software Changes Things

Before I even jump to the good parts, let me just say that PolicyPak software is now ready for you to download and check out today! So, if you decide halfway through reading this, "I just gotta start playing !" ... well, you can! Just go to PolicyPak.com, register for an account, validate the account, and download the software you put in your download cart! As we've just learned, ADM templates are great, but, they're not the best solution to settings management. You still need to:

  • Figure out all the ways the target application needs to be controlled
  • Create the ADM files by hand

Then, those ADM files ...

  • "Tattoo" the Registry (boo!)
  • Can't even get to some areas of the Registry with ADM files at all! (Think reg_binary values or HKEY_Classes_Root.)

And finally,

  • The ADM language doesn't let you "craft" a look and feel similar to the application you're actually trying to control.

Not to mention that ADM files only manipulate the Registry. If your application has tweaks in .ini files, or custom configuration files or databases, ADM files just won't be able to get in there to adjust the settings you need them to.

Enter PolicyPak.

PolicyPak Software is a new venture of mine that offers software that lets you naturally control your existing applications with Group Policy.

How do we do it?

We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy.

  • Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader.
  • Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger.
  • Wanna control WinZip using Group Policy? We're working on PolicyPak for WinZip (and lots of others...)
  • Wanna control something we don't support yet? Suggest an application at www.PolicyPak.com/suggest !

Click for larger graphic...

Our goal is to have lots of PolicyPaks to control the applications you already have.

You'll purchase them a la carte, so you'll get only the PolicyPaks you need.

Not only have we already "done the research for you", the interface looks almost exactly like the target application. No learning curve! You're gonna love them! In this example, we're changing the color of the Highlight Color in the Forms tab. Click for larger graphic...

Try doing THAT with an ADM template ! Or this trick.. Setting where files should be saved when users utilize Windows Live Messenger. Click for larger graphic...

So, how can you check them out?

We're ready for you to check us out and it for a test drive. Just mosey over to www.PolicyPak.com, register for an account and give our two PolicyPaks a whirl.


About GPanswers.com Training

Choosing the Right Course for You

Did you know that here at GPanswers.com, we have GP courses that fit what YOU need?

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private and public classes. Use the Rightsize tool to get a complete understanding of your options.

Public courses—2007 scheduled

So, here's the 2007 (first half) line-up:

  • August 8–9: Chicago, IL: Two-Day Group Policy Intensive Course (XP Focused)
  • August 10: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Oct 23, 24 and 25: Netherlands: Three-Day Group Policy Less-Intensive Course (XP Focused). Sign up here.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about the SECOND HALF of 2007?

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go for the first half!

Now tell me where you want me to go for the second half. The cities with the most "votes" get classes in their city.

Here's a deal you can't pass up!

Okay, let's assume I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee!

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, the Security Team and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

LIMITED TIME Private Course Special Offer

If you book three-days of private class training which completes before Sep 7, 2007, I'll include all travel expenses. So, maybe you'd like the Two-Day XP Training with the One-Day XP-To-Vista Catchup day. Or, maybe the Vista Two-Day and One-Day Advanced training.

Any three training days qualifies for this special offer.

I have some free time in the summer I want to fill, and want to give you an incentive to help me book that unused time. So, you pay no travel expenses if the class completes before Sep 7, 2007!


Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

  If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Securitydirectly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!
Note, that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
 http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • FullArmor corp, with their Endpoint Policy Manager
  • PolicyPak Software, with their PolicyPak family of tools

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

.For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected] Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Margot at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

May 2007
31

Issue #23

GPanswers.com Special Mid-Newsletter Update

Are you going to be at Microsoft's TechEd next week?
I am, and I hope you'll come by and say Hi!
In fact, I've got some really big news, so I'm breaking it down in three bites to make it easier to digest.
I'm speaking at TechEd, and so are some other speakers you'll be interested in.
It's here: PolicyPak Software! Group Policy—Enable Your World!
More ways to connect at TechEd (free book signing and more!)
SPEAKING TIMES AT TechED
I'll be speaking twice—same talk (just repeated). Come to one, or both!
Topic: Deep Dive into Windows Vista Group Policy Changes and Troubleshooting

Session ID: CLI408
Time #1: Tuesday 8.45 Room S330
Time #2: Thursday 9.45 Room: N320 A

The beauty of Group Policy changes is not skin deep. There are some basic and detailed changes lying under the hood. And Jeremy Moskowitz of GPanswers.com and author of "Group Policy: Management, Troubleshooting, and Security" is just the guy to bring them to you. In this session, learn why you can't just run gpresult.exe anymore and get the results you want. Discover what happens if you reconnect to the network after a long absence. Learn how to crack open the new Vista event log and trace Group Policy flow to figure out what might be going on. Learn how other areas, like Offline Files and Group Policy Software Installation can be tweaked to give you just the information you need to fix what ails you. If you're looking for Group Policy answers to your troubleshooting questions, this is the session for you.

OTHER Group Policy Speakers and Speeches

Actually, there's so much Group Policy stuff going on I can't list it all! But here's a sampling. CLI331 - Using Group Policy with Windows and Windows Server 2008
Wednesday, June 6 10:15 AM - 11:30 AM, S330
And
Thursday, June 7 1:00 PM - 2:15 PM, S320 A
Speaker(s): Mark Williams and Jason Leznek

This scenario-based walkthrough uses a series of demonstrations to offer an in-depth understanding of new and enhanced Group Policy functions in Windows Vista, and plans for the Windows Server 2008 timeframe. This session showcases Windows Vista as a Windows Vista Group Policy administrative workstation. Learn about new Group Policy features in Windows Vista, including the new format and functionality of Administrative Template (ADMX) files (and interop with legacy ADM files), the ADMX central store, improved awareness of changing network conditions, using multiple local Group Policy Objects (MLGPOs), and Group Policy Management Console (GPMC) integration into the operating system. Demos include using the new event viewer ("Crimson"), and showcase a selection of the hundreds of new policy settings delivered with Windows Vista. Finally, we provide an introduction to the products acquired from DesktopStandard and discuss their future availability and roadmap.

CLI316 - Microsoft Desktop Optimization Pack: Advanced Group Policy Management (AGPM)
Tuesday, June 5 4:30 PM - 5:45 PM, N320 A
Speaker(s): Derek Melber, Winni Verhoef

Advanced Group Policy Management, a Microsoft Desktop Optimization Pack technology, adds an important level of control to Group Policy management. By adding delegation and workflow for Group Policy management, the enterprise administrator gains granular control over Group Policy deployment. This session explores the AGPM product and how it can help the Enterprise regain control over Group Policy management.

CLI03-TLC - ADMX File Creation and Management
Wednesday, June 6 3:45 PM - 5:00 PM, Yellow Theater 1
Speaker: Judith Herman

Microsoft Windows Vista introduced ADMX files to define Group Policy settings. This session describes how to create, edit, and manage ADMX files (and their associated ADML files for multi-lingual support). The discussion covers the syntax of these files and how they are used with the ADMX Central Store.

Okay—Here's the Big News: PolicyPak Software
Two TechEds ago, I had a flash of realization about Group Policy. Group Policy does some amazing stuff. It controls Windows itself really, really well. But what it doesn't control really, really well are third-party applications.
Sure, there's ADM templates. But ADMs are just NOT the ideal solution. With ADM templates you have to: Figure out all the ways the target application needs to be controlled Create the ADM files by hand Then, those ADM files "tattoo" the Registry All the while, you can't even get to some areas of the Registry with ADM files at all! (Think reg_binary.)

And finally, The ADM language doesn't let you "craft" a look and feel similar to the application you're actually trying to control. Not to mention that ADM files only manipulate the Registry. If your application has tweaks in .ini files, or custom configuration files or databases, ADM files just won't be able to get in there to adjust the settings you need them to.
Enter PolicyPak.
PolicyPak Software is a new venture of mine that offers software that lets you naturally control your existing applications with Group Policy.

How do we do it?
We have our own Group Policy CSE, a Client-Side-Extension. This isn't an "agent", it's an organic extension to Group Policy. Installation is super-easy. You run a component which extends the Group Policy Object editor on your administrative machine (where you create your GPOs). Then you deploy the CSE using Group Policy Software Installation to your target machines, and you're ready to control your applications using Group Policy. Wanna control Adobe Acrobat Reader using Group Policy? Try PolicyPak for Adobe Acrobat Reader. Wanna control Microsoft Windows Live Messenger using Group Policy? Use PolicyPak for Windows Live Messenger. Wanna control WinZip using Group Policy? We offer PolicyPak for WinZip.

Our goal is to have lots of PolicyPaks to control the applications you already have.
You'll purchase them a la carte, so you'll get only the PolicyPaks you need. And the interface looks almost exactly like the target application. No learning curve.
And PolicyPaks act a lot more like Group Policy than ADM templates do.
You're gonna love them!

So, how can you check them out?
Two ways:
Way #1: We're still in "private beta", but you can get on board if you send me an email letting me know that you're interested, and telling me how you plan to test our software out. This can be a simple test lab or a pilot group.
Way #2: Come to Booth #914 at TechEd and meet the Specops Group Policy Gurus. That's me, Darren Mar-Elia of GPOGuy.com, and SDM Software and the Specops Guys who make some awesome Group Policy software (www.specopssoft.com)! We'll be there most of the conference to show off our stuff and answer your tough Group Policy questions! And I'll have live demos of my new software and we can talk about what you think! We have a website, www.PolicyPak.com, with more information and images of the PolicyPak interface that you can check out, too. But right now there is no way to download the beta software. It is a PRIVATE BETA open only to people who email me directly. If you think you can get me some feedback before TechEd starts, I especially want to hear from you!

Book Signing at NetIQ's Booth At NetIQ's booth, I'll be giving away 100 free signed copies of my new book. All you need is one of my famous "Group Policy Book/Training Postcards" and then just be one of the first 100 people in line to get your free, signed copy. Come to NetIQ's booth before the free book signing on Wednesday from 1:00 to 2:00 for all the details!

More at TechEd to Love
There is likely going to be more news and stuff to love at TechEd this year, and when I find out about it, the quickest way I can tell you about it is via my blog at www.GPanswers.com/blog. Keep checking it for updates as they happen! See you at TechEd 2007 (booth #914!, mostly!)

May 2007
09

Issue#22

Newsletter 22. In this issue:

  • Jeremy Talks About Vista and Group Policy, and Other News from GPanswers.com
  • May the Fourth (Edition) Be With You . . .
  • Moskowitz, inc. Technology Takeaway®
    • Some tips about using GP to manage Office 2007
  • Public GP Training Schedule Update
    • Different course levels
    • XP and Vista coverage
    • Cities that are scheduled for public courses
  • Subscribe, Unsubscribe, and Usage Information

There's lots to tell you in this issue! There was so much, in fact, that I held some back for the next edition, which will be out much sooner than normal.


This Month's Newsletter Sponsored by: BeyondTrust Corporation

Enable users who don't have administrative privileges to run all applications!

BeyondTrust Privilege Manager was the first product to enable the security best practice of Least Privilege in Windows environments by allowing administrators to assign end users permissions to required or selected applications. Built for Windows 2000, XP, and Vista, and applied through Group Policy.

Click the link to learn more:BeyondTrust


GPanswers.com News

Holy cow—it's here! 786 pages!

You wanted it, and now you can get it. The biggest GP book of all time, and it's available RIGHT NOW. That's right, I've got an updated version of my popular Group Policy book. It's not called "4th edition", but that's really what it is.

Learn more at www.GPanswers.com/book (and in the note below).

In short, it's long. Fully updated for Vista, XP/SP2, and Server 2003.

200 new pages. You're gonna love it. Get a signed copy at www.GPanswers.com/book!

Jeremy talks about Group Policy and Vista

In case you missed it, here's a link to an interview conducted by Greg Shields of Redmond Magazine where he and I chatted about some of the new customizations in Group Policy that come with Windows Vista and why you should start implementing them now to prepare for what's to come in Windows Server Longhorn.

Download the podcast from here

Updated GPanswers.com/community forum

We've moved and shaken a little bit in the forums, and now things are more streamlined. If you have a question about something in the book, or something about the material that the same chapter in the book would cover, you can just post to one place. (Trust me, this makes sense when you check it out.) So, join the community forum today!

don't forget the blog

Some people have asked why they don't see as many newsletters anymore.

Because now I have my little blog, so that when I have a neat little nugget to share, I can do it immediately.

I don't have to compile all those little tips into a big newsletter.

So, I'm saving the newsletter for longer tips that I think tell a bigger story.

Getting to the blog is easy. Just shuffle over to www.GPanswers.com/blog and you can use the RSS link on that page to get updated whenever there are goodies to be had!

Welcome to Cynthia

I have a new right-hand here in the offices of Moskowitz, inc. Her name is Cynthia Talmage, and she can help you order a case of books, sign up for Public class, or help you get that Private class you always wanted. You can also ping her just to say Hi. You can say Hi by emailing [email protected].

Welcome to Eric

Eric has joined Adam to help out with the GPanswers.com community forum. As a long-standing member, he has already provided countless tips and nuggets of advice to other visitors, and now he is also helping to keep the forum in order to make it even easier to get the best quality information about Group Policy from your peers. A warm welcome to Eric. Why not join him and our other regulars in the GPanswers forum today?

Spread the Word

If you enjoy this newsletter and are anxious to read the material we had to leave out for next time, why not share the GPanswers love?

Spread the word! How?

Simply forward the newsletter email that you received to a colleague or friend and they can decide if they like the content, and if so, they can sign up here to make sure they don't miss out on future releases.

Or maybe you can mention the newsletter in your blog or just shout "I love GPanswers.com" to the guy next to you in traffic. However you do it—let people know why you think GPanswers is THE place to go for Group Policy information.


Fourth Edition of Jeremy's Group Policy Book... renamed:

Group Policy: Management, Troubleshooting, and Security

Every single chapter has gotten an update for Vista, but I still make sure you have all the information you need for both Windows XP and Windows 2000. Here are some of the highlights of the new edition:

  • A real lab guide makes it easier to follow along with all of the hundreds of examples. So, you can walk through everything with me if you want to.
  • Multiple Local GPOs for Vista with walk-through examples.
  • Understanding and troubleshooting Vista's method for determining if you're online or offline, and what that means for GP processing.
  • Troubleshooting in a Vista world.
  • Find out what happens with ADM and ADMX files when you create a GPO. Or what happens if you edit a GPO from Vista or XP. And back again!
  • Software Restriction Policies secrets.
  • Tricking Restricted Groups so it’s not “rip and replace”.
  • Controlling User Account Control, and tweaking it for specific scenarios.

There's so much more ... read more detail and some reviewers' comments here. You can order the book from popular online retailers, or get it SIGNED if you order it directly from me. Just click here !


Technology Takeaway®, a Service of Moskowitz, inc.

A quick look at Group Policy for Office 2007

Many of you will be facing the challenge of planning a deployment of Office 2007, or you may already have some early adopters in your organization. So in this edition, we'll take a look at how to implement some of the useful Group Policy controls for this new version of Office.

First things first—the ADM templates

Microsoft has released a collection of ADM files (yes, ADM files) so you can manage these policies from an XP or 2003 machine just as easily as from Vista/Longhorn. These can be downloaded as a single extractable file here: http://go.microsoft.com/fwlink?linkid=75729

A little side note: What's strange is that ADMX files for when you use Vista management stations are STILL missing in action. I've seen pre-beta versions, but they never seem to materialize.

Anyway, once you have downloaded and extracted them, add them to your GPMC by editing or creating a policy, then right-clicking Administrative Templates | Add/Remove templates | Add. Browse to the extracted files and add the ones you need.

There are settings available for the machines side or the user side but the vast majority target user settings.

Help your users save things properly

One gripe system admins often have is that their users simply don't follow corporate guidelines, ignore all their training, and save things where they should not—particularly in places such as My Documents. This is a little unfair—many users would argue that if you want them to save somewhere, you should make it an easy place to find. You might also consider just preventing them from saving anywhere else but the place you designate. Let's look at helping your users find the right place first.

On XP/2003/2000, you would look under User Configuration | Administrative Templates; with Vista go down one more level to "Classic administrative templates" (which indicates their ADM file format). There you will find Microsoft Office 2007 System | File open/Save dialog box.

The first section in there deals with the Places Bar—the "favorites" area of the Open and Save dialog boxes. You can add up to 10 locations which will appear in the order you enter them, and you can give them meaningful names—no more "X: (fileshare on SRV27)", but "Your shared work files". You can use UNCs and combine environment variables for profile locations, and so on.

So, we've made it easy to find the right place, how about blocking the "wrong" places? This requires a combination of two settings, both of them under the section "Restricted browsing". Enabling "Activate Restricted Browsing" will mean that in the Save As dialog, users will not be able to navigate to any folder which is not explicitly allowed by the second (multi-value) setting, "Approve locations". Note that if you set the first one, you MUST provide a list in the second one.

Notice that these settings restrict where users can save, but do not limit where they can browse to open files (which they might have previously put in the wrong place).

Using Corporate standard templates

Anyone working for a large company will likely be familiar with the idea that they should stick to certain corporate guidelines for their documents; in other words, layout, styles, fonts, etc. should be consistent between documents and between authors.

In order to facilitate this process, marketing departments (usually aided by IT, of course) often create standard templates for users to use for their letters, faxes, presentations, and so on.

When the process is implemented badly, users will save their own copies of these templates which become out-of-date once the originals are updated, and all their future documents then deviate from company standards. Here's some simple rules of thumb if your business has gone to the effort of making these standard documents:

  • Save them once in a central fileshare to which all users have read access and only a limited number of individuals have any modify permissions.
  • Tell users to use these and only these.
  • Better still, configure their Office apps to know where to find the templates, so when they create a new document, the application automatically gives them the right choices.

Now in Office 2000/2003, this was easy to do through the UI. In the always-connected world of Office 2007, however, it is just as likely for the app to try and find a jazzy-looking resume from the internet as it is to deliver the corporate memo template.

So, under Office 2007 System | Shared Paths | Workgroup Templates, set the UNC or the drive and folder where the templates are stored. (You can also do this for previous versions using the matching ADM files.)

Managing file types during your migration

There are lots of good reasons why the underlying file type has been changed after all these years, and many admins are thanking the development team for making all the files sitting on their fileservers and in their email systems so much smaller. But there is the potential problem of compatibility if your network is too big to upgrade everyone all at once.

You could download and install the Office 2007 compatibility pack on all your machines that have older versions, but this could be quite time consuming. As a short-term measure you might want to simply change the default for your Office 2007 applications to save in the older format.

Using Excel as our example, you need to look under User Configuration | Administrative Templates | [Classic Administrative Templates(ADM)] | Microsoft Excel 2007 | Excel Options | Save. The setting for "Save Excel Files as", once enabled, has a drop-down list of choices. The most likely option you would want is "Excel 97-2003 workbook".

Note that the application will use this as the default file format when saving, but does not prevent the user from making a different choice. It also does not prevent the user from changing the default in the UI by graying out the choice under the Office button | Excel options | Save. However, when they restart Excel it resets the policy setting, even before a GP refresh.

That's all the time we have for tips in this issue! Next time there'll be more about the way the GP engine works, and some information about the improved troubleshooting tools available under Vista. Please continue to submit your own tips or links to useful information in the GPanswers.com forums.


Choose the Right Active Directory and Group Policy Course for You

Did you know that here at GPanswers.com, we have GP courses that fit what YOU need?

  • Are you dealing with mostly XP machines? We have an XP-focused course.
  • Are you warming up to Vista? We have a Vista-focused course.
  • Do you want to learn in an intensive format? Learn it in TWO DAYS.
  • Less intensive? Learn it in THREE days.
  • Want even more Advanced material? We've got that too.
  • Already know XP GPOs pretty well? How about our XP-to-Vista Catch-Up course?

You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a Group Policy "Rightsize" Tool which guides you step by step in choosing the best course to take for your situation. Read the course details for the dates you have in mind to make sure you get the skills that match your needs. We have both private and public classes. Use the Rightsize tool to get a complete understanding of your options.

public courses—2007 (First Half) scheduled

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go! So, here's the 2007 (first half) line-up:

  • May 21–22, Washington, DC: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat! We need you to sign up ASAP (or we might have to cancel!)
  • May 23–24, New York, NY: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat!
  • May 25, New York, NY: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • June 18–19, Phoenix, AZ: Two-Day Group Policy Intensive Course (XP Focused)
    • We almost have enough people to run this class. Sign up TODAY to secure your seat!
  • June 20, Phoenix, AZ: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • June 21, Phoenix, AZ: One-Day Group Policy XP-to-Vista Catch-Up Course
  • July 16–17, San Francisco, CA: Two-Day Group Policy Intensive Course (XP Focused)
  • July 18: San Francisco, CA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • August 8–9: Chicago, IL: Two-Day Group Policy Intensive Course (XP Focused)
  • August 10: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)

For any public class, sign up online at: https://www.gpanswers.com/workshop/ Some notes:

  • This is the first time the Advanced Group Policy course has been made available to the public. If you've taken the Two-Day or Three-Day course, check it out. If you sign up for the Two-Day Intensive and One-Day Advanced at the same time, you'll get $100 off the third day.
  • Phoenix is the only place you can take the One-Day XP-to-Vista Catch-Up course right now.

Here's a deal you can't pass up!

Okay, so I'll be in your city teaching a public class. But how would you like to get a FREE student in the class? Easy: Be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee!

Such a deal!

Lots of companies have been the hosts for public classes, and they've gotten free training for one of their folks! So, if you're interested in free training for one of your teammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Private Course Special Offer

If you book a private class which completes before August 31, 2007, I'll include all travel expenses. I have some free time in the summer I want to fill, and want to give you an incentive to help me book that unused time. So, you pay no travel expenses if the class completes before Aug 31, 2007!


Get signed copies of...

Group Policy: Management, Troubleshooting, and Security

For Windows Vista, Windows 2003, Windows XP, and Windows 2000

-and-

Windows & Linux Integration: Hands-on Solutions for a Mixed Environment

  If you’re in the continental USA, you can order the Fourth Edition of Group Policy: Management, Troubleshooting, and Securitydirectly from me for $45 (including shipping).

  • If you order the book from me, I’ll sign the book for you, free! I’ve had many requests for this service, and I’m honored that you'd ask!
  • If you order it from me, the shipping is included! Usually, I try to ship out the orders the SAME DAY. But if you positively need a guaranteed shipping date, then Amazon might be a better choice.
  • The slight extra cost goes toward the shipping from Sybex to me, then me to you (not for the signature). Again, note that shipping is included.
  • We take all kinds of credit cards. No PO orders for books, please, unless it's an order for 10 or more.

This book is in stock! We can ship it out today!
Note, that I can only take orders from and ship to those in the continental United States. Thanks for your understanding.

Order your signed copy today by clicking here.

Also available is Windows & Linux Integration: Hands-on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0470106425 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before! So, head on over to the Solutions Guide and see what other goodies are available! Our newest sponsors at the Solutions Guide:

  • Biscom Corp with their FaxCom Suite for Windows
  • BeyondTrust Corporation with their BeyondTrust Privilege Manager product
  • NetIQ with their GP Guardian product
  • SDM software with their GP Health Reporter

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

 

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistant Cynthia at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jan 2007
12

Issue#21

Newsletter 21: Rounding off 2006 and looking ahead to 2007 In this issue:

  • It's Issue 21
  • Jeremy's joined the bloggers
  • Moskowitz, inc. Technology Takeaway (r)
    • The questions on everyone's lips about the next generation of MS software
    • A tip for protecting some accounts from the wrong GPOs
  • Public GP Training Schedule Released (first several months)
  • Subscribe, unsubscribe, and usage information

In this issue, I'm happy to say, we've got a full plate. We've got a link to my interview with Michael Dennis (who is leaving the Group Policy team after 9 years!), a bunch of tips and tricks, and my 2007 public training schedule (for the next few months.) So, let's get started!


This Month's Newsletter Sponsored by: NetIQ

As an IT professional, NetIQ is interested in your thoughts and opinions on managing group policy. We know these responsibilities are critical in today's enterprise, and we value your feedback. Please take a few minutes and complete our brief Group Policy Survey, co-authored by Jeremy Moskowitz. Respond by February 15, and you will be entered for a chance to win a $300 Amazon.com gift certificate.Take the survey today.


GPanswers.com News

Jeremy's GP blog keeps you right up to date

If you just can't get enough information about Group Policy, then my blog would be a good place to go to get the latest and most important stuff you need. Take a look at the GPanswers.com blog to make sure you don't miss out on any updates.

GPanswers.com excluSIve -- "Exit Interview with Michael dennis, Outgoing team lead for Group Policy"

Speaking of the blog, I got an exclusive opportunity to interview the outgoing Team Lead for Group Policy, Michael Dennis. Michael has been the lead Program Manager for 9 years and 9 months to the day before changing posts (this Monday.) Learn about where Michael feels Group Policy is going, what he feels is his top achievements are so far at Microsoft, and what's next for the King of Control. Again, this is on the GPanswers.com blog.

how can i best help GPanswers.com ?

If you've ever asked yourself, "How can I help GPanswers.com" out? Well, here's your chance.

Sure, we take tips and tricks to help others. But today, I'm asking for something more.

Indeed, you're not helping me out, you're really helping out Ron Hrehirchuk, our original GPanswers.com Guy Friday.

I don't want to get into too many details here, but Ron is gravely sick and is unable to care for his family. Ron has done more for GPanswers.com than I can remember, and he did it for you, our loyal fans for several years.

Now, it's Ron and Ron's family's time of need.

In short, I (Jeremy) am personally asking you to donate to Ron's family's fund.

Click here.

It's via PayPal and it's quick and easy to do. The link is here. And it would meen a lot to me, personally, to know that the GPanswers.com folks have made a difference in someone's life who tried to help make a difference in yours.


Technology Takeaway (r), a Service of Moskowitz, inc.

FAQs about Group Policy for the latest MS products

Can I install the Group Policy Management Console (GPMC) on Vista?

The GPMC for Windows 2000, XP and 2003 is still available, the latest version is "GPMC with service pack 1." You can download GPMC with sp1 from MS here. However, Vista will ship with GPMC v2 already built-in, so there's no need to download anything, just start using it! Note that the old version won't work in Vista, so don't try to install it.

What about converting my old custom ADM files to ADMX format?

Before we get too far along in this topic... who is making custom ADM files and what are you making them for? Drop me a line and let me know.

As you know by now, the method for storing available group policy settings for Vista is an XML-based file format known as ADMX. This is the format your new custom policy definitions need to use if you want to include them in GPOs you will create on a Vista machine, although the policies themselves can be applied to earlier OS versions.

So, the problem is how do you get your current ADM files to the brand new ADMX file version?

At first, Microsoft did not give any indication that they would provide anything to help update existing ADM files, but thankfully they must have been listening to the GP community and (in conjunction with FullArmor corp) have released a free ADMX migrator tool to convert ADM files. This tool also provides a GUI environment for creating and editing ADMX files. You might also want to look at the free XML Notepad 2007 editor which would also allow you to do this and includes useful tools like find and replace and the ability to compare two XML files to find the differences (maybe an old and new version of your custom policy file).

Here's the trick: I've used the tool, and it works as advertised, but can be a little hard to get the policy settings you're creating to come out "just right." So, be patient with the tool, and take some "time off" if you get a litle frustrated. (And, don't forget -- it's free!)

How do I know what GP settings are available in each WIndows version?

Whenever a new service pack or operating system is released, MS issues a complete spreadsheet of all the Group Policy settings, along with the Explaintext and which OS version the policy setting will affect.

The latest version of the Group Policy Settings file is up to date to Vista build 6000 - the RTM version of Vista.

The new file layout also includes columns to let you know if the policy requires a reboot or logoff in order for the policy to take effect. (Note, it's not 100% accurate .. it's missing some , but it's a darn good start.)

You can filter the list easily on these columns, and use the usual Find feature (CTRL-F) to search for particular text. The older file for versions of Windows up to 2003 sp1 / XP sp2 is still useful if you are not moving to Vista just yet, as it shows which ADM files you will find the settings in when working with these older systems.

I'm not using Vista but I want to manage my IE7 deployment, what can I do?

In the last newsletter we talked about how you can use the blocker toolkit which you can use to prevent the installation of Internet Explorer 7 if you / your users / some applications you need are not ready for it just yet. If you are ready and want to roll out, though, you might like to download the ADM files for IE7 which will let you create GPOs which manage IE7 on XP sp2 and 2003 sp1 (the supported OS for IE7). Why didn't these ship as ADMX files? No idea. I wish they did.

Notes from the field: Protecting your users and computers from an "inadvertant" link of GPOs

Imagine this: You've got an OU full of users or computers. But corporate policy says "Don't link any GPOs to them." Maybe these are lab machines, or your machines or some other type of machine or user accounts which just shouldn't get GPOs. Okay, super.

All well and good until someone doesn't get the memo and still links a GPO to this OU.

Oops.

Now you have a problem.

Turns out, there IS a way to guarantee that no one can link a GPO to the OU.

Here's the trick (and stay with me here): don't make it an OU.

That's right -- don't use an OU for these accounts, use a "container." Just as the default containers for Users and Computers prevent you linking policies to them, so do any other containers you create. The accounts in here will still get domain and site policies, of course (subject to security filtering), but you can guarantee that they won't get any additional policy settings.

How do you create a container? Bad news -- it's not something you can do within Active Directory Users and Comptuers. But it is easy enough to do: use ADSIEdit.

On an admin workstation which has the "Ssupport Tools" installed (or directly on a server) fire up Start > Run and type ADSIedit.msc. (Note: if you are logged on without domain admin rights you need to use runas and provide an admin account for this procedure to work). You should see something like the screenshot below.

Choose the relevant domain and right click, select New > Object as shown here:

 gp

Choose to create a new container object class, provide a useful meaningful name for the new object and finally click finish.

gp

So now you have a new container which will show up in AD users and computers for example, but simply will not appear in the GPMC or any other GP editing tool since you can't link any policies to it.

Simple yet effective.

That's all the time we have for tips in this issue. please continue to submit your own tips or links to useful information in theGPanswers.com forums.


Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course? You can find out more about the different public and private courses available from the workshops section of GPanswers.com.

We also have a "Group Policy "Rightsize" Tool" which helps you decide the best course to take for your situation. We have both private and public classes, so use the Righsize tool to get a total understanding of your options.

For the first time ever, we're making the "Less Intensive Three-day" course as well as the "One Day Advanced" course available to the public.

As Vista becomes more popular, we'll make our Vista classes more available. Right now, Vista classes are only available as Private classes.

public courses -- 2007 (First Half) scheduled

You used the "Suggest a city" form at https://www.gpanswers.com/suggest and told me where you would like me to go! So, here's the 2007 (first half) lineup:

  • Feb 1, 2: Seattle, WA: Two day Group Policy Intensive Course (XP Focused)
  • Feb 27, 28: Chicago, IL: Two day Group Policy Intensive Course (XP Focused)
  • Mar 1: Chicago, IL: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Mar 5, 6: Atlanta, GA: Two day Group Policy Intensive Course (XP Focused)
  • Mar 7: Atlanta, GA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • Mar 13, 14, 15: Portland, OR: Three-day Group Policy Less-Intensive Course (XP Focused) -- Taught by James Conrad
  • Apl 17, 18, 19: Cleveland, OH: Three-day Group Policy Less-Intensive Course (XP Focused) -- Taught by James Conrad
  • May 9, 10: San Fran, CA: Two day Group Policy Intensive Course (XP Focused)
  • May 11: San Fran, CA: One-Day Group Policy Advanced Course (XP/Vista Focused)
  • May 21, 22: Wash, DC: Two day Group Policy Intensive Course (XP Focused)
  • May 23, 24: New York, NY: Two day Group Policy Intensive Course (XP Focused)
  • May 25: New York, NY: One-day Group Policy Advanced Course (XP/Vista Focused)

For any public class, sign up online at: https://www.gpanswers.com/workshop/ Some notes:

  • This is the first time the Advanced Group Policy course has been made available to the public. If you've taken the two-day or three-day course, check it out. If you sign up for the "Two-Day Intensive" and "One-Day Advanced" at the same time, you'll get $100 of the third day.
  • I'm working on updating the Two-Day and Three-Day classes for Vista and hope to make them an available course offering by March - April.

Here's a deal you can't pass up!

Okay, so I'll be in the above cities teaching the private classes. But how would you like to get a FREE student in the class? Easy: be the "host" of the class. Allow me and our GPanswers.com students to use your conference room for the two or three days, and you get a free student attendee! Such a deal! Lots of companies have been the hosts for public classes, and they've gotten free training. So, if you're interested in free training for one of your treammates (maybe even you!) contact me if you're in one of the above cities, and we'll see about working out the details to have you host the class.

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training (about 6 - 8), the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan - or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/

For a private class, just contact me at [email protected] or call me at 302-351-8408.


Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available! New sponsors this time:

  • BeyondTrust Corporation with their BeyondTrust's Privilege Manager product.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected] Please POST your technical question on the GPanswers.com/community forum whenever possible. If you have questions about ordering a book, contact my assistantMark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Sep 2006
25

Issue#20

Newsletter 20: Looking ahead to Vista, IE7 and other upcoming software releases In this issue:

  • It's Issue 20
  • Industry Update
  • GPanswers.com updates
  • Moskowitz, inc. Technology Takeaway (r)
    • IE7 is on the horizon, how do I control my rollout?
    • What do I need to know about GP in Vista?
    • What about Exchange 2007, Office 2007 etc.?
    • How do I know what settings are available in each OS version?
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
  • Welcome new sponsors
  • Free Education!
  • Subscribe, unsubscribe, and usage information

This Month's Newsletter Sponsored by NetIQ

Download "Why Group Policy Matters," the informative whitepaper co-authored by Jeremy Moskowitz and NetIQ. This paper discusses the power of Microsoft's Group Policy and how organizations can better leverage the technology to address key business issues and help your organization attain its efficiency goals. Download the paper today.


GPanswers.com News

New assistant for the GPanswers.com community forum

While Ron takes a break, Adam Vero has stepped up to the plate to help keep GPanswers.com the best web resource for all things relating to Group Policy. Our thanks go to Ron for all his help in the past.

Adam has over 13 years of IT experience in a variety of fields including programming, teaching, systems management and now runs his own consultancy business, Meteor IT Ltd.

If you have not already joined in the discussions, why not come on in to the GPanswers.com forums and share your questions, answers, experiences and hot tips with other GP fanatics.  


Industry News: Microsoft Buys DesktopStandard

This, my friends, is a whopper.

If you haven't read the news, do so here. Now that you've done that, what exactly does this all mean?

Well, Group Policy (the engine) has a lot of moving parts called CSEs, or Client Side Extensions. There are 18 in XP and 21 in Vista. And DesktopStandard's PolicyMaker produc adds another 21 CSEs. So, if none get "cut", eventually we'll have 42 CSEs. (I predict several will be cut, like Powermanagement, because Vista already has a similar one.)

DesktopStandard also has (had?) a product called GPOVault: This is a "Check-in / Check-out" GP management system which is built right into the GPMC. I like this tool because, well, it's just built right in to the GPMC, which means I don't have to load ANOTHER console to do the dirty work. So, the idea is the Sally creates the GPO, Fred makes sure it's Kosher and Kirk puts it in play. All around a welcome addition.

The last "big" product DesktopStandard had was PolicyMaker Software Update. Imagine WSUS that actually worked with GPOs and that understood Active Directory. And, instead of using an SMS for the "really big guys", we could just deploy patches using GPOs! Wouldn't that be a great product? Well, that's what this was. However, I'm 99% sure this product won't see the light of day at Microsoft. Microsoft already uses WSUS for the "small" customers and SMS's patching technology for the big customers. This product kind of fit in the middle, and well, I bet that's about it for this product.

In the end analysis -- it's great. More stuff for GPO admins to know and love. And more power to do what they love to do.

Stay tuned for more info as it comes up. You bet I'll be all over this when I have more to share.

Technology Takeaway (r), a Service of Moskowitz, inc.

Looking ahead to Vista, IE7 and other upcoming software releases

IE7 is now at Release Candidate 1, so it's only a matter of time...

Maybe you have already tested IE7 and are happy that it interacts with your systems properly. Or perhaps you have some intranet application that either won't accept it (some look for a user-string of IE5 or IE6 specifically so they spit it out as being unacceptable) or don't work in some way (blocked popups causing issues for example). Or maybe you just haven't had a chance to test it yet. Either way, like all good system admins, you probably want to be sure that your users can get the most out of the new features and continue to work efficiently

You can download IE7 RC1 here if you have not already done so, and take a look at the new additions such as tabbed browsing and the phishing filter that mean Microsoft is closing the feature-gap on other browsers such as Firefox and Opera. Once IE7 is finally released it will be made available via Windows Update as a high-priority update. There has been much speculation that this means a high proportion of users will get the new browser before they know what to do with it, and before system administrators have been able to thoroughly test with intranets and other internal systems. Have no fear, it's a lot more controlled than that!

For starters, if you are using SMS, WSUS or SUS to manage all of your updates anyway, then read no further, you have it all under control (although if you are still using SUS 1.0 you should be aware that support ends on December 6th so you really ought to be upgrading to WSUS fairly soon).

So, if you're not using SMS or (W)SUS, what happens? Well, if your users are not local admins, then - nothing. They don't get prompted to install the update and it won't be pushed on them or automatically installed, period. If they are local admins then they will still get a choice to install or not - and we know how good some users are at making uninformed choices. For this scenario, Microsoft have kindly provided the IE7 Blocker Toolkit which will make sure that these less-managed machines won't get the new browser through Windows Update. In a nutshell, this blocking is done by creation of a registry key. The toolkit provides a script which can be run to create or remove this, and better still an ADM template to apply this via Group Policy. Here's a quick step-by-step on how to do this:

1) Download and run the IE7 Blocker Toolkit which will prompt for a location to extract the files, including the ADM file we will need in a moment.

2) Run the GPMC and create a new policy or edit an existing one which is linked to a location containing the computers which you wish to block from receiving IE7 via Automatic Updates

3) Navigate to Computer Configuration > Administrative Templates and right click > Add/Remove Templates. Click "Add" and Browse to where you extracted the files (see below)

 gp

4) Now that the ADM template is added, browse down to Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows UpdateAutomatic Updates Blockers. If you see "There are no items to show in this view" as shown below, then go to Step 5, otherwise skip to step 6

 gp

5) If you can't see the settings from the ADM file, you need to change the Filtering you have on. Go to View > Filtering and then CLEAR the box "Only show policy settings which can be fully managed" which is ticked by default as shown below.

 gp

6) Now you can see the setting to block the delivery of IE7 set it to "enabled" as shown below, and users will not get prompted by Automatic Updates to install this and if they do use the "Custom" feature of Windows Update they will be prevented from installing it.

gp

Unfortunately this won't prevent users with local admin rights from downloading and installing the browser as an MSI for themselves, but that's the reason to only let those who know what they are doing to have those admin rights in the first place, right?  

What do I need to know about Group Policy in Windows Vista?

Not much has changed, really - apart from a total re-write of the format for policy templates, where and how they are stored, and a whole bunch of new settings! The two most important things to understand are that your existing policies will simply continue to work on your existing machines, and that you can only edit policies for Vista and Longhorn on a Vista or Longhorn machine.So, what is happening to ADM files? The short answer is that any custom ADM files you have will continue to work and the new GPMC will be able to use them in creating or amending policies. But the new ADMX format and syntax (which is XML-based) provides a few key benefits.

The biggest of these is that you can create a single central store for ADMX files which are used by your policies, rather than each policy storing its own copy in the GPT, which can lead to sysvol "bloat" and slow down replication between DCs. The second important point here is the separation between the ADMX file which contains settings and their effects, and an associated ADML file which contains language-specific bits which are exposed through the GUI (the description of the settings and the "Explain" tab for example). So admins can view and manipulate the same policies using a different language interface, rather than all having to share a common language which may not be native to many of them. Of course, for in-house custom files the same is true - but someone has to write the ADML files to go with the ADMX.

You have probably heard that there are all kinds of new policy settings available to manage aspects of your Vista machines. Some of the most important classes are those for Power Management, Device installation and Removeable Storage. All of these are areas you may want to control centrally to manage costs (by reducing wasted power consumption) and business risk (reducing the ability of Joe from Sales taking the whole customer database with him on a USB thumbdrive when he leaves). Printer management and IE configuration have also both been made easier with GP for Vista. There's much more information on the MS website about these new Group Policy categories.

Other things which have changed in Vista Group Policy processing include:

  • the fact that the whole process now runs as an independent service
  • you can have multiple Local Group Policies (yes - policy local admins differently form your normal users at last!)
  • much better handling of connection status through "network location awareness" - slow link determination, or updating GP when a VPN is connected or a machine returns from hibernation for example

If you want to know more, get it straight from the horse's mouth by watching this 42-minute webcast:

Program Manager Mark Lawrence discusses the Group Policy improvements in Windows Vista 

(Live ID / Passport required to register)

One last thing for this edition while we're on the subject of Vista - your WSUS server won't get updates for Vista Beta editions without being configured to do so. Recommendation from MS is to configure a separate WSUS server (which must have WSUS sp1) just for your Vista Beta machines to update from, and configure this to fetch the updates from the MS Beta Update Server

Configuration is straightforward, simply by running a VBS script which is already on the WSUS server from a command prompt:

cscript.exe "%programfiles%update servicestoolsToggleMUUrl.vbs" beta

You can revert to the normal update server by repeating this command without the 'beta' on the end, but as already mentioned, you really ought to be doing this on a dedicated box anyway, and remove / reinstall WSUS completely once your Beta phase is over. More info here.    

What other GP goodies are there out now for upcoming products?

Just a couple of quickies about other upcoming bits of software which you may want to begin testing, and how this impacts on your GP world.

Firstly, Office 2007 brings with it a whole bunch of changes to the way it is deployed and of course more GP settings to control it. Significantly, to deploy from a central administrative install using GPSI you only need to point at the main MSI file and this will detect that this is being called by GP and go off to get all the MSI files it needs from the install point.

There is no longer on e single huge all-in-one "office.msi", in other words. Another big change for GP fans is that Outlook 2007 security can now be configured through regular Group Policies rather than having to configure a security template and publish this via the Exchange server. You can still do it the old way if you prefer, but for new installs a pure-GP method makes good sense. More about configuring security for Outlook 2007.

Of course, to manage Group Policy for Office 2007 you need to get the ADM files which are found in the Office 2007 Resource Kit here. (NB: this link only works if you are a registered Office 2007 Beta user, ie you installed the Beta, ran one of the apps and registered the product)

Exchange 2007 Beta can be run on 32 bit systems, although the final release code will only work on 64 bit and you won't get support if you put your production environment on the 32-bit version. However - for either platform you need to be running MMC version 3 (which we talked about in Newsletter 18) as well as .Net 2.0. Read more about MMC 3.0 here and download the version you need before you try and install the Beta. Click here to view the full system requirements for Exchange 2007 Beta 2  

How do I know what settings are available in each WIndows version?

A particularly common question, along with its cousin "where do I find the setting to do 'X'?"Periodically, MS issue a complete spreadsheet of all the Group Policy settings, along with the text you see on the explain tab to help work out what it does, and a column showing what the reuirements are (in other words, which OS version and other things are needed to make the setting work). You can filter the list easily on these columns, and use the usual Find feature (CTRL-F) to search for particular text.

The latest version of the Group Policy Settings file is up to date to Vista Release Candidate 1. If you are using Vista Beta 2 some of these settings do not apply, and you should check the Vista Beta2 GP settings instead, although the file is a lot less detailed. The older file for versions of Windows up to 2003 sp1 / XP sp2 is still useful if you are not moving to Vista just yet, as it shows which ADM files you will find the settings in.  

That's all the space we have for tips in this issue. please continue to submit your own tips or links to useful information in theGPanswers.com forums.


Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)


Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course. (It's true!) Online, we have a new-ish "Group Policy "Rightsize" Tool" which helps you decide the best course to take for your situation. We have both PRIVATE and PUBLIC classes. Again, use the Righsize tool to get a total understanding of your options.

Upcoming Public Classes, Appearances and Conferences

Public Two-Day Workshops for the Remainder of 2006:

  • Oct 12-13: Phoenix, AZ -- FULL ! (Come to Portland, Dallas or Seattle)
  • Oct 23-24: Portland, OR -- 11 seats left ! (Special note: No laptop required for this course. Leave your laptop at home if you want!)
  • Oct 30-31: Dallas, TX-- Lots of seats left
  • Nov 21-22: Seattle, WA -- Lots of seats left

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: https://www.gpanswers.com/workshop

(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan - or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/

For a private class, just contact me at [email protected] or call me at 302-351-8408.

Free Education with Moskowitz / Microsoft / Techtarget / Dell Roadshow

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools!

The roadshow is still rolling until November, so there’s a good chance we’ll be near you soon! Check it out and sign up here.

Upcoming Conferences

  • TechMentor: Oct 9-13 in Las Vegas. I'll be speaking on Win/Lin integration topics. All sorts of other good stuff. Check it out here. Use promotion code 'moskowitz' when signing up.
  • WinConnections: Nov 6-9 in Las Vegas. I'll be doing a pre-con on Group Policy, then some regular sessions on locking down computers, some awesome tips on Group Policy tools, and how to integrate Windows and Linux into Active Directory. Check it outhere.

Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available! 

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistantMark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jul 2006
21

Issue#19

Newsletter 19: The File Server Migration Toolkit In this issue:

  • It's Issue 19
  • GPanswers.com updates
  • Moskowitz, inc. Technology Takeaway (r)
    • "Deep Dive" into the File Server Migration Toolkit
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
    • Classes and seminars
  • Welcome new sponsors
  • Free Education!
  • Subscribe, unsubscribe, and usage information

This issue, we've got another "big article". It's about the File Server Migration Toolkit. Why should you care? How is it related to Group Policy? Ah the suspense ! So, without further ado!


This Month's Newsletter Sponsored by NetIQ

Learn how to leverage Group Policy’s capabilities to secure and manage your desktop. Moderated by Active Directory guru Jeremy Moskowitz, this information-packed Webcast will show you how business objectives can be paired with Group Policy settings for a more secure and managed environment. Sign up today for the live webcast on July 27th.


GPanswers.com News

Announcing 1-day Advanced Group Policy Course

Have you already taken the two-day or three-day workshop? Are you looking to get "more" of what you already love? Then check out our one-day Advanced Group Policy course. We cover four big topics:    

  • How to create a “totally locked down” workstation
  • How to use Group Policy tools to increase your troubleshooting ability
  • How to zap registry punches down to your client machines with ADM templates and tools
  • How to leverage a test lab for good Group Policy deployment practices

It's a one-day hands-on course. Right now, it's only available as a private class. So, if you want me on site, you can add this on to you two or three day workshop class -- or just have me come by for the day!

New "Rightsizing Tool" for GPanswers.com Training

I'll talk about this a little later in the newsletter. But I haven't always done a good job making it easy to decide which Group Policy class is ideal for each person or organization. Now, online, I have a new “Group Policy ‘Rightsize’ Tool” which helps you decide the best course to take for your situation. Check it out here.

New "At a glance view" of newsletter archives...

People were telling me it was hard to know what was in each previous newsletter. Too much to read to find out. Well, now at www.GPanswers.com/newsletter you'll see an at-a-glance view of all our old archives. Just find the newsletter you want -- and enjoy!

In case you didn't get the memo...

Free gift to anyone who has ever taken a GPanswers two-day or three-day Group Policy workshop (where either James or I was the instructor).

It's about time I said thanks. So, thanks!

Here's the deal: the gift is free, the shipping isn't. Sorry, I'm a small business, and that's the breaks.

Shipping for your free gift is only $5, though.

And if you hate the gift, I’ll cheerfully refund your $5 and you can keep the gift. Really! (I sound like Ron Popeil, don’t I?)

Here's the fine print:

  • Shipping for the gift is a flat $5
  • We can accept Paypal or credit card for shipping
  • US residents only
  • If you can remember, please specify which public class or private class you attended (location and approximate month and year).

Note, that if you like the gift, but have never taken the two-day or three-day class, you can get one for a whole $12 (including shipping). Gifts ship right away.

Technology Takeaway (r), a Service of Moskowitz, inc. -- All About the File Server Migration Toolkit

Admit it. You've got 'em. Windows NT and Windows 2000 file servers that you just can't seem to shake. You know you want to get your file servers updated to Windows 2003/SP1 or Windows 2003/R2. And, we both know why you're not there yet: users are using UNC paths to point to shares on these file servers. And you know that if you move the data from the original servers to the new servers, all those users with UNC paths pointing to those shares are going to call the help desk (then the help desk is going to hunt you down, and you'll have to go into hiding.)

Or how about this sticky Group Policy problem: you got started using Group Policy Software Installation, and serving your installations using one file server. Now you have 50 GPOs deploying applications to your Windows XP and Windows 2000 machines. But, oops! You're ready to turn off that original file server.

But you can't.

Those 50 GPOs are depending on it.

What are you going to do?

A typical environment where files and software are originally being deployed from a Windows 2000 file server and/or Windows NT files is seen below.

gp
Figure 1: You're currently depending on NT 4 and Windows 2000 file servers (aren't you?)

So just turning off these servers isn't an option, and just copying the data to new shares on a new server isn’t an option. So what are you going to do? The good news is that there’s an answer [solution?] to these two tales of woe. Microsoft has a cool tool to help you take control of your old file servers and bring the data into the 21st century—seamlessly.

Enter the File Server Migration Toolkit . . .

    The File Server Migration Toolkit, or FSMT is a free download available here. The FSMT consists of three parts:

  • DFS Consolidation Root Wizard: This is another GUI tool which works some serious magic. It allows you to maintain the original UNC paths of the servers, even if you’re planning on ultimately turning those servers off.
  • DFSconsolidate.exe: This is a command line tool which is called by the DFS Consolidation Wizard. While it’s possible to use this tool on its own, we’re only going to explore its use in conjunction with the DFS Consolidation Root Wizard.
  • File Server Migration Wizard: This is a GUI tool which helps you plan your migration from the source servers to the target servers. Then, it actually performs the copy of the original files to the target destination. We’ll explore this a bit later.

Understanding Our Goals . . .

The first thing to know is where to start. You need to pick a source server (where the files are currently stored) and a target server (where you will migrate the files to). Let’s work through an example to help us understand where we are and where we’re going. Our Before Picture: You can see this in Figure 1. We have an NT 4.0 file server (nt04) with three shares containing user data. We have a Windows 2000 server with one share used to deploy software. Let’s take a closer look at what’s happening in our world. Our Windows XP machine needs access to the following:

    • nt04ntshare1
    • nt04ntshare3
    • w2ksoftware

Our Windows 2000 machine needs access to these servers and shares:

    • w2ksoftware
    • nt04ntshare2

Now, let’s introduce our target file server, fileserver6, whose job it will be to receive these shares and requests.

Our After Picture: The goal is to consolidate these existing shares onto fileserver6 and turn off the Windows 2000 and NT 4 servers. We need to perform this task in a way which preserves the original paths of each of the aforementioned shares. Yes, you read that right. We want to be able to access the data that’s currently on the computers we’re turning off as if they were still turned on. Oh, and of course, you want to make sure security is preserved all along the way.

 gp
Figure 2: Our goal is to turn off the NT 4

and Windows 2000 file servers but allow access to all data using the original server names (even though those computers are off

Here, in Figure 3 we can see our Windows XP machine accessing a directory of files on both nt04ntshare1 and nt04ntshare3 shares. The goal is for this Windows XP machine to continue to perform the same commands, using the same UNC paths after we move the files and turn the original file servers off.

gp 
Figure 3: Here, our Windowx XP machine is viewing files via UNC paths

To get to our promised land, we'll leverage a part of Windows that has been around for a while, but still isn't in widespread use: the Distributed File System, or DFS. DFS's goal is to accept incoming connections and route them to existing shares (this is sometimes called referrals). You might say it's like a "share of other shares" because it allows you to basically "hang" existing shares off a new DFS share, or, more technically the "DFS root". There are two kinds of DFS roots: standard and domain-based (sometimes called an Enterprise root). Standard roots only live on one server. Enterprise roots live at the domain level, which means that they're fault tolerant. If one server that's part of the DFS referrals goes down-no problem-referrals just keep on truckin'. Learn more about DFS (which is substantially different in Windows Server 2003 than in Windows Server 2003 / R2) by reading more at the following link.

Here's the roadmap to get to your destination:

  • You'll determine where you want to stash your new files. In our example we're going to be using fileserver6.demo.com.
  • You'll rename any file servers you plan on permanently retiring. Since you're retiring them anyway, it doesn't really matter much what the name becomes.
  • We'll be renaming our nt04 server to nt04-ret to signify that it's retired. Same goes for w2k to w2k-ret. Then, finally, when we're all done, we'll be turning off this server permanently.
  • We'll use the DFS Root Consolidation Wizard to control basically, "reroute" new incoming requests for the retiring servers (nt04 and w2k) to the new location (fileserver6). Note that I could use two separate servers in my migration example. That is, I could use one server to hold the DFS Roots and another to hold the files. However, to keep things simple, I'll use fileserver6 for both roles.
  • We'll actually move the files we need from the shares on our old servers to our new location on fileserver6.

So let's do it!

Getting Started with the FSMT and DFS Consolidation Wizard

The FSMT comes as a single MSI, but, as we stated has three separate components. The File Server Migration Wizard is meant to be run directly on the target file server. However, the DFS Consolidation Root Wizard and the Dfsconsolidate.exe command-line tool can be run anywhere; you can choose to run these tools on the target server or not.

Note the FSMT documentation makes special note of MSKB article 829885 which talks about a DFS hotfix. The implication is that this hotfix must be loaded upon the target DFS server. However, this hotfix is built into the Windows Server 2003/SP1, and is not needed when the target server is Windows Server 2003/SP1 (in my case fileserver6.) However, the FSMT documentation doesn't tell you one critical step: be sure the DFS service is started and set to Automatic for future restarts.

After the FSMT is loaded, as I mentioned earlier, we must change the name of NT04 server to nt04-ret and the name of w2k to w2k-ret (or something else that's meaningful to you). The reason why we must change the name is so that when clients try to connect to nt04 or w2k neither actually exists anymore. And, we'll be able to fool those incoming requests to nt04 or w2k into shimmying over to the new place on fileserver6.

In my tests, renaming an NT4 server wasn't as easy as I would have liked. Simply renaming it doesn't magically change the name in Active Directory (like it would if I renamed a Windows Server 2003 or Windows XP machine). I had to drop the machine into a workgroup, rename the machine, and rejoin the domain (demo.com.) And, of course, along the way several reboots were required. Finally, I had to delete an orphaned computer account for NT4 using Active Directory Users and Computers. In contrast, renaming the Windows 2000 server was a snap. Just rename and reboot -- easy. No muss, no fuss.

Now that my NT4 server and Windows 2000 servers are renamed, I'm ready to run the DFS Root Consolidation Wizard. The Wizard is pretty straightforward, asking only a minimum of information:

  • DFS root server: This is the location where the DFS root will be held. In DFS terms, this will be a "standard root"-which exists solely on the server you specify. Note that the root cannot be on a Domain Controller. In my example, I'm choosing to put the DFS root on the same server where the files will ultimately go-fileserver6. However, you can create the root on a server cluster if you want to increase the redundancy of the stand-alone root.
  • Local path of the folder: This is the top level directory where you want to store each migrated server. If we were migrating 10 servers, you would expect 10 subdirectories underneath this top level directory containing names of each migrated server. For my examples, I'm choosing the name c:migservers
  • Specify which servers to consolidate (as seen in Figure 4): Here, you'll map the original name to the current name (as seen below.). We're migrating two servers, (original name nt04, current name nt04-ret and original name w2k, current name w2k-ret) so we'll have two mappings in the list.

gp
Figure 4: The "DFS Consolidation Root Wizard" helps you map renamed servers to original names

If the Wizard finishes without errors, you've completed the first big step. Now, before you do anything else - take a moment to pause and check something out: Go back to your Windows XP machine (see first figure) and run those exact same dir commands access the servers and shares nt04ntshare1 and nt04ntshare3. Without rebooting the Windows XP machine (or logging off and back on), note those same dir commands just continue to work! This is because the DFS Root Consolidation Wizard has now mapped nt04 to nt04-ret-so all the shares via UNC paths still work.

And, let's take a quick second to see what really happened in the c:migservers folder on fileserver6. Below, you can see it created two subdirectories, which are each shared, and which contain another subdirectory of each server's original share.

 gp
Figure 5: The DFS Consolidation Root Wizard created a new share representing the old server

However, using Explorer locally and drilling down to one of the directories, say, ntshare1, will get you an error. This is because a DFS link only points to the right (new) location when using a remote referral (not a local one). Also note that each server is now represented by a share, #servername, such as #NT04, seen above. This was created by the DFS Consolidation Wizard.

It is possible to use the DFS Consolidation Wizard if your shares are on Domain Controllers. However, the same rule applies for Domain Controllers as for regular file servers. That is, the server (Domain Controller) must also be renamed. And unfortunately this can be a pain in the neck. Microsoft does have some Domain Controller renaming guidance:

  • For NT 4.0 Domain Controllers, see MSKB 150298
  • For Windows 2000 Domain Controllers, see MSKB 296592
  • And, even though it's easier still with Windows Server 2003, there's some guidance at MSKB 325354.

There is one piece of magic that the DFS Consolidation Wizard cannot directly help with, and that is if you already have hard coded, persistent mappings. Meaning that if someone has used the /persistent flag while using the net use command to map a drive letter (or the corresponding Explorer commands) those mappings will now fail. But if you're using log in scripts to map the drive letters each and every time a user logs in-no problem! This is because every time a request goes to the old server name, a new lookup to the DFS is generated and routed appropriately.

Actually Migrating the files

  To actually migrate the files, you create a project contained within the File Server Migration Wizard (FSMW), which appears as an icon on the start menu. The beginning steps are rather straightforward: create a new project, point the File Server Migration Wizard toward the new DFS consolidation point you created earlier (fileserver6), and watch it recognize the servers, as seen in Figure 6.

gp 
Figure 6: The File Migration Wizard should recognize your servers after you consolidate them using the DFS Consolidation Wizard

Then, you can tell the FSMW which directory you want to plunk the new files in. I chose a new directory on fileserver6 called c:migfiles.

A quick note on what is and is not copied. Of course the files themselves are copied. But the FSMW also copies both NTFS and shared folder permissions. What aren't copied are references to local groups. If local groups have permissions on the source's shared folders, you can use the Resource Kit tool SubInACL.exe to adjust the permissions before or after the migration to replace the local groups, or you can use a local group migration tool like the Active Directory Migration Tool (located here ).

When the project is formed, you then have the ability to make any micro-adjustments you might need (as seen in the circled area on the right of Figure 7). For instance, you might want to put the contents of ntshare1 in a directory named "Sales stuff" instead of ntshare1. This might boggle the minds of your users, but you may have a valid reason.

gp
Figure 7: You can change settings for each share if desired, then click Continue to step through the rest of the Migration.

Finally, you can just step through the rest of the process by clicking on the Continue button, circled above at the bottom of Figure 7. The process is painless, but could take a (long) while depending on just how many servers you are consolidating. For lots and lots of servers, consider breaking up the effort into multiple "projects" to allow for some settling-in time and attention to errors. If there are errors during the copying you'll have the ability to fix the errors and retry. A nice touch is that the target servers are still available during the copying phase. In other words, there's no server downtime from the copying of files from the source server to the target server. Additionally, because it's possible to repeat this phase multiple times to fix errors, another nice touch is that only failed copy attempts are retried. You don't need to copy the whole universe again if you've already copied 90% of it.

The last phase is called Finalize. This phase should really only be done when users won't be accessing the servers. That's because in this phase, you'll disable any original access to the source shares and close any open connections. Additionally, all other project settings are locked.

At this point, you're ready for your final test. Unplug the network connections from the original servers. Then, like we did with our Windows XP machine, make sure you can get to the copied servers using the original UNC path names.

Once you're satisfied that you can get to the copied data using the original UNC paths, you can turn off your old servers, recycle them, reformat them and redeploy them for another purpose, or make a fish tank out of them (or any another arts and crafts project you'd like).

The Future of the File Server Migration TOOLKIT?

The FMST is a great tool which gets the job done. However, there are some small nitpicky points that I’d love to see addressed going forward.

As stated, the FSMT uses what’s called “stand-alone” DFS roots to do the job. In other words, it puts the DFS root on one specific server. Sure, in my example, I used fileserver6 for both the storage of the standalone DFS root as well as the ultimate storage point for my migrated files. However, I could have also split the duty between file servers. That is, one server could house the DFS root, and another server could have held the data. So, what would happen today if that server holding the DFS root went offline? That would be a major problem, because there would be no way to route to the new file server(s). The ideal solution would be to use the more powerful domain-based roots which are fault-tolerant. Then if the one server holding the DFS roots should fail, the fault-tolerant nature of domain-based DFS would kick in. Today, FSMW doesn’t use domain-based, fault-tolerant roots, but I really wish it did. Again, as I mentioned earlier, a workaround would be to put the standalone root on a set of clustered servers. If one server went down, referrals would continue. The FSMT product team tells me that all parts of FSMT are fully cluster aware and compatible: it will create cluster consolidation DFS roots and add cluster names instead of DNS aliases if roots are hosted on cluster. So – nice touch.

Another problem is that you simply must rename the servers to do any of the redirecting magic. I would love to keep the server, name intact, and just redirect a specific share. This would allow me to keep using the server for whatever else it’s doing, but just migrate the specific shares I want to. To do this, we would need symbolic links within the original share that would route us to the new goal. But right now, Windows Server 2003 isn’t quite there. Perhaps with Longhorn server.  

The last note here is that you’re not actually forced to turn off servers you’ve migrated from. You can, if you so choose, keep the server online performing other roles. The problem is that it might be a challenge having other network services and clients find the newly renamed machine. DFS is some pretty strong magic, but it’s only for files; lots of other services won’t be able to magically find the newly renamed server.  

The FSMT is a cool tool, which works as advertised. And the price is right—free. It should be noted that as good as the tool is, it’s not meant to be a permanent solution. The help file notes that these consolidated DFS roots shouldn’t be maintained forever. The idea is that over time you’ll properly design your DFS, point users toward the new, updated structure, and then phase out the roots you created with the DFS Consolidation Wizard.  

Hopefully this will get you out of some tough jams, and into your 21st century file servers. Other FSMT resources:

  • Newsgroup support
    • You can use the microsoft.public.windows.server.migration newsgroup to ask questions about the File Server Migration Toolkit.
  • The FSMT Solutions accelerator (additional guidance)

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here. Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Choose the right Active Directory and Group Policy Course for you

Did you know that here at GPanswers.com, we have three courses, including an ADVANCED course. (It's true!)

And, historically, I haven’t done such a hot job in making it obvious what your available options are for public and private training. So, here’s the executive summary. Online, we have a new “Group Policy ‘Rightsize’ Tool” which helps you decide the best course to take for your situation.

Two-day intensive Group Policy workshop class

  • This course is best for Domain Administrators and qualified OU administrators.
  • This course has “intensive” in the name, so be prepared to work and learn!
  • This class is available as a private two-day course.
  • This class is available as a public two-day course.
  • Consider adding the One-Day Advanced course (below) as a third-day (if taking as a private two-day)

Three-day “Less Intensive” Active Directory warm-up and Group Policy workshop class

  • This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions.
  • Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.
  • This class caters more to OU administrators (than Domain Administrators)
  • This "Three-day less-intensive" course is ONLY available as a private course.
  • Consider adding the One-Day Advanced course (below) as a fourth day

One-day Group Policy “advanced” class

  • This class is a great “add-on” after your two-day or three-day Group Policy class. We cover four big concepts in this class:
    • How to create a “totally locked down” workstation
    • How to use Group Policy tools to increase your troubleshooting ability
    • How to zap registry punches down to your client machines with ADM templates and tools
    • How to leverage a test lab for good Group Policy deployment practices
  • This class is only available as a private course. Consider adding it to your two-day or three-day private course as an additional day.
  • It is suggested (though not required) that students attend either the two-day intensive or three-day less-intensive Group Policy workshop classes before this one.

Upcoming Classes, Appearances and Conferences

Public Two-Day Workshops for the Remainder of 2006:

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity! Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Free Education with Moskowitz / Microsoft / Techtarget / Dell Roadshow

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools! Did I mention this is 19 cities?? So, there’s a good chance we’ll be near you soon! Check it out and sign up here.

Upcoming Conferences

  • TechMentor: Sep 25-29 in Las Vegas. I'll be speaking on Win/Lin integration topics. All sorts of other good stuff. Check it out here. Use promotion code 'moskowitz' when signing up.
  • WinConnections: Nov 6-9 in Las Vegas. I'll be doing a pre-con on Group Policy, then some regular sessions on locking down computers, some awesome tips on Group Policy tools, and how to integrate Windows and Linux into Active Directory. Check it outhere.

Welcome New Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at GPanswers.com/solutions. Inside, you'll find both free and 3rd party products which extend the reach of Group Policy or let you do something you haven't discovered before! Recently we've added:

  • NetIQ: Group Policy Administrator
  • Smartline: Devicelock

So, head on over to the Solutions Guide and see what other goodies are available!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book, contact my assistantMark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jun 2006
09

Issue#18

Newsletter 18: Grab Bag and Major Announcements In this issue:

  • It's Issue 18
  • Free Giveaway!
  • Moskowitz, inc. Technology Takeaway (r)
    • Three juicy tips
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Upcoming conferences, appearances, and classes
    • Classes and seminars
  • Free Education!
  • Welcome Mark!
  • Subscribe, unsubscribe, and usage information

This month, there’s a lot of stuff to talk about. (This is where you ask me, “Jeremy, in which month isn’t there a lot of stuff to talk about?”) Last month, I asked you which newsletter format you liked most: small tips, one large tip, or a mix. The mix wins it! So, since I’ve had several “one large tip” emails in the last few newsletters, this one is a gaggle of small tips. Gotta mix it up.

Quick TechEd Notes

A quick note for those of you who are going to TechEd: I'll be speaking on Windows & Linux Integration (session SVR211), Monday 1.30 PM in Room "156 ABC". Hope to see you there! Even though I'm not speaking on Group Policy stuff, doesn't mean there aren't some great talks! Be sure to check out the following GP related talks:

  • Mark Williams (GP Team @ Microsoft):
    • MGT310 Group Policy: What's New in Windows Vista Wednesday, June 14 2:00 PM - 3:15 PM, 210 ABC
    • MGT310R Group Policy: What's New in Windows Vista (Repeat Session) Friday, June 16 1:00 PM - 2:15 PM, 259 AB
  • Emily Hill, George Roussos
    • CLITLC09 Group Policies in Windows Vista to Control Devices and Drivers Friday, June 16 2:45 PM - 4:00 PM, CLI/MGT/SEC/SVR Theater 2
  • Derek Melber (DesktopStandard and all-around smart GPO-meister):
    • MGT425 Troubleshooting Group Policy Friday, June 16 10:45 AM - 12:00 PM, Grand Ballroom A

So, without further ado!


This Month's Newsletter Sponsored by Centrify

Now you can use Group Policy to manage Mac desktops just as you do Windows.

Centrify DirectControl not only delivers Active Directory-based single sign-on and access control for Mac OS X, but it is also the only solution that enables IT managers to centrally secure and configure Macs via Group Policy. Use GP to require screensaver password locks, lock down system sharing and firewall preferences, and centrally configure other security settings. Request an evaluation of DirectControl for Mac OS X today.


 

Announcement From the Better Late Than Never/Use Your Manners Department:

Free gift to anyone who has ever taken a GPanswers two-day or three-day Group Policy workshop (where either James or I was the instructor).

It’s about time I said thanks. So, thanks!

Here’s the deal: the gift is free, the shipping isn’t. Sorry, I’m a small business, and that’s the breaks.

Shipping for your free gift is only $5, though.

And if you hate the gift, I’ll cheerfully refund your $5 and you can keep the gift. Really! (I sound like Ron Popeil, don’t I?) Here’s the fine print:

  • Shipping for the gift is a flat $5
  • We can accept Paypal or credit card for shipping
  • US residents only
  • If you can remember, please specify which public class or private class you attended (location and approximate month and year).

Note, that if you like the gift, but have never taken the two-day or three-day class, you can get one for a whole $12 (including shipping).

It may take a little while for you to get the gifts (like a week or two.. but rest assured, they'll get there.)  

Technology Takeaway (r), a Service of Moskowitz, inc.

Tip 1: How to troubleshoot a machine that claims it cannot find a Domain Controller.

(This tip comes to us courtesy of Dan Home from Intelliem.com.) Two computers out of the 1000+ systems in our central site had these “Event 1054” errors. Unfortunately, these two systems were mission-critical systems. And, most interesting of all, there were NO OTHER VAGUELY RELATED ERRORS OF ANY KIND, visible or logged, on these systems. They just weren’t getting policy [“getting policy” ok terminology?] correctly (everything else was fine).

I said to myself, “Self, if they’re having these errors there must be something insidious going on.”

Here is a screenshot of the 1054 error on the machine:

gp After MUCH back-and-forth testing, we discovered the source of the problem: LINK NEGOTIATION! The switch between these systems and the DCs had one tiny little misconfiguration, and these particular systems weren’t “discovering” quickly enough what kind of network link they should have. So, in a final test, I hard-coded the NICs to 100/Full.

And the errors vanished like . . . well, something that vanishes.

Thanks again Dan Holme from Intelliem.com for this cool, simple troubleshooting tip!!

Tip 2: How do I get MMC 3.0 functionality on my Windows XP machine?

Last month, you read about how to control printers using GPOs. And we did so using Windows 2003/R2’s new Print Management Console. You might have noticed that it had a different look and feel to it. That new look and feel is the MMC 3.0 (as opposed to MMC 2.0) which can be seen in this screenshot.

gp
(Click on image for a larger view)

Since you likely control your Active Directory universe from an Windows XP machine (and not a Windows 2003/R2 machine) you might want to step-up to the MMC 3.0 look and feel on your Windows XP machine. Here’s how we do it:

  • Ensure that your Windows XP machine has SP2 installed.
  • Get the MMC 3.0 interface (one for 32-bit Windows XP and one for 64-bit Windows XP)
  • Enable the MMC 3.0

We’ll assume you already have Windows XP / SP2. Now, to get the 32-bit version of MMC 3.0, click here. To get the 64-bit version of MMC 3.0, click here: . Note that it seems as if 64-bit Windows XP systems get “second class citizen” status here, as there doesn’t seem to be a “final” version of the code, rather, that link for 64-bit Windows XP MMC 3.0 seems only to be Release Candidate 1.

Update: You can now download from Microsoft a copy of MMC 3.0 for XP x64 and MMC 3.0 for 2003 sp1 as well as 2003 x64 and ia64 Finally, once installed on your Windows XP machine, edit the registry to add a new key.

  1. Navigate to HKEY_LOCAL_MACHINE | SOFTWARE | Microsoft | MMC.
  2. From the Edit menu, select New, Key. (Yes, ‘key’, not value)
  3. Enter “UseNewUI”.

Note that the new Action pane seems to be available regardless of whether the setting is performed or not. However, the new “Add/Remove Snap-ins” is definitely different once you perform the setting, as seen below. gp (Click on image for a larger view) You may not see much “new stuff” while you’re inside your console (such as when you’re inside the “Actions” pane.) That’s because each snap-in needs to specifically take advantage of MMC 3.0 goodies.

Tip 3: Ready for Vista?

  While not specifically a Group Policy–related tip, I thought y’all would find this interesting. You can do a quick “health check” on your existing hardware (running Windows XP) and figure out if it’s a good candidate to put Windows Vista on it.

Just trot on out to the machine in question, and click here.

You’ll get asked a handful of questions about what you want to DO with Windows Vista. Then, out pops a suggestion about which version of Vista you should get and which areas need attention. You’ll get an HTML report (IE-readable-only, of course) that tells you which features are A-OK and which might not work. You also get a report about the drivers on your current machine and how they’ll fare with Vista (see second screenshot below).

 gp

 gp
(Click on image for a larger view)

Note that some items are peripherals (like my Brother MFC-3220C printer), but some are built into the machine (like the SigmaTel C-Major Audio device.) Let’s hope all these drivers are available by Vista showtime.  

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)

Now Available: Private GP Course in "Less-Intensive" Format

Everyone knows the two-day Group Policy course is really three days of material packed into two intensive days. However, some customers have asked for a less intensive format.

Your wish has been granted!

This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.

This "three-day less-intensive" option is ONLY available as a private course. Note, the "two-day intensive" option is available as either a private or a public course. Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy intensive training and workshop. Students LOVE the class, and managers LOVE the results.

You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.

Public Two-Day Workshops for the Remainder of 2006:

Because I got invited to do a 19-city roadshow with TechTarget and Microsoft (see next section) I had to move around some of my class dates.
July 11–12: Denver, CO
July 25-26 (changed dates): Austin, TX (by popular demand!)
Aug 23–24: Phoenix, AZ
Sep 25–26 (changed dates): Seattle, WA
Oct 31–Nov 1 (changed dates): Portland, OR

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.  

Free Education!

I’m honored to announce that I’m working with two pairs of vendors to get you free stuff in the upcoming year starting in June! (Y’all know how much I love free stuff!)

Announcement #1:

Jeremy Moskowitz and NetIQ + FullArmor team up to bring you, over the next year or so, some webinars, whitepapers, and roadshow opportunities. Here, you’ll see me outline some of the difficulties that administrators have when working with the native Group Policy toolkit. Then, NetIQ + FullArmor will talk about how their products fill in those gaps ! I’ll keep you posted with mini-updates via “un-newsletters” when a webinar or roadshow date is approaching.

Announcement #2:

Jeremy Moskowitz and TechTarget + Microsoft team up to bring you a 19-city roadshow tour titled: Deployment, Managing, and Monitoring: Getting the Job Done. Here, you’ll hear me talk about how to use the tools in the box to deploy your Windows XP, Windows 2003, and Vista systems, how to use Group Policy to manage your systems, and finally how to keep tabs on them with some slick free tools! Did I mention this is 19 cities?? So, there’s a good chance we’ll be near you soon! First two cities are Charlotte, NC (June 27, 2006) and Atlanta, GA (June 28, 2006).

The best two places to see the city list will be my web site calendar (which runs along the right-hand side), and also here, the official TechTarget/Microsoft web site. Dates will be added when confirmed. Hope to see you there!  

Welcome Mark, my new assistant!

Also, a big welcome to my new assistant. His name is Mark, and he can be reached at [email protected]. He can help you get signed up for a class, get you a case of books, or troubleshoot a gift order. He’d love to get a welcome email from you! However, please don’t send Mark any technical questions. Post those to GPanswers.com/community.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Mark at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Apr 2006
25

Issue#17

In this issue:

  • Your opinion please!
  • Windows 2003/R2 Printer Magic
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Now Available: Private GP Course in "Less Intensive" format
  • Public Group Policy Intensive Training and Workshop Schedule Update
  • Subscribe, Unsubscribe, and Usage Information

It's all about more control, baby

This Newsletter’s “big topic” is printers, and deploying them via Group Policy. But, before I talk about that, I have to ask you folks a thing or two.

Thing #1:

  • Do you like these newsletters with one big topic in them?

or

  • Do you like the original format with lots of little questions and lots of little answers?

Send your one word vote of BIG or LITTLE to [email protected]. Or, if you have more than one word to say, you can do that too.

Thing #2:

Want to be famous? I’m working on a project which highlights “creative uses” for Group Policy. So, if you think you’ve got a special implementation using Group Policy—I want to hear about it. For instance, one company I know uses Group Policy to lock down PCs as cash-registers. That’s cool! Another company I know wrote some sweet custom scripts to automate their entire Group Policy universe. Wow! That’s the kind of stuff I want to hear! Or, do you have a special “process” behind your Group Policy that goes beyond the “in the box” delegation? Anything neat or cool—special implementations are what I’m looking for. And, like I said, you can have your name in lights (if you so choose).

Give me a paragraph or two on your cool implementation, and what you’re doing that makes your organization unique. Send to[email protected] with a subject line of SPECIAL.

Now, on with the show!

Be sure to read through to the end. I’ve got a gaggle of new dates and cities for the public Group Policy course for the rest of 2006.


Newsletter Sponsored by: DesktopStandard

Provide all of your Windows 2000, XP and Windows 2003 end-users easy access to the correct printers via Group Policy, today!

Configuring printers is one of the essential desktop management tasks for which there is no built-in Windows solution. DesktopStandard's PolicyMaker Standard Edition solves this issue and many others. It includes both Shared Printer policy and TCP/IP Printer policy for managing printer connections. Standard location-based filters allow targeting of print connections so that jobs can automatically print to the most appropriate printer based on where the computer is located.

Click the link to learn more: PolicyMaker Standard Edition


Windows 2003/R2 Printer Magic

Let me guess what one of your biggest headaches is.

Printers.

Yes, it’s that “little thing we don’t like talking about much.” But, it’s been on my mind lately, so let’s figure out how we can “Do more with Group Policy!”

Are you one of Microsoft’s customers who is implementing Windows 2003/R2?

Or, are you one of Microsoft’s customers who just read the above line and is saying to themselves, “What the heck is Windows 2003/R2?”

Windows 2003/R2 can almost be thought of as “Windows Server 2006.” But that’s not what it’s called. It’s Windows 2003/R2. To use “R2” you need to load it upon a Windows 2003 Server with SP1. Then you load the R2 bits, and voila! You’ve got an R2 machine!

R2 has an armload of neat-o new features. And if you’re interested in reading about all the neat-o features it has, read here.

But only one of those features has any Group Policy-related goodness. But, oh friends, it is very good!

It’s the Print Management Component—a new add-in that R2 brings to the table. The Print Management component does a LOT of keen-o-rific stuff, like centrally manage almost all aspects of all of the printers on your Windows network. What’s not to like about that? And even better, it brings an extra superpower to the table: the ability to deploy printers to users or computers via Group Policy.

ZAAAP! You can just “beam” printers down to your mere mortals.

That’s right. You can now say “Whenever Sally moves from XPPRO1 to XPPRO12, she keeps her printer mappings.” Or, you can now say: “Whoever sits down at XPPRO5 will get the same printer settings.”

The god-like power you have using Group Policy is truly compelling!

Keen readers of my Group Policy book will note I had a tip (on pages 139-140 of the 3rd edition) about using loopback policy to perform the same idea. That is, by sitting down at any given machine you can dictate the printers. Now, finally, it’s part of the operating system.

Getting ready to perform the magic

Before we can get started with the Print Management Components, we need to perform several steps:

1. Update our Windows 2003 schema to Windows 2003/R2 schema

2a. If we want to use our Windows 2003 server as the place where we perform our printer management, we need to load the Print Management Component on our Windows 2003 machine.
 -or-
2b. If we want to use an Windows XP machine as the place where we perform our printer management, we need to load the Adminpak for R2 tools on our management station.

Updating the schema and installing R2

Updating the schema is likely the hardest part of the job, because you’ll need approval from your Active Directory big-wigs that this is an OK procedure to do. Once you have approval, this operation is best performed directly upon the Schema Master in your domain.

The reason for the schema upgrade is that to-printer connection objects get a new “fast query” lookup via LDAP in Active Directory. This way, the Print Management Console (which we’ll explore in a bit) doesn’t have to inspect every GPO in the domain to figure out where printers are currently deployed.

Just pop in the R2 media. You are then presented with the option to “Continue Windows Server 2003 R2 Setup.” If you click that, however, you get the message seen below.

 gp

 gp
Figure 1: In order to upgrade Windows 2003 to R2, the schema must be upgraded. (Click image for larger view)

The dialog box says it all. In short, you need to run the command adprep /forestprep which is located in the R2 CD-ROM in the cmpnentsr2adprep directory.

 gp
Figure 2: Once you press ‘C’ to continue, your schema will be upgraded to the R2 schema.(Click image for larger view)

From here, we’ll assume you want to test drive this on your Windows 2003 Server and upgrade it to R2. We’ll also assume that you want to manage your printers from there (as opposed to an Windows XP management station).

Once the schema update has been performed, you can then run the “R2Auto.exe” on the root of the R2 CD-ROM and select to “Continue Windows Server 2003 R2 Setup.” At this point, you may be informed that you have a service pack installed (and continuing will prevent any possibility of uninstalling it). Select “Yes.” Once you do, you’ll be at the “R2 Setup Wizard.” The Wizard is self-explanatory.  

Installing the Print Management Components

Next on the docket is loading the Print Management Component. Again, this is a comprehensive tool which allows you to manage many facets of your printer universe. To load the Print Management Component, go to Add/Remove Programs | Windows Components | Management and Monitoring tools and select Print Management Component, as seen below.

 gp
Figure 3: You can load the Print Management Console components into a Windows 2003/R2 server.

Note that next time the (annoying) Configure Your Server Wizard appears, you’ll see that it’s been installed as seen here:

 gp
Figure 4: The Configure Your Server Wizard now has a new option. (Click image for larger view)

Now that the Print Management Components are loaded, you’re ready to deploy printers to either your users or your computers. You can do this “by hand” using the regular Group Policy editor snap-in, or using the tools provided in the Print Management console.

Deploying printers using GPOs

Let’s deploy printers by hand first using the Group Policy editor, then we’ll move on to the Print Management console.  

First step: Define Deployed Printers

To zap a printer down to your users or computers, you start out by creating a GPO and linking it to an OU containing either users or computers. Say, the Sales Users OU.

When you edit your next GPO, you’ll see a “Deployed Printers” node in both the computer and user half of the GPO along with a new Action called “Deploy Printer” in the Action menu as seen below.

 gp
Figure 5: You’ll be able to manage printers directly within the Group Policy Object editor (Click image for larger view)

Note that if you don’t see the “Deployed Printers node”, it’s likely that you don’t have the updated Adminpak tools on your management station (the computer from which you’re editing this GPO). To get the latest tools, get the R2 Adminpak here. Note that it isn’t “one big .msi” like Adminpak.msi. Rather this is a collection of smaller files for specific updated components like the Print Console.

Once you select User Configuration | Deployed Printers | Deploy Printers (as seen in Figure 5 ) or Computer Configuration | Deployed Printers | Deploy Printers, you’ll be ready to blast new printer assignments down. Just type serverprinter into the “Enter printer name” dialog (shown below), click Add, and you’re done.

gp
Figure 6: Enter the UNC path of the printer you want to push. (Click image for larger view)

Or are you? Here’s where the going gets tough. That is, just when you think you’ve got it super-easy, you need to go the last mile of this journey manually. All you’ve done right now is define which printer the folks affected by this GPO should get. But now you need to actually tell them to get it. That trick is done through a little executable program that you have to kick off via Login script (for printers assigned to users) or Startup script (for printers assigned to computers).

Second Step: Assign the PushPrinterConnections executable

The “moving part” to make the printer assignment is a little .exe called pushprinterconnections.exe. If you’re deploying printers to users, the .exe needs to be run in the user’s Login Script. If you’re deploying printers to computers, it needs to be run in the computer’s Startup Script.

The pushprinterconnections.exe gets placed on your R2 server in the windowsPMCSnap directory along with some other bits associated with the Print Management console (which we’ll talk about in a minute). You can see that here.

 gp
Figure 7: You’ll need to copy the pushprinterconnections.exe to each GPO’s script container. (Click image for larger view)

The key point is that the location where it starts out isn’t the location where you need to run it from. Your job is to take the file and plunk it directly into the GPO itself. Here are the rough steps to do this:

  1. While editing the GPO, drill down to the script type (User Login, or Computer Startup).
  2. Click the Show Files button.
  3. Copy the pushprinterconnections.exe into the window that opens up.
  4. Back at the properties of the script, click Add, locate and select the pushprinterconnections.exe file.
  5. Click OK

gp
Figure 8: Call the pushprinterconnections.exe from directly within the scripts portion of the GPO. (Click image for larger view)

Note: If you want to enable troubleshooting logging information, type –log in the Script Parameters box. A per-user debug log file will be written to %temp%. A per-machine debug log will be written to %windir%temp. (Note that these are totally different directories.) It’s worth noting that you shouldn’t use the –log parameter in a production environment—you wouldn’t want the utility filling up your client machine hard disks with megabytes of log files.

A quick “future looking” note about Vista. This utility isn’t required for Vista. The ability to push down printer connections is built in.

So, the first thing that PushPrinterConnections.exe does when you run it is to check if it is running on Windows Vista. If it is running on a Vista machine, the utility exits without doing anything. So network administrators don’t have to worry if they accidentally push out the pushprinterconnections.exe utility down to Windows Vista clients.

The results!

At this point, you should see goodness when you log in as the user or restart the computer. Note that these printers won’t “change” during background refresh after you’re already logged in. That’s because the pushprinterconnections.exe only runs at login or startup.

gp
Figure 9: Success on an Windows XP machine! (Click image for larger view)

The easier way to do it (sort of)

We just deployed printers to our users or computers by hand using the Group Policy editor. However, there’s an alternate method: using the Print Management Console. The Print Management Console gives a “one stop shop view” of printers deployed via GPOs. In this list, you can see each of my printers (HPLaser1 and HPLaser2) and which GPOs they’re being dictated in, and which side—user or computer—is being forced.

 gp
Figure 10: The Deployed Printers node in the Print Management Console “hunts down” GPOs which are using the Deployed Printers feature. (Click image for larger view) However, the Print Management Console has another trick up its sleeve: the ability to zap printers directly by creating GPOs of its own.

Using the Print Management Console, just drill down to Print Management | Custom Printer Filters | All Printers, locate the printer you want to zap down to a computer or user, and select “Deploy with Group Policy”, as shown below.

 gp
Figure 11: You can see any printer in the Print Management Console and zap it down using Group Policy. (Click image for larger view) With no disrespect to the designers of R2, this is where it starts to get a little bit difficult to work with. It starts out innocently enough as you can see in the “Deploy with Group Policy” dialog box below.

gp
Figure 12: The interface for deploying printers via GPOs using the Print Management Console. (Click image for larger view)

The interface from here on out is, well, almost a throwback to pre-GPMC days…and we all hated those days. But that’s the interface we have here after we perform our next step.

The idea here is to click Browse and either find a GPO you happen to know is linked to a Site, Domain, or OU (because, of course, you have that memorized) or drill down into an OU and choose to create a new GPO that’s linked to the level you drilled down to. You can see this in Figure 13.

gp
Figure 13: Click to create a new GPO to affect your target OU. (Click image for larger view)

And, of course, you all knew that an icon of two people with a little star over their heads means “Create a new GPO and link it here.” Right? (Maybe not.) Thankfully, the tooltip tells the tale of the inexplicable icon.

Once you’ve created the GPO and linked it, it’s time to deploy the printer. Here you select which side of the house you want to deploy to: users, computers, or both. In my case, I’m deploying to Nurse Users, so I’m choosing users.

Now, here’s where you gotta stay with me—so I’ve numbered the steps like a “follow the bouncing ball.” Before I reveal these steps, I want to confess that I tried this procedure no less than 5 times before I finally figured it out.

 gp
Figure 14: Steps to deploy a printer using this dialog. (Click image for larger view)

Why did I go though the painstaking trouble to number the steps and show you exactly where to click? Because the procedure is to:

  1. Choose the user and/or computer side of things.
  2. Click the Add button.
  3. Then click OK

In short, I kept missing the ADD button and was driving myself completely nuts! I think I was missing it because “Add” is ever-so-slightly higher in the dialog than the checkboxes, and my brain thought “Why would I need to click here? I should just click OK and be done.” But my brain was wrong. Learn from my brain.

Here’s the trick: Deploying printers via the Print Management Console doesn’t do 100% of the required steps. That is, while it puts the printer in place in the Deployed Printers node, it doesn’t jam the pushprinterconnections.exe into the Logon Script or Startup Script. this means you have to go back in, via the GPMC, edit the GPO, and jam in the pushprinterconnections.exe (basically, what I showed you in the first part of the article). Frustrating? A little, but now you know what you have to do!

If I’m missing something here, dear readers, don’t be shy. It’s a mystery to me why this whiz-bang Print Management console only does half the job while using the “Deploy with Group Policy” feature.

Final thoughts

Clearly, this ability to zap printers down to either users or computers is a nice leap forward. But, the bad news is subtle: That is, this new magic isn’t built on the client-side extension goodness that IS Group Policy. Rather, this is a little hack that Microsoft put together to zap printers down to users. What I’d like to see is the ability for users to get a changed GPO, and have the printers change on the fly with the background refresh interval. It’s not there yet, but appears to be coming soon with Vista.

One more note about all this before we move on:

  • Windows 2000 machines only support per-user printer connections.
  • Windows XP or Windows 2003 support per-user or per-computer printer connections.

Finally, if you want to learn more about the Print Management Console for the other goodies it brings to the table, be sure to read the “Print Management Step-by-Step Guide for Windows Server 2003 R2” found here.  

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

  Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment fromwww.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)  

Now Available: Private GP Course in "Less Intensive" format

Everyone knows the two-day Group Policy course is really three days of material packed into two intensive days. However, some customers have asked for a "Less Intensive" format.

Your wish has been granted!

This course starts with a half day warm-up of Active Directory, managing users, and delegating permissions. Then, we move on to the Group Policy goodies. This way, those with less Group Policy and day-to-day administration experience can get a bit of the fundamentals before diving into the Group Policy waters.

This "three-day Less Intensive" option is ONLY available as a private course. Note, the "two-day intensive" option is available as either a private or a public course.

Learn more about the Group Policy courses here.

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.

You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.

So, learn to properly drive that "Ferrari" you bought by coming to a class!

Classes for remainder of 2006:

  June 7–8: Austin, TX (by popular demand!)
July 11–12: Denver, CO
Aug 23–24: Phoenix, AZ
Oct 24–25: Portland, OR
Nov 21–22: Seattle, WA

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop
(Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Here's a testimonial from someone at a major upscale jewelry retailer who said his knowledge of Group Policy helped him and his SMS team be more efficient all around.

Jeremy, We actually use the SMS+ZTI (Zero Touch Installation) scripts you talked about in your last two newsletters. For us, we could only be successful with SMS+ZTI in conjunction with Group Policy settings -- a lot of which you taught. I made a Staging OU and redirected all new systems which get added to the domain to this new OU. The GPOs for this OU are quite restrictive. It makes the machine basically unusable. Heck, I make sure they’re presented with POPUPS which instruct users to call the help center if they get the popup message. This forces our deployment team to move the machine to a correctly managed OU. Some additional things that have accomplished via Group Policy since your class:
  • Our new laptops come with Wireless cards. But, I needed to make sure they are initially disabled. Then, only turned on for the “right” people -- if you know what I mean. I created a wireless access GPO that disables the wireless service from starting (and removed administrators from enabling it as some extra protection.) I also used a technique in your class to guarantee who gets Wireless turned on, and who doesn’t. So now when we want to enable the access it’s just a quick change!
  • I set up Restricted Groups for different OU’s. This helped with Sarbanes Oxley’s local admin requirements. Using a MOF through SMS we now report who has local admin rights.
  • We implemented Microsoft Live Communicator – through Group Policy we restrict the settings.
So yes, your class was very helpful in getting me on my way. I can only hope it helped other administrators “see the light” like I did! Thanks, Jeremy!

Sponsor Update

At GPanswers.com, we want to welcome the following sponsors to the Solutions Guide:

  • FullArmor Corporation
  • Smartline, inc.

Be sure to check out their cool tools and all other vendor's tools at the Solutions Guide.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Jon at: [email protected] I endeavor to respond to everyone who emails.

Thanks for reading!

Mar 2006
28

Issue#16

Why is this follow-up newsletter needed?

I want to thank you all for your comments and observations about my "Newsletter 15" rant. Some of you opted to post in my community forum, and there are some nice comments there. Others posted "side discussions" on, say, the SMS lists.

(PS: This whole newsletter update is being posted to the GPanswers.com newsletter folks and the SMS-list folks.)

I've spent the extra "quality time" getting to know the BDD a bit better. I'm ready to put this whole thing to bed, and I'm grateful for the insights everyone has brought to the table.

Again, if you have comments, my preferred way to handle them is via the Community forum. Or, if you're getting this on the SMS-list, then, feel free to post there too.

Special thanks to the BDD team (Michael Niehaus) for making contact to help me get to the bottom of some of my questions, as well as key members of the SMS-list (Rod Trent and Todd Hemsell) who chose to reach out to help everyone better understand why this is important to them.

Thanks, all.

PS: If you wish to respond, please do not email me about this topic. If you want to participate, please post herehttp://tinyurl.com/htaxw on my community forum.  

Findings

Ultimately, here are my findings after seriously going through the BDD materials. (Yes, true, I went thru them semi-seriously before. But this pass was even more so.)

Indeed, I found some videos of the whole process here and watched every single one and I suggest anyone interested in learning this better also watch them.

Warning: Whomever is giving the talk is clearly just READING from a script. And, hence, it's a little easy to "tune out" even though the information is quite good. With all that re-exploring, here is the Reader's Digest version on my findings:

About BDD/Standard

I seem to have been correct that the BDD, at the end of the day, deploys "Ghost-style monolithic images." These images are based on an "assisted scripted process" which helps wrap up all the steps (including hardware-specifics and timed reboots into the process.)

But in the words of the BDD team in a personal email: "In the end, this is captured as an image."

I think, in the end analysis, this is the big dealbreaker for me.

Let's say I change hardware. Or add something that requires another step.

Sure, I can go BACK and tweak my script to then create ANOTHER Ghost-style image. But that seems like more work to me. And now I've got different images running around.

Not that the BDD team or Microsoft needs my advice, but here it is: Take a hard-line stand, and support ONE method.

And that method should be a 100% automated, scripted install.

Here's why: People who already use Ghost-style tools already USE those tools without the process and guidance the BDD offers. And, the manufacturer of those Ghost-style tools should provide any process around them -- Microsoft shouldn't.

I don't think folks already using Ghost-style tools would necessarily jump ship over to BDD. I do think the BDD team could attract more flies by answering the problem of "How can I build a glorious, sexy scripted install that works on ALL my hardware, even if my hardware changes a lot?"

While it has a lot of excellent prescriptive guidance, I would be surprised to learn that many, many people use the BDD/Standard edition.

The BDD team has expressed that they do not assume AD is in place with the BDD/Standard edition. Therefore, none of the process involves any use of GPOs or scripts with GPOs. My suggestion to the BDD team: Start assuming people have AD and can "get it together" enough to use GPOs.

Seriously, even SBS installations run AD and most use GPOs, and they have 10-50 users.

If the target audience for the BDD doesn't even have ONE DC (hence, no AD) I think it's safe to assume that they DONT or WONT want to use a tool like this.

Do people WITHOUT AD really think "process" when doing anything? If the BDD's target audience really assumes about 500+ machines, then, c'mon -- we're ONLY talking AD here. :-)

About BDD/Enterprise

I think this is where the majority of administrators will find usefulness. The ZTI scripts which are part of the BDD really do add the "finishing touches" that SMS needed when the OSD was released.

And, I think that was my confusion, too. That is, that the OSD doesn't, by itself, come with the ZTI scripts. No no.. THOSE only come with BDD/Enterprise.

So, my overall suggestion would be to roll up the USEFUL BITS of BDD/Enterprise and marry them RIGHT to the OSD. I mean, is there a majority case in using ZTI without the OSD? If not, put the goodies where the SMS admins can just use 'em.

It seems, overall, that the SMS admins and I agree on the general "philosophy". That is SMS admins seem to often use BDD/Enterprise to smoke "broken" machines then use SMS to lay down their applications. That sounds awfully familiar when I teach about smoking a machine using RIS then laying down applications with GPOs. It's the exact same theory. (Yes, it’s true that GPOs require MSI packages, where SMS can deliver just about anything.)

There are some differences, and some similarities.

Difference #1.

With RIS, I need to walk out to the machine to kick it off -vs-With SMS, if the client is loaded and responding, I can kick it off remotely. If the SMS client isn't responding I need to either use RIS to boot WinPE or run out there with a WinPE CD-ROM. (Meanwhile, WinPE is still a "licensed" entity. RIS is included as a component for all Windows servers.)

Similarity #1

Both RIS and SMS/OSD seem to use the same "idea" of how they store files. That is, they're not “Ghost-style Monolithic images.” RIS stores "bunches of files" stored on the RIS server. SMS/OSD uses a "WIM" format. Both formats store about 20% less information than a "Ghost-style monolithic image."

So, at the end of the day, an SMS/OSD and a "naked" RIS install are going to take about the same amount of time. (That is, unless you're doing something tricky with the ZTI scripts and downloading a true Ghost-style image with your Ghost-style tool.)

My only question today is: If they're so SIMILAR in the underlying technology, why do we have two ways to skin the same cat? In the future, the BSD team tells me we won't. That's the right idea.

Advantage #1

SMS has always done a good job "staging" files in secondary sites. And, if you have a very large environment, say, with 25 branch offices, using RIS can be a challenge. This is because you'll likely want to load ONE RIS server and replicate it to all your branches. You would use Robocopy, XCOPY, DFS, or something else to copy that one RIS server to your 25 branches. But this route could be fraught with peril. (However, I would suggest that with the improvements with WS03/R2 this might be vastly improved.)

Onward and upwared

This isn't a BDD comment, specifically. But I think it's simply silly that that I must "run out" to a bare-metal machine with a WinPE disk, or have a RIS server available alongside my SMS just to boot WinPE to then get bare-metal installs up to speed. Unless I'm missing something, this is a kind of a big hole that the SMS team needs to address. I don't know enough about SMS 4.0 to know if this hole is plugged.

I like the idea that the ZTI scripts are "open" and customizable. And this, I think, is why SMS admins are "passionate" about the BDD in general. Again, however, my suggestion (for what it's worth) is to put the ZTI scripts right into the OSD if that's the people who use them.

Ultimately, the BDD has a nice message: Put some process around the way you do your deployments.

I can't rant about that. Clearly,

I'm not a huge fan of "Ghost-style monolithic images." I'd rather see you script the whole install, even if it takes longer. But the BDD's goal is to prescribe some repeatable guidence for those who choose to use Ghost-syle tools. Again, I can't argue with that -- if that's the way you're choosing to do your deployment. As I said in the original newsletter -- if you're happy with Ghost and their ilk, then keep on using it. The BDD helps you put some "process" around that deployment method if you choose to use it.

That's just good thinking all around.

However, in this "Son of rant" I've made some suggestions going forward I hope might be well received by both the BDD and SMS teams going forward.

One last piece of the puzzle: BDD will surely evolve in the Windows Vista timeframe. I would expect it to take on the new WIM/XIMAGE/IMAGEX formats Vista will support. But, that's another discussion for another day, isn't it?

PS: The BDD team responded in full to this content before it went live. And I've tried to inject the relevant feedback about the current state of the BDD and SMS/OSD back in before we went live. However, I'm currently seeking permission to print a full transcript of the conversation so you can read the response directly from the BDD team. In that response the BDD team discusses future directions, which are certainly interesting. When available, it will NOT be a newsletter. It will only be posted here http://tinyurl.com/htaxw on my community forum.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected] If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who email

Mar 2006
22

Issue#15

Newsletter #15

  • My Rant: Why imaging? Why SMS?
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Public Group Policy Intensive Training and Workshop Schedule Update
  • Upcoming appearances and schedule
  • Thanks Netpro!
  • Subscribe, Unsubscribe, and Usage Information

This issue is (I’m sorry folks) a rant. It’s not about the war, or politics—but about something close to us, that we can all rally behind: disk imaging and management products.

So, without further ado, my rant.

After I rant for a while, I'll give you an update on my 2006 Group Policy Class Schedule and suggest some other great stuff for you to check out.

Before I forget—the Sacramento, CA Two-Day Group Policy class is ON for March 30, 31. We have three seats available. If you want one of those seats—sign up soon at www.GPanswers.com/workshop.

PS: A hearty THANK YOU to the folks who came and saw me and Tom present Win/Lin topics at this season's TechMentor in Orlando. I'm gone now (off to the next thing).. but thanks for brightening our days there -- you were a super audience !


Newsletter Sponsored by: Special Operations Software

Sometimes the out-of-the-box Password Policy in Windows isn't just enough. If you need many Password Policies perActive Directory domain or more granularcontrol of howpasswords can be created you should have a look at Specops Password Policy.

Redmond Magazine says that "Password Policy is easy to install and easy to use. It provides much more granular control and doesn't have a long learning curve."

Click the link to read more on how Specops Password Policy can benefit your organization with increased security.


As Dennis Miller says I don't mean to go off on a rant here

My good friends at TechNet Magazine have recently released their March/April 2006 magazine. And, let me tell you—it’s excellent, specifically, if you’re running SMS to roll out your desktops and/or contemplating using the new Business Desktop Deployment (BDD) to roll out desktops.

And, I have some questions (and please don’t answer me directly via email. Please, please, please answer this question or agree/disagree with this rant by going to http://tinyurl.com/htaxwon my community forum and post your 2 cents there.)

My three questions are:

  1. Why does Microsoft have 7 ways to deploy a desktop?
  2. Why bother with image-style desktop deployments at all? and
  3. Why bother with SMS-style tools?

So, let’s get started on this very special “rant” issue.

Microsofts desktop deployment options

By my count, Microsoft has seven ways of “officially” deploying a desktop: Category 1: via winnt.exe

  • Put in the CD and restart the machine. This basically runs winnt.exe and installs Windows.
  • DOS-style Network boot disk to connect over the network to run winnt.exe
  • WinPE-style to again run winnt.exe (almost the same as a DOS-style network boot disk in practice)
  • Remote Installation Services (via PxE) where winnt.exe gets invoked

Category 2: via image

  • SMS + Operating Systems Deployment Pack (OSD)
  • Business Desktop Deployment (BDD)
    • Standard Edition and
    • Enterprise Edition
    and
  • Vista’s all-new image-based deployment

The methods in Category 1 “build” a PC from scratch, loading Windows step by step (or via answer file), but fundamentally “create” a PC by formatting it and loading each file.

The methods in Category 2 “photocopy” from an image source in Ghost style.

So, here’s the question (again): why bother using either the Zero Touch Deployment for SMS (with the Operating System Deployment pack), the BDD, or the upcoming Vista image-based methods to roll out your desktops?

First of all, unless I’m missing something—these latest tools from Microsoft compete with each other for your desktop rollout attention. Not to mention that Vista will also come with its image-style based deployment mechanism. So, between the BDD, SMS+OSD and Vista’s Imaging mechanism—I’m one confused guy—and I’m trying to understand why each has it’s place.

So, that’s three image-style mechanisms to do the same job. That’s my real question: can someone (anyone) explain why I might choose, say, the BDD over the SMS+OSD even if could deploy both at exactly the same hard and soft costs. (Again, don’t reply here…post about it, at http://tinyurl.com/htaxw.)

To me, it seems a main selling point of both the BDD and SMS+OSD appears to be that it will “maintain state” as you do a desktop upgrade from say Windows 2000 to Windows XP. With a little elbow grease, you use the built-in User State Migration tool, shoot up a copy of the user’s important stuff, blast down a new desktop, and restore the important stuff (like desktop backgrounds, etc., etc.)

Great. But again, why bother specifically saving the state?

If you’re using the network to store the important stuff (say, by using Roaming Profiles), and use Group Policy to maintain your application settings, why specifically go out of your way to preserve any of it? Those of you who’ve heard my talks on desktop deployment know it will still be there waiting on the network when you deploy that new desktop to the user.

So, if you want to educate me… please do so. Again, respond by posting to http://tinyurl.com/htaxw.

Beyond the Microsoft image-based deployments

Since I'm already off on a rant here, let me take it one step farther…

Truthfully, I don't even see the point of having any image-style/“photocopy-style” deployments (including other non-Microsoft image-style deployments a la Ghost, PowerQuest, or anything else). Those of you who’ve seen me speak at conferences or those who have taken my more in-depth two-day Group Policy course know my feelings about image based deployments. Yes, they’re fast—but, ultimately, they’re a “photocopy.” To recap the process, you essentially wrap up a “perfect” PC with a set of “core” applications and make a big image. Then, you deploy that image to a zillion machines. And you do it fast.

Great.

But, this means several downsides when thinking long term. First, there’s the problem with the “photocopy” aspect in terms of hardware deployment.

Yes, I know—Windows sysprep is supposed to be the answer. Sysprep’s job (especially with the -pnp switch) is to shut the machine down for photocopying. Then, once the photocopied machine is turned back on, it’s supposed to magically discover all the correct hardware, and birds will land on the computer singing and chirping.

Except it’s not guaranteed (especially the birds). Not to mention the problem with photocopying from one machine to another—the required drivers might not be there. If you’re photocopying the same image for a Dell Latitude and an IBM Thinkpad—you let me know how that’s working out for you. If you can sleep at night while doing this, you’re a stronger man than I.

Okay, I’m sure the BDD and SMS+OSD deployment have some provisions to handle this situation. But, I was at a loss on specifically how to add new drivers to either the BDD or SMS+OSD if, say, a new network card showed up in your next desktop shipment. What I am sure of is that in each case, the WinPE image (which provides you the ability to access the image) would indeed need to be tweaked to accommodate this (already a hassle). But my confusion is what about the drivers for when Windows is actually running? If I’m pulling down a fully formed image, how can I jam in new drivers? If you know, and can educate me, please do so.

Even if there is a native way to do this (easy or cumbersome) it appears that Binary Research (the original makers of Ghost) has created something to help fail-safe the process. Their “Universal Imaging Utility” product (found here) is supposed to help inject a bazillion drivers into your images—specifically to remediate this very problem I’m describing.

The next big problem with the photocopy is—it’s obsolete the very day it’s placed into service. Why? Let’s explore a typical photocopy-style rollout. Let’s say we’re deploying our image to 1000 desktops. Just to give it a name, we’ll call our project OurImage 1.0. After rolling out 300 of our 1000 desktops someone on the deployment team realizes they’ve forgotten a critical application patch, or bite-sized application, or a configuration setting, or misspelled a directory, or any number of a 1,000 things that can go wrong during image building. So, the desktop engineering team cleans up the image, and rolls out OurImage 1.1. They then roll out to the next 300 desktops. (And, of course, the problems weren’t big enough to retrofit the first 300 desktops and disrupt users.) So, now, you have 600 desktops deployed: half on OurImage 1.0 and half on OurImage 1.1.

Not ideal, to be sure.

Then, one of the applications in the image has a new minor version (which the manufacturer strongly recommends you start deploying right away). Back to the drawing board, and a new revision, OurImage 1.2, is created. The deployment rollout must go on! And OurImage 1.2 is now deployed to the next 300 clients.

So, now, that’s three somewhat-different images over 900 clients. Now when any of those users calls the helpdesk for help, which version of the image are they using? Remember each version of the image has slightly different application versions tucked inside.

Or, consider this case: the image is rolled out to 300 people—both Sales and Marketing. But Sales is constantly playing around with applications in the image they have no right to even use. Should those applications have ever been in the image at all? Sure,those applications are needed for the Marketing guys. But not for Sales. So what do some IT departments do? They send someone to trot out to the Sales desktops and manually uninstall those applications (or script it, or touch it with SMS or something).

So, it must appear as if I’m “down” on photocopy-style desktop deployments such as Ghost, SMS+OSD or the BDD. It’s not that I’m down on them, just utterly confused why anyone would use them.

With that in mind, what’s my proposed desktop deployment solution?

Group Policy of course (with a little help from Remote Installation Services)!

Why RIS? Because RIS doesn’t “photocopy” an image. It “builds” the computer from scratch, installing just the software it needs in order for Windows to run. And, there are provisions for centrally adding new and updated drivers when new hardware comes out (like NICs, sound cards, etc.).

Why Group Policy? Because you can deploy just the applications you need to just the specific people who need them. If Fred in Sales shouldn’t get an application only Marketing would use, then it’s not in any photocopy where you’d have to worry about it. Fred only pulls down applications Fred needs.

Yes, I know the downside to my strategy. That is, in order for my suggested strategy to be successful, you have to be 100% committed to the MSI promised land (or buy 3rd party Group Policy tools to deploy applications other than only MSI apps).

Now, before you napalm my house—let me wrap up this section with this one thought:
I AM NOT SAYING TO ABANDON GHOST, POWERQUEST OR ANY OTHER IMAGE-BASED TOOL IF IT’S WORKING FOR YOU.

I know lots of people are quite attached to their desktop deployment methods. If something is working for you, and you’re happy—keep on truckin’.

Don't let me stop you.

The main reason I'm down on image-type deployments is for the reasons I mentioned above:

  • Again, first, it’s a photocopy, and even though sysprep -pnp should work from machine to machine, it doesn’t always. If it does work for you—fantastic. Consider yourself blessed, and continue to make use of the speed that photocopying provides.
  • However, consider the second problem: “core applications” in the image make it difficult to customize each user’s experience for them. If you get away from photocopying, you get away from deploying unnecessary apps (or forgetting to put apps in your image).

So again, yes I know RIS is slow. Slower than a photocopy, yes. And, if you’re comfortable photocopying machine to machine to get the OS deployed then, again, keep on doing that. All I’m asking is for you to consider not imbedding the applications in the image.

My problem

Now, if you want to help me out you can explain a few things to me.

  1. If you’re actually using the SMS+OSD—how is it really “zero touch” as it’s touted? I don’t get it. I’ve read countless pieces of documentation, but it still appears as if the client needs to be “seen” by the SMS system in order to zap a new photocopy upon it. That means it needs to be an SMS client. If I’m cracking out a desktop or laptop from the cardboard box and put it on the wire, I’m totally unclear how SMS will “find” this new machine and zap it my corporate photocopy. From what I’m reading it seems (dig this) that the prescription is to actually use RIS to deploy that initial desktop, then get the SMS client loaded, then zap down the remaining applications. Wait a second—that sounds like “The Jeremy Prescription” (except you substitute GPO for SMS!) If I’m missing something, and you’re an expert here, please, please educate me.
  2. The BDD has lots of wizard-driven steps to help you create your photocopy and then deploy it. Why would anyone would use the BDD at all, for any reason, when there are clearly other options which do the job? And, unless I’m looking it wrong, it seems the BDD requires a Ghost-style imaging tool to do the work. Indeed the documentation talks about the Powerquest tool quite a bit. Again, I’m at a loss to understand why the RIS/Group Policy/MSI combo wouldn’t be the preferred way to go here—or just about anywhere.

More stuff to rant about(Or, why I'm already unpopular with the SMS team at Microsoft)

Since I'm ranting about SMS anyway

The issue of TechNet magazine I mentioned has a whole article dedicated to SMS troubleshooting. When people ask me if I’d prefer SMS over Group Policy, I’ll tell them “Even if you gave me all the licenses I need for SMS, I’d still pick Group Policy over it any day.” Yes, yes, I know SMS has more features than Group Policy does.

But a Dodge Caravan has more features than a Mazda Miata. Get the picture?

In the end analysis what are the features people use when they buy that Dodge Caravan, er, SMS? Let’s look:

  • Software Deployment with targeting (which can be done with Group Policy Software Installation and WMI filters)
  • Hardware and software inventory (which can not be done natively with Group Policy but is, I hear, coming soon with 3rd party Group Policy tools.)
  • SMS has Software Metering tools—but no one I know uses it much.
  • SMS has compliance/patch-management tools. I do know some companies which do make use of these—but only because the free WSUS wasn’t yet available, and now they feel like they’re “locked in.”

So, why would I pick Group Policy over SMS even if someone handed me unlimited free licenses? The TechNet article in the same issue entitled “No Desktop Left Behind: SMS Troubleshooting Basics” about sums it up. Not to saturate you with all the steps the author expertly describes, but, holy cow does it ever take some troubleshooting skillz (that’s skillz with a ‘z’) to get to the bottom of things when SMS stops working. In a nutshell: SMS has about a zillion moving parts. The author expertly demonstrates how to “trace” where the problem is within all those moving parts.

In a basic (very basic) comparison, the same operation (software deployment) for Group Policy is refreshingly simple. There are, in short,many fewer moving parts to troubleshoot when things go wrong. Yes, okay, maybe I’m a little biased due to my love of all things Group Policy. And that isn’t to say Group Policy always works, either.

What I am saying, however, is that when Group Policy “breaks” it’s a much easier proposition to figure out where the problem is, then actually get to fixing it. For the record, in case you think I’m making stuff up here to specifically beat up SMS, I am certified in SMS 2.0 and do know a little about what I’m talking about. (And, yes, I know SMS 2003 is a different, though similar animal.)

Simpler is better

Okay, poor SMS. I just beat it up a little bit, and I’m feeling a little guilty here. But, ask yourself if you need a tool like SMS at all.

If you need it—you need it.

But, the question is do you really need it?

I've personally met a handful of people who seem to be with me; ditching SMS and Tivoli (and the like) for a pure Group Policy-based solution to their management.

Here's the thought process: By not introducing an SMS-style tool, you’re reducing complexity.

Again, the Group Policy moving parts are already built-into the operating system.

So, if you can make use of the moving parts inside the box, my advice is to do so.

Now, let me be super-clear before the hate mail comes in from the SMS team (or SMS-style product companies). As I said: if you need it—you need it. That’s the trick, and the trap I see many organizations fall into. Many organizations inadvertently increase their complexity by adding an SMS-style management tool for not a lot of benefit. When I ask people “Why did you end up deploying your SMS-style tool?” The #1 response I get is “We needed a way to distribute software.” And 10% actually use the overall “power features” SMS provides over Group Policy.

So, again, my feeling is that, yes, an SMS-style tool is great—if it truly gives you something you cannot achieve a different way. Again, SMS provides software distribution, hardware and software inventory, patch management, image deployment, and software metering. If you need something on this list that Group Policy cannot do natively (or enhanced with third-party tools) then, yes, go get it.

But, if you don't need it—why introduce it, even if you’re getting the licenses for free?

Wrapup

For the love of Pete (whoever he is) do NOT email me directly about this rant. While I strive to answer everyone’s email, I’m making an exception in this case. It’s not because I don’t love you, it’s because I want you to respond publicly here where we can all talk about it. Key points to talk about:

  • If you’re using the BDD…why? What does the BDD give you that other methods do not?
  • If you’re using SMS+OSD…why? How’s it working out for you?
  • How can you add drivers when Windows runs using the BDD or SMS+OSD?
  • If you’re using the “Jeremy Method” of RIS + Group Policy + MSI, how’s that working out for you? Was getting to the MSI promised land a tough haul? Did you succeed, or give up?
  • Why save user state and restore it using the USMT during the BDD or SMS+OSD process? If you’re using the network properly (redirected MyDocs and Application Data), what precisely are you saving by using the USMT?
  • Has anyone introduced an SMS-like product only to then realize it was overkill and the same task could be performed via Group Policy? How did you handle that?
  • Or, is SMS your life blood and you’re using it for a task I didn’t describe here?

Thanks for listening.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)

-and-

Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)  

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.
You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.
So, learn to properly drive that "Ferrari" you bought by coming to a class! Classes for first half of 2006 (lots of date changes since the last newsletter. Sorry about that.):
Mar 30-31, 2006: Sacramento, CA—This class is ON. If you want a seat, I suggest you sign up now. Only three seats left!
Apl 18-19: Atlanta, GA
Apr 20-21, 2006: Tulsa, OK (not Okla. City, as previously reported.)
Apr 26-27, 2006 (new class): Richmond, VA
May 15-16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: https://www.gpanswers.com/workshop (Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or,if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does the have distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.

Upcoming Appearances and schedule

It's going to be a busy month for me. Embrace the travel! Love the airport. Embrace the security dweebs patting me down. Well, maybe not.

Here's my ever-so-brief schedule.

NetPro Directory Experts Conference: Mar 26 - Mar 29

I'll be speaking on Windows/Linux authentication integration. My speech is 9.15 Tuesday the 28th. www.dec2006.com/agenda_tues.cfm

Linuxworld Boston: Apl 3 - Apl 6

Again, on Windows/Linux authentication integration. My specific speech date is 4/4/06 and it'll be at 2.30 PM. Hope to see you there !tinyurl.com/7dspg

WinConnections Orlando: Apl 9 - Apl 12

I'll be speaking on a variety of topics at this WinConnections. "Group Policy Toolbelt", Shared Computer Toolkit" & "Windows–Linux Integration: Authentication Services" and a 3-hour Group Policy Pre-Conference warm-up. www.winconnections.com

Microsoft Teched Boston: Jun 11 -1 5

Again, on Windows/Linux authentication integration. Don't know my exact speech date yet. tinyurl.com/7lktw

Thanks, Netpro!

Recently Netpro had a cool webinar, and they mentioned us—GPanswers.com. Neat! Thought I’d return the favor. Here’s how to check out the webinar with a good message for anyone managing Active Directory. WEBCAST: 16 Steps to a healthier and happier Active Directory

Before going about securing Active Directory, you should make sure that certain configurations have not created unexpected security holes. In this webcast, NetPro CTO Gil Kirkpatrick will examine various aspects of Active Directory, from backup to DNS configuration to Group Policy management, that, when executed properly, can ensure a secure installation. Register here.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected]

If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who emails.

Thanks for reading!