MDM & GP Tips Blog

Jan 2012
31

Clean Naming for GPOs (Notes from the field): Part II

Team:

I wanted to share with you some of your peers humble suggestions for Group Policy naming. Again, what works for THEM might NOT work for you, but at least it can give you some food for thought.

From Ondrej in Slovakia:

I use names for GPO and I think it’s good way to have them this way:

GPO_RDS_APP_Office2010_v01
-    GPO – to make unique name for GPOs
-    RDS – name of part of change (Remote Desktop Services)
-    APP – managing APPlication (Software Restriction)
-    Office2010 – name of application
-    V01 – version of GPO

GPO_DisableIPV6_v01
-    GPO – to make unique name for GPOs
-    DisableIPV6 – short accurate name of changes in GPO
-    V01 – version of GPO

I think it’s very good to have versioning of GPO policies. When I change GPO I increase version number and I keep max 2 older GPOs for just history and help to find out changes I made.

 

From Charl in South Africa

who has 2,000 GPOs !

(edited a little for clarity):

"Here’s what we do:

-If the policy is domain linked, the GPO will start with the name of the domain it’s in; this works very well if you have multiple domains.

– For the GPOs linked to our old servers structure we kept the names as starting with "Servers" and these are slowly being migrated to the new servers OU structure and the names for these GPOs start with NS (New Servers – OK, it’s actually my company’s name that starts with an N, followed by S for servers).

– The OU is "Nxxxx  Servers". Next up is the GPOs linked for the XP OUs and they start with XP and similarly the Windows 7 GPOs start with NUW (Again, first letter of my company’s name being an N followed by U and W which stands for Users and Workstations).

– The next part of the name is followed by a dash (-), C and/or U and then another dash (-). This indicates whether the GPO has the Computer, User or both nodes enabled.

– The next part of the name indicates what the function of the GPO is and if there are multiple functions, these are separated by commas (,).

– Lastly, the name ends with a colon (:) followed by the department who ‘owns’
this GPO, i.e. Security, ServerOps, End User Computing, etc. Again, we only have about 5 owners.

So, on a daily basis I use the GPMC scripts to dump all the GPO names into a single file, DTS/SSIS then into SQL and then the fun starts:

– By using the dashes, commas and colons as separators, I can see with a stored procedure, which GPOs do not have owners as there is no colon and one of the owners defined after the colon. Which GPOs do not indicate whether they are Computer, User or both nodes-enabled GPOs.

– I can see which GPOs do not conform to the proper naming convention. It it does not start with a one of the five top-level GPO names, I know immediately that I have a problem.

– Digging a bit further (all automated now!) I can even see who made a GPO and indicated it is a Computer GPO, but the User node is still enabled. The exception reports only run IF something is wrong and the GPO guys from Server Ops know that Big Daddy form Security is watching them.

– For GPOs linked lower down, we use the abbreviations of the child OUs in the GPO name as well just after the top-level name.

So, by looking at a GPO name, I can identify where it is linked, whether is Computer/User/both, function and owner. Here’s an example:

I.e. XP-C-Power management, Screensaver lockdown:SO

I can quickly parse this, and see that the GPO is linked to OU containing XP machines, Computer node enabled, sets power management and screensaver and belongs to Server Ops.

How’s that for being in empowered?"

Jan 2012
25

A Clean naming Convention for GPOs

Many people ask me: Is there an ideal way to name GPOs?

Well, yes and no.

First, the big problem is that the swimming pool where the GPOs live that is, the Group Policy Objects node in the GPMC just sort of all runs together. One big blaaaah of all the GPOs.

So, first off there is no way to partition them or organize them. They're all just there.

Therefore, having a naming convention that works for your company could prove to be a lifesaver.

There no right or perfect way to create a GPOs name. One suggestion is a four part naming convention.

Part I: The Where.

Part II: The What.

Part III: The Who

Part IV: The Type.

For instance a GPO might be in charge of opening Port 123 on Sales Computers. Great. So, here's a name I might use:

EAST SALES COMPUTERS Firewall Open Port 123 (C) – JeremyM

All four elements are there. And in the Group Policy Objects list, all the GPOs are listed Alphabetically, so you'll see each Where together quickly. The (C) tells me that the C-omputer side of the GPO is used and not the user side. The name on the end shows who is the ultimate owner of the GPO or who is in charge or who to contact for issues or updates. (You could also put this in the GPO comment fields.)

Another perfectly fine choice is to re-arrange this list. Like:

(C) EAST SALES COMPUTERS Firewall Open Port 123 EAST SALES COMPUTERS – JeremyM

This will sort with all the Computer side GPOs grouped together first, then WITHIN that, all the EAST SALES COMPUTERS linked GPOs.

Again you're welcome to have the names be anything you want.. just note that whatever's first that's what's sorted upon based upon Alpha. Having all four elements makes things a lot easier, in this guys opinion.

A final trick here, is that sometimes I use an Underscore character _ to signify GPOs which are domain linked or are special in some way. For instance  _PolicyPak License GPO Expires 1-1-14 will bubble up to the top quite easily seen by everyone (as underscore is sorted BEFORE the letter A.) q

What's your naming convention? There's Shoot me your email with your solution. Thanks !

Dec 2011
21

Office 365 - Lync download (broken. Annoying.)

If this saves you an hour, I have done my due diligence.

In short, if you’re trying to get a new Win7 machine going with Office 365, installing the Lync client is the first step.

Except the download won’t "start."

image

I even ran Process Monitor against it to see what it was doing, and the install is in an endless loop looking for an MSI registry key that doesn’t exist.

Sigh.

Well, there IS a workaround, but I had to dig for it.

Look for a nice post from a helpful Microsoftie here. This helped me out, and hope it will help you out too.

http://community.office365.com/en-us/f/166/p/16355/75977.aspx?PageIndex=2

Nov 2011
14

Managing XenApp using Group Policy - Part I

I’ve been playing with XenApp 6.5 the last couple of weeks. I’ve been thinking a lot about Group Policy with regards to Citrix and XenApp servers. Really, there’s two pieces:

  1. Managing Applications and settings for users on XenApp servers … and…
  2. Managing the XenApp servers themselves.

This is just part I: Managing Applications and Settings for Users on XenApp Servers.

Managing Applications and Settings for Users on XenApp Servers Using Group Policy

One of the things that people ask me over and over again is… "On my Citrix XenApp servers, is there any way to manage my common applications’ settings using Group Policy?"

Here are the three normal ways you can do this:

Application Has an ADM/ ADMX template

Unless the application has a managed way to deal with it’s settings (ADM or ADMX template) you’ve got a problem. Office applications have ADM templates. Great. But name five other applications with ADM or ADMX templates.

In short: You can’t.

Managing XenApp Applications Using GP Preferences

In some circumstances, you could use Group Policy Preferences if you knew exactly what registry punch to punch (if available.)

Here’s a blog entry from Mr. XenApp Blog (Eric Haavarstein), on exactly how to do this. And, he shows how to use a tool from Fellow Enterprise Mobility MVP Mark Heitbrink which converts registry punches to GPPReferences Registry items. Awesome !

So, the blog entry is: http://www.xenappblog.com/2011/group-policy-management-import-registry-files/

And Mark’s tool is found here: http://reg2xml.com/

True Application Lock Down PLUS non-Registry based Applications

I like the tip from Eric and the tool from Mark. They’re great if that’s all you need to do.

But they DO have two major limitations. How to you still perform:

  • Dynamic changes if you want to. Do you know what to tweak any specific entry if you needed to to make a simple change? Ouch. Painful.
  • True lock down so users can’t work around your settings? You can’t do that with Group Policy Preferences. Users can just change the setting you put down.
  • File-based applications like FireFox, OpenOffice, Flash player, or others? You can’t manage those with Group Policy Preferences (since their stuff doesn’t live in the Registry.)

So what are you going to do?

Good news.

PolicyPak Software (www.PolicyPak.com) can do this. Big time.

Here is a video to show you exactly how you would do this.

The "cherry on top" is that PolicyPak is fully CitrixReady and also works with XenDesktop. Here’s a video for that too: https://www.policypak.com/technology-and-downloads/policypak-expands-xendesktop.html

If you’re interested in trying this out for yourself, you’ll need to sign up for a demonstration at www.PolicyPak.com/webinar. After that, you can get the download can give this a try yourself.

Oct 2011
11

Why isn't Group Policy Working on this Client?

Answer: Did You Check the DNS Configuration of the Client?

One of the most frequently encountered problems with Windows 2000 and above is that things just ‘stop working’ when DNS gets out of whack.

Specifically, if you’re not seeing Group Policy apply to your client machines, make sure their DNS client is pointing to a Domain Controller or other authoritative source for the domain. If it’s pointing to the wrong place or not pointing anywhere, Group Policy will simply not be downloaded.

As a colleague of mine likes to say, ‘Healthy DNS equals a healthy Active Directory.’

Moreover, in the age of multiple forests and cross-forest trusts, Group Policy could be applying from just about anywhere and everywhere. It’s more important than ever to verify that all DNS server pointers are designed properly and working as they should.

For instance, if clients cannot access their ‘home’ Domain Controllers while leveraging a cross-forest trust, they won’t get Group Policy.

Finally, to put a fine point on it, DNS leverages only the fully qualified name.

It’s not enough to verify that you can resolve a computer named xppro1 as opposed to xppro1.corp.com.

The first is actually the NetBIOS name and not the fully qualified domain name.

The second is the fully qualified domain name.

If you find yourself in a DNS resolution situation where resolving the NetBIOS name will work, but the fully qualified name will not work, then you have a DNS problem that needs to be addressed.

Oct 2011
03

I'm not perfect

But I do try. ?

Sometimes "imperfections" make it into my book. So, with that in mind, I’ve posted a list of the known errata for my Group Policy: Fundamentals, Security and the Managed Desktop book. It’s right here:

https://www.gpanswers.com/books/book-resources/

Also, for item #3, I created a video to show you how it’s done. Check it out here:

http://youtu.be/T6qkKtt0Mjk

Enjoy, Thanks !

Sep 2011
11

Group Policy "Vocabulary"

Let’s take a step back and get some of the terminology of Group Policy down. I find that when I’m talking with IT folks, sometimes they “blur the lines” here and there.

I’m a “precise” kind of guy, so if you are too, hope you’ll enjoy these definitions.

 

() Group Policy: The mechanism in Active Directory which allows administrators to perform
change and configuration management and policy-based management.

() Group Policy Object: This is the “noun” of Group Policy. The “thing” you create which allows you to make the control happen.

() Policy setting: This is one possible setting within a GPO you can perform. For instance, “Prohibit access to the Control Panel” is one Policy Setting.

() Enabled: One of the three usual settings within a policy setting. Enabled means “do this thing at this level.” So if you “Enable” something, you’re saying to “do it.”

() Disabled: Disabled can have several meanings. But usually it means “if set at a higher level, then un-do it.” For instance, if at the Domain Level you ENABLE “Prohibit Access to the control panel” then at the OU level you “Disable” it, you’re effectively reversing the setting.

() Group Policy Preferences: Sometimes called Group Policy Preferences Extensions. In the book I call these GPPEs or GPPrefs for short. GP Prefs are 21 new superpowers which add to the original 18 “in the box” superpowers.

() Item: Any time you create a new “thing” with GP Prefs, you create an “item.” Items can be Shortcuts, drive mappings, ODBC settings and a whole lot more.

() RSoP: Resultant set of Policy. This is the “sum total” of all the settings a user or computer is supposed to get. You can run various tools to see RSoP reports, but not all reports work the way you would expect with the new GP Prefs.

() GPMC: Group Policy Management Console. There are several versions of this tool. The latest works on Windows 7 or Server 2008 R2.

() RSAT: Remote Server Administration Toolkit. Remember “Adminpak” for WS03? RSAT is kinda like the Adminpak, but it works on Win7 or Server 2008 R2 and has the newest GPMC.

() AGPM: Microsoft’s Advanced Group Policy Management tool. It’s an add-on to the GPMC you already know and love. It doesn’t add more “stuff” to the desktop, but adds “Change management” and workflow to Group Policy.

() GPanswers.com: Your secret place to get smarter in Group Policy. Pass it on. (Not everyone is on this super secret newsletter, but if you think they should be, please send them to GPanswers.com where they can just sign up.)

 

This is GP 101.. If you’re ready to take your game to the next level, join us in San Francisco on Dec 5th 2011 for a 5 day intensive GP training workshop!

www.GPanswers.com/training !

Aug 2011
22

Supercookies.. the ugly snack you can kill using Group Policy

Here’s the deal: You know what cookies are. They’re little text files which save little bits of data about you. Say, the username of your favorite website, when you click "Remember me."

When you clear our your Internet Browser’s cache and cookies (say, in IE, Firefox, Chrome, etc) you wipe these files out.

Poof. Easy.

But what if a website decided to do a handful of "evil things." First, let’s say they read these cookies on your computer. Next, they used these cookies to build a "profile" about you, then store that profile in a secret area that cannot be quickly cleared out.  So, here’s the one-two-three punch:

() Punch #1 — the "profile" part is built so they can target you with ads on things they know you’re searching for. Say, Diapers, Diamonds, or Disinfectants.
() Punch #2 — the normal cookies part isn’t stored in your web browser’s normal cookies location. It’s often stored in the special cache within something you likely have on every desktop: Flash Player.
() Punch #3 (theoretical): Sell your personal / company data to the REAL bad guys.

Ow ow ow ow ow.

So, yes, indeed. Flash Player has a cache that can be used to store data — any kind of data, like personal data.

Hence the term — Supercookies. Because when you "clear cache and cookies" you don’t clear this out.

Great ! Just what we need .. another computer threat !

Okay, so how do you prevent the threat? There are two kinds of people I want to give the answer to: NON-IT folks and IT folks.

 

NON-IT Folks:

This advice will help if you have a handful of computers, because you’ll need to run around to each machine.

Option 1: Control Panel

Go to your Windows Control Panel, type in the word Flash as seen here then click on the Flash icon that appears.

image

 

Then, on each computer change the setting to "Block all sites from storing information on this computer" as seen here.

image

Boom. No more supercookies.

Option 2 (Still for Non-IT folks, but untested.):

There’s a special web page you can go to which should perform the same thing — only it’s a web page, and not your real control panel.  I’ve read that this MIGHT work for some versions, and not for other versions, so I wouldn’t rely on it if you really needed to… but I’m adding it here for completeness. Here’s the page anyway (use at your own risk.)

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html#117498

 

IT-Folks (Protecting your enterprise)

So, I’m sure you know where I’m going with this if you’ve got a lot of computers to manage: Use Group Policy!

Problem time though… Flash has no ADM / ADMX template to manage. It turns out Flash stores it’s files in a weird place, in a weird format, and as a system file.

So, you can’t use "out of the box" Group Policy to configure it.

Not to get all "commercial", but I created a video for you to see how lots of companies are handling this latest security threat.

Here’s the link: https://www.policypak.com/products/manage-flash-player-using-group-policy.html

TIP: If you’re truly impatient, fast forward to the 3.00 minute mark.

TIP 2: Sign up for one of my webinars and see how you can mitigate other security threats lurking in Acrobat, Java and other key components of your systems!

Here’s the link: https://www.policypak.com/component/gpa/?view=webinar

 

Talk soon!

Jeremy Moskowitz, Enterprise Mobility MVP

Aug 2011
09

The EASY way, is the HARD way. The HARD way, is the EASY way.

This week’s tip isn’t technical. It’s philosophical.

I had a mentor who once said to me: "The EASY way is the HARD way. The HARD way, is the EASY way."

What the heck is he talking about?

Here’s an example. I live in the city, and I own a scooter.

I usually take my scooter to the scooter shop all the way across town. A whole 12 minutes away! I’d also need to be "picked up" and wait half the day to get it done. OMG, who has time for THAT !?

So I figured, okay, why don’t I just bring my scooter to my corner car repair guy — who is awesome and reasonably priced, and does great work on my cars. He says he can do my oil change in a ‘jiffy’ (oil change pun intended.)

I take the scooter over there. Its a mere 60 seconds from my house (maybe less.) And he says "No problem I can just do this while you wait."

"Awesome!" I think.. "All the TIME I’ll save."

Then he starts taking various things apart. The WRONG things apart. I literally see a spring pop out of the whatever-the-heck-he’s-working-on and it (no joke) rolls down the street.

He gets the spring, puts it back together and says.. "Oops.. that wasn’t it."

Then he does end up finding the right oil drain. And drains the oil to transfer to an Eco-Friendly recycle vessel.

He comments: "Oh wow.. this oil weird. Its green! That’s wild.. I’ve never seen that before."

Now I have sinking "pit of my stomach" feeling that I’ve just done something wrong. Wrong guy — wrong tools — wrong skills.

"So, Jeremy, what kind of oil does it take? 10w-30 ?"   Arrgh.. I’m NOT the car / scooter professional. How the heck am I supposed to know?

So, now I’m finding holding the owners manual, flipping thru it, and it says "HP4 oil only" which is apparently a Honda-specific thing, and.. so, he pokes around his shop, and, of course, doesn’t have what I need.

I -could- have scooted to Pep Boys and maybe get it myself, but now my oil is drained out the scooter — rendering it unscotter-able, and I’m stuck there. Grrr.

"Hmm.. Pep boys can deliver it to us.. will take most of the day to get it." he says.

What started at 9.00 AM is now done by 5.00 PM. Fine, all fine. We got what we needed and it’s all done and fine.

But… What’s the moral of the story?  

The EASY way was the HARD way.  The HARD way was the EASY way.

So, when we try to take the EASY way, it quite often "ends in tears" (as a friend likes to say.)

We TRY to take a shortcut.. using the wrong tools, people or technology to get the job done. Hoping to save some time, or a buck.

And what do we get? Sometimes, you get lucky and it works out great. But, if you’re like me, any "easy" shortcut ends up hurting — painfully.

What would the "hard" way have looked like:

  • Using the RIGHT place — the scooter shop.
  • Using the RIGHT people — the professional scooter dudes.
  • Using the RIGHT tools — the right OIL they have in stock.

The "hard" part about this would have been to get picked up or just wait the hour to get it done at the RIGHT place. Indeed, the HARD way really wasn’t that HARD at all, now was it?

And, going the "hard way" — I would have saved the heartache of seeing my scooter "spring apart" by the wrong guy.

Oh sure.. the scooter is fine now. But was it worth the risk of going the "easy way?"

Next time you have an important decision to make remember: The EASY way, is the HARD way. The HARD way, is the EASY way.

Jul 2011
25

How to Troubleshoot ANY Computer Problem (mostly) -or- the Zen of Enterprise Computer Troubleshooting

This tip is a blast from the past, but I've re-tooled it for today, because this has been on my mind again recently.

But we all have troubles with computers. That's our job. But if you can follow these simple suggestions, you can troubleshoot yourself out of just about any computer problem Group Policy or otherwise.

So, let’s dig in and talk about the Zen of Enterprise Computer Troubleshooting.

First thing’s first: duplicate it.

Having one machine, in isolation does NOT a big problem make.

It FEELS like a big problem when Sally’s machine isn’t processing GPOs, or when my own laptop refuses to run Application XYZ today, but it did yesterday.

It’s frustrating, and infuriating, annoying, and .. well… that’s not the point.

The point is, my friend, it’s an "isolated issue." And honestly, isolated issues are just that. Isolated.

Until you can get another machine to do exactly the same thing, you really have no problem to troubleshoot at all, enterprise speaking.

Your problem feels big. But, honestly, until you can duplicate it, it’s shaky grounds for troubleshooting.

If the problem is in virtual world, like VMware, or HyperV, try to reproduce it in the physical world just to rule that out. Weird stuff can live inside those virtual worlds sometimes.

Second thing: Log Files — The application log and Windows Logs and the applications log

Next, let’s not forget about log files.

Many areas of the computer have various logging levels. When it comes to troubleshooting, 8 out of 10 times, I just lose my brain and forget to check the most obvious of places: the logfiles !

Start out by checking Windows Application and System logs. An application may quietly write the secret answer to your problem in those logs, and bingo.. problem solved.

Logs help you keep your sanity, because you can prove to yourself, after 20 hours of working on something (and you’re starting to see flying purple elephants)… that the thing  you think you’re seeing is something you’re actually seeing.

Many applications, themselves, have log files. Digging into those can sometimes be key gateway to figuring out what the problem is.

 

Third Thing: Shoot a video of the problem

If you're trying to reproduce a problem that you can't easily produce, use Camtasia or some other screen capture utility to actually watch yourself reproduce the problem. This is the ultimate tool to prove to the developer (or the boss) there really is a problem here.

It could get you a quicker repair, more time to troubleshoot, or the funding you need to take your problem to the next level.

In a recent case for me, I saw the problem.. got it on video .. then was never able to reproduce it again.

Having it on video was awesome to have, because at least I knew I wasn't crazy. After hours of trying to reproduce the issue again, at least I had something to prove I did get the problem to fire off one time. Closer inspection of the video (the next day) showed I had a different networking connection the first time, versus all the next times.

And.. Bingo. That was my problem.

 

Forth thing: Ask for help

Googling / Binging / Technetting for a solution can only take you so far. Don’t be afraid to ask a college or trusted friend for help, look over your shoulder, or help in troubleshoot. That's a good way to show someone what you've done so far and what did and didn't work.

(PS: This shouldn’t be blanket permission for everyone to just email me when they’re having their own personal Group Policy struggles.. For that we have the community forum at GPanwers.com, okay? ?

Additionally, give that "helper friend" permission to suggest WILD IDEAS. You’ve already thought of all the easy stuff. Now give them permission to "go a little crazy" and suggest some off the beaten path solutions to your problems.  In short, I’m saying to leverage the resources you have. I have my own "inner circle" to leverage when I need help, and you should foster yours. Know where to post and request help for issues when you need help, and learn the kinds of responses you can get from those systems.

Fifth thing: Learn to Give up.

Here’s something about me that you may not know. I do yoga.

I’m no "yoga superman" or anything. I’m 6 ft 2 and weigh, well, more than I should.

But the point is, that I really love it. And why? Well, beyond the health reasons, there’s  something more.

I get to understand my own limitations. Instead of stretching my body to a stupid level — where I might grab my legs behind my ears and actually hurt myself– I know to "give up" and do something else more productive during that time.
Even if I’m little embarrassed that the WHOLE CLASS can do the stretch (whatever it is), and I can’t – I don’t care. I try to put that whole "pride thing" behind me and learn to acknowledge my own abilities. Why? Because I’m 6 ft 2 "big guy", and not 5 ft 3 "Yoga gal." We’re going to have different limitations. I can’t stretch like she can, and she can’t lift two 5 gallon water bottles into her house up two flights of stairs at the same time.

Why bring this up now? Because after you’ve done all the proper troubleshooting you can, and after you’ve asked all the people in your inner circle, and after you’ve hit the books, and after you’ve Googled / Binged your brains out… it’s time to give up.

 

Learn to GIVE UP.

 

But learn to give up in the right way. Microsoft product support (PSS) is there for you to troubleshoot your Microsoft related stuff.

Heck, you might have free support incidents as part of a Microsfot Technet Plus subscription or other channel.

The point of all of our jobs, at its core is to SOLVE PROBLEMS with the TOOLS WE CHOOSE.

I can swing a hammer only so much before I need to call in a carpenter and show me what

I’m doing wrong.

It doesn’t help our companies or our personal sanity to keep swinging the hammer only to find we really needed a screwdriver and a blowtorch and a lesson in how to use those tools in the first place.

Not to get all "touchy feely" here, but there is a point we all need to find it within ourselves where we say: "I’ve done all we can. It’s worth X dollars in value to me to get the answers I need to continue being effective."

So I do personally call Microsoft Product Support Services when I'm at the end of my rope.  They do an AMAZING job and will not close the support call until YOU are satisfied the problem has been solved. I love that.

 

How does this tie in to Group Policy Troubleshooting?

I want you to think of the above steps as overall advice, and not specifically for Group Policy.

As for Group Policy troubleshooting, or troubleshooting in general, my (recapped) suggestions are to:

  • Validate your findings on another machine. Just one machine in isolation does not a "problem" make (even if you’re tempted to feel that way.)
  • Try similar and dissimilar machines. If the problem is happening on XP, does it happen with Windows 7 too? Vice / Versa?
  • Have you been able to take screenshots or videos to share with others?
  • Have you asked someone on your "inner circle" to look over your shoulder to make sure you didn’t just make a bone-headed mistake?
  • Have you enabled all the logs you can? In GP, for instance, there’s at least three Windows event logs and also some auxiliary logs for "GP-related" functions like MSI packages, etc.

Of course in my class, you'll learn incredibly practical tips on troubleshooting Group Policy specifically, with precise step-by-steps using what I've learned over the years.

That will help you get out of hot water faster and back in business usually the same day.

See you in class.. !