DNS

Your DCs should be pointing to each other for DNS and your clients should be pointing to the DCs. If your clients are using other DNS servers, you’re going to have problems at some point. If you are, for some reason, required to use third-party DNS for external lookups, put those DNS servers in as Root Hints servers instead of pointing clients or DCs at them.

Just Say NO to top level policies

The Default Domain Policy should be your only top level GPO unless you have a really good reason to add more. In addition, the Default Domain Policy should be edited very sparingly. Why? Anything you link at the top level applies to EVERYTHING in your Domain. Do you really want all of your servers and Admin accounts locked down with the same policies you give to everyday workstations and standard user accounts? Decide on an organizational structure for your OUs where you can link your GPOs instead of linking them at the top level.

Group Policy doesn’t apply to Groups

Despite the name, you can’t apply Group Policy to a Group directly. GPOs can only apply to users and computers. If you need it to apply to a group of users or computers, you’ll need to remove Authenticated Users from the Security Filtering for the GPO and then put your group there to apply it to your subset of objects.

Getting a 5 minute hang at logon?

You’ve got a logon script problem. The default timeout for scripts is 5 minutes.

Group Policy Preferences not applying in XP (or other older OS’es)?

Is the CSE installed? Pre-Windows 7 OS’es will ignore Group Policy Preferences unless the Client Side Extensions are installed.

Enforced policies & block inheritance

If there are GPOs at a higher level that you don’t want to apply, you can use the Block Inheritance option on an OU to stop those GPO’s from applying. To combat this, a GPO can be set as Enforced so that it can’t be overridden at a lower level. If you can avoid both of these options, do so. They can cause major headaches.

Is something disabled?

This is something you’ll see in gpresult.exe output. When you right-click on a GPO, the Link Enabled option should be checked. If it isn’t, the icon next to the GPO will be lighter than other GPO’s. Also, make sure that the GPO Status in the Details tab of a GPO is set to Enabled.

Are you applying settings to the right OS version?

If you’re running a mixed environment of XP, Vista, and 7 like just about everyone, make sure that the policy that you’re trying to apply wasn’t intended to a different OS. When you’re editing a GPO, each option will have a “Supported on” area that tells you which operating systems are supported.

Group Policy – Supported Windows version

Permissions

This is also something that will show up in gpresult.exe (seeing a trend here?). By default, the Security Filtering for a new GPO is set to Authenticated Users; that’s everybody including Domain Users and Domain Computers. There’s no reason to change it unless you only want that GPO to apply to a subset of objects. You can put Deny’s in the Delegation, but I won’t usually recommend it.

File/share permissions

If you’re storing scripts outside of Sysvol, deploying software, mapping drives/printers, or using Folder Redirection, file and share permissions are your biggest enemies. Double, triple, and quadruple check them and they could still be wrong. If you’re having problems accessing a network resource, try connecting to it manually to see if you still can’t connect. The Event Log will also tell you if your user/computer can’t access the resource.

Precedence

Lowest linked GPO wins. If there is a top level policy set by a Domain Admin and 16 sub-OUs down there is a conflicting policy set by a departmental Admin, the lowest linked policy will win out unless the Enforced option has been checked. When in doubt, go to the OU in the GPMC and check the Group Policy Inheritance tab and you’ll be able to see the order they are processed.

Group Policy Precedence

Slow links

I’ve seen a few networks where the clients would detect that they were on slow links even if they weren’t. You’ll see in your gpresult.exe output if the client thinks it is on a slow link. If this is a continuing problem, you can disable slow link detection in Group Policy in Computer Config, Policies, Administrative Templates, System, Group Policy, Group Policy slow link detection, and set it to 0.

Loopback processing

No user polices? Check to see if Loopback processing is set to Replace.

Misplaced Objects

Is the user or computer where they’re supposed to be? I helped someone troubleshoot a problem for three days only to discover that the user account was in the wrong OU. Moved the user, refreshed the policy, problem resolved.

Apply policy to the correct object type

Make sure that you’re applying user polices to users and computer policies to computers. Separating your users and computers into separate OUs makes this easier to keep track of.

Folder Redirection oddities

Folder Redirection can do some weird things if you don’t watch out your settings. If you’re migrating to a new server name and moving all of the files yourself, make sure that you disable the option to move the users’ files to the new location. If not, you’re going to wind up with some angry users with missing files.

If the move option is disabled in Windows 7, the old folders will still be left behind even if a user logs in to the computer for the first time. You’ll either need to delete those folders or change the option to move the contents of the folder.

If you’re redirecting the My Documents folder, make sure that you mind the naming convention that the GPMC uses. If your file server is still using the old “My Documents,” the GPMC may try to change that to just “Documents.”

• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)
• Troubleshooting Group Policy – Part 1: User communication (0)

DNS

If you’ve gotten to the point where it looks like Active Directory (AD) is the problem, you’re most likely looking at some kind of replication issue. By far, the most common cause of AD replication problems (short of failed DCs) is DNS. Are you using AD integrated DNS? Are your DCs pointing to each other for DNS? Are the firewalls between each DC open on the correct ports?

Event Log

So the obvious place to look first is the Event Log. If you’re having replication problems, you’ll have errors in the Event Log, most likely a lot of them. Take a look here first for anything actionable.

GPOTool

GPOTool.exe is a handy utility that Microsoft puts into the Microsoft Product Support Reports suite of utilities. It is buried a bit, but after extracting the executable before installing the tools, GPOTool.exe can be found in your computer’s temp.

Running GPOTool.exe from one of your DCs without any switches will run through all of your GPOs and verify that your Group Policy Templates and Containers are synced and consistent across all of the DCs. You can also use the /gpo option if you just want to check one specific GPO.

GPOTool

Sysvol Replication

Are you still using FRS for Sysvol replication? Move to DFSR.

If you’re stuck on FRS, Microsoft has a great tool for troubleshooting FRS replication issues called Ultrasound.

If you’ve moved on to DFSR, you can run diagnostics by running the DFS Management snap-in, go to Replication, Domain System Volume, right-click and choose Create Diagnostic Report. Choose Health Report and you can stick mostly to the defaults. On the Options tab, make sure to change your Reference Member to the PDC Emulator (or the machine you typically connect to for editing Group Policy).

DFS Diag

As you can see, my one DC isn’t having replication problems (thank goodness!). If it was, you would get some nice errors or warning that you could use to track down the root cause of the problem.

DFS Diag Report

In the last post of this series I will cover a few common problems.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)
• Troubleshooting Group Policy – Part 1: User communication (0)

When all else fails, reboot!

There are a few changes in Group Policy that require a reboot for the computer or a logoff/logon for the user. If you have clients that go long periods without rebooting or users that just lock their computers at the end of the day, this could be why some policies aren’t updating. If you’re deploying software to computers, using Folder Redirection, or have startup/shutdown scripts, you’ll need your computers to restart occasionally. The same goes for logon/logoff scripts, if you’re relying on scripts in your policy for changes, users will need to actually log out on occasion to get changes. If you can, time your policy changes that require a reboot with Patch Tuesday since the computers will, most likely, reboot to apply patches.

Wait… or run gpupdate

Group Policy refreshes every 90 minutes with a randomized offset of 30 minutes. If you change a policy right now, it could be as much as 2 hours before all of your clients get the policy. (Depending on how long Sysvol replication takes in your AD (or if you have a DC on the other side of a slow connection), it could possibly be longer.) If you made the change an hour ago and clients aren’t getting the setting, that’s completely normal. On the client, you can run gpupdate.exe to update changes that have been made to Group Policy. Running a gpupdate.exe /force will ignore any processing optimizations and reapply all of the Group Policy. Or, you can just keep on waiting until all of your computers complete their regular refresh.

gpupdate

Group Policy should refresh on its own without you having to manually run gpupdate.exe on every computer. Running the command manually is a great way for testing or to make sure a user/computer gets the change immediately, but shouldn’t be a necessity on every system. If gpupdate.exe hangs or generates an error, you may need to move on to the Event Log.

Gpresult

Gpresult.exe is a great invaluable tool for troubleshooting Group Policy that has been improved in Windows 7 and Windows Server 2008 R2. The output of gpresult.exe contains a wealth of information like what GPOs are applying to the computer/user, if the GPO was filtered, if the GPO is empty, whether or not the computer is on a slow link, security group memberships, OS version, site name, roaming and local profile locations, which DC the policy was retrieved from, and much more. Basically, gpresult.exe takes the RSoP data and turns it into something that a human being can actually read.

If you’re running the latest and greatest, you can run gpresult.exe /h nameofyourreport.html and get a pretty HTML report about what GPO’s are applying to the current user that looks just like the Setting tab in the GPMC. You may notice that the Computer area will be blank. Run the same command with an Elevated Command Prompt to see the Computer Area.

gpresult HTML output

If you don’t want pretty reports or want the output as text, you can run gpresult.exe with different options to get the output in text. The /r option will give you a pretty limited report that includes everything except the actual settings that are being applied. Personally, I like the verbose output with the /v option. By default, the output will be shown in the Command Prompt window. You can run gpresult.exe /v >> verbose_output.txt to save the output into a text file. If you want total information overload, /z provides “super-verbose” information.

gpresult verbose text output

Resultant Set of Policy (Logging)

Resultant Set of Policy (Logging) is available in the GPMC by right-clicking on a user or computer object, click All Tasks, and click Resultant Set of Policy (Logging). I personally prefer running gpresult.exe on the client side. RSoP Logging requires that the management station that you’re using have the ability to communicate with the remote computer which isn’t always available in every environment. Even if I don’t have physical access to or the ability to remote control the computer, I can have the end user email me the output of gpresult.exe for troubleshooting. I’ve even known people to stick a script on the computer that the user just has to click on to get the output without any pesky command line typing. RSoP Logging also gives the same output as RSoP planning, so it can be a little hard to look at. The output of gpresult.exe is much easier to look at and search.

Next steps

So now you know you have a problem and you have enough information to hopefully track it down. First, did the GPO apply? And, if it wasn’t, was it denied? You can get some of this in the Event Log, but it is usually easier to check your gpresult.exe output since both pieces of information should be there. If it didn’t apply or got denied, check the Event Log for more information about why the GPO didn’t apply or was denied. The potential number of possible possibilities you’ll see there are too great to discuss here, but you should get something good enough to search for online to resolve the problem. The typical causes are things like the Security Filtering, link not being enabled, GPO Status may have user or computer disabled, and issues with WMI filtering.

If the GPO did apply, but you’re missing settings, try a gpupdate.exe just to see if the client hasn’t refreshed. You’ll also want to refer to the gpresult.exe output here too. You may have a system on a slow link, a setting that isn’t applicable to the current OS, another setting taking precedence, loopback processing that is disabling the setting, or client side extension (usually Group Policy Preferences or third-party products) problems. If the output from gpresult.exe doesn’t tell you where the problem is, the Event Log should.

In the next post I will discuss Group Policy Active Directory problems.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)
• Troubleshooting Group Policy – Part 1: User communication (0)

So you’ve got computers or users with Group Policy problems. Where do you start? Troubleshooting any problem is usually a process of elimination. A lot of people want to run directly to the Event Log of the computer having the problem. Before jumping on the first computer where Group Policy is not applied, I suggest asking a few questions first so you can eliminate possible causes. A little detective work up front can make tracking down the actual problem much easier and may save you some time digging through logs.

Is this a local system or a remote (probably VPN-connected) system?

Some policies behave differently depending on whether a user/computer is connected directly to a LAN or remotely over a slower connection. For a remote user, the computer may have identified the connection as a slow link and may not be enforcing all settings properly. Additionally, some settings like Folder Redirection and scripts only run during a reboot and may require pre-logon VPN access to network resources like file servers or they won’t run. If the user is connected remotely, you may need to recommend that they connect to the VPN prior to logging into AD so their policy can process.

Were any changes made to Group Policy recently?

So this is probably the biggest no-brainer of all of the questions. If someone made a change, did the reported problem matched the change that was made? Was the change tested before it was rolled out to everyone?

Are there other cases where Group Policy is not applied?

If the issue is isolated to one person or one computer, you may be looking at an individual client issue. Do you have some users/computers getting the policy and others that aren’t? You may be looking at a clients that haven’t refreshed yet or a possibly even an AD issue.

If it is a subset, is there something unique about them?

Do any of the users/computer have anything in common that may relate to the problem they are having? Are all of the users/computers located at a specific AD Site? Are all of the computers running the same OS? Are all of the computers on the same subnet? Are they in the same building? Are all the users assigned to the same file server?

Does the user have Admin rights?

I haven’t seen it a lot, but a user with Admin rights can cause problems for Group Policy processing. Did the user change the assigned DNS servers? If you can’t get to the DCs, you can’t process Group Policy. Did the user go into the Registry Editor and make changes to any of the Registry keys related to Group Policy? Did the user make changes to the local firewall? Has the user installed any other kind of application that could be interfering with Group Policy?

Is the computer having hardware problems?

A bad stick of memory or a failing hard drive can play all sorts of tricks on a computer. I can’t say I’ve personally seen Group Policy processing issues because of hardware problems, but I have had someone try to blame a problem on Group Policy that ended up being a bad stick of memory.

Can you replicate the problem?

If someone else logs into the computer, do they have the same issue? If the user logs into another computer, does that person still have the same problem? If you drop a test user or test computer into the same OU and refresh the policy, are the Group Policy settings applied correctly?

Are there any outages known to IT?

This is another no brainer… If you’re having replication issues between your DCs that you or someone else is trying to resolve, it makes no sense to spend time troubleshooting Group Policy problems until the replication issues are resolved. If there are network issues that are disabling clients’ access to DCs, those network issues need to be resolved first.

Have IT infrastructure changes been made recently?

Was a file or print server replaced? Were any DCs upgraded or replaced recently? Has any network hardware like switches or firewalls been replaced/upgraded recently? All of these can potentially cause issues with Group Policy processing.

At this point, you are hopefully armed with enough information to help you track down the source of the problem if Group Policy settings were not applied. In my upcoming articles, I’ll discuss what you can do on the client and server side to track down and resolve your problem.

In my next post I will cover Group Policy problems that are related to client issues.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)
• Troubleshooting Group Policy – Part 1: User communication (0)

I can’t stress enough how important it is to test out your new Group Policy settings before you start pushing them out to end users. How do you know they will work correctly in the real world if you haven’t tested them in a controlled lab setting first?

Creating a Group Policy test environment

In larger environments, IT departments may have a Test Active Directory Forest just for testing things like Group Policy. Unless you’re applying Group Policy to thousands or tens of thousands of computers, that may be overkill for your organization. Here’s what I typically do to test:

In my Active Directory (AD) organization, I like to keep a “Test” Organizational Unit (OU) that mimics a typical OU for a department. In that OU, I keep the same sub-OU layout, a few test user accounts, and test computers (usually virtual machines) where I can put any of my test Group Policy before I make it available to end users.

Within the Group Policy Management Console (GPMC), it is very easy to make copies of Group Policy Objects (GPOs) by going to the Group Policy Objects container in the Group Policy Management Console (GPMC), right-click on the GPO, choose Copy, and then right-click again, and choose Paste. I usually make a copy of the original GPO and include “TEST” in the name and link it inside of my Test OU. This gives me an OU where I can make changes to my policy without causing problems for existing users or computers.

GPMC with Test GPOs

Should I use physical computers for testing Group Policy or virtual machines? Personally, I prefer to test with VM’s. Why? If you mess up and lock down a computer to the point that it becomes unusable, you may have to re-image the computer. With a VM, you can rely on snapshots to go back in time without having to spend time or effort fixing the problem. Just be aware that if you decide to use Microsoft Virtual PC, the Undo Disks functionality is limited to rolling back to the last state of the VM. If you’re running Hyper-V, that is typically my choice for VM testing. If not, you can either spend the money for VMware Workstation or get VirtualBox for free.

Test real world scenarios

When you test your new policies, ensure that you’re also testing against computers and/or users that had the old policies applied and that have been in use by real people. In a lab setup, operating systems have this habit of having cleanly applied images that have never been used. User accounts and the files and settings that account have access to are pristine and haven’t been customized or changed. Some user policies can be affected by previous settings in the user’s profile. The biggest place where this happens is Folder Redirection. You’ll want to make sure that the settings that you’re changing take both new logons and existing logons into consideration. A good way to do this is to have some users that can test your changes when you’re almost ready to roll them out to everyone.

Stage changes

Depending on the change you’re making, you may not want to roll it out to every user or computer at the same time. For major changes, I usually like to drop a few user and/or computer objects into the Test OU and allow those objects to run for a few days. In addition to being a good way to test how the change works in the real world, it gives me the chance to see if anything is going to break or cause problems for end users before the change is rolled out to everyone. It is much easier to deal with a few unhappy customers that are having problems than a lot!

“Dog food” your Group Policy

As an IT department, I highly recommend “eating your own dog food.” From a Group Policy perspective, that means that you should have the same GPO’s applied to your day-to-day user account and computer that all of the other users in the organization are getting. It should also mean that new policies should get applied to you first. The quickest way to see how a Group Policy change will impact end users is to use it yourself every day. How do you know that a particular script makes logons slow if it doesn’t apply to you every day? How do you know that the screensaver timeout is too low unless you’re constantly having to log back in because you have the setting, too? How do you know that disabling certain settings hamper a user’s ability to work unless you have to deal with the same issue?

Resultant Set of Policy (Planning)

I’m mentioning the RSoP in Planning mode last because I personally have never gotten much usage out of it. In Active Directory Users and Computers, you can right-click on a User or Computer object, click All Tasks, and click Resultant Set of Policy (Planning) to see how policies will apply to users and computers. RSoP Planning will let you pick a user and computer and then select options like Site, slow network, Loopback mode, group memberships, and WMI filters to see what policies will be applied to a user and computer.

RSoP Planning Wizard

The problem? The output that you’re given makes it impossible to see the results of your policies. You’ll have to manually dig through everything. It is probably quicker to have a VM, drop it into your Test OU, and just test out the policies yourself to see if you’re getting the results you want. The gpresults.exe tool (which we’ll get to in a later article) gives much easier to read results.

RSoP Planning Results

In the next part of this series I will outline how you can identify a Group Policy problem.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 1: User communication (0)

Group Policy is a great tool that can make your life a lot easier as a systems administrator. But, what do you do when computers or users aren’t getting the correct policies? In this series, we’ll take a look at things you can do to prevent problems, common problems people have with Group Policy, and steps you can take to troubleshoot misbehaving Group Policy.

“An ounce of prevention is worth a pound of cure.” — Benjamin Franklin. Those words definitely ring true for deploying new Group Policy settings. There are a number of things you can do before deploying changes that may cost you some time up front, but will definitely save you time and grief down the road.

Know your customer

How well do you know the business processes of the group that will be getting your Group Policy changes? If you’re planning on implementing Group Policy for the first time or making significant changes, these changes can potentially have ramifications on the business operations of the group that will be receiving the policy.

Take screensaver settings for example. Turning on the screensaver and locking the computer after 15 minutes may be perfectly reasonable in an office setting, but could cause major problems on a warehouse or factory floor where employees need to constantly see something on a screen, but don’t necessarily interact with the keyboard or mouse. On the other hand, 15 minutes could be way too high for a computer in a public location like a reception or customer service desk where someone could potentially walk in off the street and start using a computer that has been idle for a few minutes.

Engage your customer and find out how their department operates. Do they have software they use that no other department uses that could be affected by what you do? Are there things their employees are doing on their computers that they want stopped like setting personal wallpapers? Are the settings that you’re planning to implement going to cause problems for their business operations? Asking a few questions up front can potentially prevent things from breaking because of the unforeseen consequences of changes.

Communicating changes

If you’re making a change that is going to be noticed by your customers, you may need to prepare them for that. I helped someone roll out a company logo wallpaper and screensaver to around a hundred computers over a weekend. The change had been requested by the owner of the company to standardize their computers. Unfortunately, the change wasn’t communicated to the employees. On Monday morning, things were crazy for the lone IT person. Numerous employees logged support requests and several even complained to the company owner about the change. Ultimately, the policy change was left in place; but, a quick email from the owner about the change before it was made would have eliminated a lot of confusion from the employees and support requests to IT.

Even if the change isn’t necessarily going to be noticed by the typical user, you still need to let someone know that a change is taking place. Most Group Policy changes are fairly silent when they occur; the average user probably won’t know that something has been changed even if they are having problems. Having a few insiders in the office that are aware of the change can be very helpful once end users start encountering problems and may give you the opportunity to tweak the policy before the problem spreads to other users.

In my next post I will give some tips of how to test Group Policy deployments.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

The traditional method for scoping Group Policy Objects (GPOs) in Windows Server 2008 Active Directory is to perform the following actions:

• Ensure that the GPO is linked to the appropriate Active Directory object (for instance, site, domain, OU)
• Use security filtering to ensure that the GPO affects only specified user and/or computer accounts

Security filtering a GPO

What many Windows systems administrators do not know (or may not want to know due to the learning curve involved) is that we can also use Windows Management Instrumentation (WMI) filtering to dynamically scope Group Policy.

WMI is extremely powerful in GPO application because we can target systems based upon hardware and software attributes such as CPU architecture, operating system, free disk space, BIOS version, and so forth.

It should be noted that because your WMI filters are parsed during every Group Policy refresh, WMI filters in GPOs are best reserved for time-limited scenarios to avoid undue performance impact on your domain controllers.

For instance, you may want to deploy a GPO with a WMI filter that scopes the policy for Windows 7 clients that have a particular hotfix applied in order to undo the installation. After your machines have ingested and processed the GPO, you can simply unlink the WMI filter or disable the GPO entirely.

Creating a WMI filter

To build your first WMI filter, fire up the Group Policy Management Console and expand your domain to expose the WMI Filters container. Next, right-click WMI Filters and select New from the shortcut menu.

Creating a New WMI Filter

In the New WMI Filter dialog box, add a name and (optionally) a description for your new WMI filter. Next, we can build the actual WMI Query Language (WML) query by clicking Add.

New WMI filter

WMI filters consist of two components: (a) the WMI namespace; and (b) the WQL query. The vast majority of Windows systems administration-related WMI classes are contained within the root\CIMv2 namespace.

If you have used the Structured Query Language (SQL) before, then you will be instantly comfortable with the basic syntax of the WQL language. If not, then you have a bit of a learning curve in front of you.

Please check out the following links for some useful assistance in writing WQL:

• WMI Filtering using GPMC
• Scriptomatic 2.0 Utility
• WMI Administrative Tools

In the following example screenshot, my WQL query targets domain systems that run Windows XP Professional.

A WQL query

Note that a single WMI filter can consist of more than one WQL query statement. Once you’ve saved your work, your new filter(s) will appear in the WMI Filters node in Group Policy Management Console.

NOTE: Active Directory replication ensures that both your WMI filters as well as your GPOs are available on all domain controllers.

Linking a WMI filter to a GPO

To link a WMI filter to a GPO using the GPMC, view the properties of the target GPO. Next, open the WMI Filtering drop-down list, which is now populated with any previously created WMI filters. Select the appropriate filter from the list—once you propagate the GPO to your domain, you are finished!

Linking a WMI filter to a GPO

You are probably familiar with the old carpenter’s aphorism “Measure twice, cut once.” This truism is especially relevant for us Windows systems administrators with respect to Group Policy application.

We are faced with the frightening question: How can we know in advance if our WMI filter works? Well, to that end I would like to point you to a nifty free utility by the GPO Guy called the WMI Filter Validation Utility.

The way this tool works is simple: we first have it analyze our GPO infrastructure and report metadata concerning any linked and unlinked WMI filters. This interface is shown in the next screen capture.

The WMI Filter Validator

We can then test a WMI filter by right-clicking its entry in the tool’s interface and selecting Validate from the shortcut menu. This launches a wizard whereby we can target a specific domain member computer.

Validating a WMI filter

We must remember that a WMI filter is essentially a Boolean True/False test in order for Active Directory to determine whether to apply a given GPO to a given computer. The WMI Filter Validation Utility works wonderfully to test this equation in advance.

WMI validation results

Conclusion

At this point you should have a solid idea as to what WMI filters are and how we can use them to dynamically scope our GPOs. You also know how to test WMI filter application prior to GPO deployment.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

The introduction of Group Policy Preferences into Group Policy seems to have quite a few people confused. I think that confusion has been compounded by all of the people who skipped Windows Vista, stayed with Windows XP, and are just now starting to implement Windows 7 on the desktop.

Group Policy Preferences

So what’s all the excitement about anyway? Assuming you’re one of those organizations that skipped Windows Vista, you’ve probably been living in the Windows XP Group Policy Management Console (GPMC) for a while. The first time you fire up the GPMC in Windows 7 and edit a Group Policy Object (GPO), you probably notice a new section under both Computer Configuration and User Configuration. In addition to Policies, you now have Preferences. What are these new “Preferences” and what do they have to do with Policies? First, let’s start by talking about Group Policy.

Group Policy introduction

Group Policy is a way for you to control most of the settings and configurations that exist for a computer or for any user that can log into the computer. Screensaver settings? There’s a Policy for that. Logon/logoff scripts? There’s a Policy for that too! Just about any setting or change you can make by hand can be made in a Group Policy. If you’re using Active Directory and are hand-configuring options for every computer and/or user that you support, or hand-mapping drive letters or printers, or even doing something simple like changing the wallpaper, you should seriously consider putting some of that effort toward learning how to use Group Policy so that your computers and users can be configured automatically.

Group Policy

Adding the computer to Active Directory gives you the ability to edit these Policies at the Domain level and assign them to computer and user objects in AD. So what do you need to do to start managing Group Policy for your Windows 7 and Windows 2008 R2 systems? Install the latest GPMC and start editing.

Group Policy Preferences

Group Policy Preferences was originally a product called PolicyMaker from Desktop Standard. Microsoft acquired Desktop Standard back in 2006 and, starting with Windows Server 2008, began integrating PolicyMaker into Windows. Windows Server 2008, Windows 7, and Windows Server 2008 R2 already have what they need to use Preferences out of the box. If you still have Windows XP, Vista, or Server 2003, the Client Side Extension (CSE) that will allow you to use Preferences is available as a download. Still running Windows 2000? Sorry, there’s no CSE download for Windows 2000.

Assuming you’re using AD, have the latest GPMC, and are running the latest Windows OS or have installed the CSE for the older version of Windows, here are some of the things you can do with Group Policy Preferences:

• Create and make changes to environment variables
• Copy files to the local file system
• Create/delete folders on the file system
• Make changes to .ini files
• Modify the Registry
• Create/modify/delete network shares
• Map network drives
• Create/modify/delete shortcuts
• Create ODBC entries
• Make changes to devices in the Device Manager
• Make changes to file associations
• Create and make changes to local user accounts
• Create and make changes to local groups
• Create VPN and dial-up connections
• Manage user application settings (requires plug-in written for the application)
• Modify power options
• Manage local printers
• Map network printers
• Manage scheduled tasks
• Manage services
• Manage Regional Options
• Make changes to Start Menu settings
• Make changes to some IE settings

Group Policy Preferences – Settings

Group Policy Preferences vs. logon scripts

If you’re experienced with Group Policy, you’re probably noticing that a lot of the options mentioned above are also available in the Policy area of a GPO or can be managed by logon scripts. One of the great things about Windows is there’s always more than one way to do something. If you or your IT shop’s expertise is in scripting, you don’t need to reinvent the wheel and start from scratch if you already have infrastructure that is working for you. But what if you don’t have all of those scripts already written? Preferences are a great way to accomplish the same goal without having to spend a lot of time or money learning something completely new.

Scripting isn’t something you can usually learn overnight. It’s a big hurdle for a lot of people. It’s also something that doesn’t usually have a standard. Ask three people to write a script to map a few drives based on group membership, fix permissions on a folder, and make a registry edit, and you’re probably going to end up with three wildly different scripts. Is that bad? Not necessarily, but if your scripts have a thousand lines of code (or more), you probably sweat every time someone makes an edit. One misplaced character or typo and the whole thing can stop working. And you do have every line of those scripts documented in the event that the person who wrote them is unavailable, right?

Preferences also follow the same refresh rules for Group Policy (every 90 minutes with a random offset of up to 30 minutes). With scripts, they only run at system startup/shutdown and user logon/logoff. Group Policy Preferences also have built-in logging to the Windows Event Log, another area where scripts can lag behind unless the scripts are very robust.

Group Policy Preferences vs. Group Policy settings

How do Group Policy Preferences compare to comparable Group Policy settings? The biggest difference between the two is enforcement. With a Policy, settings are enforced; in most cases, the user interface is either grayed out or gone completely so that the user can’t change the setting. With Preferences, the setting is applied once and can be changed later by the user. One caveat: if you’re using Replace a lot in your Preferences, your users are probably going to figure out that if they make a change to certain settings, those settings are going to change back in an hour or so when Policy refreshes for the computer.

Preferences also aren’t limited by the need for ADM or AMDX files. If you have an application that requires a license file to be copied to the computer, all you need to do is configure a Preference to copy the file. If you need to set an option that is stored in the Registry, such as the network name for a database server, you can browse the local Registry and create a Preference with the setting. Preferences don’t require your applications to have any awareness of Group Policy. As long as the configuration can be edited in the Registry, be made by copying a file over, you can use Preferences.

Group Policy Preferences gotchas

Policies are stored in a separate Policy area of the Registry. If you remove a setting in Policy, it will revert back to the original setting on the computer (or in the user’s account). With Preferences, the setting will stay unless you explicitly create a Preference that deletes it.

Mapping printers? Make sure you set the options for the Point and Print Restrictions for either the Computer (at Computer Configuration > Policies > Administrative Templates > Printers) or the User (at User Configuration > Policies > Administrative Templates > Control Panel > Printers). If you don’t, your printer mappings will fail if the computer is unable to copy print drivers to the local system.

Make sure the Client Side Extension for Group Policy Preferences is installed for XP, Vista, and 2003. If the CSE isn’t installed, those versions of Windows will completely ignore the settings in your Preferences when processing Group Policy.

Replace mode isn’t necessarily your friend. I’ve been burned by Replace mode several times. I can’t underscore enough that you should use Replace sparingly. Replace usually has the effect of running a Delete and then a Create. For example, if you map printers with the Replace option, Group Policy will delete the connection and reconnect to the printer. That may not sound like a big deal, but if your user wants that printer to be his/her default, you’ll have problems. Every time the Replace command runs, the user will lose that printer as the default if they have other printers on the system. I’ve also found that using Replace when you’re creating a local user account causes that user account’s SID to be regenerated.

If user options aren’t working correctly, you might need to check the “Run in logged-on user’s security context (user policy option).” Preferences run as the System account. Preferences that use network resources, such as mapping printers or network drives, need the user’s privileges to run properly. Checking this box ensures that the proper credentials are used.

Copying files? Check your network share permissions. If the local computer is getting the file, you’ll need to make sure that the Domain Computer has at least read access to the network share. The same is true if the user’s security context will be copying the file; make sure the user has at least read access.

Last, but not least, Microsoft maintains a list of currently available hotfixes for Group Policy. There is a section specifically for Preferences that may be of help if you’re having issues with a specific feature.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

LocalGPO in SCM v2

LocalGPO is included with SCM but there’s no dependency between the two programs. Once you’ve installed SCM there’s an option on the Start Menu to also install LocalGPO. The traditional role of LocalGPO is to control workgroup computers where centralized AD deployment of GPOs isn’t an option but in SCM v2 there’s also a new GPOPack feature that works with Microsoft Deployment Toolkit (MDT) 2010.

LocalGPO lets you export the current configuration of a reference computer as a GPO object provided you’re a local administrator and the export folder already exists:

LocalGPO.wsf /Path:c:\GPOBackup /Export

LocalGPO also allows you to apply settings from a GPO backup file type to the local PC:

LocalGPO.wsf /Path:c:\GPOBackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG}

The GUID in italics is the identification of the GPO you want to apply.

The only drawback with LocalGPO in SCM v1 was the fact that you had to install LocalGPO on each machine where you’d like to use it and whilst it’s a quick installation this wasn’t very flexible.

Thus was born the new GPOPack option for LocalGPO which packs the executable and the baseline into a single self-extracting file which can be applied without any prior installation. Whilst you can use this in many situations it works very well as part of a task sequence in Microsoft Deployment Toolkit (MDT) 2010 to apply your security settings to a machine directly after installation with just a single line of code in a script.

If you don’t want to type out (and potentially misspell) long GUID folder names you can name the GPO Pack with a friendly name, be aware that this means you won’t be able to import the GPO object in the GPMC. When applying a GPOPack in a script point to the GPOPack.wsf file that’s created by the GPOPack option like this:

C:\GPObackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG }\GPOPack.wsf /path:C:\GPOBackups\{12345678-9ABC-DEFG-1234-56789ABCDEFG } /silent

You can also use LocalGPO to monitor workgroup computers in your environment for configuration drift, simply export their current settings and then compare them in SCM v2 against your company sanctioned baseline.

LocalGPO is a very versatile tool and the new GPOPack option opens up additional possibilities.

SCM v2 beta in summary

Everyone knows that both servers and client computers need to be locked down in a business environment, each successive version of Windows have added more versatile GPO options to achieve just that. But with the proliferation of GPO settings comes the difficulty in selecting the right settings and the appropriate level of lock down. Too locked down and users are hindered in their work and productivity suffers, too open leads to an insecure environment.

SCM v2 is an awesome tool that helps any administrator with these challenges which should bode well for its popularity. The new GPO Import functionality is great and the GPOPack in LocalGPO is really cool but most importantly the interface is much easier to work with.

SCMv2 is an excellent product that belongs in every sysadmins toolbox, especially considering it’s free.

Resources

Microsoft Solution Accelerators Security & Compliance blog

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

Adding settings to a baseline in SCM v2

There will be times when a particular baseline is missing a setting that you’d like to include, remember that the baselines only include security settings where Microsoft has best practice guidance. In SCMv1 you had to import a Setting Pack which gave you ALL the GPO settings for a product and you then had to delete the settings you didn’t want.

SCM v2 has a great new feature which is much better, the Add a Setting command lets you pick the relevant product, in which group within the baseline you’d like to add the setting(s) and a comprehensive list of all the settings. You can also search and filter the list of available settings.

Adding settings to your custom baseline has never been easier.

This feature is fueled by a new Settings Library than stores every configuration option that SCM knows about, in every product that SCM v2 covers. Today that includes Windows XP SP3 to Windows 7 and Office 2007/2010, and IE 7 to 9 on the client side, as well as Windows Server 2003 SP2 to Windows Server 2008 R2 SP1 on the server side. New settings will be included in the Library as Service Packs are released and you can check your library version in the About dialog.

The settings grid in SCM v2

A characteristic of using SCM v1 was that there was a lot of scrolling up and down through lists of settings, two innovations in SCM v2 will make this a bit easier.

If you select the Advanced view in SCM v2 (I hope this will be become the default or the only option in the released version) a breadcrumb bar lets you filter down in a baseline settings hierarchy. By clicking each button you’re shown only the settings that are available at that level. To jump back up to the top simply click the red cross at the end of the button row.

Once you’ve drilled down to a particular list of settings they’re grouped by horizontal bars that you can expand or collapse which makes it a lot easier to work with long lists of items. If you’re browsing a signed baseline there’s a link offering to create a modifiable copy on each page. This new way of working with settings soon becomes second nature; the UI was inspired by Windows Intune according to Jeff Sigman, Senior Software Design Engineer with the SCM team.

The thing I love about SCM though is how great a teaching tool it is. Every best practice setting is described in detail, not only what the setting does but what threat it’s designed for and how different settings mitigate the risk. If you prefer to read documents the old Word documents are still included in each baseline.

Use SCM to teach any junior admin about the power of GPO, IT security in general and why we use certain settings.

Merging and comparing baselines in SCM v2

When you’ve imported a GPO from your own environment (see part 1) and you’d like to see how it compares to the official guidance click Compare and select the two baselines. The results are presented in two views; a summary shows the number of settings that are different and lists unique settings in each baseline. The values tab on the other hand displays each individual setting and their configuration in each baseline.

Tag: Comparing two baselines is dead easy in SCM v2.

Sometimes you want to combine two baselines, the Merge feature allows you to pick the source and then point to a target baseline. The wizard then shows you the items that will change, with an option to deselect items that you don’t want to merge as well as which settings only exist in one baseline or the other and if there are settings that are identical in both baselines. If you want to delete settings from a baseline you can now select multiple items in one go; SCM v1 forced you to delete each setting one at a time.

If you’re in the US you might be familiar with the United States Government Configuration Baselines (USGCB) format, used mostly in governmental departments, SCM v2 is more reliable in its import of these files.

SCM v2 can also export baselines in the National Institute of Standards and Technology (NIST) format Security Content Automation Protocol (SCAP) format.

In the final part of this series we’ll look at LocalGPO, a command line companion tool to SCM and a new feature it offers for desktop deployment.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

This review was written on SCM v2 beta, the beta period has ended and SCM v2 is now available for download here. Note that the release date on the download page is incorrect, this is the final RTW (Release To Web) version of SCM v2.

Foreword

Group Policy is one of the most powerful tools in a sysadmin’s arsenal, not only for making sure users don’t get themselves into too much trouble but also to establish security standards across client and server machines.

For quite some years Microsoft have produced security guidance for Group Policy, what settings to use and how to configure them but most administrators don’t have time to trawl through lots of documentation. To make it easier for busy administrators to make well informed decisions when building Group Policy Objects (GPOs) Microsoft published the free tool Security Compliance Manager (SCM) v1 in early 2010.

This tool contained baselines for various products with best practice security settings and the ability to export a customized baseline as a GPO. The one glaring omission in v1 however was that it didn’t allow you to import your current GPO security settings and compare them to Microsoft’s recommendations, SCM v2 remedies this as well as adding some other great features, in this three part article we’ll examine why this tool should be in every admin’s toolkit.

The one thing that shines through in the SCM v2 is the real world feedback that’s obviously gone into the design: Jeff Sigman, Senior Software Design Engineer with the SCM team at Microsoft agrees. “Everything we did in SCM v2 was because of direct customer feedback. We did a number of surveys and interviews throughout the development cycle of SCM v1 and then again after SCM v1 was released publicly. The results were quite clear; SCM v1 had three areas which needed improvement: GPO Import, User interface facelift and SQL database flexibility.”

Installation of SCMv2

Installation is mostly a “click-next affair” but as mentioned above, unlike SCMv1 you have the option of pointing to an already installed local instance of SQL Server / SQL Server Express. SCM v1 always had to install its own copy of SQL Server Express.

If you have SCMv1 or SCMv2 CTP (which preceded the beta) the installer will automatically upgrade it, with all data preserved. This beta also contained 10 baselines that installed directly after SCM is installed, this takes a couple of minutes.

Being able to choose which SQL database to use makes SCM v2 more flexible than its predecessor.

The SCMv2 Console

Since SCM can be used in a few different ways the welcome screen is a handy tool. It has a whole heap of links for various topics that leads to in-depth information on parts of the program.

On the left is the Baseline Library with all your installed baselines, sorted by product. The main area in the middle displays information about the part of a baseline that’s currently selected whereas the right hand Action pane has context sensitive task links.

The SCM console has a simple layout and is easy to navigate.

A downloaded baseline from Microsoft is signed with a digital signature so when you want to create a custom baseline based on an “official” one you have to duplicate it to create an unsigned, modifiable copy. If you want to work with other baselines than the 10 included in the beta package go to Tools – Check for Baselines, during the installation you can let SCM create copies automatically so you can start customizing immediately.

In the next part of this series we’ll examine the new GPO Import functionality in SCM v2 as well as see how Microsoft actually creates a baseline and the different classification in the new baseline format.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

In my last post, I outlined in what cases Group Policy Loopback Processing can be helpful. Let’s have a look at the configuration.

Loopback processing is configured in the Group Policy Management Console in Computer Configuration / Policies / Administrative Templates / System / Group Policy / User Group Policy loopback processing mode – Set to “Enabled” and set the Mode to either Merge or Replace.

Loopback processing allows you to assign user policies to a computer and then control how those policies are applied to any user when he/she logs in to that computer. It allows you to either completely replace (Replace Mode) the user policies that have been assigned to the user or supplement them (Merge Mode) with additional policies.

Group Policy Loopback Processing – Replace Mode

As the name implies, Replace Mode replaces the policy that is assigned to the user. In the Computer Configuration, set the loopback processing mode to Replace. Next, assign user policies to the computer in addition to the computer polices, you would normally assign. When the computer starts, it will process the computer policies. When the user logs in, instead of processing the GPO’s assigned to the user, the computer will apply the user policies that are assigned to the computer object.

GMPC – Group Policy Loopback Processing – Replace Mode

Where can Replace Mode be useful? Personally, I use it on file, print, and other servers that non-admin users don’t typically access via the console or Remote Desktop. When someone with admin rights logs in via the console or Remote Desktop, they only have the default policy or any other policy that I assign.

This can be very handy if you’re redirecting folders, mapping printers, or assigning software with Group Policy; you don’t want unwanted drivers or software showing up on your production server that now has to be maintained or removed.

Replace Mode can also be useful if you maintain kiosks or training computers so that you have full control over all of the settings a user receives when he/she logs in. Replace mode really shines in larger Active Directory implementations where you may not have the ability to modify Group Policy assigned to users that work in departments you support.

Group Policy Loopback Processing – Merge Mode

Merge Mode supplements the policy that is assigned to the user instead of completely replacing it like in Replace Mode. In the Computer Configuration, set the loopback processing mode to Merge. Next, assign user policies to the computer in addition to the computer polices, you would normally assign. When the computer starts, it will process the assigned computer policies. When the user logs in, the computer will process the user policies assigned to the user as it normally would and then processes the user policies that have been assigned to the computer object.

GPMC – Group Policy Loopback Processing – Merge Mode

Merge Mode can be useful if you need to make additions to a policy or override a policy that a user receives when he/she logs in to a computer. For example, let’s say you have a group of computers that are made available to employees visiting your office. The employees need to receive their normal level of access (mapped drives, redirected folders, etc.), but also need to receive access to a network printer in your office. With Merge Mode, you can add a script or Group Policy Preference that maps the printer for anyone logging into that computer.

Merge Mode can also be useful for overriding things like screensaver settings. Let’s say, you have a reception desk that needs to have a very low screensaver timeout, but your company normally assigns a 20-30 minute timeout. With Merge mode, you can assign a different screensaver timeout to your reception desk computers while allowing employees that intermittently work at the reception desk to have the normal company screensaver timeout when working at their normal computer.

Gotchas and other things to consider

Group Policy loopback processing doesn’t save you from Enforced GPO’s. Enforced GPO’s are a great way for an Enterprise or Domain admin to ensure that enterprise-wide standards are maintained by admins that have been delegated access to manage Domain or OU level policies.

You can look for Site GPO’s in the GPMC: Go to Sites, right-click and choose Add Sites…, check the name of your site and click OK. This will let you see if there are any Enforced policies at the Site level. Enforced polices should have a lock in the bottom right-hand corner to signify that they are Enforced. You should also be able to see the list of GPO’s for an OU in the GPMC by clicking on an OU and clicking the Group Policy Inheritance tab. Policies that are Enforced will show “(Enforced)”.

If in doubt, Replace Mode is the better option if you need full control over the environment the user is logging in to. I’ve seen people do some pretty crazy things with Group Policy, including, but not limited to setting 1 minute screensaver timeouts, completely blocking any meaningful access to My Computer (usually when it isn’t justified), and even putting hundreds of icons on the Desktop and Start Menu to “help” employees find things on the network. If you’re maintaining a training lab, kiosks, or anything else where you need a significant amount of control over the user environment, you’re probably better off using Replace Mode.

Permissions of network resources are always a big gotcha with Group Policy. You can have a perfectly written policy; but, if the user doesn’t have permission to use the network resource that you’ve assigned with your loopback policy, you’ll end up with slow logons and errors when the user tries to use the computer. If you’re mapping a network drive, network printer, or redirecting folders for a user with a Merged or Replaced policy, make sure that the user logging in to the computer will have the ability to access the network resource in the policy.

Loopback Replace Mode can cause problems with Cross-Forest Trusts. Like many problems with Trusts, this can usually be tied to network connectivity issues. Make sure that the user’s originating Forest Domain Controllers are accessible to the computer they are trying to log in to.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

Group Policy Loopback Processing is one of the hidden gems that can make your life as a systems administrator much easier. This article explains for what you can use this feature and in the next post you will learn how to configure Group Policy Loopback Processing.

Group Policy Loopback Processing

How user and computer Group Policy Objects are applied

Before I can explain Loopback Processing, let’s start with quick a refresher on how a Windows computer processes Group Policy.  There are two types of policies: computer policies and user policies.

When the computer starts, it processes all of the computer policies that are assigned to the computer object from AD in this order: local (you can see these on a client by running gpedit.msc), site, domain, OU, and child OU. Last, the computer runs all of the startup scripts that were assigned to it in Group Policy.

When a user logs in to the computer, the computer pulls all of the policies assigned to that user object. The user policies are processed in this order: local, site, domain, OU, and child OU. Last, the user logon scripts are run.

There are some exceptions to the order that GPO’s are processed, but this should give you a basic overview of how a computer processes the policies assigned to it and any user that logs in to the computer.

When you need Group Policy Loopback Processing

Group Policy Loopback Processing comes into play if you want to assign user policies to computer objects. This feature is especially useful in large organizations.

If you have a single Site and a small Domain, you probably have full control over all Group Policy settings in the Domain including the ability to create and make changes to computer and user policies. However, if you have a large Active Directory with multiple Domains and multiple Sites, you may have only have the ability to manage the GPO’s for a single Domain or even individual Organizational Units (OU’s).

Group Policy Loopback Processing is helpful if you don’t have control over the Group Policy that is assigned to user accounts, but do have control over the policy that is assigned to the computers in your facility.

You can also use it to make sure that all employees in a specific physical location have access to a specific printer that is only available in that location. Another typical usage scenario are kiosks. Group Policy Processing allows you to work with different user policies depending on if they log on to the kiosk computer or a common workstation.

These are all everyday situations where Loopback Processing can help you regardless if you have a few hundred objects or tens of thousands in your Active Directory. In my next post, I will explain how to configure Group Policy Loopback Processing.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

When I first read that Group Policy Preferences can’t be used for Internet Explorer 9, I thought that was just a misunderstanding. How could it be that such an important feature is not supported for Microsoft’s latest web browser? Group Policy and Group Policy Preferences are one of the major reasons why many organizations stick with Internet Explorer even though good browser alternatives are now available.

But after installing the latest updates on Windows Server 2008 R2, I see that Group Policy Preferences are still only available for Internet Explorer 6-8. I don’t know what is behind this. Is Microsoft giving up on Group Policy Preferences for Internet Explorer altogether, or will there be an update? A forum entry by MVP Alan Burchill seems to indicate there will be no such update. However, the following workaround allows you to keep working with Group Policy Preferences for Internet Explorer 9.

1. Configure an Internet Explorer 8 setting in Group Policy Preferences. For instance, you can preset IE’s homepage to http://4sysops.com (highly recommended ). Don’t forget to hit F6 after you entered the homepage.
   
2. Navigate to Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) and double-click Logon or Logoff. Next, click "Show Files."
   
3. Navigate up to the User folders.
   
4. Navigate down to the Preferences\InternetSettings folders.
   
5. Edit (right-click) the InternetSettings files.
6. Search for "max=9.0.0.0" in the text and replace it with "max=9.1.0.0". Save the file.
   

Note that this workaround won’t make the "Internet Explorer 9" option appear when you add a new Internet Setting in Group Policy editor. You have to configure Internet Explorer 8 policy settings, which will also be used for Internet Explorer 9. Also note that you have to repeat the procedure described here whenever you create a new Group Policy Object.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

When I discovered the power of the System Policies in Windows NT 4, I wondered why Microsoft didn’t offer a search tool that allows to me find all policies easily. I had to wait only 15 years until I stumbled across the Group Policy Search service. This Azure application has been available for a few months. I wonder how the release of this tool could have escaped my notice, considering that I read quite a few IT news items every day.

Thus far, the only ways I knew to search for Group Policies were through filters in the Group Policy editor, in the Group Policy Settings Reference, or in Google. None of the three options is really effective. Group Policy Search is certainly a more powerful tool if you try to find a policy to control a certain Windows function. The tool searches in all relevant fields: Policy, Category Path, Supported On, Registry Key, Value, and the Group Policy description. The main difference from searching in the Excel sheet of the Group Policy Reference is that you can combine several search terms, which makes it much easier to find the right policy.

Group Policy Search also highlights the hits. What I like most is that it jumps to the location in the Policy Tree in the navigation pane on the left hand side. This helps to find related policies. This Policy Tree is different from the one you know in the Group Policy Editor. If you know where to find the setting in Windows, you will easily find the corresponding Group Policy by navigating through the Policy Tree. You can also switch to the Registry View if you are a Registry hacker.

The Filter function allows you to limit your search to certain applications, say Internet Explorer settings. The Copy function copies the selected path, for example the Registry path, to the clipboard; this feature did not work in Chrome, but I had no problems in Internet Explorer.

Under Settings, you will find a Search Provider for Internet Explorer (search box in the upper right corner) and a Search Connector for Windows 7.

As useful as this Group Policy Search service is, I still would prefer if Microsoft integrated a comparable powerful search function right into gpedit.

I have added Group Policy Search to the 4sysops list of free online tools for Windows admins.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

In my initial testing of Windows 7, I was a little disturbed to find that a default install of Windows 7 Enterprise did not include a default screen saver when a user would log in. I was also a little miffed that logon.scr (known as the “Windows XP” screen saver in Windows XP and “Windows Logo” screen saver in Windows Vista) was also nowhere to be found when I searched the file system.

If a user logs into Windows 7 and has logon.scr set as a forced screen saver in Group Policy, his default screen saver will be set to (None) and, because it is a Group Policy, the user will be unable to change this setting.

In many environments, securing logon sessions is very important… especially if you have to deal with HIPAA, FERPA, or any of the other myriad of government regulations (or jumpy Information Security departments) that are out there. If a user were to leave his office with his workstation unlocked and the door wide open, a malicious person would have access to everything that the unwitting user left open: files, applications, e-mail, etc. If you’re still using logon.scr as your default forced screen saver and you’ve started deploying Windows 7, you have users out there without a default screen saver.

So, back to basics: setting a default screen saver with settings that will be compatible with changes in Windows 7 and with your existing Windows XP and Vista clients. First off, start with a Group Policy Object (GPO) that is linked to the OU where your user accounts are located in Active Directory. This can be either a new GPO or an existing GPO that may already have other settings you want applied to all of your users. Next, go to Policy > User Configuration > Administrative Templates > Control Panel > Personalization. Here are the policies you’re looking for:

From the user’s perspective, the options for setting the screen saver, the wait time, and whether to display the logon screen will be set and grayed out. This policy change will update during a regular Group Policy refresh cycle.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

Disallow shutdowns without logon

By default, Windows desktops can be shut down by anyone without the need to log on by pressing CTRL+ALT+DEL and then clicking the red power button in the lower right corner (Vista and Windows 7). While this feature can be useful in some situations, it might cause problems in public places such as student computer rooms or kiosk computers. Note that for obvious reasons this is not possible with Windows server versions.

To ensure that nobody can shut down a Windows desktop computer without logging on, you can use this Group Policy setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ Shutdown: Allow system to be shut down without having to log on.

Remove access to the Shut Down command in the Start Menu

If you want to prevent users who are able to log on to a computer from accessing the Shut Down command in the Start Menu, you can use this Group Policy setting: User Configuration\Administrative Templates\Start Menu and Taskbar\ Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands.

Note that this setting won’t stop users from restarting using third-party tools or the Windows shutdown command line tool. Thus, you can’t stop computer-savvy users that way. But perhaps this is just what you want; to allow only those users who know what they are doing to shut down and restart their computers.

Remove the shutdown right

If you really want to control who can shut down Windows desktops or servers, then you need another Group Policy setting.

To remove the shutdown privilege, configure this setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system. This option allows you to assign the shutdown right to certain user groups. It is the most secure one because it can’t be circumvented with third-party tools. Hence, it is also a way to prevent overly keen newbie admins from rebooting every time a Windows server acts a little stubborn.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

If Windows ever rebooted your PC during your lunch break while an important task was still running or you forgot to save data in an open application, then you understand the full extent of this problem. Modern applications are able to prevent Windows from rebooting, but this doesn’t always work.

In my view, a computer should never ever automatically restart without explicit confirmation from the user. If security measures can destroy the work of users, then the bad guys have already won. No Windows update is important enough to delete a whole morning’s work of your boss.

And if a new dangerous computer worm is really threatening your PCs, then network-wide restarts have to be managed and controlled by humans, not computers.

There are two ways to turn off automatic Windows Update reboots. You can let users choose when to install updates or you can disable auto-restarts.

Let users choose when to install Windows updates

You can configure Automatic Updates to only automatically download the latest update but let users choose when to install them. This configuration can be set through the Control Panel applet Windows Update (type Windows Update at the Start Search prompt) or through Group Policy (Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates).

Windows will then inform users about new available updates. If a user doesn’t install them right away, Windows will do so when the user shuts down the computer. The disadvantage of this method is that this also prevents the installation of updates that don’t require a restart if the user ignores the message from Windows Update.

However, there is a Group Policy setting for allowing the installation of these unproblematic updates: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Allow Automatic Updates immediate installation. If this setting is enabled, Windows Updates automatically installs updates that neither interrupt Windows services nor restart Windows.

Turn off automatic reboots

But the best option is simply to turn off automatic reboots with this Group Policy setting: Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic update installations. I recommend using this setting network-wide because it will reduce the number of angry help desk calls significantly.

I only covered the three Windows Update settings that I consider most important. I recommend also having a look at the other Group Policy settings at Computer Configuration\Administrative Templates\Windows Components\Windows Update. You might find something that is worthwhile configuring in your environment.

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

It is interesting to note that Microsoft lists some of the above mentioned features as new in Windows 7. Somehow, they are expressing this way that Windows 7 is basically Windows Vista which is one of the main reasons why Windows 7 is a great operating system. But let’s see what is really new in Windows 7 Group Policy.

Windows PowerShell Cmdlets for Group Policy

I think, the new PowerShell Group Policy cmdlets are the most important enhancement in Windows 7 and Windows Server 2008 R2. You could already manage Group Policy before Windows 7 with PowerShell. A more convenient option are the free cmdlets from SDM Software. You should also check out their Group Policy Automation Engine, which supports scripting of many more policy areas.

SDM Software’s cmdlets were more or less the model for those you can now find in Windows 7. The biggest advantage of this new Windows 7 feature is that the cmdlets are now integrated in the OS. Basically, you can perform all Group Policy management tasks on the command line or in a script: Create, remove, backup and import Group Policy Objects (GPOs), manage associations of GPOs with Active Directory containers, setting inheritance flags and permissions on Active Directory organizational units, configure registry-based policy settings and Group Policy Preferences Registry settings, and manage Start GPOs (pre-defined GPO templates).

I suppose, the vast majority of sys admins will continue managing Group Policy with GUI tools. However, there are certainly cases when you need a feature that your GUI tools lack. Then, you have no other choice than to write your own tool (script) and that’s where the new cmdlets come in. That’s why I consider cmdlets as some kind of API. Typically, tasks where you can use these new cmdlets involve the manipulation of multiple GPOs or links to GPOs.

More information about this new feature can be found in this Technet article.

New Group Policy settings

Every new Windows version introduces new Group Policy settings. Windows 7 and Windows Server 2008 R2 are no exception here. All in all, Group Policy now supports approximately 3,000 different settings, in which 300 of them are new. Most of them are for new Windows 7 features such as BitLocker to Go, Applocker. Internet Explorer 8 alone has more than 140 new Group Policy settings. (How many new Group Policy settings has Firefox 3.5?). Please check out the new Group Policy Settings Reference which includes all new Windows 7 and Windows Server 2008 R2 settings.

New user interface for ADMX Migrator

I already reviewed ADMX Migrator more than two years ago. As its name indicates, the main purpose of the tool is to convert ADM templates to the new ADMX format that was introduced with Vista. However, the tool also allows you to create new ADMX templates with an easy-to-use GUI. There will be a new version for Windows 7 with a new user interface. I wasn’t able to find a download for the tool, so I suppose it has not been released yet. The Silverlight video here demonstrate the new user interface. Most noticeable is that the tabs from ADMX Migrator 1.3 are gone. I might write more about this topic as soon as I can get my hands on the new ADMX Migrator.

Okay, that’s it already. All the other new features that are often mentioned in reviews and documentations are Vista features.

Windows 7 – All 4sysops reviews

Windows Server 2008 R2 – All 4sysops reviews

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)

Remote Task Manager Tool

Utility to view the processes running in a remote computer along with its details like, Process ID, Memory Usage, Session ID, Priority, etc. It also provides an option to select the parameters to view. Apart from just viewing the processes, the administrators can also terminate a process.

Wake on LAN Tool

Utility to boot computers in the network (LAN) from remote. It allows the administrators to boot multiple computers simultaneously. The Administrator has to just specify the IP Address, MAC Address and the Subnet Mask of the computers to wake them up.

Software Inventory Tool

Utility to retrieve the details of the software installed in the computers of a Windows Domain. The Software details include Software Name, Version, Manufacturer and Usage statistics. The software details can be exported as txt and csv formats.

Remote Command Prompt Tool

Free tool to open a command prompt of a remote computer and execute a command. The remote computer can be in the domain or a workgroup. The administrator has to specify a credential that has necessary privileges to execute the commands. The computer can be either specified manually or selected by speciying the Domain Controller.

GPO Update Tool

Utility to perform a GPO Update in the computers of a Windows Domain. GPOs are used to send configuration instructions to user and computer objects in the Windows Active Directory. By default, the GPO updates happen periodically, every 90 minutes. This utility helps the Administrators to perform a GPO Update on-demand on multiple domain computers simultaneously.

Shutdown / Restart Tool

Utility to shutdown or restart the computers of a Windows Domain. The Administrator can specify a common credential to perform this operation on multiple computers and can select the computers by specifying the Domain Controller.

Join/Unjoin Computer Tool

Utility to move a computer from one domain to another or from a domian to a workgroup or from a workgroup to a domain. It also provides the ability to restart the computer after this operation. The status of the operation is also displayed at the bottom of the window.

Currently Logged On User

Utility to retrieve the details of the users logged on to a remote computer. The Administrator can specify a common credential to perform this operation on multiple computers and can select the computers by specifying the Domain Controller.

Hard Disk Space Monitor Tool

Utility to retrieve the information about the Hard Disk like Partition/Drives, Volume Name, Total Size, Free Space, and File System. The Administrator can specify a common credential to perform this operation on multiple computers and can select the computers by specifying the Domain Controller.The results can be exported to a CSV or Text format for a later reference.

Local Users/Groups Tool

Tool to get the information about local users and groups in the remote computers. The user details include, Computer Name, User Name, Full Name, Caption, Status, etc. The group details include, Computer Name, Group Name, Caption, Description, and Status. The Administrator can specify a common credential to perform this operation on multiple computers and can select the computers by specifying the Domain Controller.The results can be exported to a CSV or Text format for a later reference.

Network Share Browser Tool

Tool to get the information about the files, folders and Active Sessions of the shares in a remote computer. The results can be exported to a CSV or Text format for a later reference.

Desktop Central Free Windows Tools

• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)
• Troubleshooting Group Policy – Part 3: Group Policy not applied? (0)
• Troubleshooting Group Policy – Part 2: Test and deploy (1)