Archive for the 'group policy' Tag

In this series of six parts, I will show you how to prevent and solve Group Policy problems. In this first part, I will outline why communication with your users is important.

Group Policy is a great tool that can make your life a lot easier as a systems administrator. But, what do you do when computers or users aren’t getting the correct policies? In this series, we’ll take a look at things you can do to prevent problems, common problems people have with Group Policy, and steps you can take to troubleshoot misbehaving Group Policy.

“An ounce of prevention is worth a pound of cure.” — Benjamin Franklin. Those words definitely ring true for deploying new Group Policy settings. There are a number of things you can do before deploying changes that may cost you some time up front, but will definitely save you time and grief down the road.

In this article you will learn how to create Group Policy Objects (GPOs) by leveraging the power of Windows Management Instrumentation (WMI).

The traditional method for scoping Group Policy Objects (GPOs) in Windows Server 2008 Active Directory is to perform the following actions:

  • Ensure that the GPO is linked to the appropriate Active Directory object (for instance, site, domain, OU)
  • Use security filtering to ensure that the GPO affects only specified user and/or computer accounts

Security filtering a GPO

What many Windows systems administrators do not know (or may not want to know due to the learning curve involved) is that we can also use Windows Management Instrumentation (WMI) filtering to dynamically scope Group Policy.

This article introduces Group Policy Preferences, explains how they differ from Group Policy settings, compares Preferences to logon scripts, and covers a few Group Policy Preferences gotchas.

The introduction of Group Policy Preferences into Group Policy seems to have quite a few people confused. I think that confusion has been compounded by all of the people who skipped Windows Vista, stayed with Windows XP, and are just now starting to implement Windows 7 on the desktop.

Group Policy Preferences

In this final part of this four-part series, we’ll look at LocalGPO, which is a bit of a hidden gem in SCM, and round off the look at SCM with a summary.

LocalGPO in SCM v2

LocalGPO is included with SCM but there’s no dependency between the two programs. Once you’ve installed SCM there’s an option on the Start Menu to also install LocalGPO. The traditional role of LocalGPO is to control workgroup computers where centralized AD deployment of GPOs isn’t an option but in SCM v2 there’s also a new GPOPack feature that works with Microsoft Deployment Toolkit (MDT) 2010.

LocalGPO lets you export the current configuration of a reference computer as a GPO object provided you’re a local administrator and the export folder already exists:

LocalGPO.wsf /Path:c:\GPOBackup /Export

LocalGPO also allows you to apply settings from a GPO backup to the local PC:

LocalGPO.wsf /Path:c:\GPOBackup\{12345678-9ABC-DEFG-1234-56789ABCDEFG}

In this third part of four, we’ll learn how to add settings to a baseline, examine the new user interface innovations in SCM v2, and see how to Compare and Merge baselines.

Adding settings to a baseline in SCM v2

There will be times when a particular baseline is missing a setting that you’d like to include; remember that the baselines only include security settings where Microsoft has best practice guidance. In SCM v1 you had to import a Setting Pack, which gave you ALL the GPO settings for a product, and you then had to delete the settings you didn’t want.

SCM v2 has a great new feature that is much better: the Add a Setting command lets you pick the relevant product, choose the group within the baseline where you’d like to add the setting(s), and select from a comprehensive list of all the settings. You can also search and filter the list of available settings.

SCM v2 - Add Setting

Adding settings to your custom baseline has never been easier.

In this first part of four posts we’ll examine what SCM v2 is and why it’s such an important tool for sysadmins and we’ll cover installation options as well as introduce the main console.

This review was written on the SCM v2 beta; the beta period has ended and SCM v2 is now available for download here. Note that the release date on the download page is incorrect; this is the final RTW (Release To Web) version of SCM v2.

Foreword

Group Policy is one of the most powerful tools in a sysadmin’s arsenal, not only for making sure users don’t get themselves into too much trouble but also to establish security standards across client and server machines.

For quite some years, Microsoft has produced security guidance for Group Policy (what settings to use and how to configure them), but most administrators don’t have time to trawl through lots of documentation. To make it easier for busy administrators to make well-informed decisions when building Group Policy Objects (GPOs), Microsoft published the free tool Security Compliance Manager (SCM) v1 in early 2010.

This post describes how to configure Group Policy Loopback Processing and explains the difference between Replace Mode and Merge Mode.

In my last post, I outlined in what cases Group Policy Loopback Processing can be helpful. Let’s have a look at the configuration.

Loopback processing is configured in the Group Policy Management Console under Computer Configuration / Policies / Administrative Templates / System / Group Policy / User Group Policy loopback processing mode. Set the policy to “Enabled” and set the Mode to either Merge or Replace.

Group Policy Loopback Processing allows you to associate user policies with computer objects. Learn how you can use this feature.

Group Policy Loopback Processing is one of the hidden gems that can make your life as a systems administrator much easier. This article explains what you can use this feature for, and in the next post you will learn how to configure Group Policy Loopback Processing.

Group Policy Loopback Processing

How user and computer Group Policy Objects are applied

Before I can explain Loopback Processing, let’s start with a quick refresher on how a Windows computer processes Group Policy. There are two types of policies: computer policies and user policies.

Group Policy Preferences for Internet Explorer 9 are not (yet?) supported. This post describes the workaround.

When I first read that Group Policy Preferences can’t be used for Internet Explorer 9, I thought that was just a misunderstanding. How could it be that such an important feature is not supported for Microsoft’s latest web browser? Group Policy and Group Policy Preferences are one of the major reasons why many organizations stick with Internet Explorer even though good browser alternatives are now available.

Group Policy Preferences - Internet Explorer 9 - Internet Settings

Group Policy Search is a free online tool from Microsoft that allows you to find Group Policy settings easily.

When I discovered the power of the System Policies in Windows NT 4, I wondered why Microsoft didn’t offer a search tool that allows me to find all policies easily. I had to wait only 15 years until I stumbled across the Group Policy Search service. This Azure application has been available for a few months. I wonder how the release of this tool could have escaped my notice, considering that I read quite a few IT news items every day.

Group Policy Search

This article explains how to set a default screen saver with settings that will be compatible with changes in Windows 7 and with your existing Windows XP and Vista clients.

In my initial testing of Windows 7, I was a little disturbed to find that a default install of Windows 7 Enterprise did not include a default screen saver when a user would log in. I was also a little miffed that logon.scr (known as the “Windows XP” screen saver in Windows XP and “Windows Logo” screen saver in Windows Vista) was also nowhere to be found when I searched the file system.

Windows 7 User Screensaver Configuration 1

If a user logs into Windows 7 and has logon.scr set as a forced screen saver in Group Policy, his default screen saver will be set to (None) and, because it is a Group Policy, the user will be unable to change this setting.

In some environments, it is necessary to prevent not only Windows from shutting down the computer but users as well. For instance, kiosk computers in public places and workgroup computers where some workstations provide network storage or network printers should not be shut down by end users. The same applies to servers where not all admins are allowed to initiate restarts.

Disallow shutdowns without logon

By default, Windows desktops can be shut down by anyone without the need to log on by pressing CTRL+ALT+DEL and then clicking the red power button in the lower right corner (Vista and Windows 7). While this feature can be useful in some situations, it might cause problems in public places such as student computer rooms or kiosk computers. Note that for obvious reasons this is not possible with Windows server versions.

Shutdown without logon

This article explains how to turn off automatic reboots triggered by Windows Update.

If Windows ever rebooted your PC during your lunch break while an important task was still running or you forgot to save data in an open application, then you understand the full extent of this problem. Modern applications are able to prevent Windows from rebooting, but this doesn’t always work.

In my view, a computer should never ever automatically restart without explicit confirmation from the user. If security measures can destroy the work of users, then the bad guys have already won. No Windows update is important enough to delete a whole morning’s work of your boss.

And if a new dangerous computer worm is really threatening your PCs, then network-wide restarts have to be managed and controlled by humans, not computers.

To come straight to the point, there are not many new Group Policy features in Windows 7 and Windows Server 2008 R2. The important enhancements were introduced with Windows Vista and Windows Server 2008: Group Policy ADMX and ADML templates, Group Policy central store, Network Location Awareness, Group Policy Preferences, Group Policy Starter objects and Group Policy event logging. Some of these are absolute killer features, and should have been a good reason for many organizations to embrace Vista. Of course, Windows 7 will also come with these improvements. There are also new features in Windows 7, and as an admin you should learn about these changes even though they are not breathtaking.

It is interesting to note that Microsoft lists some of the above-mentioned features as new in Windows 7. In a way, this expresses that Windows 7 is basically Windows Vista, which is one of the main reasons why Windows 7 is a great operating system. But let’s see what is really new in Windows 7 Group Policy.

Windows PowerShell Cmdlets for Group Policy

I think the new PowerShell Group Policy cmdlets are the most important enhancement in Windows 7 and Windows Server 2008 R2. You could already manage Group Policy before Windows 7 with PowerShell. A more convenient option is the free cmdlets from SDM Software. You should also check out their Group Policy Automation Engine, which supports scripting of many more policy areas.

Submitted by Mathivanan – Blog: http://blogs.manageengine.com/desktopcentral/

Desktop Central provides a set of free Windows tools that Windows administrators might require on a day-to-day basis. It has a set of ten tools, viz: Remote Task Manager Tool, Wake on LAN, Software Inventory Tool, Remote Command Prompt Tool, GPO Update, Shutdown/Restart Tool, Join/Unjoin Computer Tool, Currently Logged On User, Hard Disk Space Detector Tool, and Local Users/Groups List Tool. This is very handy, as the tasks can be performed on multiple computers simultaneously. These tools are made available from the Desktop Central family and are provided as a separate download, which is absolutely free to use.
