Questions on ADMX in Windows XP and Windows 2003 environments

We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was:

“…What’s the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs. What I’ve done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and it seems to work just fine. Is this the right way to do it?…”

The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that’s created. It’s just used by the administrative tool itself to create the policy. In the case of GPMC on Windows XP, Windows Server 2003 and earlier, the tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was one of the areas that caused major problems, an issue called SYSVOL bloat.

In Vista and Server 2008 this template format changed to ADMX. This was a complete change to a new XML-based format that aimed to eliminate SYSVOL bloat. It doesn’t copy itself into every policy object but relies on a central or local store of these templates. (Note that even in the newer tools you can still import custom ADM files for stuff like Office etc.)

In the question above, the person wanted to know if the local store, located under c:/windows/policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and referenced by the newer admin tools. Again, the domain functional mode has little to do with Group Policy. I talked about that one before. The things that we care about are the administrative tools and the client support for the policy functions. So of course it can.

Here’s the confusion-reducing scoop: Group Policy as a platform relies on only two main components. One is Active Directory, which stores metadata about the policy objects and lets clients discover the location of the policy files. The other is the SYSVOL, which stores the policy files. So at its core that’s LDAP and SMB file shares. Specific extensions on top of the policy platform may require certain domain functionality, but that’s very specific to that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema updates; GP itself does not. So if you don't currently use them then you don't have to update schema.

So provided you’re using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies, you get all the benefits when managing downlevel clients. That means eliminating SYSVOL bloat. That means all the joys of Group Policy Preferences. Honestly, it amazes us the number of IT Pros that still haven’t discovered GPP…especially with the power it has to practically eliminate logon scripts!

As a last point – IT Pros also ask us when we will be producing an updated GPMC version for Windows XP to support all the new stuff. The answer is that we are not producing any updated GPMC versions for Windows XP and Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead! There are some really good benefits in the newer tools and very low impact to your current environment. You only need a single Windows Vista SP1 machine to start!

Locking down AGPM for least privilege

I actually wrote this post a while ago on my blog and forgot to cross-post it to the GP blog. Bad me...though I have updated it recently with new information! :)

Essentially it's the minimum permissions you need to run AGPM without Domain Admins access given to the service account...

Hope this helps!

 Michael Kleef, Program Manager, GP

 

Group Policy in Windows 7

PowerShell! The name alone should get you excited. Wait until you see all the cool stuff you can do with PowerShell in the Windows Server 2008 R2 and Windows 7 release of the Group Policy management tools. For those of you who have yet to learn PowerShell, hopefully this will help motivate you. You will be able to…

 

a)      Add PowerShell scripts to logon/logoff and startup/shutdown

b)      Use cmdlets to do a lot of what you’ve been using the GPMC UI or GPMC Sample Scripts for (creating new GPOs, linking, making backups…)

 

<drumroll please…>

 

c)       Configure GPO registry settings from the PowerShell commandline

 

Holy cow! If you aren’t excited, it’s only because you don’t know what the word cmdlet is yet, but you can find out!

 

Here’s how:

 

Don Jones is a great writer for people of every level:

               

Here are some of his great reasons to use PowerShell with some cool tricks you can use right away for troubleshooting and management:

http://technet.microsoft.com/en-us/magazine/cc160873.aspx

Check this out from the article:

 

Top 10 Cmdlets to Start Using Immediately
  • Get-Command retrieves a list of all available cmdlets.
  • Get-Help displays help information about cmdlets and concepts.
  • Get-WMIObject retrieves management information by using WMI.
  • Get-EventLog retrieves Windows event logs.
  • Get-Process retrieves a single or list of active processes.
  • Get-Service retrieves a Windows service.
  • Get-Content reads in text files, treating each line as a child object.
  • Add-Content appends content to a text file.
  • Copy-Item copies files, folders, and other objects.
  • Get-Acl retrieves access control lists (ACLs).

For a complete list of cmdlets that ship with Windows PowerShell, go to windowssdk.msdn.microsoft.com/en-us/library/ms714408.aspx
 

 

 

Here, he’s showing you how to build a software inventory tool using WMI cmdlets in a 6 minute video with accompanying article:

http://blogs.technet.com/tnmag/archive/2008/10/21/windows-powershell-building-your-own-software-inventory-tool.aspx

 

 

The Scripting Guys are hilarious and helpful.  This is some of the stuff I liked that they wrote:

 

Get-Service; a quick way to get your hands dirty with something you can use right away

http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/get-service.mspx

 

Format-List; how to make your results useful to you

http://www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/format-list.mspx

 

This is their archive of Windows PowerShell Tips:

http://www.microsoft.com/technet/scriptcenter/resources/pstips/archive.mspx

 

Let me know what resources you like in the comments, I can always learn more.  Keep looking to this blog for more details on GP’s new cmdlets…

 

Hope this helps,

 

Lilia Gutnik

Group Policy, PM

Do I need to update my server to support new policies? When do I need to separate policies?

I just blogged about this very question over on my blog. Essentially the question we hear a lot is: do I need to update Schema/Active Directory/Servers/functional modes etc. to support a new client OS version? I won't revisit that

Sometimes there's a need to separate policies for specific OS functions but not to "update" them. Which begs the question then....

When do I need to separate policies?

When Vista came along it introduced new functions that radically changed how some things were managed. Examples of this, though not exhaustively listed are:

1. Firewall

2. IPSEC

3. Wireless config

4. Auditing

In these instances you really need to separate out the policies, as older settings that were designed for XP/2003 can have an unpredictable effect on Vista/2008 and it can be difficult to diagnose the overlap in the application of settings. Think about IPSEC being applied to the client through both the older method of IPSEC policy and Vista's newer method!

The best practice here is to make sure you separate out your XP/2003 policies from your Vista ones. You can use WMI filters (assuming you have no Windows 2000 left in your network), ACLs with groups (Read/Apply method), or even separation into different OUs.

Michael Kleef

Program Manager

Troubleshooting: Quick Fixes

 Everyone has their own troubleshooting quick checks; here are some that you may know well, and others you haven’t tried yet.

 

Logon/Logoff

 

 Some policies applied only after the second logon, not after the first logon. What’s the deal?

Anything that is set to run synchronously won’t run until after the second logon. Examples of this include scripts that are set to run synchronously and Software Installation policy. Note that Software Installation policy can run asynchronously also, but behaves differently in that mode.

 For more on this, check out: http://grouppolicy.editme.com/ClientSideProcessing, the “Forced into Foreground” section.

 

 

Linked / Enabled

 

 I set up a perfect GPO, why do I not see any of the expected results?

 

Check to make sure that it is…

 

 a) Linked

 

 

 

 

Notice how SalesGPO is linked to the domain; you can tell because it has that icon next to it. Even the most elegant GPO is useless until it’s linked to something.

 

b) Enabled.  

 

 

 

 

If the Computer side of the GPO is disabled, and your setting is relevant to the Local Machine, the setting will not take effect. The drop down pictured here is where that can go wrong, so make sure to check the status drop down of the details tab.

 

c) Applicable (passes through the right filters and permissions).

 

 

Check the scope tab to make sure the GPO isn’t being filtered out because of permissions or WMI Filters.

 

Gpupdate

 

Yes, I know it may seem obvious, but sometimes it’s that next gpupdate /force that can make the difference. Why does the second gpupdate work when the first one doesn’t? It’s possible that your link was too slow the first time you tried a gpupdate; several CSEs (for example: folder redirection, software installation, and scripts) do not process over a slow link.

For the complete list, go here: http://grouppolicy.editme.com/SlowLinks.

 

 

Preferences – Targeting

 

GP Preferences has a really clean UI experience  to set up targeting for a Preference item, why is my Preference item not showing up?

 

 Make sure the targeting makes sense; check the and’s and or’s to make sure you’re not creating an impossible requirement. Can one machine be in 2 IP ranges at the same time? Did you hard code a user name when you meant to use a variable?

 

 

 

 

Helpful Tool: GPLogView (download it!)

 

GPLogView is a downloadable tool that you can use to export GP event data from the system and operational log and output it into a txt, HTML, or XML file. Note that it works with Vista and above, not XP or Windows Server 2003. You can use it to filter the event log by Activity ID (all the events that correlate to one specific gpupdate) with the -a flag.

 

 

 

 

You can also set it up to run in monitor mode and watch events of a gpupdate in real time with the -m flag. The command “gplogview.exe -m” opens the channel to read from the event log; then, in a separate command window, do a gpupdate and watch the gplogview window scroll through the events as they happen.

 

 

 

 

Or (this is my personal favorite) pipe out the event log into a color-coded HTML file with -h (for HTML) -o (output) <filename>. Each color corresponds to an Activity ID, so it’s easy to visually pick out what you are looking for.

 

 

 

 

Hope this brief refresher helps save you some time!

 

Lilia Gutnik, Program Manager

 

AGPM 3.0 doesn't preserve all the Deny ACEs

We had a great customer question today on AGPM 3.0 that would probably interest quite a few of you using AGPM.

"...A customer imports some GPOs [into AGPM] in order to change control them. Some of the GPOs have Deny permission for particular users that have administrative rights or similar. After changing the GPOs with AGPM methods (check out, check in) he uses “Deploy” to roll out the changes. At this point the Deny ACEs get deleted. Why are the Deny ACEs being stripped?..."

 

It's important to understand that AGPM is intended to be the central change control application for GP. We don't actually want ACEs being preserved from what's there; we actually want AGPM to be in control.

Anyway, I checked this out myself and found that AGPM 3.0 will only preserve the Deny ACE for "Apply". This means that if you have custom security filtering on a specific group or user that you want specifically excluded from having policy applied to it, we will ensure that it doesn't get applied by preserving this permission. We don't, however, preserve all the individual Deny permissions.

 

Why are you doing this?

 

This is by design in AGPM 3.0. Here are the interesting things you may not have considered:

  1. There are two parts to the GP ACL. There's the Security Filtering and the Administrative Delegation (AGPM calls this Production Delegation). One is the application of policy, the other is the administration of policy, though they actually appear in the same list
  2. Remember the Deny ACE overrides everything
  3. We need both Read and Apply to get policy to apply. If we don’t have either one we effectively stop policy applying for that object
  4. Read is also required in order to administer policy – it’s the only common permission to both the application and administration of policy

So in AGPM 3.0 we now have the ability for it to control the administrative (production) delegation that gets applied to the policy object, and we override (and rewrite) the security descriptors for the GPO. This can ensure that every GPO is stamped with an ACL that mandates that control of that GPO belongs to AGPM, so you provide access to those that need it within AGPM, not within GPMC.

 

The other part of this is the Security Filtering, and it's important we preserve any explicit controls an admin has made to prevent a user having a policy apply to them - including a Deny...which leads to the next question...

 

So why is the Read being stripped then? Isn't it Read and Apply that both should be being preserved for the Deny?

Remember, we need Read and Apply. If we don't have either one of these then the policy won't apply to us. There is a downside though if we did this. Think, for example, if we set a Deny ACE on Domain Admins for a specific policy for Read and Apply (Security Filtering) and preserved the ACE of Deny for Read. That would combine with our production delegation from AGPM and suddenly the Domain Admin wouldn’t be able to Read that policy in order to be able to administer it.

By only preserving the Deny ACE for Apply, we effectively preserve the desired outcome for Security Filtering (that is: We stop that policy processing) but we also preserve the correct desired outcome for administration.
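
A small model of the reasoning above, added here as an illustration and not AGPM's own code. It applies "Deny overrides everything" to a constructed ACL and compares preserving Deny for Apply only with the hypothetical alternative of preserving Deny for Read and Apply. The ACE objects, the `Edit` right (standing in for administrative rights) and the function names are assumptions made for the example.

```powershell
# Simplified model of GPO ACL evaluation (added example, not AGPM code).
# Rights are modelled as the strings 'Read', 'Apply' and 'Edit'; 'Edit' stands in
# for the administrative rights granted by Production Delegation (assumption).

function New-Ace {
    param([string]$Trustee, [string]$Type, [string[]]$Rights)
    [pscustomobject]@{ Trustee = $Trustee; Type = $Type; Rights = $Rights }
}

function Get-EffectiveGpoAccess {
    param([object[]]$Aces, [string[]]$MemberOf)

    # ACEs that match any group the principal belongs to
    $mine    = @($Aces | Where-Object { $MemberOf -contains $_.Trustee })
    $denied  = @($mine | Where-Object { $_.Type -eq 'Deny'  } | ForEach-Object { $_.Rights })
    $allowed = @($mine | Where-Object { $_.Type -eq 'Allow' } | ForEach-Object { $_.Rights })

    # Deny overrides Allow: a right is effective only if allowed and not denied
    $effective = @($allowed | Where-Object { $denied -notcontains $_ } | Select-Object -Unique)

    [pscustomobject]@{
        PolicyApplies = ($effective -contains 'Read') -and ($effective -contains 'Apply')
        CanAdminister = ($effective -contains 'Read') -and ($effective -contains 'Edit')
    }
}

function Get-DeployedAcl {
    param([object[]]$OriginalAces, [object[]]$ProductionDelegation, [string[]]$PreservedDenyRights)

    # Production Delegation replaces the ACL; Deny ACEs survive only for the preserved rights
    $denies = @($OriginalAces | Where-Object { $_.Type -eq 'Deny' })
    $kept = @(foreach ($ace in $denies) {
        $rights = @($ace.Rights | Where-Object { $PreservedDenyRights -contains $_ })
        if ($rights.Count -gt 0) {
            New-Ace -Trustee $ace.Trustee -Type 'Deny' -Rights $rights
        }
    })
    @($ProductionDelegation) + $kept
}

# --- Constructed sample ACLs ---
$original = @(
    New-Ace -Trustee 'Authenticated Users' -Type 'Allow' -Rights 'Read', 'Apply'
    New-Ace -Trustee 'Domain Admins'       -Type 'Deny'  -Rights 'Read', 'Apply'
)
$productionDelegation = @(
    New-Ace -Trustee 'Authenticated Users' -Type 'Allow' -Rights 'Read', 'Apply'
    New-Ace -Trustee 'Domain Admins'       -Type 'Allow' -Rights 'Read', 'Edit'
)

$cases = [ordered]@{
    'Deny kept for Apply only (AGPM 3.0, per the post)' = @('Apply')
    'Deny kept for Read and Apply (hypothetical)'       = @('Read', 'Apply')
}

foreach ($case in $cases.GetEnumerator()) {
    $acl   = Get-DeployedAcl -OriginalAces $original -ProductionDelegation $productionDelegation `
                             -PreservedDenyRights $case.Value
    $admin = Get-EffectiveGpoAccess -Aces $acl -MemberOf 'Domain Admins', 'Authenticated Users'
    $user  = Get-EffectiveGpoAccess -Aces $acl -MemberOf 'Authenticated Users'

    [pscustomobject]@{
        Case                 = $case.Key
        PolicyAppliesToAdmin = $admin.PolicyApplies
        AdminCanAdminister   = $admin.CanAdminister
        PolicyAppliesToUser  = $user.PolicyApplies
    }
}
```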

 

Hope this helps to clarify!

 

Michael Kleef

Program Manager - AGPM

Red / Green Underlining continued: Using Preferences to set IE settings like preference, or like policy

How to: use F5-F6-F7-F8 to control what settings you want pushed out, lock down the Advanced tab with a preference setting to act like policy

 

Last time I talked about how to use the F5-F8 keys to get the granularity that we love so much about Preferences. Now, time for an example of using GP Preferences, then creating a policy that takes advantage of the fine-tuned nature of Preferences and locks it down with Policy. Say you only want to push out a Preference that configures the Phishing filter settings in the Advanced tab in IE7. Create a new IE7 Preference item and navigate over to the Advanced tab: there are all the settings you could manage. Try lighting them all up; F5 turns them all green, F8 turns them all red. End up with F8 for now, keeping them all ignored (red), as you’re only looking to set up one setting. F6 and F7 act on the most recently touched setting, so be precise with what you want. Select the check box for turn on automatic website checking, now press F6. Green circles! Just that setting now has green circles, and all the rest are red. You can flip back and forth here with F7 to set it to red again, F6 to bring it back, etc. If you select another setting, F6 and F7 will act on that new setting. There! Now you have configured a setting and ensured that exactly the one you specified will be paid attention to.

 

 

 

Now we can build on this using Policy as well. This will keep our Preference settings and lock them down so that users cannot make changes to it. So you’re setting a user preference (that you wouldn’t be able to dictate with policy), but enforcing it to be unchangeable like policy.  In the example above, we set one setting in the Advanced tab of IE7. That’s the Preference part. Do a gpupdate and you’ll see that setting is now set, but users can change it back to whatever they want, a true preference.

 

Now find the Policy setting that says “Do not let users change Advanced Tab in IE”. Gpupdate again, and you’ll see that the Advanced tab is greyed out, preventing the User from changing anything, but the setting within that is what was described in the Preference. The Preference setting is now locked in and unchangeable, like Policy! Sweet.  

 

Hope this helps,

 

 Lilia Gutnik

 Program Manager

Restoring Default Domain Policies and SYSVOL to their defaults

We have stated a number of times through a number of forums that it's not a great practice to muck around with the Default Domain Policy and the Default Domain Controllers Policy. In fact it's actually a really bad practice...same goes with the SYSVOL. Just don't screw around with it.

We recommend that if you want to apply policy specifically at the domain level or to your DCs, you create your own policies and put them side by side, and don't touch the preexisting ones.

So what happens if you have done this and now want to restore the default policies back?

There's a tool called DCGPOFix. All this does is restore the Default GPOs back to their defaults. For Windows 2000 you can download it. For Windows Server 2003 and 2008 it's built in, so don't download and install the older one. There are a couple of issues here and here that you need to be aware of.

What happens if I've trashed SYSVOL?

To (basically) recreate SYSVOL:

1. The best idea is to recreate it from another DC - like this article says.

2. Then, assuming it's in the default location, restore the security descriptors using this method and restart FRS. Look to this article for assistance.

3. Verify its all working with Ultrasound which you can get here

Err...my SYSVOL is a little more trashed than that??

I'm sorry to hear that. Here's the advanced information to recreate SYSVOL.

If that basic guide doesn't work properly or you don't have a DC to get it from, you will need to do a manual recreation. This isn't easy and is considered last resort information. Here's the guide for it. Essentially this will walk you through a manual step by step guide on how to set up everything in it and get FRS working again. Note that this is FRS, not the newer DFS-R replicator. If you are using DFS-R to replicate SYSVOL - DO NOT use this method as you will likely wreck your SYSVOL. Once it has been switched it has to stay that way.

Hope this helps. Good luck.

 

Michael Kleef

Program Manager

 

Red / Green: GP Preferences doesn’t work even though the policy applied and after gpupdate /force

I set a Preference setting, but it didn’t work.  The answer? Probably F5-F6-F7-F8.

 

GP Preferences has a ton of compelling reasons to use it; the functionality allows admins to configure settings that are difficult to impossible to achieve through policy (deploying shortcuts, setting up drive maps, managing devices…) and the configuration UI is eerily familiar to what the user’s UI looks like to configure the same settings. Pretty easy to figure out where everything is when you already know the layout, right? The subtlety, however, is in knowing when you have actually set the configurations to be captured in the preference item and set to be applied with F5-F8 keys, indicated by the red or green icons.

 

This is my favorite example of the sweet UI and the subtle differences. These are the Internet settings options I see as a user for IE7:

 

  

 

And these are the same two tabs in Preferences. Notice the only difference in the Preference dialogs vs. the user is the right-most Common tab (where all of the interesting targeting and special behavior rules can be set up).  

 

The other difference is the red dashed line or green circles that hover around the configuration options. What does this mean? Why is it there? And more importantly…how am I supposed to use it?

 

Look at all those options  you can adjust in the Advanced Tab; that’s a lot of granularity and a lot of work to get exactly right. Instead of forcing admins to modify every single setting when they configure an IE option, Preferences offers the ability to pick and choose which setting choices the admin wants to be pushed out. Those that are red underlined (or have a red circle next to them) are going to be ignored. Those that are underlined with a green solid line (or next to a green circle) are going to be noted, captured in the GPO, and enforced on the target user or computer. So I can make a Preference item that only captures three or four settings out of a whole menu of settings. Cool, right?

 

 

 

To ensure you aren’t pushing out unwanted settings, settings are ignored by default; this is indicated with red-dashed-underlined or a red circle icon. This is true of the home page, for example (you can see the red dashed line in the image above). If you do not consciously make the choice to have these settings captured, they will be ignored. No green line/circle, no configuration.  This is what causes most people to have issues with Preferences; they go through all the work of configuring the settings they want, set up targeting, link the GPO, gpupdate…nothing changes. The GPO applied in the report, but what happened? The settings were still set to be ignored, so nothing was pushed out.

 

 

The mechanism to specify or ignore settings is controlled by the F5 – F6 – F7 – F8 keys. They are grouped in pairs: the outer keys (F5, F8) and the inner keys (F6, F7). The outer keys manage all the settings at once; F5 makes everything count, so all the settings get green-underlined. F8 sets them all to be ignored, red-dashed-underline. F6 and F7 work on individual settings; F6 will light up one setting at a time, F7 will set one setting to be ignored. Here’s a diagram, hopefully it doesn’t make it more confusing. I’ll write up some examples for the next blog post, hope this helps so far!

 

Lilia Gutnik

Program Manager

PolicyMaker Preferences Migration tool

To keep you in the loop, many of you have asked whether we intend to provide support for PolicyMaker Preferences and migrate to Windows Server 2008's Group Policy Preferences.

 

I can confirm we are currently testing a tool that will be able to perform this migration. We are pleased with the quality of the tool and are currently completing testing passes before release. At this time we can provide an indicative release date of a mid to late Q4 CY08 release though this depends on feedback from the testing group. We will be providing more information nearer to the release on this blog in the coming weeks to keep you updated as to the progress.

 

Michael Kleef

Program Manager

Drive Mappings in Logon Scripts not working correctly

A while ago we had a customer call come in. The customer had a major problem in Windows Server 2008. When they tried to map drives through a script it didn't work.

The customer had initially applied a login script as a startup script and then changed the GPO settings to a login script under User Configuration. These GPOs were applied at the domain level. I know you're thinking already...they didn't modify the Default Domain Policy, right? Dunno but I hope not! (For those of you that don't know, it's not a best practice to modify the default domain policies. It's always a better thing to create your own policies and link them.)

Anyway, on any Windows Server 2008 Terminal Server box, when the user logged on, first two drives were showing disconnected. On any other machine, no drives are mapped.
When someone manually runs the script, it gives an error "The Local Device Name is already in use". Odd...

After initially checking the configuration of the GPO, the support person browsed through the script and found that there was an extra backslash at the end of the share path, like \\servername\share\ instead of \\servername\share.
Once the customer removed the backslash and refreshed the GPO, it applied successfully on the Windows Server 2003, Vista and Windows XP machines but not on the Windows Server 2008 TS, Domain Controllers and Exchange Servers. A quick reboot on one of them confirmed that all was good.

Who would have thought? A simple backslash!

Michael Kleef

Program Manager

Advanced Group Policy Management 3.0 RTM's!

As noted on the Microsoft Desktop Optimization Pack (MDOP) blog announcing the latest MDOP release, AGPM 3.0 has RTM'd. For those customers licensed for MDOP, this means you'll have it in your hands around the first week of October 2008 via the MVLS site.

New features in AGPM 3.0 are: 

  • Full x64 support: Both the client and server components fully support x64 architecture and operating systems. There is a 64-bit and a 32-bit version of both the client and server. WoW64 is not supported. This means that a 64-bit version of AGPM must be installed on a 64-bit version of the host operating system and a 32-bit version of AGPM must be installed on a 32-bit version of the host operating system. Communication between different bitness client and server is fully supported. This means that a 64-bit AGPM client can communicate with a 32-bit AGPM server and a 32-bit AGPM client can communicate with a 64-bit AGPM server.
  • Windows Vista SP1 & Windows Server 2008: Significant changes have been made to the GPMC in these OSs and AGPM depends on the GPMC interfaces extensively. Therefore this version of AGPM is only installable on Windows Vista SP1 with Remote Server Administration Toolkit (RSAT) or Windows Server 2008. Windows Vista SP1 does not have the GPMC integrated into the operating system. The GPMC needs to be installed on Windows Vista SP1 through an optional tool called RSAT prior to installing either the client or server. Note: Although version 2.5 will still be available for customers who do not plan to upgrade to these operating systems, the version 3.0 client or service will not communicate with the version 2.5 client or service.
  • Customizable permissions: Version 3.0 allows the permissions deployed to a GPO in production to be customized. The default permissions are the same as version 2.5; however, custom permissions can be configured for each domain. The permissions configured on the “Production Delegation” tab will replace any permission already on a production GPO when it is controlled or deployed from the AGPM server. Applying the above permissions to the production GPO when taken into AGPM control will prevent changes to production GPOs from outside of AGPM as soon as a GPO is controlled.
  • More robust change tracking: The AGPM history has been changed to track more changes made to GPOs such as when/who made a request, when/who Approved/Rejected the request, when/who made changes to AGPM delegation, etc.
  • Purge historical data: This version gives the AGPM administrator the ability to purge old data by specifying on the AGPM Server tab how many historical versions to retain. Purging old data deletes the data (GPO backup) from the archive so this data is no longer accessible. The information about the historical action is, however, retained in the history and an entry is recorded in the history that data was purged. This means that if a checked in GPO from 6 months ago was purged, reports, etc. cannot be run against it but the history view still shows that a check-in was performed.
  • Group Policy Preferences support: This version fully supports the new Group Policy Preferences (GPP) functionality added to Windows Server 2008.
  • General UI improvements: Changes have been made to field names and ordering to better describe the information contained in the field. Additionally the order in which the fields are displayed has been changed to make more pertinent information easier to find.
  • Localization: Localized in 11 additional languages.

Shortly I'll be doing a small screencast to show you what AGPM 3.0 can do and how it can help deliver improved change management and auditing to your Group Policy environment. More to come!

Michael Kleef

Program Manager - AGPM

 

 

Passwords in Group Policy Preferences

Have you ever wanted to configure a preference item to include a specific user name and password? You can do so in several types of preference items, but if you are working in a high-security environment you should first consider the security ramifications of embedding a user name and password in a preference item.

Where can you use passwords?

  • Local User preference items: When you create or modify a local user account, you can specify both a user name and a password for the account.
  • Data Source preference items: If a user name and password are required to access the data source, you can provide them in the preference item. If you do so, end users to whom the preference item applies can access the data source regardless of their own permissions, but only if the specified account has the necessary permissions.
  • Mapped Drive preference items: You can specify the user name and password to be used to connect to a mapped drive. If you do so, end users to whom the preference item applies can access the mapped drive regardless of their own permissions, but only if the specified account has the necessary permissions.
  • Scheduled Task or Immediate Task preference items: You can configure a scheduled task to run under the security context of a specified user (allowing the task to run regardless of whether that user is logged on), by selecting the Run as check box and providing a user name and password.
  • Service preference items: You can modify which account the service runs under by selecting Local System account or by selecting This account and specifying a user name and password.

For the user name in a Data Source, Mapped Drive, Scheduled Task, Immediate Task, or Service preference item, you can specify a local user account on multiple computers using the format .\UserName, or a domain account using the DomainName\UserName format.

Are passwords in preference items secure?
Passwords in Group Policy preference items are protected using 256-bit AES encryption. In the XML source code of a preference item, the password does not appear as clear text; it is encrypted. The client reads the XML, decrypts the password, and implements the configuration.

Although passwords in Group Policy preference items are encrypted, they are not completely secure and therefore are not appropriate for situations requiring high security. Consider the security requirements of your situation, and use discretion when deciding whether to include passwords in preference items.
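
One way to inventory which preference items carry an embedded password, so they can be reviewed or removed; this is an added example, not code from the post or from Microsoft. Preference XML lives in SYSVOL, which domain members can read, so the inventory matters in any environment that treats these accounts as sensitive. The code assumes the encrypted value is stored in a `cpassword` attribute and the account name in `userName`, `runAs` or `accountName`; the function name and the sample GPO folder are constructed for illustration.

```powershell
# Added example: list Group Policy preference items that embed a password.
# Assumptions: the encrypted value sits in a "cpassword" attribute, and the
# account name in "userName", "runAs" or "accountName" on the same element.
# The value itself is never output or decrypted; only its location is reported.

function Find-GppEmbeddedPassword {
    [CmdletBinding()]
    param(
        # Root of the GPO folders, e.g. \\<domain>\SYSVOL\<domain>\Policies
        [Parameter(Mandatory = $true)]
        [string]$PoliciesPath
    )

    Get-ChildItem -Path $PoliciesPath -Recurse -Filter '*.xml' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $xml  = New-Object System.Xml.XmlDocument
            try {
                $xml.Load($file.FullName)
            } catch {
                Write-Warning "Skipping unparsable XML: $($file.FullName)"
                return   # move on to the next file
            }

            # GPO folders are named after the GPO's GUID
            $gpoId = ''
            if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $gpoId = $Matches[0] }

            # Any element with a non-empty cpassword attribute
            foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                $item     = $node.ParentNode
                $itemType = ''
                $itemName = ''
                if ($item -is [System.Xml.XmlElement]) {
                    $itemType = $item.LocalName
                    $itemName = $item.GetAttribute('name')
                }
                $account = 'userName', 'runAs', 'accountName' |
                    ForEach-Object { $node.GetAttribute($_) } |
                    Where-Object { $_ } |
                    Select-Object -First 1

                [pscustomobject]@{
                    GpoId    = $gpoId
                    ItemType = $itemType
                    ItemName = $itemName
                    Account  = $account
                    File     = $file.FullName
                }
            }
        }
}

# --- Constructed sample data (not from a real domain) ---
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'gpp-audit-demo\Policies'
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000001}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalSupport">
    <Properties action="U" userName="LocalSupport" cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
  <User name="NoPasswordHere">
    <Properties action="U" userName="NoPasswordHere" cpassword="" />
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Encoding UTF8

Find-GppEmbeddedPassword -PoliciesPath $root | Format-Table -AutoSize
```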

Linda Moore
Technical Writer, Group Policy

Share your feedback on managing Windows Servers with the Group Policy Team!

The Group Policy team at Microsoft would like to hear from you about how you currently manage your servers and server-based applications and how you’d like to manage them in the future. Please take this anonymous online survey at http://www.surveymonkey.com/s.aspx?sm=9rTLNIcDd2kuU8addj0iUw_3d_3d by July 15th and help shape the future of server manageability!

 

Thanks so much!

 

The Group Policy Team

Extending Group Policy Preferences

The Group Policy preference extension is designed to allow developers to extend the Application preference item. For those applications that are currently unsupported by Group Policy preferences, you can create your own property sheet extension for the Application preference item.

And we have added some instructions for how to do this in MSDN. For more information check out the topic, "About Group Policy Preferences", http://msdn.microsoft.com/en-us/library/cc512161(VS.85).aspx.

Judith Herman, Group Policy Programming Writer
