
How do I migrate PolicyMaker Items to Group Policy Preference Items?

PolicyMaker customers have been waiting for an easy way to migrate their PolicyMaker settings over to Group Policy Preference settings. The solution is finally here!! We have developed a commandline tool that you can run against your environment to find all of your PolicyMaker settings and convert them to Group Policy preference settings. Download the tool from the Microsoft download page.

For more information about the tool, Mike Stephens has put together a very comprehensive blog post covering the new tool and its use on Ask the Directory Services Team.

MarkG
Group Policy Program Manager

Power Management in Group Policy – What do you do?

Green is the color of the decade, at least for the moment. What can you do from a Group Policy perspective? More than you might think. What do you do to manage power settings with Group Policy? Answer in the comments.

Before Al Gore warned about the plight of the polar bear, GP admins could configure power management with ADMX settings delivered for Vista. 

With Vista SP1 / Windows Server 2008, Group Policy delivered Group Policy Preferences. This introduced the ability to configure user settings as an admin with the underlying plumbing of policy.

And in Windows 7 / Windows Server 2008 R2, admins can configure power plans for Vista and beyond. So here’s the question: what do you do to manage power? Do you configure power settings for XP using Group Policy Preferences? Respond if you do (or don’t!) in the comments.

Thanks for your feedback,

LiliaG, Group Policy PM

Posted by GPTeam | 2 Comments

Video on TechNet Edge: Searching for settings in a GPO

Want to see what firewall ports you’ve configured on every GPO in your domain in under 10 seconds? Want to meet some Group Policy team members?

Wish Michael Kleef a happy birthday and watch Lindsay and I walk through the “Search GPOs for any setting” PowerShell script she posted a few weeks ago. Get it with examples here and here.

 


Link here: http://edge.technet.com/Media/Using-PowerShell-to-manage-GPOs/

Let us know what other Group Policy walk-throughs you’d like to see us do in the comments, either here or on the Edge site.

Hope you like it,

LiliaG, Group Policy PM

Posted by GPTeam | 1 Comments

SYSVOL migration from File Replication Services (FRS) to Distributed File System Replication (DFSR)

It’s come to my attention (in a blunt object kind of way) that you’ve been waiting to migrate from Windows XP to Windows 7, bypassing Windows Vista. In case you’ve done the same with your servers, you’ve got some fun work coming up (but lots of cool features, so it’s more than worth it).

Here’s a cool post from the AskDS (Directory Services Team) blog with links to new TechNet articles about migration from File Replication Services (Windows Server 2000 and Windows Server 2003) to Distributed File System Replication (Windows Server 2008).

 

“Ned here. It's done, it's out, come get it, stop yelling at me! :-)

SYSVOL Replication Migration Guide: FRS to DFS Replication (TechNet Version)
SYSVOL Replication Migration Guide: FRS to DFS Replication (Word Doc Version)

Be sure to also run through some of these (possibly) useful accompanying pieces:

Verifying File Replication during the Windows Server 2008 DFSR SYSVOL Migration – Down and Dirty Style
DFSR SYSVOL Migration FAQ: Useful trivia that may save your follicles
KB968733 (hotfix for migration under certain RODC scenarios)
KB967326 (hotfix for migration under disjoint name space scenarios)

- Ned 'Yes, my middle name is DFSR' Pyle”

Thanks Ned!

- LiliaG, Group Policy PM

p.s. also from the AskDS blog: Venture into the life of an IT pro with this clever “8 bit” game, posted here: http://www.microsoft.com/click/serverquest/

Environment Variables in GP Preferences

There was a great question in the blog comments. I’m going to post the answer up here because I think the answer is cool.

Can a location (UNC) be set using both an environmental variable and a static entry?

I'll explain by example.  Let's say that there are shares named %username%Folder (FredFolder, SallyFolder, EricFolder, etc.).  Is there a way to set this as the location in a single GPP item for all users?  I've already determined that \\server\Users\%logonuser%Folder won't work.  Is there some syntax that can make this happen?

In fact, that is how you do it. The issue here is not of syntax, but more likely of placement. A potential problem in the above example is if the preference item was created under Computer Configuration; it should have been under User Configuration to be properly resolved.

Here are some examples:


The XML for this item is below: copy/paste that into an XML document (notepad file, save as .xml), drag that file into your Preference Folder Item’s window and you will have a preference item that updates a folder called “SimpleFolder” on every user’s desktop. Open up the item to verify this!

<Folder clsid="{07DA02F5-F9CD-4397-A550-4AE21B6B4BD3}" name="SimpleFolder" status="SimpleFolder" image="2" changed="2009-05-13 23:45:06" uid="{B484D1CF-3C08-4DD3-86EE-1293EBD346F9}" bypassErrors="1">
 <Properties action="U" path="%DesktopDir%\SimpleFolder" readOnly="0" archive="1" hidden="0"/>
</Folder>

Here’s one using LogonUser:

This configuration creates a folder on the Desktop using the logged on user’s name + the string “worksWell”. Here’s the XML:

<Folder clsid="{07DA02F5-F9CD-4397-A550-4AE21B6B4BD3}" name="%LogonUser%worksWell" status="%LogonUser%worksWell" image="2" changed="2009-05-13 23:57:19" uid="{AC4D0C72-21C1-4D07-84FC-9E0595F8EFB2}">
 <Properties action="U" path="%DesktopDir%\%LogonUser%worksWell" readOnly="0" archive="1" hidden="0"/>
 </Folder>

To access these environment variables, just press F3 and you’ll see a window come up with all of your options. Remember to check the “Resolve variable” box at the bottom of the dialog.


To read more about creating folder preference items, read this TechNet article.

 

Hope this helps,

LiliaG, Group Policy PM

Thanks to:

Mark Gray, Group Policy PM and RajiveK, Group Policy Software Developer Engineer

Posted by GPTeam | 0 Comments

Group Policy at Tech Ed 2009 keynote: Mark Russinovich demos Group Policy PowerShell cmdlets

During this morning’s keynote at TechEd 2009 in Los Angeles, technical fellow Mark Russinovich demonstrated the Set-GPRegistryValue cmdlet. He points out the power of scripting; a few lines created a GPO, configured a registry value, and linked it to an OU. A few changes would link that same GPO to any number of OUs, domains, etc.

When it's up, I'll post it. Group Policy in the keynote!

[EDITED] Watch it here : http://www.msteched.com/online/view.aspx?tid=6fc7b7da-2d2d-4e57-9acf-cf77890a1738 

If that link is troublesome for you, navigate to the 'keynote' talk from here: http://www.msteched.com/online/home.aspx

Watch it at the 52 minute mark until 56 minutes for the Group Policy - PowerShell bit, where he demos configuring IE8 specific settings using the Set-GPRegistryValue and New-GPLink. He talks about AppLocker beforehand, which is pretty interesting as well. There's a lot of great content in this keynote, I'm glad that Group Policy was included.

LiliaG, Group Policy PM

Posted by GPTeam | 1 Comments

Group Policy on TechNet Edge

Watch Michael Kleef and I talk about what’s new in Group Policy in Windows 7 and Windows Server 2008 R2 on TechNet Edge. We’re on the front page today!

Go here: http://edge.technet.com/Media/Whats-New-in-Group-Policy/ to check it out.

The video’s a bit long (18 minutes) but it talks about some examples of using the PowerShell cmdlets and shows off some of the new ADMX settings available (including BitLocker and Advanced Audit Policy settings).

We’re planning a set of shorter videos that just cover one topic at a time and include an over-the-shoulder demo example. What would you like to see? Here are some of our suggestions:

  • GP Preferences
  • PowerShell cmdlets – GPMC styled
  • Starter GPO’s
  • Troubleshooting – using the Event Log, using trace logs

Cast your vote in the comments and look for more of our smiling faces on TechNet Edge soon.

LiliaG, Group Policy PM

Note: For some reason I roll my eyes a lot in the video, but I assure you I’m not being sarcastic! My voice was hoarse when we recorded it so I tried to emphasize important points with my facial expression, but I don’t think it translates that well. Let me know what you think in the comments.

Microsoft Management Summit 2009

I just got back from another great MMS in Las Vegas and I’d like to thank everyone who stopped by the booth, attended the Group Policy-related sessions, and asked great questions about Group Policy and AGPM (thanks to Chris for Tweeting about it!). I’m so glad to see that more and more people are using Group Policy Preferences.

Are you using Group Policy Preferences in your environment? Do you have an interesting example of targeting? A great drive mapping? Post your examples in the comments. (Just copy and paste the relevant XML and/or describe what you did.)

For those of you who are curious about the specific blog posts I mentioned with script samples, here they are:

Drive Mapping with GP Preferences

Find any setting in every GPO (part 1, part 2) (PowerShell script)

Set a registry key (PowerShell cmdlet)

Backup all GPO’s modified in the last month (PowerShell script)

Troubleshooting using the Event Viewer

TechEd is right around the corner and we Group Policy folks will be there to keep talking about these topics, answer questions, and be our charming Group Policy selves. Come say hi to Michael, and be sure to ask him about his New Zealand accent.

LiliaG, Group Policy PM

Office 2007 SP2 Group Policy Administrative Templates Released

Go Office team! They just released the new Administrative Templates for Office 2007 SP2. From the download website:

“…This download includes updated Group Policy Administrative Template and Office Customization Tool OPA files; an updated Office Customization Tool; and ADMX and ADML versions of the Administrative Template files. This update assumes that you have updated your 2007 Office System applications with the 2007 Office System Service Pack 2 (SP2)…”

Download the goodness here

Michael Kleef, Program Manager

Posted by GPTeam | 3 Comments

PowerShell Script with GP cmdlets: Registry setting, Link

 The following is a sample script that sets a Preference registry value in a GPO, then compares that same value to all of the GPO's linked in the same domain. If the value is not already set in a linked GPO, the new GPO is linked to that domain as well.

You can copy and paste the following text into a .ps1 file and run it, given a few modifications (the comments denote where you should replace my example names with your own GPO and domain names). The # symbols act like comments in the .ps1 file so you don't need to worry about them being run or printing out.

Hope this helps!

 LiliaG, Group Policy PM

 

## The following script sets a Preference registry value in a GPO, then compares that same value to all of the GPO's linked in the same domain
## it depends on being opened from the Active Directory provider shortcut to the PowerShell console, or navigating to that AD provider first

# necessary for any work with group policy cmdlets
import-module grouppolicy

# create new GPO. Replace "GPDEMO" with the name of your choice

new-GPO GPDEMO

# set the variable $key to the string value of the registry key to be set

$key = 'HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath'

# set GP Pref Registry Value
# "(Default)" must be quoted, otherwise PowerShell tries to evaluate (Default) as an expression

Set-GPPrefRegistryValue -Name GPDEMO -Context User -Key $key -ValueName "(Default)" -Value "C:\ProgramFiles(x86)\Adobe\Reader8.0\Reader" -Type String -Action Create

#get all GPO's linked in the domain you choose
#first step is to get the domain object you want

#Replace <your domain here> with the NetBIOS, DNS, SID, or Distinguished Name of the domain (keep the quotes)

$domain = get-ADDomain -Identity "<your domain here>"

# enter "get-ADDomain -?" for help

# the next step gets all the GPO's currently linked to that domain and extends the attributes to include the GUID of those GPO's

# the second portion of this line is important for parsing the resulting list of GPOs, do not skip it! You must get the " -properties Name " in order to refer to the GPO's by their GUID.

# note: in the released Active Directory module this property is named LinkedGroupPolicyObjects
# @( ) keeps $GPOList an array even when only one GPO is linked to the domain, so the loop below still works

$GPOList = @($domain.AppliedGroupPolicies | %{Get-ADObject $_ -Properties Name})

# sets up the variable to be compared against the other GPO's in the domain

$preference = get-GPPrefRegistryValue -Name GPDEMO -Context User -Key $key -ValueName "(Default)"

# loop through

$i = 0
$redundantSetting = 0

while ($i -lt $GPOList.count) {

$CompareGPO = get-GPO -GUID $GPOList[$i].Name

# read the same preference value from the linked GPO; $comparePref stays $null if that GPO does not set it

$comparePref = $null
try {
    $comparePref = get-GPPrefRegistryValue -Guid $CompareGPO.Id -Context User -Key $key -ValueName "(Default)" -ErrorAction Stop
} catch {
    $comparePref = $null
}

# report out equality

if ($comparePref -and ($preference.Value).equals($comparePref.Value))
  {
    "Equal!"
     $redundantSetting++
  } else {
     "Not Equal!"
  }

# move on to the next GPO

$i++
}

# if none of the GPO's linked to the domain have the setting, link this new GPO. Otherwise, do not link it.

if ($redundantSetting -eq 0)
  {
     new-GPLink -Name GPDEMO -Target $domain.DistinguishedName
  } else {
    "Not linking a redundant GPO"
  }

Now, when I detect a redundant setting, I just print something out to the screen. You can do something more interesting, like write to a file, trigger another script, send an email, etc. In fact, I hope you do! Let me know what you do with this script, how you improve it, if/how you use it, or if it causes you any trouble.

Passwords in Group Policy Preferences (updated)

Have you ever wanted to configure a preference item to include a specific user name and password? You can do so in several types of preference items, but you should first consider the security ramifications of embedding a user name and password in a preference item.

Are passwords in preference items secure?
A password in a preference item is stored in SYSVOL in the GPO containing that preference item. To obscure the password from casual users, it is not stored as clear text in the XML source code of the preference item. However, the password is not secured. Because the password is stored in SYSVOL, all authenticated users have read access to it. Additionally, it can be read by the client in transit if the user has the necessary permissions.

Because passwords in preference items are not secured, we recommend that you carefully consider the security ramifications when deciding whether to store passwords in preference items. If you choose to use this feature, we recommend that you consider creating dedicated accounts for use with it and that you do not store administrative passwords in preference items.

Where can you use passwords?
You can use passwords in the following types of preference items:

  • Local User preference items: When you create or modify a local user account, you can specify both a user name and a password for the account.
  • Data Source preference items: If a user name and password are required to access the data source, you can provide them in the preference item. If you do so, end users to whom the preference item applies can access the data source regardless of their own permissions, but only if the specified account has the necessary permissions.
  • Mapped Drive preference items: You can specify the user name and password to be used to connect to a mapped drive. If you do so, end users to whom the preference item applies can access the mapped drive regardless of their own permissions, but only if the specified account has the necessary permissions.
  • Scheduled Task or Immediate Task preference items: You can configure a scheduled task to run under the security context of a specified user (allowing the task to run regardless of whether that user is logged on), by selecting the “Run as” check box and providing a user name and password.
  • Service preference items: You can modify which account the service runs under by selecting “Local System account” or by selecting “This account” and specifying a user name and password.

For the user name in a Data Source, Mapped Drive, Scheduled Task, Immediate Task, or Service preference item, you can specify a local user account on multiple computers using the format .\UserName, or a domain account using the DomainName\UserName format.

So, yes, you can configure some types of preference items to include a user name and password, but because the password is merely obscured rather than secured, you should carefully evaluate the security ramifications for your situation to determine whether it is appropriate to use this feature.  
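
An audit an administrator can run against this, as an added example that is not part of the original post: it lists the preference items under a Policies folder that hold a stored password, without printing or decoding the value. It assumes the obscured password is kept in a cpassword attribute on the item's Properties element; the function name Find-GppStoredPassword and the sample tree are made up for the example.

```powershell
# Added example (not from the original post).
# Assumption: a stored password appears as a non-empty "cpassword" attribute
# on the <Properties> element of a preference item.

function Find-GppStoredPassword {
    param(
        [Parameter(Mandatory = $true)]
        [string] $PoliciesPath   # e.g. \\<domain>\SYSVOL\<domain>\Policies
    )

    Get-ChildItem -LiteralPath $PoliciesPath -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $doc  = New-Object System.Xml.XmlDocument
            try   { $doc.Load($file.FullName) }
            catch { Write-Warning "Skipping unreadable XML: $($file.FullName)"; return }

            foreach ($props in $doc.SelectNodes('//Properties[@cpassword]')) {
                # An empty attribute means no password was saved in the item.
                if ([string]::IsNullOrEmpty($props.GetAttribute('cpassword'))) { continue }

                # The GPO GUID is the {...} folder name in the file's path.
                $gpoGuid = ''
                if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $gpoGuid = $Matches[0] }

                # Report where the item lives, never the stored value itself.
                $item = $props.ParentNode
                New-Object psobject -Property @{
                    GpoGuid  = $gpoGuid
                    ItemType = $item.LocalName
                    ItemName = $item.GetAttribute('name')
                    Changed  = $item.GetAttribute('changed')
                    File     = $file.FullName
                }
            }
        }
}

# --- Constructed sample tree so the function can be tried offline ---
$root   = Join-Path ([System.IO.Path]::GetTempPath()) 'gpp-audit-sample\Policies'
$gpoDir = Join-Path $root '{11111111-2222-3333-4444-555555555555}\User\Preferences\Drives'
New-Item -ItemType Directory -Path $gpoDir -Force | Out-Null
@'
<Drives>
  <Drive name="S:" changed="2009-04-22 10:00:00">
    <Properties action="U" path="\\server\share" cpassword="CONSTRUCTED-PLACEHOLDER" letter="S"/>
  </Drive>
</Drives>
'@ | Set-Content -LiteralPath (Join-Path $gpoDir 'Drives.xml')

Find-GppStoredPassword -PoliciesPath $root | Format-List
```

Each result is a preference item to review against the recommendations above: a dedicated account, and never an administrative password.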

Linda Moore
Technical Writer, Group Policy

(Reposted and updated on 22 April 2009)

Posted by GPTeam | 3 Comments

Check a setting in all GPO's continued (scripts, firewall, GP Preferences and more)

 I mentioned this in the last post, here are some more examples.  To download the script, check the 'Attachments' link by clicking on this post's title and then scrolling to the bottom. Quick refresher:

 

This script’s usage is as follows:

 

SearchGPOsForSetting.ps1 [-IsComputerConfiguration] <Boolean> [-Extension] <String> [-Where] <String> [-Is] <String> [[-Return] <String>] [[-DomainName] <String>]

[-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

 

Notes: To get all the inputs correct, you may first need to open the XML report of a GPO that has the setting you want to search for. DomainName is an optional parameter (if you do not specify a domain, the script uses the domain of the current context).

 

 

Let's look at some more examples!

 

 

Example 3: Are there any logon scripts?

 

If you just want to find the GPOs in your domain that have a specific logon script, you can omit the -Return parameter

     

<ExtensionData>
  <Extension xmlns:q5="http://www.microsoft.com/GroupPolicy/Settings/Scripts" xsi:type="q5:Scripts">
    <q5:Script>
      <q5:Command>\\myserver\myshare\myLogonScript.ps1</q5:Command>
      <q5:Type>Logon</q5:Type>
      <q5:Order>0</q5:Order>
      <q5:RunOrder>PSNotConfigured</q5:RunOrder>
    </q5:Script>
  </Extension>
  <Name>Scripts</Name>
</ExtensionData>

PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $false -Extension Scripts -Where Command -Is \\myserver\myshare\myLogonScript.ps1

The Gpo 'simpleGpo' has a Scripts setting where 'Command' is equal to '\\myserver\myshare\myLogonScript.ps1'

 

 

Example 4:  Group Policy Preferences

 

If I wanted to see all my URL shortcuts in User policy:

<ExtensionData>
  <Extension xmlns:q5="http://www.microsoft.com/GroupPolicy/Settings/Shortcuts" xsi:type="q5:ShortcutSettings">
    <q5:ShortcutSettings clsid="{872ECB34-B2EC-401b-A585-D32574AA90EE}">
      <q5:Shortcut clsid="{4F2F7C55-2790-433e-8127-0739D1CFA327}" userContext="1" name="MS" status="MS" image="0" changed="2009-04-10 21:39:08" uid="{8D545947-9080-446D-A5C8-8E447407C7AF}">
        <q5:GPOSettingOrder>1</q5:GPOSettingOrder>
        <q5:Properties pidl="" targetType="URL" action="C" comment="" shortcutKey="0" startIn="" arguments="" iconIndex="13" targetPath="http://www.microsoft.com/" iconPath="%SystemRoot%\system32\SHELL32.dll" window="" shortcutPath="%DesktopDir%\MS" />
        <q5:Filters />
      </q5:Shortcut>
    </q5:ShortcutSettings>
  </Extension>
  <Name>Shortcuts</Name>
</ExtensionData>

PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $false -Extension Shortcuts -Where targetType -Is URL -Return targetPath

The Gpo 'simpleGpo' has a Shortcuts setting where 'targetType' is equal to 'URL' and the value of its 'targetPath' property is: 'http://live.com'

The Gpo 'gpoB' has a Shortcuts setting where 'targetType' is equal to 'URL' and the value of its 'targetPath' property is: 'http://www.microsoft.com'

The Gpo 'gpoA' has a Shortcuts setting where 'targetType' is equal to 'URL' and the value of its 'targetPath' property is: 'http://www.msdn.com'

 

 

 

 

Example 5:  Find all the open firewall ports

               

<ExtensionData>
  <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/WindowsFirewall" xsi:type="q2:WindowsFirewallSettings">
    <q2:GlobalSettings>
      <q2:PolicyVersion>
        <q2:Value>522</q2:Value>
      </q2:PolicyVersion>
    </q2:GlobalSettings>
    <q2:InboundFirewallRules>
      <q2:Version>2.10</q2:Version>
      <q2:Action>Allow</q2:Action>
      <q2:Name>open port 448</q2:Name>
      <q2:Dir>In</q2:Dir>
      <q2:LPort>448</q2:LPort>
      <q2:Protocol>6</q2:Protocol>
      <q2:Active>true</q2:Active>
    </q2:InboundFirewallRules>
  </Extension>
  <Name>Windows Firewall</Name>
</ExtensionData>

PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $true -Extension WindowsFireWall -Where Action -Is Allow -Return LPort

The Gpo 'gpoA' has a WindowsFireWall setting where 'Action' is equal to 'Allow' and the value of its 'LPort' property is: '448'

The Gpo 'gpoB' has a WindowsFireWall setting where 'Action' is equal to 'Allow' and the value of its 'LPort' property is: '80'

 

 

Note: Under the hood I am using XPath and XmlNamespaceManager to find the XML for the specific extension you passed in. I then perform a recursive search of the XML underneath that for the property you specified with $Where that has the value you specified with $Is. Once it finds that, if you specified a $Return parameter, it searches for that property and returns the value it has.
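
The search described in this note, sketched as an added example (it is not the attached SearchGPOsForSetting.ps1, and the attached script may work differently). The function names Search-GpoReportXml and Get-SettingProperty are made up here, the sample report is constructed from the Example 4 and Example 5 fragments, and matching the extension by the end of its namespace URI is an assumption.

```powershell
# Added example, not the attached script. Constructed sample report:
$sampleReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Name>gpoA</Name>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/WindowsFirewall" xsi:type="q2:WindowsFirewallSettings">
        <q2:InboundFirewallRules>
          <q2:Action>Allow</q2:Action>
          <q2:Name>open port 448</q2:Name>
          <q2:LPort>448</q2:LPort>
        </q2:InboundFirewallRules>
      </Extension>
      <Name>Windows Firewall</Name>
    </ExtensionData>
  </Computer>
  <User>
    <ExtensionData>
      <Extension xmlns:q5="http://www.microsoft.com/GroupPolicy/Settings/Shortcuts" xsi:type="q5:ShortcutSettings">
        <q5:ShortcutSettings>
          <q5:Shortcut name="MS">
            <q5:Properties targetType="URL" targetPath="http://www.microsoft.com/" />
          </q5:Shortcut>
        </q5:ShortcutSettings>
      </Extension>
      <Name>Shortcuts</Name>
    </ExtensionData>
  </User>
</GPO>
'@

function Get-SettingProperty {
    param([System.Xml.XmlElement] $Node, [string] $Name)
    # A property is an attribute (preference items) or a child element (policy settings).
    foreach ($attr in $Node.Attributes) {
        if ($attr.LocalName -eq $Name) { return $attr.Value }
    }
    foreach ($child in $Node.ChildNodes) {
        if ($child -is [System.Xml.XmlElement] -and $child.LocalName -eq $Name) { return $child.InnerText }
    }
}

function Search-GpoReportXml {
    param(
        [Parameter(Mandatory = $true)] [xml]    $Report,
        [Parameter(Mandatory = $true)] [bool]   $IsComputerConfiguration,
        [Parameter(Mandatory = $true)] [string] $Extension,
        [Parameter(Mandatory = $true)] [string] $Where,
        [Parameter(Mandatory = $true)] [string] $Is,
        [string] $Return
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Report.NameTable)
    $ns.AddNamespace('gp', 'http://www.microsoft.com/GroupPolicy/Settings')

    $side    = if ($IsComputerConfiguration) { 'Computer' } else { 'User' }
    $gpoName = $Report.SelectSingleNode('/gp:GPO/gp:Name', $ns).InnerText

    foreach ($ext in $Report.SelectNodes("/gp:GPO/gp:$side/gp:ExtensionData/gp:Extension", $ns)) {
        # Visit every element below the extension and keep those in the requested
        # extension's namespace (-like ignores case, so WindowsFireWall matches).
        foreach ($node in $ext.SelectNodes('.//*')) {
            if ($node.NamespaceURI -notlike "*/Settings/$Extension") { continue }
            $found = Get-SettingProperty $node $Where
            if ($null -eq $found -or $found -ne $Is) { continue }

            $returned = $null
            if ($Return) { $returned = Get-SettingProperty $node $Return }
            New-Object psobject -Property @{
                Gpo = $gpoName; Extension = $Extension; Where = $Where; Is = $found; Return = $returned
            }
        }
    }
}

Search-GpoReportXml -Report $sampleReport -IsComputerConfiguration $true  -Extension WindowsFireWall -Where Action -Is Allow -Return LPort
Search-GpoReportXml -Report $sampleReport -IsComputerConfiguration $false -Extension Shortcuts -Where targetType -Is URL -Return targetPath

# Against a live domain (needs the GroupPolicy module), feed it real reports:
# Get-GPO -All | ForEach-Object {
#     Search-GpoReportXml -Report (Get-GPOReport -Guid $_.Id -ReportType Xml) `
#         -IsComputerConfiguration $true -Extension WindowsFirewall -Where Action -Is Allow -Return LPort
# }
```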

 

I hope you enjoy working with this script. Let me know what other interesting and compelling scenarios you use this for in the comment section. Also, if you re-work it to fit your own need, post it back here and explain what you did and why. 

 

Can't wait to see what you come up with, 

 Lindsay Harris, Group Policy Software Developer

Check a setting in all GPO's (Security, ADMX, and more)

 

You configured a setting in one GPO and want to know what that setting is across all GPO’s.

 

You want to check that a setting is not being overwritten by another GPO in the same domain (without checking through every settings report).

 

Sound familiar?

 

Well, we’ve heard you. And made something that should help (using the Group Policy PowerShell work in Windows Server 2008 R2). I’ll show you how you can check things like security settings, ADMX settings, Group Policy Preference items, and logon/logoff scripts and return the values across all GPO’s in a domain. Watch for more posts that will show all of these examples.

 

If you’ve read about or used the Group Policy PowerShell cmdlets, you may have come across Get-GPOReport. You can output the report to HTML, (like clicking “Settings” in the GPMC)  or to XML, which is cool. Why?  Because you can use the XML to search for settings in GPO’s, which is what I did in this little script I wrote. It basically searches all the GPOs in a given domain for a specific setting using the XML returned from the Get-GPOReport cmdlet. Be warned, this is just an example of using Get-GPOReport’s XML report to search GPOs; this might not work for all cases (I certainly haven’t tested it thoroughly), and there may be bugs, so take it as is and adapt it for your own usage.  It is also definitely not optimized, if you have many GPOs it could take a while to run. The point here is the potential: take this script and run with it! It's attached to this post (check the 'Attachments' link by clicking on this post's title and scroll to the bottom)

 

This script’s usage is as follows:

 

SearchGPOsForSetting.ps1 [-IsComputerConfiguration] <Boolean> [-Extension] <String> [-Where] <String> [-Is] <String> [[-Return] <String>] [[-DomainName] <String>]

[-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

 

Notes: To get all the inputs correct, you may first need to open the XML report of a GPO that has the setting you want to search for. DomainName is an optional parameter (if you do not specify a domain, the script uses the domain of the current context).

 

Let's look at some examples!

 

 

Example 1: Security Setting

 

 Say you wanted to look for a security setting in all the GPO’s in your domain (Policies\WindowsSettings\SecuritySettings\AccountPolicies\Account Lockout Policy\Account lockout duration):

 

If you peek at the XML report of this particular GPO you see the following:

<ExtensionData>
  <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Security" xsi:type="q2:SecuritySettings">
    <q2:Account>
      <q2:Name>LockoutDuration</q2:Name>
      <q2:SettingNumber>20</q2:SettingNumber>
      <q2:Type>Account Lockout</q2:Type>
    </q2:Account>
  </Extension>
</ExtensionData>

 

 

Using the script, enter where the setting is (-IsComputerConfiguration $true), what type of setting it is (-Extension Security), and what value you’re looking for (-Where Name -Is LockoutDuration). If you want to know that the setting is configured in the GPO, but you don’t care what the value is, omit the -Return parameter.

 

PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $true -Extension Security -Where Name -Is LockoutDuration -Return SettingNumber

 

The Gpo 'simpleGpo' has a Security setting where 'Name' is equal to 'LockoutDuration' and the value of its 'SettingNumber' property is: '30'

The Gpo 'securityGpo' has a Security setting where 'Name' is equal to 'LockoutDuration' and the value of its 'SettingNumber' property is: '20'

 

 

 

Example 2: ADMX setting

 

Looking at the XML:

<ExtensionData>
  <Extension xmlns:q4="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q4:RegistrySettings">
    <q4:Policy>
      <q4:Name>Turn off Windows Startup Sound</q4:Name>
      <q4:State>Enabled</q4:State>
      <q4:Explain>
        Turn off the Windows Startup sound and prevent its customization in the Sound item of Control Panel.
        The Microsoft Windows Startup sound is heard during system startup and cold startup and can be turned on or off in the
        Sound item of Control Panel.
        … /more xml

Then you would run this script in the following way:

PS C:\share> .\SearchGPOsForSetting.ps1 -IsComputerConfiguration $true -Extension Registry -Where Name -Is "Turn off Windows Startup Sound" -Return State

The Gpo 'simpleGpo' has a Registry setting where 'Name' is equal to 'Turn off Windows Startup Sound' and the value of its 'State' property is: 'Enabled'

The Gpo 'gpoB' has a Registry setting where 'Name' is equal to 'Turn off Windows Startup Sound' and the value of its 'State' property is: 'Disabled'

 

 

More examples to come, let me know what you think so far!

 

 Lindsay Harris, Group Policy Software Developer

 

     

 

PolicyMaker Migration Tool: Resetting release expectations

Some time ago Michael blogged about a migration tool we were building for PolicyMaker Profiles, which was the precursor to what is now Group Policy Preferences. He had set expectations that this was going to be released by the end of the calendar year 2008, depending on test feedback. Unfortunately, and as you're acutely aware if you're affected by this, this didn't occur to plan. We have seen quite a few comments recently on this topic and wanted to respond with more information.

The good news is that we believe we have addressed the issue that prevented the release and plan to be able to release this shortly. We will be in touch again once we have a more solid ETA to deliver.

Our apologies for the delay.

Mark Gray, Program Manager

 

Posted by GPTeam | 1 Comments

Set a registry key value from the command line using Group Policy PowerShell cmdlets

The scene: You want to set a registry key of a 3rd party application but you don’t want to write a custom ADMX file just to be able to configure it. Or you have some registry keys you set in logon scripts and you want to use the update interval of Group Policy to make sure that value sticks. Or you want to set 50 registry keys and you don’t want to do it all manually. Any of these scenarios lead to using the set-GPRegistryValue PowerShell cmdlet that ships as part of the Windows Server 2008 R2 GPMC. Here’s the step by step:

How To: Configure a registry key value in a GPO from the PowerShell commandline

1. Open the PowerShell prompt

There are 2 options for this. The standard PowerShell prompt and the shortcut to the Active Directory Provider.

The PowerShell prompt needs to be opened with elevated permissions in order to run any of the cmdlets, just as it requires administrative privilege to do any administration of GPO’s through the GPMC.

The shortcut to the Active Directory provider is located in the Start Menu, or just search for “Active Directory” from the Run prompt.

2. Import-module grouppolicy -verbose [note: this may be “add-module” in the beta build]

-Verbose lets you see all of the available GP cmdlets. You can also get this list via the get-command cmdlet:

Get-command *-GP*

These 25 cmdlets are available on any machine with the Windows Server 2008 R2 GPMC (that includes Windows 7 client machine with the GPMC installed through RSAT). (If this errors, you probably have not added Group Policy as a feature on your server, or you have not installed the GPMC on your client machine). If you don’t want the full printout, just drop the -verbose flag. This import-module line must be present at the start of any PowerShell script using the GP cmdlets and the start of any PowerShell console session. It is not automatically loaded.

3. Set a registry key value using the Group Policy set-GPRegistryValue cmdlet

Here it is, now let’s walk through it

Set-GPRegistryValue -Name <name of gpo> -Key "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath" -ValueName "(Default)" -Value "C:\ProgramFiles(x86)\Adobe\Reader8.0\Reader" -Type String

To reference the help for this cmdlet, say : get-help set-GPRegistryValue, or set-GPRegistryValue -? . This will help you understand what is required, what each of the parameters is expecting, and what you are doing.

First up, refer to the GPO by its display name or its GUID with the appropriate parameter (-Name or -GUID).

Set-GPRegistryValue -Name <name of gpo> -Key "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath" -ValueName "(Default)" -Value "C:\ProgramFiles(x86)\Adobe\Reader8.0\Reader" -Type String

The rest of the parameters correspond to the fields of regedit.

Key refers to the key name (right-click on the node in the left-hand panel of regedit and select “copy key name”)

ValueName refers to “Name” (first column in the right-hand panel). This is the name of the value you are setting (get it? Value Name = name of the value). If you are setting the (Default) value, this name is either “” or “(Default)”  case insensitive.

Type refers to “Type”.  As in data type. Friendly English words are acceptable here, like “string” instead of “reg_sz”.

Value refers to “Data”.  The value you want to set. You cannot say “enable” or “disable”, you have to use the actual value to be written into the registry. This cmdlet is writing to the registry. This is not a parser, you have to know what you want.

Why the disparity? There are lots of ways to refer to registry values  (registry keys or registry settings or settings or policy settings or…), so we created a nomenclature that would make the most sense.

But once you do it, that’s it: you just set a registry value in a GPO without having to create your own ADMX file.

So here goes, once more for good measure:

Set-GPRegistryValue -Name <name of gpo> -Key "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\InstallPath" -ValueName "(Default)" -Value "C:\ProgramFiles(x86)\Adobe\Reader8.0\Reader" -Type String

Note: For further experimentation, there are some intricacies here with “Remove”, which has a different result than the -Disable flag. This is all explained in the help.

Go! Experiment! Impress your friends and family with your new-found power. Be the PowerShell expert with your Group Policy friends (I dare you).

Lilia Gutnik, Group Policy PM
