The GPOGUY-- Group Policy Blog

Win7 issue reporting on Software Restriction Policies

Mon, 02 Nov 2009 08:31:54 -0800

I found this issue recently--at first I thought it was just my environment, but have confirmed it on a couple of different environments. When you are on a Win 7 box (and probably R2 as well), in GPMC and viewing the setttings of a GPO that had previously been created and contains software restriction policies, you will get an error when GPMC tries to display those SRP settings. Specifically, the error looks like this:

Software Restriction Policies
Software Restriction Policies/Security Levels
Software Restriction Policies/Additional Rules

The following errors apply to all of the above settings:

An unknown error occurred while data was gathered for this extension. Details: Unable to cast object of type 'System.String[]' to type 'Microsoft.GroupPolicy.Reporting.Extensions.Registry.UnknownType'.

From the looks of it, it appears to be a bug in the way the Win 7 GPMC object model is parsing these settings. I've reported it to MS but wanted to let everyone know about it so you don't think you're going crazy. Not surprisingly, if I open the GP Editor on this GPO, all of the SRP settings appear fine. This is only an issue with the GPMC reporting of settings.

Cool new tool for comparing IE Zone Security Settings

Tue, 27 Oct 2009 15:14:05 -0800

On my twitter site: http://twitter.com/grouppolicyguy

Group Policy Slow Link Detection in Vista and beyond

Fri, 23 Oct 2009 09:14:54 -0800

As many folks probably know, Group Policy slow link detection prior to Windows Vista relied on a series of ICMP pings to determine link speed between the client and domain controller. This process was fairly inprecise and was fraught with issues because many folks have turned off ICMP on their internal networks to prevent malware that leverages this protocol from exploiting this. The end result was that you either had to disable slow link detection, or watch GP processing fail completely.

When Windows Vista and Server 2008 shipped, they introduced a completely new way of detecting slow links for Group Policy processing that no longer leverages ICMP. The process uses the Network Location Awareness (NLA) service to determine the link speed between client and DC, but the explanation of HOW that works has been relatively undocumented...until now. Mike Stephens at Microsoft has written a great blog that describes this process in great detail. Check it out!

Vote for SDM Software's GPExpert Group Policy Automation Engine!!!

Thu, 10 Sep 2009 09:48:22 -0800

OK folks, our Group Policy Automation Engine (GPAE), the only automation solution available on the market for reading and writing settings within GPOs, is one of the finalists in the Windows IT Pro Magazine Community Choice Awards, in the "Best AD and GP Product" category! We obviously think that the innovative nature of our product is head and shoulders above the competition, and we'd love your vote!!!

Head on over to http://www.surveymonkey.com/s.aspx?sm=8koDpFvpDvDy3ZZZGP9O4Q_3d_3d and vote for the "SDM Software Group Policy Automation Engine" before September 16th.

Nominate Our GP Products for a Community Award!

Wed, 12 Aug 2009 20:40:07 -0800

HEY GPOGUY & SDM SOFTWARE FANS!! We need your help! Windows IT Pro Magazine is having their COMMUNITY AWARDS NOMINATIONS until this Friday, August 14th. If you like the freeware products we have on www.gpoguy.com and on www.sdmsoftware.com/freeware, please consider nominating your favorite SDM Software or GPOGUY freeware products in the BEST Active Directory and Group Policy PRODUCT category. Let's show the world that FREEWARE is just as valuable as the commercial products costing thousands of dollars, that typically win these awards.

TO NOMINATE OUR PRODUCTS, GO TO http://windowsitpro.com/awards/CommunityChoice.html.

Remember to vote by this Friday, the 14th of August, 2009!!!!!

Network World covers ActiveX Killbits and SDM Software!

Mon, 20 Jul 2009 20:17:17 -0800

I thought this was cool. John Fontana over at Network World did a nice article on the challenges around the recent Microsoft zero-day vulnerabilities and SDM Software and yours truly got a nice mention on Page 2! Cool!

Darren

ActiveX Killbits and Group Policy

Thu, 16 Jul 2009 09:35:19 -0800

Recently, Microsoft announced a zero-day vulnerability in IE's ActiveX video control, that required folks to react quickly to prevent exploits of this vulnerability. One of the possible routes for preventing this was to disable the affected ActiveX control in IE using so-called "Killbits" in the registry. This technique is described in general within a Microsoft KB article and specifically for this vulnerability within this document. Essentially, Killbits are a set of registry entries that must be enabled on a per-computer basis (i.e. within HKEY_LOCAL_MACHINE in the registry) that sets a flag on the GUIDs related to the given ActiveX Control. In the case of the recent video control vulnerability, there were something like 45 GUIDs requiring registry updates.

Someone asked me yesterday if Group Policy might not be a good way to push out these kinds of Killbits changes. And, not surprisingly, my answer was a solid, "YES!". Centralized registry change control, is, after all, the bread and butter of Group Policy for many enterprises. In this case, there are really two ways to skin this using Group Policy. The most obvious way is to create a custom ADM file (or ADMX for Vista/2008 environments) that hard codes the registry values in question. You can then add that ADM to a GPO in your AD environment and use it to target computer objects in AD for delivery of the Killbits values. Of course, the downside to that approach is that for any new ActiveX vulnerability that comes along, you have to create a new/modified ADM file with the new GUIDs.

Probably the easier way to handle this is to leverage our good friend, the Group Policy Preferences (GPP) feature that Microsoft introduced with Server 2008. Remember that you don't need to have Server 2008 running in your environment to use GPP, but just need to have deployed the GPP Client Side Extensions (CSEs) to your XP, Vista and 2003 systems, and then you just need one Vista, SP1 or Server 2008 machine with GPMC installed to create and manage GPP settings. GPP includes a Registry extension (under either Computer or User Configuration\Preferences\Windows Settings\Registry) that lets you deploy "free-form" registry settings. One of the cool features of this Registry extension is the "Registry Wizard". The Wizard is designed to let you pick a bunch of existing registry values from the registry on a local or remote machine, and those are captured into policy without you having to manually enter anything! So, for example, you could apply the KillBits "Fix-it" package that Microsoft typically provides, to a test machine, and then use the Registry Wizard to capture those into a GPO, and push them out to all of your desktop machines. The following screen-shot shows an example of how this works with GPP and the Registry Wizard:

When you use the registry wizard in GPP to capture these registry entries, they are defined with a GPP Action type of "Update". This means that if these registry values exist already, they will be modified to conform to the KillBits value you specify. If they don't exist, they will be created.

GPP provides a great mechanism for managing ActiveX Killbits settings, because they are centrally visible and manageable within the GP UI and you can use Group Policy's built-in targeting mechanisms and even the more granular GPP Item-Level Targeting, to make sure all of the machines on your network receive the settings.

And of course, if you need to be able to automate reading or writing of these GPP Killbits registry settings, you can do that very easily with our GPExpert(r) Group Policy Automation Engine and Powershell!

Microsoft releases PolicyMaker to GP Preferences Migration Tool

Fri, 19 Jun 2009 13:58:40 -0800

For those of you waiting patiently to migrate your PolicyMaker settings to the new GP Preferences format, your wait is over! You can now download the migration tool here! And here's a good blog post on how it all works.

Darren

Tags:

Group Policy, Group Policy Preferences, PolicyMaker

What's Happening in the GP World???

Wed, 17 Jun 2009 15:27:58 -0800

Hey Folks. Sorry for the long delay in between postings. Lots going on in Group Policy land and in my own life that has been keeping me busy! But, now that I have some time, I wanted to blog about a few things of note, in no particular order:

Thanks to Mike Kline for posting a nice review of SDM Software's GPO Compare tool, which lets you graphically compare two GPOs for settings differences
Just a quick note to let you know that I posted a new tool up at GPOGUY.COM a couple of weeks back. Its a new Powershell v1 snap-in that does two things. The first is a cmdlet called Get-SDMGPOVersion which lets you retrieve and show differences between GPO version numbers on a given DC, designed to spot AD and SYSVOL replication inconsistencies within GPOs. I would call it a Powershell version of GPOTool.exe. The 2nd cmdlet in the snap-in is called Invoke-SDMTouchGPO. This is basically a "touch" command for GPOs. What it does is, for a given GPO, it increments the per-computer or per-user version numbers for the GPO. This tricks clients into thinking that "something" has changed within that GPO, and thus will trigger a refresh of the settings within that GPO. Or more specifically, it will trigger a full reprocessing of policy for a given client that is impacted by that GPO that was touched. This came up in a thread that I participated in on the ActiveDir.Org mailling list, and I thought it was worth putting something together. You can download it for free at the GPOGUY.COM Free Tools Site.
Working with the folks at Windows IT Pro Magazine, I've created a one-day Group Policy Troubleshooting webinar next Thursday, June 25th. You can get more information and register for it at the link I just provided. It should be a good session--its a 3 part training session that covers GP internals and GP processing basics, troubleshooting tools and techniques and then advanced topics in GP troubleshooting. I'll be on hand afterwards to answer questions during each session, as well! Check it out and see you there!
Finally, I wanted to just call attention to some cool stuff Microsoft did recently in anticipation of the Windows 7 release. As you know, I've been a big advocate of enabling automation of Group Policy automation, primarily through Powershell. Our SDM Software Group Policy Automation Engine was the first product on the market to let you read and write GP settings using Powershell, when it shipped a couple of years ago. Recently the Applocker feature team within Microsoft (Applocker is the new replacement for Software Restriction Policies in Windows 7) announced availability of Powershell cmdlets for getting and setting Applocker policies within a GPO! This is all good stuff and provide a nice complement to what the GP Product team is doing with Powershell and registry settings in Win7. Check it out here: http://blogs.msdn.com/powershell/archive/2009/06/02/getting-started-with-applocker-management-using-powershell.aspx.

Well, enjoy those tidbits and I hope to be back blogging soon!

Darren

Russinovich demos Group Policy cmdlets at TechEd

Wed, 13 May 2009 18:01:02 -0800

I thought this was cool: http://blogs.technet.com/grouppolicy/archive/2009/05/12/group-policy-at-tech-ed-2009-mark-russinovich-demos-group-policy-powershell-cmdlets.aspx

Mark demo'd Microsoft's upcoming Group Policy PowerShell cmdlets that will ship with Windows 7 and Server 2008 R2. I think its cool primarily because it validates the work we have done at SDM Software over the last couple of years to provide automation for Group Policy, with both our free GPMC cmdlets and our commercial Group Policy Automation Engine. Microsoft is providing something like 25 cmdlets in Windows 7 and Server 2008, R2, that will provide much of the same functionality as our free GPMC cmdlets. In addition, they are providing a set of what I call "teaser" cmdlets for automating a small portion of GP settings. Specifically, they will be provide a set of cmdlets to get and set registry policy (i.e. Administrative Templates but without the ADM or ADMX view of the world) and also registry settings through Group Policy Preferences Registry extension.

The cool part about this is that it gets people thinking about how they can automate the auditing and management of GP settings using Powershell. And when they run out of capabilities with the built-in cmdlets, well our GP Automation Engine will be waiting in the wings to provide the ability to script reading and writing of not just Admin. Template policy, but also Security policy, Software Installation, Folder Redirection, IE Maintenance, Scripts policy and all of GP Preferences.

Going to MMS?

Wed, 22 Apr 2009 11:15:33 -0800

If you're planning on being at the Microsoft Management Summit next week, I'll be presenting a Group Policy Troubleshooting session there on Wednesday morning. Stop by and say hi or attend the session or the Birds of a Feather I'll be doing that evening at around 5:30pm!

Darren

Tags: Microsoft Management Summit, Group Policy Troubleshooting

SBS 2008 Group Policy Webinar for Microsoft Partners!

Tue, 14 Apr 2009 15:50:21 -0800

Just a quick note to let those of you who are Microsoft partners know that I'm going to be giving a webinar on using Group Policy in Small Business Server (SBS) 2008 on April 24th. Here's the info on the webinar if you want to register to attend!

Date: 4/24/2009 (Friday)

Time: 9:00-10:00am (PDT)

5W/50 Series - Managing your Desktops using Group Policy in SBS 2008

In this session we’ll look at the new features available in Group Policy in SBS 2008 that enable you to have improved control over your user’s desktop experience and security. We’ll look at the new Group Policy Preferences features that provide capabilities such as USB device control, point-and-click drive and printer mapping and control over your computers’ power usage.

Registration:

https://training.partner.microsoft.com/plc/details.aspx?publisher=12&delivery=259635

See you there!

Darren

Tags:

Group Policy, SBS Server 2008

SDM Software Ships new Group Policy Automation Engine

Mon, 30 Mar 2009 05:36:12 -0800

As I mentioned in a previous post, SDM Software was close to shipping the next version of our GPExpert Scripting Toolkit product, and that has happened! Today we announced the release of the GPExpert(r) Group Policy Automation Engine 2.0. This newly branded and updated product provides a host of improvements and additions over the previous version, most notably the addition of support for Group Policy Preferences automation! Now you can automate almost any aspect of Group Policy management from Powershell or .Net. And not only can you automation the modification of GPO settings, but you can also automate the reading and auditing of settings across GPOs, something that is an incredibly manual process to perform today.

So visit the website and download an evaluation copy today and let us know what you think!

Darren

Tags:

Group Policy, SDM Software, Powershell

GPMC Cmdlets Update

Thu, 12 Mar 2009 14:58:30 -0800

Just a quick shout-out to let folks know that I posted an update to our SDM Software GPMC Cmdlets on our freeware page. This is version 1.3 and primarily just fixes some bugs including an issue when you tried to get, add or remove site-based GPO links. Enjoy!

Tags:

Group Policy, GPMC, Powershell, SDM Software

Automating GP Preferences

Thu, 26 Feb 2009 14:47:19 -0800

In a recent posting on the Activedir.org mailing list, I happened to mention that we're getting ready to release v. 2.0 of our GPExpert(r) Scripting Toolkit. The Toolkit is actually getting a new name, but I won't spoil the surprise for now. However, the key feature we've added to it is support for the new Group Policy Preferences (GPP) settings! This is pretty exciting because this now means that you can use PowerShell or .Net to automate the reading and writing of all of the GP Preference settings across GPOs. And even more exciting is the fact that we are also supporting the ability to do Item-Level Targeting through the Toolkit as well. This means that you can not only define GP Preferences settings but also target them using any of the many different ILT criteria. And if that weren't exciting enough (I know, I'm easily geeked out!) how about the fact that you can run GPP scripts on XP or Server 2003 in addition to Vista and 2008. That's right, even though you can't normally edit GPP settings on anything other than Vista, SP1 or Server 2008, the Toolkit's GPP support has no such limitation. So you can read and write GPP settings from any platform from XP on up! Double-cool.

As an example of how this comes in handy, we recently worked on a customer GPO consolidation/migration where they were consolidating a large number of GPOs spread across 3 forests into a single forest. They had not used GPP prior to the new deployment but did have another product in place for delivering drive and printer mappings (Scriptlogic's Desktop Authority product in this case). We were able to use the new Toolkit with support for GPP to automate the process of converting their dozens of drive and printer mappings into GPP settings within a couple of GPOs. Cool!

Lets look at how you can write a PowerShell script to create a drive mapping policy that targets a particular user group:

=======================================================

#connect to the GPO

$gpo = Get-SDMgpobject -gpoName "gpo://cpandl.com/Marketing Drive Mappings Policy" -openByName

# now, connect to the GPP drive maps container

$driveMapSetting = $gpo.GetObject("User Configuration/Preferences/Windows settings/Drive Maps")

# define a new drive mapping

$map = $driveMapSetting.Settings.AddNew("P Drive")

# and set its properties

$map.Put("Action",[GPOSDK.EAction]"Update")

$map.Put("Drive Letter","P")

$map.Put("Location","\\MktgServer1\public")

$map.put("Reconnect", $true);

$map.Put("Label as", "Marketing Public Drive");

# save it!

$map.Save()

# now create a group-based ILT filter

$iilt = $gpo.CreateILTargetingList()

$itm = $iilt.CreateIILTargeting([GPOSDK.Providers.ILTargetingType]"FilterGroup");

$itm.Put("Group","Marketing Users")

$itm.Put("UserInGroup", $true)

$iilt.Add($itm)

# and apply my new ILT to the drive mapping

$map.put("Item-level targeting", $iilt)

$map.Save()

=======================================================

Pretty cool, huh? Well, I think so :) Now imagine that you can do this across any of the numerous settings within GPP and you'll see why I'm excited about this new release of the Toolkit! I will be blogging when we get the bits out there. Right now we're working on a big, thick user guide with a ton of examples of how you can use the Toolkit and PowerShell to automate any number of GP management tasks. Stay tuned....

Tags:

Group Policy, PowerShell, Group Policy Preferences, GPExpert Scripting Toolkit, Group Policy Automation