I get a lot of questions about how to “lock down” workstations.

So, in the next series of tips, I’m going to give you some little strategic “base hits” for doing that.

Indeed, there’s s not a “magic bullet” toward true desktop lockdown. And, well, I also know SOME people tend to go “overboard” once they start tasting the sweet, sweet taste of “users not bothering them anymore.”

But, let’s (collectively) try not to go bananas as we implement some of these strategies. (What? People dealing with ‘Policy Control’ can sometimes go bananas once they start locking things down? Never!)

The Tip: Replacing your shell

So, in this first tip, I want to share a neat secret. Did you know you can “replace the shell” ? It’s true. You don’t NEED to use Explorer as your shell. How about “Calc” ?

Yep.. Login, and… Calc. Or Solitaire. Or, DogFoodMaker. That’s it. The only app running. Nothing else.

It’s possible.

Step 1: Choosing your shell

The policy is found under:

User | Policies | Administrative Templates | System | Custom User Interface

Enter in “c:\windows\system32\calc.exe” to try.

(I’m using hard coded paths, but you might want to use variables.)

Step 1A: A more useful shell

A more useful thing to do would be Internet Explorer, say, for cafeteria, library machines, and others.

Try entering in this (using quotes)
“C:\Program Files\Internet Explorer\iexplore.exe”

Step 2: Locking down your desktop a little bit

We want to make it so users cannot use task manager, or lock out the machine. Thankfully those options are located under:

User | Policies | Administrative Templates | System | CTL+ALT+DEL Options

You might also want to Turn off Windows hotkeys:

User | Administrative Templates | Windows Comp | Windows Explorer | ?Turn off Windows+X hotkeys?

Step 3: Lock down IE to your liking

There are a zillion options here. But some of my top favorites are

User | Administrative Templates | Windows Components | Internet Exp. | Browser Menus |

“File Menu: Disable open menu option”

and

“File menu: Disable closing the browser and Explorer windows”

Other areas to explore and control are the: Toolbars and Internet Control Panel sections.

Now, you’ve quickly taken a machine, and made it “IE only” and “pretty well locked down.”

It’s not perfect. Users could still get to, say, the command prompt by typing in
“c:\windows\system32\cmd.exe” into the browser window.

But you’re almost home now, and that’s a pretty good start. Do you have group policy tips, tricks and how to’s to share? Well then hit up the comments and make yourself heard!

Written by Jeremy Moskowitz of GPanswers.com

“Why isn’t Group Policy Working on this client?”
“Did You Check the DNS Configuration of the Client?”

One of the most frequently encountered problems with Windows 2000 and above is that things just ‘stop working’ when DNS gets out of whack. Specifically, if you’re not seeing Group Policy apply to your client machines, make sure their DNS client is pointing to a Domain Controller or other authoritative source for the domain. If it’s pointing to the wrong place or not pointing anywhere, Group Policy will simply not be downloaded.

As a colleague of mine likes to say, ‘Healthy DNS equals a healthy Active Directory.’

Moreover, in the age of Windows 2003/2008 with its multiple forests with cross-forest trusts, Group Policy could be applying from just about anywhere and everywhere. It’s more important than ever to verify that all DNS server pointers are designed properly and working as they should. For instance, if clients cannot access their ‘home’ Domain Controllers while leveraging a cross-forest trust, they won’t get Group Policy.

Finally, to put a fine point on it, DNS leverages only the fully qualified name. It’s not enough to verify that you can resolve a computer named xppro1 as opposed to xppro1.corp.com. The first is actually the NetBIOS name and not the fully qualified domain name. The second is the fully qualified domain name. If you find yourself in a DNS resolution situation where resolving the NetBIOS name will work, but the fully qualified name will not work, then you have a DNS problem that needs to be addressed.

Another Awesome GP Post by Jeremy from GPAnswers.com

I have been thinking about why administrators sometimes report "issues" with their
Group Policy system. As I thought about it, I decided to jot down some notes to share
with you and your team and managers. The result was five reasons people fail with
Group Policy, and I’m going to share them with you:

Reason #5: Not understanding how Windows 2000, Windows XP, Windows Vista,
and Windows Server 2008 are all different.
You started out with Windows 2000, but do you know all of the ways that Group Policy
applies differently to Windows XP? And, what about Windows Vista and 2008? Can you
be confident in explaining to the boss why settings don’t work exactly the same across these
operating systems?

Reason #4: Not using Group Policy Power to its fullest.
Did you know there are 18 categories of settings and options you can perform in the box for
Windows XP (and even more for Vista)? But what happens when you introduce the new
Group Policy Preferences? You get another 21 new CATEGORIES. If you’re not up to speed
here, you’re spinning your wheels; driving changes into your images, when you should be
doing it dynamically using Group Policy. Oh, and losing money each day you don’t implement these free new goodies.

Reason #3: Not knowing WHEN Group Policy applies.
This is a huge one. People throw their hands up in the air when it seems like Group Policy
isn’t working. But I bet it’s working fine; you just need to understand WHEN Group Policy
applies across different conditions and operating systems.

Reason #2: Not knowing how to find settings that do what you want.
How many policy settings are there? Hundreds? Thousands? Tens of thousands? Depends
on who you ask and how you classify them. There are 2400 policy settings for Vista in one
category (the Administrative Templates section), but what about the others? What process
are you using to figure out which settings you should use for your environment?

And the number 1 Reason: Not everyone is speaking the same "language."
This is my favorite one, because it’s not even a technical one. It’s just human nature. We’re
all too busy to figure out what our common "language" is going to be. If you’ve ever had a
co-worker say to you "Do me a favor and modify that Group Policy for me." You need to stop
and ask yourself: "What is he talking about? The GPO itself? The settings contained within
the GPO? Something else?" Having you AND your team be on the same page is simply
priceless.

It’s that "Human Broadband Connection" you only get when everyone on your team
is speaking a common language.

Thanks go to Jeremy from GPAnswers for this one!

What problems do you and your organization have with Group Policy? Who is using 2008 Policies? Let us know in the comments kiddies!

_TheGPOAdmiN_

Ok, here is the situation: you’ve got 1200 script files in a particular directory on your XP workstation, and you need to find any script that references “\\atl01\share” (queue Dennis Hopper voice), what do you do?!

Traditional convention is that you spend several hours opening each file in notepad and doing a “find”, or you might be able to cut it down to an hour or so if you opened several dozen of the files at a time in Notepad++ and did “find in all files”, or you could take about a half an hour and move the files over to a *NIX machine and use grep. I’ve got a better answer: BareGrep.exe from our friends at Bare metal Software. BareGrep is basically a GUI version of the *NIX grep command for Windows machines, and it works wonderfully.Much like BareTail (which I reviewed here), BareGrep is fully portable, meaning you can run it from a USB drive!

Here is a short list of some of the features in BareGrep:

• Regular expression text search (that’s inside the files)
• Wildcard and regular expression file search
• Files to find or search can be specified with a regular expression
• Multiple files can also be specified with the mouse
• Recursive directory search
• Frequently used text search patterns may be saved, named and edited
• Searching while you type, to find results quicker
• Capturing groups (using bracket characters ‘(’ and ‘)’ in a regex) extract strings from files
• Tabular presentation of search results
• Export/copy of search results in many formats
• Search files of any size (> 2GB)

Not only will this utility do all that, but it is usable from the commandline as well! What more could you want? Wait, what? You want… more features? Well you’re in luck, as BareGrep comes in two forms, the Free version (what we’ve covered so far), and the Registered version ($25 at the time of this review), which offers all of the features of the free version, as well as:

• Selecting a search result line shows that line in context in the file
• Tabs display files recently viewed
• Tabs may be positioned on any side of the window and oriented horizontally or vertically
• Lines containing particular strings can be highlighted to help you notice important text
• Highlight colors are fully customizable

Now I can’t even begin to cover the colossal amount of time that this utility has saved me, but I can tell you that it is well worth the price of admission. BareGrep can be downloaded here.

Written by Jeremy Moskowitz of GPanswers.com

Sunday, I went and saw the most amazing thing ever. Since I used to live in Delaware, and now live in Philadelphia, I finally decided to go out and see it for myself.

That’s right: the world championships of Punkin’ Chunkin.

For the uninitiated, Punkin’ Chunkin is a competition to see who can launch a pumpkin the farthest. The basic categories are: Centrifugal, Air Cannon, Catapult and Trebuchet. 72 machines in all in this year’s competition. Yowsa !

I took some pictures, and got one amazing video of (what I think was) the most interesting device there. You can check out my pictures and the one video here:

https://moskowitzinc.infusionsoft.com/link/94db4cc00/249f00

You can see the official website here, including rules and other videos. Or get

“Flying Pumpkins — the Movie!”

http://www.punkinchunkin.com/main.htm

The winning shot this year went more than 3,000+ feet — into the wind!

If you can’t have a good time at Pumpkin’ Chunkin — you can’t have a good time anywhere. You should go. It’s weird. It’s fun. It’s hurling pumpkins using machines. It’s like Mythbusters Live — with real people and real pumpkins!

C’mon !!

And, as usual, while I’m not thinking about work, I end up thinking about work.

The history of this thing is neat: it started out innocently enough. A couple of farmers in a field and a little bragging rights as “payment.” In other words, they started small.

And so can you. I know lots of people who are basically afraid of GPOs. And for good reason. They can be dangerous if not used properly. Kind of like hurling 12 pound pumpkins from a trebuchet or an air cannon. Used well, they’re both lots of fun!

So, here’s some advice if you’re just getting started with Group Policy (so you don’t blow your network apart like a blown-up pumpkin):

(1) Use an offline test network: Don’t think that the Group Policy Object action you WANT to have happen is always GOING to happen. Make sure it works FIRST in a test lab before bringing that GPO over into production.

(2) Read the Explain text: The policy settings’ explain text is your best friend. In recent years, it’s become more and more accurate. So, read first, test second.

(3) Have others validate your work: Just because it “looks right to you” doesn’t mean the “goal” has been attained. Have others double-check your work to make sure what you’re doing is accurate.

(4) Start small; don’t go overboard: This is the biggie. When people catch “GPO fever” it’s common for people to “go a little crazy” and go a little overboard.

PS: If you blow up your pumpkin as it comes out of your machine, they call it “Making Pie.” Don’t be the guy (or gal) who makes pie out of your network.

Written by Jeremy Moskowitz of GPanswers.com

This week, I’m taking a break from Group Policy stuff.

If you think these tips of the week, since they’re not GP-related
aren’t that useful, then let me know, and maybe this will be the first
and last issue like this.

But here goes. All about NOT GP stuff:

Tip #1: Encrypt Everything

I stumbled across a free piece of software absolutely everyone running XP laptops
should have. It’s called TrueCrypt and you can check it out at TrueCrypt.org.

I don’t need to explain that walking about and traveling with an unencrypted laptop
is like waving your credit cards around in plain sight. Just not smart.

If you’re running Vista Business or Ultimate, you’ve got access to BitLocker –
the “entire disk” encrypting technology.

Well, that’s what TrueCrypt does too.

Because it’s open source software, I was expecting, well,
a bunch of command lines and a script to make this all happen.

Nope. It’s all super easy, and performed in a very slick fashion.

In short, the software is VERY polished. It starts out by asking you how you want to perform
the encryption. You can carve out some space, do an entire partition, or the whole disk.

So, I just “went for it” and did the whole disk. Then, it forces you to select a password,
create an Emergency Rescue ISO, forces you to burn it, then VERIFY IT (so if you blow up mid- encryption, there’s a way to get out.)

So now (after 5 hours of letting it encrypt), every time I boot my laptop, I’m password protected. Even with the rescue CD, the bad guy would still need a password.

So.. Password + Your Own Rescue CD = ability to get files off the drive in case of emergency.

Nice.

So, if you can’t get BitLocker (because you don’t have one of the two editions of Vista that have it)
and you want something (free) that really seems to work.. try TrueCrypt.org.

And it works on Linux and Mac too. Wow.

Tip #2: Hire the right people

Recently, I had to find a new assistant. And that’s tricky for me, because I’m a geek, and not Mr. Awesome Interviewer guy. So I did what I thought I should do and interviewed a bunch of people and tought I had a match. I hired that new somebody.

Who promptly left me after only 4 days.

Ow. Okay.

Well, better to break up now than later, I guess. But I couldn’t help thinking there must be a better way for someone like me, who doesn’t know much about how to interview to ask the right questions.

So I found this firm called “Hire-Intelligence” (cute name.) And they were very helpful for me.

I was able to get little assessment exams which helped me understand where we might work well together, but even better — it gave me questions to ask the candidates based upon their unique answers.

So, I hired a new assistant, Diane, and I think it’s working out!

I’m guessing the best link to check it out woudl be this one:
http://www.hire-intelligence.com/trial-site1.html

Tip #3: Get smarter in ITIL

People sometimes ask me “my secret.”

I don’t have a secret. I’m just like you! I have a life, a job, and have to make
computers work when they break (see Tip #4 below.)

The only “secret” I have is that I read EVERYTHING
(PC Week to Wired Magazine to the magazines I write for)
and get to go to listen to smart people speak on stuff they really know.

And while I had some passing familiarity with ITIL, I didn’t really “get it.” Now I “got it.”

My good friend Jill Knapp from www.knapp-it.com does what I do for Group Policy — for ITIL.

And whew. My brain is full.

So, with a hearty recommendation, I would recommend Jill’s classes for either
ITIL v2 or ITIL v3 training. I wasn’t interested in passing any ITIL exams,
but I can’t imagine someone taking the class wouldn’t be able to pass them
after taking her sessions.

She only does private classes, so if you’re interested, you’ll have to contact her directly.
jill (at) knapp-it.com. Tell her I say Hi.

Tip #4: I’m trying something new

I’ve reached “that point.” You know “that point.” The point where Windows just
s-l—ow–s d-o–w-n to a crawl and won’t open your docs.

Here were the symptoms that finally made me say: “FDISK!”

In my case, I would walk up to my machine with 100% CPU utilized, unable to run task manager.

I wasn’t able to install Silverlight. And I wasn’t able to un-install Micorsoft Business Contact manager.

Meanwhile, Outlook 2007 would take about 10 minutes to download 1MB. Ow.
(Though Outlook 2007 was always like that for me, actually –
http://support.microsoft.com/kb/940226 and http://support.microsoft.com/?kbid=932086.)

So, it was time for a wipe and re-load.

Sure, you all have Ghost, etc and big SANs with your corporate install files.

And maybe someone to help repackage your applications into MSI files.

But I don’t.

Nobody likes the wipe and re-load. But, here I am. All day today, and likely all day tomorrow.

And maybe some more on Monday.

But this time, I’m doing something different as an experiment. I’m going to be using
Microsoft’s Application Virtualiztion client. This was previously known as Microsoft SoftGrid.

The idea is that with SoftGrid, er, App-V as it’s come to be recently nicknamed, you can
RUN applications without having to actually INSTALL them.

This is discussed in detail in the BLUE book
(www.GPanswers.com/books) and in some of my upcoming talks at WinConnections
(and, maybe coming soon as a bigger endeavor for you guys.)

Anyway.. the App-V 4.5 system was released, um.. yesterday. So, I installed the client piece on my new machine TODAY to get started. I was saddened to learn that it only works with 32-bit
clients, not 64-bit clients. Bah. But, okay. So, I’m back to 32-bits again on my laptop.

But, I’m hoping its worth it. The point of App-V is that the applications aren’t really “installed” on your machine, even though they “run” there. So, hopefully no more gunky build-up. No more pegged CPUs, and no more in-ability to install Silverlight or un-install Outlook Business Contact Manager.

The downside is, each application need to be processed, or sequenced first. (We have a whole
chapter on Softgrid Sequencing Secrets in the BLUE book.) And, I’m basically working
though my arsenal now (and working my arsenal off) sequencing my apps.)

But .. someone has done a percentage of the work for me. Over at
http://www.instantapp.net/ there are a bunch of freeware applications
that are pre-sequenced and ready to rock.

Well, they’d be ready to rock if you used the SoftGrid 4.2 client. Except I’m not.
I’m using the App-V 4.5 client. So, to “convert” you can run the existing project
thru the new sequencer and POP — out pops an App-V 4.5 compatible sequence
for me to use on my machine.

I’ve done it for several apps — like Firefox.. and whamo. Worked perfectly!

If you want to learn more about SoftGrid / App-V “on the road” check out my
article in WinIT Pro mag here: windowsitpro.com/articles/print.cfm?articleid=99397
or check out the BLUE book (www.GPanswers.com/books.)

Thanks to my pal Eric Johnson (who also helped with the SoftGrid chapters in the book)
for his help today too!

Well, that’s it for this week of non-GPO-specific stuff. Let me know what you think.

I have some survey questions here I’d really appreciate your input on if you have a moment.

Click here to participate:

http://www.surveymonkey.com/s.aspx?sm=4BBLNjICfDtcc6IeQm58oQ_3d_3d

Thanks team, and talk soon.

I get this question all the time:

“What happens if I apply Vista-specific settings to my XP machines?”

So, here’s the answer: If you have a “newer” policy setting, and it affects an “older” machine… (in general) NOTHING BAD HAPPENS.

Let’s figure out why.

Let’s take the case of a “newer” policy setting, say, “Remove Games link from Start Menu” which is a Vista-only function. XP doesn’t have a Games link to remove off the Start Menu.

So when you affect an XP machine with a Vista-specific policy setting, the interesting part is … something DOES happen.

But it happens under the hood, and we don’t really see it.

That “something” is that a registry entry gets punched in place which gives the edict to “Remove Games link from Start Menu” to Windows Explorer.

Except XP’s Windows Explorer doesn’t know what to do with this information. So it promptly ignores it.

What about the other direction? Can you take an “older” policy (say, for XP) setting and affect a newer” (Vista) machine?

Usually. Like “Prevent access to the control panel.” Works great since Windows 2000,and then XP and now Vista.

Not all XP policy settings are valid for Vista, however.

Why? Well, Vista shook some items up a bit, and some got lost in the shuffle.

How do you know if a policy setting is valid for a particular operating system? Use the GP Editor Filtering capabilities to determine if a setting is valid for a particular operating system. And also check the Explaintext and what’s known as the “Requirements” settings. You can see the “Requirements” indicator when you click on a policy setting and you’re using the “Extended” view (the default.)

Most policy settings will say something like: “At least Microsoft Windows XP” or “Windows Server 2003 family.”

So it’s not really true that “NOTHING” happens when you create a GPO which contains policy settings for “older” machines. Something does, indeed happen.

Except it’s basically ignored, because that operating system wouldn’t know what to do with the directions it just got.

Stay tuned to more group policy goondess from Jeremey over at GPAnswers.com!

And, I just want to put (quickly) to rest that I was trying to suggest that you should positively avoid it.

Au contrare.

I was simply suggesting that if you haven’t done your testing yet, then there IS a possible way to prevent it from being blasted upon your machines without your consent.

Okay, now with that behind us, let’s take a second to examine XP/SP3.

Not all of XP/SP3, just one little piece.

First, remember some years ago, how Microsoft drew a little line in the sand and said “Service packs won’t have new features.” Well, just in case you missed the updated memo — those days are over. As you’ll recall, XP/SP2 was like “XP 2.0.” And, even though XP/SP3 doesn’t bring a zillion things to the table like XP/SP2 did, it does bring one very interesting, and not-all-that-well-known tidbit to the mix.

The tidbit is already built into Vista clients, and is now backwardly-available for XP/SP3. This piece is the NAP client. NAP means Network Access Protection.

What the heck is NAP, anyway? Well, instead of talking about NAP directly, let’s check out an alternate situation that I’m sure a lot of us have had to deal with.

If you’ve ever had to put a child in public school (or a dog in doggy day care), you know that you need to get your kid (or “fur kid”) vaccinated first. Then, you need a certification of health that proves they’ve actually had the necessary vaccinations. Let’s say that when you introduce your kid to this one particular school on the first day, the Principal at the front door of the school looks at the vaccination report, and validates that the kid is really vaccinated (and is likely healthy enough not to infect others), and then permits your kid to come inside the building.

If your kid hasn’t been vaccinated, this school will cheerfully give you two options: walk down a specific hallway that has no kids that your child could possibly infect, and meet with the school nurse at the nurse’s office to get vaccinated immediately. Or stay outside. Your choice.

Why is introducing new creatures into the environment so harsh? Because we want to maintain a healthy environment for the betterment of everyone in the building. Now, it is perfectly true that just because every kid in the school has been vaccinated doesn’t actually guarantee there won’t be an outbreak. It just means that certain criteria have been met which meet the baseline of healthy.

Got the idea?

Well, that’s Network Access Protection, or NAP. NAP’s goal for your client machines is similar to the example with the unvaccinated kids above.

So, to make use of NAP, your XP clients (specifically, XP/SP3) and Vista clients (any flavor) have a little “agent” piece running upon them. Then, when they try to connect to the network, they need to “prove” how healthy they are (you can define the criteria.) Once proven healthy, they’re allowed on the regular network. If they’re NOT healthy enough, they must see the Nurse, er, the Remediation Servers to get updated.

What kinds of things might you want to check for? How about if the Firewall is turned on? Are they running Antivirus software? How about the latest version of the definitions? Do they have a registry key set to a specific value? Is software XYZ currently installed and the service running?

All sorts of stuff. Now, the bad news is that the NAP client that ships with XP/SP3 and Vista can’t do ALL of these things with the bits in the box. For some of these things you’ll need to do some NAP add-ons, so be prepared for that as your starting your exploration.

A quick note if you’re going to try to get smarter on this NAP thing on your own. The user interface for some of the Windows Server 2008 components will just say “Windows XP” when what they really should be saying is “Windows XP/SP3.” Again, that’s because the NAP agent isn’t available for anything LESS than XP/SP3. So, do keep that in mind as you’re reading and checking it all out.

Soooo.. how do I get smarter in this NAP thing?

If you like the idea of NAP, it’s a bit of a mountain to climb to get started.

One of my favorite places to get NAP-tastic is the Microsoft NAP blog here. Updated with NAP-o-rific information.

Also, if you have my new BLUE book, we have a whole chap for NAP. There’s a full end-to-end working example for you to try to get a feel for how it works.

http://www.GPanswers.com/books

This is a weekly spot brought to you by Jeremy M of GPAnswers.com

That’s right.

This.

Thursday.

Service packs are like “The Blob.” Without any superpowers, you can’t stop the delivery of the blob. And every couple of years or so, the blob comes back, in a newer, bigger form !

Now, you might like what the blob offers. For sure, the blob offers a lot of fixes.

But it offers them all at once.

And that might be good.

Or it might not be what you want at all.

Maybe you haven’t had sufficient time to test the blob. Maybe you want to go blob-less because you’re doing some other massive XP to Vista project or something.

If you’ve got WSUS or SMS / SCCM, then you’re pre-protected from the blob, because you have to manually decide to push the blob out.

But if you’re using good ol’ Windows Update for your clients, you might want to run Screaming out of the Theater and grab your fire extinguishers. So, if, like in the movie, you’re looking to freeze the blob, there are several ways (all contained within one download), and, of course, a Group Policy way to do it. Microsoft has a download just for you! It is called the Windows Service Pack Blocker Tool Kit… Isn’t that original?

And inside, you’ll find an ADM file called NoSPUpdate.ADM.

And inside that one ADM file, you’ll be adding one additional setting to GP.

It’s called: “Do not allow delivery of the service Pack through Windows Update or Automatic Updates.”

Again, if you’re using WSUS or SMS/SCCM the blob can’t come and get you. You’ve got a blob-free zone. It’s only for those of us without our Tin Foil hats on.

PS: Not too far away from me in Philadelphia is where they filmed “The Blob” with the famous scene of everyone running out of the theater. Want to re-enact? It’s 9.00 PM on Fri July 11th in Phoenixville, PA. Yep, you can run out of the theater during the Blobfest 2008 reenactment. And a scream contest and a tin-foil hat contest. And, its just one day after the XP/SP3 blob is scheduled to come and get you. (You knew there was a tie-in somewhere, right?)

Yesterday, I finished giving a private GP 2.0 Catch-up class. This company originally took my Essentials class several years ago. In the middle of the catch-up class one of the guys asked me

“Jeremy, now that we’ve been using GP a little while, and are really embracing GPOs, things are a little bit slower sometimes when new users log on.”

And my response might shock you.

I said “Awesome !”

He was a little taken back. And I know why. He thought he had a problem. But he doesn’t. He just missed a key point about how GP works.

Let’s imagine that you wanted to do something a little crazy. And, I know you wouldn’t really want to do what I’m about to describe; it’s just something for us to hang our hats on, okay? So, imagine you wanted to (yikes) re-ACL your entire hard drive. Yep. That’s the directive. Ouch.
Again, it’s just theoretical, so go with me here. So, in simple terms you have a handful of options:

• Use a startup-script which manually does the deed
• Manually run a script which does the deed on each machine

• Use GP to deliver the same set of instructions via the NTFS security node

They all do the same thing, right? Right. And the action they’re taking (the actual “thing” they’re doing) is kind of slow and painful ,right?

So is the GP engine the cause of this “slowdown?” No. It’s the “action” you’re doing. The theoretical re-ACL’ing of the hard drive.

So I was kind of excited when he said that sometimes things are slower because that means he’s actually DOING something with GP. So, I like to say that GP is a “Blame the message, not the messenger” technology.

A little later in the GP 2.0 Catch-up class I showed him how to bust apart Vista’s new logging mechanism and see — precisely — how long a “GP Cycle” takes. That way he can be really really sure how long GP was taking to process each step if he wanted to. Heck, it might not even be that anything he’s DOING with GP is even causing the slowdown!

But in any case, the next time you think “Hey, the computer is running a little slowly” embrace it. It means it’s working. (But also consider getting smarter in GP troubleshooting it too, to be 100% sure it’s working for you.)

Stay tuned for more Group Policy Goodness from Jeremy!

Now I will show you how you can add a map network drive to a computers on your network depending on what OU they are in. An OU is an Organizational Unit in your Active Directory or simply put a container to hold similar stuff.

Why do we put things into OU’s? To make our lives as Admin’s that much easier.

By grouping all of your Accounting users into one OU you can then assign a Group Policy to that OU. Now if there are 5000 people in one department or 5 it is the same amount of work to add a mapped drive (or any of the other GP tasks we will do) to there machines. You can nest OU’s in OU’s like seen above here with the Accounting OU. It holds an AR and an AP department. You can apply policies to all three OU’s at once or individually. You control how GP trickles down like permissions.

By having OU’s and group policy on your network users can have their mapped drives and other resources no matter where they are logging into on your domain.

Are you frightened? Don’t be this is pretty simple! Log into your AD machine and open up your Active Directory Users and Computers Console. It is located in the control panel under administrative tools.

Get in there right click on your OU choose properties and then the group policy tab. Depending on how your AD machine is set up you might have to click on a a button that says open Group Policy Management.

Once you are there you can create and link your Group Policy by right clicking on the OU like seen here.

You will be prompted for a name for this policy

Go ahead and name her anything you want. But try to be descriptive so when you have 300 policies later on you can differentiate!

Now you see your policy appear on the right… Simply right click and edit it.

Navigate down to The User Configuration folder and choose Windows Settings and then Scripts and finally Log-on. Hit the add button. Now you will need to point your GP to a script to run. Create a .bat file with the following line in it. Obviously changing the drive letter and the share name to your own.

net use i: \\AskheAdmin\newaccounting$

Save this file to your domain name under the SysVol folder and into the Scripts folder.

So if your domain name is AskTheAdmin.com it would go into

\SYSVOL\ASKTHEADMIN\SCRIPTS\

Save it as logon.bat and simply type logon.bat in the box below:

Hit OK and OK again. Make sure to close out of any open Group Policy windows. Then log the user into any Domain machine and watch the drive mount for you. Of course if the user does not have the proper rights to the drive you specified it won’t work!

If you want to do this to a machine that is not on AD stay tuned for more in our GP series.

_TheGroupThisAdmiN_

Think of group policy like your Bitch Underpaid Intern. Microsoft describes Group Policy as:

Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. This infrastructure consists of a Group Policy engine and multiple client-side extensions (CSEs) responsible for writing specific policy settings on target client computers.

Before we get into the lessons I wanted to tell you that most of my examples will be of Domains running Active Directory BUT you can still do a lot of these tasks on Windows 2000/XP Pro/Vista Business even if they are not part of a domain. You can use the Group Policy editor to connect to a local machine and set this up.

What do you want to see us write about? Now is the time to send me your Group Policy questions!

_TheInquiringAdmiN_

Karl,

I’m a bit new to Active Directory and I’m supporting a small office with a SBS 2003 file server, which is also a domain controller. I have the server working fine and I’ve created all of my domain accounts and file shares. I’m in the process of switching the users over to logging into the domain instead of directly into the PC. The first user I’ve set this up for can log in just fine, but every time they log in they don’t have internet access. In researching the problem, I’ve found that each time they log in, the internet explorer proxy is being set to 127.0.0.1. We don’t have a proxy so if they uncheck the user proxy box everything works fine until they log out/shutdown and then login again. I haven’t really touched any of the default policies so I’m wondering if this is some sort of default behavior and how I can disable it. I found your post about how to remove/limit someone’s internet access by creating a “no internet” policy. This appears to be happening by default for me and I’m hoping you can help me turn it off.

Thanks,

Jeff

Can you guess what follow up questions I asked Jeff? Don’t Be Shy Hit The Comment Button!

Karl Gechlik
_TheAdmiN_

Update:
aparently they have killed support for sbs 2003 without any service packs see the article here.

Make sure you are all service packed up!

Well, John we have just completed something very similar with the assistance of Microsoft’s addusers.exe command and l0phtcrack for password retrieval. Addusers.exe can be found on the windows 2000 Resource CD or from Microsoft.com. Using addusers.exe with the /d switch we were able to extract to a text file all of our local users, groups and descriptions. But we were unable to export passwords… Thats where l0phtcrack came in we ran this against our local server and recovered all 250 user passwords in under 24 hours.

Then after joining the machine to our freshly created domain we used the adduser.exe to import the user information from the text file we exported using the /c script. We then went in manually and set the passwords. You could also leave the option to require the user to change their password on the next logon. Below you will find the syntax for addusers.exe.

Adds, Writes, or Erases accounts as specified by a delimited file.

ADDUSERS {/c/d{:u}/e} filename [/s:x] [/?] [\\computernamedomainname] [/p:{lced}]

/? Display this help screen.
/c Create accounts specified in the file.
/d: Write current accounts to the specified file, opt. followed by {:u}.
/u Write current accounts to the specified file in Unicode text format.
/p: Set’s account creation options, followed by an comb. of {lced} l Users do not have to change passwords at next logon. c Users cannot change passwords. e Passwords never expire. (implies l option) d Accounts disabled.
/e Erase user accounts specified in the file.
/s:x Sets the separator character for the input/output file. Replace the x with the character to be used for separating fields. (e.g. /s:~)

Note: The separator character is a comma ‘,’ by default.
For detailed information please refer to the Resource Kit Help file.

_TheNetworkedAdmin_