Group Policy
What happens if I apply Vista-specific Group Policy settings to my XP machines?
Aug 14th

I get this question all the time:
“What happens if I apply Vista-specific settings to my XP machines?”
So, here’s the answer: If you have a “newer” policy setting, and it affects an “older” machine… (in general) NOTHING BAD HAPPENS.
Let’s figure out why.
Let’s take the case of a “newer” policy setting, say, “Remove Games link from Start Menu” which is a Vista-only function. XP doesn’t have a Games link to remove off the Start Menu.
So when you affect an XP machine with a Vista-specific policy setting, the interesting part is … something DOES happen.
But it happens under the hood, and we don’t really see it.
That “something” is that a registry value gets written under the Policies key (the part of the registry the GP engine owns) carrying the edict “Remove Games link from Start Menu,” addressed to Windows Explorer.
Except XP’s Windows Explorer doesn’t know what to do with that value. So it promptly ignores it.
What about the other direction? Can you take an “older” policy setting (say, for XP) and affect a “newer” (Vista) machine?
Usually. Like “Prevent access to the Control Panel.” Works great since Windows 2000, and then XP and now Vista.
Not all XP policy settings are valid for Vista, however.
Why? Well, Vista shook some items up a bit, and some got lost in the shuffle.
How do you know if a policy setting is valid for a particular operating system? Use the GP Editor’s filtering capabilities to show only the settings that apply to a given operating system. And also check the Explain text and what XP’s editor calls the “Requirements” field (Vista’s ADMX-based editor labels the same information “Supported on”). You can see it when you click on a policy setting and you’re using the “Extended” view (the default).
Most policy settings will say something like: “At least Microsoft Windows XP” or “Windows Server 2003 family.”
So it’s not really true that “NOTHING” happens when you create a GPO which contains policy settings for “older” machines. Something does, indeed happen.
Except it’s basically ignored, because that operating system wouldn’t know what to do with the directions it just got.
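The “under the hood” part above is easy to see for yourself. The PowerShell below is an added example, not code from the original post: it reads an ADMX file to list what each setting writes to the registry and which OS it is marked as supported on (the same thing the editor shows as “Requirements” / “Supported on”), then checks whether that value is actually present on the local machine. The ADMX fragment embedded in it is constructed for the example, modelled on the two settings the post mentions; the value names NoStartMenuMyGames and NoControlPanel are the real ones, but the display names and support labels are assumptions. Point it at a real file under %SystemRoot%\PolicyDefinitions on a Vista/2008 management station to do the same for your own GPOs.

```powershell
# Added example (not from the original post). Parses an ADMX file and shows, per
# setting: registry hive/key/value and the supportedOn reference, then looks up
# whether the value has already been "punched in" on this machine.

$sampleAdmx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="NoControlPanel" class="User" displayName="$(string.NoControlPanel)"
        key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoControlPanel">
      <supportedOn ref="windows:SUPPORTED_Win2k" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="NoStartMenuMyGames" class="User" displayName="$(string.NoStartMenuMyGames)"
        key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoStartMenuMyGames">
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@
# The XML above is a constructed, cut-down ADMX fragment; real files reference
# supportedOn definitions that live in Windows.admx.

function Get-AdmxPolicyInfo {
    param([xml]$Admx)
    $ns = New-Object System.Xml.XmlNamespaceManager($Admx.NameTable)
    $ns.AddNamespace('p', 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions')
    foreach ($policy in $Admx.SelectNodes('//p:policies/p:policy', $ns)) {
        # class="Machine" lands in HKLM, class="User" in HKCU, class="Both" in either.
        $hive = switch ($policy.GetAttribute('class')) {
            'Machine' { 'HKLM' }
            'User'    { 'HKCU' }
            default   { 'HKLM or HKCU' }
        }
        $sup = $policy.SelectSingleNode('p:supportedOn', $ns)
        New-Object PSObject -Property @{
            Policy      = $policy.GetAttribute('name')
            RegistryKey = "$hive\$($policy.GetAttribute('key'))"
            ValueName   = $policy.GetAttribute('valueName')
            SupportedOn = if ($sup) { $sup.GetAttribute('ref') } else { '(not stated)' }
        }
    }
}

function Test-PolicyValuePresent {
    # Returns the value's data if the policy value exists locally, otherwise $null.
    param([string]$RegistryKey, [string]$ValueName)
    $path = $RegistryKey -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { $item.$ValueName } else { $null }
}

# 5.1.x = XP, 6.0.x = Vista: compare this against SupportedOn to see what will be ignored.
$osVersion = (Get-WmiObject Win32_OperatingSystem).Version
Write-Host "Local OS version: $osVersion"

Get-AdmxPolicyInfo -Admx ([xml]$sampleAdmx) | ForEach-Object {
    $present = Test-PolicyValuePresent -RegistryKey $_.RegistryKey -ValueName $_.ValueName
    $_ | Add-Member -MemberType NoteProperty -Name LocalValue -Value $present -PassThru
} | Format-Table Policy, SupportedOn, RegistryKey, ValueName, LocalValue -AutoSize
```

Run it as the user the GPO targets on an XP box that has the Vista setting applied and you will see NoStartMenuMyGames = 1 sitting in HKCU, alongside a SupportedOn of Vista: the value arrived, XP just has no code that reads it. To scan a real file instead of the sample, pass `([xml](Get-Content "$env:SystemRoot\PolicyDefinitions\StartMenu.admx"))`.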
Stay tuned for more Group Policy goodness from Jeremy over at GPAnswers.com!
Group Policy Tip Of The Week: NAP the world
Jul 22nd
In my last Group Policy tip of the week for AskTheAdmin.com, I talked about XP/SP3.
And, I just want to put (quickly) to rest that I was trying to suggest that you should positively avoid it.
Au contraire.
I was simply suggesting that if you haven’t done your testing yet, then there IS a possible way to prevent it from being blasted upon your machines without your consent.
Okay, now with that behind us, let’s take a second to examine XP/SP3.
Not all of XP/SP3, just one little piece.
First, remember some years ago, how Microsoft drew a little line in the sand and said “Service packs won’t have new features.” Well, just in case you missed the updated memo — those days are over. As you’ll recall, XP/SP2 was like “XP 2.0.” And, even though XP/SP3 doesn’t bring a zillion things to the table like XP/SP2 did, it does bring one very interesting, and not-all-that-well-known tidbit to the mix.

The tidbit is already built into Vista clients, and is now available for XP/SP3 as well. This piece is the NAP client. NAP means Network Access Protection.
What the heck is NAP, anyway? Well, instead of talking about NAP directly, let’s check out an alternate situation that I’m sure a lot of us have had to deal with.
If you’ve ever had to put a child in public school (or a dog in doggy day care), you know that you need to get your kid (or “fur kid”) vaccinated first. Then, you need a certification of health that proves they’ve actually had the necessary vaccinations. Let’s say that when you introduce your kid to this one particular school on the first day, the Principal at the front door of the school looks at the vaccination report, and validates that the kid is really vaccinated (and is likely healthy enough not to infect others), and then permits your kid to come inside the building.
If your kid hasn’t been vaccinated, this school will cheerfully give you two options: walk down a specific hallway that has no kids that your child could possibly infect, and meet with the school nurse at the nurse’s office to get vaccinated immediately. Or stay outside. Your choice.
Why is introducing new creatures into the environment so harsh? Because we want to maintain a healthy environment for the betterment of everyone in the building. Now, it is perfectly true that just because every kid in the school has been vaccinated doesn’t actually guarantee there won’t be an outbreak. It just means that certain criteria have been met which meet the baseline of healthy.
Got the idea?
Well, that’s Network Access Protection, or NAP. NAP’s goal for your client machines is similar to the example with the unvaccinated kids above.
So, to make use of NAP, your XP clients (specifically, XP/SP3) and Vista clients (any flavor) have a little “agent” piece running on them. Then, when they try to connect to the network, they need to “prove” how healthy they are (you define the criteria). Once proven healthy, they’re allowed on the regular network. If they’re NOT healthy enough, they must see the Nurse, er, the Remediation Servers to get updated.
What kinds of things might you want to check for? How about if the Firewall is turned on? Are they running Antivirus software? How about the latest version of the definitions? Do they have a registry key set to a specific value? Is software XYZ currently installed and the service running?
All sorts of stuff. Now, the bad news is that the NAP client that ships with XP/SP3 and Vista can’t do ALL of these things with the bits in the box. For some of these things you’ll need NAP add-ons (third-party System Health Agents and Validators), so be prepared for that as you’re starting your exploration.
A quick note if you’re going to try to get smarter on this NAP thing on your own. The user interface for some of the Windows Server 2008 components will just say “Windows XP” when what they really should be saying is “Windows XP/SP3.” Again, that’s because the NAP agent isn’t available for anything LESS than XP/SP3. So, do keep that in mind as you’re reading and checking it all out.
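Before you turn on enforcement it helps to know how many clients would land in the “Nurse’s office” on day one. The script below is an added example, not part of the original tip or of Microsoft’s NAP client: it runs on an XP/SP3 or Vista machine and checks the same kinds of things the post lists (the NAP agent service, Windows Firewall, registered antivirus and whether its definitions are current, an arbitrary registry value, an arbitrary service). The registry path and service name in the default parameters are made-up placeholders; substitute your own.

```powershell
# Added example (not from the original post): a NAP "pre-flight" health report for
# the local client, mirroring the checks the post mentions. Run in PowerShell 2.0 on
# XP/SP3 or Vista; the registry value and service used by default are assumptions.

function Get-FirewallProfileState {
    # XP SP2+/Vista keep the effective Windows Firewall state under these keys; 1 = on.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $p = Get-ItemProperty -Path "$base\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Profile = $profile
            # $null means the value is not present (default state, not explicitly set).
            Enabled = if ($p -eq $null) { $null } else { [bool]($p.EnableFirewall -eq 1) }
        }
    }
}

function Get-RegisteredAntivirus {
    # Security Center (XP SP2+/Vista) lists registered AV in root\SecurityCenter;
    # Windows 7 and later moved this to root\SecurityCenter2.
    Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, onAccessScanningEnabled, productUptoDate
}

function Test-RegistryValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    ($item -ne $null) -and ($item.$Name -eq $Expected)
}

function Test-ServiceRunning {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    ($svc -ne $null) -and ($svc.Status -eq 'Running')
}

function Get-NapPreflightReport {
    param(
        [string]$RequiredRegPath  = 'HKLM:\SOFTWARE\Contoso\Agent',  # assumed placeholder
        [string]$RequiredRegName  = 'Installed',                     # assumed placeholder
        $RequiredRegValue         = 1,
        [string]$RequiredService  = 'ContosoAgent'                   # assumed placeholder
    )
    $fw = Get-FirewallProfileState
    $av = @(Get-RegisteredAntivirus)
    New-Object PSObject -Property @{
        NapAgentRunning    = Test-ServiceRunning 'napagent'   # the built-in NAP agent service
        FirewallDomainOn   = ($fw | Where-Object { $_.Profile -eq 'DomainProfile' }).Enabled
        FirewallStandardOn = ($fw | Where-Object { $_.Profile -eq 'StandardProfile' }).Enabled
        AntivirusPresent   = ($av.Count -gt 0)
        AntivirusUpToDate  = ($av.Count -gt 0) -and -not ($av | Where-Object { -not $_.productUptoDate })
        RegistryValueOk    = Test-RegistryValue $RequiredRegPath $RequiredRegName $RequiredRegValue
        RequiredServiceOk  = Test-ServiceRunning $RequiredService
    }
}

$report = Get-NapPreflightReport
$report | Format-List
$failed = @($report.PSObject.Properties | Where-Object { $_.Value -eq $false })
if ($failed.Count -gt 0) {
    Write-Warning ("Would be sent to remediation; failing checks: " + (($failed | ForEach-Object { $_.Name }) -join ', '))
}
# For what the real agent sees, compare with: netsh nap client show state
```

Wrap the report in a logon script and write it to a share for a week before you switch NAP from reporting to enforcement, and you will know which checks are going to bite and on how many machines.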
Soooo.. how do I get smarter in this NAP thing?
If you like the idea of NAP, it’s a bit of a mountain to climb to get started.
One of my favorite places to get NAP-tastic is the Microsoft NAP blog. Updated with NAP-o-rific information.
Also, if you have my new BLUE book, we have a whole chap for NAP. There’s a full end-to-end working example for you to try to get a feel for how it works.
http://www.GPanswers.com/books
This is a weekly spot brought to you by Jeremy M of GPAnswers.com
Stop the Blob AKA XP SP3.. Today… using Group Policy
Jul 10th
XP / SP3 is coming, via Automatic Updates. On Thursday.
That’s right.
This.
Thursday.
Service packs are like “The Blob.” Without any superpowers, you can’t stop the delivery of the blob. And every couple of years or so, the blob comes back, in a newer, bigger form !
Now, you might like what the blob offers. For sure, the blob offers a lot of fixes.
But it offers them all at once.
And that might be good.
Or it might not be what you want at all.
Maybe you haven’t had sufficient time to test the blob. Maybe you want to go blob-less because you’re doing some other massive XP to Vista project or something.
If you’ve got WSUS or SMS / SCCM, then you’re pre-protected from the blob, because you have to manually decide to push the blob out.
But if you’re using good ol’ Windows Update for your clients, you might want to run Screaming out of the Theater and grab your fire extinguishers. So, if, like in the movie, you’re looking to freeze the blob, there are several ways (all contained within one download), and, of course, a Group Policy way to do it. Microsoft has a download just for you! It is called the Windows Service Pack Blocker Tool Kit… Isn’t that original?
And inside, you’ll find an ADM file called NoSPUpdate.ADM (plus an executable and a script that set the same registry value on machines that don’t get Group Policy).
And from that one ADM file, you’ll be adding one additional setting to GP.
It’s called: “Do not allow delivery of the Service Pack through Windows Update or Automatic Updates.” One caveat: the blocker is a delay, not a permanent ban. Microsoft’s blocking stops working 12 months after the service pack’s release, so finish your testing before then.
Again, if you’re using WSUS or SMS/SCCM the blob can’t come and get you. You’ve got a blob-free zone. It’s only for those of us without our Tin Foil hats on.
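The ADM setting above is just a single registry value, so it is easy to set by hand on machines outside the domain and easy to audit across the fleet to prove the block actually landed before Thursday. The PowerShell below is an added example, not code from the post or from Microsoft’s toolkit: it writes the same value the setting writes, and reads it back from a list of machines over the Remote Registry service. The computer names in the usage call are made up.

```powershell
# Added example (not from the original post or the blocker toolkit). Sets and audits
# the registry value behind "Do not allow delivery of the Service Pack through Windows
# Update or Automatic Updates": HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowSP = 1.

$SpBlockKey   = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$SpBlockValue = 'DoNotAllowSP'

function Set-LocalServicePackBlock {
    # Apply (or with -Remove, lift) the block on this machine; needs an elevated prompt.
    param([switch]$Remove)
    $path = "HKLM:\$SpBlockKey"
    if ($Remove) {
        Remove-ItemProperty -Path $path -Name $SpBlockValue -ErrorAction SilentlyContinue
        return
    }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $SpBlockValue -Value 1 -Type DWord
}

function Get-ServicePackBlockState {
    # Read the value from each machine via the remote registry API (Remote Registry
    # service must be running on the target and you need admin rights there).
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        $state = 'unreachable'
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
            $key  = $hklm.OpenSubKey($SpBlockKey)
            if ($key -eq $null) {
                $state = 'NOT blocked (no WindowsUpdate policy key)'
            } else {
                $state = if ($key.GetValue($SpBlockValue) -eq 1) { 'blocked' } else { 'NOT blocked' }
                $key.Close()
            }
            $hklm.Close()
        } catch {
            $state = "unreachable ($($_.Exception.Message))"
        }
        New-Object PSObject -Property @{ Computer = $c; ServicePackBlock = $state }
    }
}

# Usage: block this machine, then audit a few (constructed) names plus ourselves.
Set-LocalServicePackBlock
Get-ServicePackBlockState -ComputerName 'WKS01', 'WKS02', $env:COMPUTERNAME | Format-Table -AutoSize
```

Run the audit a day after you link the GPO: a machine still reporting “NOT blocked” either has not refreshed policy yet or is not in scope, and that is the one the blob will eat.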
PS: Not too far away from me in Philadelphia is where they filmed “The Blob” with the famous scene of everyone running out of the theater. Want to re-enact? It’s 9:00 PM on Fri July 11th in Phoenixville, PA. Yep, you can run out of the theater during the Blobfest 2008 reenactment. And a scream contest and a tin-foil hat contest. And, it’s just one day after the XP/SP3 blob is scheduled to come and get you. (You knew there was a tie-in somewhere, right?)
After using GP for a while, things are a little bit slower sometimes when new users log on. Why?
Jul 4th

Since so many of you have been asking for more and more Group Policy Goodness – we brought in Jeremy from GPanswers.com to pass along some of his expertise in the area. Check out his answer to this question below:
Yesterday, I finished giving a private GP 2.0 Catch-up class. This company originally took my Essentials class several years ago. In the middle of the catch-up class one of the guys asked me
“Jeremy, now that we’ve been using GP a little while, and are really embracing GPOs, things are a little bit slower sometimes when new users log on.”
And my response might shock you.
I said “Awesome !”
He was a little taken aback. And I know why. He thought he had a problem. But he doesn’t. He just missed a key point about how GP works.
Let’s imagine that you wanted to do something a little crazy. And, I know you wouldn’t really want to do what I’m about to describe; it’s just something for us to hang our hats on, okay? So, imagine you wanted to (yikes) re-ACL your entire hard drive. Yep. That’s the directive. Ouch.
Again, it’s just theoretical, so go with me here. So, in simple terms you have a handful of options:
- Use a startup-script which manually does the deed
- Manually run a script which does the deed on each machine
- Use GP to deliver the same set of instructions via the NTFS security node
They all do the same thing, right? Right. And the action they’re taking (the actual “thing” they’re doing) is kind of slow and painful, right?
So is the GP engine the cause of this “slowdown?” No. It’s the “action” you’re doing. The theoretical re-ACL’ing of the hard drive.
So I was kind of excited when he said that sometimes things are slower because that means he’s actually DOING something with GP. So, I like to say that GP is a “Blame the message, not the messenger” technology.
A little later in the GP 2.0 Catch-up class I showed him how to bust apart Vista’s new logging mechanism and see — precisely — how long a “GP Cycle” takes. That way he can be really really sure how long GP was taking to process each step if he wanted to. Heck, it might not even be that anything he’s DOING with GP is even causing the slowdown!
But in any case, the next time you think “Hey, the computer is running a little slowly” embrace it. It means it’s working. (But also consider getting smarter in GP troubleshooting it too, to be 100% sure it’s working for you.)
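“Blame the message, not the messenger” is measurable. The script below is an added example, not code from the post: on Vista or later (PowerShell 2.0, elevated prompt) it pulls the most recent user-logon policy cycle out of the Group Policy operational log, using the ActivityId that all events of one cycle share, and ranks the client-side extensions by the milliseconds each reported. Event 4001 marks the start of user logon processing, 8001/7001 its success/failure, and each 5016 event carries a CSE’s elapsed time in its message text; the regular expression that extracts it assumes the English wording of that message.

```powershell
# Added example (not from the original post). Times the last user-logon Group Policy
# cycle from Microsoft-Windows-GroupPolicy/Operational and lists per-CSE durations.
# Event IDs: 4001 start of user logon processing; 8001 finished OK; 7001 failed;
# 5016 "Completed <CSE name> Extension Processing in N milliseconds."

$GpLog = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-LastGpUserCycle {
    # Newest 4001 first (Get-WinEvent returns newest events first).
    $start = Get-WinEvent -FilterHashtable @{ LogName = $GpLog; Id = 4001 } -MaxEvents 1 -ErrorAction Stop
    # Everything logged since then that belongs to the same activity.
    $cycle = Get-WinEvent -FilterHashtable @{ LogName = $GpLog; StartTime = $start.TimeCreated } -ErrorAction Stop |
        Where-Object { $_.ActivityId -eq $start.ActivityId }
    $end = $cycle | Where-Object { $_.Id -eq 8001 -or $_.Id -eq 7001 } | Select-Object -First 1

    $cseTimes = foreach ($e in ($cycle | Where-Object { $_.Id -eq 5016 })) {
        # Message text is localized; this pattern assumes the English wording.
        if ($e.Message -match 'Completed (.+?) Extension Processing in (\d+) milliseconds') {
            New-Object PSObject -Property @{ Extension = $Matches[1]; Milliseconds = [int]$Matches[2] }
        }
    }

    New-Object PSObject -Property @{
        Started      = $start.TimeCreated
        Ended        = if ($end) { $end.TimeCreated } else { $null }
        Outcome      = if ($end -and $end.Id -eq 8001) { 'success' }
                       elseif ($end) { 'failed' }
                       else { 'no end event yet' }
        TotalSeconds = if ($end) { [math]::Round(($end.TimeCreated - $start.TimeCreated).TotalSeconds, 1) } else { $null }
        CseTimes     = @($cseTimes | Sort-Object Milliseconds -Descending)
    }
}

$cycle = Get-LastGpUserCycle
$cycle | Format-List Started, Ended, Outcome, TotalSeconds
$cycle.CseTimes | Format-Table Extension, Milliseconds -AutoSize
```

If the total is long but every CSE line is small, the time went somewhere other than applying settings (DC discovery, slow link detection, a script that the Scripts CSE only launches). If one CSE dominates, that is your “message,” and the GPOs it processes are where to look.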
Stay tuned for more Group Policy Goodness from Jeremy!
Using group policy to map network drives.
Jun 18th
Yesterday we had a brief introduction to what Group Policy is and what it can do for you. Today we are going to actually make it do our work for us. Back in the day if you had to map a drive on several machines you did it via the Autoexec.bat or as a login script from your domain controller.
Now I will show you how you can add a mapped network drive to the computers on your network depending on what OU they are in. An OU is an Organizational Unit in your Active Directory, or simply put, a container to hold similar stuff.
Why do we put things into OU’s? To make our lives as Admin’s that much easier.

By grouping all of your Accounting users into one OU you can then assign a Group Policy to that OU. Now whether there are 5000 people in one department or 5, it is the same amount of work to add a mapped drive (or any of the other GP tasks we will do) to their machines. You can nest OUs in OUs, as with the Accounting OU in the example: it holds an AR and an AP department. You can apply policies to all three OUs at once or individually. You control how GP trickles down, much like permissions.
By having OU’s and group policy on your network users can have their mapped drives and other resources no matter where they are logging into on your domain.
Are you frightened? Don’t be, this is pretty simple! Log into a domain controller (or any machine with the admin tools installed) and open up your Active Directory Users and Computers console. It is located in the Control Panel under Administrative Tools.
Get in there, right-click on your OU, choose Properties and then the Group Policy tab. Depending on how your machine is set up (if the Group Policy Management Console is installed) you might instead have to click a button that says Open, which launches Group Policy Management.
Once you are there you can create and link your Group Policy by right-clicking on the OU and choosing the option to create a GPO and link it here.

You will be prompted for a name for this policy
Go ahead and name her anything you want. But try to be descriptive so when you have 300 policies later on you can differentiate!
Now you see your policy appear on the right… Simply right click and edit it.

Navigate down to the User Configuration folder and choose Windows Settings, then Scripts, and finally Logon. Double-click Logon and hit the Add button. Now you will need to point your GP to a script to run. Create a .bat file with the following lines in it, obviously changing the drive letter and the share name to your own:
@echo off
net use I: \\AskTheAdmin\newaccounting$ /persistent:no
Save it as logon.bat inside this GPO’s own scripts folder: hit the Show Files button in the Logon Properties dialog and it opens that folder for you. It lives under SYSVOL, so if your domain name is AskTheAdmin.com the path looks like
\\ASKTHEADMIN.COM\SYSVOL\ASKTHEADMIN.COM\Policies\{GUID of this GPO}\User\Scripts\Logon
(The older \SYSVOL\<domain>\scripts folder, shared as NETLOGON, is where scripts assigned on a user account’s Profile tab go; a GPO given just the bare name logon.bat looks in its own folder, not there.) Then, back in the Add a Script dialog, simply type logon.bat in the Script Name box:
Hit OK and OK again. Make sure to close out of any open Group Policy windows. Then log the user into any Domain machine and watch the drive mount for you. Of course if the user does not have the proper rights to the drive you specified it won’t work!
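Once the batch file works, the next thing people want is one script that maps different drives for different people instead of one GPO per OU per share. The PowerShell below is an added example, not the post’s batch file, and goes a little beyond the post: it maps drives from a group-to-share table based on the logged-on user’s token groups, drops a stale mapping first, checks the share is reachable, and logs failures (typically the “proper rights” problem the post mentions) instead of popping errors at the user. The domain, group, server and share names are made up for the example. Run it as a Group Policy logon script on any client with PowerShell installed; on XP you call it from a one-line logon.bat such as `powershell.exe -ExecutionPolicy Bypass -File \\AskTheAdmin\netlogon\Map-Drives.ps1` (an assumed path).

```powershell
# Added example (not from the original post): group-driven drive mapping logon script.
# All names in $DriveMap are constructed for the example.

$DriveMap = @(
    @{ Group = 'ASKTHEADMIN\Accounting'; Drive = 'I:'; Share = '\\AskTheAdmin\newaccounting$' },
    @{ Group = 'ASKTHEADMIN\AR';         Drive = 'J:'; Share = '\\AskTheAdmin\receivables$'   },
    @{ Group = 'ASKTHEADMIN\AP';         Drive = 'K:'; Share = '\\AskTheAdmin\payables$'      }
)
$LogFile = Join-Path $env:TEMP 'map-drives.log'

function Get-CurrentUserGroups {
    # Token groups of the logged-on user as DOMAIN\Name. Nested membership is already
    # flattened in the token. SIDs that no longer resolve are skipped, not fatal.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
}

function Connect-MappedDrive {
    param([string]$Drive, [string]$Share)
    $net = New-Object -ComObject WScript.Network
    # EnumNetworkDrives returns letter, UNC, letter, UNC, ...
    $existing = $net.EnumNetworkDrives()
    for ($i = 0; $i -lt $existing.Count; $i += 2) {
        if ($existing.Item($i) -eq $Drive) {
            # Already mapped (maybe to an old server): remove so the re-map is clean.
            $net.RemoveNetworkDrive($Drive, $true, $true)
        }
    }
    if (-not (Test-Path $Share)) { throw "share $Share is not reachable" }
    # Third argument $false = not persistent: the mapping lives only for this logon.
    $net.MapNetworkDrive($Drive, $Share, $false)
}

$groups = @(Get-CurrentUserGroups)
foreach ($entry in $DriveMap) {
    if ($groups -contains $entry.Group) {
        try {
            Connect-MappedDrive -Drive $entry.Drive -Share $entry.Share
            Add-Content $LogFile "$(Get-Date -Format s) mapped $($entry.Drive) -> $($entry.Share)"
        } catch {
            # Usually: the user has no rights on the share, or the server is offline.
            Add-Content $LogFile "$(Get-Date -Format s) FAILED $($entry.Drive) -> $($entry.Share): $($_.Exception.Message)"
        }
    }
}
```

Because the decision is made from the token rather than the OU, a user who moves from AR to AP only needs a group change, and the GPO that runs the script can sit high in the tree and apply to everyone.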
If you want to do this to a machine that is not on AD stay tuned for more in our GP series.
_TheGroupThisAdmiN_
What is Group Policy and how can it help me?
Jun 18th

I am sure all you readers out there in Admin land have heard of Group Policy or GP/GPOs before. A lot of people know what it is but do not know how to use it well enough to make their lives easier. At the request of one of our loyal readers Bavat0r I have decided to create a series of posts starting with this brief introduction and guiding you through setting Group Policy up, utilizing it to install applications, map network drives and do pretty much anything you want it to. The possibilities are endless!
Think of Group Policy as your underpaid intern. Microsoft describes Group Policy as:
Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. This infrastructure consists of a Group Policy engine and multiple client-side extensions (CSEs) responsible for writing specific policy settings on target client computers.
Before we get into the lessons I wanted to tell you that most of my examples will be of domains running Active Directory, BUT you can still do a lot of these tasks on Windows 2000/XP Pro/Vista Business even if they are not part of a domain. You can use the Local Group Policy editor (gpedit.msc) on the machine itself, or point the Group Policy editor at a remote machine, to set this up.
What do you want to see us write about? Now is the time to send me your Group Policy questions!

