Group Policy Blog, by the "GPOGUY"-- Darren Mar-Elia

www.gpoguy.com www.sdmsoftware.com

As many of you know, I've started a Group Policy Management Solutions company called SDM Software. I've decided to transition my blog over to there, since it makes sense for me in the long run. So, if you are currently reading or subscribing to my blog posts, make sure you update your links to point to the new location.


Thanks for reading!

Issue with Win2003, SP2 & custom ADMs

One of the folks on my gptalk mailing list reported an issue with the new Windows 2003 SP2 and custom ADMs. Apparently, if these custom ADMs are not terminated with a carriage return/line feed character, they will throw an Error 51: "Unexpected keyword" when editing a GPO that contains one of them. I haven't tested this yet, but be aware of it.
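As an added example (not code from the original post), here is a small Python script that scans a folder of custom .adm templates and reports which ones do not end with a CR/LF terminator, the condition the post says triggers Error 51 in the GPO editor; it also handles Unicode (UTF-16LE) templates, where the terminator is stored as two-byte characters. The scan and fix routines are my own and assume the templates live in a folder you point the script at.

```python
"""Check that custom .adm template files end with a CR/LF terminator.

Added example, not code from the original post. The symptom it guards against
(Error 51 "Unexpected keyword" in the GPO editor when a custom ADM lacks a
trailing carriage return/line feed) is the one the post reports; the scan and
fix routines are my own and assume the templates live in a folder you point
the script at.
"""
from pathlib import Path

CRLF = b"\r\n"


def line_terminator(data: bytes) -> bytes:
    """CR/LF as it is encoded in this file. Unicode (UTF-16LE) templates start
    with the BOM FF FE and store each character as two bytes, so their
    terminator is CR NUL LF NUL; anything else is treated as ANSI."""
    return b"\r\x00\n\x00" if data.startswith(b"\xff\xfe") else CRLF


def check_adm_bytes(data: bytes) -> str:
    """Classify the last line's ending: 'ok', 'lf-only' or 'unterminated'."""
    crlf = line_terminator(data)
    lf = crlf[len(crlf) // 2:]          # the LF half of the terminator
    if data.endswith(crlf):
        return "ok"
    if data.endswith(lf):
        return "lf-only"                # Unix-style ending, no CR
    return "unterminated"               # no newline after the last keyword


def fix_adm_bytes(data: bytes) -> bytes:
    """Return the template with a guaranteed CR/LF terminator. A bare LF at
    the end is upgraded to CR/LF; the rest of the file is left untouched."""
    crlf = line_terminator(data)
    lf = crlf[len(crlf) // 2:]
    if data.endswith(crlf):
        return data
    if data.endswith(lf):
        return data[:-len(lf)] + crlf
    return data + crlf


def scan_adm_dir(folder: Path, fix: bool = False) -> dict:
    """Map each *.adm under folder to its status; rewrite bad ones if fix."""
    results = {}
    for path in sorted(folder.rglob("*.adm")):
        data = path.read_bytes()
        status = check_adm_bytes(data)
        if status != "ok" and fix:
            path.write_bytes(fix_adm_bytes(data))
            status += " (fixed)"
        results[str(path)] = status
    return results


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--fix"]
    target = Path(args[0]) if args else Path(".")
    for name, status in scan_adm_dir(target, fix="--fix" in sys.argv).items():
        print(f"{status:22} {name}")
```

Run it as `python check_adm.py C:\path\to\custom\adms` to get a report, and add `--fix` to append the missing terminator in place; do this on a copy of the templates before you re-import them into the GPO, since the fix rewrites the files.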



SDM Software & Special Operations Software announce strategic partnership

As I've mentioned here before, my company, SDM Software, is focused on making Group Policy a lot easier for folks to manage. Given the criticality of Group Policy as a security and desktop lockdown technology, making sure it's healthy and functional has ramifications for the security posture of an organization as well as for regulatory compliance. But Group Policy can do a lot more, especially when smart vendors come along and extend its capabilities into new areas. This is exactly what the folks at Special Operations Software in Sweden have been doing for the last few years with their SpecOps Deploy, SpecOps Inventory and SpecOps Password Policy products, the latter of which allows you to have granular account policy within a given domain, without having to wait for Longhorn.

As a result of the work they've been doing and the synergies between what they are doing and what SDM Software is up to, our two companies announced today a plan to work together to ensure that our products and theirs integrate well and that SDM Software can report on and help troubleshoot Group Policy processing issues with SpecOps' Group Policy extensions.

I've known SpecOps' CTO, Thorbjörn Sjövold, and CEO Robert Lundh since we first met a few years back at IT Forum in Copenhagen. Since then, SpecOps have been doing some very cool stuff to make Group Policy THE configuration management technology for Windows. I'm really happy to announce this partnership and really look forward to some cool stuff coming from us in the near future.

Learn about Longhorn

The Windows IT Pro folks, whom I write for on occasion, are doing a Longhorn Roadshow this Spring to help folks get up to speed on the new server platform. There's also a cool contest where you test your skills about Longhorn to win a trip to Mexico. Here's some more info:

"Windows Server "Longhorn" ChampFest Launches
IT pros can test their skills about the upcoming Windows Server "Longhorn" release and possibly win a trip to Mexico by entering the ChampFest contest launched by Windows IT Pro magazine. "Longhorn" ChampFest tests IT pros' knowledge about virtualization, Terminal Services, security, and IIS through a series of short online quizzes.

IT pros who succeed in the online contest will compete in another round of quizzes at the Windows Server "Longhorn" Roadshows visiting 16 cities this spring. Winners of the district finals will get an expenses-paid trip to compete in the ChampFest Finals at the Microsoft Windows Server "Longhorn" event later in 2007. The grand prize winner will receive an all-expenses paid trip to Cancun for six days.

To take the online quizzes and learn more about the Windows Server "Longhorn" roadshows, go here to get more details!

Attendees of the Windows Server "Longhorn" roadshow series kicking off in New York on April 3 will receive a copy of Windows Server "Longhorn" Beta 3, courtesy of Microsoft. Depending on the exact Beta 3 release date, attendees for earlier shows will get Beta 3 via mail delivery after the show. Attendees to shows later in the series will be able to leave the event with the code in hand.

The roadshow event offers an under-the-hood look at Windows Server "Longhorn" virtualization, deployment, Terminal Services, security, and IIS 7.0, among other topics. Attendees can choose from three tracks of content. Speakers include Michael Otey, Alessandro Perilli, and Michael Campbell. Registration for the event is $99, which includes breakfast, lunch, and refreshments; a full day of content, including presentations and demos; T-shirt and attendee bag.

The Longhorn roadshow tour will hit the following cities: New York (April 5), Chicago (April 10), Atlanta (April 12), Anaheim (April 17), Santa Clara (April 19), Denver (April 24), Boston (May 2), Detroit (May 8), Dallas (May 10), Minneapolis (May 15), Seattle (May 22), Phoenix (May 24), St. Louis (May 31), Washington, DC (June 12), Houston (June 14), and Philadelphia (June 19).

new EFS assistant tool for better management of GP-based EFS

I thought this was pretty cool: http://blogs.technet.com/billcan/archive/2007/03/10/beta-version-of-tool-for-enforcing-efs-encryption-is-shipping-next-week.aspx

Essentially, it's a better tool for enforcing EFS encryption for your mobile users. EFS is the Encrypting File System, which encrypts business-critical files to protect against unauthorized access should the mobile device find itself lost or in the hands of evil-doers and competitors.

"The Internet as Crutch" or "How the Internet breeds laziness and just plain poor manners"

I suppose it's no great revelation to anyone that the Internet is now THE source for information gathering and information dissemination in our society. And it's well documented how folks have been able to use the Internet for all sorts of good things, like learning more about their medical conditions or finding old friends. And, of course, the excesses of the Internet age are well documented--the fact that because the Internet is so widely accessible, there is little, if any, real vetting of material that appears online. Good and bad are equally represented. What I haven't seen as widely written about is how access to all this information and to the purveyors of the information has resulted in a certain laziness and just plain lack of good manners when it comes to communicating across this medium. I suppose that the anonymity that the Internet allows us all to have (or perceived anonymity anyway) helps to contribute to the sense that you can really say or do whatever you want online without fear of any real reprisal. That part of it is really just too bad, and I got to experience it firsthand this last weekend.

It should come as no surprise that I get a lot of questions about Group Policy. After working with the technology for almost 10 years, and having been answering questions in one form or another online since the bad old days of NT 3.50 and the International Windows NT User Group mailing list (IWNTUG), where I first encountered folks like Sean Daily and Mark Russinovich, I try to answer as many of the questions as I get. But these days, especially, that is pretty tough. It's why I created my GPTalk mailing list, so that folks with questions about Group Policy can get them answered by other smart folks (there are lots out there!). But if I am able to answer questions directly, I usually expect that the questioner has done at least the minimum amount of work to determine whether or not what they're asking has already been accomplished and documented elsewhere. I think we all know how to use Google and can get a lot of information out of it that can answer many of the questions out there.

Unfortunately, I've seen that on a lot of lists that I post or lurk on, many folks don't even bother to take that basic step of trying to find the answer themselves first--instead opting to take the easier path and just ask someone else to do the search work for them. Some questions are legitimately hard and require some collective brainpower to solve. Others are pretty much "Google-made" and really just end up wasting bandwidth asking again.

It was with that background that I got an email directly to my email address (gotta love that) asking what I thought was a very basic question. It wasn't even necessarily a GP question, but had to do with determining how to shut down a PC at a given time. Now, this guy, I'll call him "Skippy", because he was from Australia, prefaced his question by saying that he knew a lot about PCs but not much about Group Policy and that he had a problem with his kid, who was playing some computer game 50 hours a week. Well, I did manage to find the time to respond to him by suggesting that Task Scheduler was the way to go and that all bets were off, using any method, if his son were administrator-equivalent on the box.

So, then about 10 days go by and I get the following email from Skippy, again out of the blue after I had sent my initial response to him a day after his question:

"Thanks for not replying to my email pri*k"

There were several things about this response that irked me. The first was that he didn't bother to consider that maybe I did respond and he simply missed it. The second was that old lazy Skippy felt that I somehow owed him a response. I guess that means I can send him a bill for my time now! Truly, this kind of guy really bums me out, because it underscores how the Internet can sometimes bring out the laziest and nastiest in people. Too bad. I really do like answering folks' questions and will continue to do it, but this guy has reduced my enthusiasm for it by just a little...

Good article on remote GP updates

Here's a good article written by Jakob Heidelberg, on remotely triggering Group Policy refreshes, which covers my rgprefresh tool, as well as SpecOps' cool GPUpdate utility and a few other methods. Check it out.

Windows-Unix Interoperability Roadshow

The folks at Windows IT Pro Magazine are once again sponsoring the TechXWorld roadshow for Windows & Linux interoperability. This time, I'll be presenting on the Systems Management track, which includes three main areas:

  • heterogeneous systems monitoring
  • heterogeneous Group Policy for configuration management
  • emerging standards for cross-platform systems management, including WS-Management and the Service Modeling Language, or SML

The roadshow will be in 3 cities at the beginning of May. Check it out at http://www.techxworld.com/registration/


more on the Jim Gray search

The search for Jim Gray, and his boat, is still underway. No luck yet, but there is an amazing array of smart folks from all over helping with the search. To get a fascinating glimpse into the efforts being made, check out this blog.

I really hope they find something.

Search for Jim Gray

I just read this terrible news on the front page of the San Francisco Chronicle today, about the search for Jim Gray off the coast of Northern California. For those of you that don't know who Jim is, he has been one of the luminaries in the computer science field for a long time--winning the Turing award in 1998 for his work in databases and OLTP. Jim also started Microsoft's Bay Area Research Center in San Francisco a few years ago. I got a chance to meet him a few times when I worked at Charles Schwab. In each case, it was always a treat, as he was usually working on some fascinating project. The first time we met, he was helping the SQL Server team improve the product's scalability through the TerraServer project (he later extended that project to include astronomical objects). I truly hope they find Jim safe and sound, and my thoughts go out to his family.


What were they thinking??--the Office product team strikes again

In a previous post, I talked about the changes that MS made to Office 2007 for deployment via Group Policy. Since I wrote that post, they have pulled the article I referenced so that it is now only available via the cached Google copy. I also went ahead and tried using this method myself--creating an Office 2007 distribution point and customizing it with a config.xml file. All I can say is that once again, the Office product group has made decisions that seem to completely disregard the world around them, in favor of who knows what invisible force that drives them. They have completely made a mess of GP-based deployment of Office--a mode which I know many, many administrators have used for deployment of this behemoth package in the past. It is truly sad what they have done to this. Several people have asked me how to make this work and I just have no good answer for them. Here's what I did, in the hopes that it helps others.

What I simply wanted to do is take my version of Vista Ultimate 2007 and deploy just Outlook, PowerPoint, Word & Excel to a computer (note that per-user deployments of Office 2007 are no longer supported). Of course, I also wanted to plug in my product ID so users wouldn't have to enter it. So I modified the config.xml file that came with Office, put it in my distribution point and then rebooted my test client to pick it up. Well, the first time I logged in, after Office 2007 showed that it was installing on the reboot, I indeed had a new Office 2007 program group in my Start Menu but, ironically, it contained shortcuts to all of the applications I had excluded! So, I clicked on one of the shortcuts and it launched this Office Configuration utility, which proceeded to churn away for a while. When I came back to my test system, I was no longer logged in. It had presumably rebooted or logged me out after doing its thing. When I next logged in, only the applications I had expected to find were finally there, with one exception. Despite the fact that my config.xml was excluding Access, it was indeed showing up on the Start Menu. So, it almost worked...

I've also heard other reports that if you deploy Office 2007 via GP to a system that already has Office 2003, it will not upgrade that 2003 install but instead will install side-by-side with the older version...yea, that makes sense. Most people want to use two versions of Office...

Needless to say, this is much worse than the way it used to be in Office 2003. My advice--if you use Group Policy to deploy Office today, don't plan on using it to deploy Office 2007.

Just in case you're curious, here is the config.xml I used to customize my Office 2007 installation. The PIDKEY element is where you enter your Product ID. According to the docs, it's not supposed to pick up your Company Name, but in my case, it did. And it's the OptionState elements where you specify which apps you want (or don't want). The Id values that I use below come from the setup.xml file that exists in the same directory as the Office MSI. However, as you can see below, they are not altogether intuitive. For example, XDOCSFiles is InfoPath! Go figure...


<Configuration Product="Ultimater">
  <Display Level="full" CompletionNotice="yes" SuppressModal="no" AcceptEula="no" />
  <Logging Type="standard" Path="%temp%" Template="Microsoft Office Ultimate Setup(*).txt" />
  <PIDKEY Value="#####-#####-#####-#####-#####" />
  <USERNAME Value="User" />
  <COMPANYNAME Value="SDM Software" />
  <INSTALLLOCATION Value="%programfiles%\Microsoft Office" />
  <LIS CACHEACTION="CacheOnly" />
  <SOURCELIST Value="\\server1\share\Office12;\\server2\share\Office12" />
  <DistributionPoint Location="\\server\share\Office12" />
  <OptionState Id="AccessFiles" State="absent" Children="force" />
  <OptionState Id="GrooveFiles" State="absent" Children="force" />
  <OptionState Id="PubPrimary" State="absent" Children="force" />
  <OptionState Id="OneNoteFiles" State="absent" Children="force" />
  <OptionState Id="XDOCSFiles" State="absent" Children="force" />
  <Setting Id="Reboot" Value="IfNeeded" />
  <Command Path="msiexec.exe" Args="/i \\server\share\my.msi" QuietArg="/q" ChainPosition="after" Execute="install" />
</Configuration>

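Since the OptionState Ids are not intuitive and a misspelled one will silently match nothing in setup.xml, here is an added Python lint (my own code, not from the post or from Microsoft) that parses a config.xml of the shape shown above, reports which Ids it excludes, and flags Ids that are not in the list you copy out of setup.xml, a PIDKEY left as the ##### placeholder, and source or distribution paths that are not UNC. KNOWN_OPTION_IDS and SAMPLE_CONFIG are constructed for the demo from the Ids in the post; the friendly name XDOCSFiles = InfoPath is the post's, the other friendly names are assumptions.

```python
"""Sanity-check an Office 2007 config.xml before it goes on the distribution
point. Added example, not code from the post or from Microsoft: it reads the
element names the post uses (PIDKEY, SOURCELIST, DistributionPoint,
OptionState) and cross-checks each OptionState Id against the Ids you copy out
of setup.xml. KNOWN_OPTION_IDS and SAMPLE_CONFIG are constructed for the demo
from the Ids in the post; the friendly name XDOCSFiles = InfoPath is the
post's, the other friendly names are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Ids an admin would copy out of setup.xml; constructed subset for this demo.
KNOWN_OPTION_IDS = {"AccessFiles", "GrooveFiles", "PubPrimary",
                    "OneNoteFiles", "XDOCSFiles"}
FRIENDLY = {"XDOCSFiles": "InfoPath",                         # from the post
            "AccessFiles": "Access", "GrooveFiles": "Groove",  # assumed
            "PubPrimary": "Publisher", "OneNoteFiles": "OneNote"}
VALID_STATES = {"absent", "advertise", "default", "local"}   # OptionState State values
PLACEHOLDER_KEY = re.compile(r"^#{5}(-#{5}){4}$")            # "#####-#####-..."
UNC = re.compile(r"^\\\\[^\\]+\\[^\\]+")

# Constructed sample with the same shape as the post's file, including a
# placeholder PIDKEY and one misspelled Id to show what the lint reports.
SAMPLE_CONFIG = r"""<Configuration Product="Ultimater">
  <PIDKEY Value="#####-#####-#####-#####-#####" />
  <COMPANYNAME Value="Example Co" />
  <SOURCELIST Value="\\server1\share\Office12;\\server2\share\Office12" />
  <DistributionPoint Location="\\server\share\Office12" />
  <OptionState Id="AccessFiles" State="absent" Children="force" />
  <OptionState Id="XDOCSFiles" State="absent" Children="force" />
  <OptionState Id="AccesFiles" State="absent" Children="force" />
</Configuration>
"""


def parse_config(xml_text: str) -> dict:
    """Pull the deployment-relevant settings out of a config.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError("root element must be <Configuration>")
    pid = root.find("PIDKEY")
    srcs = root.find("SOURCELIST")
    dp = root.find("DistributionPoint")
    return {
        "product": root.get("Product"),
        "pidkey": pid.get("Value") if pid is not None else None,
        "options": {o.get("Id"): (o.get("State") or "").lower()
                    for o in root.findall("OptionState")},
        "sources": [s for s in (srcs.get("Value", "") if srcs is not None else "").split(";") if s],
        "distribution_point": dp.get("Location") if dp is not None else None,
    }


def lint_config(cfg: dict, known_ids: set) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    key = cfg["pidkey"]
    if key is None or PLACEHOLDER_KEY.match(key):
        findings.append("PIDKEY missing or still the ##### placeholder; users will be asked for it")
    for opt_id, state in cfg["options"].items():
        if opt_id not in known_ids:
            findings.append(f"OptionState Id {opt_id!r} is not in setup.xml; it will match nothing (typo?)")
        if state not in VALID_STATES:
            findings.append(f"OptionState {opt_id}: State {state!r} is not one of {sorted(VALID_STATES)}")
    paths = cfg["sources"] + ([cfg["distribution_point"]] if cfg["distribution_point"] else [])
    for path in paths:
        if not UNC.match(path):
            findings.append(f"{path!r} is not a UNC path; clients will not reach it")
    return findings


def excluded_apps(cfg: dict) -> list:
    """Friendly names of everything the config marks absent."""
    return sorted(FRIENDLY.get(i, i) for i, s in cfg["options"].items() if s == "absent")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("Product:", cfg["product"], "| excluded:", ", ".join(excluded_apps(cfg)))
    for f in lint_config(cfg, KNOWN_OPTION_IDS):
        print(" -", f)
```

To use it on a real file, replace KNOWN_OPTION_IDS with the full set of Ids from the setup.xml next to your Office MSI and pass the text of your config.xml to parse_config; the lint is deliberately case-sensitive on Ids, so that a mismatch between what you typed and what setup.xml says shows up in the report rather than as a missing or unexpected application after the install.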
Directory Experts Conference a-comin'

Hey folks--if you have an interest in AD, MIIS, or all things Microsoft identity related, you should really check out the upcoming Directory Experts Conference, put on by NetPro annually. It is a truly special event, gathering some of the top AD experts from around the world--usually to some place near Vegas (my favorite conference city) for a techno-smackdown. It's usually fun too, although rumors of Joe and Dean's non-attendance have put a slight damper on the affair. Another cool part about the show is that you can go to the DEC Wiki and provide feedback on the planned session content in real time. Very cool. Check it out!


Vista logon script issues revisited, again

In an earlier post I talked about some issues with UAC interfering with GP logon scripts in Vista, and I referenced an MS TechNet article that describes how you can work around it by using a special script called "launchapp.wsf" that adds the logon script to a scheduled task rather than running it directly. Well, in that article, they gave a screenshot (see below) of how that would work, but after testing it myself I realized that their screenshot is incorrect.

The problem with it is that, if you just enter "logon.bat" as your parameters, the client is not going to find logon.bat unless it's in its local path. Most people keep their logon scripts in the SYSVOL part of the GPO, so you'll have to put the full path to that file in the "Script Parameters" dialog above for this to work. For example, here's the path to my logon.bat script file in one of my GPOs: \\cpandl.com\SysVol\cpandl.com\Policies\{BC13169A-DB63-4D53-A39D-83D826D8A03C}\User\Scripts\Logon\logon.bat

I've emailed MS to let them know that they probably need to update their article, but in the meantime, this does work when you get all the params correct.
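As an added example (not code from the post or from the TechNet article), here is a Python helper that builds the full SYSVOL UNC path for a GPO script from the domain and the GPO's GUID, and a check that flags a "Script Parameters" value which would not work with launchapp.wsf: a bare file name (which the client looks for in its local path), a malformed GPO folder, or an unquoted path containing spaces. The path layout is the one shown in the post; the quoting check reflects ordinary command-line argument splitting, which is an assumption about how launchapp.wsf receives the value.

```python
"""Build and check the "Script Parameters" value for the launchapp.wsf
workaround described above: the logon script has to be given by its full
SYSVOL UNC path, because the client will otherwise look for a bare
"logon.bat" in its local path and fail. Added example, not code from the
post or from the TechNet article; the path layout is the one shown in the
post, and the quoting check reflects ordinary command-line argument
splitting, which is an assumption about how launchapp.wsf receives it.
"""
import re

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def sysvol_script_path(domain: str, gpo_guid: str, script: str = "logon.bat",
                       scope: str = "User", kind: str = "Logon") -> str:
    """Full UNC path of a GPO script as it sits in SYSVOL.
    scope is 'User' or 'Machine'; kind is the script folder under Scripts
    (Logon/Logoff for users, Startup/Shutdown for machines)."""
    guid = gpo_guid if gpo_guid.startswith("{") else "{" + gpo_guid + "}"
    if not GUID_RE.match(guid):
        raise ValueError(f"not a GPO GUID: {gpo_guid!r}")
    if scope not in ("User", "Machine"):
        raise ValueError(f"scope must be User or Machine, not {scope!r}")
    return (f"\\\\{domain}\\SysVol\\{domain}\\Policies\\{guid}"
            f"\\{scope}\\Scripts\\{kind}\\{script}")


def check_script_parameter(param: str) -> list:
    """Problems that would stop launchapp.wsf from finding the script."""
    problems = []
    target = param.strip('"')
    if not UNC_RE.match(target):
        problems.append("not a UNC path: the client will look in its local path, not SYSVOL")
    if " " in target and not (param.startswith('"') and param.endswith('"')):
        problems.append("path contains spaces but is not quoted; it would be split into several arguments")
    if "\\Policies\\" in target:
        guid = target.split("\\Policies\\", 1)[1].split("\\", 1)[0]
        if not GUID_RE.match(guid):
            problems.append(f"GPO folder {guid!r} is not a well-formed GUID")
    return problems


if __name__ == "__main__":
    # Demo: the domain and GPO GUID are the ones shown in the post.
    path = sysvol_script_path("cpandl.com", "{BC13169A-DB63-4D53-A39D-83D826D8A03C}")
    for candidate in ("logon.bat", path):
        print(candidate, "->", check_script_parameter(candidate) or "OK")
```

The GUID you pass is the one in the GPO's folder name under SYSVOL\<domain>\Policies (also shown as the Unique ID on the GPO's Details tab in GPMC); the helper accepts it with or without the braces.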


Re-Up'd for another year

Happy New Year everyone! I hope you all didn't feel as bad as I did this morning after staying up way too late and partying just a little too much. But on the up side, I was greeted to a nice email in my inbox this morning informing me that I was re-up'd as a Group Policy MVP for another year. MVP status is cool but the best part about it is going to the MVP Summit and hanging out with the other MVPs that I don't get to see very often. Oh, and there's the free Microsoft software we get too--that's not too bad either.

Very cool-- a few seconds of fame

This is really cool. My friend Sean Deuby at Intel sent me this one.




