
Group Policy Blog, by the "GPOGUY"-- Darren Mar-Elia

www.gpoguy.com www.sdmsoftware.com
Deploying Office 2007 in Group Policy Software Installation

For those of you really on the bleeding edge, you may have already discovered some changes in the way you customize and deploy Office 2007 via the GP Software Installation feature. This article details the steps you need to take, but I thought it would be worthwhile to highlight some of the key differences:

  • When you create an installation point on a server for Office 2007, there is no longer the notion of the Administrative Installation using the setup /a option. For O2K7, you simply copy the contents of the CD to the distribution point and you're done.
  • To customize which apps get installed by the user or computer during GP processing, you used to create a transform file (.mst) using the Office Custom Installation Wizard. Transforms go away in O2K7. Instead there is a config.xml file you need to customize and place in the same folder where your installation files are. This XML file controls what gets installed on the client. It has very limited configuration options so don't be surprised about what you can't do here.
  • You can only deploy Office 2007 via GP on a per-computer basis. Per user deployments simply fail. I haven't investigated why this is, but I suspect it may have something to do with UAC limitations. More on this when I do some more research.

All in all, I'm not clear why the Office 2007 GP support is so crappy, but I hope to dig in a little deeper when I get some time and find out what's up.

The first GP Product is finally out!

As I've mentioned in previous posts, I've started a software company called SDM Software. Well, I've just shipped my first little product! Boy it feels good! The product, called GPHealth Reporter essentially reports on the details related to GP processing on a given local or remote system. You can use it to gather overall health of GP processing, and it can also save that information to a report, PDF or Excel. You can also use the tool to trigger a remote GP refresh against the machine you're focused on. You can download a free 10-day trial copy of the product and check it out.

Anyway, it feels good to get the first one out. Check it out and let me know what you think!

 

Vista Group Policy log viewer tool released

Microsoft has released a command-line tool called GPLogview.exe (http://go.microsoft.com/fwlink/?LinkId=75004 ) that lets you create reports of the Group Policy Operational log that now ships with Vista. For more info on this log, check out an earlier blog post I did on the subject. Essentially this tool lets you grab GP related events out of the Operational log and dump them into text, HTML or XML files for further analysis. 

  

Follow up to Vista logon script issues

After bringing up the logon script issues on Vista that I previously blogged on with the Microsoft Group Policy Folks, they pointed me to the following document:

http://technet2.microsoft.com/WindowsVista/en/library/5ae8da2a-878e-48db-a3c1-4be6ac7cf7631033.mspx

This document talks about using some of the GP features in Vista and there is a section in there entitled, "Group Policy Scripts can fail due to User Account Control" which describes the workaround to this problem. It appears to be a timing issue with respect to when the script runs compared to when the desktop is available. It is related to UAC as well. In that document, in Appendix A, there is a WSH script that you can run, that calls your logon script using a Scheduled Task, which helps delay when your logon script runs until the desktop is fully available (at least that's my assumption). So, if you're having problems with logon scripts in Vista, this is the solution!

Logon script issues with Vista?

I've started to hear murmurs on my GPTalk mailing list about people having problems running GPO-based logon scripts against Vista systems. In one circumstance, Jeremy Moskowitz was having problems running a batch file that mapped network drives. It seems that while the drive mapping completed successfully, the drive was unavailable until the next logon. In another circumstance, which I've heard repeated a few times now, .vbs based logon scripts failed to run at all. The issue appears related to the User Account Control (UAC) feature in Vista because when UAC is disabled, the script runs fine. However, in my own testing and for some others, both batch files and .vbs scripts that did network drive mapping ran fine against Vista RTM systems. So, it's not clear yet whether there is one issue here or just a series of issues that might be causing this. Stay tuned as I get more info and post a Comment here if you're having issues with Vista running logon scripts.

 

 

"Sid the Wonder Cat"

Lately I seem to be blogging about things other than Group Policy. I promise I'll get back to that soon. But, this past weekend I had to deal with something that was extremely hard. I had to put down our cat--Sid. Sid was an amazing animal in every way-- gentle and tiny and quiet. But she could also be rambunctious and fun and loved to roll around in dirt (she was an indoor cat but we would take her out for "walks"). She was almost 20 years old and so we got to enjoy her for much longer than most people do. That also made it that much harder when I had to take her in. She had chronic renal failure, which essentially means that her kidneys failed. She was diagnosed with it over 2 years ago, so it took a while for it to degenerate to the point that it had on Saturday. I got to spend the last night with her, which was a wonderful thing. It was the first time I ever had to deal with that as a pet owner, and I'm 42. That made it even harder. I try to keep reminding myself that she was very sick and in pain, but the bottom line is that I just miss her and I always will. We had a special connection and she did a lot for me. The most important thing she did is that she taught me to like cats. Before she came into my life, I was not a cat person. Sid changed that quickly. Sid was the opposite of what you hear about most cats. She craved affection and was not aloof at all (if she knew you). She loved cream cheese, and whenever she heard the cream cheese container open, she would come running for her share. And she liked muffins, and liked to lick the cantaloupe after we had finished. And she would always wait until her mom finished eating, and Sid knew she was done, before she gently moved in on her mom's plate for the leftovers. We spoiled her shamelessly and were happy for it. In her younger days, she was very animated. She used to go into these modes where she would race from one part of the house to another, for no apparent reason (we called it "squirrel-nut kitty" mode).
She also used to play volleyball...yes, that's right volleyball. We would crinkle up pieces of paper and toss them at her and she would raise up on her hind legs and bat them back with her front paws. She was Olympic material for sure :-). She was also wicked-smart. She seemed to be able to do things and "know" things that you would only expect from humans. She was truly amazing.

 Anyway, I will miss her terribly and am a better person because of her. And I hope that she is playing volleyball in cat heaven right now. Her mom hopes she's running through grass in heaven now.

 Here is Sid:

Sid the Wonder Cat

Glass is cool

Well, after only hearing about it and worshiping it from afar, I finally got Aero Glass to work on my desktop Vista system. And I have to say, the eye candy is cool. I'm sure that the novelty and excitement will wear off shortly, but for now, Glass is pretty darn spanky. Now, I won't tell you all the hoops I had to jump through to get my system running on it, but one interesting anecdote is this. I was running RC1 when I upgraded my video card to a model that would run Glass. I expected that after installing the video card and rebooting, that Vista would figure out my newfound power and "Glass-ify" me automatically. No such luck. It was only after an upgrade to RC2 (when is that RTM version showing up on MSDN anyway?) that I was in bliss. Wonder if there is a way to do that without an upgrade? A "Glass Button" that I can press? Maybe in RTM...

 

ADMX Migrator/editor tool is released

On the heels of Vista's RTM, Microsoft has released a free download that will be useful to many administrators. As I've blogged about previously, Vista ships with a new Administrative Template format---called ADMX. These XML-based templates are very different than what folks are used to with ADMs and if you want to take full advantage of the new ADMX format, including using the "Central Store" to store and manage these files, then you'll want to have all of your ADMs in the new ADMX format. Microsoft now has a tool that allows you to convert custom ADMs that you've created to ADMX format, as well as create new ADMX files from scratch. You can download it at http://www.microsoft.com/downloads/details.aspx?FamilyID=0f1eec3d-10c4-4b5f-9625-97c2f731090c&DisplayLang=en

 Cool.

 

Vegas--yuck

I spent last week in Vegas speaking at the WinConnections conference on Group Policy and ADAM-related topics. After attending umpteen million conferences in Sin City, I've finally decided that I truly hate the place. It wouldn't be so bad if everything there wasn't so darn expensive. I mean, I could understand it if it were some Caribbean island, or New York City. But, come on, it's Vegas--home of the tacky and tasteless. And, yet I still had to pay 7.50 for a coffee and scone at the Starbucks. How is that? This wasn't even at the Bellagio. This was the Mandalay Bay.

The worst part (for me) is the cigarette smoke everywhere. Sorry to all you smokers out there but, having lived in a place that long ago banned all indoor smoking, it was pretty hard to take. The other interesting phenomenon there is the sheer size of the place. You can truly walk miles and still never go outside. Indeed I arrived on Monday and by Thursday realized that I hadn't seen natural light since I had arrived! 

In any case, this is my desperate plea to all conference organizers to forever shun Vegas in the future. I'm sure it won't happen, but a guy can dream.

MS Desktop Optimization Pack to include some GP stuff

Microsoft has announced their Vista Desktop Optimization Pack--an add-on product that will include technology from recent acquisitions, Softricity, Winternals and DesktopStandard. From the descriptions, it looks like they'll be including DesktopStandard's GPOVault product into the pack, which was a GP version control and change management product integrated into GPMC. That's a good thing, since GP change control is something everyone should be practicing. The unfortunate side-effect of this is that the free version of GPOVault, I'm told, is no longer available from DesktopStandard. On the Winternals side, from the description it appears that they'll be including the excellent Recovery Manager product into the Pack. This is a great product for recovering dead or unbootable systems. It has saved my bacon on a couple of occasions.

 It will be interesting to see what MS does with DesktopStandard's other GP products.

Cool heterogeneous systems road show

Back in my IT days (you know, 4 years ago :-)), I spent quite a few years working at a big financial services company. I was known as the "Microsoft" guy in a company that prided itself on using as little Microsoft technology as possible. I lived in a sea of mainframe, Java and Unix/Linux stuff and I got quite used to making it all work together. I think many of you are probably in the same boat as I was and appreciate any and all attempts by vendors to make life easier to integrate. To that end, I just found out about a cool roadshow that's coming to 4 cities in the U.S. in late October and early November, being run by the folks at Windows IT Pro Magazine that presents a number of sessions related to this very topic. The Roadshow is called Tech X World (www.techxworld.com) and will feature some interesting tracks and presentations by some familiar names, including Gil Kirkpatrick of Netpro. Some of the highlights:

1. OS Interoperability -- Dustin Puryear will present the OS interoperability track including user mgmt and file/print sharing, application compat and scripting.
2. Directory and Security Integration -- Gil Kirkpatrick will talk about directory and security integration including single sign-on, identity and access management, LDAP and interop among directories.
3. Data Interoperability -- Randy Dyess will speak on data interoperability including heterogeneous database replication, enterprise reporting and data integration for relational databases.
4. Virtualization -- Mike Otey will discuss virtualization -- understanding the technologies and products, managing your virtual environment, availability, backup and recovery, etc.

There's also going to be a panel with folks from IBM and Microsoft, talking about how important it is to work together! That should be worth the price of admission right there :-). Check it out!

 

 

Disabling UAC in Vista

If you're using Windows Vista and have found the new User Account Control elevation prompts annoying, you can easily disable the prompts by adjusting the Group Policy settings under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: ...

 However, you can also apparently completely turn off UAC if you just find the notion of not running as administrator unless you need to, annoying. If you open the User Accounts Control Panel, you'll see an option that says "Turn User Account Control on or off". If you click that link, you can completely enable or disable UAC. Note however, that changing this setting requires a reboot. Also, one other thing I noticed is that changing this setting seems to wipe all browser state (e.g. cookies and passwords) when I logged back in. This is probably because the IE Protected Mode state that is enabled when UAC is enabled writes this kind of data to virtualized file system and registry locations, which obviously go away when UAC is disabled. That's my guess anyway.
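The two approaches above leave different traces in the registry, which matters when auditing machines where UAC has been weakened: suppressing the prompt through the Security Options policy keeps UAC enabled, while the Control Panel switch turns it off entirely. The following is an added example, not part of the original post; it reads the standard UAC policy values, and the function name `Get-UacPosture` is hypothetical.

```powershell
# Added example: report how UAC is configured on the local machine.
# Get-UacPosture is a hypothetical helper name; the registry values are the
# standard ones behind the "User Account Control: ..." Security Options.
function Get-UacPosture {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    $findings = @()

    # Set to 0 by "Turn User Account Control on or off" (needs a reboot).
    if ($p.EnableLUA -eq 0) {
        $findings += 'UAC is turned off entirely (EnableLUA = 0)'
    }
    # Set to 0 by the policy "Behavior of the elevation prompt for
    # administrators in Admin Approval Mode" = "Elevate without prompting".
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators elevate without a prompt (ConsentPromptBehaviorAdmin = 0)'
    }
    # Set to 0 when prompts are shown on the interactive desktop instead of
    # the secure desktop.
    if ($p.PromptOnSecureDesktop -eq 0) {
        $findings += 'Prompts are not shown on the secure desktop (PromptOnSecureDesktop = 0)'
    }

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Weakened                   = ($findings.Count -gt 0)
        Findings                   = $findings -join '; '
    }
}

Get-UacPosture | Format-List
```

A value that is missing from the key shows up as empty in the output and is not flagged, since the operating system default applies in that case.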

DesktopStandard acquired by Microsoft

For those of you who know DesktopStandard--the Group Policy extension folks that I've been working with for the past 6 months, you'll be interested to know that they have been acquired by Microsoft, announced today here: http://www.desktopstandard.com/PressReleases/02Oct2006.aspx.

 The cool part about this is that some of the really smart folks at DesktopStandard will be going to MS to help improve Group Policy in the future. This is great news for all of us who use GP! They have truly been one of the innovators in GP for the last few years.

 And, in case you're wondering, no, I'm not going to MS :-). As I've mentioned in previous posts, I'm starting my own software company, SDM Software, focused on, what else, Group Policy tools!

 Another cool part of this announcement is that the product formerly known as DesktopStandard PolicyMaker for Application Security is being spun out into a new, separate company, called BeyondTrust. PolicyMaker for Application Security is a cool GP extension that allows you to run a Least-Privileged User environment using Group Policy to control what processes can be elevated. This product provides capabilities in Windows that the UAC feature in Vista *should*, but won't provide.

Anyway, exciting times all around. Best of luck to all the DesktopStandard folks. It's been a pleasure working with them.

 

GP Logging in Vista

As Vista nears release, it's worthwhile to look at some of the big changes coming in that OS around Group Policy. One of the biggest changes, from a troubleshooting perspective, is the use of the new "Crimson" event logging system to improve GP logging. Namely, the userenv.log file that we all knew and hated for its cryptic content goes away in Vista. In its place is the Group Policy Operational Log. The Operational log is found within the Applications and Services node of the new Event Viewer, under Microsoft, Windows, Group Policy. The Operational Log basically contains all of the previous data found in userenv.log, enabled by default so you don't have to fiddle with registry tweaks to enable it. It provides excruciating levels of detail on every step of GP processing and even includes some new data that you would have previously had to derive from userenv, like time spent processing a given policy area. In addition to the Operational Log, there are basic, high-level events generated by the GP engine. These are akin to the events you would find today in XP or 2003 in the Application event log. But in Vista, these high-level events have been moved to the System log and have an event source of "GroupPolicy". These are the so-called admin logs and are also enabled by default.

The one thing that has not changed in Vista is the existence of CSE-specific logs: logs generated by the various CSEs that ship with the OS. Many of you may know that I have a custom ADM file on my website that allows you to enable the various logging that is found in XP, 2000 and 2003. Well, in an effort to teach myself about the next ADMX template files that replace ADM in Vista, and to bring the gpolog.adm file up-to-date for the new OS, I've created what may be the first custom ADMX file in the wild (certainly my first) that enables CSE logging on Vista. Check it out at www.gpoguy.com/gpolog.htm
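The Operational log and the admin events described above can also be read from PowerShell. The following is an added example, not from the original post: it groups Operational events by their correlation ActivityId so that each policy processing cycle appears as one row with its duration and its count of warnings and errors, then lists recent problem events from the System log. It assumes PowerShell 3.0 or later and the standard channel and provider names used on Vista and later.

```powershell
# Added example: summarise Group Policy processing from the event logs.
$channel = 'Microsoft-Windows-GroupPolicy/Operational'

# Newest 2000 events from the Operational log (reading it may need elevation).
$events = Get-WinEvent -LogName $channel -MaxEvents 2000 -ErrorAction Stop

# Events from one processing cycle share an ActivityId (correlation GUID),
# so grouping on it rebuilds each cycle from start to finish.
$cycles = $events |
    Where-Object { $_.ActivityId } |
    Group-Object -Property ActivityId |
    ForEach-Object {
        $sorted   = @($_.Group | Sort-Object TimeCreated)
        $problems = @($sorted | Where-Object { $_.Level -in 2, 3 })  # 2 = Error, 3 = Warning
        $elapsed  = $sorted[-1].TimeCreated - $sorted[0].TimeCreated

        [pscustomobject]@{
            Started      = $sorted[0].TimeCreated
            Seconds      = [math]::Round($elapsed.TotalSeconds, 1)
            Events       = $sorted.Count
            Problems     = $problems.Count
            FirstProblem = if ($problems.Count) { $problems[0].Message } else { '' }
            ActivityId   = $_.Name
        }
    }

$cycles | Sort-Object Started -Descending | Format-Table -AutoSize -Wrap

# High-level admin events in the System log. Event Viewer shows the source as
# "GroupPolicy"; the provider behind it is Microsoft-Windows-GroupPolicy.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Level        = 2, 3
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

A cycle with a long duration or a non-zero problem count is the one to open in Event Viewer, filtering on its ActivityId to read the step-by-step detail.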

Moving forward

As I mentioned in a previous blog post, I am in the process of starting a new software company, focused on Windows management solutions, and to start with, Group Policy management solutions. Well, I finally have the new web site up and running, and you can register for a whitepaper on using the Software Installation feature in Group Policy, around which my first product will focus. Check it out and let me know what you think:

http://www.sdmsoftware.com