02.05.10
Posted in General Stuff at 3:24 pm by Administrator
I had a question recently that I thought was worth blogging. The question was, “if I create a GPO using Windows 7, Server 2008 or similar newer platform”, then backup that GPO using XP or Server 2003, will it back up everything?”. The answer, not surprisingly, is “it depends”. GPMC Backup only backs up the “policy areas” that it knows about. For example, if I set some policy settings within Administrative Templates policy on Server 2008 and then backup that GPO using GPMC running on XP, those Admin. Template settings will be backed up just fine, because the Admin Templates policy area exists on both versions of Windows.
But lets say I create a GPO from GPMC using Windows 7, and set some GP Preferences settings or some of the new “Advanced Audit Configuration” options, then try to backup that GPO from XP or Server 2003’s GPMC. In that case, neither the GP Preferences nor the Audit settings will be backed up because those policy areas do not exist in XP or Server 2003 (from a GPMC perspective–its true that XP and Server 2003 can process GP Preferences settings, but they cannot manage them).
The bottom line is, as always, if you introduce newer versions of Windows into an environment and plan to leverage newer policy areas, its always best to manage GP from those newer versions of GPMC, since GPMC is backwards-compatible but not forwards-compatible!
Darren
Permalink
01.31.10
Posted in General Stuff at 12:54 am by Administrator
Just a quick note to remind folks that for the 5th year in a row my good friend Mark Minasi is hosting the Minasi Conference in Virginia this Spring. For those of you who are used to going to one of those big conferences, this is a much more “intimate” and, in some ways, more valuable type of technical conference. Mark being who he is, you will hear some of the Windows world’s smartest techies at this event. If you have budget for training this year, you should consider this conference. Not only are the topics usually great but its small enough for you to get much more interaction with the speakers than at your typical TechEd show. Check it out!
Darren
Permalink
01.02.10
Posted in General Stuff at 6:00 pm by Administrator
Despite once again having to fetch it from my spam folder, I did indeed get the coveted email from Microsoft yesterday indicating that I’d been made a Group Policy MVP for the 5th year in a row. Cool!
I am honored and happy to be an MVP for another year. I look forward to another year of community contributions!
Permalink
11.29.09
Posted in Group Policy Preferences at 7:48 pm by Administrator
I was playing around with some scenarios related to "item-level targeting" (ILT) in Group Policy Preferences and was reminded of a significant limitation in this newer as it relates to Resultant Set of Policy reporting. What I was doing was creating a GPO that contains some GP Preferences registry settings, and then using item-level targeting to control which machine groups got those registry settings. However, when I went into GPMC and ran a GP Results (RSoP) report against one of my test machine, it showed my test GPO in the "Applied GPOs" section of the report, even though I knew that it had not passed the item-level target filter.
This pecularity caused me to dredge up a distant memory about a limitation in the way GP Preferences interacts with RSoP–namely, RSoP is incapable of deciphering whether a machine has passed an item-level target. So, even though the registry setting was blocked from being processed by the machine because it was not in the correct group, RSoP saw no reason why the GPO should not apply, since it was linked and security group filtered (using normal security group filtering) in a way that told it that everything was good.
This could very easily bite you as you leverage GPP more, so I thought it would be useful to re-iterate it here for everyone’s benefit. In short, if you use ILT to control which policy settings apply to a computer or user, RSoP will not reflect whether the ILT filter passed or failed. It will only reflect the "normal" means of filtering through linking, security group filtering and WMI filters.
Darren
Permalink
11.20.09
Posted in sdm software at 10:24 am by Administrator
Well, I was very surprised and happy to receive an IM from a colleague this morning, directing me to http://windowsitpro.com/Windows/Articles/ArticleID/102984/pg/2/2.html, where I read that our SDM Software Group Policy Automation Engine won GOLD as Best Active Directory and Group Policy Product. This is really cool and a great acknowledgement of the work we’ve been doing. Its always nice to be recognized and especially to win in the Editor’s Choice category!
Cool!
Tags:
Group Policy, SDM Software
Permalink
11.02.09
Posted in Bugs at 8:31 am by Administrator
I found this issue recently–at first I thought it was just my environment, but have confirmed it on a couple of different environments. When you are on a Win 7 box (and probably R2 as well), in GPMC and viewing the setttings of a GPO that had previously been created and contains software restriction policies, you will get an error when GPMC tries to display those SRP settings. Specifically, the error looks like this:
|
Software Restriction Policies
Software Restriction Policies/Security Levels
Software Restriction Policies/Additional Rules |
| The following errors apply to all of the above settings: |
| An unknown error occurred while data was gathered for this extension. Details: Unable to cast object of type ‘System.String[]‘ to type ‘Microsoft.GroupPolicy.Reporting.Extensions.Registry.UnknownType’. |
From the looks of it, it appears to be a bug in the way the Win 7 GPMC object model is parsing these settings. I’ve reported it to MS but wanted to let everyone know about it so you don’t think you’re going crazy. Not surprisingly, if I open the GP Editor on this GPO, all of the SRP settings appear fine. This is only an issue with the GPMC reporting of settings.
Tags
Group Policy, Windows 7, Software Restriction Policies
Permalink
10.27.09
Posted in Cool New Products at 3:14 pm by Administrator
On my twitter site: http://twitter.com/grouppolicyguy
Permalink
10.23.09
Posted in General Stuff at 9:14 am by Administrator
As many folks probably know, Group Policy slow link detection prior to Windows Vista relied on a series of ICMP pings to determine link speed between the client and domain controller. This process was fairly inprecise and was fraught with issues because many folks have turned off ICMP on their internal networks to prevent malware that leverages this protocol from exploiting this. The end result was that you either had to disable slow link detection, or watch GP processing fail completely.
When Windows Vista and Server 2008 shipped, they introduced a completely new way of detecting slow links for Group Policy processing that no longer leverages ICMP. The process uses the Network Location Awareness (NLA) service to determine the link speed between client and DC, but the explanation of HOW that works has been relatively undocumented…until now. Mike Stephens at Microsoft has written a great blog that describes this process in great detail. Check it out!
Permalink
09.10.09
Posted in sdm software at 9:48 am by Administrator
OK folks, our Group Policy Automation Engine (GPAE), the only automation solution available on the market for reading and writing settings within GPOs, is one of the finalists in the Windows IT Pro Magazine Community Choice Awards, in the "Best AD and GP Product" category! We obviously think that the innovative nature of our product is head and shoulders above the competition, and we’d love your vote!!!
Head on over to http://www.surveymonkey.com/s.aspx?sm=8koDpFvpDvDy3ZZZGP9O4Q_3d_3d and vote for the "SDM Software Group Policy Automation Engine" before September 16th.
Permalink
08.12.09
Posted in Uncategorized at 8:40 pm by Administrator
HEY GPOGUY & SDM SOFTWARE FANS!! We need your help! Windows IT Pro Magazine is having their COMMUNITY AWARDS NOMINATIONS until this Friday, August 14th. If you like the freeware products we have on www.gpoguy.com and on www.sdmsoftware.com/freeware, please consider nominating your favorite SDM Software or GPOGUY freeware products in the BEST Active Directory and Group Policy PRODUCT category. Let’s show the world that FREEWARE is just as valuable as the commercial products costing thousands of dollars, that typically win these awards.
TO NOMINATE OUR PRODUCTS, GO TO http://windowsitpro.com/awards/CommunityChoice.html.
Remember to vote by this Friday, the 14th of August, 2009!!!!!
Permalink
« Previous entries Next Page » Next Page »
