Archive for the 'Active Directory' Category
Posted by Alex Verboon on 23rd December 2009
I’m just about to expand my knowledge a bit around App-V. I haven’t done any hands-on yet, because I usually first focus on gathering all the useful resources available on the net, and then start reading these. By doing so, I found these fantastic videos on The Blogcast Repository.
Deployment Scenarios with App-V 4.5
Planning Considerations before Implementing App-V 4.5
The App-V Client (part 1)
The App-V Client Part 2- Deep Dive
By the way, if you are not familiar with The Blogcast Repository but like video based trainings, have a look at the Repository, there is lots of other Microsoft related Technology training material there.
Tags: App-V, Application Virtualization, Sequencing, SoftGrid, Streaming, Virtualization
Posted in Active Directory, App-V, Compatibility, Deployment, Microsoft, Packaging, Virtualization | No Comments »
Posted by Alex Verboon on 10th December 2009
As we move towards the end of the year I thought it’s a good time to do some housekeeping activities within the lab infrastructure in which we work on a daily basis. Throughout the year we often create test user and computer objects within Active Directory and of course sometimes we forget to delete them.
As I don’t want to reinvent the wheel again, I searched the web and soon found a whole bunch of tools and scripts that would help me identify unused user accounts. I decided that I wanted to use a script. I first found the Last Logon Dates scripts from Richard L. Mueller, which are written in WSH. But then I found the Managing AD User Accounts with PowerShell article on WindowsITPro and decided to use the opportunity of using PowerShell to accomplish my task.
Unfortunately the administration console I use hasn’t been migrated to Windows 7 yet, so I installed PowerShell 2.0 onto that Windows Vista client and then installed the Quest AD cmdlets.
On PowerShell.com I found the following script that I modified a bit so that the output is written into an HTML file.
Get-QADUser -SizeLimit 0 | Where-Object {$_.lastLogonTimestamp -lt (Get-Date).AddDays(-30)} | Select-Object Name,Description,lastLogonTimestamp | ConvertTo-Html | Out-File c:\temp\adlastloggedon.htm
I wanted to do the same to find old computers, but it appears that the Get-QADComputer cmdlet has a bug, as it doesn’t return any LastLogonTimestamp values. I found various comments that this was identified as a bug which should have been fixed by now, but either the bug is still there or I might be doing something wrong. However, I found a “find old computer objects” script on the Microsoft TechNet Script Center Gallery; it just has a bit more lines of code.
Note that your Windows domain must be at Windows 2003 Domain Functional Level for updates to the lastLogonTimestamp to occur.
If you are looking for a command-line tool to find Old Computers in your domain, I recommend the OldCmp tool from Joe.
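For the computer-object case described above, the following is an added example, not code from the original post, the TechNet script or the Quest cmdlets. It queries lastLogonTimestamp directly through ADSI and, going slightly beyond the user query, also lists computers that have no timestamp at all. The 30-day window is reused from the one-liner above; the output path and the domain-joined workstation with directory read access are assumptions.

```powershell
# Added example (not from the original post): stale computer objects via ADSI.
# Assumptions: domain-joined admin workstation, read access to the directory,
# and the same 30-day window as the user query above.
$days   = 30
$cutoff = (Get-Date).AddDays(-$days)

# lastLogonTimestamp is stored as a Windows FILETIME (100 ns ticks since 1601, UTC),
# so the cutoff has to be converted before it can be used in an LDAP filter.
$cutoffFileTime = $cutoff.ToFileTimeUtc()

# Match computers whose stamp is older than the cutoff OR that have no stamp at all.
$filter = "(&(objectCategory=computer)" +
          "(|(lastLogonTimestamp<=$cutoffFileTime)(!(lastLogonTimestamp=*))))"

$searcher = [adsisearcher]$filter
$searcher.PageSize = 1000    # page results so large domains are not truncated
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]('name', 'description', 'lastlogontimestamp', 'whencreated'))

$report = $searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    $lastLogon = $null
    if ($p['lastlogontimestamp'].Count -gt 0) {
        # The attribute comes back as Int64; convert it to a readable UTC date.
        $lastLogon = [DateTime]::FromFileTimeUtc([int64]$p['lastlogontimestamp'][0])
    }
    New-Object PSObject -Property @{
        Name         = [string]$p['name']
        Description  = [string]$p['description']
        WhenCreated  = $p['whencreated'] | Select-Object -First 1
        LastLogonUtc = $lastLogon
    }
}

# Objects without a timestamp sort first; check WhenCreated before acting on them.
$report | Sort-Object LastLogonUtc |
    Select-Object Name, Description, WhenCreated, LastLogonUtc |
    ConvertTo-Html -Title "Computers inactive for $days+ days" |
    Out-File c:\temp\adoldcomputers.htm   # constructed output path
```

With default settings lastLogonTimestamp is only refreshed when the stored value is roughly 9 to 14 days old, so keep the window well above 14 days. Treat the results as candidates to disable first rather than delete.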
Related content:
“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”
Tags: Active Directory, Lastlogontimestamp, PowerShell, Quest
Posted in Active Directory, Automation, PowerShell, Tip | 2 Comments »
Posted by Alex Verboon on 22nd November 2009
One of the things to consider when deploying Windows 7 clients is to update the Central Store on your domain controllers. If you haven’t created a Central Store yet, I recommend you watch the video or read the documentation I have listed at the end of this post.
If you do have a Central Store already, updating it with the Windows 7 Group Policy Administrative templates is very straightforward. You simply copy the templates that are stored under C:\Windows\PolicyDefinitions on your Windows 7 client to the Central Store, which is located at \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions (FQDN = fully qualified domain name).
A good alternative for copying the files manually is the Vista Central Store Creator Utility from Darren Mar-Elia which automates the whole process of creating and updating the Central Store.
Related Content
Screencast: How-To Configure the Central ADMX Store
How to create a Central Store for Group Policy Administrative Templates in Window Vista
Group Policy Settings References for Windows and Windows Server
Tags: ADMX, Central Store, GPO, Group Policy, templates
Posted in Active Directory, Group Policy, Tip, Windows 7, Windows Server 2008, Windows Server 2008 R2 | 1 Comment »
Posted by Alex Verboon on 6th July 2009
The AppLocker Technical Documentation for Windows 7 and Windows Server 2008 R2 provides technical guidance about understanding how AppLocker works and how to effectively plan and deploy AppLocker policies.
The download contains two documents:
BETA – AppLocker Frequently Asked Questions.pdf
BETA – Planning and Deploying Windows AppLocker Policies.pdf
Download here
Tags: Applocker
Posted in Active Directory, Reading, Security, Windows Server 2008, Windows Server 2008R2, Windows7 | No Comments »
Posted by Alex Verboon on 8th June 2009
When creating objects in Active Directory you can set a flag that prevents accidental deletion of an object.
While this setting is visible in the UI by default when creating an Organizational Unit, for other objects like Users, Groups and Computers, this flag is not set by default and can only be set if the Advanced Features are enabled within the Active Directory Users and Computers Console.
So if you create some important user accounts that are used for critical back-end systems, you should consider enabling the “Protect object from accidental deletion” flag.
Once you have this flag set, anyone who would try to delete the user account would receive a message as shown below.

Tags: accidental, Deletion, objects
Posted in Active Directory | No Comments »
Posted by Alex Verboon on 1st May 2009
In the video below Brian Desmond and Laura talk about the new things that come with Windows Server 2008 R2 AD.
Tags: 2008R2, Active Directory
Posted in Active Directory, Knowledge, Windows Server 2008 | No Comments »
Posted by Alex Verboon on 29th April 2009
Group Policies and Group Policy Preferences are great technologies to manage your enterprise desktops. But what if you want to go beyond the features Microsoft has built into the Group Policy Management Console?
With PolicyPak you can consistently manage ANY application’s settings using the Windows native Group Policy technology. Have a look at the PolicyPak introduction video below to learn what PolicyPak can do and how it works.
Learn more about PolicyPak and watch the video tutorials.
Other resources
Group Policy Preferences Overview
Microsoft Group Policy site
TechNet Magazine – Expanded Control with Group Policy Preferences
Group Policy Settings Reference for Windows Server 2008 and Windows Vista SP1
Tags: GPO, Group Policy, PolicyPak
Posted in Active Directory, Automation, Deployment, Group Policy | No Comments »
Posted by Alex Verboon on 20th April 2009
In preparation for doing some Group Policy related things, I decided to extend my Home Lab AD infrastructure running on Windows Server 2003 with Windows Server 2008 and Windows Server 2008 R2 domain controllers.
Because at some stage I want to get rid of the Windows 2003 Server I also moved the FSMO roles from the Windows 2003 domain controller to the Windows 2008 domain controller.
I used the steps described in the “Transferring FSMO roles” article. Additional information can also be found in the “How to view and transfer FSMO roles in Windows Server 2003” article.
While searching for documentation on how to move FSMO roles, I found the FSMO Roles utility from dovestones software, which simply shows you who owns the FSMO roles within your current AD infrastructure.
Those who prefer scripts use the code described in “How to Find the FSMO Role Owners Using ADSI and WSH”.
Tags: Active Directory, FSMO
Posted in Active Directory, Group Policy, Tip, Tools, Windows Server 2008 | 1 Comment »
Posted by Alex Verboon on 25th March 2009
Those interested in managing Active Directory with PowerShell, have a look at the Active Directory Power Shell Blog.

Tags: Active Directory, PowerShell
Posted in Active Directory, Automation, PowerShell | No Comments »
Posted by Alex Verboon on 12th March 2009
Here’s another video from GPanswers explaining how to restrict the use of certain devices within your managed environment.
Tags: devices, GPO, Group Policy, Restrict
Posted in Active Directory, Automation, Deployment, Group Policy, Knowledge, Security | No Comments »
Posted by Alex Verboon on 10th March 2009
Well as you might notice Group Policy management currently is my favorite topic. I’ve been doing GPOs since the year 2000, then for a long while due to my job role I haven’t been doing a lot with GPOs, but that didn’t matter since there wasn’t too much changing in that space except that with each OS release the number of GPO settings has been growing.
But since the introduction of Windows Vista, there have been some bigger changes around GPO management. One of these changes is the use of the Central ADMX Store. The Central ADMX Store plays an important role, so it is important to understand the concept.
Watch the video from TechNetEdge presented by John Baker. By the way on the gpoguy website you can find the free Vista Central Store Creator utility that helps automating this task.
Additional resources are the Microsoft KB article “How to create a Central Store for Group Policy Administrative Templates in Window Vista” or the podcast “TechNet Radio: Group Policy: Windows Vista, Longhorn Server, ADMX and the Central Store”.
Tags: ADMX, Central Store, GPO, Group Policy
Posted in Active Directory, Group Policy, Knowledge | No Comments »
Posted by Alex Verboon on 10th March 2009
Jeremy Moskowitz from GPanswers.com has posted 2 free GPUniversity videos.
Default Group Policy Objects
Group Policy Backup and Restore
Interested in more ? Check out the Group Policy Online University.
Tags: GPanswers, GPO, Group Policy, Knowledge, Learning
Posted in Active Directory, Deployment, Group Policy, Knowledge | No Comments »
Posted by Alex Verboon on 6th March 2009
In January 2009 Jeremy Moskowitz launched the Online University for Group Policy Management. I wrote about that earlier in my blog post “Online Group Policy University”.
In the past weeks Jeremy has put a great amount of additional effort into reworking the offerings, so that now you have the possibility of selecting and ordering individual modules and options. Additionally, there are some very attractive payment options as well that might be interesting for those who don’t get their company to pay for them but want to invest in their personal knowledge.
There are now 3 different GPO Online University options:
- Build your own
- Silver Package
- Gold Package
The Build your own package allows you to select the individual options that just fit for your needs. So for those that already have bought the GPO books from Jeremy and don’t think they need pre-configured hard drive labs, they can just order the training and documentation material (labs, videos, slides).
Interested ? Then click here and get straight to the GPO Online University starting page or if you don’t want to read the details (because you already did) and can’t wait to place an order, then go here.
Get the latest news around Group Policy Management, subscribe to the GPAnswers Newsletter
Enjoy
Tags: GPO, Group Policy, Group Policy Preferences, Learning, Training, University
Posted in Active Directory, Deployment, Group Policy, Reading, Scripting, Tip, Vista, Windows 7, Windows XP | No Comments »
Posted by Alex Verboon on 27th January 2009
Today Jeremy Moskowitz has launched the Group Policy Online University. Taking into account that many companies these days have restrictive travel and training policies, the Online University seems to be an excellent way to further extend your knowledge around Group Policy Management without the need to attend a live training, i.e. you can attend the training at any time, from anywhere.
The only thing you need to do now is to convince your manager that it is worth the money.
Tags: GPO, Group Policy, Training
Posted in Active Directory, Deployment, Group Policy, Knowledge, Reading, Tip | No Comments »
Posted by Alex Verboon on 20th January 2009
Yesterday evening I looked at some of the new features within Windows 7. So at some stage I wanted to see AppLocker running. I spent about an hour reviewing my settings and checking GPO processing until I went back to the documentation, just to find that little sentence at the very bottom of that page: “At least one Windows Server 2008 R2 domain controller is required to host the Applocker rules”.
Once more… RTFM
Windows 2008 R2 download in progress……
UPDATE 20.11.2009
Source:
http://www.infoworld.com/d/windows/dont-upgrade-windows-server-2008-r2-until-you-read-785?page=0,1
AppLocker: This is a new feature in Windows 7 and Windows Server 2008 R2 that replaces Software Restriction Policies. This feature provides the ability to control how (or if) users can access .exe files, scripts, .msi files, and DLLs. You essentially define rules that can be assigned to users or security groups that are based on an application’s digital signature, including the publisher, product name, file name, and/or file version. And the good news is that AppLocker’s Group Policy foundation requires no upgrade of domain controllers. Existing Windows Server 2003 and 2008 servers can host AppLocker policies.
Tags: 2008 R2, Applocker, Windows7
Posted in Active Directory, Group Policy, Windows 7 | No Comments »