Since the release of Windows 7 and Server 2008-R2 we have about 3000 Group Policy Settings available to centrally configure and manage Windows clients and servers. Though some among us might have worked with GPO settings from the early days on, knowing about the existence of each and every available setting is nearly impossible. It still happens to me that while I am configuring a specific GPO setting, I do come across other GPOs I didn’t knew of yet.

Have we not all been in a situation once, where we wondered whether a certain system configuration item could be managed via a GPO setting? So what would you do? Open the Group Policy Management Console and browse through the settings until you find the setting you’ve been looking for? Yes, that is possible approach and sometimes the quickest if you know in which area the setting is most likely stored. Another approach is to download the Group Policy Settings Reference for Windows and Windows Server spreadsheet and search through the Excel sheet.

Now here’s another nice solution that allows you to search for Group Policy settings without opening the GPMC or an Excel sheet. All you need is Windows 7 and Internet Access.

Open Internet Explorer and go to http://gps.cloudapp.net/ (Group Policy Search)

In the Settings Menu select “Add Search Connector”.

Download the Search Connector configuration file.

Select “Add” to install the Search Connector. 

Select Group Policy Search and type a word within the search bar.

Happy GPO Setting searching!

I just read this very interesting article “Why Win32_Product is Bad News!” and if you’re a Desktop Systems Administrator I strongly recommend to the read that article as well. To simulate what Darren is writing about, simply open an elevated command prompt (on a Test system) and type WMIC, once WMIC has started type Product and confirm with Enter.

All installed Products will be listed. Now open the Windows Event Viewer. (Eventvwr.msc) and open the Applications log. As shown in the picture below that simply query caused all installed applications to be reconfigured.

Today I’ve received a signed copy of Jeremy Moskowitz latest Book “Group Policy – Fundamentals, Security and the Managed Desktop”, so instead of using my laptop I guess I’ll be holding a real book in my hands this weekend.

Jeremy also published 3 FREE chapters:

Bonus Chapter 1 - Scripting Group Policy Operations with Windows PowerShell (co-written with PowerShell MVP Jeff Hicks.)
Bonus Chapter 2 - Advanced Group Policy Management (AGPMv4)
Bonus Chapter 3 - Full Lockdown with Windows SteadyState

………. order this book, it’s worth the money, I have the previous published GPO books and they have been extremely useful so far.

Microsoft published the Office 2010 Administrative Template files (ADM, ADMX/ADML) and Office Customization Tool. Get it from here

Reading my e-mails near the end of my vacation I received a link to this great web based GPO Search Tool. The tool is quite self explaining, so if you’re dealing with Group Policies have a look here

Managing ActiveX Components within an enterprise sometimes can be a pain. Users with standard user privileges by default can’t install ActiveX components, hence whenever a larger group of users require an ActiveX component you usually end up creating a software package and distribute it via Software Distribution or you provide them with temporary Administrative rights. But if the clients are running Windows Vista or Windows 7 there is another solution available I noticed many people aren’t aware of, hence that’s why I am writing this article.

The Solution is the Windows ActiveX Installer Service. Using the Windows ActiveX Installer Service allows Enterprise Administrators to manage the deployment of ActiveX controls through Group Policy Settings. On Windows Vista the ActiveX Installer Service is not installed by default but can be added as a feature. On Windows 7 the Service is installed by default.

Configuring the ActiveX Installer Service through Group Policy can be done in two ways. Either by specifying the ActiveX Control installation URL or by configuring trusted sites. I am going to use the first option to demonstrate the configuration and behavior of the ActiveX Installer Service.

Most of you will be familiar with the Microsoft Connect, MSDN Subscriber Download or TechNet subscriber download Site that uses the File Transfer Manager for downloading content. When trying to download content from one of the above mentioned web sites for the first time with a standard user you will be prompted with a message as shown in the picture below.

But as soon as you allow the Add-on to be installed, you will be prompted to provide a user name and password of a user that has administrative privileges to allow the installation to continue. 

This is what would happen in an enterprise environment where users access a website that requires the installation of an ActiveX control. So let’s create a Group Policy that allows the installation of the Microsoft File Transfer Manager through the ActiveX Installer Service.

First we need to know the URL that points to the ActiveX Control installation file, which is usually a CAB file but can be an OCX or DLL file as well. To find out the URL of the Microsoft File Transfer Manager I open the web site’s source and search for the word “CODEBASE”.

Now that I know the location that points to the CAB file, I open the Group Policy Management Console and create a new GPO called GPO_ActiveX_Management. Within the new created GPO I navigate to the ActiveX Installer Service which is located under Computer Configuration, Policies, Administrative Templates, Windows Components.

I then enable the "Approved Installation Sites for ActiveX Controls” setting and add the Site name https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab and set the Installation control value to 2,1,1,0.

To ensure that the GPO settings is applied to my client I run GPUPDATE at the command prompt. Now when i launch the website again that tries to install the Microsoft File Transfer Manager there is no User Account Control prompt anymore, this because i have now configured this site as an approved site to install an ActiveX control.

When opening the Services list within the Microsoft Management Console, I can see that the Service has been started and looking at the Windows Application log I can see that the URL was identified as a secure location.

So after a few seconds, the Microsoft File Transfer Manager is successfully installed without having to provide administrative privileges.

If you’re interested in using the ActiveX Installer Service in your environment I recommend that you also read the below referenced articles.

Additional Resources
The ActiveX Installer Service in Windows Vista
Microsoft TechNet – ActiveX Installer Service
NirSoft – ActiveXHelper

This is an excellent article written by Darren Mar-Elia author of gpoguy.com and founder of sdmsoftware. The article provides guidance for optimizing Group Policy Performance. Read the entire article here

Windows 7 introduces some improvements for Folder Redirection and User Profiles. If you are planning to use these technologies make sure to read the What’s New in Folder Redirection and User Profiles document.

If you are preparing for a Windows 7 deployment and use GPO based startup and logon scripts you should be aware of the default processing behavior in Windows 7. Read the details here

Source: Ask the Directory Services Team blog

Being generally interested in Group Policy Management I was more than happy to stumble upon this blog today called the Group Policy Center – A very nice blog with News, Tutorials, Tips and Tricks about Microsoft Windows Group Policy.

If you plan to use the Microsoft App-V Stand-Alone Mode some Registry Settings are required for the Application Virtualization Client as described in detail on this App-V site here. But instead of setting these registry keys manually or through a custom script, you can also manage these settings through Group Policy.

First download the Microsoft Application Virtualization Administrative Template (ADM Template). The ADM Template provides configuration options for the App-V 4.5/4.6 Client settings such as Client Permissions, Client Interface behavior and Client Communication Settings.

Once you have added the ADM Template to your GPO object you can find them under the “Classic Administrative Templates (ADM)” branch as shown in the picture below.

Then configure the Group Policy Settings as shown below.   

Once the GPO is enabled run the command  gpupdate /force on the client to ensure that all GPO settings get applied. Then open the Registry Editor and validate that all settings are configured as described here

Now install your previously sequenced application through the generated MSI installation package. If all goes well, you should be able to launch your Virtual Application in Stand-Alone mode now.

Additional Resources:
Microsoft App-V 4.5 Client in Stand Alone Mode Whitepaper by Tim Mangan
App-V 4.6 Release Q & A
TechNet Virtual Lab: Learning to Configure App-V for Standalone Client Mode

This week Jeremy Moskowitz wrote about a Vista/Win7 GPO bug in his weekly newsletter you should know about if you are transitioning to Windows 7.

If you are a systems administrator dealing with Group Policies I strongly recommend to sign-up to Jeremy’s Newsletter.

If you use Vista as your GP management station, and are transitioning to Windows 7 policy definitions, be careful of this bug !

Just going through an AGPM Installation (Advanced Group Policy Management) where I had to choose an Account for the AGPM Service which can be the Local System Account or a domain user account. Instead of just clicking next next…. I found some good guidance in the Ask the Directory Services Team blog – AGPM Least Privilege Scenario article. Also read Locking down AGPM fit for least privilege.

Never heard of AGPM before ? Then watch this 4-5 minute Tour on Advanced Group Policy Management. And finally here’s a video provided by Kurt Roggen showing how to install the AGPM Server.

One of the things to consider when deploying Windows 7 clients is to update the Central Store on your domain controllers. If you haven’t created a Central Store yet, I recommend you watch the video or read the documentation I have listed at the end of this post.

If you do have a Central Store already, updating it with the Windows 7 Group Policy Administrative templates is very straight forward. You simply copy the templates that are stored under C:\Windows\PolicyDefinitions on your Windows 7 client to the Central Store which is located at \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions (FQDN = fully qualified domain name)

A good alternative for copying the files manually is the Vista Central Store Creator Utility from Darren Mar-Elia which automates the whole process of creating and updating the Central Store.

 Related Content
Screencast: How-To Configure the Central ADMX Store
How to create a Central Store for Group Policy Administrative Templates in Window Vista
Group Policy Settings References for Windows and Windows Server

63EHNFN6ZWK8

While I was preparing my home lab for some Group Policy tests i wanted to perform I got an error when generating a report in the Group Policy Management Console which is running on a Windows Server 2008 with Internet Explorer 8.

The error was: “An error occurred in the script in this page”

A search on the web indicated that this had to do with the Internet Explorer Security Settings, but when I opened the Internet Explorer Security settings I noticed that I could not change them since all buttons were grayed out.

But wait a minute, I’m the Administrator on this box, so why should I not be able to change these settings?. Another search on the web pointed me to the Internet Explorer 8 Enhanced Security Configuration which places the server and Internet Explorer in a configuration that decreases the exposure of servers to potential attacks.

To configure the Internet Explorer Enhanced Security Configuration you must open the Server Manager and start “Configure IE ESC” as shown in the screen shot below.

Then turn of IE ESC for Administrators.

Start Internet Explorer again, and you notice that you can now configure the Security Settings.

I then clicked on “Reset all zones to default level”. The next time I opened the Group Policy Manager, I could run the settings report without any error.

Resources:
Internet Explorer 8 Enhanced Security Configuration