If you plan to use the Microsoft App-V Stand-Alone Mode some Registry Settings are required for the Application Virtualization Client as described in detail on this App-V site here. But instead of setting these registry keys manually or through a custom script, you can also manage these settings through Group Policy.

First download the Microsoft Application Virtualization Administrative Template (ADM Template). The ADM Template provides configuration options for the App-V 4.5/4.6 Client settings such as Client Permissions, Client Interface behavior and Client Communication Settings.

Once you have added the ADM Template to your GPO object you can find them under the “Classic Administrative Templates (ADM)” branch as shown in the picture below.

Then configure the Group Policy Settings as shown below.   

Once the GPO is enabled run the command  gpupdate /force on the client to ensure that all GPO settings get applied. Then open the Registry Editor and validate that all settings are configured as described here

Now install your previously sequenced application through the generated MSI installation package. If all goes well, you should be able to launch your Virtual Application in Stand-Alone mode now.

Additional Resources:
Microsoft App-V 4.5 Client in Stand Alone Mode Whitepaper by Tim Mangan
App-V 4.6 Release Q & A
TechNet Virtual Lab: Learning to Configure App-V for Standalone Client Mode

This week Jeremy Moskowitz wrote about a Vista/Win7 GPO bug in his weekly newsletter you should know about if you are transitioning to Windows 7.

If you are a systems administrator dealing with Group Policies I strongly recommend to sign-up to Jeremy’s Newsletter.

If you use Vista as your GP management station, and are transitioning to Windows 7 policy definitions, be careful of this bug !

Just going through an AGPM Installation (Advanced Group Policy Management) where I had to choose an Account for the AGPM Service which can be the Local System Account or a domain user account. Instead of just clicking next next…. I found some good guidance in the Ask the Directory Services Team blog – AGPM Least Privilege Scenario article. Also read Locking down AGPM fit for least privilege.

Never heard of AGPM before ? Then watch this 4-5 minute Tour on Advanced Group Policy Management. And finally here’s a video provided by Kurt Roggen showing how to install the AGPM Server.

One of the things to consider when deploying Windows 7 clients is to update the Central Store on your domain controllers. If you haven’t created a Central Store yet, I recommend you watch the video or read the documentation I have listed at the end of this post.

If you do have a Central Store already, updating it with the Windows 7 Group Policy Administrative templates is very straight forward. You simply copy the templates that are stored under C:\Windows\PolicyDefinitions on your Windows 7 client to the Central Store which is located at \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions (FQDN = fully qualified domain name)

A good alternative for copying the files manually is the Vista Central Store Creator Utility from Darren Mar-Elia which automates the whole process of creating and updating the Central Store.

 Related Content
Screencast: How-To Configure the Central ADMX Store
How to create a Central Store for Group Policy Administrative Templates in Window Vista
Group Policy Settings References for Windows and Windows Server

63EHNFN6ZWK8

While I was preparing my home lab for some Group Policy tests i wanted to perform I got an error when generating a report in the Group Policy Management Console which is running on a Windows Server 2008 with Internet Explorer 8.

The error was: “An error occurred in the script in this page”

A search on the web indicated that this had to do with the Internet Explorer Security Settings, but when I opened the Internet Explorer Security settings I noticed that I could not change them since all buttons were grayed out.

But wait a minute, I’m the Administrator on this box, so why should I not be able to change these settings?. Another search on the web pointed me to the Internet Explorer 8 Enhanced Security Configuration which places the server and Internet Explorer in a configuration that decreases the exposure of servers to potential attacks.

To configure the Internet Explorer Enhanced Security Configuration you must open the Server Manager and start “Configure IE ESC” as shown in the screen shot below.

Then turn of IE ESC for Administrators.

Start Internet Explorer again, and you notice that you can now configure the Security Settings.

I then clicked on “Reset all zones to default level”. The next time I opened the Group Policy Manager, I could run the settings report without any error.

Resources:
Internet Explorer 8 Enhanced Security Configuration

Group Policies and Group Policy Preferences are great technologies to manage your enterprise desktops. But what if you want to go beyond the features Microsoft has build into the Group Policy Management Console?

With PolicyPak you can consistently manage ANY application’s settings using the Windows native Group Policy technology. have a look at the PolicyPak introduction video below to learn what PolicyPak can do and how it works.

Learn more about PolicyPak and watch the video tutorials.

Other resources

Group Policy Preferences Overview

Microsoft Group Policy site

TechNet Magazine – Expanded Control with Group Policy Preferences

Group Policy Settings Reference for Windows Server 2008 and Windows Vista SP1

In preparation of doing some Group Policy related things, I decided to extend my Home Lab AD infrastructure running on Windows Server 2003, with  Windows Server 2008 and Windows Server 2008R2 domain controllers.

Because at some stage I want to get rid of the Windows 2003 Server I also moved the FSMO roles from the Windows 2003 domain controller to the Windows 2008 domain controller.

I used the steps described in the “Transferring FSMO roles” article. Additional information can also be found in the “How to view and transfer FSMO roles in Windows Server 2003” article.

By searching documentation on how to move FSMO roles, I found the FSMO Roles utility from dovestones software,, that simply shows you who owns the FSMO roles within your current AD infrastructure. 

Those who prefer scripts use the code described in “How to Find the FSMO Role Owners Using ADSI and WSH”.

Here’s another video from GPanswers explaining how to restrict the use of certain devices within your managed environment.

Well as you might notice Group Policy management currently is my favorite topic. I’ve been doing GPOs since the year 2000, then for a long while due to my job role I haven’t been doing a lot with GPOs, but that didn’t matter since there wasn’t too much changing in that space except that with each OS release the number of GPO settings has been growing.

But since the introduction of Windows Vista, there have been some bigger changes around GPO management. One of these changes is the use of the Central ADMX Store. The Central ADMX Store plays an important role, so it is important understanding the concept.

Watch the video from TechNetEdge presented by John Baker. By the way on the gpoguy website you can find the free Vista Central Store Creator utility that helps automating this task.

Additional resources are the Microsoft KB article “How to create a Central Store for Group Policy Administrative Templates in Window Vista” or the podcast “TechNet Radio: Group Policy: Windows Vista, Longhorn Server, ADMX and the Central Store”.

Jeremy Moskowitz from GPanswers.com has posted 2 free GPUniversity videos. 

Default Group Policy Objects

Group Policy Backup and Restore

Interested in more ? Check out the Group Policy Online University.

In January 2009 Jeremy Moskovitz launched the Online University for Group Policy Management. I wrote about that earlier in my blog post “Online Group Policy University”.

In the past weeks Jeremy has put an additional great amount of effort in reworking the offerings, so that now you have the possibility of selecting and ordering individual Modules and and options. Additionally there are some very attractive payment options as well that might be interesting for those that don’t get their company paying it for them, but want to invest in their personal knowledge.

There are now 3 different GPO Online University options:

• Build your own
• Silver Package
• Gold Package

The Build your own package allows you to select the individual options that just fit for your needs. So for those that already have bought the GPO books from Jeremy and don’t think they need pre-configured hard drive labs, they can just order the training and documentation material (labs, videos, slides).

Interested ? Then click here and get straight to the GPO Online University starting page or if you don’t want to read the details (because you already did) and can’t wait to place an order, then go here.

Get the latest news around Group Policy Management, subscribe to the GPAnswers Newsletter

Enjoy

Windows 7 introduces a number of manageability improvements that can reduce total cost of ownership by helping to increase automation, improve user productivity, and provide flexible administrative control to meet compliance requirements. This paper provides an overview of each of these improvements.

Download the document here

Today Jeremy Moskowitz has launched the Group Policy Online University. Taking into account that many companies in these days have restrictive travel and training policies, the Online University seems to be an excellent way how you can further extend your knowledge around Group Policy Management without the need to attend a live training e.g. you can attend the training at any time, from everywhere.

The only thing you need to do now is to convince your manager that it is worth the money

Yesterday Microsoft released the Release Candidate for Internet Explorer 8 that of course contains a lot of new features that I am not going to rewrite here again, as others did so already.

Reading the IE8 product group blog 100 additional group policy settings are being introduced to extend manageability of IE8 through Group Policy Management. The updated Group Policy Reference including the new IE8 settings can be downloaded here and updated Group Policy Settings ADM files can be found here. Also worth reading is the IE8 Deployment Guide.

And finally for those that want to prevent IE8 being installed in an uncontrolled way throughout their infrastructure can consider using the IE8 blocker toolkit. The IE8 blocker toolkit provides 2 methods to prevent IE8 being automatically installed on your client devices. Method 1 consists of a batch file and Method 2 is a group policy adm template  that allows you to configure IE8 installation blocking through GPO.

.

Yesterday evening I looked at some of the new features within Windows 7. So at some stage I wanted to see Applocker running. I spend about an hour reviewing my settings, checking GPO processing until I went back to the documentation, just to find out that little sentence at the very bottom of that page….. “At least one Windows Server 2008 R2 domain controller is required to host the Applocker rules“.

Once more… RTFM Windows 2008 R2 download in progress……

UPDATE 20.11.2009

Source:

http://www.infoworld.com/d/windows/dont-upgrade-windows-server-2008-r2-until-you-read-785?page=0,1

AppLocker: This is a new feature in Windows 7 and Windows Server 2008 R2 that replaces Software Restriction Policies. This features provides the ability to control how (or if) users can access .exe files, scripts, .msi files, and DLLs. You essentially define rules that can be assigned to users or security groups that are based on an applications digital signature, including the publisher, product name, file name, and/or file version. And the good news is that AppLocker’s Group Policy foundation requires no upgrade of domain controllers. Existing Windows Server 2003 and 2008 servers can host AppLocker policies.