More From TechEd – Tuesday Sessions

It’s Tuesday, so a perfect time to flashback to some sessions that looked interesting to me from Day 2 of  TechEd 2014. These are all available on Channel 9.

  • Effortless Migration from VMware to Windows Server 2012 R2 Hyper-V (DCIM-B412)
  • Best Practices for Integrating On-Premise Datacenters with Microsoft Azure IaaS (DCIM-B330)
  • Security and Microsoft Azure IaaS (DCIM-B385)
  • TWC: Data Privacy and Protection in the Cloud (OFC-B233)
  • Group Policy: Notes from the Field – Tips, Tricks and Troubleshooting (WIN-B328)
  • TWC: Social Engineering: Manipulations, Targeted Attacks, and IT Security (PCIT-B319)

Go forth and learn something today!


Handy Windows 7 GPO Policies

The official roll-out of Windows 7 has begun in my office.  We are doing a round of hardware refreshing for some end users and with that comes Windows 7 and Office 2010. Here are a couple handy GPO settings we’ve used to make our lives easier.

Verbose Startup and Shutdown – by default, Windows 7 will just display “please wait…” while it handles it’s startup and shutdown processes.  If you find the verbosity of Windows XP handy, likely displaying the name of software that’s being installed automatically, you’ll want to change use these policies.

Computer Configuration – Policies – Administrative Templates  – System – Verbose vs normal status messages = Enabled

Computer Configuration-Policies – Administrative Templates – System – Remove Boot / Shutdown / Logon / Logoff status messages = Disabled

Let Users Install Printers – Windows 7 increased security and UAC will prompt standard users for administrative credentials before adding a printer because the driver store is a protected area.  If running around to help every user who’s trying to add another network printer isn’t your cup of tea, try these policies to give the standard user a little bit more power.

Computer Configuration – Policies – Administrative Templates – Printers – Point and Print Restrictions = Disabled

User Configuration – Policies – Administrative Templates – Control Panel – Printers – Point and Print Restrictions = Disabled

Inside MDOP: AGPM 4.0

In case you missed the PacITPros meeting on December 7th, you missed out on some interesting vendor and technical presentations.  In addition to a presentation from BlueCat Networks and Hurricane Electric, I did a short demo of one of the MDOP tools – the Advanced Group Policy Manager 4.0.

This tool hooks right into the existing Group Policy Manager snap-in you know and love in your MMC and with the use of a designated archive server, extends the functionality to include better search features and change management.  No matter the size of your organization or the number of IT staff you share group policy tasks with, you can benefit from this tool.  Even if you are the only person who does anything with group policies, this tool will make your life easier.

First, the change control features take away much of the pain of keeping track of what was changed when and potentially by who.  Policies that are controlled by the system must be checked in and out for adjustments, which automatically creates a history record capturing the state of a policy at any given time.  These records can easily be reviewed for corporate compliance and policies can even be rolled back to previous states.

With new roles created within the tool, non-admininstrators (even regular domain users) can be granted the ability to review or edit policies… leaving the actual deployment and linking of the GPOs to system administrators.

The abililty to search and filter your view of policies is much improved.  You can search by name, state (checked in, checked out), even by variables such being updated “last month” or “last week”. 

Finally, you can easily import and export policies, even across forests.  No more manual recreation of the perfect policy just because you want to use it in your test lab environment or in another forest.

Finally, keep in mind that APGM 4.0 adds support for Windows Server 2008 R2 and Windows 7, as well as runs on Windows Server 2008 and Vista.  If you are supporting an environment with older versions of Windows Server, consider version 2.5 or 3.0 of the tool.  Not of all of the features are included, but if you are looking specifically for the change management aspects, those older versions may work for you until you upgrade your servers.

Out of the six tools in the Microsoft Desktop Optimization Pack, APGM isn’t one I’d overlook. 

To Map or Not To Map – There is a Checkbox!

At my office we’ve begun making several changes to how we manage the desktops and applications for our users and we are taking advantage of Group Policy preferences. We aren’t ready to deploy Windows 7 quite yet, but Windows XP machines can take advantage of Group Policy preferences with the addition of the client side extensions.

The preference we opted to start with was mapping drive letters, which was done with several log on scripts in the past. Everything seemed to be working just fine until a user who accessed the system remotely through our Terminal Services RemoteApp reported that one of the drive letters was missing. Turns out that particular drive mapping was misbehaving for several people on various computers.

I compared the troublesome mapping to one that was working correctly and found the only difference was a single check box for “Reconnect”.

The “update” action setting is supposed to create the mapping if it doesn’t exist, however that doesn’t seem to be working quite a expected. The reconnect check box saves the mapping in the user’s settings and attempts to restore it at each subsequent log on. I didn’t experiment further, but perhaps if I used the “replace” action setting for the mapping I wouldn’t have the issue at all, as that deletes and recreates the mapping every time.

Either way, the reconnect check box saved the day.


Control Outlook 2007 Junk Mail Settings via GPO

If you do a web search for setting up a Group Policy for controlling Outlook 2007 junk mail settings (specifically adding a global Safe Senders or Safe Recipients list) you’ll find a ton of links, spanning several years and pointing to posts, KB articles and other blogs. This is how I got it to work for me. And yes, you still need on extra registry key that’s not in the template settings.

Goal: Append a global list of “Safe Senders” to each users existing list in Outlook 2007.

Scenario: We have an Windows 2003 domain, Exchange 2003 and Outlook 2007 deployed on Windows XP.

  1. Create a file called “safesenders.txt” in a shared location that is accessible to all users.
  2. Access Group Policy Management Editor from a Vista or Windows 7 machine so Group Policy Preferences can be used.
  3. Install the administration templates for Office 2007. (These were already in our system from when a co-worker deployed Office 2007.)
  4. Create or edit a policy to control Microsoft Office or Outlook.
  5. Go to “User Configuration – Policies – Administrative Templates – Classic Administrative Templates – Microsoft Office Outlook 2007 – Tools Options… – Preferences – Junk E-mail”
  6. Disable “Overwrite or Append Junk Mail Import List”. If you enable this policy, the users existing personal list will be overwritten with the common list. (You’d think there would be something that let’s you select overwrite or append, but instead enable = overwrite, disable = append.)
  7. Enable “Specify path to Safe Senders list” and include the path to your common file.

  8. In the same GPO, go to “User Configuration – Preferences – Windows Settings – Registry”. (You don’t have to use the same GPO, but I did to keep things all together. Also, GPO processing happens faster if you have less of them overall.)
  9. Create a key under “HKEY_CURRENT_USER” for “Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail” with the value of “JunkMailImportLists”, dword=1

Once the policy is pushed out to your clients, you should see your additions to the safe senders in Outlook.

Reapplying a software assignment GPO to a single computer

At my office, we’ve found that assigning applications for installation using group policies has worked well for our relatively small number of desktops. While the out-of-the-box Active Directory GPO features lack comprehensive reporting tools and other refinements,they get the job done and save us about 100 trips to individual computers.

In general, software assignment is a pretty binary event. The software installs or it doesn’t. Once the software is installed successfully, the policy will not apply again unless it’s changed or set to reapply to all the machines affected by the policy.

But what if you need to reapply a policy to just one machine? For example, we had a machine with an incorrect group membership that result in the GPOs attempting to apply two different versions of the same software. Neither version worked correctly in the end, but the policies were considered “applied” and would not apply again, even after the damaged software was removed.

There is a place in the registry where a machine tracks all the software policies that have been applied – HKLM\Software\Microsoft\Windows\Current Version\Group Policy\AppMgmt.

You need to delete information from two different locations. First, the values for the software package under the AppMgmt key. The values are all in a GUID format, but you can find out the GUID of your application by looking for the Product code in the GPO intself. Find that in “Computer Configuration – Policies – Software Settings – Assigned Applications – (product name) – Deployment Information.”

After you delete the proper entry under AppMgmt, find the corresponding application within the AppMgmt tree. This one is easier to find because the application name is listed as one of the values. (The product ID value will also match the GUID you deleted in the first step.) Delete the whole key.

Once the keys are removed, run gupdate \force and then reboot. The software application GPO will apply again.

MSI Installer Error: What Advertised Application?

I ran into an interesting error message while reinstalling a custom piece of software on my Windows XP machine recently. The software processes small text files with a custom file extension and uses them to locate a particular document in our document management application. Users can also use the software to generate these custom files to share with others via email, etc.

The program is deployed using a Group Policy software assignment. My computer was handling the files properly from my desktop, but was not working as expected when accessing the same file if it was stored in SharePoint. I had tested the SharePoint functionality previously on another computer and it worked as expected. The MSI Installer includes the option to repair the application, so I attempted to run it again in order to see if that solved my problem. Instead of a successful run, I got the following error message:

“This advertised application will not be installed because it might be unsafe. Contact your administrator to change the installation user interface option of the package to basic.”

First, the application is “assigned” not “advertised” with the GPO. Second, I’m a local administrator on my machine, so I thought it was strange I was unable to run it. I pulled our DBA over (who wrote the program) and he confirmed that I should be seeing a “repair” option when the software is run after being installed once before.

A little searching brought us to this post, which recommending running the MSI installer from the command line using the /qb switch. We didn’t bother looking for the “product state value” as Soumitra Mondal suggests in his post, but it appears my PC was a bit confused about the install state of the application and reinstalling with that switch did the trick.

My 2010 Reading List: So Far

It’s unfortunate that I feel like I’m starting the year already behind on my “tech” reading list. Here’s a quick list of I have within arms reach.

In addition to books, I’ve downloaded several whitepapers onto my Kindle for those free moments on the subway:

TS RemoteApp, Group Policies, Internet Explorer Zones

It wouldn’t be work if we didn’t have more than one different, yet similar, things going on in the office at any given time. The disaster recovery user testing is drawing to a close and I’ll be the first to admit that opening it up to users has certainly been a learning experience. (More on that later.)

Meanwhile, in an attempt to phase out our Citrix Remote Access farm, we’ve started to “soft-launch” our production version of Windows 2008 Terminal Services using Terminal Services Web Access and RemoteApp. Two applications we are publishing as remote applications are our financial system and our timecard system. We succeeding in getting both these applications mostly running in our disaster recovery lab last month, but our production version of Terminal Services is a different animal.

In the disaster lab, I didn’t configure any special group policies that affected Internet Explorer or any other functions. The setup was just by the basic configuration wizards for Terminal Services, TS Gateway and RemoteApp. Our production version of Terminal Services was set up “by the book” (particularly this book) with lots of security customizations added on with group policies. I’m all for tightening things down until people squeal and then loosening things up as needed and my co-worker had done just that with this installation.

Today, I tested out the timecard application that requires a Java plug-in. The plug-in automatically initializes on our regular desktop machines without issue. On the Terminal Server, which is running the Enhanced Security Configuration, the name of server hosting time timecard web page must be part of the “Intranet” security zone in IE.

Easy fix… except I don’t have access to the “Tools – Internet Options” pages in Internet Explorer with my regular user account. That’s a group policy setting. Or rather, 3 group policy settings. Because the options available in group policy have grown as each new OS has been introduced, there are several places you can enable, disable and tweak various aspects of what IE menus are available to users. It took me several visits to our Terminal Services policies to restore access to the “security” tab of Internet Options.

Sure enough, once I added the proper web server to the Intranet list, the plug-in initialized. But we don’t want to have to explain this to each and every user when they access remote applications for the first time. So next up was getting those setting to automatically configured for each new user.

Our first stop was Group Policy Preferences, which allows for configuration of much of the Internet Options tabs, but not any of the lists for Intranet, Trusted or Restricted sites – how frustrating. But those are simply registry keys, which can be added “a la carte” with Group Policy Preferences as well. The end seems near.

A quick search yields this MSDN article, Adding Sites to the Enhanced Security Configuration Zones. We ended up adding registry keys for both the regular non-ESC domains and the ESC domains because our testing showed that my user account put zone additions in the regular domain area and my co-worker’s went in the EscDomain registry area. (The dword hex of 1 means “Intranet zone”, use 2 for “Trusted” sites.)

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\timecard]

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\timecard]

We didn’t experiment further with the “Domain” vs “EscDomain” mystery, instead just added registry keys to cover all our bases for the time being. Now the only thing left is to decide if we want to take away those IE Options pages that I added back in for testing. Jury is still out on that one.

Getting Busy(er) with Group Policy Perferences

Spent the afternoon away from the office yesterday attending a seminar hosted by BeyondTrust. They had Derek Melber, an MVP for Group Policy, presenting on Enterprise Security and Standardization. It a was great presentation and served to remind me about all the features I was missing out on by not getting around to taking advantage of Group Policy Preferences.

Because you know how it goes. You spend a few thousand company dollars attended TechEd or another conference along the same lines and spend the week in awe of all the things you want to do when you get back to the office. And then you return to a world of help desk calls, a backlog of emails, and series of small fires and – well, you just slip back into the old grind.

I was determined to not let this slide again. Today I got into the office, banged out a few help desk tickets and set myself up a shiny new VM with Vista SP1 and the RSAT tools. Then I popped over to my WSUS server to hunt down the required XP Client Side Extensions. (They are a “feature pack”, which is not something I usually have WSUS sync for, so I needed to make that adjustment.) Then I approved that update for all my XP workstations for the next update cycle.

On Monday, I hope to be able to start putting together some new GPOs that will replace my logon scripts. Assuming there aren’t any fires smoldering, of course.