More From TechEd – Tuesday Sessions

It’s Tuesday, so a perfect time to flash back to some sessions that looked interesting to me from Day 2 of TechEd 2014. These are all available on Channel 9.

  • Effortless Migration from VMware to Windows Server 2012 R2 Hyper-V (DCIM-B412)
  • Best Practices for Integrating On-Premise Datacenters with Microsoft Azure IaaS (DCIM-B330)
  • Security and Microsoft Azure IaaS (DCIM-B385)
  • TWC: Data Privacy and Protection in the Cloud (OFC-B233)
  • Group Policy: Notes from the Field – Tips, Tricks and Troubleshooting (WIN-B328)
  • TWC: Social Engineering: Manipulations, Targeted Attacks, and IT Security (PCIT-B319)

Go forth and learn something today!

Handy Windows 7 GPO Policies

The official roll-out of Windows 7 has begun in my office.  We are doing a round of hardware refreshing for some end users and with that comes Windows 7 and Office 2010. Here are a couple handy GPO settings we’ve used to make our lives easier.

Verbose Startup and Shutdown – by default, Windows 7 will just display “Please wait…” while it handles its startup and shutdown processes.  If you found the verbosity of Windows XP handy, for example seeing the name of the software that is being installed automatically, you’ll want to use these policies.

Computer Configuration – Policies – Administrative Templates – System – Verbose vs normal status messages = Enabled

Computer Configuration – Policies – Administrative Templates – System – Remove Boot / Shutdown / Logon / Logoff status messages = Disabled

Let Users Install Printers – with the increased security in Windows 7, UAC will prompt standard users for administrative credentials before adding a printer because the driver store is a protected area.  If running around to help every user who’s trying to add another network printer isn’t your cup of tea, try these policies to give the standard user a little bit more power.

Computer Configuration – Policies – Administrative Templates – Printers – Point and Print Restrictions = Disabled

User Configuration – Policies – Administrative Templates – Control Panel – Printers – Point and Print Restrictions = Disabled
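As an added example (not from the original post), this PowerShell audit reads the registry on a Windows 7 client to report whether the four settings above are in effect. It assumes the registry values these policies write: VerboseStatus and DisableStatusMessages under Policies\System, and Restricted under Printers\PointAndPrint; run it in an elevated prompt.

```powershell
# Added example, not from the original post: audit a Windows 7 client for the four
# settings above. Assumes the registry values these policies write (VerboseStatus and
# DisableStatusMessages under Policies\System, Restricted under PointAndPrint).
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-HandyWin7Policies {
    $sys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $ppCom = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $ppUsr = 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    # A policy set to Disabled may write 0 or remove the value; treat both as "off".
    $off = { param($v) ($null -eq $v) -or ($v -eq 0) }
    $on  = { param($v) $v -eq 1 }
    $checks = @(
        @{ Setting = 'Verbose vs normal status messages = Enabled'; Path = $sys; Name = 'VerboseStatus'; Expect = $on },
        @{ Setting = 'Remove Boot/Shutdown/Logon/Logoff status messages = Disabled'; Path = $sys; Name = 'DisableStatusMessages'; Expect = $off },
        @{ Setting = 'Point and Print Restrictions (computer) = Disabled'; Path = $ppCom; Name = 'Restricted'; Expect = $off },
        @{ Setting = 'Point and Print Restrictions (user) = Disabled'; Path = $ppUsr; Name = 'Restricted'; Expect = $off }
    )
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        $shown  = $actual
        if ($null -eq $actual) { $shown = '<not set>' }
        [pscustomobject]@{
            Setting    = $c.Setting
            Value      = $shown
            AsExpected = (& $c.Expect $actual)
        }
    }
}

Test-HandyWin7Policies | Format-Table -AutoSize
```

A Restricted value of 0 (or no value at all) means standard users can install printer drivers from any print server, so the report also documents on which machines that relaxation is in effect.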

Inside MDOP: AGPM 4.0

In case you missed the PacITPros meeting on December 7th, you missed out on some interesting vendor and technical presentations.  In addition to a presentation from BlueCat Networks and Hurricane Electric, I did a short demo of one of the MDOP tools – the Advanced Group Policy Manager 4.0.

This tool hooks right into the existing Group Policy Manager snap-in you know and love in your MMC and with the use of a designated archive server, extends the functionality to include better search features and change management.  No matter the size of your organization or the number of IT staff you share group policy tasks with, you can benefit from this tool.  Even if you are the only person who does anything with group policies, this tool will make your life easier.

First, the change control features take away much of the pain of keeping track of what was changed when and potentially by who.  Policies that are controlled by the system must be checked in and out for adjustments, which automatically creates a history record capturing the state of a policy at any given time.  These records can easily be reviewed for corporate compliance and policies can even be rolled back to previous states.

With new roles created within the tool, non-administrators (even regular domain users) can be granted the ability to review or edit policies… leaving the actual deployment and linking of the GPOs to system administrators.

The ability to search and filter your view of policies is much improved.  You can search by name, state (checked in, checked out), even by variables such as being updated “last month” or “last week”.

Finally, you can easily import and export policies, even across forests.  No more manual recreation of the perfect policy just because you want to use it in your test lab environment or in another forest.

Also, keep in mind that AGPM 4.0 adds support for Windows Server 2008 R2 and Windows 7, and also runs on Windows Server 2008 and Vista.  If you are supporting an environment with older versions of Windows Server, consider version 2.5 or 3.0 of the tool.  Not all of the features are included, but if you are looking specifically for the change management aspects, those older versions may work for you until you upgrade your servers.

Out of the six tools in the Microsoft Desktop Optimization Pack, AGPM isn’t one I’d overlook.

To Map or Not To Map – There is a Checkbox!

At my office we’ve begun making several changes to how we manage the desktops and applications for our users and we are taking advantage of Group Policy preferences. We aren’t ready to deploy Windows 7 quite yet, but Windows XP machines can take advantage of Group Policy preferences with the addition of the client side extensions.

The preference we opted to start with was mapping drive letters, which was done with several log on scripts in the past. Everything seemed to be working just fine until a user who accessed the system remotely through our Terminal Services RemoteApp reported that one of the drive letters was missing. Turns out that particular drive mapping was misbehaving for several people on various computers.

I compared the troublesome mapping to one that was working correctly and found the only difference was a single check box for “Reconnect”.

The “update” action setting is supposed to create the mapping if it doesn’t exist, however that doesn’t seem to be working quite as expected. The reconnect check box saves the mapping in the user’s settings and attempts to restore it at each subsequent log on. I didn’t experiment further, but perhaps if I used the “replace” action setting for the mapping I wouldn’t have the issue at all, as that deletes and recreates the mapping every time.

Either way, the reconnect check box saved the day.
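Drive map preferences are stored in SYSVOL as Drives.xml, so the mismatch described above can be found across a whole GPO instead of one mapping at a time. This added example (not from the original post) parses such a file and flags maps that use the Update action without Reconnect; it assumes the Drives.xml attribute names action, letter, path and persistent (“1” when Reconnect is checked), and the sample XML is constructed.

```powershell
# Added example, not from the original post: report GPP drive maps from a Drives.xml
# and flag the combination the post ran into (action Update, Reconnect unchecked).
# Assumed attribute names: action (U=Update, R=Replace, C=Create, D=Delete),
# letter, path, persistent ("1" = Reconnect checked).
function Get-GppDriveMapReport {
    param([xml]$DrivesXml)
    foreach ($drive in $DrivesXml.Drives.Drive) {
        $p = $drive.Properties
        [pscustomobject]@{
            Name        = $drive.name
            Action      = $p.action
            Path        = $p.path
            Reconnect   = ($p.persistent -eq '1')
            NeedsReview = ($p.action -eq 'U' -and $p.persistent -ne '1')
        }
    }
}

# Constructed sample in the shape of a SYSVOL Drives.xml; uids and paths are made up.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:" status="H:" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" path="\\fileserver\users\%username%" persistent="1" useLetter="1" letter="H"/>
  </Drive>
  <Drive name="S:" status="S:" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" path="\\fileserver\shared" persistent="0" useLetter="1" letter="S"/>
  </Drive>
</Drives>
'@

# For a real GPO, load the file from SYSVOL instead, e.g.
# [xml](Get-Content '\\domain\SYSVOL\domain\Policies\{GPO-GUID}\User\Preferences\Drives\Drives.xml')
Get-GppDriveMapReport -DrivesXml ([xml]$sample) | Format-Table -AutoSize
```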

Control Outlook 2007 Junk Mail Settings via GPO

If you do a web search for setting up a Group Policy for controlling Outlook 2007 junk mail settings (specifically adding a global Safe Senders or Safe Recipients list) you’ll find a ton of links, spanning several years and pointing to posts, KB articles and other blogs. This is how I got it to work for me. And yes, you still need one extra registry key that’s not in the template settings.

Goal: Append a global list of “Safe Senders” to each user’s existing list in Outlook 2007.

Scenario: We have a Windows 2003 domain, Exchange 2003 and Outlook 2007 deployed on Windows XP.

  1. Create a file called “safesenders.txt” in a shared location that is accessible to all users.
  2. Access Group Policy Management Editor from a Vista or Windows 7 machine so Group Policy Preferences can be used.
  3. Install the administration templates for Office 2007. (These were already in our system from when a co-worker deployed Office 2007.)
  4. Create or edit a policy to control Microsoft Office or Outlook.
  5. Go to “User Configuration – Policies – Administrative Templates – Classic Administrative Templates – Microsoft Office Outlook 2007 – Tools Options… – Preferences – Junk E-mail”
  6. Disable “Overwrite or Append Junk Mail Import List”. If you enable this policy, the user’s existing personal list will be overwritten with the common list. (You’d think there would be something that lets you select overwrite or append, but instead enable = overwrite, disable = append.)
  7. Enable “Specify path to Safe Senders list” and include the path to your common file.
  8. In the same GPO, go to “User Configuration – Preferences – Windows Settings – Registry”. (You don’t have to use the same GPO, but I did to keep things all together. Also, GPO processing happens faster if you have fewer of them overall.)
  9. Create a registry item under “HKEY_CURRENT_USER” at “Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail” with the value name “JunkMailImportLists” and DWORD data 1.

Once the policy is pushed out to your clients, you should see your additions to the safe senders in Outlook.
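As an added example (not from the original post), the shared list file and the registry preference from steps 8 and 9 can be created from PowerShell on a machine with the GroupPolicy module (RSAT). The share path, GPO name and domain name are assumptions; the registry key and value are the ones from step 9.

```powershell
# Added example, not from the original post: create the shared safe-senders file
# and the GPO registry preference from steps 8 and 9. Share path, GPO name and
# domain name are assumed; the key and value name come from the post.
$ListPath = '\\fileserver\policy$\safesenders.txt'   # assumed share
$GpoName  = 'Outlook 2007 Junk Mail'                   # assumed GPO name
$Domain   = 'EXAMPLE'                                  # assumed NetBIOS domain name

# One address or domain per line, the format Outlook's import reads (sample entries).
@('@partner.example.com', 'alerts@vendor.example.net') | Set-Content -Path $ListPath

# Everyone must read the file, but only admins may change it: anyone who can edit
# a global safe-senders list can make mail bypass the junk filter for all users.
icacls $ListPath /inheritance:r `
    /grant "${Domain}\Domain Admins:(F)" `
    /grant "${Domain}\Domain Users:(R)" | Out-Null

Import-Module GroupPolicy
# Step 9: the extra value that is not in the Office 2007 template.
Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Update `
    -Key 'HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail' `
    -ValueName 'JunkMailImportLists' -Type DWord -Value 1 | Out-Null

# Show what the GPO will now push into HKCU on each client.
Get-GPPrefRegistryValue -Name $GpoName -Context User `
    -Key 'HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail'
```

Steps 5 to 7 (the Office 2007 administrative template settings) are still done in the Group Policy Management Editor.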

Reapplying a software assignment GPO to a single computer

At my office, we’ve found that assigning applications for installation using group policies has worked well for our relatively small number of desktops. While the out-of-the-box Active Directory GPO features lack comprehensive reporting tools and other refinements, they get the job done and save us about 100 trips to individual computers.

In general, software assignment is a pretty binary event. The software installs or it doesn’t. Once the software is installed successfully, the policy will not apply again unless it’s changed or set to reapply to all the machines affected by the policy.

But what if you need to reapply a policy to just one machine? For example, we had a machine with an incorrect group membership that resulted in the GPOs attempting to apply two different versions of the same software. Neither version worked correctly in the end, but the policies were considered “applied” and would not apply again, even after the damaged software was removed.

There is a place in the registry where a machine tracks all the software policies that have been applied – HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt.

You need to delete information from two different locations. First, delete the values for the software package under the AppMgmt key. The values are all named in GUID format, but you can find the GUID of your application by looking at the Product Code in the GPO itself. Find that in “Computer Configuration – Policies – Software Settings – Assigned Applications – (product name) – Deployment Information.”

After you delete the proper entry under AppMgmt, find the corresponding application within the AppMgmt tree. This one is easier to find because the application name is listed as one of the values. (The product ID value will also match the GUID you deleted in the first step.) Delete the whole key.

Once the keys are removed, run gpupdate /force and then reboot. The software application GPO will apply again.
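As an added example (not from the original post), this PowerShell locates the AppMgmt entries for one package by its product code, exports the tree as a backup, and then removes only the matching entries. The product code shown is a placeholder; take the real one from the GPO’s Deployment Information, and run the script elevated on the affected machine.

```powershell
# Added example, not from the original post: find, back up and remove the AppMgmt
# entries for one assigned package so the assignment applies again on this machine.
# The product code at the bottom is a placeholder; use the GPO's Product Code.
$AppMgmt = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt'

function Find-AppMgmtEntries {
    param([string]$ProductCode)
    $hits = @()
    $root = Get-Item -Path $AppMgmt -ErrorAction Stop
    # Location 1: values directly under AppMgmt, named or filled with the GUID.
    foreach ($name in $root.GetValueNames()) {
        if ($name -eq $ProductCode -or [string]$root.GetValue($name) -eq $ProductCode) {
            $hits += [pscustomobject]@{ Kind = 'Value'; Path = $AppMgmt; Name = $name }
        }
    }
    # Location 2: the subkey whose product ID value matches the same GUID.
    foreach ($sub in Get-ChildItem -Path $AppMgmt) {
        $match = $sub.GetValueNames() | Where-Object { [string]$sub.GetValue($_) -eq $ProductCode }
        if ($match) {
            $hits += [pscustomobject]@{ Kind = 'Key'; Path = $sub.PSPath; Name = $sub.PSChildName }
        }
    }
    return $hits
}

function Reset-AppMgmtEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ProductCode, [string]$BackupDir = $env:TEMP)
    $entries = Find-AppMgmtEntries -ProductCode $ProductCode
    if (-not $entries) { Write-Warning "No AppMgmt entries match $ProductCode"; return }
    # Export the whole tree first: removing entries for other packages makes
    # those packages reinstall as well.
    $backup = Join-Path $BackupDir ("AppMgmt-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt' $backup /y | Out-Null
    foreach ($e in $entries) {
        if ($PSCmdlet.ShouldProcess("$($e.Path) [$($e.Name)]", 'Remove')) {
            if ($e.Kind -eq 'Key') { Remove-Item -Path $e.Path -Recurse -Force }
            else { Remove-ItemProperty -Path $e.Path -Name $e.Name }
        }
    }
    Write-Host "Backup written to $backup. Now run: gpupdate /force, then reboot."
}

# Preview with -WhatIf first, then run again without it.
Reset-AppMgmtEntry -ProductCode '{00000000-0000-0000-0000-000000000000}' -WhatIf
```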

MSI Installer Error: What Advertised Application?

I ran into an interesting error message while reinstalling a custom piece of software on my Windows XP machine recently. The software processes small text files with a custom file extension and uses them to locate a particular document in our document management application. Users can also use the software to generate these custom files to share with others via email, etc.

The program is deployed using a Group Policy software assignment. My computer was handling the files properly from my desktop, but was not working as expected when accessing the same file if it was stored in SharePoint. I had tested the SharePoint functionality previously on another computer and it worked as expected. The MSI Installer includes the option to repair the application, so I attempted to run it again in order to see if that solved my problem. Instead of a successful run, I got the following error message:

“This advertised application will not be installed because it might be unsafe. Contact your administrator to change the installation user interface option of the package to basic.”

First, the application is “assigned” not “advertised” with the GPO. Second, I’m a local administrator on my machine, so I thought it was strange I was unable to run it. I pulled our DBA over (who wrote the program) and he confirmed that I should be seeing a “repair” option when the software is run after being installed once before.

A little searching brought us to this post, which recommended running the MSI installer from the command line using the /qb switch. We didn’t bother looking for the “product state value” as Soumitra Mondal suggests in his post, but it appears my PC was a bit confused about the install state of the application and reinstalling with that switch did the trick.