Group Policy Central

Archive for January 2010

How to install and use Advanced Group Policy Management (a.k.a AGPM) v4

Advanced Group Policy Management (AGPM) allows organisations to implement change control and versioning for their Active Directory Group Policies. This allows multiple people to edit a Group Policy Object (GPO) without their changes going live the instant they are made. Any change to a GPO needs to be checked in, deployed and then approved before it ever makes it to production. The product effectively sits between Active Directory (AD) and the Group Policy administrators so that they never need to modify a GPO directly. To prevent AGPM being circumvented, a proper implementation should also remove all edit/modify permissions from all GPOs for everyone except, say, the service account and the built-in domain Administrator account.
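A check that supports the last point, added here as an example and not part of the original post: it lists every GPO where a trustee other than the ones you allow still holds edit rights, using the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT). The trustee names CONTOSO\svc-agpm and CONTOSO\Administrator and the function name are assumptions for this example; substitute your AGPM service account and domain.

```powershell
# Added example (not from the post): find GPOs that still grant edit rights to principals
# other than the AGPM service account and the built-in domain Administrator.
Import-Module GroupPolicy

function Get-GpoEditRightExceptions {
    param(
        # Assumed placeholder names; replace with your AGPM service account and domain
        [string[]]$AllowedTrustees = @('CONTOSO\svc-agpm', 'CONTOSO\Administrator')
    )
    # Permission levels that allow a GPO to be modified
    $editRights = @('GpoEdit', 'GpoEditDeleteModifySecurity')

    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in (Get-GPPermission -Guid $gpo.Id -All)) {
            if ($editRights -notcontains $perm.Permission.ToString()) { continue }

            # Build DOMAIN\Name (well-known principals such as SYSTEM have no domain part)
            $trustee = $perm.Trustee.Name
            if ($perm.Trustee.Domain) { $trustee = '{0}\{1}' -f $perm.Trustee.Domain, $perm.Trustee.Name }
            if ($AllowedTrustees -contains $trustee) { continue }

            New-Object PSObject -Property @{
                GPO        = $gpo.DisplayName
                Trustee    = $trustee
                Permission = $perm.Permission.ToString()
            }
        }
    }
}

# Report anything that could bypass AGPM; an empty result is the goal
Get-GpoEditRightExceptions | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Run it on a machine with the GPMC tools as an account that can read all GPOs. Groups that a default GPO grants edit rights to (Domain Admins, Enterprise Admins, SYSTEM) will appear in the report until you either remove their rights or add them to -AllowedTrustees as a deliberate decision.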

This guide is loosely based on the steps in the AGPM_40_Step-by-Step_Guide.pdf that comes with the AGPM v4 installation files; however this version is better (of course) because I have added images for most of the steps along the way.

Scenario. In this example an administrator will install the AGPM Server and Client. Then the user Alan will have Full Control delegated and the user John will have only Reviewer/Editor access. John will then create a new managed GPO, make a change to it and then deploy it for use in production. Alan will then review the GPO and approve the change. Finally Alan will “Manage” an existing unmanaged GPO.

Stage 1. Installing AGPM Client. 

It is best to install the Microsoft Advanced Group Policy Management Client on any computer in your organisation that has the Group Policy Management Console (GPMC) installed.

Step 1. Start the Advanced Group Policy Management – Client install.

Step 2. At Welcome dialog box, click Next.

image

Step 3. Tick I accept the license terms and click Next

image

Step 4. Confirm the install path and click Next

image

Step 5. Type the IP or DNS Name of the AGPM server and click Next

 image

Step 6. Leave all the languages selected and click Next

 image

Step 7. Click Install

image

Step 7a. Optional – Click on the Details button to see the components that will be installed.

image

Wait

image

Step 8. Click Finish to exit the Setup Wizard.

image

Stage 2. Installing AGPM Server


Step 1. Start the Advanced Group Policy Management – Server install.

Step 2. Click Next

image

Step 3. Tick I accept license terms and then click Next

image

Step 4. Confirm the Application path and click Next

image

Step 6. Confirm the Archive Path and click Next

image

Step 7. Enter the AGPM Service Account details. This account needs to have full access to all GPOs that you want to manage using AGPM. Then click Next

 image

Step 8. Enter the Archive Owner account (e.g. Contoso\Alan). This account is the first Full Control administrator in AGPM and is used to delegate permissions to other users. Then click Next

 image

Step 9. Confirm the Port (this needs to be the same as step 5 in the Install Client stage) and click Next

image

Step 10. Leave all the languages selected and click Next

 image

Step 11. Click Install

image

Step 11a. Optional – Click on the Details button to see the components that will be installed.

image

Wait

image

Step 12. Click Finish

image

Stage 3. Now you can configure the AGPM client via Group Policy to automatically connect to the AGPM server. In this example I modify the Default Domain Policy so that it applies to all servers and workstations.


Step 1. Edit the Default Domain Policy using the Group Policy Management Editor (GPME), navigate to User Configuration > Policies > Administrative Templates > Windows Components > AGPM and then edit AGPM: Specify default AGPM Server (all domains)

image

Step 2. Tick Enabled and then type the name/IP address followed by :Port number of the AGPM Server in the text field, then click OK

(Hopefully this is the last non-managed GPO change you ever make again)

image

Stage 4. Now you need to delegate permission to John so that he can review/edit GPOs.


Step 1. Open GPMC on a computer that you have installed the AGPM client on.

Step 2. Navigate to and click on the Change Control option, then the Domain Delegation tab, then click Add

image

Step 3. Select the user John, select Editor from the role field and then click OK

image

John now has Reviewer/Editor access to AGPM (that was easy!).

image

Stage 5. Creating a New Controlled GPO


Now you are going to log on as John and create a fresh new Controlled GPO and then have it approved by Alan.

Step 1. Logon as John to a computer that has GPMC and the AGPM client

Step 2. Open GPMC and right click on Change Control and then click on New Controlled GPO…

image

Step 3. Fill in the submission fields so that an email will be sent to the AGPM administrator to review the New Controlled GPO request, then click Submit

image

Step 4. Click Close

Note: In this example I don’t have a mail server configured so sending the email failed.

image

Step 5. Click on the Pending Tab. You can now see the Pending request waiting for approval.

image

Now we will approve the New Controlled GPO request.

Step 6. Logon as Alan to a computer that has GPMC and the AGPM client

Step 7. Open GPMC, right click on Change Control, click on the Pending tab, then right click on the pending request and click on Approve…

image

Step 8. Add a comment before you confirm the Approval action then click Yes

image

Step 9. Wait for it to Approve and then click Close

image

Note: It is at this stage that Alan can link the GPO manually to the Organisational Unit (OU).

Stage 6. Making changes to GPO


Now John will check out and edit a GPO from the archive and then Alan will approve the GPO once John has finished his changes.

Step 1. Logon as John to a computer that has GPMC and the AGPM client

Step 2. Open GPMC, click on Change Control and then the Controlled tab, then right click on the GPO you want to edit and click the Check Out… option.

image

Step 3. Now enter a comment for the GPO that describes the change you are about to make, then click OK

image

Step 4. Then click Close

image

Step 5. Go back to the GPO in the Controlled tab and right click on it and click Edit

image

Step 6. Now edit the GPO using the Group Policy Management Editor with the changes you want to make. Then when you are finished just close the GPME.

image

Step 7. Right click on the GPO and then click on Check In…

image

Step 8. Enter a description of the change that you want to associate with the check-in and then click OK

image

Step 9. Click Close

image

Step 10. Right click on the GPO and click Deploy…

image

Step 11. Fill out the comment field describing the change for the person who is to review it, then click Submit

Note: this is a good spot to put in your own Change Reference Number.

image

Step 12. Click Close

image

Step 13. Now, logged on as Alan, open the GPMC, open the Pending tab, then right click on the GPO and click on History

image

Step 14. Here you can review the modifications and the check-in/check-out history of the GPO

image

Step 16. You can also right click on the GPO, go to Differences and then click on HTML Report.

Note: This will give you an HTML report highlighting all the changes that have been made to the GPO. This way you can easily review just the settings that have changed, which helps if the GPO has numerous settings configured. Highlighted sections show the options that have changed.

image

Step 17. Once you are satisfied with the change right click on the GPO and click Approve…

image

Step 18. Again, add a comment to the GPO to be associated with the approval and then click Yes

image

Step 19. Click Close

image

Stage 7. Converting Uncontrolled GPOs to Controlled


Step 1. Logon as Alan to a computer that has GPMC and the AGPM client

Step 2. Open GPMC, click on Change Control and then the Uncontrolled tab, then right click on the GPO you want to “Control” and click on Control…

image

Step 3. Add a comment to the GPO as its initial comment, then click OK

image

This Group Policy is now controlled.

image

Hopefully this has given you enough of an introduction to AGPM to get it installed and start performing basic changes and approvals to GPO settings …

How to use Group Policy Preferences to dynamically map printers with Roaming Profiles

One of the great new features in Group Policy Preferences is the ability to map printers based on any number of criteria such as group membership, AD site or even IP address range, to name a few. This allows for some powerful scenarios, such as being able to map all the printers physically near a user based on the computer’s IP address. Note: This assumes that the networking team allocates the same subnets to computers that are near each other (e.g. a building or floor), but I have found this is often the case.

One of the problems that occurs when you map printers with Group Policy Preferences is that if the user has a roaming profile configured and they then log on to a computer located in another area, they will also still have their old printers from the previous area. Users might not really notice these printer mappings building up over time, but they can soon amass a large number of mappings that make their computer slow to log on.

Question. So how do you map all the printers in one location but not have them follow you to another location if you are using a roaming profile?

Answer. It is a two-step solution which I will go through below. There is also an optional third step that addresses the problem of maintaining the default printer mapping once a user gets back to their normal location.

Step 1. The first part is just to create a simple printer mapping that is targeted by the IP address of the user’s current computer.

New Shared Printer

Figure1. Create New Shared Printer

The image below shows the printer “\\server\printer1” being mapped for users that log on to a computer in the 10.1.1.0/24 subnet. It is important to note that we are talking about the IP address range of the computer on which you want to map the printer, not the IP address range of the print server or the printer NIC itself.

Target setting

Figure 2. Target setting to only be mapped for computers between 10.1.1.0 to 10.1.1.255

image

Figure 3. Resulting printer mapping

Step 2. The second step is to delete the printer mapping if the IP address of the computer does not fall within the IP address range in which you want the printer mapped. To do this we start by copying the existing printer mapping that we made in step 1. This avoids making any typos in either the printer queue name or the IP addresses.

image

Figure 4. Copying the existing printer mapping made in step 1.

image

Figure 5. Paste the setting into an unused part of the pane

image

Figure 6. Both printer mapping entries

Now we change the action on the second printer mapping and its targeting so that it will remove the printer mapping when the user logs on to a computer in another area.

image

Figure 7. Open the properties of the second printer

image

Figure 8. Change the Action to “Delete”

image

Figure 9. Go back to the targeting and change it to an “Is Not” between “10.1.1.0” and “10.1.1.255”

image

Figure 10. New target rule

image

Figure 11. Two printer entries to map and then clean up the printer queues for a user based on their location.

Step 3. Maintaining Default Printer Mappings

You have now configured dynamic printer mapping for your users based on their location. However this solution does have one problem/annoyance: users normally like to set a default printer. If a user was to log on to a workstation in another location and then return to their normal desk, their default printer will have been reset as it will have been removed. To get around this problem we have to add another rule to the targeting on the Delete printer item so that it does NOT delete the printer if it is configured as the default printer. To do this we check the registry location where the default printer is saved and test whether the printer we are deleting is the default printer.

So go back to the targeting options for the Delete printer action and add another test that checks whether the printer is the default printer.

image

Figure 12. Add a new Item of type “Registry Match”

image

Figure 13. Configured Registry Match Setting

Change the Match Type to “Match value data” and the Value data match type to “Substring match”, as the value we are looking for will also contain other information that we don’t care about. Make sure the Hive is set to “HKEY_CURRENT_USER” and the Key Path is set to “Software\Microsoft\Windows NT\CurrentVersion\Windows”. The Value name “Device” is where the default printer information is saved in the registry. We then set the Substring to “\\server\printer1”, which is the UNC path to the printer queue. Note: The substring value has to be exactly the same as the value set in the Path for the printer mapping.
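The combined targeting logic of steps 1 to 3, written out as an added PowerShell example (not part of the original post) so it can be checked offline before the GPO goes live: entry 1 creates the mapping when the computer’s address is in range, entry 2 deletes it when the address is out of range unless the “Device” registry value shows the printer is the user’s default. The function names, the constructed Device value and the 10.1.1.x sample addresses are assumptions made for this example.

```powershell
# Added example (not from the post): models the two GPP printer entries from this article.
# Entry 1 (Action: Create)  targets IP Address Range IS 10.1.1.0-10.1.1.255
# Entry 2 (Action: Delete)  targets IP Address Range IS NOT that range
#                            AND Registry Match (Device contains the UNC path) IS NOT true,
#                            i.e. the Registry Match item must be negated for the default printer to survive

function ConvertTo-IPv4Number {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # Dotted quad to a single number so ranges can be compared numerically
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Test-IPv4InRange {
    param([string]$Address, [string]$RangeStart, [string]$RangeEnd)
    $n = ConvertTo-IPv4Number $Address
    return ($n -ge (ConvertTo-IPv4Number $RangeStart)) -and ($n -le (ConvertTo-IPv4Number $RangeEnd))
}

function Get-DefaultPrinterDeviceValue {
    # The registry value the post's Registry Match item reads. The data looks like
    # "\\server\printer1,winspool,Ne02:" (printer,driver,port), hence the substring match.
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    return (Get-ItemProperty -Path $key -Name Device -ErrorAction SilentlyContinue).Device
}

function Test-DefaultPrinter {
    param([string]$PrinterPath, [string]$DeviceValue)
    if (-not $DeviceValue) { return $false }
    # Equivalent of "Match value data" + "Substring match"; UNC paths are not case sensitive
    return $DeviceValue.IndexOf($PrinterPath, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Resolve-PrinterMappingAction {
    param(
        [string]$ComputerAddress,
        [string]$PrinterPath = '\\server\printer1',
        [string]$RangeStart  = '10.1.1.0',
        [string]$RangeEnd    = '10.1.1.255',
        $DeviceValue         = $null   # untyped so '' (no default printer) is distinct from "read the registry"
    )
    if ($null -eq $DeviceValue) { $DeviceValue = Get-DefaultPrinterDeviceValue }
    $inRange   = Test-IPv4InRange -Address $ComputerAddress -RangeStart $RangeStart -RangeEnd $RangeEnd
    $isDefault = Test-DefaultPrinter -PrinterPath $PrinterPath -DeviceValue $DeviceValue

    if ($inRange)        { return 'Create' }   # entry 1 applies
    if (-not $isDefault) { return 'Delete' }   # entry 2 applies
    return 'None (kept: printer is the default printer)'
}

# Constructed sample: the user's default printer is \\server\printer1
$defaultIsPrinter1 = '\\server\printer1,winspool,Ne02:'
Resolve-PrinterMappingAction -ComputerAddress '10.1.1.57' -DeviceValue $defaultIsPrinter1
Resolve-PrinterMappingAction -ComputerAddress '10.1.2.57' -DeviceValue ''
Resolve-PrinterMappingAction -ComputerAddress '10.1.2.57' -DeviceValue $defaultIsPrinter1
# Omit -DeviceValue to test against the live registry value of the current user
```

The three sample calls walk the cases in the order the article builds them: in range (create), out of range with no default printer (delete), and out of range while the printer is the default (left alone). Remember to evaluate the address of the computer the user logs on to, not the print server, exactly as the article stresses.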

There, now you know how to use Group Policy Preferences to map and remove network printers for users based on their physical location, avoiding the build-up of mappings if your users have roaming profiles while still preserving their default printer.

Get TechNet Subscription 28% discount with promo code

Microsoft has just released a new TechNet Subscription discount code for any IT Pro who wants to evaluate and test Microsoft software. This is a great way to get your hands on and test Microsoft software for a business to make sure it’s the right solution for your needs.

If you are a Group Policy administrator this is a great way to download and evaluate Advanced Group Policy Management (AGPM) 4.0, which can be found under the Servers > Desktop Optimization Pack package.

Check out Keith Combs’ blog for more details and the discount code.

Source: Keith Combs’ Blahg : New TechNet Subscription 28% discount with promo code TNITE06

Group Policy Setting of the Week 11 – Prompt for password on resume from hibernate /suspend

The setting of the week this time highlights the one and ONLY power management policy that has been around since Windows 2000. “Prompt for password on resume from hibernate / suspend” can be found under User Configuration > Administrative Templates > System > Power Management. Until Windows Vista came along this was the only power management setting that could be deployed via Group Policy, so many people had to resort to third party tools to manage power plans in Windows via Group Policy.

Note: For more information about configuring power plans using group policy see my other article HERE.

Nonetheless this is still a very important setting that most SOEs I have seen have enabled, to ensure that users are prompted for a password whenever their computers wake from hibernate or suspend.

image

Not having this enabled could allow a user to configure the laptop to auto-login on resume. As you can imagine this is not very good, as a bad guy could steal a laptop while it is hibernating/sleeping, then power it on and have access to all the data with no effort.

Recommended Configuration: Enabled

Best Practice: How to schedule a delayed start logon script with Group Policy

Logon Scripts!!! I hear you yelling at me about why I am doing a tutorial about logon scripts when Group Policy Preferences is supposed to allow me to stop using my logon scripts. Well, in a utopian world there would be no logon scripts to maintain; however there are still some situations where you might have to execute a program at logon. One example I recently saw on the Group Policy Forums was a person who wanted a way to delay the launching of the browser so as to not add additional delay to the user’s logon on what was already a slow computer. This is somewhat similar to the Delay Start option for services that was introduced in Windows 7.

Prerequisites: This is a Windows Vista+ configuration as Windows XP has a more limited scheduling engine. If you really want to do this on Windows XP (sucks to be you) you could run the script with some third party delay/timeout tool in it and just have it run from the user’s “Startup” Start Menu folder…


Step 1. In a Group Policy Object (GPO) that is targeted at all the users (or most of them) for whom you want the delayed start program/action to run, go to “User Configuration” > “Preferences” > “Scheduled Tasks”, then go “Action” > “New” > “Scheduled Task (Windows Vista and later)”. Then type the display name of the script in the “Name” field (see image 1) and click on the “Triggers” tab.

Note: In this example we are just going to be running a command prompt so the Name is “CMD.exe”.

Image 1: Scheduled Task Properties


Step 2. On the Triggers tab click the “New” button. Change the “Begin the task” drop down option to “At log on” and then tick “Delay task for:” and configure the delay from the drop down menu (see image 2). Then click “OK”

Note: Unfortunately this option does not seem to be user configurable, so for the purposes of a logon script “30 seconds” and “1 minute” are the only practical options.

Image 2: New Trigger


Step 3. You should now have the trigger configured for your event that looks like the image below (see image 3). Now click on the “Actions” tab.

Image 3: Configured Trigger


Step 3. In the “Actions” tab click on the “New” button and then configure the action you want to take. Again, in this example we are just going to be running a command prompt, so configure the “Action” to “Start a program” (see image 4).

Note: You can also use this option to send an e-mail or even display a pop-up message to the users. Very handy if you used to use the “net send” program in Windows XP before Service Pack 2, when it was disabled due to security issues.

Image 4: New Action


Step 4. Configure the “Program/Script” to run to “C:\Windows\system32\cmd.exe” then click “OK” (see image 5).

Image 5: New Action


Step 5. Click “OK” (see image 6)

Image 6: Actions Tab


Now you are done. The task is scheduled and it will be pushed out to all your users at the next Group Policy refresh (see image 7).

Note: If you don’t want this to apply to all your user accounts you can also use the Group Policy Preferences targeting options to refine the targeting.

Image 7: Scheduled Tasks


Below is the view of the scheduled task as configured on the computer (see images 8, 9 & 10).

Note: The settings tabs are greyed out because the task is being controlled by Group Policy.

Image 8: Scheduled Tasks General Tab


Image 9: Scheduled Tasks Triggers Tab


Image 10: Scheduled Tasks Actions Tab

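To confirm on a client that the task Group Policy Preferences pushed out matches what was configured in steps 1 to 5, here is an added PowerShell example (not from the original post) that reads a task’s XML definition and reports the logon trigger delay and the action command. It uses the Schedule.Service COM object, which exists on Windows Vista and later, because the Get-ScheduledTask cmdlet is not available on Vista or Windows 7. The function names, the constructed sample XML and the task folder default are assumptions made for this example.

```powershell
# Added example (not from the post): verify a GPP-deployed logon task on a Vista+ client.

function Get-ScheduledTaskXml {
    param([string]$TaskName, [string]$FolderPath = '\')   # GPP creates tasks in the root folder by default
    $service = New-Object -ComObject 'Schedule.Service'
    $service.Connect()
    return [xml]($service.GetFolder($FolderPath).GetTask($TaskName).Xml)
}

function Get-LogonTaskSummary {
    param([xml]$TaskXml)
    $task    = $TaskXml.Task
    $trigger = $task.Triggers.LogonTrigger
    # Delay is an ISO 8601 duration such as PT30S or PT1M (the two practical choices from step 2)
    $delay = [TimeSpan]::Zero
    if ($trigger -and $trigger.Delay) { $delay = [System.Xml.XmlConvert]::ToTimeSpan($trigger.Delay) }
    $command = $task.Actions.Exec.Command

    New-Object PSObject -Property @{
        HasLogonTrigger   = [bool]$trigger
        DelaySeconds      = [int]$delay.TotalSeconds
        Command           = $command
        # A bare program name is resolved via PATH at run time; step 4 deliberately uses a full path
        CommandIsFullPath = [bool]($command -and [System.IO.Path]::IsPathRooted($command))
    }
}

# Constructed sample of the XML the CMD.exe task from this post would produce
$sampleXml = [xml]@'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Delay>PT1M</Delay>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\system32\cmd.exe</Command>
    </Exec>
  </Actions>
</Task>
'@
Get-LogonTaskSummary -TaskXml $sampleXml

# Live check on a client (uncomment); the task name is the Name field from step 1
# Get-LogonTaskSummary -TaskXml (Get-ScheduledTaskXml -TaskName 'CMD.exe')
```

Running the live check after a Group Policy refresh gives you the trigger delay and command path that actually landed, which is easier to read than the greyed-out property tabs in images 8 to 10 and is a quick way to spot a task whose action points somewhere it should not.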