Archive for April 2010

More Group Policy hot fixes

Just found out about a few more hot fixes that Microsoft recently released for Group Policy.

KB979621 A removable storage device is disabled when you enable a Group Policy to deny write access or to deny read access to the device on a computer that is running Windows Vista or Windows Server 2008

Fixes an issue with removable storage devices being totally disabled when you configure the “Deny write” option for removable devices. This happens when you configure the option and shut down the computer. You will also get the error message “The device is disabled. (Code 22)” when you go to the properties of the device. This applies to the following types of devices:

  • CD and DVD
  • Floppy Drives
  • Removable Disks
  • Tape Drives
  • WPD Devices

For more info see http://support.microsoft.com/?kbid=979621

KB980628 The “Load a specific theme” Group Policy setting is not applied correctly on a computer that is running Windows 7 or Windows Server 2008 R2

Fixes a problem with specifying a theme to load when you also enable the Prevent changing desktop background option. For more info see http://support.microsoft.com/?kbid=980628

KB979731 Some Group Policy preferences are not applied successfully on computers that are running Windows 7 or Windows Server 2008 R2

For more info see http://support.microsoft.com/?kbid=979731

KB981877 You cannot open an HTML GPO report that is created by the German version of Windows Server 2008 R2 or of Windows 7

This hotfix resolves a problem creating an HTML report with a German version of GPMC. For more info see http://support.microsoft.com/kb/981877

Thanks to Aaron Parker for the heads up on KB981877.

New Windows 7 / Server 2008 R2 Group Policy hotfix round up

Last week Microsoft released a few new Group Policy hotfixes for Windows 7 and Windows Server 2008 R2. Below is a link to each KB article and my own short description of each hotfix.

KB981054 The Group Policy preference settings for the “Terminal Session” item-level targeting item are not applied in Windows 7 or in Windows Server 2008 R2.

This is a fix for a really cool feature of Group Policy Preferences which allows IT administrators to target settings based on the IP address of the RDP client. For more info see http://support.microsoft.com/kb/981054

KB981177 You can still unpin a program from the taskbar unexpectedly when you enable the “Do not allow pinning programs to the Taskbar” Group Policy on a computer that is running Windows 7 or Windows Server 2008 R2.

This hot fix is just a minor UI bug. For more info see http://support.microsoft.com/kb/981177 

KB981265 You cannot create a software installation Group Policy setting on a read-only domain controller in Windows Server 2008 R2.

This fixes a problem with GPMC trying to make a policy change against a read-only domain controller when someone tries to create an “assigned” software deployment. For more info see http://support.microsoft.com/kb/981265

KB981750 Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: “An error has occurred while collecting data for Software Restriction Policies”.

This fixes the error message you get when you access Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies, caused by a bug in GPMC calling an incorrect function when reading a multi-string type registry key. For more info see http://support.microsoft.com/kb/981750

Hope you find these useful, but as always make sure you thoroughly test any hotfix before you deploy it into production.

Group Policy Setting of the Week 22b – DNS Servers

I used to think that it was not possible to set IP address information via Group Policy; however I did some checking this week and was pleased to find that there is a way to configure your computers’ DNS server addresses. Unfortunately this setting only applies to Windows XP, but lots of people still use XP so it is still somewhat relevant. This setting is simply called “DNS Servers” and can be found under Computer Configuration > Administrative Templates > Network > DNS Client.


Figure 1.

To configure this setting simply tick Enabled and type the IP address of each DNS server with a space between them.

While DNS server settings are normally configured via DHCP, this option can be really handy when you have two separate Active Directory forests on the same LAN. This is common where two companies have physically merged but still run separate AD forests connected to the same network. For name resolution you can set up DNS forwarders from forest A to forest B; however this does not work for dynamic DNS registration of the computer names.

Note: When this setting is applied it is a little bit tricky to confirm that it has actually applied, as both the network properties (see figure 2.) and even ipconfig /all will still show the manually configured DNS settings (see figure 3.). However if you do an NSLOOKUP (also see figure 3.) you will notice that the DNS server it uses is the DNS server configured in the Group Policy, or alternatively you can just rely upon an rsop.msc report.


Figure 2.


Figure 3.
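Because ipconfig and the adapter properties keep showing the manual addresses, here is an added PowerShell check (not part of the original post) that compares what the policy pushed with the resolver nslookup actually queries. It assumes the “DNS Servers” policy stores its space-separated list in the NameServer value under the DNSClient policy key, and it parses the server line of nslookup’s output.

```powershell
# Added example: confirm on a client which DNS server the "DNS Servers"
# policy is really pushing. Assumption: the policy writes its list to the
# NameServer value under the DNSClient policy key read below.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policyValue = (Get-ItemProperty -Path $policyKey -Name NameServer `
                   -ErrorAction SilentlyContinue).NameServer

if (-not $policyValue) {
    Write-Warning "No 'DNS Servers' policy value found; run gpupdate /force and retry."
    return
}

# The policy stores the addresses space-separated, exactly as typed in the GUI.
$policyServers = $policyValue -split '\s+' | Where-Object { $_ }
"Policy-configured DNS servers: $($policyServers -join ', ')"

# nslookup prints the server it queried first ("Default Server:" / "Address:");
# that line reflects the policy, whereas ipconfig /all still shows the manual entry.
$nslookupOutput = nslookup $env:COMPUTERNAME 2>&1 | Out-String
$inUse = [regex]::Match($nslookupOutput, 'Address:\s+([0-9.]+)').Groups[1].Value
"Resolver actually used:        $inUse"

if ($policyServers -contains $inUse) {
    "OK: the resolver in use comes from the Group Policy setting."
} else {
    Write-Warning "Resolver $inUse is not in the policy list; check the rsop.msc report."
}
```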

TechNet Edge – Offline Folders and Folder Redirection with Anjli

Not strictly a Group Policy video, but it does relate heavily to my Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) blog post.

Anjli is a program manager on the Windows team. Adam Bomb met with her recently to talk about offline folders and folder redirection in Windows. She talked about how the technologies work, when they should be used, and some of the ways we’ve improved the performance from previous releases. For more info, check out the whitepaper "Choosing an Appropriate User State Virtualization Solution". The Windows team blog also has some good posts on User State Virtualization here and here.
For more video goodness, there’s a 3 part series on user state scenarios located here.

Best Practice: How to configure AppLocker Group Policy in Windows 7 to block third-party browsers

One of the problems that face IT administrators today is keeping up with all the security updates you need to deploy to your computers to keep them secure. This is exacerbated by the very large number of security updates associated with running multiple browsers. Also, having multiple browsers on the network could mean that you have fully patched one browser using your patch management system only to have a user use a different browser that is completely unpatched. Another reason IT administrators might want to block third-party browsers is their lack of Group Policy support, which makes it very difficult for administrators to configure the browser to corporate standards (e.g. home page and/or security settings). Luckily Windows 7 comes with a new feature called AppLocker that prevents the user from running a particular executable, which can be used to block all but authorised internet browsers.

AppLocker is a new feature in Windows 7 that allows system administrators to block a particular executable from running on a computer. It is an enhanced version of Software Restriction Policies, which did a similar thing in Windows XP/Vista but could only block programs based on a file name, path or file hash. AppLocker takes it a step further and allows administrators to block executables based on their digital signature. The benefit of basing the rule on a digital signature is that you can block programs based on a combination of the version, program name or even vendor name. This means that even if the vendor updates the program with a new version (which happens often with browsers) the AppLocker rule will still apply, greatly saving administrative overhead. You can also set the rule based on the program version, which means you can set a minimum supported version that is allowed to run. Another advantage is that AppLocker applies to any program that runs on the computer, meaning that no matter where the program is being run from (e.g. a USB memory stick) it will be prevented from running.


Note: You can also use this tutorial to block the running of any other program, whether it be from a third party or even from Microsoft. In this example I show you how to block Google Chrome from running on any of the computers in your network; however you can just as easily apply the same process to any other browser (e.g. Firefox, Safari).

Step 1. Edit the Group Policy Object that is targeted at the computers you want to apply this policy to. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies and then click on “Configure rule enforcement”.


Step 2. Under Executable rules tick “Configured”, select the “Enforce rules” option from the drop-down menu and then click “OK”.


Step 3. Right click on “Executable Rules” and click on “Create New Rule…”


Step 4. Click “Next”


Step 5. Select “Deny” and then click “Next”


Step 6. Select “Publisher” condition and click “Next”

Note: The “Path” and “File hash” options are the same conditions that were available in Software Restriction Policies in Windows XP and Vista.


Step 7. Click on “Browse”


Step 8. Select the “chrome.exe” executable file and click “Open”

Note: Again, I have used Chrome as an example; you can easily select the executable of any other browser (including Internet Explorer) here as well if you want to block multiple browsers.


Step 9. In this example we are just going to accept the defaults and click “Next”.

Optional: If you want to block just a particular version of the browser (or program), or any version below a certain number, tick “Use custom values”, enter the version number in the “File version” field and select “And Below” from the drop-down menu.


Step 10. Click “Next”


Step 11. Click “Create”


Step 12. You will now be prompted to create some default rules that ensure you don’t accidentally stop Windows from working. Click “Yes” if you don’t already have these rules created.


Step 13 (Optional). If you also want this AppLocker rule to apply to computer administrators, right-click on the “BUILTIN\Administrators” rule and click “Delete”.


Step 14 (Optional). Click “Yes”


Your AppLocker rules are now set up.


Now there is one more thing you need to do to enable AppLocker on the computer…

Step 15. In the same Group Policy Object you were just editing navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and double click on the “Application Identity” service.

Note: This is the service that scans all files before they are executed to check the name, hash or signature of the executable. If it is not turned on then AppLocker will simply not work.


Step 16. Tick “Define this policy setting”, select “Automatic” and then click “OK”.


The “Application Identity” service should now show as Automatic in the System Services section.


You’re all done. Now when a user tries to run an unapproved browser (or program) they will be presented with a dialogue box telling them the program has been blocked.


If you want to make sure you have covered all the bases, you can create further deny rules for the other browsers in the same way.

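The same publisher deny rules built from PowerShell instead of the GPMC wizard, as an added example that is not from the original post. It assumes the AppLocker module on Windows 7 / Server 2008 R2, uses placeholder executable paths and a placeholder GPO LDAP path, and extends the tutorial to several browsers at once; the rule XML it writes is the standard AppLocker policy format.

```powershell
# Added example: script the Steps 5-16 deny rules for one or more browsers.
# Placeholders: adjust $Browsers and $GpoLdap for your environment.
Import-Module AppLocker

$Browsers = @(
    'C:\Program Files\Google\Chrome\Application\chrome.exe',   # assumed path
    'C:\Program Files\Mozilla Firefox\firefox.exe'             # assumed path
)
$GpoLdap    = 'LDAP://dc1.example.com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'
$PolicyFile = Join-Path $env:TEMP 'deny-browsers.xml'

function Escape([string]$s) { [System.Security.SecurityElement]::Escape($s) }

$rules = foreach ($exe in $Browsers) {
    # Step 8 equivalent: read the signature fields AppLocker matches on.
    $pub = (Get-AppLockerFileInformation -Path $exe).Publisher
    if (-not $pub) { Write-Warning "$exe is unsigned; use a hash rule instead."; continue }
    # Step 9 defaults: any version ("*"), rule applies to Everyone (SID S-1-1-0).
    @"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $(Escape $pub.ProductName)"
        Description="Unapproved browser" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Escape $pub.PublisherName)"
            ProductName="$(Escape $pub.ProductName)" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyFile -Encoding UTF8

# Check the decision before touching the GPO: each browser should report "Denied".
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Browsers -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# -Merge adds these rules alongside the Step 12 default rules instead of replacing them.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap $GpoLdap -Merge

# Steps 15-16 on a test client: rules are ignored unless Application Identity is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Run the Test-AppLockerPolicy line again against the effective policy on a client after gpupdate to confirm the rules arrived.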