31/05/2010, 12:42 pm
I just got my hands on the latest publication from Jeremy Moskowitz (fellow Group Policy MVP), “Group Policy – Fundamentals, Security and the Managed Desktop”, and as I found it to be a really great book on Group Policy I decided to do a review. This is an updated version of Jeremy’s previous Group Policy books, revised to cover the new Windows 7 and Windows Server 2003 R2 features, but of course it still covers the stubbornly popular Windows XP. In reading this book it is quite apparent that Jeremy brings his experience to it, as it is full of insightful real-world examples and notes. What’s also refreshing about this book (unlike MSPress books) is that it covers solutions using both native tools and third-party tools.
- Chapter 1 – Group Policy Essentials
- Chapter 2 – Managing Group Policy with GPMC
- Chapter 3 – Group Policy Processing Behaviour Essentials
- Chapter 4 – Advanced Group Policy Processing
- Chapter 5 – Group Policy Preferences
- Chapter 6 – Managing Applications and Setting Using Group Policy
- Chapter 7 – Troubleshooting Security with Group Policy
- Chapter 8 – Implementing Security with Group Policy
- Chapter 9 – Profiles: Local, Roaming, and Mandatory
- Chapter 10 – Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager
- Chapter 11 – The Managed Desktop, Part 2: Software Deployment via Group Policy
- Chapter 12 – Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Deploying Printers, and Shadow Copies
- Appendix A – Group Policy Tools
The only bad thing I can say about this book is that it is over 800 pages, so it’s fairly heavy to keep on your person all the time, BUT it also comes in digital format so you can download it for your Kindle or your iPad. Whether you are a novice or an expert, I thoroughly recommend that you purchase this book for your technical reference library, as it is both a great primer for beginners and an excellent reference for the more advanced policy administrators. If you’re still not sure, you can also click on the image above to take a look at an example chapter.
If you are after a copy of the book you can go to www.gpanswers.com/book and get a personally signed copy, or you can of course order it from Amazon if you want.
ISBN-13: 978-0470581858
http://cmp.ly/1
31/05/2010, 8:54 am
In this week’s setting I look at a new Windows 7 setting that reverts the sort order of folders back to the old way, sorting files and folders the same as Windows 2000 (and earlier). This policy setting is called “Turn off numerical sorting in Windows Explorer” and can be found under User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer.
As you can see from the “Numerical Sorting” example below, the folder list is sorted based on the numerical value of the folder name. This means that a single-digit number will be ordered higher than a number with two or more digits when sorting alphabetically.
Numerical Sorting (Setting Disabled or Not Configured)
If you take a look at the Literal Sorting example you can see that the number “10” is in position 2 because the sorting treats the number as literal text. You can get around this sorting problem by padding with zeros; however, you need to add enough zeros to match the number of digits in the largest number.
Literal Sorting (Setting Enabled)
Literal Sorting with padded zeros (Setting Enabled)
While it is unlikely that you will need to turn this on for all users in your organisation, it is possible that you have some folders on your file server that have been created in such a way that the new view method would cause a problem. Obviously in this case you would need to consider carefully whether you just need to turn this on for selected users.
26/05/2010, 7:00 am
Last week I showed you how to exclude individual users from having a Group Policy Object (GPO) applied, and this time I will show you how to properly apply a GPO to an individual user or computer. As I previously mentioned, it is always best to use a security group with GPO filtering even if you are only going to apply it to a single user or computer. This avoids ever having to go back and modify the GPO security filtering if you need to add more objects to the policy in the future.
Note: Before I start I should point out that a common mistake here is to remove “Authenticated Users” directly from the Security Filtering section on the Group Policy Object.
DON’T DO THIS!!!

You should never do this, as it can cause “Inaccessible” (see image below) error messages on Group Policy Objects in the Group Policy Management Console for anyone who is not a Domain Administrator. This happens because you have removed the ability for the user to read the contents of the GPO, but don’t worry, this does not mean the policy will be applied to that user.
Step 1. Select the Group Policy Object in the Group Policy Management Console (GPMC), click on the “Delegation” tab and then click on the “Advanced” button.
Step 2. Select the “Authenticated Users” security group, then scroll down to the “Apply Group Policy” permission and un-tick the “Allow” security setting.
Note: The “Allow” permission for “Read” still needs to remain ticked, as this prevents the Inaccessible message mentioned above.
Step 3. Now click on the “Add” button and select the group (recommended) that you want this policy to apply to. Then select the group (e.g. “Accounting Users”), scroll the permission list down to the “Apply Group Policy” option and tick the “Allow” permission.
This Group Policy will now only apply to users or computers that are members of the Accounting Users security group. However, you still need to remember that the user and/or computer still needs to be located under the scope of the Group Policy Object for this policy to be applied.
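The same three steps can be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original post; the GPO name is a hypothetical placeholder, and the final loop is an extra check that lists GPOs where “Authenticated Users” has been removed entirely (the mistake described in the note above).

```powershell
# Added example: requires the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

$GpoName   = 'Accounting Desktop Settings'   # hypothetical GPO name
$GroupName = 'Accounting Users'              # group used in Step 3

# Step 2: Authenticated Users keeps Read but loses Apply Group Policy.
# -Replace is needed to lower an existing level; without it the cmdlet
# makes no change when the trustee already holds a higher level (GpoApply).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Step 3: the security group gets Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# Review the resulting delegation on the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied

# Check: list GPOs where Authenticated Users has no permission entry at all,
# which is what produces the "Inaccessible" message for non-administrators.
Get-GPO -All | ForEach-Object {
    $entry = Get-GPPermission -Guid $_.Id -TargetName 'Authenticated Users' `
        -TargetType Group -ErrorAction SilentlyContinue
    if (-not $entry) { $_.DisplayName }
}
```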
25/05/2010, 10:10 am
(Wow… I have been doing this for 6 months now… how time flies… )
This week’s setting of the week is another old one; however, it is very important for any environment that is still running a Windows XP SOE. The “Do not allow Windows Messenger to be run” setting will prevent any user from running the Windows Messenger that comes out of the box with Windows XP. Now, Windows Messenger 4.6 that comes with Windows XP is no longer supported, but disabling the program should help avoid any confusion for users that also have Windows Live Messenger installed.
This is a user setting that can be found under User Configuration > Policies > Administrative Templates > Windows Components > Windows Messenger, and while it does say it applies to Windows XP, in reality this is only a Windows XP setting as there is no Windows Messenger in Windows Vista or above.
While most organisations already have this program removed from the SOE (see image below), this is a good safety net setting for anyone who has joined their non-SOE version of messenger to the domain.
Now to be clear, this will only prevent the user running Windows Messenger and not the likes of Windows Live Messenger or other third-party messenger programs.

This setting will not remove messenger from the computer but when the user clicks on the Windows Messenger link.
19/05/2010, 7:00 am
One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress that this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO.
Step 1. Open the Group Policy Object that you want to apply an exception to, then click on the “Delegation” tab and then click on the “Advanced” button.
Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.
Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list, then scroll down the permission list and tick the “Deny” option against the “Apply Group Policy” permission.
Now any members of this “Users GPO Exceptions” security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to manage, as someone only needs to modify the membership of the group to make changes to who (or what) gets the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical, as you don’t need to grant them permission to the Group Policy Objects.
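A scripted equivalent of the Deny step, as an added example that is not part of the original post. Set-GPPermission has no Deny level, so this sketch writes the Deny entry for the “Apply Group Policy” extended right directly onto the GPO's Active Directory object; the GPO name is a hypothetical placeholder and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: requires the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Accounting Desktop Settings'   # hypothetical GPO name
$GroupName = 'Users GPO Exceptions'          # exception group from Step 3

# rightsGuid of the "Apply Group Policy" extended right.
$ApplyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO -Name $GpoName
$group = Get-ADGroup -Identity $GroupName

# The GPO container lives under CN=Policies,CN=System in the domain;
# the Gpo object exposes its distinguished name in the Path property.
$path = "AD:\$($gpo.Path)"
$acl  = Get-Acl -Path $path

# Build the Deny ACE for the extended right and add it to the existing ACL.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$type   = [System.Security.AccessControl.AccessControlType]::Deny
$deny   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $group.SID, $rights, $type, $ApplyGpoRight

$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Read the ACL back and show every Deny entry on Apply Group Policy, so the
# exception groups on this GPO can be reviewed in one place.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $ApplyGpoRight -and
                   $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```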