18/09/2010, 1:00 am
According to my web tracking on this site, at least 10% of you are now running the IE9 beta that has just been released to the web. So for all you people on the cutting edge, I have just implemented some of the cool new Internet Explorer 9 features on my web site so that you can pin this site to the taskbar in Windows 7 and take advantage of jump lists.
To pin the site to the taskbar, simply drag the favicon from IE’s address bar and drop it onto your taskbar (see image below).

Now all you have to do to visit my site is click on the icon in the taskbar… How easy is that!!!

When you launch the site, notice how I have also customised the navigation button colour to match the web site colour.

The coolest new feature is the custom jump list tasks that I have configured so you can jump directly to the part of the site you visit the most.

I hope you enjoy these Internet Explorer 9 / Windows 7 integration enhancements and that they make your experience on this web site all the easier.
For more information on how to set up your own web site this way, visit Pinned Sites: Windows 7 Desktop Integration with Internet Explorer 9.
17/09/2010, 1:00 am
Recently, I have been working a lot with PowerShell to automate the creation of a full AD site OU structure (with Group Policy and all) along with all the necessary delegated permissions. One of the limitations of the out-of-the-box AD PowerShell commands is that there is no easy way (but apparently there is a really hard way) to delegate permissions to Active Directory OUs. Luckily, Quest Software have helped a lot here: they offer a set of FREE PowerShell commands for Active Directory called “ActiveRoles Management Shell for Active Directory”, one of which is Add-QADPermission, which greatly simplifies the process of delegating security in AD.
The Add-QADPermission command can be used to add a permission entry to the DACL in the security descriptor of any AD object with a distinguished name, such as users, computers or OUs. Therefore you can use it to delegate permissions to an OU, similarly to running the “Delegation of Control Wizard” in the Active Directory Users and Computers console (see image below).
This wizard allows you to delegate some common tasks (see below) to the OUs in your Active Directory; however, the permissions it applies are not simple, straightforward permissions.
What I will show you is how to perform some of the common delegation tasks offered by the “Delegation of Control Wizard” using a PowerShell command, so you can automate the process when creating new OUs in your environment. I know this is not strictly a Group Policy topic, but it is a closely related one and one I think many Group Policy admins will find useful.
The common tasks I will show you are the ones that I almost exclusively use when delegating permissions in Active Directory. They are:
- Create, delete and manage user accounts
- Reset user passwords and force password change at next logon
- Modify the membership of a group
Continue reading ‘Best Practice: How to delegate AD permission to Organisational Units using the PowerShell command Add-QADPermission’ »
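The three delegation tasks listed above, as an added PowerShell example (not code from the original post): a wrapper that maps each task to the access control entries the Delegation of Control Wizard applies and grants them with Add-QADPermission. The OU distinguished name and the group names are hypothetical, and the parameter usage should be confirmed with `Get-Help Add-QADPermission -Full` for the installed version of the ActiveRoles Management Shell.

```powershell
# Added example: the OU DN and group names are hypothetical placeholders.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

function Grant-OuDelegation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$OuDn,
        [Parameter(Mandatory = $true)][string]$Account,
        [Parameter(Mandatory = $true)]
        [ValidateSet('ManageUsers', 'ResetPasswords', 'ModifyGroupMembership')]
        [string]$Task
    )

    # Each task expands to the access control entries the wizard writes for it.
    $aces = @(switch ($Task) {
        'ManageUsers' {
            # Create/delete user objects in the OU and everything below it...
            @{ Rights = 'CreateChild,DeleteChild'; ChildType = 'user'; ApplyTo = 'All' }
            # ...and full control over the user objects themselves.
            @{ Rights = 'GenericAll'; ApplyTo = 'ChildObjects'; ApplyToType = 'user' }
        }
        'ResetPasswords' {
            # The "Reset Password" control access right on user objects.
            @{ Rights = 'ExtendedRight'; ExtendedRight = 'User-Force-Change-Password'
               ApplyTo = 'ChildObjects'; ApplyToType = 'user' }
            # Writing pwdLastSet is what forces a change at next logon.
            @{ Rights = 'ReadProperty,WriteProperty'; Property = 'pwdLastSet'
               ApplyTo = 'ChildObjects'; ApplyToType = 'user' }
        }
        'ModifyGroupMembership' {
            # Read/write only the member attribute of group objects.
            @{ Rights = 'ReadProperty,WriteProperty'; Property = 'member'
               ApplyTo = 'ChildObjects'; ApplyToType = 'group' }
        }
    })

    foreach ($ace in $aces) {
        if ($PSCmdlet.ShouldProcess($OuDn, "Grant $Task to $Account")) {
            Add-QADPermission -Identity $OuDn -Account $Account @ace | Out-Null
        }
    }
    # Return the entries the account holds on the OU so they can be reviewed.
    Get-QADPermission -Identity $OuDn -Account $Account
}

$ou = 'OU=Sydney,DC=example,DC=com'   # hypothetical OU
Grant-OuDelegation -OuDn $ou -Account 'EXAMPLE\Sydney-UserAdmins'  -Task ManageUsers
Grant-OuDelegation -OuDn $ou -Account 'EXAMPLE\Sydney-HelpDesk'    -Task ResetPasswords
Grant-OuDelegation -OuDn $ou -Account 'EXAMPLE\Sydney-GroupAdmins' -Task ModifyGroupMembership
```

Running any of the calls with `-WhatIf` lists the grants without changing the OU's DACL.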
16/09/2010, 11:00 am

Microsoft has now released the newest version of Internet Explorer, IE9 Beta, to the public (download it here). If you want to know more about the new features in IE9 then I recommend that you check out http://www.beautyoftheweb.com/ to see some of the fantastic stuff that this browser enables. If the new functionality alone is not enough to get you to use it, just remember that it is now fully hardware accelerated, which makes it much faster than any other browser on the market!!!
With any new version of IE there come new features, and with new features come new Group Policy settings, so below I go through the new policy settings and how you can get started right now with managing IE9 using Group Policy.
To get started you will need to download and install IE9 on whatever computer you use to run the Group Policy Management Console (a.k.a. GPMC) to edit your Group Policy settings. As with anything to do with Group Policy, it is normally best to make changes from a system that has the newest software in your organisation on it.
WARNING: This software is still Beta so you are strongly recommended to isolate any testing you do with IE9 and Group Policy from your production environment.
Continue reading ‘Internet Explorer 9 (Beta) Group Policy Settings’ »
14/09/2010, 6:00 pm
Homegroup is a new feature in Windows 7 that allows users on a small network to easily share all their files and printers with each other using a single share password. This greatly simplifies the process of securely sharing information on a home network, and it can include both domain-joined and non-domain-joined computers. As an IT administrator you may not want to encourage the use of this feature on your domain-joined computers, so there is an option to remove the Homegroup link from the Start Menu. This setting can be found under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar, and as Homegroup is a Windows 7 feature it can obviously only be configured on Windows 7 computers.
[Screenshots: Start Menu with Homegroup – Before; Start Menu without Homegroup – Enabled; Customize Start Menu – Enabled]
Note: This only removes the shortcut from the menu, so users can still configure a homegroup via the Control Panel.

For more information on this setting see http://gps.cloudapp.net/Default.aspx?PolicyID=4668
13/09/2010, 6:00 pm
You might think that AD time sync in your organisation is something that just works out of the box, but Sander Berkouwer has just done a post about what you need to do to set up time sync for Windows Server 2008 & R2. Apparently the default time sync server for Windows Server 2003 (time.windows.com) no longer works, so you need to make sure that your DCs are configured with a valid time source.
Check out the whole article here: The things that are better left unspoken : Active Directory Time Sync (broken by default)
Tip: One of the steps in the article is to configure the time server using the “w32tm” command on your PDC emulator. You can do this via Group Policy Preferences using the scheduled task option, and then use Item-Level Targeting to apply the command only to the computer name of your PDC emulator. By scheduling this command on a regular basis you can ensure that the time zone list of the server gets refreshed to the proper values periodically.