Group Policy Central

If you have have been using the some what simple hack I mentioned to make Group Policy Preference work with Internet Explorer 9 you will be relieved to know that Microsoft have now fixed an official hotfix to make this work.

You can get read the full Microsoft Kb article at http://support.microsoft.com/kb/2530309 .

However you should take special attention at the two notes:

This update does not re-write the version information for existing settings. Instead, you must define a new set of Internet Explorer settings in a new or existing Group Policy Object.

Meaning you will need to re-created the Group Policy Preference before the policy will apply to a computer running IE9.

This update does not create a new Internet Explorer 9 UI item. However, when define new Group Policy Preferences settings, and you select the Internet Explorer 8 option, this setting now applies both to Internet Explorer 8 and to Internet Explorer 9

This means that you will NOT see an Internet Explorer 9 option in the Internet Settings menu (see image below), however using the IE8 option will work with IE9.

If we take a closer look at the “InternetSettings.xml” after the hotfix has been applied shows the maximum version number is now set to “10.0.0.0” where previously this version was “9.0.0.0”. However you existing Internet Explorer Preferences will remain unaffected…

Thanks to Mark Feetham [MSFT] for leaving a comment on my previous blog post about this new hotfix.

Download it now from http://support.microsoft.com/kb/2530309

Microsoft have just released another two a few more Group Policy related hotfixes’. Below is the description of each issue that it resolves and link to the related KB Article.

GetGPOList function does not return all GPOs in Windows 7 or in Windows Server 2008 R2

Consider the following scenario:

• You have a computer that is running Windows 7 or Windows Server 2008 R2.
• You use the LocalSystem account to run a service on the computer.
• The service calls the GetGPOList function to query all Group Policy objects (GPO) that are applied on a computer.
• The Authenticated Users group is removed from the access control list (ACL) in an applied GPO.

In this scenario, the GetGPOList function does not return all applied GPOs. The function returns only GPOs that have the Authenticated Usersgroup in the ACL of the GPO.

When you use a GPO for application deployment in Windows 7 or in Windows Server 2008 R2, the deployment fails

In an Active Directory Domain Services (AD DS) environment, you cannot use a Group Policy Object (GPO) to deploy applications for installation on client computers that are running Windows 7 or Windows Server 2008 R2. When you try to apply the GPO, you receive an error message that resembles the following:

• Windows failed to apply the Software Installation settings

Group Policy logon scripts do not run in Windows 7 or in Windows Server 2008 R2

Consider the following scenario in an Active Directory domain environment:

• You deploy logon scripts by using Group Policy.
• You set logon scripts to run synchronously.
• You try to log on to a client computer that is running Windows 7 or Windows Server 2008 R2.

In this scenario, the logon scripts do not run before the logon process.

A user who has administrator permission can delete printers on a computer that is running Windows 7 or Windows Server 2008 R2 after you deploy the "Prevent deletion of printers" Group Policy

Consider the following scenario:

• You deploy the Prevent deletion of printers Group Policy in your environment.
• You have a client computer that is running Windows 7 or Windows Server 2008 R2.
• A user who has administrator permission logs on to the client computer.

In this scenario, the user can still delete printers in Devices and Printers unexpectedly.

Microsoft has just released a new hotfix to address an issue with slow logon performance when you use AppData folder redirection.

Consider the following scenario in a network environment:

• You configure users to use roaming profiles to log on to a client computer that is running Windows 7 or Windows Server 2008 R2.
• You redirect the %AppData%\Roaming folder to a network share.
• You enable the Do not automatically make redirected folders available offline Group Policy setting on the client computer.
• You enable both of the following Group Policy settings for the %AppData%\Roaming folder:
  • Administratively assigned offline files
  • Turn on economical application of administratively assigned Offline Files
    

  This configuration specifies that only new files or folders in the %AppData%\Roaming folder are synchronized during the logon process.

In this scenario, the users encounter slow logon behavior on the client computer.

In addition to this hotfix you will also need to make some registry changes which of course you can easily deploy this using the Group Policy Preferences Registry Extension. 

Link http://support.microsoft.com/kb/981830

Microsoft today  announced (after what seems to be a very long time) they have RTM’d Windows 7 / Windows Server 2008 R2 Service Pack 1 and it will be released to the public on February 22nd.

Update: Service Pack 1 is now available for download for TechNet and MSDN subscribers.

Previously I had listed the hotfixes in the beta version of the service pack, so I have again combed through the hotfix list for you convenience and I have updated the list to include the release candidate hotfixes. While this is not the final list of hotfixes Ned Pyle [MSFT] says “it’s very doubtful that the lists below will be altered much” so you can pretty much take the following list as final. In any case I will review the list when the final list of fixes is out but for now here is the list of issues.

Updated: The final list of hotfixes is now out ( Here ) and after a quick look they appear to be the same as expected.

If you have anything to do with supporting group policy in your organisation then I recommend that you at least take a look at the articles to see if you have encountered any of the problem described.

You can also see the complete list of Active Directory Hotfix’s at Ask the Directory Services Team blog posting SP1 and Directory Services: What’s New .