Archive for the ‘KB Focus’ Category.
22/02/2011, 2:54 pm
I mentioned last week a few new Group Policy related Knowledge Base articles that were just released / updated. Well, Scott Goad from one of my favourite blogs (Ask the Directory Services Team) just published a round-up of all the Active Directory KB articles from 6th Feb to 19th Feb. So, for your convenience, I have extracted the relevant GP related KB articles and listed them below.
KB977611 – After you apply a GPO to redirect a folder to a new network share, the redirected folder is empty on client computers that are running Windows Vista or Windows Server 2008
KB976033 – "Terminal Session" targeting item does not work for a Group Policy preferences setting on a client computer that is running Windows Server 2008 or Windows Vista
KB2493933 – FIX: The "Validate server certificate" option is enabled on a computer that is running Windows Vista or Windows Server 2008 when you disable this option by using a Group Policy object
KB2460922 – Group Policy preference item-level targeting does not work for 64-bit versions of Windows 7
KB2301288 – A Remote Desktop Services session is disconnected automatically if you apply the "Interactive logon: smart card removal behavior" Group Policy setting in Windows Server 2008 R2 or in Windows 7
15/02/2011, 1:24 pm
Microsoft have recently released a couple of hotfixes relating to Group Policy. As you are probably aware, there are a number of Group Policy related hotfixes in Windows 7 / Windows Server 2008 R2 Service Pack 1, which is about to be released (on Feb 22nd 2011); however, these two particular patches are listed as being required even for Service Pack 1.
I do note that KB981704 has been out for a while and seems to have been just updated to reflect that it is still required for Service Pack 1.
KB981704 – The file name of an ADM file is displayed incorrectly in the GPMC report in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2.
KB2460922 – Group Policy preference item-level targeting does not work for 64-bit versions of Windows 7
18/05/2010, 3:14 pm
Microsoft recently released KB978098, which explains an issue with folder redirection when using the Advanced folder redirection setting. The advanced setting of this policy is used when you want to redirect users to different locations based on security group membership. This is very helpful if you have a large number of users in the same site and you don't want to store all their redirected folders in the same location, similar to how Exchange administrators distribute users amongst multiple mailbox databases.
Issue:
This issue is not with the size of the data in the redirected folder (as the name might suggest) but with the actual number of security groups you have used in the policy. The good news is that the number of groups you need to have configured before this becomes an issue is A LOT, so this is likely only going to affect large organisations.
The number of groups you can configure before this issue occurs depends on the OS on which you are editing the policy.
Windows Vista or Later = 670 (approx) Security Groups
Windows Server 2003 = 230 (approx) Security Groups
Problem
The problem occurs when the fdeploy(?).ini file under the Policies\GUID\User\Documents & Settings folder in the SYSVOL exceeds 32,767 characters due to the large number of GUIDs listed in the file.
Workaround
Option 1: The workaround in the KB is to split the Group Policy Object up so that each policy has fewer groups/redirected folders.
Option 2: If you have only edited the policy in Windows XP / 2003, then you can open the Group Policy Object with Windows Vista (or greater), as it will be “converted to a newer … .ini file format” that “lets you redirect more folders”.
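One way to spot affected policies in advance, as an added example (not from the KB or the original post): the PowerShell below scans a Policies folder for fdeploy*.ini files and reports how close each one is to 32,767 characters. The function name, the 80% warning threshold and the demo file contents are assumptions made for illustration.

```powershell
# Added example: report Folder Redirection settings files that are near or over
# the 32,767-character limit described in the post.
$LimitChars = 32767

function Get-FdeployIniUsage {
    param(
        [Parameter(Mandatory = $true)] [string] $PoliciesRoot,  # path to a Policies folder
        [int] $WarnPercent = 80                                 # assumed warning threshold
    )
    # The post is unsure of the exact name ("fdeploy(?).ini"), so match fdeploy*.ini.
    Get-ChildItem -LiteralPath $PoliciesRoot -Recurse -File -Filter 'fdeploy*.ini' |
        ForEach-Object {
            # ReadAllText honours the BOM, so this counts characters, not bytes.
            $chars = [System.IO.File]::ReadAllText($_.FullName).Length
            $gpo   = if ($_.FullName -match '\{[0-9A-Fa-f\-]{36}\}') { $Matches[0] } else { '(unknown)' }
            $pct   = [math]::Round(100 * $chars / $LimitChars, 1)
            $state = if ($chars -gt $LimitChars) { 'OVER' } elseif ($pct -ge $WarnPercent) { 'WARN' } else { 'OK' }
            [pscustomobject]@{
                Gpo            = $gpo
                File           = $_.Name
                Characters     = $chars
                PercentOfLimit = $pct
                State          = $state
            }
        }
}

# --- Demo on constructed data (a temp folder, not a real GPO) ---
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("fdeploy-demo-" + [guid]::NewGuid())
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000000}\User\Documents & Settings'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Constructed filler lines standing in for per-group entries; this is not the
# real file layout, only enough text to push the file past the limit.
$lines = 1..700 | ForEach-Object { "group-entry-$_=\\fileserver.example\share$_\%USERNAME%" }
Set-Content -LiteralPath (Join-Path $dir 'fdeploy.ini') -Value $lines -Encoding Unicode

Get-FdeployIniUsage -PoliciesRoot $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Against a live domain, point `-PoliciesRoot` at the Policies folder of your SYSVOL share; the scan only reads files.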
Disclaimer
This information is to be used at your own risk. Make sure you read the KB yourself and test any changes thoroughly before making changes in your environment.
Source: Errors when you have a large "Folder Redirection" policy settings file in Windows Vista, in Windows 7, in Windows Server 2008, or in Windows Server 2008 R2
29/04/2010, 9:00 pm
I have decided to start posting about some specific Group Policy related KBs that I have found useful in my time. I will make these postings whenever I come across them, so I will only post them on a semi-regular basis.
This KB Focus is KB274274, which talks about a problem you will encounter if you are trying to deploy a machine-targeted application from an install source that is on a server in another forest with which you have an external trust configured. The problem is that all authentication traffic that goes via an external domain trust is only NTLM based, whereas computer account authentication is only Kerberos based. This will present as an access denied error in the event log whenever the computer tries to install an application, no matter how much permission you try to apply to the source files. What's even more confusing is that when you are logged on as a user you will probably be able to access the file share fine, which makes this all the more difficult to troubleshoot.
Unfortunately, if you are in this situation you are pretty much left with no alternative other than to move the file share to a server that is located in the same forest as the computer that is installing the software, as “this behaviour is by design”. While it is not mentioned in the article, you might be able to get away with enabling guest access on the file server; however, this would require some pretty serious security relaxations, which is why it is definitely not recommended.