Archive for the ‘News’ Category.
31/01/2012, 8:57 am
If you have ever had anything to do with Outlook in your organisation you will no doubt have some experience (pain) with the use of PST files. PST files are of course the main way users can store their email information on their local hard drive or network share (network-stored PST files: don’t do it), thus avoiding the email mailbox size limits. Of course PST files have many problems and pose a nightmare for network admins when someone says they have either lost a PST file or, worse, it has become corrupted. While it is really easy for people to say let’s just ban all PST files, the reality of this is a lot more difficult…
With the new Archives feature in Exchange 2010 and its support for lower cost storage this has started to allow users to have bigger mailboxes. Office 365 even gives users a default mailbox size of 25 GB (up to unlimited) depending on the plan the user is signed up for. The problem is that users could still have PST files even though they might now have plenty of space in their mailbox…
Well, Microsoft has just announced they have released a tool that allows admins to automatically crawl users’ computers and import PST files into Exchange Online or Exchange 2010.
Download http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28767
So you might be wondering what this has to do with Group Policy… well… once you have completed the migration of the PST files you can then implement the “Prevent users from adding new content to existing pst files” policy setting to stop users ever, ever, ever, ever using PST files again….
25/01/2012, 1:49 pm
Microsoft has just released Security Compliance Manager v2.5 beta (https://connect.microsoft.com/site715/program2682) along with a heap of new security baselines for you to use to compare against your environment. In case you are not familiar with SCM, it is a great product from Microsoft that consolidates all the best practice for their software with an in-depth explanation for each setting.
Notably this new version has security baselines for Exchange Server 2010 and 2007. These baselines are also customised for the specific role of the server. Also interesting is that the baseline settings include not only Group Policy computer settings but also PowerShell commands to configure aspects of the product that are not as simple to change as a registry key.

As you can see from the image below the PowerShell script to perform the required configuration is listed in the detail pane…

As yet I can only assume you need to copy the PS command and make your own script for you to run against your Exchange server. Still better than nothing… and the software is still beta so we are likely to see more improvements soon…
23/01/2012, 11:00 pm
One of the most common complaints I hear about Group Policy is that it makes the logon slow… Well.. I have been using the Windows Developer Preview of Windows 8 for a while now and I have only just discovered a cool new feature that might just help address this issue.
When you run a GPRESULT report on a computer it will now show the time it takes to process the individual components of Group Policy so you can much more easily determine what is making your computer run “SLOW”… If you look under the “Component Status” section of the GPResult report it now lists the “Time Taken” to process the core Group Policy Infrastructure and each of the extensions. Now you can tell if it is actually Group Policy and/or one of the many, many, many, many…. many… settings you apply to your computer that is slowing down your computer start up…
TIP: Clicking on the blue date time will give you the “Processing Details” window.

15/12/2011, 11:27 pm
Microsoft has just released a report (see AppLocker Deployment at Microsoft) describing the process they used to implement AppLocker via Group Policy. This was done so that Microsoft would maintain compliance with the U.S. Digital Millennium Copyright Act (DMCA) by preventing all their computers from running P2P software.
The report shows that after they fully rolled out the AppLocker policy setting the number of P2P cases dropped to nearly 0%. It was also interesting that the report noted that there was not a single support call regarding AppLocker for all 200,000 computers when the settings were rolled out.
“Not a single support call for an AppLocker-related problem has occurred.”

This document focuses more on the process for testing and deployment of AppLocker in a large environment rather than the exact technical steps. I assume what made this a lot easier for Microsoft is that the most popular BitTorrent client, uTorrent, is a digitally signed program. This makes it a lot easier for AppLocker to identify the application as it only needs to look at the digital signature to determine if the program should be blocked, meaning that they do not have to constantly update the Group Policy setting with a new hash value whenever a new version of the client is released.
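
The difference between the two rule types, as an added example that is not taken from the Microsoft report or from this blog: a constructed policy in AppLocker's XML rule format with one publisher Deny rule and one hash Deny rule, checked by a simplified matcher against two builds of the same signed client. The publisher string, rule names, GUIDs and file contents are placeholders, and the matcher is a model of the rule logic, not AppLocker itself.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for two releases of one signed client. The publisher
# string, rule names and GUIDs below are placeholders, not values from the report.
SIGNER = "O=EXAMPLE P2P VENDOR, C=US"
BUILD_1 = b"constructed bytes for client build 1.0"
BUILD_2 = b"constructed bytes for client build 2.0"

def file_hash(data):
    # Plain SHA-256 as a stand-in; AppLocker itself uses the Authenticode hash for PE files.
    return "0x" + hashlib.sha256(data).hexdigest().upper()

POLICY = f"""<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Deny by publisher"
     Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
   <Conditions>
    <FilePublisherCondition PublisherName="{SIGNER}" ProductName="*" BinaryName="*">
     <BinaryVersionRange LowSection="*" HighSection="*"/>
    </FilePublisherCondition>
   </Conditions>
  </FilePublisherRule>
  <FileHashRule Id="00000000-0000-0000-0000-000000000002" Name="Deny by hash of build 1"
     Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
   <Conditions><FileHashCondition>
    <FileHash Type="SHA256" Data="{file_hash(BUILD_1)}" SourceFileName="client.exe" SourceFileLength="{len(BUILD_1)}"/>
   </FileHashCondition></Conditions>
  </FileHashRule>
 </RuleCollection>
</AppLockerPolicy>"""

def deny_rules_hit(policy_xml, signer, data):
    """Names of Deny rules matching a file (signer=None: unsigned); product/binary/version treated as '*'."""
    hits = []
    for rule in ET.fromstring(policy_xml).iter():
        if rule.get("Action") != "Deny":
            continue  # skips the policy root, collections and condition elements
        for cond in rule.iter("FilePublisherCondition"):
            if signer is not None and cond.get("PublisherName") == signer:
                hits.append(rule.get("Name"))
        for fh in rule.iter("FileHash"):
            if fh.get("Data") == file_hash(data):
                hits.append(rule.get("Name"))
    return hits

for label, signer, data in [("build 1", SIGNER, BUILD_1), ("build 2", SIGNER, BUILD_2),
                            ("unsigned file", None, BUILD_2)]:
    print(label, "->", deny_rules_hit(POLICY, signer, data) or "no deny rule matches")
```

The hash rule stops matching as soon as the file contents change, while the publisher rule keeps applying to every build signed by the same publisher. A publisher condition only ever matches signed files, which is worth checking when planning rule coverage.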

Personally I certainly think BitTorrent software has a legitimate and legal place. For example check out The Tunnel Movie which was a full length movie that was released freely using BitTorrent. Rather ironically Windows has its P2P service built-in called Background Intelligent Transfer Service (BITS) which is used for distributing software updates to computers efficiently over WAN and LAN links.
However this is still a good case study of the process you need to take to roll out AppLocker to prevent users from running particular programs that, say, may not be a secure version (e.g. Adobe Reader v9, see http://blog.stealthpuppy.com/virtualisation/dont-virtualize-adobe-reader-x/).
If you are interested in instructions for using AppLocker then check out my other blog post Best Practice: How to configure AppLocker Group Policy in Windows 7 to block third-party browsers.
19/10/2011, 8:00 pm
So I am stuck in hospital for the next few days (I’m fine) but luckily I have my laptop with me so I am going to watch more of the BUILD session videos to see what titbits I can find out about Windows 8.
If you have not already read my other post about what is new in Windows 8 then also check out What is new in Windows 8.
Here we go…
- On 3G devices network operators will be able to have their own Metro style app automatically deployed to allow users to purchase, top-up and check their network usage.
- WiFi Direct will work with Network Virtualisation so you will be able to pair with a device and with an access point at the same time.
- Devices will be able to establish WiFi Direct connections using the proximity sensor… So just tap two devices together and they will be paired.
- Windows Update will change its behaviour based on the network you are connected to. It does not download updates via a “costed” (i.e. 3G) network connection.
- You can prevent dual homing of a computer via Group Policy (e.g. turn off WiFi when connected to Ethernet)
- Windows 8 can be notified about usage plan alerts via SMS messages from the network carrier. It then intercepts and parses these SMSs and displays the information to the user in the carrier’s Metro app.
- Windows 8 will have a class (standard) driver for 3G devices…. If the device firmware is class driver compliant then you will not need to install a third-party driver to make the device work.
- WiFi Auto Power save… This has been moved to the device and therefore has less power overhead…
- WiFi will now connect to the network in about 1 second when resuming from sleep, down from about 8 or 9 seconds in Windows 7.
- The WiFi device will be responsible for looking for network patterns that are Push Notifications for that computer. If it finds something it will then wake up Windows 8 to action the incoming notification.
- Windows will go out and download printer drivers for printers that have Metro style drivers published on the App Store.
- Windows 8 will automatically install any printers on your home network, but this is still controlled on a corporate network.
- You can play HTML5 Video, HTML5 Audio and Photos to a Play To device, e.g. a TV.
- NFC enabled devices can be used to share information such as interesting web sites…
- Will support (at least) 640 Logical Processors
- Will support (at least) 4 TB RAM
- Virtualisation Support Stats
  - 160 Logical Processors
  - 1024 Active VMs
  - 32 Virtual Processors per VM
  - 1024 Virtual Processors per Host
  - 512 GB per VM
  - 2 TB RAM per host
- NUMA support will work within a Virtual Guest
- 25% performance improvement on file servers
- RemoteFX now supports WAN, USB and Multitouch