Archive for the ‘Tip’ Category.
31/01/2012, 8:57 am
If you have ever had anything to do with Outlook in your organisation you will no doubt have some experience (pain) with the use of PST files. PST files are of course the main way users can store their email on their local hard drive or a network share (network-stored PST files: don’t do it), thus avoiding the mailbox size limits. Of course PST files have many problems and become a nightmare for network admins when someone says they have either lost a PST file or, worse, it has become corrupt. While it is really easy for people to say “let’s just ban all PST files”, the reality of this is a lot more difficult…
With the new Archives feature in Exchange 2010 and its support for lower-cost storage, users can now have bigger mailboxes. Office 365 even gives users a default mailbox size of 25 GB (up to unlimited), depending on the plan the user is signed up for. The problem is that users could still have PST files even though they might now have plenty of space in their mailbox…
Well, Microsoft has just announced the release of a tool that allows admins to automatically crawl users’ computers and import PST files into Exchange Online or Exchange 2010.
Download http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28767
So you might be wondering what this has to do with Group Policy… well… once you have completed the migration of the PST files you can then implement the “Prevent users from adding new content to existing PST files” policy setting to stop users ever, ever, ever, ever using PST files again….
11/01/2012, 12:42 pm
Removable memory sticks are the back door for data in any organisation. BitLocker To Go can go some way to controlling this vector, however you might want to simply close off all access to removable drives for all your users. So if you are running Windows 7 you will be glad to know there are a heap of Windows 7 GPO settings that allow you to control access to your removable devices.
Even better, there is a deny execute access policy setting that prevents your users from running BYO applications such as Firefox Portable, and even some malicious software, from USB sticks.

While most of the device types seem obvious, the WPD Device allows you to control access “to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices”.
You can even configure the “Time (in seconds) to force reboot” which will enforce the change once it is applied to the computer.
These policy settings can be found under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
It’s the best thing to control access to USB storage devices since the invention of the hot glue gun….
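To confirm on a client that the Removable Storage Access settings above have actually landed, the following PowerShell reads the computer-side policy values back from the registry. It is an added example, not part of the original post; the registry location, the device-class GUID subkeys and the Deny_* value names are assumptions not stated on the page, so confirm them against the RemovableStorage.admx on your system.

```powershell
# Added example: report which Removable Storage Access deny settings are in effect.
# ASSUMPTION: key, GUID subkeys and value names as written by RemovableStorage.admx.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class subkeys used by the policy (WPD is covered by two classes).
$classes = @{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Floppy Drives'   = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    'Tape Drives'     = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
    'WPD Devices (1)' = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'
    'WPD Devices (2)' = '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
}

function Test-PolicyDword([string]$Path, [string]$Name) {
    # True only when the key exists and the named value is set to 1.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    return [bool]($item -and $item.$Name -eq 1)
}

function Get-RemovableStoragePolicy {
    # "All Removable Storage classes: Deny all access" overrides the per-class settings.
    $denyAll = Test-PolicyDword $base 'Deny_All'
    foreach ($name in ($classes.Keys | Sort-Object)) {
        $key = Join-Path $base $classes[$name]
        New-Object PSObject -Property @{
            DeviceClass = $name
            DenyAll     = $denyAll
            DenyRead    = Test-PolicyDword $key 'Deny_Read'
            DenyWrite   = Test-PolicyDword $key 'Deny_Write'
            DenyExecute = Test-PolicyDword $key 'Deny_Execute'   # not offered for WPD
        }
    }
}

Get-RemovableStoragePolicy |
    Format-Table DeviceClass, DenyAll, DenyRead, DenyWrite, DenyExecute -AutoSize
```

A row showing False in every column means no restriction from this policy reached the machine for that device class, which is the case to chase with gpresult.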
13/12/2011, 10:07 am
Today I experienced serendipity with the error “Unable to find a default server with Active Directory Web Services running.” in PowerShell on Windows 7. This message was occurring when trying to create some new OUs using the New-ADOrganizationalUnit command. Initially I thought it was due to not having the required Active Directory PowerShell commands installed, but then I realised that the “Import-Module ActiveDirectory” command was loading fine, so that couldn’t be the problem.
About this time I noticed a new blog post http://jorgequestforknowledge.wordpress.com/2011/12/12/the-active-directory-web-service-adws/ about the new Active Directory Web Services (ADWS) feature in 2008 R2, which explained why I was getting this message. The environment I was dealing with was a Windows 2008 only domain environment, meaning that there was no ADWS for PowerShell in Windows 7 to utilise. This article explained that both PowerShell and the Active Directory Administrative Center (ADAC) in Windows 7/2008 R2 use the WS-* protocols and therefore need an ADWS server somewhere in the domain to work. Not having an ADWS DC in the environment meant that these tools would not work…
So to get around this issue you will need to either spin up a Windows Server 2008 computer to run the commands or apply the necessary KBs to some of the domain controllers in your environment to enable ADWS.
Update: I just learnt that the AD PowerShell commands are only supported on Windows 7/2008 R2.
The moral of this story is that it’s always good practice to make sure that your server and client infrastructure are upgraded together, due to the advantages of the tight integration the two products have with one another.
Related KB’s:
Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2003-based domain controllers
Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2008-based domain controllers
Note: ADWS was included with Windows Server 2008 Service Pack 2.
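When you hit the “Unable to find a default server with Active Directory Web Services running.” error, it helps to see which domain controllers, if any, are offering ADWS. The script below is an added example, not from the original post: it uses only .NET classes, so it runs from a Windows 7 client even when the AD cmdlets cannot connect, and it assumes ADWS is on its default TCP port 9389.

```powershell
# Added example: list domain controllers and whether each answers on the ADWS port.
# ASSUMPTION: ADWS listens on its default TCP port 9389.
Add-Type -AssemblyName System.DirectoryServices
$AdwsPort = 9389

function Test-TcpPort([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000) {
    # TcpClient with a timeout; works on PowerShell 2.0.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false            # refused, unreachable or name not resolved
    } finally {
        $client.Close()
    }
}

function Get-AdwsDomainController {
    # Enumerate DCs over LDAP/DC locator, which does not depend on ADWS.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        New-Object PSObject -Property @{
            Name   = $dc.Name
            OS     = $dc.OSVersion
            AdwsUp = Test-TcpPort $dc.Name $AdwsPort
        }
    }
}

$results = @(Get-AdwsDomainController)
$results | Sort-Object Name | Format-Table Name, OS, AdwsUp -AutoSize

$adws = @($results | Where-Object { $_.AdwsUp })
if ($adws.Count -eq 0) {
    Write-Warning 'No domain controller answered on the ADWS port.'
} else {
    # An open port shows a listener, not a healthy service; test with a real cmdlet.
    "Try the AD cmdlets with: -Server $($adws[0].Name)"
}
```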
25/05/2011, 3:35 pm
Jeffery Hicks (PowerShell MVP) has just recently written a PowerShell command called Get-GPOBackup to address an issue with managing GPO backups.
The GroupPolicy module from Microsoft offers a great deal of functionality from a command line. In terms of regular maintenance or administration it is pretty hard to beat, especially if you have 100s or 1000s of GPOs. When you have such a large number, backing them up is critical and easy to accomplish with the Backup-GPO cmdlet. However, if you want to restore or import from a backup, you have to resort to the graphical Group Policy Management Console. I couldn’t find any way to manage GPO backups from PowerShell so I wrote my own.
Full explanation of the command can be found on his blog @ http://jdhitsolutions.com/blog/2011/05/get-gpo-backup/ as well as a link to download the command.
06/04/2011, 11:41 am
I just read an article that showed how to set a really cool registry key that allows you to change how the drive letter is displayed in Windows Explorer. As this hack is only a registry key, I thought I would do a quick how-to on deploying this feature using the Group Policy Preferences Registry Extension.
Below is an example of the options you have to show the drive letters:
| After (Default) | None |
| Mixed (Local After, Network Before) | Before |
The registry value that you use to configure this option is called “ShowDriveLettersFirst” and it can be applied to either the user or the machine.
Note: According to this Microsoft KB Article KB330193 it will only work as a Machine setting in Windows Vista.
ShowDriveLettersFirst
Key (User): HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Key (Machine): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Value: ShowDriveLettersFirst (REG_DWORD32)
Data: 0 (After)
Data: 1 (Mixed)
Data: 2 (None)
Data: 4 (Before)
Step 1. Edit a Group Policy Object that is targeted either to a user or a computer that you want to apply this setting.
Step 2. Create a New Registry Item using the above Registry details

Step 3. Click on the “Common” tab and tick “Remove this item when it is no longer applied”. I would also put a comment in the description field explaining the valid numbers and what they do for the setting, so someone else looking at this policy knows how to re-configure this option if needed.
Explanation: This will ensure the setting reverts to defaults if the computer no longer has this setting applied.

For more information on this registry key check out Microsoft KB330193
Source GHacks: Windows Explorer: Display Drive Letters Before Drive Names (via LifeHacker: Show Drive Letters Before The Drive Name In Windows Explorer)