If you have a lot of GPOs in your environment then you know that the process of comparing GPOs can be enormously time-consuming and difficult. Well, fellow Group Policy MVP Darren Mar-Elia (a.k.a. GPOGUY), CTO & Founder of SDM Software, has just released a new version of the GPO Compare tool. This is a super cool tool that allows you to quickly compare up to 4 Group Policy Objects. The thing I really like about this tool is that it allows you to compare multiple LIVE GPOs!!! That is great for tracking changes to live GPOs against baseline settings.
For a tour of the product, take a look at the video below:
If you have ever had anything to do with Outlook in your organisation you will no doubt have some experience (pain) with the use of PST files. PST files are of course the main way users can store their email information on their local hard drive or network share (Network stored PST files don’t do it), thus avoiding the email mailbox size limits. Of course PST files have many problems and pose a nightmare for network admins when someone says they have either lost a PST file or, worse, it gets corrupted. While it is really easy for people to say let’s just ban all PST files, the reality of this is a lot more difficult…
With the new Archives feature in Exchange 2010 and its support for lower cost storage, users can start to have bigger mailboxes. Office 365 even gives users a default mailbox size of 25 GB (up to unlimited) depending on the plan the user is signed up for. The problem is that users could still have PST files even though they might now have plenty of space in their mailbox…
Well, Microsoft has just announced they have released a tool that allows admins to automatically crawl users’ computers and import PST files into Exchange Online or Exchange 2010.
So you might be wondering what this has to do with Group Policy… well… once you have completed the migration of the PST files you can then implement the “Prevent users from adding new content to existing pst files” policy setting to stop users ever, ever, ever, ever using PST files again….
Removable memory sticks are the back door for data in any organisation. BitLocker to Go can go some way to controlling this vector, however you might want to simply close off all access to removable drives for all your users. So if you are running Windows 7 you will be glad to know there are a heap of Windows 7 GPO settings that allow you to control access to your removable devices.
Even better, there is a deny execute access policy setting that prevents your users from running BYO applications such as Firefox Portable, and even some malicious software, from USB sticks.
While most of the device types seem obvious, the WPD Device allows you to control access “to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.”
You can even configure the “Time (in seconds) to force reboot” which will enforce the change once it is applied to the computer.
These policy settings can be found under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
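To confirm on a client which of these restrictions actually applied, you can read the registry values the settings write. This is an added example, not part of the original post; the registry path, device-class GUIDs and Deny_* value names are not given in the post and are the ones these policy settings are known to use.

```powershell
# Added example: report the Removable Storage Access restrictions applied to this computer.
# Written for PowerShell 2.0 (Windows 7), so it avoids [pscustomobject].
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs the policy settings write under $base (WPD uses two).
$classes = @{
    'CD and DVD'      = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}')
    'Floppy Drives'   = @('{53f56311-b6bf-11d0-94f2-00a0c91efb8b}')
    'Removable Disks' = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')
    'Tape Drives'     = @('{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}')
    'WPD Devices'     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                          '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
}

function Test-PolicyFlag([string]$Key, [string]$Name) {
    # $true only when the DWORD exists and is 1; a missing key or value means "not configured".
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.$Name -eq 1)
}

function Get-RemovableStoragePolicy {
    # "All Removable Storage classes: Deny all access" takes precedence over per-class settings.
    $denyAll = Test-PolicyFlag $base 'Deny_All'
    foreach ($class in ($classes.Keys | Sort-Object)) {
        foreach ($guid in $classes[$class]) {
            $key = Join-Path $base $guid
            New-Object PSObject -Property @{
                Class       = $class
                Guid        = $guid
                DenyRead    = $denyAll -or (Test-PolicyFlag $key 'Deny_Read')
                DenyWrite   = $denyAll -or (Test-PolicyFlag $key 'Deny_Write')
                DenyExecute = $denyAll -or (Test-PolicyFlag $key 'Deny_Execute')
            } | Select-Object Class, Guid, DenyRead, DenyWrite, DenyExecute
        }
    }
}

$report = @(Get-RemovableStoragePolicy)
$report | Format-Table -AutoSize

# Flag the gap the post cares about: removable disks that can still launch executables.
$report | Where-Object { $_.Class -eq 'Removable Disks' -and -not $_.DenyExecute } |
    ForEach-Object { Write-Warning "Execute access from removable disks is not denied ($($_.Guid))" }
```

Run it from an elevated prompt after a `gpupdate /force`; a row of all `False` values means the GPO is not reaching that computer.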
It’s the best thing to control access to USB storage devices since the invention of the hot glue gun….
Today I experienced Serendipity with the error “Unable to find a default server with Active Directory Web Services running.” in PowerShell with Windows 7. This message was occurring when trying to create some new OUs using the New-ADOrganizationalUnit command. Initially I thought it was due to not having the required Active Directory PowerShell commands installed but then I realised that the “Import-Module ActiveDirectory” command was loading fine so that couldn’t be the problem.
About this time I then noticed a new blog post http://jorgequestforknowledge.wordpress.com/2011/12/12/the-active-directory-web-service-adws/ about the new Active Directory Web Services (ADWS) feature with 2008 R2 which explained why I was getting this message. The environment I was dealing with was a Windows 2008 only domain environment, meaning that there was no ADWS for PowerShell in Windows 7 to utilise. This article explained that both PowerShell and the Active Directory Administrative Center (ADAC) in Windows 7/2008 R2 used the WS-* protocols and therefore needed an ADWS server somewhere in the domain to work. Not having an ADWS DC in the environment meant that these tools would not work…
So to get around this issue you will need to either spin up a Windows Server 2008 computer to run the commands or apply the necessary KBs to some of the domain controllers in your environment to enable ADWS.
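Before installing anything, you can check whether any domain controller already offers ADWS. The script below is an added example, not from the original post or the linked article; it assumes a domain-joined computer and that ADWS listens on its standard TCP port 9389, which the post does not mention.

```powershell
# Added example: list domain controllers and whether each answers on the ADWS port.
# Uses only .NET classes, so it works on PowerShell 2.0 without the ActiveDirectory module.
Add-Type -AssemblyName System.DirectoryServices

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so an unreachable DC costs at most $TimeoutMs.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false      # refused, unresolved name, or reset
    } finally {
        $client.Close()
    }
}

function Get-AdwsStatus {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        New-Object PSObject -Property @{
            DomainController = $dc.Name
            OSVersion        = $dc.OSVersion
            # An open port shows a listener is present; it does not prove the service is healthy.
            AdwsReachable    = Test-TcpPort $dc.Name 9389
        } | Select-Object DomainController, OSVersion, AdwsReachable
    }
}

$status = @(Get-AdwsStatus)
$status | Format-Table -AutoSize

if (-not ($status | Where-Object { $_.AdwsReachable })) {
    Write-Warning 'No domain controller answered on TCP 9389; the AD cmdlets and ADAC will fail with the "Unable to find a default server" error.'
}
```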
Update: I just learnt that the AD PowerShell commands are only supported on Windows 7/2008 R2.
The moral of this story is that it’s always good practice to make sure that your server and client infrastructure are upgraded together due to the advantages of the tight integration the two products have with one another.
Jeffery Hicks (PowerShell MVP) has just recently written a PowerShell command called Get-GPOBackup to address issues with managing GPO backups.
The GroupPolicy module from Microsoft offers a great deal of functionality from a command line. In terms of regular maintenance or administration it is pretty hard to beat, especially if you have 100s or 1000s of GPOs. When you have such a large number, backing them up is critical and easy to accomplish with the Backup-GPO cmdlet. However, if you want to restore or import from a backup, you have to resort to the graphical Group Policy Management Console. I couldn’t find any way to manage GPO backups from PowerShell so I wrote my own.