Group Policy Central

Archive for the ‘Tutorials’ Category.

How to reset a Roaming Profile in Windows 7

If you are one of the many people who have checked out my Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) post, you probably know that roaming profiles can be a super useful feature to implement. However, over the years roaming profiles have got a bit of a bad rap, as sometimes things can and do go wrong. In these cases the IT administrator is usually left with no other option than to reset the user's profile to solve an issue with their account.

Tip: Make sure that the issue is related to the user's roaming profile by testing another account with the same or similar privileges on the same computer. If the other account also has the same issues, or if the issue does not follow the user to other computers, then it is highly unlikely to be a roaming profile issue.

So let's assume you have been troubleshooting this issue for many hours, you are at your wits' end and about to rip out your hair (if you have any), and you have decided to reset the user's profile… how do you do it?

In Windows XP days you could just delete the user's local and roaming profile files and the next time the user logged on they would generate a new profile. However, if you do this in Windows 7 you will find that this no longer works…

So what is the correct way to reset a roaming profile in Windows 7?

Step 1. Open Active Directory Users and Computers and go to the Profile tab of the user account you want to reset. Now take note of the roaming profile path….

Step 2. Reboot the user's computer that is having issues and log on with an account that has local admin rights and is NOT the account you are trying to fix.

Step 3. Open Control Panel and type “Advanced” in the search field then click on “View advanced system settings”

Step 4. Click on the “Advanced” tab and under User Profiles click the “Settings” button

Step 5. Now select the user whose profile you want to reset and press the “Delete” button.

Step 6. Press “Yes”

Now that the local copy of the roaming profile is deleted you also need to remove the network copy…

Note: If you have implemented folder redirection as per my Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) then the vast majority of the user's information will not be part of the user's roaming profile. This means that, other than a few program settings, the user is unlikely to lose any work. The exception to this is the AppData folder; however, if you are trying to preserve this folder as well, note that you may be copying over the issues that you are trying to fix.

WARNING: Always make sure you have everything backed up before deleting any user's profile.

Step 7. Before you log off that computer, go to the path you noted in step 1 and delete (or rename) the roaming profile for that user on the network.

Note: You may need to take ownership of the folder before it can be deleted.

Tip: To avoid having to take ownership of the roaming profile be sure you have enabled the “Add the Administrator security group to roaming users profiles” setting.

How to fix the “You have been logged on with a temporary profile” issue in Windows 7

So… that was the easy way… But what do you do if you just deleted the user's profile files, like you did back in the Windows XP days, and now the user is “logged on with a temporary profile”?

Step 1. Reboot the computer again and log on as the local admin.

Step 2. Open Regedit and go to the following registry key path:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Step 3. Find the profile key that has the ProfileImagePath of the user you are fixing and delete that entire key.

Step 4. Log off and log on as the user you are trying to fix.

TIP: If this is successful make sure you get the user to log off straight away so the new profile is saved to the network, which will then propagate to any other computer when they log on.
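
Steps 2 and 3 above as a script, added here as an example and not part of the original post: it finds the ProfileList key(s) whose ProfileImagePath matches a user, shows the resolved account and whether the profile folder still exists, and exports each key to a .reg file before deleting it. The function name, its parameters, the sample user name and the backup folder are hypothetical.

```powershell
# Added example (not from the original post). Function name, parameters and
# backup folder are hypothetical. Run elevated, logged on as a different local admin.
function Remove-ProfileListEntry {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $BackupDir = 'C:\ProfileListBackup'
    )
    $root    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    # Match a profile folder named "jsmith" or "jsmith.DOMAIN", but not "jsmithers".
    $pattern = '^' + [regex]::Escape($UserName) + '(\.|$)'

    foreach ($key in Get-ChildItem -Path $root) {
        $imagePath = $key.GetValue('ProfileImagePath')
        if (-not $imagePath) { continue }
        if ((Split-Path -Path $imagePath -Leaf) -notmatch $pattern) { continue }

        # The key name is the account SID; strip a ".bak" suffix if one is present,
        # then resolve it so the operator can confirm it is the right account.
        $sidText = $key.PSChildName -replace '\.bak$', ''
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = '<unresolved>' }

        # Always report what was found, even with -WhatIf.
        [pscustomobject]@{
            Key          = $key.PSChildName
            Account      = $account
            ImagePath    = $imagePath
            FolderExists = Test-Path -LiteralPath $imagePath
        }

        if ($PSCmdlet.ShouldProcess($key.Name, 'Export to .reg file and delete key')) {
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            $file = Join-Path $BackupDir ($key.PSChildName + '.reg')
            & reg.exe export $key.Name $file /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup of $($key.Name) failed; key not deleted." }
            Remove-Item -LiteralPath $key.PSPath -Recurse -Force
        }
    }
}

# Report only, change nothing ('jsmith' is a sample user name):
Remove-ProfileListEntry -UserName 'jsmith' -WhatIf
```

Without `-WhatIf` the function prompts before each deletion, and the exported .reg file can be re-imported if the wrong key was removed.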

Hopefully this will have fixed your roaming profile issues and the user is now back up and running with a minimum of fuss… Of course some of the user's personal settings may have been lost, but hopefully a well managed SOE should allow them to run all the essential programs with little to no additional set up.

Source: I found the registry key trick from this TechNet Forum article http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/5ec0b949-effa-4e30-ba09-dc948a4c7a8b

How to enable IE Quirks Mode with Group Policy

If you are looking at moving to Windows 7 or you are looking at upgrading IE6 in your organisation, you have probably discovered that a lot of your intranet web sites don’t work properly. Apparently 80% of IE app compatibility issues with IE8 are caused by websites that do not have the <!DOCTYPE> header on the first line.

This problem is due to a bug in IE6: it ignores the <!DOCTYPE> if it is not on the first row and then defaults back to rendering the page in Quirks mode. Newer browsers, however, do read the <!DOCTYPE> tag even if it is not on the first line and then render the page in standards mode as requested. To address this issue Microsoft has released a hotfix for IE8, and included in IE9, a feature that lets you force pages to render in Quirks Mode, thus ignoring the <!DOCTYPE> line.

A webpage is not displayed correctly in Internet Explorer when any of the following is true:

  • You use Windows Internet Explorer 8 Standards mode to browse the webpage.
  • You enable Compatibility View in Internet Explorer 7 to browse the webpage.

Additionally, if you do not have the permissions to implement the Meta tag or the HTTP header for browser emulation, you cannot force the browser to work in QUIRKS mode from the client-side.

Microsoft KB A webpage is not displayed correctly when you browse the webpage by using Internet Explorer 8 Standards mode or Compatibility View in Internet Explorer 7

Once you have the hotfix deployed or you have installed IE9 on your computers, you can then use the policy “Use Policy List of Quirks Mode sites” under Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList to add specific sites to render in Quirks mode.

This will now force your browser to render the page using IE5.5 (a.k.a. Quirks) mode so that the page now renders correctly.

TIP: If you are still having issues with your intranet pages not working correctly, one of the other big compatibility fixes you can try is to make sure that the page is properly placed in the “Intranet Zone”. For instructions on how to do this see my other post How to use Group Policy to configure Internet Explorer security zone sites.

Thanks to Chris Jackson “The App Compat Guy” for his TechEd 2011 video that had the details for me to write this article at  http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL315

Screencast: How to use Group Policy Preferences to set up Shortcuts

In this screencast I show you how to use the Group Policy Preferences Shortcuts Extension to deploy shortcuts to a user's desktop. This video also demonstrates how you can configure the shortcut to only apply once for the user and how you can configure shortcuts to automatically be cleaned up when no longer required.

Silverlight 5 Group Policy

Microsoft have just released the Silverlight 5 beta during the MIX 2011 summit in Las Vegas and one of the new features is Group Policy support. However, this “Group Policy” support at the moment is more like a suggested way of configuring the program. What it really means is that you can now control the running of Signed/Trusted Elevated applications from within the browser via a registry key.

For more on trusted in browser applications see http://timheuer.com/blog/archive/2011/04/13/whats-new-in-silverlight-5-a-guide.aspx#trustinbrowser

A new feature we are bringing is the ability to do some of the “trusted” features in Silverlight in the browser. This brings the current functionality of trusted applications in current form to be used in the browser context without having to be installed. This still requires the XAP to have the ElevatedPermissions security setting in the manifest as it would exist with out-of-browser applications as well as the XAP being signed (and the certificate in the user’s trusted publisher store).

 

Additionally the requirement would be that a registry key be set on the machine to enable this. This could be deployed via Group Policy or other desktop-management techniques.

Below I have listed this registry key and how you can use a Group Policy Preferences Registry Item to configure this setting in your organisation.

Allow Elevated Trust Apps In Browser

Key (Machine): HKLM\SOFTWARE\Microsoft\Silverlight\
Value: AllowElevatedTrustAppsInBrowser (REG_DWORD)
Data: 0 (Disabled)
Data: 1 (Enabled)

Step 1. Edit a group policy object that targets all the computers in your organisation that you want to apply this setting.

Step 2. Navigate to “Computer Configuration > Preferences > Windows Settings” then right click on “Registry” and click on “New > Registry Item”

Step 3. Change the Action to “Replace”, add the key path “SOFTWARE\Microsoft\Silverlight”, type the value name “AllowElevatedTrustAppsInBrowser”, set the Value type to “REG_DWORD” and the value data to “1”.

Step 4. Click on the “Common” tab and tick “Remove this item when it is no longer applied” and add a description.

Done… the registry key should now be deployed to all your computers and they will be able to run Trusted (Signed) applications in the web browser.
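
An added audit example (not from the original post or from Microsoft): it reads the value above from both the 64-bit and 32-bit registry views and lists the Trusted Publishers certificates that the quoted requirement refers to, so you can see where the setting is on and whose signed XAPs would be trusted. The function name is hypothetical; checking the 32-bit view assumes a 32-bit browser on 64-bit Windows reads the redirected Wow6432Node copy of the key.

```powershell
# Added example, not from the original post. Function name is hypothetical.
# Needs PowerShell 3.0+ (.NET 4) for RegistryKey.OpenBaseKey.
function Get-SilverlightElevatedTrustState {
    $settings = foreach ($view in 'Registry64', 'Registry32') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]$view)
        $key   = $base.OpenSubKey('SOFTWARE\Microsoft\Silverlight')
        $value = if ($key) { $key.GetValue('AllowElevatedTrustAppsInBrowser') } else { $null }

        # 1 = Enabled and 0 = Disabled, as listed in the post; anything else is reported as-is.
        $state = 'Unexpected data'
        if     ($null -eq $value) { $state = 'Not set' }
        elseif ($value -eq 1)     { $state = 'Enabled' }
        elseif ($value -eq 0)     { $state = 'Disabled' }

        [pscustomobject]@{ View = $view; Value = $value; State = $state }

        if ($key) { $key.Close() }
        $base.Close()
    }

    # The quoted requirement: the XAP's signing certificate must be in the
    # trusted publisher store. List both machine and current-user stores.
    $publishers = Get-ChildItem Cert:\LocalMachine\TrustedPublisher, Cert:\CurrentUser\TrustedPublisher |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '^.*::' } },
                      Subject, Thumbprint, NotAfter

    [pscustomobject]@{ Settings = $settings; TrustedPublishers = $publishers }
}

$state = Get-SilverlightElevatedTrustState
$state.Settings          | Format-Table -AutoSize
$state.TrustedPublishers | Format-Table -AutoSize
```

On 32-bit Windows both views return the same key, so the two rows will match.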

To see what other features are coming in Silverlight v5 go to http://www.microsoft.com/silverlight/future/

Best Practice: How to deploy Software using Group Policy

Originally this was just going to be a post showing you how to deploy the Windows InTune client to a computer using Group Policy. However, it turned out that this article is better suited to showing you some advanced techniques for deploying software via Group Policy. So even if you don’t specifically want to deploy the InTune software client to your computers, this article will still serve as a good reference for Group Policy software deployment in general….

Tip #1: DON'T! If at all possible do not deploy software this way… Group Policy software deployment has a number of restrictions that make it one of the less desirable methods of software deployment. Some of the reasons why I would not recommend this deployment method are:

  1. Lack of scheduling. When you deploy software to a computer using Group Policy it will only ever install/un-install on the next reboot of the computer. This makes it very difficult to schedule rollouts, especially when deploying large software updates that would put immense load on the LAN when deploying to all the computers first thing in the morning when they are all turned on at the same time. Using something like SCCM is much better with its options for maintenance windows and Wake On LAN…
  2. MSI and ZAP Installer Only. The only supported application formats are the more popular MSI installer and the lesser known ZAP package format. This is somewhat restrictive, and again software deployment tools like SCCM are vastly superior as they support any sort of installation method.
  3. Fixed Application Install Order. When you add applications to the Group Policy Object they install onto the computer in the same order, with no way of changing this order.
  4. Nil Visibility. When you deploy software using Group Policy the configuration is pushed to the computers but there is never any feedback on whether the software has successfully installed. This lack of visibility could mean you think you have deployed something to all your computers successfully but in reality it has failed to install on many of the computers.
  5. Poor Scoping. When you deploy software using Group Policy you can only specify a UNC path as the location to install the software from. If you have specified a single server in head office this would mean that all the workstations at remote sites will try to download and install over the WAN… Not good. I will make a few recommendations further on as to how to mitigate this; however, other software deployment tools (again like SCCM) handle this much more automatically, which can reduce your admin overhead.

Now that I have sufficiently warned you about Group Policy Software Deployment, I would also say there is one exception to this rule, and that is agent software deployment. Whether it is the SCCM agent, InTune or even an anti-virus software package, GP Software deployment is good at deploying the same software package to a large number of computers.

And speaking of services that require agents…

Windows InTune is a new service offered by Microsoft that allows IT administrators to manage and monitor computers via a web based console. This service has often been referred to as SCCM in the cloud as it allows you to manage many workstations without the need for any server infrastructure.

For more information on Windows InTune visit http://www.windowsintune.com/

While there is no software to install on servers for InTune to work, it does require you to deploy a management client to your workstations. This client software can be installed manually, but when you have 10+ computers in your organisation this can quickly become a management nightmare, so Microsoft also provides a way to deploy the InTune client via Group Policy.

Configuring the application install files for Group Policy Deployment

Step 1: Go to Windows Intune website and download the InTune Client software.

Step 2: Right click on “Windows_Intune_Setup.zip” and select the “Extract All” option

Step 3: Extract the contents of the “Windows_Intune_Setup.exe” to the current folder by opening up a command prompt and running “Windows_Intune_Setup.exe /extract .”.

Step 4: Copy all the files (see below) to the software distribution file share in your organisation.

  • Windows_Intune_Setup.exe
  • Windows_Intune_X64.msi
  • Windows_Intune_X86.msi
  • WindowsIntune.accountcert

You have now set up the installation files for the InTune client (or other software) ready to be deployed in your organisation.

Tip #2: This location needs to have read permission for the “Domain Computers” group applied so that the computer can download and install the files.

Configuring the Group Policy Object for Software Deployment

Step 5: Edit a Group Policy Object that is applied to all the workstations to which you want to deploy the InTune client.

Step 6: Navigate to “Computer Configuration > Policies > Software Settings > Software installation” then right click on “Software installation” then click on “New” then “Packages”

Step 7: Navigate to the path where you placed the installation files and select “Windows_Intune_X64.msi” then click “Open”

Tip #3: If you have x86 clients repeat from step 7 with the additional steps in my other article How to prevent x86 (32bit) applications installing via Group Policy on Windows x64 to prevent the x86 version from being deployed to the x64 platforms.

Step 8: Click on “Advanced” and then click “OK”

Tip #4: Wait a few seconds while it reads the MSI…

Step 9: As this is an x64 version of the application I recommend that you add “ x64” to the name of the program to distinguish what version you have deployed.

Step 10 (Optional): If you want to selectively deploy the client to the workstations click on the “Security” tab and click “Advanced”.

Step 11 (Optional): Un-tick “Include inheritable permission from this object’s parent”.

Step 12 (Optional): Click “Add”

Step 13 (Optional): Click “OK”

Step 14 (Optional): Click on “Authenticated Users” and click on “Remove”

Step 15 (Optional): Click “Add” and select the security group name (e.g. “InTune Computers”) that will be used to assign this application to specific computers.

Step 16 (Optional): Click on “OK”

Step 17: Accept all other default settings and click “OK”

The software will now install on the selected computers at the next reboot….

InTune Note: The client software that you downloaded from the InTune web site is customised for your computers so they will automatically appear in your InTune web console.

Tip #5: If you also have Verbose vs normal status messages enabled you will see the software being installed during computer start-up.


 

How to configure your Distribution Share for Group Policy Software Deployment

See Part 2 Best Practice: Configuring a Software Library for Group Policy Software Deployment