Group Policy Central

Posts tagged ‘Group Policy Preferences’

Group Policy FAQ #1: What are the Group Policy Preferences Prerequisites?

Even though Group Policy Preferences have been out for a number of years (since Windows Server 2008), they are still a relatively unknown feature of Group Policy. Therefore this is the first of a few articles I am going to be writing about some of the basic features of Group Policy Preferences. To start off, I am going to cover a few FAQs on what you need to do to start using all the Group Policy Preferences goodness.

Do I need to extend the schema to use Group Policy Preferences?

NO. No schema extensions are required to support Group Policy Preferences, as they work by only creating a folder called “Preferences” under the User and/or Computer folder in the SYSVOL.

What is the minimum version of domain mode or domain controllers I need to support Group Policy Preferences?

Unofficially, Windows 2000 Domain Mode with Windows 2000 DCs will work fine. Officially, however, it is whatever the minimum supported OS and domain mode of Active Directory is at the time.

What software do I need to install to use Group Policy Preferences?

To make it easy, the table below outlines what software you need to install to enable Group Policy Preferences on the client and to make changes to the

| Operating System | Client Side Extensions Required | Group Policy Management Console |
|---|---|---|
| Windows XP | Yes (SP2 also requires XmlLite) | Not Supported |
| Windows Server 2003 | Yes (SP2 also requires XmlLite) | Not Supported |
| Windows Vista | Yes | Yes (via Remote Server Admin Tools) |
| Windows Server 2008 | Included | Yes |
| Windows 7 | Included | Yes (via Remote Server Admin Tools) |
| Windows Server 2008 R2 | Included | Yes |

How do I get the client side extensions?

Below is a list of links to the download page for the client side extensions for the versions of Windows that do not have them installed out of the box.

If you are still running Windows XP or Windows Server 2003 Service Pack 2 (OMG THAT IS SO BAD) then you will also need to install XmlLite to make preferences work.

How do I install the client side extensions?

You can install the client side extensions a number of ways in your environment:

Tip: If you want to do limited testing of Group Policy Preferences in your environment and you are still running Windows XP or Vista, you can selectively roll out the extensions to just the computers you want to test with. This is because applying a preference setting to a computer that does not have the client side extensions installed has no effect.

Do I need to install the client side extensions for Windows Server 2008, Windows 7 or Windows Server 2008 R2?

No. It is part of the operating system.

Why can't I edit Group Policy Preferences from Windows XP or Windows Server 2003?

While the client side extensions for Group Policy Preferences are supported on Windows XP and Windows Server 2003, the version of Group Policy Management Console (GPMC) for XP/2003 has not been updated and therefore does not allow the editing of GPPs in any way, shape or form. This means you need at least one Windows Vista (yuck) or Windows Server 2008 computer with Group Policy Management Console installed to edit Group Policy Preferences in your environment, even if every other server and workstation is running 2003 and XP.

How do I install the Group Policy Management Console?

GPMC is a component of the Remote Server Admin Tools for Windows 7 / Vista and is an optional feature that needs to be installed with Windows Server 2008 & R2. See my instructions for installing GPMC on Windows 7 and 2008 R2 at How to download and install the Group Policy Management Console (GPMC)

Summary

So if you are thinking about using Group Policy Preferences in your environment, don’t stress… It's a really simple process, and as soon as you have GPMC on one or two computers and the client side extensions installed on all the computers you want to apply preferences to, you are ready to go…

Hotfix: Group Policy Preference Hotfix Rollup (Vista / 2008)

A new Windows Vista / 2008 Group Policy Preference client side extension hotfix rollup has been released. Below I have listed the details of the hotfix, including a complete list of all issues it resolves.

KB977983 – Group Policy preferences client-side extension hotfix rollup for Windows Vista and Windows Server 2008

New Issues Resolved

  • You cannot create a GPP folder when the target path is a Distributed File System (DFS) path.
  • Item-Level Targeting for the security group does not recognize nested groups for computer objects.
  • When you configure Item-Level Targeting for GPP to match a registry value, the match fails.
  • The GPP data source name (DSN) requires a password if a username is specified in the DSN connection information. After you apply this hotfix rollup, you can use a blank password in the DSN connection information.
  • You experience a significant delay when you log on to an Active Directory site that has a read-only domain controller (RODC). This issue occurs when you implement Item-Level Filtering for Lightweight Directory Access Protocol (LDAP) by using GPP.
  • GPP cannot be deployed on a printer when the printer owner is not specified as "System" or "Administrators."
  • When you configure Item-Level Targeting for GPP with Terminal Services, Item-Level Targeting fails.
  • A memory leak occurs in the GPP client every time that Item-Level Targeting is processed.

Previous KB974266 Issues Resolved

  • The Windows Event Log service crashes when the regional options preferences are set to English (United Kingdom).
  • If the regional options preference is set to English (United Kingdom) or to anything other than United States, it cannot be applied. The regional options preference setting still shows United States.
    • Note A non-administrator user cannot log on to a domain from a computer that is running Windows Vista SP2, if the user’s locale information is set by using a Group Policy preference and set the regional options preference as English (United Kingdom).
  • If you create or update a virtual private network (VPN) connection by using a Group Policy object, the connection does not bind to IP Version 4 (TCP/IPv4) or IP Version 6 (TCP/IPv6).
  • A Lightweight Directory Access Protocol (LDAP) query that is used by item level targeting uses an incorrect base distinguished name.
  • Group Policy Service (GPSVC) stops responding during the GPSVC shutdown process if third-party printer drivers are installed by Group Policy Preferences.
  • The %GPTPATH% variable is not resolved correctly when Group Policy Preferences are processed.
  • Group Policy Preferences stops responding when you try to configure the printer item for printers that use third-party drivers. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    973772 (http://support.microsoft.com/kb/973772/ ) Group Policy Preferences stops responding when you try to configure the printer item for printers that use third-party drivers on a Windows Vista or Windows Server 2008-based computer

Source http://blogs.technet.com/b/askds/

Best Practice: How to use Group Policy Preference enable auto-logon

The article below shows you how to use Group Policy Preferences to set up the registry keys on a computer so that it automatically logs on when it is turned on. While doing this is potentially a huge security issue and not something I would generally recommend, IT staff might want to implement it on computers that are highly locked down and used for only a specific purpose.

How to set a registry key using Group Policy Preferences

Before we begin, I will show you how to create the required registry keys using Group Policy Preferences. After this I will list the registry keys you need to use with the instructions below to configure automatic logon.

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied to.

WARNING: Make sure you have not applied this policy to any computers before you begin, as this will obviously automatically log on any computer that this policy is applied to.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry

Step 3. In the Menu click on Action > New > Registry Item

Now that you know how to configure a registry key setting using Group Policy Preferences, you can create a new Registry Item for each registry key listed below.

Continue reading ‘Best Practice: How to use Group Policy Preference enable auto-logon’ »
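An added example, not from the original posts: because Group Policy Preferences exist only as XML files under each GPO's folder in SYSVOL, which domain users can read by default, an administrator can inventory them with a short PowerShell script, including every registry item such as those an auto-logon policy would create. The function names and the default path built from USERDNSDOMAIN are assumptions; registry values are deliberately left out of the report.

```powershell
# Added example (not from the original post): inventory GPP content in SYSVOL.
# Assumption: run from a domain-joined machine, or pass -PoliciesPath to a copy.
param(
    [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# Hypothetical helper: one object per preference XML file found under a GPO.
function Get-GppFile {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($gpo in Get-ChildItem -LiteralPath $Path -Directory) {
        foreach ($side in 'Machine', 'User') {
            $prefs = Join-Path $gpo.FullName (Join-Path $side 'Preferences')
            if (-not (Test-Path -LiteralPath $prefs -PathType Container)) { continue }
            Get-ChildItem -LiteralPath $prefs -Recurse -File -Filter '*.xml' |
                ForEach-Object {
                    [pscustomobject]@{
                        Gpo       = $gpo.Name          # GPO GUID folder name
                        Side      = $side              # Machine or User
                        Extension = $_.Directory.Name  # e.g. Registry, ScheduledTasks
                        File      = $_.FullName
                    }
                }
        }
    }
}

# Hypothetical helper: list the registry items defined in a Registry.xml file.
# The value attribute is deliberately not output, so the report can be shared.
function Get-GppRegistryItem {
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$File)
    process {
        if ([System.IO.Path]::GetFileName($File) -ne 'Registry.xml') { return }
        Select-Xml -LiteralPath $File -XPath '//Registry/Properties' | ForEach-Object {
            $p = $_.Node
            [pscustomobject]@{
                File   = $File
                Action = $p.GetAttribute('action')  # C, R, U or D
                Hive   = $p.GetAttribute('hive')
                Key    = $p.GetAttribute('key')
                Name   = $p.GetAttribute('name')
            }
        }
    }
}

$files = @(Get-GppFile -Path $PoliciesPath)
$files | Group-Object Gpo, Side, Extension | Format-Table Count, Name -AutoSize
$files | Get-GppRegistryItem | Format-Table Action, Hive, Key, Name -AutoSize
```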

TechEd 2010 AU – Unlock the Awesome Power of Group Policy Preferences in your environment

The video of my Australian TechEd Group Policy Preferences session is now online, and it's in h264, so you should be able to play it back on your iPad, iPhone or any other HTML5 browser without the need for a plugin.

Description: This demo-heavy session illustrates how to use new features in Group Policy to do things that will make you and your management happy: compare settings across all domains, reduce complexity of your Group Policy environment, manage power for Windows 7 clients, and use GP Preferences to reduce logon scripts…

Fixing Active Directory Time Sync Issues

You might think that AD time sync in your organisation is something that just works out of the box, but Sander Berkouwer has just done a post about what you need to do to set up time sync for Windows Server 2008 & R2. Apparently the default time sync server for Windows Server 2003 (time.windows.com) no longer works, so you need to make sure that your DCs are configured with a valid time source.

Check out the whole article here The things that are better left unspoken : Active Directory Time Sync (broken by default)

Tip: One of the steps in the article is to configure the time server using the “w32tm” command on your PDC emulator. You can do this via Group Policy Preferences using the scheduled task option, and then use Item-Level Targeting to apply the command only to the computer name of your PDC Emulator. By scheduling this command on a regular basis you can ensure that the time zone list of the server gets refreshed to the proper values periodically.