Group Policy Central

If you edit Group Policy on you local computer you will be glad to hear that Microsoft has just released the Remove Server Admin Tools update for Windows 7 Service Pack 1 which has an updated version of GPMC. This resolves the "The update does not apply to your system” error message if you had re-installed Windows 7 and loaded Service Pack 1 and then you tried to install RSAT.

Get it here http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

Related Article: How to download and install the Group Policy Management Console (GPMC)

Even though Group Policy Preference have been out for a number of years (since Windows Server 2008) it is still a relatively unknown feature of group policy. Therefore this is the first of a few articles I am going to be writing about some of the basic features of Group Policy Preferences. So to start off with I am going to cover a few FAQ on what you need to do start using all the Group Policy Preference goodness.

Do I need to extend the schema to use Group Policy Preferences?

NO. There are no schema extensions required to support Group Policy Preferences as they work by only creating a folder called “Preference” under the User and/or Computer folder in the SYSVOL.

What are the minimum version of domain mode or domain controllers I need to support Group Policy Preferences?

Unofficially Windows 2000 Domain Mode with Windows 2000 DC’s will work fine. However officially it is what ever the minimum support OS and domain mode of Active Directory is at the time.

What software do I need to install to use Group Policy Preference?

To make it easy the table below outlines what software you need to install to enabled group policy preference on the client and to make changes to the

In my previous article In this article Best Practice:Active Directory Structure Guidelines – Part 1 I spoke about some of the guidelines I personally use when developing an Active Directory OU structure. In this next part I will discuss some guidelines I use when designing a Group Policy Object infrastructure.

Ideally you should make the the Active Directory OU and GPO design decision together to best ensure that you have the most efficient design possible. However if you have an existing OU structure designed a lot of these guidelines can still be applied to most existing environments.

As in Part 1 these are simply guidelines that I use and should not be taken as hard an fast rules. I quite often finding myself having to break these rules due to real world conflicts or just because one rule might conflict with the other rule. If you do find your self in a situation where you are not sure which path to take try to chose the option that will result in the least administrative effort in the long term.

Continue reading ‘Best Practice: Group Policy Design Guidelines – Part 2’ »

Sorry that this weeks setting of the week was a little late however as you can see I have been a little busy.

This weeks setting is called “Remote Properties from the Computer icon context menu” and can be found under User Configuration > Policies > Administrative Templates > Desktop. This setting might seem a little mundane compared some other setting however it could be very useful if you are in an environment where many of your users have admin access to their computers. Enabling this setting makes it much more difficult for users to remove their computer from the domain which they might want to do because of those pesky restrictive group policies.

Note: If you do enabled this option be sure not to apply it to specific IT staff so that they can still manage the computer account. You could do this by using using the Deny “Apply Group Policy” of the Advanced security setting of the policy.

Setting Enabled on Windows 7

Setting Enabled on Windows XP

Note that this does not prevent users from removing the computer from the domain as all you are doing is disabling the System Properties dialogue box that has the computer name tab (see image below) where domain membership is normally configured. While just disabling the UI is not a 100% effective it should at least stumble most users from changing this setting.

In case you were wondering, a user with admin access to their computer could still install either the Windows XP Support tools or the Remote Server Admin Tools (RSAT) to use the NETDOM JOIN and NETDOM REMOVE commands to change the computer domain membership.

One of the common task that Group Policy administrators need to do is download and install the Group Policy Management Console (GPMC) on their computer to allow them to make changes to Group Policy. This tool is by default not installed on Windows Server 2008 R2 or Windows 7. Below I first go through the Windows 7 and then the Windows Server 2008 R2 install procedure…

Windows 7

The install is slightly different for Windows 7 as the install file for the GPMC are not actually part of the Windows 7 installation so you first need to download and install the the Remote Server Administrator Tools (RSAT) on your computer.

Step 1. Downloads for either the 32bit or 64 bit of the RSAT for Windows 7 from the link below.

Update: RSAT now supports Windows 7 Service Pack 1…

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

Step 2. Once you have download the RSAT Microsoft Update Standalone Package (.MSU) for your platform install it by simply double clicking on the file.

Step 3. You will then be prompted to install this update onto your computer

Step 4. Read the licence terms and click “I Accept” (if you accept the terms).

Step 5. Click Close

Now you could follow the rather lame text only instructions for installing the RSAT tools…

Or you can follow the nice instructions I have done below with text and IMAGE!!!

Step 1. Open Control Panel and type “features” in the search bar and click on “Turn Windows features on or off”.

Click 2. Expand “Remote Server Administration Tools”

Note: You can see the “Remote Server Administration Tools” in the Feature List after you install the MSU file.

New	Old

Step 3. Expand “Feature Administration Tools” and tick “Group Policy Management Tools” and click “OK”

Step 4. One its finished installing you can now go to the “Administrative Tools” and you will find the “Group Management Tools” is now listed.

Alternatively… I find a quicker way to launch the GPMC is to just click start and type “gpmc.msc” and press “Enter”

Windows Server 2008 R2

Thankfully its a LOT easier to install GPMC on Windows Server 2008 (and R2) and the install file for the Remote Server Administrator Tools are already on the drive.

Step 1. Open “Server Manager”

Step 2. Then click on the “Action” menu and then click “Add Features”

Step 3. Tick “Group Policy Management” and click “Next”

Step 4. Click “Install”

Step 5. Click “Close”

You can now run the Group Policy Management Console from within Server Manager (see below) or launch it as a standalone console the same as with Windows 7.

Happy group policy editing…