Group Policy Central

A new Windows Vista / 2008 Group Policy Preference client side extension hotfix rollup has been released. Below I have listed the details of the hotfix including a complete list of all issues it resolved.

KB977983 – Group Policy preferences client-side extension hotfix rollup for Windows Vista and Windows Server 2008

New Issues Resolved

• You cannot create a GPP folder when the target path is a Distributed File System (DFS) path.
• Item-Level Targeting for the security group does not recognize nested groups for computer objects.
• When you configure Item-Level Targeting for GPP to match a registry value, the match fails.
• The GPP data source name (DSN) requires a password if a username is specified in the DSN connection information. After you apply this hotfix rollup, you can use a blank password in the DSN connection information.
• You experience a significant delay when you log on to an Active Directory site that has a read-only domain controller (RODC). This issue occurs when you implement Item-Level Filtering for Lightweight Directory Access Protocol (LDAP) by using GPP.
• GPP cannot be deployed on a printer when the printer owner is not specified as "System" or "Administrators."
• When you configure Item-Level Targeting for GPP with Terminal Services, Item-Level Targeting fails.
• A memory leak occurs in the GPP client every time that Item-Level Targeting is processed.

Previous KB974266 Issues Resolved

• The Windows Event Log service crashes when the regional options preferences are set to English (United Kingdom).
• If the regional options preference is set to English (United Kingdom) or to anything other than United States, it cannot be applied. The regional options preference setting still shows United States.
  • Note A non-administrator user cannot log on to a domain from a computer that is running Windows Vista SP2, if the user’s locale information is set by using a Group Policy preference and set the regional options preference as English (United Kingdom).
• If you create or update a virtual private network (VPN) connection by using a Group Policy object, the connection does not bind to IP Version 4 (TCP/IPv4) or IP Version 6 (TCP/IPv6).
• A Lightweight Directory Access Protocol (LDAP) query that is used by item level targeting uses an incorrect base distinguish name.
• Group Policy Service (GPSVC) stops responding during the GPSVC shutdown process if third-party printer drivers are installed by Group Policy Preferences.
• The %GPTPATH% variable is not resolved correctly when Group Policy Preferences are processed.
• Group Policy Preferences stops responding when you try to configure the printer item for printers that use third-party drivers. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  973772 (http://support.microsoft.com/kb/973772/ ) Group Policy Preferences stops responding when you try to configure the printer item for printers that use third-party drivers on a Windows Vista or Windows Server 2008-based computer

Source http://blogs.technet.com/b/askds/

Microsoft have now released hotfix (KB980356) to resolve an issues with configuring a scheduled task described as “Incorrect start dates are displayed for the scheduled tasks that are deployed by Group Policy preferences in Windows Server 2008 or in Windows Vista”. This issues results a problem with the schedule task being configured to run on the wrong date (e.g. a day early) due to the way “the Group Policy preferences engine handles the date incorrectly”.

For more information check on the issue and for a link to the download go to KB980356

Source Aug. 27 – Sep. 2 Hot-Fix KB articles Weekly Release – Windows 6/7 – The Hot Blog – Site Home – TechNet Blogs

In the July 29 to August 12th Hot-fix release for Windows 6/7 there have been a number of Group Policy related hotfixes released. As far as I can tell none of these hotfixes are listed as being in Windows 7 Service Pack 1 that is currently in beta (see The complete list of Group Policy Hotfix’s in Windows 7/2008 R2 Service Pack 1) so if you are experiencing any of the above hotfixes it will be some time before you will be able to deploy them as part of a service pack.

• KB2250489 You cannot turn off the screen saver in the Windows Mobility Center when the "Prevent changing wallpaper" Group Policy setting is enabled on a computer that is running Windows Vista SP2
• KB2261826 You cannot find a network drive in the "Browse For Folder" dialog box in the GPMC MMC snap-in on a computer that is running Windows Server 2008 or Windows Vista
• KB2096902 Virtual machines in a VDI environment are not rolled back as expected if the disconnected Remote Desktop connections on the virtual machines are stopped by Group Policy
• KB2254754 You experience a GPO report-generation issue in the GPMC window when you try to generate the report in a localized version of Windows 7 or of Windows Server 2008 R2
• KB2258620 You cannot find the "Find Now," "Stop," and "Clear All" buttons in the GPMC snap-in on a computer that is running Windows 7 or Windows Server 2008 R2
• KB2275315 You cannot read the GPO in the SYSVOL directory in Windows 7 or in Windows Server 2008 R2 if you enable the "Deny write" permission of the GPO
• KB2284538 Apply once and do not reapply Group Policy setting is never applied after the first GPO deployment fails on a client computer that is running Windows 7 or Windows Server 2008 R2

Source: Jul. 29 – Aug. 12 Hot-Fix KB articles Weekly Release – Windows 6/7 – The Hot Blog – Site Home – TechNet Blogs

I was recently approached to do a book review on “Least Privilege Security for Windows 7,Vista and XP by Russell Smith” published by Packt Publishing. This book is a comprehensive guide at showing how to configure your Windows environment so that your users can operate without administrator permissions. While most administrators realise that giving administrators access to the end users is really poor practice and can lead to many security issues it is quite often a permission that some users require to do their job for whatever reason.

Its good to see that this book is quite comprehensive in the number of areas of technology as I firmly believe that you really need to take a multi-prong approach when it comes to security. Here is a list of the just some of technologies that this book talks about to achieve a Least Privilege Security:

• Program Compatibility Wizard
• Applications Compatibility Wizard
• User Account Control
• Group Policy Software Deployment
• Internet Explorer Add-on Management
• Troubleshooting Remote Users
• Configuring Windows Firewall
• Software Restrictions Policies and AppLocker
• Microsoft Deployment Toolkit
• CD Burning
• ActiveX Controls
• Changing system time and time zones
• Power Management
• Managing networks
• Standard Users Analyzer
• Applications Compatibility Toolkit
• Logon Scripts
• Remote Desktop Services
• App-V
• Med-V

In quite a lot of chapters Russell goes into detail step by step instructions explain how to use the above technologies.  But what I really like is that he also takes the time to talk about how to approach the Cultural and Political challenges in implementing this security model as this is normally the hardest part achieving a secure environment.

Configuring security is something that organisation rarely spend much time thinking about and even more rarely do anything about. Having this book in your library will at least give you the knowledge that is required to start to configure your Windows system to be more secure. I would definitely recommend this book as a reference to anyone in an organisation who is responsible for designing and/or making changes to their Windows environment.

As a special offer Packt Publishing are also letting people download preview chapter of this book by download here Chapter No. 3 – Solving Least privilege Problems with the Application Compatibility Toolkit 

Packt Publishing have also announced discount for purchases of two or more so you could use this offer to get a discount when you buy another book from their catalogue (See new-discounts-launched-purchases-multiple-books for details).

You can either purchase the paper and/or PDF (for convenient iPad reading) version of this book right now from: Least Privilege Security for Windows 7,Vista and XP by Russell Smith

Just a single new hot fix has come out this week that affects group policy…

981704 The file name of an ADM file is displayed incorrectly in the GPMC report in Windows Vista or in Windows Server 2008

This hotfix resolves a problem with a GPO report in the Group Policy Management Console showing as “Extra Registry Settings” if you have imported a ADM file and then moved it to another location. For more info see http://support.microsoft.com/kb/981704