One of the changes with Windows 8 and Group Policy was that the Internet Explorer Maintenance section of GPMC was removed from under Windows Settings (see Interesting Change to Group Policy in Server 2012/Windows 8). However, people have been noticing that the same Internet Explorer Maintenance option is also removed from GPMC when they install IE 10 on Windows 7 / Server 2008 R2.
So if you still use the Internet Explorer Maintenance section in Group Policy, be aware that you will lose the ability to edit these policy settings if you update to IE10.
Alternatively you can simply reset the Internet Explorer Maintenance settings (see How to remove imported Internet Explorer Group Policy Settings) and just use the standard Group Policy Administrative Templates or Group Policy Preferences. In that case you will also want to read my other post about controlling IE Site Zone mappings using preferences: How to configuring IE Site Zone mapping using group policy without locking out the user.
TIP: I have not verified this but some people say that un-installing IE10 will restore the Internet Explorer Maintenance option in GPMC.
Warning: Some people are having issues with just removing IE10. So if you are having issues, check out the comments on Darren Mar-Elia's blog post WARNING: Installing IE 10 on your Windows 7 Workstation Removes IE Maintenance Policy from Group Policy.
Thanks to fellow MVP Darren Mar-Elia for a tip-off about fairly common issues with Folder Redirection in Windows 7. In short, there is a pretty significant issue in Folder Redirection that, if it is configured incorrectly, could result in a loss of data for users. There is a mitigation for this issue, however it is broken in Windows 7 Service Pack 1. This forum post on the SDM Software web site goes into some very specific details about the problem, but below I am going to attempt to summarise the problem and the fix so you can get Folder Redirection working more reliably in your organisation…
Folder Redirection Problem
You have Windows 7 with folder redirection enabled with the “Move contents to new location” option enabled and you then configure a new UNC path for redirection. This NEW path is simply a variation of the path to the server that actually points to the exact same location, e.g. \\servername\share to \\DFSNAME\Share. Then, when the computer tries to move the contents of the folder to the new (same) location, it deletes what it thinks is the old (same) location and thus the user's files are deleted. This is BAD! (I hope you have a recent backup.)
How to prevent the Folder Redirection from deleting files on move
So to prevent this from happening in Windows there is a Group Policy setting called “Verify old and new Folder Redirection targets point to the same share before redirecting” that checks if the new and old locations are the same before moving the files. In theory, if it detects that the source and destination are the same, it only moves the registry pointer to the new location on the server and leaves all the files in place… However… In Windows 7 Service Pack 1 this option is broken…. BOTHER!!!
Side Note: As pointed out in the forum post, it is CRAZY that this is NOT the default behaviour, as if you do not configure this option you could inadvertently delete user data. So… Even if this problem does not affect you, I would still be seriously considering enabling this option for your environment.
How to fix the Verify Old and New Folder redirection option
Thankfully earlier this month Microsoft released a KB that fixes this issue https://support.microsoft.com/kb/2799904 . So you can now implement Folder Redirection in your environment configured in a way that will not result in a loss of data…. Phew…
So what does all this mean… ?
1. If you have folder redirection enabled, it is (in my opinion) MANDATORY to enable the “Verify old and new Folder Redirection targets point to the same share before redirecting” option to prevent the possibility of losing user data.
2. But you also need to apply KB2799904 to fix the “Verify old and new Folder Redirection targets point to the same share before redirecting” option if you are running Windows 7 Service Pack 1.
Thanks again to Darren for the tip… and I hope this helps in your environment in avoiding the issues with using folder redirection.
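The two checks this post calls for before changing a redirection target, as an added PowerShell example that is not from the original post or the forum thread: a marker-file probe that shows whether the old and new UNC paths land on the same folder, and a check for KB2799904 on Windows 7 SP1. The function names and the sample user folder in the comments are hypothetical.

```powershell
# Added example. Works on PowerShell 2.0 (the Windows 7 default).
function Test-SameRedirectionTarget {
    param(
        [Parameter(Mandatory=$true)][string]$OldPath,
        [Parameter(Mandatory=$true)][string]$NewPath
    )
    # Drop a uniquely named, empty marker file through the OLD path...
    $marker    = 'fr-probe-{0}.tmp' -f ([guid]::NewGuid().ToString('N'))
    $oldMarker = Join-Path $OldPath $marker
    $newMarker = Join-Path $NewPath $marker
    New-Item -Path $oldMarker -ItemType File -ErrorAction Stop | Out-Null
    try {
        # ...and see whether it is visible through the NEW path.
        # $true means both paths reach the same folder: a "move" here
        # is the data-loss case described above.
        return (Test-Path -LiteralPath $newMarker)
    }
    finally {
        Remove-Item -LiteralPath $oldMarker -Force -ErrorAction SilentlyContinue
    }
}

function Test-FolderRedirectionHotfix {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    # 6.1.7601 = Windows 7 / Server 2008 R2 with Service Pack 1
    $isSp1  = ($os.Version -eq '6.1.7601')
    # Only finds the update under this exact ID; a later rollup that
    # carries the same fix would not be reported here.
    $hotfix = Get-HotFix -Id 'KB2799904' -ComputerName $ComputerName `
                         -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        IsWin7Sp1    = $isSp1
        HasKB2799904 = [bool]$hotfix
        NeedsHotfix  = ($isSp1 -and -not $hotfix)
    }
}

# Constructed sample paths based on the post's example:
# Test-SameRedirectionTarget -OldPath '\\servername\share\jdoe' -NewPath '\\DFSNAME\Share\jdoe'
# Test-FolderRedirectionHotfix -ComputerName 'PC001'
```

Run the probe with an account that has write access to the folder; it leaves nothing behind when it finishes.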
Internet Explorer 10 has been out for a while now if you are using Windows 8, however Microsoft has only just released IE 10 for Windows 7. So if you are not contemplating upgrading to Windows 8 but do want the goodness of the improved HTML 5 support of IE 10, then it might be a good time to check out the TechNet article with all the new Group Policy settings at http://technet.microsoft.com/en-us/library/hh846775.aspx
As always it is best to edit your Group Policy objects using the most recent version of the operating system (Windows 8 / 2012). However, if you are not able to install Windows 8 or Server 2012 in your environment to edit your GPOs, all is not lost… The ADMX files are updated on any computer that has Internet Explorer 10 installed, meaning that you can still edit the Internet Explorer 10 Administrative Template settings from a Windows 7 or Server 2008 R2 computer if you also have the Group Policy Management Console installed.
However, the Internet Explorer Group Policy Preferences are not as easily updated and you will still need to use a Windows 8/2012 computer to edit the IE 10 Preferences settings.
Update: I can confirm that the XML registry hack I previously posted at http://www.grouppolicy.biz/2011/03/how-to-enable-group-policy-preferences-support-for-ie9/ does still work with the IE 8 GPP setting if you set the MAX version to 11. However do this AT YOUR OWN RISK.
Removable memory sticks are the back door for data in any organisation. BitLocker to Go can go some way to controlling this vector, however you might want to simply close off all access to removable drives for all your users. So if you are running Windows 7 you will be glad to know there are a heap of Windows 7 GPO settings that allow you to control access to your removable devices.
Even better, there is a deny execute access policy setting that prevents your users from running BYO applications such as Firefox Portable, and even some malicious software, from USB sticks.
While most of the device types seem obvious, the WPD Device allows you to control access “to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.”
You can even configure the “Time (in seconds) to force reboot” setting, which will enforce the change once it is applied to the computer.
These policy settings can be found under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
It's the best thing to control access to USB storage devices since the invention of the hot glue gun….
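To confirm on a client that these settings actually arrived, the following added PowerShell example (not from the original post) lists the deny values the Removable Storage Access templates write to the registry. The policy key path and the Deny_* value names are not stated on this page; they are the locations these templates use, and the function name is hypothetical.

```powershell
# Added example. Works on PowerShell 2.0 (the Windows 7 default).
function Get-RemovableStoragePolicy {
    # Machine-side location used by the Removable Storage Access templates.
    # Sub-keys are device-class GUIDs; the base key holds Deny_All.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if (-not (Test-Path $base)) {
        return   # No Removable Storage Access policy applied to this computer
    }
    $keys = @(Get-Item $base) + @(Get-ChildItem $base)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Deny_Read, Deny_Write, Deny_Execute per class, Deny_All at the base
            if ($name -like 'Deny_*') {
                New-Object PSObject -Property @{
                    Key     = $key.PSChildName
                    Setting = $name
                    Enabled = ($key.GetValue($name) -eq 1)
                }
            }
        }
    }
}

# No output means nothing is being denied by policy on this machine.
Get-RemovableStoragePolicy | Sort-Object Key, Setting |
    Format-Table Key, Setting, Enabled -AutoSize
```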
Today I experienced serendipity with the error “Unable to find a default server with Active Directory Web Services running.” in PowerShell with Windows 7. This message was occurring when trying to create some new OUs using the New-ADOrganizationalUnit command. Initially I thought it was due to not having the required Active Directory PowerShell commands installed, but then I realised that the “Import-Module ActiveDirectory” command was loading fine so that couldn’t be the problem.
About this time I then noticed a new blog post http://jorgequestforknowledge.wordpress.com/2011/12/12/the-active-directory-web-service-adws/ about the new Active Directory Web Services (ADWS) feature with 2008 R2, which explained why I was getting this message. The environment I was dealing with was a Windows 2008 only domain environment, meaning that there was no ADWS for PowerShell in Windows 7 to utilise. This article explained that both PowerShell and the Active Directory Administrative Center (ADAC) in Windows 7/2008 R2 use the WS-* protocols and therefore need an ADWS server somewhere in the domain to work. Not having an ADWS DC in the environment meant that these tools would not work…
So to get around this issue you will either need to spin up a Windows Server 2008 computer to run the commands or apply the necessary KBs to some of the domain controllers in your environment to enable ADWS.
Update: I just learnt that the AD PowerShell commands are only supported on Windows 7/2008 R2.
The moral of this story is that it's always good practice to make sure that your server and client infrastructure are upgraded together, due to the advantages of the tight integration the two products have with one another.
Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2003-based domain controllers
Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2008-based domain controllers
Note: ADWS was included with Windows Server 2008 Service Pack 2.
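A quick way to see which domain controllers can serve the AD PowerShell cmdlets, as an added PowerShell example that is not from the original post: it lists the domain's DCs over LDAP (so it works even when no ADWS instance exists) and probes each one on TCP 9389, the port ADWS listens on. The function names and the two-second timeout are assumptions of this example.

```powershell
# Added example. Works on PowerShell 2.0 and does not need the
# ActiveDirectory module, so it runs in the failure case described above.
function Test-AdwsPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Port = 9389,        # ADWS listens on TCP 9389
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false         # Timed out: filtered or host down
        }
        $client.EndConnect($async)  # Throws if the connection was refused
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-AdwsStatus {
    # Enumerates DCs of the current domain through System.DirectoryServices
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        New-Object PSObject -Property @{
            DomainController = $dc.Name
            OSVersion        = $dc.OSVersion
            AdwsReachable    = (Test-AdwsPort -ComputerName $dc.Name)
        }
    }
}

Get-AdwsStatus | Format-Table DomainController, OSVersion, AdwsReachable -AutoSize
```

If every row shows AdwsReachable as False, the “Unable to find a default server with Active Directory Web Services running” error is expected from any Windows 7 client in that domain.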