If you have followed this blog you would know that the Remote Server Admin Tools are an essential set of tools for managing Group Policy, Active Directory and almost all other core components of Windows Server. These tools can be installed on demand if you are running Windows Server. But if you wanted to do the remote management from a Windows Client OS then you needed to download and install the RSAT tools as a separate Windows Update package.
But as of Windows 10 Insider Preview build 17682 this has changed, and you can now optionally install the RSAT tools on demand in your Windows client OS.
The great thing about making it part of the Core OS is that it is now kept up to date whenever you receive a new OS version. This means you no longer have to seek out the latest and greatest GPMC version when managing Group Policy as you will always have the latest version installed.
Microsoft is also asking for feedback on having RSAT as part of the OS, so if you think it’s a great idea then definitely put your feedback in via http://aka.ms/rsatfeedback
Matt Call from Microsoft has just published a blog post that describes the impact of no longer being able to customise the Windows Start menu using the Default User Profile. In case you did not know, you could previously set a user's Start menu by baking the layout into the default user profile of the Windows OS image using a CopyProfile process. This has now been removed, and his article goes into how to order the process to avoid issues. So check out his post at https://blogs.technet.microsoft.com/mattcall/2018/05/11/copyprofile-and-the-start-menu-wheres-my-start-menu/ .
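The on-demand install described above can also be scripted with the DISM PowerShell cmdlets. This is an added example, not part of the original post; it assumes a Windows 10 build that ships RSAT as Features on Demand and that the Group Policy tools are exposed under a capability name starting with `Rsat.GroupPolicy.Management.Tools`, as in released builds.

```powershell
# Added example. Run from an elevated PowerShell prompt on the Windows 10 client.

# List every RSAT capability the OS offers and whether it is already installed.
Get-WindowsCapability -Online -Name 'Rsat.*' |
    Sort-Object Name |
    Format-Table Name, State -AutoSize

# Find the Group Policy Management tools without hard-coding the version suffix.
$gpmc = Get-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools*'

if (-not $gpmc) {
    Write-Warning 'No RSAT Group Policy capability found; this build may still need the separate RSAT download.'
    return
}

if ($gpmc.State -ne 'Installed') {
    # Pulls the feature payload and installs it into the running OS.
    $result = Add-WindowsCapability -Online -Name $gpmc.Name
    if ($result.RestartNeeded) {
        Write-Warning 'A restart is required to finish installing the RSAT Group Policy tools.'
    }
}

# Confirm the final state.
Get-WindowsCapability -Online -Name $gpmc.Name | Select-Object Name, State
```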
If you want to see how to manage the Start Menu via Group Policy normally you can check out my post at https://www.grouppolicy.biz/2013/06/customising-windows-8-1-start-screen-layout-with-group-policy/
The latest version of the Windows 10 1803 security templates has been released to the public. These are the new Microsoft recommended guidance for securing Windows in an organisation. These settings are normally tighter than the Out of the Box settings, but are normally acceptable in a workplace environment. Historically these used to be available via the Microsoft Security Management Tool, however this has now been deprecated and the new templates are only being released via a ZIP file. That being said, it is a very comprehensive list of documents, settings and tools that can be used to help with your security settings.
- Documentation: This folder has a number of reference documents about the settings, including the changes since the last version. This is very handy for keeping track of what guidance has changed.
- GPO Reports: These are HTML versions of the Group Policy Backups that are provided in the ZIP. They have a full list of all the settings that are applied.
- GPOs: This is a backup of Group Policy Objects that you can import into your own environment that have all the security settings pre-configured. This is a real time saver as you don’t have to transcribe the settings from the documentation.
- Local Scripts: This contains some scripts that are used for undoing some security settings on computers that are non-domain joined. This is handy as non-domain joined computers sometimes need to be managed via local accounts and these scripts will remove these restrictions.
- Templates: These contain a few Group Policy ADMX files that are additional security settings that can be applied. Some of these are not traditional (a.k.a. Managed) Group Policy settings so they are not provided with the Out of the Box ADMX files that come with Windows. These include the Local Admin Password Service (a.k.a. LAPS) policy settings, some of the few remaining MSS security settings or the Microsoft Security Guidance Mitigations (e.g. disabling SMB1) settings.
- WMI Filters: This folder contains two WMI filters that can be imported as GPO WMI Filters. These definitions are used for targeting Group Policy objects explicitly to Internet Explorer 11 and Windows 10.
Download the Security Baseline for Windows 10 1803 now via https://blogs.technet.microsoft.com/secguide/2018/04/30/security-baseline-for-windows-10-april-2018-update-v1803-final/
Until recently it was not possible to set the default domain minimum password length via GPMC to anything longer than 14 characters (see below). This limit was enforced via the UI, but a user could still set a longer password manually if they chose to. Most likely the reason that this limit was enforced was that the LM Password hash limit for Windows 98 and NT 4 was 14 characters.
But good news, with the release of the latest version of GPMC for Windows 10 1803 Microsoft has now changed this UI limit value to 20 characters.
However, Microsoft still warns that:
“Older versions of Windows (such as Windows 98 and Windows NT 4.0) do not support passwords that are longer than 14 characters. Computers that run these older operating systems are unable to authenticate with computers or domains that use accounts that require long passwords.”
So as always, test carefully before rolling out this setting and be sure that you do not have any legacy devices still running on your domain before you set this option.
Another thing to be cautious of is that if an admin attempts to change this setting via an older version of GPMC then it will force the minimum length back to 14 characters. But this is just another reason why you should always have the latest version of GPMC installed in your environment.
So now you can go forth and force longer passwords for all… HORAA!!! But if you are going to increase the minimum password length, consider also implementing some of the other current guidance for the sake of the users' sanity. For example, it is now recommended by some that removing maximum password age and complexity (see https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach ) is actually more secure, especially when you have a longer password that is more conducive to picking a phrase rather than just one word. In any case, the new raised minimum value as an option is a welcome change…
Microsoft has now released the production version of the Remote Server Admin Tools. These are of course the essential tools for managing Group Policy (and many other server functions). As I always remind you, it is imperative that you always have the latest version of GPMC as this is the most current version of the Group Policy tools.
You can download them now from https://www.microsoft.com/en-us/download/details.aspx?id=45520
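A pre-flight and drift check for the change described above, as an added example that is not part of the original post. It uses the ActiveDirectory module from RSAT; `$DesiredMinLength` is an assumed target value, and the legacy search assumes Windows NT computer accounts carry an `operatingSystem` attribute beginning with "Windows NT" (Windows 98 machines have no computer account and will not appear).

```powershell
# Added example. Requires the ActiveDirectory module (installed with RSAT).
Import-Module ActiveDirectory

$DesiredMinLength = 16   # assumption: your target, above the old 14-character UI limit

# 1. What the domain is actually enforcing right now.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object MinPasswordLength, MaxPasswordAge, ComplexityEnabled

# 2. Drift check: an edit made with an older GPMC can push the value back to 14.
if ($policy.MinPasswordLength -lt $DesiredMinLength) {
    Write-Warning ("Minimum password length is {0}, expected at least {1}. " +
        "Check whether the policy was edited with an older GPMC.") -f
        $policy.MinPasswordLength, $DesiredMinLength
}

# 3. Fine-grained password policies override the domain default for their targets,
#    so review their minimum lengths as well.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength

# 4. Legacy computer accounts that may not cope with passwords over 14 characters.
Get-ADComputer -Filter 'OperatingSystem -like "Windows NT*"' `
        -Properties OperatingSystem, LastLogonTimestamp |
    Select-Object Name, OperatingSystem,
        @{ Name = 'LastLogon'
           Expression = { [DateTime]::FromFileTime($_.LastLogonTimestamp) } }
```

Run it once before raising the value to find legacy machines, and again on a schedule afterwards so a silent reset to 14 is noticed.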