Terminal's IT Support, Products & Services Blog


Group Policy Preferences Simplify Domain Management

  
  
  

Group Policy has been a standard element of domain management since Windows 2000 Server over a decade ago.  However, Group Policy hasn't always kept up with the changes in desktop operating systems, limiting the amount of control network administrators can maintain over client machines.

That all changed with Group Policy Preferences (GPP), introduced with Windows 2008 Server.  By using GPP technology, Windows 2008 Server allows much more extensive control of client systems than ever before.  Essentially anything that can be configured through the Control Panel of the client system can now be controlled through a Group Policy Object.  But GPP is not limited to just Control Panel options.  Administrators can now install printers (both local and network), map network drives without using ancient DOS-based batch scripts, modify registry entries, install applications, and control folders and files, all from a simple Group Policy interface.  And best of all, each of these features can be easily targeted to specific users, computers, or groups through a simple-to-use GUI.  Yes, you can now easily control which users are assigned which network drives or printers right from a Group Policy without having to use cumbersome and buggy logon scripts!

Unfortunately, because GPP was introduced with Windows 2008 Server, it does not support clients older than Windows Vista out of the box.  However, there is a small patch available from Microsoft (http://www.microsoft.com/download/en/details.aspx?id=3628) which enables support for GPP on Windows XP SP2 and SP3 machines.  This patch can be easily deployed across a network using any typical patch deployment software platform.  My personal favorite tool for doing this is PDQDeploy (http://www.adminarsenal.com/pdq-deploy/main/), which is an excellent, free utility.

Group Policy Preferences completely revolutionize network administration and management for Windows-based networks.  However, it is still extremely common to see older-style GPOs and custom logon scripts being used at companies of all sizes even today.  This results in unnecessary instability and difficulty in management for many networks.  If you're concerned that your network may not be utilizing the powerful new features of Windows 2008 Server such as GPP, Contact Us today and one of our engineers will be more than happy to review your network infrastructure with you.

Brian St. Marie - Sr. Systems Engineer


Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Sincerely, Terminal We Serve All of Greater Boston and Cambridge, MA
We hope you have found this information helpful & if so...Please Follow Us on Twitter! or Like Us on Facebook!

Active Directory Password Policies

  
  
  

Oftentimes, users have a hard time adapting to new password policies on their network.  Perhaps they are running an older version of Windows server or don't have a domain at all and use blank passwords or very simple passwords.  Once they move to a Windows 2003 or 2008 network, they find their old passwords are no longer acceptable.  Most times, users adapt and begin using more complex passwords, but sometimes users want to stick with their old password policy or modify the security level provided by the default Windows policy.  Unfortunately, this is not as easy as it may seem.

In a standard Windows 2008 or 2003 domain, the password policy is pre-defined in the Default Domain Policy Group Policy Object.  This policy is reasonably good for most configurations, though circumstances may vary from organization to organization.  Unfortunately, while you can create new GPOs and configure password policy settings in them, they will have no effect.  The only way to change the password policies of the domain is by editing the Default Domain Policy.  In fact, even if you set the Default Domain Policy password options all to "Not Defined", the standard Active Directory defaults will remain; you must define all the values for any changes to take effect.

This has long been a limitation of Active Directory and newer versions of Windows have not adequately provided alternatives.  In particular, some organizations wish to have multiple password policies, defining different restrictions and requirements for different sets of users.  This has never been possible until Windows 2008.

While common sense would lead you to believe you could simply create new GPOs with custom password policies and assign those to the appropriate Organizational Units, this does not work.  Instead, Microsoft has created an entirely new system specifically for multiple password policies.  This system is known as Fine-Grained Password Policies.  The basic process involves adding a new Active Directory object, known as a Password Settings Object (PSO), into a new container, known as the Password Settings Container (PSC).  The steps necessary to do this are complex and involve using ADSIEdit to manually create the new objects.  Microsoft provides a step-by-step explanation of the process here: http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx

Brian St. Marie - Sr. Systems Engineer
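The PSO workflow described above can also be scripted. The following is an added example, not part of the original post: it uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) instead of ADSIEdit and assumes a domain at the Windows Server 2008 functional level. The PSO name, group, user and every policy value are hypothetical.

```powershell
# Added example. Names and values below are assumptions for illustration only.
Import-Module ActiveDirectory

$psoName   = 'PSO-HelpdeskAdmins'   # hypothetical PSO name
$groupName = 'Helpdesk Admins'      # hypothetical global security group
$testUser  = 'jdoe'                 # hypothetical member of that group

# Create the Password Settings Object inside the Password Settings Container.
# When several PSOs apply to one user, the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' -ProtectedFromAccidentalDeletion $true

# A PSO is applied to users or global security groups, never to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Confirm which PSO is effective for a user. No result means no PSO applies
# and the password settings from the Default Domain Policy are in force.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($effective) {
    "{0}: PSO '{1}' (min length {2})" -f $testUser, $effective.Name, $effective.MinPasswordLength
} else {
    "{0}: no PSO applies, domain password policy is in effect" -f $testUser
}

# Audit view: every PSO in the domain, in winning order, with its subjects.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
        LockoutThreshold,
        @{ Name = 'AppliesTo'
           Expression = { ($_.AppliesTo | ForEach-Object { (Get-ADObject $_).Name }) -join ', ' } }
```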



Helpful Free Tools

  
  
  

Over the past few years, there have been a couple of reliable, handy and FREE tools that I wouldn’t leave the office without. I thought I would share a few of them.

SpecOps Remote Gpupdate

This software adds a set of tools to the Active Directory Users and Computers console that allows administrators to selectively perform remote Group Policy updates as well as restart and shutdown commands. This is very useful when deploying critical GPOs across the domain.

AnalogX Port Mapper

Port mapper allows you to map any port on one computer to any port on another computer. It also lets you filter the incoming IP address for enhanced security. One great use for this program is assigning remote desktop ports without the need to change the RDP port in the Windows registry.

Malwarebytes

This is by far the most consistent anti-spyware software that I have ever used. The interface is very simple and the technology behind its detection and removal process is top notch. These guys seem to stay on top of their game in the spyware removal world.

EZ GPO

Using this custom GPO and software provided by Energy Star gives administrators the ability to centrally manage power settings on Windows XP and Windows 2000 operating systems. This is something that Microsoft did not develop for the Windows 2003 platform. You can deploy this FREE tool and save your company some serious coin on the power bill by ensuring that computers are set into standby when not in use.

Angry IP Scanner

IPScan is an awesome and simple network scanning utility. This is a great security tool because you can use it as a port scanner as well as an IP scanner. It’s great for finding available IP addresses and tracking down nodes on the network. The output can be exported to an Excel document which also makes it useful for network audits.

Adam Jones - Systems Engineer



Deploying Applications Using Group Policy

  
  
  

Automation is on the mind of every IT admin. It makes our jobs easier and our end users happy. One extremely useful form of automation on a network is the ability to deploy software packages using Group Policy.

Recently a customer came to us with a request to push Adobe Flash Player to all of their end users’ workstations. This particular software package is perfect for installing through GPO because it is available in a Windows Installer format (which is required for publishing in a GPO) and it is a quick installation process.

The first step is to create a share on your server that contains the MSI package required for installation. Since the GPO can be linked to OUs that contain computer objects OR user objects you will need to determine the object type to receive the policy. This is important because if you decide to link this policy to a computer container, you must ensure that you configure the security tab of your shared folder to include the security group that contains the COMPUTER accounts slated for the installation. For instance, give the “Domain Computers” group Read and Execute permissions on the folder. Now that your share is properly configured you can build your GPO.

From the Group Policy Editor, navigate to the container that holds your computer objects OU and create and link a new policy. Be sure to give this policy a meaningful name such as “Sales App Deployment” or something similarly clever. Now open your policy by choosing “Edit” and navigate to Computer Configuration > Software Settings > Software Installation. Right click in the blank space and choose New > Package. Browse to the UNC path of the network share that was created above and select your MSI package. Since we are deploying this application to computer objects you will only be given the option to “assign” the package. This means that once the policy has been updated on the target computers, the software package will be assigned (installed) on the next reboot.

If you happen to choose a user group for your deployment and you have configured the policy in the “User Configuration” section, you will be presented with options to assign or publish. If you select the “publish” option, the application will be available for the users to install by going to Control Panel > Add or Remove Programs in XP or Programs and Features in Windows Vista and Windows 7. Additionally, they will be given the option to install the application when opening an associated file type. If you select the “assign” option, the application will be installed during the next user logon process.

I hope you will consider using Group Policy the next time you need to deploy an application across your network. It can be a real time saver!

Adam Jones - Systems Engineer



Boston IT Consulting Discussing Restricted Group GPOs

  
  
  



Restricted Group GPOs give network administrators the power to centrally control and enforce local group membership on computers in your domain environment. Let’s say you need to assign a specific group of technical staff the ability to administer computers in a particular department. Creating a Restricted Group GPO will allow you to add this group of staff members to the Local Administrators group on all computer objects that reside in this department’s organizational unit. Because the accounts defined in your policy will override any previous settings on the computer, this is also a useful way to ensure that the members of these groups are not modified by the local user. Since this policy replaces the default members, be sure to add the Domain Admins group and any other administrative accounts that your network requires on client computers.

To access the Restricted Groups node, navigate to the following path in any GPO:

Computer Configuration > Windows Settings > Security Settings > Restricted Groups

Note that when creating the group, you need to use the exact wording of the local group that you wish to modify. For example, when adding users to the local administrators group, create a restricted group titled exactly as Administrators in the right pane of the GPO window.

Adam Jones - Systems Engineer - Boston IT Consulting
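Because a Restricted Groups entry replaces the existing members, it is worth checking a GPO before linking it. The following is an added example, not part of the original post: it parses the `[Group Membership]` section that this setting writes to the GPO's `GptTmpl.inf` security template and reports whether the Administrators entry still includes Domain Admins. The template text is a constructed sample with made-up SIDs, and the function names are hypothetical.

```powershell
# Constructed sample of a GPO security template (GptTmpl.inf). SIDs are made up.
$gptTmpl = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@

# Hypothetical helper: return each restricted group and its enforced member list.
function Get-RestrictedGroup {
    param([string]$InfText)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if ($inSection -and $line -match '^\s*(.+?)__Members\s*=\s*(.*)$') {
            [pscustomobject]@{
                Group   = $Matches[1].TrimStart('*')
                Members = @($Matches[2] -split ',' |
                            ForEach-Object { $_.Trim().TrimStart('*') } |
                            Where-Object { $_ })
            }
        }
    }
}

# Hypothetical check: does the Administrators entry keep Domain Admins (RID 512)?
function Test-AdministratorsKeepsDomainAdmins {
    param([string]$InfText)
    foreach ($g in Get-RestrictedGroup $InfText) {
        # The local group may be stored by well-known SID or by its exact name.
        if ($g.Group -notin 'S-1-5-32-544', 'Administrators') { continue }
        $hasDomainAdmins = [bool]($g.Members | Where-Object {
            $_ -match '^S-1-5-21-(\d+-){3}512$' -or $_ -match '(^|\\)Domain Admins$'
        })
        [pscustomobject]@{
            Group               = $g.Group
            EnforcedMembers     = $g.Members -join ', '
            DomainAdminsPresent = $hasDomainAdmins
        }
    }
}

Test-AdministratorsKeepsDomainAdmins $gptTmpl
```

The constructed sample lists only one delegated group, so the check reports that Domain Admins would be dropped from the local Administrators group on every computer the GPO applies to.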

