Here we are - Group Policy Preference Client Side Extensions are now available for download. This is a cool thing bringing lots of Group Policy power to admins around the world!
The GPP CSEs are included in Windows Server 2008 RTM, but can now be downloaded for:
Windows XP SP2+ (32/64 bit)
Windows Server 2003 SP1+ (32/64 bit)
Windows Vista RTM+ (32/64 bit)
These are the links:
GPP CSEs for Windows Vista (KB943729)
GPP CSEs for Windows Vista x64 Edition (KB943729)
GPP CSEs for Windows Server 2003 (KB943729)
GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
GPP CSEs for Windows XP (KB943729)
GPP CSEs for Windows XP x64 Edition (KB943729)
To get Group Policy Preferences on your network all you need is a single Windows Server 2008 as a management station in your existing Windows Server 2003 AD (or 2008 AD of course). When RSAT (Remote Server Administration Tools) is out there - very soon! - a Windows Vista SP1 machine will be enough to get this cool functionality in your domain!
But remember, no GP Preferences (GPP) without the CSEs - so go ahead and download them now.
Written by Jakob H. Heidelberg on February 26th, 2008 with comments disabled.
I have to blog this right away - it will be part of a larger "GP Processing" article at some point though… But this is IMHO important stuff which needs to get out there quickly.
I’ve heard the following sentence too many times (in one way or the other): "You can only assign Group Policy Objects to Site, Domain Level or OUs"…
- but that’s only partly true! Normally in newsgroups, forums etc. this leaves the readers (e.g. someone who asked a GP question or whatever) with the impression that you cannot "hit" members of a certain Security Group only (which leaves you with "Site/Domain/OU Filtering" and/or "WMI Filtering" as the only choices available). But that’s simply not fair to the amazing Group Policy processing engine!
Even though "WMI Filtering" is pretty well-known these days (after WS2003 arrived), many people tend to forget the little - but extremely effective and flexible - thing called "Security Filtering" (even though it’s somewhat more "Basic" compared to WMI)…
Let’s talk about it for a minute or two if you are interested…
You can set this kind of filtering within the Group Policy Management Console (GPMC) on either the Scope tab or the Delegation tab (a bit more advanced).
As you can see, by DEFAULT all Group Policy Objects (GPO) include "Authenticated Users" with both Allow:"Read" and Allow:"Apply Group Policy" permissions set. Both of these permissions are needed for users and computers to take on (or process) a given GPO.
The thing about the very important "Authenticated Users" group is that it includes ALL User AND Computer accounts/objects within the AD domain (Domain Controllers too, right). So, by default a GPO applies to both computers and users (we are not going to talk about disabling GPO parts etc. now).
That’s the "technical" explanation of why policies placed on
a) the Site apply to ALL users and computers within the Site (a user’s site follows the computer’s site, and the computer’s site follows its IP address)
b) the Domain Level apply to ALL users and computers within the Domain
c) any given OU apply to ALL users and computers within that particular OU (and sub-OUs for that matter)
=> because the "Authenticated Users" security group is there by default. These default permissions on new GPOs are handled by something called "Security Descriptors", but more on that in some other blog or article.
So, we have Security permissions on all of our GPOs (unfortunately not on the GPO links, but that’s another talk) - leaving us with GREAT power to control to whom the particular GPO should be assigned (or ‘applied’). All we need to do is to change the default permissions and <Zaboooka!> we are in complete control.
First step is generally to remove the "Authenticated Users" group from the GPO in question. Click Remove (below the Security Filtering section) on the Scope tab and click OK.
Click Add… and select the domain security group you want to "hit" - click OK when done.
And <poof>, this GPO will only apply to members of "The Sales Group" - or whatever group (or user, or computer object…) you selected.
Now all you need to do is to link the GPO to the Domain Level (or Site or OU if that’s better in your case) - but the Domain Level should be fine for most environments.
Now, you could turn this around and Exclude certain groups, users or computers - by setting Deny:"Apply Group Policy" instead. In some cases that might be the best choice - but as always with "deny" you have to watch out (mainly because deny overrides allow)!
Also note that security groups can include both user and computer accounts - we are maybe used to thinking that groups are for users only (in my experience most admins know the "Domain Users" group - but the "Domain Computers" group is not that well known)… But, with this in mind, you could make a group of computers instead of applying a WMI filter for instance (which is generally slower).
You could use other methods for setting permissions than the GPMC (like scripts) - but the GPMC is a wonderful tool for doing this easily - no sweat!
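As an added example (not the post’s own script; it uses the GroupPolicy PowerShell module that shipped later with the Windows Server 2008 R2 / Windows 7 RSAT, and the GPO and group names are placeholders), here is the same filtering change done from a script, followed by a report over every GPO in the domain that shows who can apply it and flags the two things that bite in practice: a GPO nobody can apply any more, and a Deny entry that overrides an Allow. It keeps Read for Authenticated Users and only takes away Apply, because clients must still be able to read a GPO to process it (since MS16-072 user settings are read in the computer’s context).

```powershell
Import-Module GroupPolicy

# Placeholder names (assumed, not from the post): adjust to your environment.
$GpoName   = 'Sales Desktop Settings'
$GroupName = 'The Sales Group'

# Step 1 (the post's "Remove" click): stop the GPO applying to everybody.
# GpoRead + -Replace turns Authenticated Users' Read+Apply into Read only.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 2 (the post's "Add..." click): grant the group Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Audit every GPO: list the Allow:Apply trustees and any Deny entries.
function Get-GpoFilteringReport {
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $perms = Get-GPPermission -Guid $gpo.Id -All -DomainName $Domain
        $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        $deny  = $perms | Where-Object { $_.Denied }
        [pscustomobject]@{
            GPO         = $gpo.DisplayName
            AppliesTo   = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
            DenyEntries = ($deny  | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join ', '
            # Deny overrides Allow, so a Deny entry deserves a second look;
            # a GPO with no Allow:Apply trustee at all is linked but does nothing.
            Warning     = if (-not $apply) { 'No Allow:Apply trustee - applies to nobody' }
                          elseif ($deny)   { 'Deny entry present - deny overrides allow' }
                          else             { '' }
        }
    }
}

Get-GpoFilteringReport | Format-Table -AutoSize
```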
One way of automatically creating Security Groups from members of an OU is described in my article "Configuring Granular Password Settings in Windows Server 2008, Part 2" - these groups are referred to as Shadow Groups (cool, right). In some "filtering situations" that is nice to know…
Wow - that was nice getting it off my shoulders, and now I can refer to this blog entry whenever I get the question again - and so can you of course.
Written by Jakob H. Heidelberg on January 24th, 2008 with comments disabled.
With Windows Server 2008 (Codename Longhorn) you will notice a new container called “Starter GPOs” inside the GPMC (version 2.0 - BTW this version will also be available as a separate download for Windows Vista with SP1).
This new container can hold what I would call “templates” for creating new GPO’s - with the limitation that only Administrative Template settings are available. When creating new GPO’s you can choose to use a Starter GPO as the source (read: template) - which makes it easy and fast to create multiple GPO’s with the same baseline configuration.
But, the very cool thing is that you can now “export” those GPO templates (Starter GPO’s) to a Cabinet file (.CAB) and then import into another environment - completely independent of the source domain/forest! So, you can create the PERFECT Starter GPO and then bring it around the world, share it on the Internet (if legal?), deploy it on all systems you can get a hold on etc. etc.
When you ‘enable’ Starter GPO’s in the domain for the first time, a folder called “StarterGPOs” is created inside the SYSVOL folder (\\domain.com\SYSVOL\domain.com\StarterGPOs) - this is where all the “magic” is done… For each new Starter GPO you create, you will see a new folder below this StarterGPOs folder - each will have a unique GUID (just like normal group policies). So, when you create a new GPO with a Starter GPO as source a nice and simple COPY process is actually performed - the subfolders and files from the Starter GPO’s GUID folder are just copied into the \\domain.com\SYSVOL\domain.com\Policies\[SomeNewGUID] folder - and wupti, you are ready to deploy…
Well, it may not be the same as the Templates we got with AGPM (Advanced Group Policy Management from Desktop Optimization Pack) - but, even if you don’t have the required DOP license you still get a few cookies for “free”…
One last thing - remember to create a separate backup process for Starter GPO’s, as they are not backed up through the GPMC “Backup All” method you have for the regular GPO’s - they have a separate backup procedure. So far there’s no script for backing up the Starter GPO’s, but I’m pretty sure it will show up (just like the “BackupAllGPOs.wsf” script).
And don’t worry - if you should get an error like this:
“The overall error was: The system cannot find the path specified. Additional details follow”
&
“[Error] The backup configuration file [C:\xxx\Backup.xml] cannot be saved. The following error occurred: The system cannot find the path specified.”
when performing a backup of your Starter GPO’s, you are probably testing the RC0 release… That build has a known bug which has been corrected already (RC1)!
But besides from this minor detail I say: Thumbs up for Starter GPO’s!
Written by Jakob H. Heidelberg on October 1st, 2007 with comments disabled.
Microsoft just released a free tool to search for errors in Group Policy configuration - a totally new and cool tool in the Best Practice Analyzer (BPA) series.
Download here:
GPDBPA for Windows XP
GPDBPA for Windows XP x64 Edition
GPDBPA for Windows Server 2003
GPDBPA for Windows Server 2003 x64 Edition
Read more here:
Microsoft KB 940122 article: “How to use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect and to analyze data”
Quote from KB article:
You can use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect data about an environment’s Group Policy configuration. For example, you can use this tool to analyze a Group Policy configuration for the following purposes:
• To search for common configuration errors
• To discover and to diagnose problems
• To collect data for archiving
The account that you use to run the tool must have the appropriate permissions to access both the Active Directory database on an environment’s domain controllers and the SYSVOL file structure that is maintained on those domain controllers. Additionally, the account must have local Administrator permissions on the Group Policy client.
There are two additional prerequisites for using the GPDBPA tool:
• The Microsoft .NET Framework version 1.1 or a later version must be installed on the computer on which the GPDBPA tool is installed.
• The Windows Management Instrumentation (WMI) service must be running on the environment’s domain controllers.
Written by Jakob H. Heidelberg on September 2nd, 2007 with comments disabled.
I joined a session “Deep Dive into Microsoft Windows Vista Group Policy Changes and Troubleshooting” with Jeremy Moskowitz here in Orlando - and he was very good. He’s a funny guy and it seemed like everybody in the room just loved him. Thanx for the inspiration Jeremy - you put on a nice show.
After the session I joined him at the SpecOps booth (#914) and spoke to some of the other Group Policy Gurus, like Darren Mar-Elia, J. Peter Bruzzese and the SpecOps employees. SpecOps were really focused on sharing info on their SpecOps Deploy product - so why not help them here.
Tomorrow I hope to catch Derek Melber - a ‘colleague’ from www.windowsecurity.com - he was busy preparing for his upcoming Group Policy sessions so he didn’t show today… I’ll try to get back with a report from those sessions when possible.
I have to mention that it turned out Peter Bruzzese not only mentions me, but also quotes me, in his new book “Tricks of the Microsoft Windows Vista Master” * - as a “Vista Master” - thanx for the honor!
* Book is published by Que Publishing
ISBN-13: 978-0-7897-3689-5
ISBN-10: 0-7897-3689-6
Amazon link here!
Written by Jakob H. Heidelberg on June 5th, 2007 with comments disabled.