group policies


Group Policy Preference Client Side Extensions are now available for download!

Here we are - Group Policy Preference Client Side Extensions are now available for download. This is a cool thing bringing lots of Group Policy Power to admins around the world!

The GPP CSEs are included in Windows Server 2008 RTM, but can now be downloaded for:
Windows XP SP2+ (32/64 bit)
Windows Server 2003 SP1+ (32/64 bit)
Windows Vista RTM+ (32/64 bit)

These are the links:
GPP CSEs for Windows Vista (KB943729)
GPP CSEs for Windows Vista x64 Edition (KB943729)
GPP CSEs for Windows Server 2003 (KB943729)
GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
GPP CSEs for Windows XP (KB943729)
GPP CSEs for Windows XP x64 Edition (KB943729)

To get Group Policy Preferences on your network all you need is a single Windows Server 2008 as a management station in your existing Windows Server 2003 AD (or 2008 AD of course). When RSAT (Remote Server Administration Tools) is out there - very soon! - a Windows Vista SP1 will be enough to get this cool functionality in your domain!

But remember, no GP Preferences (GPP) without the CSEs - so go ahead and download them now ;-)

 


Written by Jakob H. Heidelberg on February 26th, 2008 with comments disabled.

Formatting “Message text for users attempting to log on”

If you have ever tried defining the Security Options policy setting called: "Interactive logon: Message text for users attempting to log on", you may have had some difficulties formatting the message the way you wanted it. This blog is about how to work around a minor bug in the GPEDIT tool…

 

The issue:

First things first - the Group Policy setting is located here:

"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\"

The value is a Multi-String registry value that allows you to make multiple lines in the message. The message pops up right after a user hits Ctrl+Alt+Del as a general warning to the user before actually logging on. But, unfortunately the formatting isn’t as perfect as it could be.

What happens is that carriage returns are lost after formatting this "pre-logon message" with GPEDIT. Imagine you want a message like this (see Figure 3):

—>

I don’t know why this should be so hard? Jump next line please…

Let’s do a comma, and continue the line…
Line number 4 is ready, but let’s jump line 5 & 6 now…

Line 7 finishes up this story!

<—

Such a message would end up as (see Figure 5):

—>

I don’t know why this should be so hard? Jump next line please…
Let’s do a comma, and continue the line…
Line number 4 is ready, but let’s jump line 5 & 6 now…
Line 7 finishes up this story!

<—

So, basically the problem is: line feeds/carriage returns/empty lines disappear completely!

You can actually see this within the GPEDIT GUI, but only if you hit "Apply" before "OK" - if you just hit "OK" after typing in your message you cannot see that it’s actually changed by GPEDIT (so you think the formatting is working as it should). I tested this behavior with GPEDIT on Windows XP SP2 (local policy), Windows Server 2003 SP1 (domain policy), Windows Vista SP Pre-RC (local policy) and Windows Server 2008 RC1 (domain policy).

Figure 1 - I typed in my message with the format I wanted:

Figure 2 - I clicked Apply, and the formatting was changed:

If I had just clicked OK I wouldn’t have noticed the change - anyway it’s a bit annoying, right?

 

Solution/Workaround:

The solution I came up with is to modify the policy file directly/manually using Notepad. The file is located here:

"\\DOMAIN.local\SYSVOL\DOMAIN.local\Policies\{GPO-GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

Within that file we have the relevant registry value, called "LegalNoticeText":

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don’t know why this should be so hard? Jump next line please…," ",Let’s do a comma"," and continue the line…,Line number 4 is ready"," but let’s jump line 5 & 6 now…," "," ",Line 7 finishes up this story!

Notice the " " (<quote><space><quote>) sequences, which are the same as empty lines.

This is the relevant line from a working GptTmpl.inf file (the correct syntax written manually), and it actually works great:

Figure 3 - Pre-logon message on a Windows Server 2003 SP1 Domain Controller: 

Figure 4 - The above inserted GptTmpl.inf line also works for Windows XP SP2 in the same domain:

So, this proves that the INI file can actually be correctly formatted so clients (tested w/WS2003 SP1 and XP SP2 in a domain) can show the message perfectly. Please notice that the behavior is similar with local policies, but my testing has been focused on domain environments so far.

If you modify the working policy setting using GPEDIT again, even after changing just a tiny bit (or just hitting OK on an existing setting) within the GPO, the formatting/syntax is unfortunately ruined again when the GPO is saved by GPEDIT! This is what came out of it when I tested it:

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don’t know why this should be so hard? Jump next line please…,Let’s do a comma"," and continue the line…,Line number 4 is ready"," but let’s jump line 5 & 6 now…,Line 7 finishes up this story!

Notice the " " (<quote><space><quote>) sequences are gone! This gives a wrong result (no empty lines) when clients get the pre-logon message.

Figure 5 - The formatting is lost (or wrong) when GPEDIT does the job:

 

Please notice, if you’re testing this you will have to define an additional policy setting for it to work, namely the "Interactive logon: Message title for users attempting to log on" setting.

Figure 6 - The title must be set for pre-logon message to appear

 

Conclusion

So, my conclusion is that the existing version of GPEDIT doesn’t modify the GptTmpl.inf file properly (or the registry for local policies for that matter) - for this particular value at least… My best guess is that it doesn’t handle the quotes (") correctly, but I can’t be 100% sure. A bug report has been filed with Microsoft - so hopefully it will be fixed before the final release of Windows Server 2008 and the Remote Server Administration Tools (RSAT).

However, as mentioned you can make it work with a workaround like this: Just perform the GptTmpl.inf (below SYSVOL) editing manually, make a backup of the file when it’s perfect - and never touch that GPO with GPEDIT again… Until Microsoft releases an updated version of GPEDIT anyway.
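An added example (not from the original post and not Microsoft code) that writes and reads the LegalNoticeText line in the format shown above and flags a GptTmpl.inf whose blank lines were dropped by a later GPEDIT save. It assumes double quotes simply make the enclosed characters literal, which matches the two sample lines in this post; the function names and the sample message are made up for illustration.

```python
# Added example, not from the original post. Assumption: INF-style quoting,
# i.e. text inside double quotes is literal and unquoted commas separate lines.
KEY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText"

def encode_notice(message):
    """Build the 'KEY=7,...' line for GptTmpl.inf from a multi-line message."""
    fields = []
    for line in message.split("\n"):
        if '"' in line:
            raise ValueError("literal double quotes are not covered by the post")
        # Blank line -> quoted space; literal comma -> quoted comma.
        fields.append('" "' if not line.strip() else line.replace(",", '","'))
    return KEY + "=7," + ",".join(fields)

def decode_notice(inf_line):
    """Return the message lines stored in a LegalNoticeText line."""
    key, _, value = inf_line.partition("=")
    reg_type, _, data = value.partition(",")
    if key.strip() != KEY or reg_type.strip() != "7":
        raise ValueError("not a multi-string LegalNoticeText entry")
    lines, current, quoted = [], [], False
    for ch in data:
        if ch == '"':
            quoted = not quoted              # quotes only toggle literal mode
        elif ch == "," and not quoted:
            lines.append("".join(current))   # unquoted comma ends a line
            current = []
        else:
            current.append(ch)
    lines.append("".join(current))
    return ["" if not l.strip() else l for l in lines]

def notice_drift(inf_text, intended):
    """Compare the banner in GptTmpl.inf text with the intended message."""
    want = ["" if not l.strip() else l for l in intended.split("\n")]
    for raw in inf_text.splitlines():
        if raw.strip().startswith(KEY + "="):
            got = decode_notice(raw.strip())
            if got == want:
                return None
            if [l for l in got if l] == [l for l in want if l]:
                return "blank lines lost (same text, different layout)"
            return "text differs"
    return "LegalNoticeText not defined"

# Constructed sample: an ASCII message with the same layout as the post's.
INTENDED = "Line one\n\nA comma, then more\n\n\nLast line"
RESAVED = KEY + '=7,Line one,A comma"," then more,Last line'  # blank lines gone
```

Running `notice_drift` against the SYSVOL copy after any change to the GPO shows whether the hand-edited layout survived or the backup needs to be restored.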

 

Related KB articles out there:
KB 330618
KB 238149
Technet article

 


Written by Jakob H. Heidelberg on November 30th, 2007 with comments disabled.

AGPM whitepaper out there

Just a “quick note” this time!

A nice looking whitepaper is available from the Microsoft Group Policy Team… This time it’s an AGPM overview: Advanced Group Policy Management Overview

Written by Jakob H. Heidelberg on November 13th, 2007 with comments disabled.

Group Policy Revolution Coming Up!

It’s exciting, fantastic, amazing, wonderful and totally cool - Microsoft has FINALLY announced what is going to happen with the PolicyMaker stuff they got when taking over DesktopStandards… It’s going to be released with Windows Server 2008 as many of us had hoped for!

This is just GREAT I can tell you - and it will be available to the public with the RC1 release of Windows Server 2008, maybe even before as a separate Beta program I’m told…

Microsoft decided to call it “Group Policy Preferences” or just “GP Preferences”. So, what can we do with this you ask? Well, here’s some of it:

As you can see, it’s quite impressive and something that will make companies around the world turn to Windows Server 2008 ASAP… I think and hope anyway!

The client part, a necessary extension which must be installed on the client, will be ready for Windows XP/2003/Vista - and in both x86 and x64 editions. Windows Server 2008 already includes the CSE (Client Side Extension).

There’s SO much to tell, and SO little time… But, a Whitepaper is ready (a REALLY nice one of its kind) - thank you Microsoft!

Download the whitepaper here:
An Overview of Group Policy Preferences

Written by Jakob H. Heidelberg on November 13th, 2007 with comments disabled.

GP related changes - good MS article

Check out this article, it’s really good for a “quick” summary of the GP related changes in Windows Vista/Windows Server 2008 (Longhorn)

http://technet2.microsoft.com/WindowsVista/en/library/5ae8da2a-878e-48db-a3c1-4be6ac7cf7631033.mspx?mfr=true

Written by Jakob H. Heidelberg on September 28th, 2007 with comments disabled.

Group Policy Diagnostic Best Practice Analyzer

Microsoft just released a free tool to search for errors in Group Policy configuration - totally new and cool tool in the Best Practice Analyzer (BPA) series.

Download here:
GPDBPA for Windows XP
GPDBPA for Windows XP x64 Edition
GPDBPA for Windows Server 2003
GPDBPA for Windows Server 2003 x64 Edition

Read more here:
Microsoft KB 940122 article: “How to use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect and to analyze data”

Quote from KB article:
You can use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect data about an environment’s Group Policy configuration. For example, you can use this tool to analyze a Group Policy configuration for the following purposes:

• To search for common configuration errors
• To discover and to diagnose problems
• To collect data for archiving

The account that you use to run the tool must have the appropriate permissions to access both the Active Directory database on an environment’s domain controllers and the SYSVOL file structure that is maintained on those domain controllers. Additionally, the account must have local Administrator permissions on the Group Policy client.

There are two additional prerequisites for using the GPDBPA tool:
• The Microsoft .NET Framework version 1.1 or a later version must be installed on the computer on which the GPDBPA tool is installed.
• The Windows Management Instrumentation (WMI) service must be running on the environment’s domain controllers.

Written by Jakob H. Heidelberg on September 2nd, 2007 with comments disabled.

Booth #914

I joined a session “Deep Dive into Microsoft Windows Vista Group Policy Changes and Troubleshooting” with Jeremy Moskowitz here in Orlando - and he was very good. He’s a funny guy and it seemed like everybody in the room just loved him. Thanx for the inspiration Jeremy - you put on a nice show.

After the session I joined him at the SpecOps booth (#914) and spoke to some of the other Group Policy Gurus, like Darren Mar-Elia, J. Peter Bruzzese and the SpecOps employees. SpecOps were really focused on sharing info on their SpecOps Deploy product - so why not help them here ;-)

Tomorrow I hope to catch Derek Melber - a ‘colleague’ from www.windowsecurity.com - he was busy preparing for his upcoming Group Policy sessions so he didn’t show today… I’ll try to get back with a report from those sessions when possible.

I have to mention that it turned out Peter Bruzzese not only mentions me, but also quotes me, in his new book “Tricks of the Microsoft Windows Vista Master” * - as a “Vista Master” - thanx for the honor!

* Book is published by Que Publishing
ISBN-13: 978-0-7897-3689-5
ISBN-10: 0-7897-3689-6
Amazon link here!

Written by Jakob H. Heidelberg on June 5th, 2007 with comments disabled.