Group Policy (April 27, 2005)

Posted: May 20, 2005

Please note: Portions of this transcript have been edited for clarity.

Introduction

[MSFT] Carolyn (Moderator):
Welcome to today’s chat about Group Policy. We will answer as many questions as we can today and post a transcript of the upper window within a few days at https://www.microsoft.com/technet/community/chats/trans/default.mspx
We are pleased to welcome our experts for today. I will have them introduce themselves now.

[MSFT] MarkWill (Expert):
Hi - my name is Mark Williams and I am a Program Manager on the Group Policy team.

[MSFT] MDennis (Expert):
I'm Michael Dennis - Lead Program Manager for Group Policy

[MSFT] dpower (Expert):
I'm David Power, Program Manager on the Group Policy team.

[MSFT] JUDITHH (Expert):
I'm Judith Herman, Group Policy technical writer. I've worked on Group Policy since Windows 2000.

[MSFT] Seva (Expert):
Hi, my name is Seva Titov. I'm with the Group Policy Test Team.

[MSFT] jkaiser (Expert):
Hi, I'm John Kaiser, lead tech writer on the Group Policy user assistance team.

[MSFT] JLeznek (Expert):
Hello! I'm Jason Leznek, Product Manager for Group Policy at Microsoft. Thank you for joining us!

[MSFT] mrepass (Expert):
Hello, my name is Mike Repass. I've recently joined the team as a test engineer - coming from a background in system administration.

Shaji [MSFT] UShaji (Expert):
Hi, I am Shaji. I am a developer on the Group Policy team.

[MSFT] thottams (Expert):
Hello, I am Thottam Sriram from the GP test team.

Carolyn_[MS] (Moderator):
...and myself, your moderator for the chat: Carolyn. I am a technical editor for Windows Server User Assistance, working on security.

Start of Chat

[MSFT] jkaiser (Expert):
Q: What is the deal to fix the never-ending truncated messages pop-up???? I heard if you upgrade the server 2003 to SP1 they go away, but that is not going to happen here for some time? Any other way, and don't say to use the GPMC because it happens there too.
A: There are fixes available today. See this KB article https://support.microsoft.com/Default.aspx?id=842933

[MSFT] MarkWill (Expert):
Q: Would someone please tell me some of the best resources for a beginning system administrator to get training?
A: I assume you mean in relation to Group Policy, specifically. The following 14-part webcast should be of interest. https://www.microsoft.com/events/series/grouppolicy.mspx

[MSFT] mrepass (Expert):
Q: Hey can anyone help me in how to get "Additional domain controller for an existing domain" screen in an upgraded Windows 2000 server?
A: Hi Danish, is this machine already joined to a domain? Has your domain-membership status changed as a result of the upgrade? Do you mean the screen in dcpromo when you're promoting a new member server?

[MSFT] jkaiser (Expert):
Q: From what I gather, most AD-based GPO security policies actually tattoo the registry. Is that true?
A: That depends on your configuration. Check out this page for a full explanation: https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/ed6131df-efca-4337-9594-583e19ca3b76.mspx

[MSFT] MDennis (Expert):
Q: What is the best way for me to report a bug found in XP SP2 Group Policy application?
A: Bugs should be reported to our Product Support group (PSS) - what is the bug?

[MSFT] JLeznek (Expert):
Q: The bug: We have a proxy, upgrade a client to SP2 via image/sus/whatever and "make proxy settings per computer" setting causes IE and anything that uses system proxy settings to hang. Apps that point manually to the proxy PAC file are fine.
A: You should contact PSS to verify it is a bug and see how it can be troubleshot.

[MSFT] jkaiser (Expert):
Q: Resources for sample GPO layouts of theoretical ADs? (i.e., small business, med business, large corporation? I'm interested less in a "best practices" essay or overview, and more in an example of how AD OUs and groups might be laid out).
A: Check out the OU structure and the sample GPOs in this "common scenarios" document. https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx

[MSFT] MDennis (Expert):
Q: What are some new features for Windows Server 2003 compared to Windows 2000 Server?
A: There are a few: WMI filters, RSoP infrastructure, better event logging (no event ID 1000), delegation of GP Results/Modeling, along with many hundreds of new settings. See https://www.microsoft.com/grouppolicy and the details here: https://www.microsoft.com/windowsserver2003/techinfo/overview/gpintro.mspx

[MSFT] Seva (Expert):
Q: What kind of tools are you planning on providing for comparing two GPOs, something more elegant than XML or Windiff??
A: There is no direct support for comparing two GPOs. What you can do is use GPMC to generate a report (in HTML or XML form). Then you can compare the reports using XmlDiff or Windiff. However, this doesn't work in many cases. I think a third-party tool called NetIQ Group Policy Administrator has support for GPO comparison. You might want to look at it. Also, you can compare ADM files using the ADMX tool.

Shaji [MSFT] UShaji (Expert):
Q: Is there a reason for the Default Domain and Default Domain Controller policies to have the same GUID? Do you see this as a potential issue when you have several child domains and you edit them? If this is a potential issue, when will it be fixed?
A: There is no issue with the default GPOs having the same GUID. In all the places GPOs are used (like links, etc.) or in the APIs, GPOs are identified by the tuple of . So it should work fine even when you edit child domain default GPOs, etc.

[MSFT] MDennis (Expert):
Q: Does MS offer any best practices on how to structure Active Directory OUs to best deploy GPOs?
A: Sure, look here https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b44ba1b5-9f85-4bee-84c9-1994921658cd.mspx

[MSFT] jkaiser (Expert):
Q: Does MS offer any best practices on how to structure Active Directory OUs to best deploy GPOs?
A: Check out this link: https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx
It includes a sample GPO structure, prepackaged GPOs, and associated documentation.

[MSFT] mrepass (Expert):
Q: I am not able to get the "DOMAIN CONTROLLER TYPE" screen while running dcpromo.exe on an upgraded Windows 2000 server.
A: Thanks for your questions Danish, best of luck in your troubleshooting. As I mentioned, the deployment planning guide might be a good starting place. Thanks.

[MSFT] Seva (Expert):
Q: When you implement redirection of my documents and desktop folders, when changes are made to reverse the setting, is there something else that needs to be done to push the change?
A: The Folder Redirection setting has the option "Redirect back to user profile on policy removal". If you set this option when you authored the FR setting, then when you unlink or remove the GPO, the folder will be redirected back. So the answer to your question would be: you don't have to do anything if you use this option. However, if you didn't originally set this option, then the folders will remain in the same location after policy removal. If you still want the folders to return to the local machine, you have to re-configure the FR policies to move the folders into the user profile.

[MSFT] MDennis (Expert):
Q: The current GPO auditing is severely lacking, namely if you want to find out the four Ws (who, when, where, what) of GPOs we cannot determine them that easily without digging through a lot of UserEnv, debug, or diagnostic logs. How do you plan on improving this?
A: You may want to look at some of the ResKit tools like GPMonitor if those aren't up to what you need. Take a look at https://www.GPTF.org for a good list of 3rd-party tools. Here is a link to the ResKit: https://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

[MSFT] MarkWill (Expert):
Q: Is it true that Group Policy is controlled by the PDC emulator role?
A: Not quite. Clients can pull Group Policy from any domain controller. Where I suspect you have read about the role of the PDC Emulator DC is that - by default - the administrative tools (GPEdit and GPMC) connect to that DC. However, that is not a requirement and it is possible to connect to any domain controller from these tools if that is preferred.

[MSFT] Seva (Expert):
Q: Is it true that Group Policy is controlled by the PDC emulator role?
A: A small addition to Mark's answer. The setting Mark talked about is User Configuration -> Administrative Templates -> System -> Group Policy -> Group Policy Domain Controller Selection.

[MSFT] mrepass (Expert):
misora> Yes, in the past I've had good luck using psexec with gpupdate.

[MSFT] JUDITHH (Expert):
Q: In our organization we have disabled some of the options in Outlook and other applications. Some of the more innovative employees have created a registry script to remove the policy keys that are being pushed out in the domain. Can this be detected?
A: First, we recommend not making your users administrators or power users. If you want to keep them administrators, you can increase the Group Policy refresh rate. Then set the policy that forces the administrative templates (registry settings) to be reapplied on each Group Policy refresh.

[MSFT] MDennis (Expert):
Q: The current GPO linking delegation is severely limited. How can you make the delegation of GPO linking more granular? Currently, if you give an SA linking rights they can link any GPO in the environment, which can be disastrous. How do you plan on addressing this?
A: Assuming that you've already given the SA rights to an OU then you can also restrict access for that SA to only a select set of GPOs by creating a group and assigning that group creator owner rights to just a few GPOs and ensure they are not in the GPCO group.

[MSFT] MDennis (Expert):
Q: Good morning everybody, I've got an urgent question. We have a few consultants in our office to install and train our people on a software package, but the install is requiring a SQL login and password. Our IT team has tried all the passwords they know of.
A: This is a Group Policy chat so this is not appropriate question for us. Try Product Support... :)

[MSFT] dpower (Expert):
Q: What is a good way to troubleshoot the following error: Security policies were propagated with warning. 0x4b8 : An extended error has occurred.
A: You might start with KB 324383, Troubleshooting SCECLI 1202 Events: https://support.microsoft.com/?id=324383

[MSFT] MDennis (Expert):
Q: How can you guarantee the GPOs were actually received and applied at the client? We would like to do this remotely on W2k and XP workstations/servers. We are aware of UserEnv, debug logging, etc., but we are looking for something more elegant.
A: Try GPMonitor in the ResKit, it might help with this. "guarantee" is an interesting word in this case. RSoP (GPResults) will tell you what GP did to the client. https://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

[MSFT] JLeznek (Expert):
Q: Can I apply Group Policy settings to different users on a machine without an AD controller?
A: Local policies apply to all users logging into the machine.

[MSFT] MDennis (Expert):
Q: My other computer is very slow on the internet when I am in regular mode, but when I go into safe mode with networking it is as fast as this computer. How do I fix it?
A: This is a Group Policy chat, and this is not related to GP in anyway, sorry...

[MSFT] MarkWill (Expert):
Q: Are there any issues with group policies not replicating to vmware virtual servers running on the same server?
A: We are not aware of any issues - have you seen some problems in this scenario?

[MSFT] JUDITHH (Expert):
Q: Is there a way to run clients in an offline mode so that they don't always have to be connected to the domain controller? I'd like to have a central domain controller without having a connection to the server at all times. Distributed-offline AD
A: If your machine is joined to a domain, Group Policy will not apply when offline. But it will not remove any policies either.

Shaji [MSFT] UShaji (Expert):
Q: Is there a way to detect (feedback) when a Group Policy is applied to a machine or a user account?
A: On the client machine, you can tell that a policy change happened by registering for notification. RegisterGPNotification API is documented in MSDN. Is that what you are looking for?

[MSFT] Seva (Expert):
Q: Regarding software installation: Are there any plans to change the requirement for a reboot/logon to process software installation?
A: Unfortunately Software Installation can only be applied during computer reboot or user logon. There are many technical problems which prohibit installation during background policy processing. Currently there are no plans to support it for this reason.

[MSFT] MDennis (Expert):
Q: One applies one or more patches (MSP) to an administrative installation of an MSI package, and then deploys the patched MSI via GP. Is this a supported method of deploying MSI packages? Q2: Is this a recommended method?
A: Yes, try this for more info - https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/3ddda5bf-cf67-4408-b68c-7e1fcb5e47ee.mspx
or here for more broad info https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/3ddb5bec-a454-4e9b-a6e7-397ee7c4ea3a.mspx

[MSFT] JLeznek (Expert):
Q: Is there a walkthrough for software deployment in a Windows 2003 environment?
A: Yes, try this for more info - https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/3ddda5bf-cf67-4408-b68c-7e1fcb5e47ee.mspx
or here for more broad info https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/3ddb5bec-a454-4e9b-a6e7-397ee7c4ea3a.mspx

Shaji [MSFT] UShaji (Expert):
Q: What is the best method for dumping GPOs and rights assignments of those GPOs for auditors?
A: You should try GPMC reporting and see whether it fits your needs. GPMC reporting does skip over a few of the IE settings. The ones that it skips are documented in GPMC relnotes.

[MSFT] jkaiser (Expert):
Q: How do I set a policy to lower security settings in Access 2003?
A: Look in the Access 2003 ADM file. There is a policy named Security Level, located in Tools\Macro\Security. For the updated ADM file, see https://office.microsoft.com/en-us/assistance/HA011513601033.aspx

[MSFT] dpower (Expert):
Q: I've tried the KB324383... I'm still not quite sure what is going on. It says the following: Error 1168: Element not found. Some user rights are not defined in SecEdit. Error 1168: Element not found. Error configuring S-1-5-32-544.
A: I think the best next step would be to contact the support team. They'll likely have a methodical way to step through your issue.

[MSFT] Seva (Expert):
Q: (Cont.) ...as the component states are overwritten by the AAS advertisement of Package A upon User B's login. Any plans to improve this process to allow only a repair of the missing components?
A: Unfortunately, there are no plans to change this scenario. I understand that this is not the best way to install software for multiple users. A computer-assigned package would of course be a better choice, if at all applicable for your environment. Using SMS you can optimize this scenario. If you have SMS already deployed in your organization, you should look into this.

[MSFT] MDennis (Expert):
Q: I gotta say... AD is getting pretty outdated... Are there any plans to move the AD database to SQL Server?
A: Not that we're aware of - though I'd have to argue with it being outdated :) You may want to follow up with the AD team...

[MSFT] mrepass (Expert):
Q: I'll look into that thanks. I just want a way to detect which computers/users keep getting updated so I can detect which users are undoing the policies. Would RegisterGPNotification work for this purpose?
A: To cut right to the issue, you might want to enable auditing on the keys themselves and analyze the logs. That might give you some insights into how the keys are being modified as well.

Shaji [MSFT] UShaji (Expert):
Q: Are there any plans to make detailed documentation about the attributes of a "packageRegistration" object publicly available, so that one can programmatically create software packages within a GPO?
A: packageRegistration is documented here in MSDN. https://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/c_packageregistration.asp
There are no current plans to provide more detailed documentation as of this time.

[MSFT] dpower (Expert):
Q: Looking for a way to disable wireless products on laptops, even when they are no longer connected to the domain.
A: I'm not aware of a Group Policy setting to do this. You should send this request in to www.WindowsServerFeedback.com

[MSFT] JLeznek (Expert):
Q: I've been testing the MS AntiSpyware product; any plans to integrate control of its settings and configuration through GPO?
A: We are exploring how to integrate Group Policy management with AntiSpyware but have nothing to announce at this time. Stay tuned!

[MSFT] JUDITHH (Expert):
Q: I'm new to GPO and was wondering if there is a way to force/change the same time zone on all PCs on the domain.
A: Please send in feedback to https://www.WindowsServerFeedback.com to provide this policy.

[MSFT] MDennis (Expert):
Q: How do I force update of Group Policy throughout the domain?
A: There is no way to do this in the product today, why do you need this?

[MSFT] Seva (Expert):
Q: Seva. Thanks for your response. Regarding software installation during background policy refresh. Can you expand on the technical problems?
A: The technical problems are very simple ones. We cannot interrupt a user who is already logged on, so we cannot re-install applications, cannot uninstall applications, and cannot upgrade applications. The only safe time to perform software installation is when no one is using the applications, that is, before the user gets access to the desktop.

[MSFT] MDennis (Expert):
Q: Are there any feature/functionality improvements to software installation on Longhorn that you can comment on?
A: No, we have no significant improvements to GP-SI in Longhorn. If you need something that isn't present, take a look at SMS.

[MSFT] dpower (Expert):
Q: Which policies touch the Quick Launch toolbar? They keep going away after reboots and I cannot find the policy controlling this.
A: There are settings available in Administrative Templates\Start Menu and Task Bar under User Configuration.

[MSFT] MDennis (Expert):
Useful links for Group Policy folks:
https://www.microsoft.com/GroupPolicy
https://www.WindowsServerFeedback.com

[MSFT] Seva (Expert):
Q: Seva. Thanks again. It would seem computer-assigned applications could then be processed if no one is logged on. This would seem to facilitate the use of GP for software distribution for servers (or computers that are not actively used)...
A: The same reason: a user might be using the application. Imagine you have computer-assigned Microsoft Office and uninstall it while a user is working on a document :)

[MSFT] MDennis (Expert):
Q: (cont): Is this/Can this be a future feature of GP? (Dennis...no plugs for SMS Please ;) )
A: No, sorry

[MSFT] Seva (Expert):
Q: Is there a recommended base security template for Terminal Server 2003? What if the option for "Start a Program on Connection" is enabled under /Terminal Services? It appears to lock users into the app, but to what extent?
A: You can use Windows Security Analyzer to configure Server 2003 SP1. It is a very powerful tool that can work with Server 2003 SP1 only.

[MSFT] Carolyn (Moderator):
I'd like to thank our experts for joining us today on a Microsoft Community Chat to talk about Group Policy. We are sorry we could not answer all your questions.

If you would like further information on today's topic, please visit the following URLs:
https://www.microsoft.com/technet/grouppolicy
https://www.GroupPolicyWiki.com
https://www.WindowsServerFeedback.com
We will post the transcript from today's chat at https://www.microsoft.com/technet/community/chats/trans/default.mspx
Thanks for your interest and feedback! We are going to leave now. You are welcome to continue chatting in the lower window. We encourage you to use it anytime we are not doing a scheduled chat.
