Group Policy Team Chat
June 11, 2004
Published: July 16, 2004
Please note: Portions of this transcript have been edited for clarity.
Introduction
Moderator: Julia (Microsoft)
Welcome to today’s chat. Our topic today is Group Policy. I am Julia Ziobro, your moderator for this chat and a Technical Editor in the Windows Server group. I am pleased to welcome our experts for today, including Mark, Mike, Rahul, Scott, John, Rhynier, and Michael. I will have them introduce themselves now.
Host: Mark (Microsoft)
Hello, my name is Mark Williams and I am a Program Manager in the Group Policy team.
Host: Mike (Microsoft)
Hi my name is Mike Brannigan, I'm an Enterprise Strategy and Senior Consultant, specializing in Active Directory and Windows Platforms (XP, Server 2003 etc).
Host: Rahul (Microsoft)
Hello, I am Rahul Gupta and I am a developer in the Group Policy Team.
Host: Scott (Microsoft)
Hi, my name is Scott Cousens, I'm a tester for Group Policy.
Host: John (Microsoft)
Hello, my name is John Kaiser and I'm the technical writing lead for Group Policy.
Host: Rhynier (Microsoft)
Hi, I'm Rhynier Myburgh, a developer in the Group Policy team.
Host: Michael (Microsoft)
Hello, I'm Michael Dennis the Lead PM for Group Policy at Microsoft. Some call me the "old man" of Group Policy :-)
Moderator: Julia (Microsoft)
Today we will be discussing Group Policy, including questions you might have around the many new policy settings introduced in Windows XP Service Pack 2.
Start of Chat
Host: Mark (Microsoft)
Q: What is Group Policy?
A: The best place to learn about Group Policy is through http://www.microsoft.com/grouppolicy.
Host: Michael (Microsoft)
Q: We have issues with Group Policy settings applying when the user is a local administrator. Is this a known issue?
A: No, GP applies to administrators as well as not. What does RSoP say?
Host: Mike (Microsoft)
Q: When I tried a domain logon, the GP did not apply to the user (it was to hide all desktop icons).
A: Check that the user or a group they are in has the appropriate permissions on the GPO to allow them to read the policy and apply it. Also ensure that the settings you are making in the GPO are for the user unless the machine is also in that OU.
Host: John (Microsoft)
Q: Is there a comprehensive listing to be found somewhere that will not only list what each policy setting is, but also explains the effect of enabling or disabling it?
A: The spreadsheet showing all current .adm policy settings is located here: http://go.microsoft.com/fwlink/?linkid=15165
Moderator: Julia (Microsoft)
This might also be helpful: <http://www.microsoft.com/downloads/details.aspx?FamilyID=354b9f45-8aa6-4775-9208-c681a7043292&displaylang=en> Group Policy Common Scenarios white paper
Host: Mike (Microsoft)
Q: the policy was definitely for the user in the adm template
A: But did you check the permission on the GPO to ensure the user or a group can read and apply it?
Host: Mark (Microsoft)
Q: Is it possible to create a nested WMI filter? e.g. Select * From win32_computersystem where manufacturer Like "Compaq" OR "Dell" OR "Hewlett Packard" and then include the models also.
A: That's really a WMI issue rather than Group Policy per se. In evaluating WMI filters Group Policy will honor any valid WMI query (WQL) so it's probably best to look into the WQL language itself for the answer to this question. The WMI Scripting Guide should have this information.
Host: Mike (Microsoft)
Q: How to check GPO application?
A: Resource Kit Tool GPResult - this will help you troubleshoot GPO application etc.
Host: Scott (Microsoft)
Q: No, I didn’t check the GPO permissions, that is the next step. If the permissions are read and apply, what would be the next step in diagnosing the problem?
A: Another avenue to troubleshoot: look in the event log for any errors during logon.
Moderator: Julia (Microsoft)
This could be helpful too <http://go.microsoft.com/fwlink/?LinkId=14949> Troubleshooting Group Policy white paper
Host: John (Microsoft)
Q: Is there a "new for SP2" Group Policy document?
A: We will be releasing a document for the XPSP2 release. Check http://www.microsoft.com/technet/grouppolicy
Host: Mark (Microsoft)
A: Also, http://go.microsoft.com/fwlink/?linkid=22031&clcid=0x409 has a list of all policy settings included in XP SP2 RC1.
Host: Mike (Microsoft)
Q: Still haven’t seen the ADM settings for the XP SP2 Final.
A: When you install SP2 on a Windows XP machine it places an updated system.adm (plus wuau.adm) file on the PC.
Host: Mike (Microsoft)
A: There is also a document about the Firewall settings at http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
Host: Michael (Microsoft)
We are pleased to announce the availability of all current and previously released Group Policy Administrative Template files (.adm files). http://go.microsoft.com/fwlink/?LinkId=31057 Previously, customers could only obtain the most recent .adm files by obtaining the latest service pack or operating system. Now, these .adm files are available directly from this page.
Host: Mike (Microsoft)
Q: This may be off topic a little. I want to download a trial version of Windows Server 2003 and set up the domain controller on my home computer... is it possible to get Windows XP Home to logon to this server? just as a testbed for GP?
A: No, Windows XP Home Edition cannot be a member of a domain, so you will not be able to log in and receive policy etc.
Host: Michael (Microsoft)
Q: How do I run GPMC?
A: Download it from here http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en then install it on your admin machine, and then go from there...
Host: Scott (Microsoft)
Q: Are there any policies that cannot be applied via a local machine gpedit.msc, e.g. policies that can only be set and applied through an AD domain?
A: Yes, there are. Generally under the security settings node.
Host: Mike (Microsoft)
Q: If I'm not mistaken GP for Windows update is applied to computers not people right?
A: Correct, the Windows Update ADM file wuau.adm only sets HK Local Machine Registry Keys.
Host: Mike (Microsoft)
Q: I've noticed a difference in the speed in which updates are applied via GP. GP settings for both are the same. An admin logging in seems to get them much quicker than a regular user. Is this my imagination or...?
A: Admin accounts are usually read only and not apply - so you may not be getting all the GPs that a regular user may be getting. This would improve login time.
Host: Mike (Microsoft)
Q: actually it's almost instantaneous for an Admin vs. hours for users - is a delay that long possible?
A: If you remove all policy from a user does their login time become more "reasonable"?
Host: Mike (Microsoft)
Q: Well, it's not the login time that takes so long - it’s the time until the client begins receiving the updates.
A: Are you actually talking about the application of system/software updates via Windows Updates - not actually a GPO problem?
Host: Mike (Microsoft)
Q: No - just the Security Updates. I tested it in a lab and the first row (admin) received the updates fast - the second row took a long time. Strange in that the settings were the same. I thought it was a user level issue.
A: OK, so this is a security patch being deployed by Windows Update or SUS? If so then it is still a machine setting and not user related. You may be encountering issues with the settings you have set for time to do the check for updates and then the time to deploy at. Your users may have just missed their window.
Host: Mike (Microsoft)
Q: the updates are all via our SUS server.
A: There are still issues that can occur around the timing of when a client downloads the patch and when it is applied and the offset associated with this.
Host: Michael (Microsoft)
Q: If I download 2 trials of Windows 2003 Server, it's possible to get one to join and log on to the domain, isn’t it?
A: We assume so, but we are GP experts not license gurus :-)
Host: Michael (Microsoft)
Q: Are there any policies that cannot be applied via a local machine gpedit.msc, e.g. policies that can only be set and applied through an AD domain?
A: Yes, Software Installation and Folder Redirection and some security settings can only be applied via a domain based GPO.
Host: Adam (Microsoft)
Q: Can you go over exactly what happens when you select "Redeploy Application" in Group Policy's Software Installation area? I.E. what are the equivalent MSIEXEC command line options, etc? Thanks
A: This change will cause clients to "reinstall" the product, picking up any changes you've made to the msi / source files. It is useful for patching scenarios. I can't tell you the exact msiexec command line, except that you need to include "v" for the REINSTALLMODE.
Host: Michael (Microsoft)
Q: I work in a school with about 1000 clients. Is the GP to deploy XP SP2 (final) still suggested to go to 10 clients at a time or are there any other strategies?
A: For any large application (or SP) you need to be aware of the network impact on the targeted set of machines. The actual number is based on your network.
Host: Mark (Microsoft)
Q: Is there a list of security settings that can ONLY be applied via a domain based GPO? Some document, hidden somewhere?
A: You should be able to locate this information in the Threats and Countermeasures security whitepaper, which you can find here: http://www.microsoft.com/downloads/details.aspx?FamilyID=1b6acf93-147a-4481-9346-f93a4081eea8&displaylang=en
Host: Michael (Microsoft)
Q: not really a question, but I've got to say, Group Policies + the GPMC is the greatest thing since sliced bread
A: Glad to hear the feedback thanks! I wonder what you need the most next in GP to put on the sliced bread?
Host: Mark (Microsoft)
Q: Do you know if 2142 has more than the 107 RC1 GP additions and if any others are planned?
A: Yes, there are a significant number of additional policy settings in RC2 (over 200 beyond what we shipped with WS 2003). Mainly around Internet Explorer.
Host: John (Microsoft)
Q: What are the main factors affecting GPO processing time?
A: Number of settings and the type in a GPO. Potential use of WMI filters. Essentially, it's the size of what gets downloaded to the machine that will have the biggest impact.
Host: Mark (Microsoft)
Q: When will the 200 new GPs be documented?
A: Yes - after RC2 is released I will be updating the spreadsheet at http://go.microsoft.com/fwlink/?linkid=22031&clcid=0x409
Host: Scott (Microsoft)
Q: Software Installation question: Can you go over exactly what happens when you select "Redeploy Application" in Group Policy's Software Installation area? I.E. what are the equivalent MSIEXEC command line options, etc?
A: Depends on who is asking the question and what the context is. *Generally* speaking “Redeploy Application” does a reinstall. It’s *roughly* equivalent to msiexec /fv /fo /fu /fm /fs.
Host: Michael (Microsoft)
Q: I am a beginner and not a professional of any kind, I am just a fast learner and a hard worker... how is it possible to accomplish automatic updates in windows with a GPO?
A: The biggest number of settings are in the "Administrative Templates" node in GPEdit. Including the AU setting. Look in the Windows Update folder.
Host: Michael (Microsoft)
Q: I've heard several people refer to "cached GPOs" - can you describe specifically what this means?
A: They really aren't "cached", though it seems to behave like that. Once policy settings are applied they "stick" until GP removes them. Giving the impression that they are "cached". When policy fails to refresh due to being offline, the existing settings are still there and still in effect, thus the name 'cached'.
Host: Michael (Microsoft)
Starting links for Group Policy info: http://www.Microsoft.com/GroupPolicy, http://www.Microsoft.com/TechNet/GroupPolicy, http://www.GPAnswers.com
Moderator: Julia (Microsoft)
Thank you Mark, Adam, Scott, John, Michael, Mike, and Rhynier for joining us today on a Microsoft Community Chat to talk about Group Policy.
If you have further questions about Group Policy, check out the newsgroup <http://go.microsoft.com/fwlink/?LinkId=15390> Group Policy Newsgroup (microsoft.public.windows.group_policy)
If you would like further information on this topic please visit the following URL: <http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx> Windows Server 2003 Group Policy Technology Center
Host: Michael (Microsoft)
Thank you for joining us - come back again next time! Want to provide additional feedback? Go to http://www.WindowsServerFeedback.com