
Category: Group Policy


 

Those of you who have taken classes with me or have ever experienced the joys of using GPOs know their power. With great power also comes great responsibility (thanks Spiderman for this pearl of wisdom). We know that you can very easily affect TOO many machines or the wrong kind of machines when linking your Group Policy objects. To help ease this we have two ways of narrowing the scope of who or what the GPOs will apply to: Security filtering and WMI filtering.

Security filtering works very well, so don’t let me talk you out of using it. You can use things like your built-in Windows security groups (domain based) to help filter out who or what the object will be applied to. Remember, any object needs two rights to be able to read and process a GPO: the Read right on the object and the Apply group policy right. Once one of the two is denied, either explicitly or implicitly, the GPO won’t be applied to the AD object. As well as this works, what if we wanted to be very granular in what the policy applies to? What if I wanted to only apply this GPO to machines that have 20 GB or more of free space? This is where WMI comes in.

WMI stands for Windows Management Instrumentation and can query almost anything configuration or hardware wise on the local machine. We can use the power of WMI to act as a filter that matches criteria set inside of GPOs. “Chad, I don’t want to have to learn an entire language just for a random WMI query or two. Seriously, isn’t there another way to use WMI without having to do a boatload of research??” Funny that you ask that. Microsoft has had a tool out there since 2005 called the WMI Code Creator! This handy GUI tool allows you to browse and build queries off of different parts of the WMI namespaces!

Feel free to check it out, it’s no charge!  WMI Code Creator v1.0

Also check out my earlier post on WMI info
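Here is the 20 GB free-space filter from above as a WQL query, with a small helper to evaluate it on a test machine before the filter is linked to a GPO. This is an added example, not code from the original post or from Microsoft; the function name `Test-GpoWmiFilter`, the choice of drive C: and reading "20 GB" as 20 * 1024^3 bytes are assumptions, and it needs PowerShell 3.0 or later for `Get-CimInstance`.

```powershell
# Added example: evaluate a candidate GPO WMI filter query on a test machine.
# A WMI filter evaluates to true when its query returns at least one instance,
# so "would the GPO apply here?" is the same as "did the query match anything?".
function Test-GpoWmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string] $Query,
        [string] $Namespace = 'root\CIMv2'
    )

    $result = [ordered]@{
        Namespace  = $Namespace
        Query      = $Query
        MatchCount = 0
        WouldApply = $false
        Error      = $null
    }

    try {
        # @() forces an array so .Count is reliable for 0 or 1 result
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        $result.MatchCount = $hits.Count
        $result.WouldApply = ($hits.Count -gt 0)
    }
    catch {
        # Bad WQL syntax or a class that does not exist in this namespace lands here
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Assumptions: the disk that matters is C:, and 20 GB means 20 * 1024^3 bytes.
# Win32_LogicalDisk.FreeSpace is reported in bytes.
$minFreeBytes = 20GB
$query = "SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:' AND FreeSpace >= $minFreeBytes"

# Show the real free space first so the filter result can be sanity-checked
Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID = 'C:'" |
    Select-Object DeviceID,
        @{ Name = 'FreeGB'; Expression = { [math]::Round($_.FreeSpace / 1GB, 1) } }

# Evaluate the filter the way the client would: any match means the GPO applies
Test-GpoWmiFilter -Query $query
```

Run it on one machine that should match and one that should not; if both behave as expected, the text in `$query` is what goes into the WMI filter, with `root\CIMv2` as the namespace.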

 
In today’s 6291 "Upgrading your XP skills to Windows 7" class, classmate Dave asked a great question…

"Can I manage the Compatibility view settings for IE8 via policy? Can I preset which sites should be used with compatibility mode?"

AWESOME question! This is where I begin the massive dump of information. Below are the associated links :-)

First is a good resource for what you can and can’t control in IE8 via Group Policy from TechNet

Now that is great and all, but we specifically were asking about Compatibility mode and GPOs.
 

Because Internet Explorer 8 renders web pages differently from previous versions of Internet Explorer, there is a good chance that one or more web pages you or your users regularly visit are broken or not displaying properly in IE8. Fortunately there is a compatibility mode in IE8 that makes web pages render as though they were displayed in IE7. This action is normally a manual one, and the main problem here is that very few users are aware of this compatibility mode. To alleviate problems for the end users you can control the settings and the compatibility list of web sites using Group Policy objects.

Start the Group Policy manager and go to Computer configuration > Administrative templates > Windows Components > Internet Explorer > Compatibility view and there look for “Use Policy List of Internet Explorer 7 sites”. Add the URLs for the web sites that you want IE 8 to always render in IE7 mode.

AWESOME! Now what if I wanted even MORE info on IE8 and policy settings? Well, make sure you hit up the following link :-) taken from the MSDN IE Blog

IE8 Group Policy

 
Greg asked another great question earlier this week: "Can I use WMI Software filtering for GPO filtering?"

Sure can, Greg, here is the document I found to confirm it. Now to just learn WMI scripting, right? Here is a good starting point for WMI, and you should also follow @ScriptingGuys on Twitter: http://www.twitter.com/ScriptingGuys

What is the deal with these GPO troubleshooting tools?

GPO Log View…

GPResult

GPO Tool

Here are the deep-dive details on the GPO settings and how they are used.

UAC GP settings for win 7

Here is some great info (stolen from THIS technet doc)

Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2
Deploying Windows Firewall Settings With Group Policy
Published: December 17, 2004

The best way to manage Windows Firewall settings in an organization network is to use Active Directory and the new Windows Firewall settings in Computer Configuration Group Policy. This method requires the use of Active Directory with either Windows 2000 or Windows Server 2003 domain controllers. Group Policy updates are requested by the domain member computer, and are therefore solicited traffic that is not dropped when Windows Firewall is enabled.

When you use Group Policy to configure Windows Firewall, by default local administrators will be unable to change some elements of its configuration locally, using the Windows Firewall component in Control Panel. Some tabs and options in the Windows Firewall dialog box will be grayed out and unavailable.

The basic steps for deploying Windows Firewall settings for Windows XP SP2 with Active Directory are the following:

  1. Update your Group Policy objects with the new Windows Firewall settings.

  2. Specify Windows Firewall settings for your Group Policy objects.

The following sections describe these steps in detail.

Notes

  • It is strongly recommended that you test your Windows Firewall Group Policy settings in a test environment before you deploy them in your production environment to ensure that your Windows Firewall Group Policy configuration does not result in unintended vulnerabilities.

  • The procedure to update your Group Policy object with the new Windows Firewall settings will replace the System.adm file that is stored for the Group Policy object being modified with the version that is provided with Windows XP SP2, which includes the new Windows Firewall settings. If a Group Policy administrator on your production network performs this procedure, your production environment will be updated.

  • Once you update your Group Policy objects, you can only modify them from a computer running Windows XP with SP2. An update is available through Microsoft Product Support Services (PSS) to allow you to modify Group Policy settings from computers running Windows 2000. Microsoft is working on updates for Windows XP SP1 and Windows Server 2003.

Step 1: Updating Your Group Policy Objects With the New Windows Firewall Settings

To update your Group Policy objects with the new Windows Firewall settings using the Group Policy snap-in (provided with Windows XP), do the following:

  1. Install Windows XP SP2 on a computer that is a member of the domain that contains the computer accounts of the other computers running Windows XP on which you plan to install Windows XP SP2.

  2. Restart the computer and log on to the Windows XP with SP2-based computer as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

  3. From the Windows XP desktop, click Start, click Run, type mmc, and then click OK.

  4. On the File menu, click Add/Remove Snap-in.

  5. On the Standalone tab, click Add.

  6. In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.

  7. In the Select Group Policy Object dialog box, click Browse.

  8. In the Browse for a Group Policy Object, click the Group Policy object that you want to update with the new Windows Firewall settings. An example is shown in the following figure.

    [Figure: WSFP1202_big.gif]

  9. Click OK.

  10. Click Finish to complete the Group Policy Wizard.

  11. In the Add Standalone Snap-in dialog box, click Close.

  12. In the Add/Remove Snap-in dialog box, click OK.

  13. In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. An example is shown in the following figure.


    [Figure: WSFP1203_big.gif]

Repeat this procedure for every Group Policy object that is being used to apply Group Policy to computers that will have Windows XP SP2 installed.

Note  To update your Group Policy objects for network environments using Active Directory and Windows XP SP1, Microsoft recommends that you use the Group Policy Management Console, a free download. For more information, see Group Policy Management Console with Service Pack 1.

Step 2: Specifying Windows Firewall Settings for Your Group Policy Objects

After a Group Policy object has been updated, it can be configured for Windows Firewall settings that are appropriate for Windows Firewall and the use of management, server, listener, or peer applications and services that are being run on your computers running Windows XP with SP2.

There are two sets of Windows Firewall settings to configure:

  • The domain profile settings that are used by the computers when they are connected to a network that contains domain controllers for the domain of which the computer is a member.

  • The standard profile settings that are used by the computers when they are connected to a network that does not contain domain controllers for the domain of which the computer is a member.

If you do not configure standard profile settings, their default values are still applied. Therefore, it is highly recommended that you configure both domain and standard profile settings and that you enable the Windows Firewall for both profiles, except if you are already using a third-party host firewall product.

As previously described, the standard profile settings are typically more restrictive than the domain profile because the standard profile settings do not need to include applications and services that are only used in a managed domain environment.

Both the domain profile and standard profile contain the same set of Windows Firewall settings, as shown in the following figure.

[Figure: WSFP1204_big.gif]

The Windows Firewall Group Policy settings for the domain and standard profiles consist of the following:

  • Windows Firewall: Protect all network connections  Used to specify that all network connections have Windows Firewall enabled.

  • Windows Firewall: Do not allow exceptions  Used to specify that all unsolicited incoming traffic be dropped, including excepted traffic.

  • Windows Firewall: Define program exceptions  Used to define excepted traffic in terms of program file names.

  • Windows Firewall: Allow local program exceptions  Used to enable local configuration of program exceptions.

  • Windows Firewall: Allow remote administration exception  Used to enable remote configuration using tools such as Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).

  • Windows Firewall: Allow file and print sharing exception  Used to specify whether file and printer sharing traffic is allowed.

  • Windows Firewall: Allow ICMP exceptions  Used to specify the types of Internet Control Message Protocol (ICMP) messages that are allowed.

  • Windows Firewall: Allow Remote Desktop exception  Used to specify whether the Windows XP-based computer can accept a Remote Desktop-based connection request.

  • Windows Firewall: Allow UPnP framework exception  Used to specify whether the computer can receive unsolicited UPnP messages.

  • Windows Firewall: Prohibit notifications  Used to disable notifications.

  • Windows Firewall: Allow logging  Used to enable logging of discarded traffic, successful connections, and to configure log file settings.

  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests  Used to discard the unicast packets received in response to a multicast or broadcast request message.

  • Windows Firewall: Define port exceptions  Used to specify excepted traffic in terms of TCP and UDP ports.

  • Windows Firewall: Allow local port exceptions  Used to enable local configuration of port exceptions.

For detailed information about these settings, including example dialog boxes, see Appendix A.

Use the Group Policy snap-in to modify the Windows Firewall settings in the appropriate Group Policy objects. Note that you only need to modify Windows Firewall settings for Group Policy objects that are applied to Active Directory system containers (domains, organizational units, and sites) that contain computer accounts corresponding to computers that are or will be running Windows XP with SP2.

Once you configure the Windows Firewall settings, the next refresh of Computer Configuration Group Policy downloads the new Windows Firewall settings and applies them for computers running Windows XP with SP2. Computers that are running Windows 2000, Windows Server 2003, Windows XP with SP1, or Windows XP with no service packs installed ignore the new Windows Firewall settings.

Recommended Settings for Windows Firewall Group Policy Settings

The following are the recommendations for the Windows Firewall Group Policy settings for Windows XP SP2:

  • Windows Firewall: Protect all network connections  Enabled

  • Windows Firewall: Do not allow exceptions  Not configured

  • Windows Firewall: Define program exceptions  Enabled and configured with the programs (applications and services) used by the computers running Windows XP with SP2 on your network for managed, server, listener, or peer applications.

  • Windows Firewall: Allow local program exceptions  Enabled, unless you don’t want local administrators to be able to configure program exceptions locally.

  • Windows Firewall: Allow remote administration exception  Disabled, unless you want to be able to remotely administer computers running Windows XP with SP2 with MMC snap-ins or remotely monitor them using WMI.

  • Windows Firewall: Allow file and print sharing exception  Enabled only if the computers running Windows XP with SP2 are sharing local folders and printers.

  • Windows Firewall: Allow ICMP exceptions  Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic.

  • Windows Firewall: Allow Remote Desktop exception  Enabled only if you use Remote Desktop to connect to Windows XP with SP2-based computers.

  • Windows Firewall: Allow UPnP framework exception  Enabled only if you use UPnP devices on your network.

  • Windows Firewall: Prohibit notifications  Disabled

  • Windows Firewall: Allow logging  Not configured

  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests  Disabled

  • Windows Firewall: Define port exceptions  Enabled and configured with the TCP and UDP ports used by the computers running Windows XP with SP2 on your network for managed, server, listener, or peer programs that cannot be specified by filename.

  • Windows Firewall: Allow local port exceptions  Enabled, unless you don’t want local administrators to be able to configure port exceptions locally.
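One way to check a client against the fixed-value recommendations above, for both the domain and the standard profile, is to read what the policy left in the registry. This is an added example, not part of the TechNet document; the registry key and value names under `HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall` are an assumption about where these policies are written and should be confirmed against your own administrative template, and the function names are hypothetical.

```powershell
# Added example (not from the TechNet document).
# ASSUMPTION: the Windows Firewall policies are written under this key, one
# subkey per profile, using the value names listed below. Confirm them against
# the administrative template in your environment before relying on the result.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Want: 1 = Enabled, 0 = Disabled, $null = Not configured (value absent).
# Only recommendations with a fixed value are listed; the "Enabled only if ..."
# ones depend on your network and are left out on purpose.
$Recommended = @(
    @{ Setting = 'Protect all network connections';       SubKey = '';                    Name = 'EnableFirewall';       Want = 1 }
    @{ Setting = 'Do not allow exceptions';               SubKey = '';                    Name = 'DoNotAllowExceptions'; Want = $null }
    @{ Setting = 'Allow remote administration exception'; SubKey = 'RemoteAdminSettings'; Name = 'Enabled';              Want = 0 }
    @{ Setting = 'Prohibit notifications';                SubKey = '';                    Name = 'DisableNotifications'; Want = 0 }
    @{ Setting = 'Prohibit unicast response to multicast or broadcast requests'
       SubKey  = ''; Name = 'DisableUnicastResponsesToMulticastBroadcast'; Want = 0 }
)

function ConvertTo-PolicyState($Value) {
    if ($null -eq $Value) { 'Not configured' }
    elseif ($Value -eq 1) { 'Enabled' }
    else                  { 'Disabled' }
}

function Get-FirewallPolicyDrift {
    foreach ($profileName in 'DomainProfile', 'StandardProfile') {
        foreach ($item in $Recommended) {
            $key = "$PolicyRoot\$profileName"
            if ($item.SubKey) { $key = "$key\$($item.SubKey)" }

            # A missing key or value means the policy is not configured
            $actual = $null
            if (Test-Path -Path $key) {
                $prop = Get-ItemProperty -Path $key -Name $item.Name -ErrorAction SilentlyContinue
                if ($prop) { $actual = $prop.($item.Name) }
            }

            [pscustomobject]@{
                Profile     = $profileName
                Setting     = $item.Setting
                Recommended = ConvertTo-PolicyState $item.Want
                Actual      = ConvertTo-PolicyState $actual
                Matches     = ($actual -eq $item.Want)
            }
        }
    }
}

Get-FirewallPolicyDrift | Format-Table -AutoSize
```

A standard profile that comes back "Not configured" for Protect all network connections is the case the document warns about: the defaults apply whenever the machine is off the domain network.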

Group Policy Settings in Mixed Windows XP Environments

A mixed Windows XP environment is one in which there are both Windows XP with SP1 or Windows XP with no service packs installed and Windows XP with SP2-based computers present. For computers running Windows XP with SP1 or Windows XP with no service packs installed, the only way to control Windows Firewall behavior through Group Policy is to use the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting in Computer Configuration/Administrative Templates/Network/Network Connections. This Group Policy setting is still present when Group Policy objects are updated for the new Windows Firewall settings. Computers running Windows XP with SP1 or Windows XP with no service packs installed only implement the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting.

Computers running Windows XP with SP2 implement both the Prohibit use of Internet Connection Firewall on your DNS domain network setting and the new Windows Firewall settings in the following way:

  • If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and there are no changes to the default values of the new Windows Firewall settings, then Windows Firewall is disabled when connected to the network from which the Group Policy object was obtained.

  • If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and the Windows Firewall: Protect all network connections setting is enabled, then Windows Firewall is enabled when connected to the network from which the Group Policy object was obtained with new Windows Firewall settings.

Disabling the Use of Windows Firewall Across Your Network

If you are already using a third-party host firewall product, then it is recommended that you disable Windows Firewall. If you are not already using a third-party host firewall product, then it is recommended that you enable Windows Firewall to prevent the spread of malicious programs that make it past the firewall that separates your network from the Internet.

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are using a third-party host firewall, then you should configure the following Group Policy settings:

  • Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

  • Domain profile – Windows Firewall: Protect all network connections is set to Disabled

  • Standard profile – Windows Firewall: Protect all network connections is set to Disabled

These settings ensure that Windows Firewall is not used, whether the computers are connected to your organization network or not.

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are not using a third-party host firewall, then you should configure the following Group Policy settings:

  • Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

  • Domain profile – Windows Firewall: Protect all network connections is set to Disabled

  • Standard profile – Windows Firewall: Protect all network connections is set to Enabled

These settings ensure that the Windows Firewall is not used on your organization network, but is used when the computers are not connected to the organization network.

I am having some weird issues with a GPO being applied properly. How can I know if it’s failing or not? Well, outside of the standard fare of checking things like blocking of inheritance and enforcement at the server level, we can check local Event Viewer logs and GPO-specific logs. Also, don’t forget about the GPOLogView tool, which is free from MS :)

Here is a nice TN article on the paths for the different logs..

GPO log file locations

Windows Server 2008 and Vista now use an XML-based administrative template structure which is language and version agnostic. If you ever update a template within a GPO it’s only shown in that GPO. Now we have the ability to set up and use a central repository for your ADMX-based templates. This has to be created manually, which kinda stinks, and also updated manually. So if you get a newer version of an ADMX file you’ll need to copy it to this admin-created location. Once done though, all GPOs will pull from the updated copy. Below is a link on how to do so, great video too!

Creating the GPO central Store

"Chad, I need to stop a set of users from running an application. Problem is they are local admins and they keep reinstalling it!"
 
This is a perfect job for (insert dramatic music here…) SOFTWARE RESTRICTION IN GROUP POLICY!!
 
[was that dramatic enough?]
 
Here is a great link on how to set them up :)