Category Archives: GPO

Looking for a GP object?


Some time ago I wrote about finding the exact setting in your Group Policy editor, which is certainly quite useful. But that is vital when you are creating a new GPO or looking for a value in one specific existing GPO. What if you want to see which GPOs in your environment contain settings from a particular area? Since the age of Server 2003 there has been an answer. Not an ideal one, but still, it is better than nothing.

So, you need to find which of your GPOs have settings related to security? Let’s find one:

1) Start the GPMC console and right-click the domain you want to look through:

After clicking on “Search…” you’ll get the search interface:


Say we are looking for security settings in the computer part of GPOs. OK, here we go, just add this to the search criteria:

And hit the search button:


As you can see, there are two GPOs in the domain (the default ones) which contain security settings.

Wonderful! Or is it? Well, as I said, it is better than nothing, but not everything you’d like to see. What can be improved? For example, I’d like to search for the GPOs under any OU, not only from the root of the domain. Next, it’d be great to be able to search by the name of a particular setting. Any ideas from you, my readers?
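One way to get both of those outside the GPMC search dialog, as an added example that is not part of the original post: it reads each GPO's XML report with the GroupPolicy PowerShell module and reports the GPOs that contain a given settings area, optionally limited to one OU's links or to a piece of setting text. The function name, the OU distinguished name and the setting text are assumptions made for illustration.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy

function Find-GpoBySetting {
    param(
        [ValidateSet('Computer', 'User')]
        [string]$Side = 'Computer',
        [string]$Extension = 'Security',  # area name as it appears in the GPO XML report
        [string]$SettingText,             # optional: text to look for inside that area
        [string]$LinkedTo                 # optional: DN of an OU; default is every GPO in the domain
    )

    # Either the GPOs linked directly to one OU, or all GPOs in the domain.
    $gpos = if ($LinkedTo) {
        (Get-GPInheritance -Target $LinkedTo).GpoLinks |
            ForEach-Object { Get-GPO -Guid $_.GpoId }
    } else {
        Get-GPO -All
    }

    foreach ($gpo in $gpos) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # Each configured area is one <ExtensionData> element with a <Name> child.
        $hits = @($report.GPO.$Side.ExtensionData | Where-Object { $_.Name -eq $Extension })
        if ($SettingText) {
            # Plain, case-insensitive substring match against the area's raw XML.
            $hits = @($hits | Where-Object {
                $_.OuterXml.IndexOf($SettingText, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                GPO      = $gpo.DisplayName
                Id       = $gpo.Id
                Side     = $Side
                Area     = $Extension
                Modified = $gpo.ModificationTime
            }
        }
    }
}

# Same question as the GPMC search above: computer-side security settings, whole domain.
Find-GpoBySetting -Side Computer -Extension Security

# Constructed OU DN and setting text, for illustration only.
Find-GpoBySetting -LinkedTo 'OU=Laptops,DC=example,DC=com' -SettingText 'MinimumPasswordLength'
```

The text match runs against the report XML, so the name to search for is the one used in the report, which can differ from the display name in the editor.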


Myths #1: Number of previous logons to cache

You know, as an IT Pro I often meet some persistent myths about operating systems, protocols or whatever else. Sometimes these encounters become so frequent that explaining these errors just bores me to death. What’s even more amazing: these errors are usually explained on so many blogs, pages and other places that… Well, anyway, probably some people who know people who read my blog don’t read those blogs and pages, therefore I’ll try to show some more of these mistakes.

Let’s begin with a very basic but very frequent mistake about Group Policy. Yeah, the one in the subject of the post. I once saw a man who was nearly fired because of it. Really. Like always: “the boss comes in and tells an IT guy to restrict the number of times his sales managers can log on to their laptops without connecting to the company’s LAN to 15”. “No problem,” answers the guy, changes the setting to 15 and reports that the task is done. Some time later it turns out that it wasn’t, and all hell breaks loose. What happened and how to fix it?

First of all, it was a mistake not to check that everything works as intended after the change (I’ve done some nasty things over it too… Bad memories).

Next, the setting is not what many think it is. If we read its description (a good thing to do before a change), we’ll see the following line: “Determines the number of users who can have cached credentials on the computer”. Number of users, not number of logons per user. That’s it. If you have a notebook with 15 users using it (wow…), then the setting will help you. But it puts no restriction on a single user.

Third. Bad news here: I don’t actually know a way to do what this boss wants. And I am not sure that one exists using only built-in means. Still, that is no reason to tell the boss that you’ve done it.

Press a button–get the result

Do you know at exactly which moment your GPO really applies? When you switch the radio button to “Enabled”? Or when you close the GPO console? I had been wondering about it for some time (but of course I was too lazy to test it myself 😉), and some time ago, while at a training, I asked the trainer and we conducted an experiment on the spot, because he didn’t know either. During the experiment we got proof that the settings you change are implemented as soon as you press the “OK” or “Apply” button for that particular setting. You don’t believe me? Test it yourself or watch the short clip about it if you are lazy too (but remember: my English is far from ideal =( ):

Delegate permissions for creating GPO objects in other domain

The task is obviously a necessary step on your way to implementing the Role-Based Administration concept. And, to be honest, being in euphoria after a quick acquaintance with AGPM, I thought that it was no big deal at all: give an account or a group membership in some special groups, including “Group Policy Creator Owners”, and voila – you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. And moreover, you are unable to change that fact: everything is dimmed.

At least I don’t know a way to change the group’s scope (but I made a note to myself to find out everything about it). So we won’t get this easy way. Will we retreat? No way. If we can’t add our object to the group, we can create another group and grant the permissions to that group directly. What permissions does the “Group Policy Creator Owners” group have? As far as I know, to create any GPO we need permissions in two places: the Policies container in AD and the Policies folder in SYSVOL. So let us delegate the permissions to the brand-new group “Role GP Creator Owners”:

1) In AD, on the Domain/System/Policies container:

I guess “Create All Child Objects” is a bit of overkill, and we can do better (just a guess), but the “Group Policy Creator Owners” group has these permissions, so we won’t make it any worse.

2) Now on the Policies folder:

That’ll do the job for us. At least it did for me, but still, I recommend checking it with support if you have it. I’ll definitely do that and fix the article if it needs it.
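A read-only check of the result, as an added example that is not part of the original post: it lists the ACEs that the built-in group and the new group hold in both places, and shows whether each create-child right covers all object classes or only `groupPolicyContainer`. It assumes the ActiveDirectory module, that “Role GP Creator Owners” was created in the domain being checked, and the default SYSVOL share path.

```powershell
# Added example, not from the original post. Read-only: it changes no permissions.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain                    # run in the domain that hosts the GPOs
$Builtin   = "$($Domain.NetBIOSName)\Group Policy Creator Owners"
$Delegated = "$($Domain.NetBIOSName)\Role GP Creator Owners"   # group name from the post
$Container = "AD:\CN=Policies,CN=System,$($Domain.DistinguishedName)"
$Folder    = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies"   # assumed default path

# schemaIDGUID of the groupPolicyContainer class. An all-zero ObjectType on a
# CreateChild ACE corresponds to "Create All Child Objects".
$GpcClass    = [guid]'f30e3bc2-9ff0-11d1-b603-0000f80367c1'
$CreateChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

function Get-GroupAce {
    param([string]$Path, [string[]]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $Identity -contains $_.IdentityReference.Value }
}

# 1) Policies container in AD: who may create objects, and of which class?
Get-GroupAce -Path $Container -Identity $Builtin, $Delegated |
    Where-Object { ($_.ActiveDirectoryRights -band $CreateChild) -ne 0 } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'CreateScope'; e = {
            if     ($_.ObjectType -eq [guid]::Empty) { 'all child classes' }
            elseif ($_.ObjectType -eq $GpcClass)     { 'groupPolicyContainer only' }
            else                                     { $_.ObjectType }
        } }, IsInherited

# 2) Policies folder in SYSVOL: the two groups should show matching rights.
Get-GroupAce -Path $Folder -Identity $Builtin, $Delegated |
    Select-Object IdentityReference, AccessControlType, FileSystemRights,
        InheritanceFlags, PropagationFlags, IsInherited
```

Any row for the new group that is broader than the matching row for “Group Policy Creator Owners” is a candidate for tightening.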

Group Policy Search App

“Where is this @#$% policy? I know it is somewhere in this hive” – that is the question that bothers every systems administrator. It was a nightmare trying to find a setting, especially for a not very experienced one. It seems like we are one step closer to the solution: while sorting out the mess which is always created in my OneNote notebooks after my vacations, I ran into a post from the Ask DS blog, which told me: “Alex, you can do full-text search through every GPO MS has created”. Great news, so I wanted to try.

Step 1: go to http://gps.cloudapp.net/

Step 2: Search for something like “screen saver timeout”

Step 3: Scroll all the way down to the bottom of the page, find the section Search Results (yeah, I know – it is “very” convenient) and look for what you are seeking:

Step 4: Click it and – voila: you get the path to the setting in GPEdit.msc and, what is of no small importance, the registry hive where it resides. Of course, we could do this before by finding the setting or registry key manually in the Excel file, but

1) now it seems a little bit easier.

2) it supports full-text search.

3) it is not the only feature the application provides us with.

There are plenty of possibilities thanks to these new features:

1) We can display the tree of policy or the registry:


2) We can filter out the OSs or software whose settings we don’t want to show up:

3) Copy data from this page (the URL of the page and GPO-specific data). Not that it is much more convenient than conventional copying, but it lessens the possibility of a mistake:

4) You can even add custom search to your browser or Windows:


The first one adds the search to your IE.

The second is an archived search connector for Windows Search, which gives you the opportunity to search GPOs right from your Windows Explorer.

The latter one is, actually, my favourite: I don’t like going to any site when I am able to search from my Windows Explorer, so anything with support for OpenSearch is just good for me, including my SharePoint. I hope you will enjoy the features too.