So on Patch Tuesday, Microsoft released a patch to prevent a theoretical “man in the middle attack” when GPOs are downloaded from your servers to your endpoints. Okay.. Fine. Sounds good. In fact, here’s the tech note on the problem. Fix for GP elevation https://technet.microsoft.com/library/security/ms16-072 But when that patch is applied, there is a “double increase” in security, one with an unintended consequence. That consequence is that SOME GPOs will no longer apply when you expected them to. You could call this a “breaking change”, but.. stick with me, I think Microsoft wanted this behavior updated. And it’s not TERRIBLE; it’s […]
Actually, this has three things: 1. AMA session replay. I did a super fantastic ASK ME ANYTHING (AMA) session with my hosts at AdminArsenal. It was super fun. The replay is here: https://www.youtube.com/watch?v=BibYm8KrgR4 2. Group Policy not in Nano Server (Not News to me), but I updated the Why GP is Not Dead Manifesto. Also, I already knew this, but apparently it was NOT known by some that Windows’ new Nano server has no Group Policy support. You’d think I’d be upset about this, but I’m not. Not even a little bit. As such, I’ve updated my “Why GP […]
You might have read the news that it’s no longer possible to use the built-in Group Policy SETTING to prevent access to the Windows Store starting in Windows 10 / 1511 with some updates. I don’t make the news, I just report it. The official article at Microsoft is “Can’t disable Windows Store in Windows 10 Pro through Group Policy”: https://support.microsoft.com/en-us/kb/3135657. Except, good news.. turns out there IS a way to prevent Windows Store from running with Windows 10 Pro. For more killer tips, be sure to sign up at http://www.gpanswers.com/register/ for the newsletter list to stay informed. For Group Policy training, […]
NO GP CONTENT.. This one has been annoying me for a while; so I found two resources which explain how to stop Windows 7 from taking (literally) forever, or at least hours to update. Resource 1 at Infoworld. Resource 2 at Stack Exchange. Look for the words “This issue has come and gone over the years with different fixes along the way…” and follow his instructions. Worked perfectly for me. Requires downloading two patches, then going offline, installing them, then going back online to complete. Again: Personally worked for me and I can vouch this worked as expected (in my cases […]
A student in a recent class showed me this article, which demonstrates how to make Scheduled Tasks (correctly) run as SYSTEM. I didn’t know this was a bug, but I’m glad I know there’s a fix! https://maddog2050.wordpress.com/2014/09/11/gpo-issue-deploying-a-scheduled-task-running-as-system/ The same guy also has a nifty script to perform a full replication of all DCs in the domain. Handy if you’re getting inconsistent results with GP. Here’s a pointer to that nice script: https://maddog2050.wordpress.com/2014/09/15/ad-force-sysvol-and-ad-replication/ Good job, MadDog 2050.. whoever you are!
The GPanswers.com forum is closed now (thanks, spammers!)
But we encourage you to join us at LinkedIn in the “GPO Stuff” group.
Jeremy is a regular there, and there is a reasonable system to prevent junk posts.
In all, we think it’s the right place to go for Group Policy-specific questions.
It’s a private group, but just JOIN it, and the owner should approve your request.
See you there!
-Jeremy Moskowitz, Group Policy MVP