MDM & GP Tips Blog

The big news is finally here: What is Microsoft doing with the "crown jewels" of the DesktopStandard acquisition? In short: It's gonna be free. Here's the breakdown of the announcement:

• The PolicyMaker technologies will officially be called Group Policy Preferences.
• There are 20-some-odd "big" things you can do, like zap down drive mapping and shortcuts and a whole lot more.
• PolicyMaker Share Manager (which helps you set up and dictate share permissions) will also be part of the set.
• They require a CSE (Client Side Extension) as do all GP extensions.
  • The CSE will ship in the box for Windows Server 2008.
  • The CSE will be an extra download for XP, 2003 and Vista
  • The CSE will not work for 2000

So, why are they called the "Group Policy Preferences" and not more something.. "Policy-ish?" I'll explain that in an upcoming newsletter. However, Microsoft has a whitepaper which details the major new categories of features and describes some other odds and ends including the distinction between a Policy and a Preference.

That paper is here which every GP admin should read.

I will be covering this in an upcoming newsletter soon as well as have FULL coverage in the next book; I promise !!

I like this idea a lot. It's a book on JUST the WS208 changes. But wait! Here's their cool deal. You can get the eBook today (it's a little rough around the edge) and any other edited eBook versions for free AND they'll also send you the printed book when it's ready. Wow. Check it out. Good job Greg (and Don.. Jones that is.) Click here. PS: Greg calls me a nice name in the book. It's fun.. check it out.

If you've never had a chance to see Mark Minasi speak, you should. He's a great friend of mine, so take it from someone who really knows him: He cares about you learning your stuff. I've just sat through his one day Windows Server 2008 "Upgrade" training. He nails 8 or 9 huge "all purpose" topics, including all the AD changes, TS changes, and IIS changes. Even some light GP changes! More stuff than should humanly be allowed to be learned in a day. A killer overview with 323 slides, which he really did a great job. In short, check out www.Minasi.com for his public and private training classes. Then take one. (But for specialized GP training, well, don't forget who your friends are!)

Administrative Templates (.admx) for Windows Vista

If you want to dump every language under the sun into the Central Store, the GP team released ALL the ADMX files in one big fat download. Pour into your Central Store. Click here.
Here.

Group Policy Management Console Sample Scripts

Vista ships with the GPMC built in. (Though adding Vista + Sp1 when it's released will remove the GPMC... see another blog post for more on that. ) Meanwhile, people have asked me about a billion times -- where are the GPMC scripts that used to be installed with the GPMC? Finally, finally.. they're here.

This took a little while to get up there.. Sorry about that. Here they are !

I am profoundly saddened to report that Ron Hrehirchuk, our original "Guy Friday" here at GPanswers.com has passed away. Ron was instrumental in getting GPanswers.com where it is today. He was hugely dedicated to his family, his job, and made an enormous effort here at GPanswers.com. We will miss him immensely.

Hello GPanswers.com blog readers. There are some big changes in the world of Group Policy. The Lead Program Manager, Michael Dennis is shifting roles within Microsoft after 9 years and 9 months on the job (to the day!).

In this GPanswers.com exclusive, I was able to interview Michael Dennis for an "Exit Interview" to find out some inside scoop about his tenure on the Group Policy team, and where he's going inside Microsoft.

Note to other websites and news sources: because this content is exclusive to GPanswers.com, you may site and source GPanswers.com. But please do not copy it wholesale to other websites.

---

[Jeremy Moskowitz, GPanswers.com]: Michael, thanks for this interview. I think lots of people would want to know what you would consider your best achievements during your time running the Group Policy team.
[Michael Dennis, Microsoft]: The biggest achievements go back some time ago, where we concentrated on developing what was to be known as "Group Policy". We had System Policy in NT 4.0, looked at that and it's problems. And, since this was in the middle of Active Directory's development, we looked at where we needed to better address the manageability of clients and servers.

The idea that Group Policy was to be built in a hierarchy and that this idea had never been done before was a big deal to us. So, we concentrated on core infrastructure: client processes, integration with Active Directory.

The byproduct of our "best achievement" was also our worst achievement. That's because the GUI that we shipped in Windows 2000 was problematic. People needed a "PhD" in Group Policy to use it effectively because administrators needed to know how "the whole thing worked." I wished we could have created the GPMC and RSOP and delivered it back then (it was in the specs.)

The other big achievement, I would say, is that you can pretty much "count on it [Group Policy] working." And we're honored that people can just count on Group Policy doing it's job. Because of that, our team has been even more focused on keeping that idea [of it "just working"] in the forefront. We have a very strong test team to make sure Group Policy does continue to "just work."

[Jeremy Moskowitz, GPanswers.com]: How did "Group Policy" get its name?
[Michael Dennis, Microsoft]: (Laughs). We were talking about this thing called "policy".
My thought at the time was that the word by itself was too broad. It means too many things to too many people.

So, when we took a step back and tried to figure out where we managed things, we saw "groups" of places that we targeted. Active Directory is used for containment [of Group Policy Objects] and also for the targeting of GPOs. So, right there that's three "groups" of things. Site, Domains and OUs can be "groups" of things in the logical sense. Then we also deal with Users and Computers: that's another two "groups" of things. And, while Group Policy objects don't link directly to security groups, we do leverage them for filtering. So, there's "groups" again.

So, "Group Policy" became the name, and I've been questioned about it ever since.

Could there be a better name? Perhaps, but in all the years that have passed nothing better has been suggested. And, regardless, "Group Policy" now has a life of it's own, both as a solution and as a technology.

[Jeremy Moskowitz, GPanswers.com]: What items do you wish could have made it into the Group Policy experience?
[Michael Dennis, Microsoft]: The good news is that the things I have been wishing for all along have been seen the light of day. Along the way, my wishes, my vision, the things I've wanted since Windows 2000's release are here now in Vista. Things like RSoP, the GPMC, the increased settings, etc make me feel very good about where Group Policy is today! I do wish we could have done those things a whole lot sooner.

Additionally, I wish that the Group Policy infrastructure was a more extensible system by partners. Our server side / client side extension model is heavy handed and requires a good deal of work by developers. Though it could be argued that our ADM/ADMX template structure does provide an easily extensible methodolgy. But, it would be even better if that part of the system enabled people to extend even more types of settings.

Lastly, I wish that the GPMC was more extensible from a reporting perspective to [3rd party tools.] That's an area which 3rd party tool vendors have been pretty vocal.

[Jeremy Moskowitz, GPanswers.com]: What are some things people don't know about the Group Policy team?
[Michael Dennis, Microsoft]: Sometimes, it's not clear to people where the Group Policy team "fits in" to the overall picture. The idea is that we build the infrastructure, we build the transport, and we build the server and client side pieces. But in Vista alone we partnered with about 120 different teams at Microsoft to get the new settings in place for this release. We're the "middleman." So, if you see a Group Policy setting who's behavior seems odd, or has "Explain text" [the text within policy settings] that could be clearer, that's not specifically the Group Policy team's doing.

Another thing is that Group Policy is not to blame for system "slowdown" issues at boot or logon. It's the Group Policy payload that's to blame if things are slow. If you tell Group Policy to do something that's heavyweight, it's going to just "do it." For instance, if you tell it to install Microsoft Office on a per-machine basis, great. But just know that it will do what you asked for, it will install all of Office before you get a logon prompt. Is that a slowdown? You betcha, but as an admin that deployed it, it's exactly what you wanted the system to do.

The good news is that Group Policy will do these things, then, once it's done it, it doesn't have to do it again, and doesn't get in your way "the second time" because we check to see what it's already done.

[Jeremy Moskowitz, GPanswers.com]: What's your favorite thing to "show off" using Group Policy ?
[Michael Dennis, Microsoft]: These days, I like to show off some of the new settings that made it into Vista. The removable devices settings [to restrict things like USB sticks, etc]; those settings people had been clamoring for. There are about 2400 settings in Vista, which brings a significantly larger level of control to the admins, so I like asking customers "What do you want to control?" and then show them how.

[Jeremy Moskowitz, GPanswers.com]: Why did you change from ADM to ADMX files?
[Michael Dennis, Microsoft]: Technically, we didn't have to get to ADMX to get to the new central store feature with Windows Vista. The big push for converting to ADMX was to allow us to support multiple languages appropriately.

In the old way, in Multilanguage environments, you would often run into a situation where the contents of the ADM files inside a GPO would be inadvertently written by another language. Historically, we borrowed the ADM format from NT 4.0 which had borrowed it from 98 which had borrowed it from 95. If XML had been around then, it would have been a good candidate for our file format.

But, now that we have XML, it became easier to support multiple languages, and it presents us future opportunities to make registry and settings enhancements with our now schematized language.

[Jeremy Moskowitz, GPanswers.com]: What was the biggest internal challenge you had to overcome while working at the GP team?
[Michael Dennis, Microsoft]: The most ongoing problem that our team faces is when we try to get other components of Windows to policy enable their feature.

Team X might respond "We just built this great new feature... why would anyone want to turn it off?" And we can understand that. But, for the most part, we worked through a lot of those issues.

Other challenges are the technicality of policy enabling some things. For instance, the new Windows Firewall with Advanced Security (WFAS). WFAS was tough to do. It's not easy or straightforward to policy-enable it right. The interface that the WFAS team did for Vista is superb, but doing it right has been tough.

The removable device policy settings, enabling these was a technical challenge, because three OTHER teams (plus the Group Policy team) had to come together to enable that in the system.

Over time, (since Windows 2000 and every release since) we've spent a fair amount of energy to put forth the right set of policy settings enabled in the system.

In versions of Windows before Vista, the product teams themselves didn't always think about policy-enabling their components. But, during Vista's development, a fair amount of teams, proactively recognized that they needed to policy enable their sections of the world, to be more manageable. They would come to us and ask "Please tell us how."

That was huge!

[Jeremy Moskowitz, GPanswers.com]: What's next for you?
[Michael Dennis, Microsoft]: I'm moving to the "Mobile Information Worker" team which is responsible for Smart Phones, PocketPCs, etc. My role will be to extend some of the management technologies in Windows Server System to Windows Mobile devices.

I will try to take my same vision and passion for manageability and apply it in this new space. Meanwhile, I'm leaving the Group Policy team in an outstanding position to move things forward without me.

[Jeremy Moskowitz, GPanswers.com]: Who is your successor?
[Michael Dennis, Microsoft]: That announcement will probably be made in another week or two. We're working on how things need to be organized, who's the right person, and how that be done. There's no rush to make an announcement. It might be a few more weeks (or maybe just a few days.)

I'll leave it to the Group Policy team to let you know so you can tell your folks on GPanswers.com.

[Jeremy Moskowitz, GPanswers.com]: Anything else you'd like to tell the GPanswers.com audience?
[Michael Dennis, Microsoft]: All thru the development of Group Policy, one key focus was to "get in front of customers" and understand what they're trying to do (from a scenarios perspective). This idea, of "scenarios that solve problems" is now imbedded in the team.

If a customer, has a well structured opinion about scenarios they'd like to see Group Policy cover, and they have a business case for doing something, they need to find a way to communicate that back to us.

We have a good feedback mechanism that's available to anyone at any time

Http://www.WindowsServerFeedback.com

There, you'll find a Group Policy button.

If your folks can say "here's my problem, here's my business case, and I need the system to be able to do this and here's why" that kind of information is very, very valuable to us. Those who make decisions about Group Policy going forward read every entry that comes thru that source.

Again, if you want to have an impact in Group Policy moving forward, tell us about what you need. But please don't just tell us "We need a policy setting that does X" without telling us "why."

The "how" is our job to figure out. What the Group Policy team really needs to know is the "why."

[Jeremy Moskowitz, GPanswers.com]: Thanks for taking the time to tell us about your experiences on the Group Policy team at Microsoft. All the best !
[Michael Dennis, Microsoft]: Thank you Jeremy, and thank you, members of GPanswers.com

There are -lots- of bugs in Vista RTM. Some are in the Group Policy space.

I'm not beating up the GP team in any way by reporting these facts to you. Indeed, it's my goal to help locate these bugs, and let you and the team know of them (together). That way, YOU can work around these bugs and THEY can whomp 'em.

So, stay tuned for lots of little things here and there which need a little spackle.

Bug #1: GP Filtering

The final policy settings appear not have been scrubbed such that there was one "At least" requirements for Vista.

There are two main sets of Vista-specific policy settings, each with their own "Requirements."

One set is: "At least Windows Vista"
The other set is: "At least Microsoft Windows Vista"

Most are in the later set. However, the FIRST set is first when you click in the "Fillter by Requirements information" so, most people (like me) will likely click that puppy and be "surprised" when most vista-specific policy settings aren't showing up.

Took me two weeks to figure out why I wasn't seeing it.
(I guess I'm slow.)

Today I had a nice chat with CEO of BeyondTrust John Moyer. We talked about the Microsoft acquisition of his previous company, DesktopStandard and where he's going with BeyondTrust.

The Old
--------
On the subject of the acquisition, former DesktopStandard CEO, Moyer said, “we had a great run with DesktopStandard and greatly appreciate all the support from our customer base and thought leaders like you, Jeremy. The acquisition validated not only the capabilities of the DesktopStandard team, but also Microsoft’s commitment to Group Policy. I am very happy that Microsoft will distribute DesktopStandard products to an even broader base of potential customers to help them manage their desktops and leverage their investments in Active Directory.”

The New
--------
Moyer has transitioned to a new role as CEO of BeyondTrust Corp. BeyondTrust was spun out of DesktopStandard to focus on enterprise security products. When I asked Moyer about BeyondTrust and why DesktopStandard’s PolicyMaker Application Security Product was not part of the Microsoft transaction he had the following to say,

“Simply put, we didn’t want to sell PolicyMaker Application Security. It was DesktopStandard’s fastest growing product. We recognized that the market for this product was just starting to take off. And we already had a successful and experienced team in place so this just made good sense.

PolicyMaker Application Security, which we have renamed to Privilege Manager, will form the backbone of BeyondTrust Corp. BeyondTrust is a new type of security company focused on helping customers to move beyond the need to place trust in users.

BeyondTrust’s flagship product, Privilege Manager, enables customers to implement the security best practice of Least Privilege. With it end-users can run all required applications and perform all required system tasks without administrative privileges. Currently, there is too much trust in IT security. Users must often be given admin privileges in order to do their jobs, forcing IT to ‘trust’ those users. The result is that these same users are often overrun by malware and can expose the network to serious threats through malicious activity.

BeyondTrust will continue to leverage Group Policy. Privilege Manager policy is applied by rule creation in the Group Policy Object Editor.”

Is it good or bad that DesktopStandard was purchased by Microsoft?

Now, before we go into the ANALYSIS of what's happened, I encourage you to read this, which does a pretty good job explaining WHAT happened.

http://www.networkworld.com/article/2307686/software/microsoft-acquires-policy-based-management-vendor-desktopstandard.html

Well, I picked one heck of a day to start my blog. Today's topic: Microsoft's purchase of DesktopStandard. Now, before we go into the ANALYSIS of what's happened, I encourage you to read this, which does a pretty good job explaining WHAT happened. http://www.networkworld.com/news/2006/100206-ms-desktopstandard.html?page=1 Okay. Now that that's out of the way, let's analyze WHAT we're going to get: The Good -------- - 21 new Client Side Extensions: You want to zap Outlook configuration down? Zaaap. You want to zap shortcuts on the desktop? Zaaap. You want to zap Printer settings? Zaaap. In all, 21 new things to Zap. -GPOVault: This is a "Check-in / Check-out" GP management system which is built right into the GPMC. I like this tool because, well, it's just built right in to the GPMC, which means I don't have to load ANOTHER console to do the dirty work. So, the idea is the Sally creates the GPO, Fred makes sure it's Kosher and Kirk puts it in play. All around a welcome addition. The unknown ----------- -PolicyMaker Registry Extension: This was a great free CSE which could be used to zap down registry changes. Who knows what the status will be of this great free tool. -Share Manager: Another CSE available for purchase which managed shares on servers. Honestly, I don't know if this tool sold well or not. The ugly -------- -PolicyManger Software Update: Imagine WSUS that actually worked with GPOs and that understood Active Directory. Now imagine it dead. Yep, this very cool product will likely not see the light of day as a Microsoft product. Microsoft already has a free patch strategy system, WSUS (again, even though it has no tie ins to AD and very little tie ins to GPOs) and SMS for industrial-strength patch management. This product kind of fit in the middle, and well, now it's dead. Analysis -------- In the end analysis -- it's great. More stuff for GPO admins to know and love. And more power to do what they love to do. Stay tuned for more info as it comes up. You bet I'll be all over this when I have more to share.