Where SMART Group Policy Admins come to get SMARTER

A service of PolicyPak Software. Making you (even more) awesome!



Never a dull moment with Group Policy (or what to do about MS16-072)

So on Patch Tuesday, Microsoft released a patch to prevent a theoretical “man in the middle attack” when  GPOs are downloaded from your servers to your endpoints. Okay.. Fine. Sounds good. In fact, here’s the tech note on the problem. Fix for GP elevation https://technet.microsoft.com/library/security/ms16-072 But when that patch is applied, there is a “double increase” in security, one with an unintended consequence. That consequence is that SOME GPOs will no longer apply when you expected them to. You could call this a “breaking change”, but.. stick with me, I think Microsoft wanted this behavior updated. And it’s not TERRIBLE; it’s […]


AMA replay now live, and Group Policy Not Dead Manifesto .. Updated !

Actually, this has three things: 1. AMA session replay. I did a super fantastic ASK ME ANYTHING (AMA) session with my hosts at AdminArsenal. It was super fun. The replay is here: https://www.youtube.com/watch?v=BibYm8KrgR4    2. Group Policy not in Nano Server (Not News to me), but I updated the Why GP is Not Dead Manifesto. Also, I already knew this, but apparently it was NOT known by some that Windows’ new Nano server has no Group Policy support. You’d think I’d be upset about this, but I’m not. Not even a little bit. As such, I’ve updated my “Why GP […]


How to Block Windows Store in Windows 10 Pro with Group Policy (even though the GP setting

You might have read the news that it’s no longer possible to use the built-in Group Policy SETTING to prevent access to the Windows Store starting in Windows 10 / 1511 with some updates. I don’t make the news, I just report it. The official article at Microsoft is “Can’t disable Windows Store in Windows 10 Pro through Group Policy: https://support.microsoft.com/en-us/kb/3135657“. Except, good news.. turns out there IS a way to prevent Windows Store from running with Windows 10 Pro. Video:  For more killer tips, be sure to sign up at https://www.gpanswers.com/register/ for the  newsletter list to stay informed. For Group Policy training, […]


Windows 7 and slow Windows updates

NO GP CONTENT.. 🙂 This one has been annoying me for a while; so I found two resources which explain how to stop Windows 7 from taking (literally) forever, or at least hours to update. Resource 1 at Infoworld. Resource 2 at Stack Exchange. Look for the words “This issue has come and gone over the years with different fixes along the way…” and follow his instructions. Worked perfectly for me. Requires downloading two patches, then going offline, installing them, then going back online to complete. Again: Personally worked for me and I can vouch this worked as expected (in my […]


Fix GPPrefs Scheduled Tasks and also Updating AD

A student in a recent class showed me this article, which demonstrates how to make Scheduled Tasks (correctly) run as SYSTEM. I didn’t know this was a bug, but I’m glad I know there’s a fix ! https://maddog2050.wordpress.com/2014/09/11/gpo-issue-deploying-a-scheduled-task-running-as-system/ The same guy also has a nifty script to perform a full replication of all DCs in the domain. Handy if you’re getting inconsistent results with GP. Here’s a pointer to that nice script: https://maddog2050.wordpress.com/2014/09/15/ad-force-sysvol-and-ad-replication/ Good job, MadDog 2050.. whomever you are !