Installing GPMC on Windows Server 2008 and Windows Vista Service Pack 1

For some time now, we’ve had inquiries about where the Group Policy Management Console (GPMC) is located in Windows Server 2008 or Windows Vista SP1. It’s well documented that Server 2008 includes GPMC, but it does not appear in the Administrative Tools.

The Group Policy Management Console is included in Windows Server 2008; however, you must install it before you can use it. The domain controller promotion process installs GPMC on the server, in addition to adding the domain controller to the domain. Additionally, you can install GPMC on a member server as long as it’s a member of the domain. Let’s look at two ways to install GPMC on Windows Server 2008 (other than through DCPROMO).

Installing GPMC using Server Manager (Windows Server 2008)

The Group Policy Management Console is a Feature in Windows Server 2008. You install Features using Server Manager. Once installed, you can access the feature using Server Manager, or you can open the specific management console (gpmc.msc).

  1. Open Server Manager by clicking Start and then pointing to Administrative Tools. Click Server Manager.
  2. Click Features in the console tree. In the Features pane, click Add Features.
  3. Select Group Policy Management from the list of available features in the Add Feature Wizard. Click Install.
  4. Start using GPMC or close Server Manager.

There’s another way to install GPMC using Server Manager, which usually installs quicker than using the Server Manager user interface. Server Manager includes a command line utility for installing Features and Roles named ServerManagercmd.exe.

Installing GPMC from the Command Line

  1. Open an elevated command prompt.
  2. In the command prompt, type ServerManagercmd -install gpmc
  3. Start GPMC from the command prompt by typing start gpmc.msc
  4. Close the command prompt.

Installing GPMC on Windows Vista Service Pack 1

Installing GPMC on Windows Vista Service Pack 1 can be a little confusing. First, you must download the Remote Server Administration Tools for Windows Vista Service Pack 1 before you can install GPMC. You may remember that GPMC was included in Windows Vista RTM; however, Service Pack 1 removes it. After installing RSAT, you then want to install GPMC. Installing RSAT simply places the Remote Server Administration Tools on the Windows Vista SP1 computer but does not deploy them for use—you’ll want to choose which RSAT tools you want enabled on the computer.

  1. Download and install the Remote Server Administration Tools (http://go.microsoft.com/fwlink.?LinkID=95703).
  2. After the installation is complete, then click Start, click Control Panel, and then click Programs.
  3. Click Turn Windows Features on or off from Programs and Features.
  4. Click Remote Server Administration Tools and then click Feature Administration Tools from the Windows Features dialog box.
  5. Click Group Policy Management Tools and click OK to complete the installation.

You’ll now see Group Policy Management included under the list of Administrative Tools (On Vista, you may need to actually show the Administrative Tools on the start menu – this can be done through Control Panel –> Taskbar and Start Menu –> Start Menu –> Customize–> System Administrative Tools). You can also start GPMC from the command line or run/search menu by typing gpmc.msc.

– Mike Stephens

User Profile Policies in Windows Server 2008 and Windows Vista

Windows Vista made numerous changes to how user profiles work. In fact, the changes are too numerous to describe here (you can read more about the changes to user profiles in the Managing Roaming User Data Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=73435)). However, the policy settings for user profiles from earlier versions of Windows remain, and Windows Vista introduces five new policy settings.

Four of the five new policy settings for user profiles exist under Computer Configuration\Administrative Templates\System\User Profiles (the remaining policy setting uses the same path under User Configuration). These five policy settings apply only to computers running Windows Server 2008 or Windows Vista; however, these policy settings can co-exist in GPOs applicable to clients earlier than Windows Vista. Operating systems other than Windows Vista ignore the policy settings. Let me begin with the policy settings under the computer configuration and then close with the single user setting.

The first of these policy settings is Delete user profiles older than a specified number of days on system restart. This policy setting accepts a numeric value, represented in number of days. Windows uses this value to determine how long it retains dormant user profiles. When you enable this policy, Windows deletes all user profiles older than the value provided. This policy setting measures one day as 24 hours since the last time Windows loaded the profile.

NOTE: Microsoft released a hotfix to correct problems specific to this policy setting. You can view more about the issue and related fix from Microsoft Knowledgebase article 945122 (http://support.microsoft.com/?kbid=945122).
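Before enabling the setting, it helps to see which profiles already fall past a given threshold. The following PowerShell is an added example, not from the original post; it assumes Windows Vista/Server 2008 or later (the Win32_UserProfile WMI class) and a constructed 30-day threshold, and applies the same 24-hours-since-last-load rule the post describes.

```powershell
# Added example (not from the original post): preview which local profiles the
# "Delete user profiles older than a specified number of days on system restart"
# policy setting would remove for a given threshold. Assumes Win32_UserProfile
# (Windows Vista / Server 2008 and later). The 30-day default is a constructed value.
param([int]$Days = 30)

function Get-StaleUserProfile {
    param([int]$Days)
    $now = Get-Date
    $cutoff = $now.AddDays(-$Days)      # one day = 24 hours since the profile was last loaded
    foreach ($p in (Get-WmiObject -Class Win32_UserProfile)) {
        # Built-in accounts (Special) and profiles currently loaded are never dormant.
        if ($p.Special -or $p.Loaded) { continue }
        # A profile with no timestamp has never been loaded; skip it rather than guess.
        if (-not $p.LastUseTime) { continue }
        $lastUse = [System.Management.ManagementDateTimeConverter]::ToDateTime($p.LastUseTime)
        if ($lastUse -ge $cutoff) { continue }
        # Resolve the SID to an account name; a deleted account leaves an orphaned SID,
        # which is reported as-is so it is not mistaken for an active user.
        $account = $p.SID
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        New-Object PSObject -Property @{
            Account   = $account
            LocalPath = $p.LocalPath
            LastUse   = $lastUse
            DaysIdle  = [int][math]::Floor(($now - $lastUse).TotalDays)
        }
    }
}

Get-StaleUserProfile -Days $Days |
    Sort-Object DaysIdle -Descending |
    Format-Table Account, LocalPath, LastUse, DaysIdle -AutoSize
```

Treat the list as an estimate: LastUseTime reflects when the profile hive was last loaded, and anything that loads the hive (not only an interactive logon) refreshes that timestamp.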

Sometimes, in earlier versions of Windows, the registry portion of the user profile fails to unload. Many times this failure prevents the user from subsequent logons to the same computer. Windows Server 2008 and Windows Vista always unload the registry portion of the user profile, even if it must forcefully do so. The policy setting Do not forcefully unload the user registry at user logoff counters the default behavior of Windows Vista. When enabled, Windows Vista does not forcefully unload the registry and waits until no other processes are using the user registry before it unloads it.

The policy setting Set roaming user profile path for all users logging onto this computer provides you a way to create a shared user profile path for a specific computer. When you enable this policy, all users use the profile path specified in the policy when logging onto a computer receiving the policy. There is a small catch: there is an order of precedence. Windows reads profile configurations in the following order and uses the first configured setting.

  1. Terminal Services roaming profile path specified in the Terminal Services policy setting.
  2. Terminal Services roaming profile path specified in the user object.
  3. Per-computer roaming profile path specified in the above described policy setting.
  4. Per-user roaming profile path specified in the user object.

For example, if you configure the Terminal Services roaming profile path using the Terminal Services policy settings and, you also configure the per-computer roaming user profile policy setting, then Windows uses the roaming profile path from the Terminal Services policy. This result is due to the order in which Windows reads the roaming user profile path.

The last policy setting for user profiles under the Computer Configuration is Set maximum wait time for the network if a user has a roaming user profile or remote home folder. At logon, Windows Vista typically waits 30 seconds for an active network connection when you configure the user with a roaming user profile or remote home directory. In cases such as wireless, VPN, or NAP-protected networks, it may take more time before the network connection becomes active. When enabled, Windows waits up to the number of seconds specified in the policy setting for an active network connection. Windows immediately proceeds with logging on the user as soon as the network connection is active or the wait time exceeds the value specified in the policy setting. Windows does not synchronize the roaming user profile or use the remote home folder if the logon occurred before the network connection became active.

One policy setting for user profiles exists under the User Configuration category. Actually, it is more of an Offline Files/Folder Redirection policy setting. Windows Vista automatically marks all redirected folders as available offline. Windows Vista keeps track of all folders marked offline and synchronizes the contents of these folders between the local computer and the network location where you store the files. This synchronization process occurs at logon, periodically throughout the user session, and at logoff. You configure the policy setting by entering the network paths that you only want synchronized during logon and logoff. Windows then places these specified network paths offline during the user session.

Windows Server 2008 and Windows Vista Service Pack 1 provide several new Group Policy settings that affect User Profiles. Many of these new policy settings help overcome profile limitations in earlier versions of the operating system. Be sure to evaluate these settings to see how they can help in your environment.

– Mike Stephens

Bulk exporting and importing WMI filters for Group Policy

Here is an updated version of the blog post which was originally published on the Group Policy blog. Check it out!

Did you know you can import/export WMI filters using GPMC? However, your export is limited to one filter at a time – each filter to a single .mof file. You then take the exported .mof file to a different domain and use GPMC to import each file. This is great when you only have one or two WMI filters. What about if you have 15 or 20? No worries! You can do this using the LDIFDE utility. (This is a long but detailed explanation.)

First, you need to find the WMI Filter you want to export (and eventually import). GPMC writes WMI filters in the Domain partition at:

CN=SOM,CN=WMIPolicy,CN=System,DC=contoso,DC=com.

The LDAP filter you use to return all WMI filters is (objectclass=msWMI-Som). You can narrow the number of returned items if you know the name of the WMI Filter by using
(&(objectclass=msWMI-Som)(msWMI-Name=filtername)). You can learn more about LDAP search filter syntax from MSDN (http://msdn2.microsoft.com/en-us/library/aa746475.aspx). The following sample command line gives you an idea of how to export the WMI Filter:

LDIFDE -f output.txt -d "dc=contoso,dc=com" -r "(objectclass=msWMI-Som)" -p subtree

In the example above, -f designates the name of the output file that stores the exported WMI filter objects. Next, -d designates the base distinguished name; that is, where the search for objects starts. In this example, it starts at the beginning of the domain. The -r is an inclusive LDAP search filter. In this example we only want objects of the class msWMI-Som returned by the query. Lastly, the -p designates the type of search we want to use. A subtree search means the search begins at the designated base distinguished name and searches the entire depth of the tree for objects matching the designated filter—similar to using dir /s on a directory when searching for a file.

Your options may vary. If you have problems exporting the items, then add -j . (one dash, the letter J, a space, and one period) to the command line to create a log file in the current folder. A successful output.txt file looks similar to the following:

dn: CN={1154EFFC-0090-4F23-8865-C8D555BF696E},CN=SOM,CN=WMIPolicy,CN=System,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: msWMI-Som
cn: {1154EFFC-0090-4F23-8865-C8D555BF696E}
distinguishedName: CN={1154EFFC-0090-4F23-8865-C8D555BF696E},CN=SOM,CN=WMIPolicy,CN=System,DC=contoso,DC=com
instanceType: 4
whenCreated: 20070808151246.0Z
whenChanged: 20070808151246.0Z
uSNCreated: 40979
uSNChanged: 40979
showInAdvancedViewOnly: TRUE
name: {1154EFFC-0090-4F23-8865-C8D555BF696E}
objectGUID:: EPDEbOIaGEWyX3Z/b+eiKw==
objectCategory: CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=contoso,DC=com
msWMI-Author: Administrator@CONTOSO.COM
msWMI-ChangeDate: 20070618142622.740000-000
msWMI-CreationDate: 20070618142257.735000-000
msWMI-ID: {1154EFFC-0090-4F23-8865-C8D555BF696E}
msWMI-Name: Imported WMIFilter2
msWMI-Parm1: This is the description for the filter
msWMI-Parm2: 1;3;10;45;WQL;root\CIMv2;Select * from win32_timezone where bias =-300;

Once you successfully export the WMI Filters, you then need to prepare the output file for import.

Prepare the output file for importing:

  1. First, save the file as another file name.
  2. Then, download the GUIDGEN utility (this is not so important when importing the WMI filter into a different domain). As a reference, this is a GUID: {DF380E6C-DB23-44ed-9BF6-435559503347}.
    • You MUST change the GUIDs to import into the same domain or it will NOT import.
  3. Change the GUID (including the opening and closing curly braces) in the dn, cn, distinguishedName, name, and msWMI-ID attributes (use the same GUID in each of these attributes).
  4. If importing into a different domain, change the LDAP path to reflect the new domain in the dn, distinguishedName, and objectCategory attributes. Only change the domain portion of the LDAP path.
  5. Next, remark out the whenCreated, whenChanged, uSNCreated, uSNChanged, objectGUID, msWMI-ChangeDate, and msWMI-CreationDate attributes. Do this by inserting the # character and a space at the beginning of the line for each of the listed attributes.
  6. Optionally, you can change the text displayed in the msWMI-Name, msWMI-Author, and msWMI-Parm1 attributes.
    • msWMI-Name is the display name of the WMI Filter shown in GPMC.
    • msWMI-Author is the UPN format for the person creating the WMI filter.
    • msWMI-Parm1 is the description text shown for the WMI filter in GPMC.
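The preparation steps above can be scripted so that every record in a bulk export gets the same treatment. The following PowerShell is an added example, not from the original post; it assumes the export was produced with the ldifde command shown earlier, that each filter is one blank-line-separated LDIF record, and takes the source and target domain DNs as parameters (the DC=contoso/DC=fabrikam defaults match the samples on this page).

```powershell
# Added example (not from the original post): apply the "prepare the output file"
# steps to an LDIFDE export of msWMI-Som objects. Assumptions (constructed): the
# export was made with "ldifde -f output.txt ..." as shown above, each filter is one
# LDIF record separated by a blank line, and the domains are given as DN suffixes.
param(
    [Parameter(Mandatory = $true)][string]$InputFile,   # e.g. output.txt (the export)
    [Parameter(Mandatory = $true)][string]$OutputFile,  # e.g. import-wmi.ldf
    [string]$SourceDomainDn = 'DC=contoso,DC=com',      # domain portion to replace
    [string]$TargetDomainDn = 'DC=fabrikam,DC=com',     # domain portion to write
    [string]$NewAuthor                                   # optional UPN for msWMI-Author
)

# Step 5 of the list: attributes the directory maintains itself are remarked out.
$systemAttributes = @('whenCreated', 'whenChanged', 'uSNCreated', 'uSNChanged',
                      'objectGUID', 'msWMI-ChangeDate', 'msWMI-CreationDate')

function Convert-WmiFilterRecord {
    param([string[]]$Lines)

    # LDIFDE folds long values: a line beginning with a space continues the previous
    # line. Unfold first so attribute names and GUIDs can be matched reliably.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] = $unfolded[$unfolded.Count - 1] + $line.Substring(1)
        } else {
            $unfolded.Add($line)
        }
    }

    # Steps 2-3: one fresh GUID per filter, written identically to every naming attribute.
    $idLine = $unfolded | Where-Object { $_ -match '^msWMI-ID:' } | Select-Object -First 1
    if (-not $idLine) { throw 'Record has no msWMI-ID attribute; is this an msWMI-Som export?' }
    $oldGuid = [regex]::Match($idLine, '\{[0-9A-Fa-f-]{36}\}').Value
    if (-not $oldGuid) { throw "Could not parse a GUID from: $idLine" }
    $newGuid = '{' + [guid]::NewGuid().ToString().ToUpperInvariant() + '}'

    foreach ($l in $unfolded) {
        $attr = ($l -split ':', 2)[0]
        if ($systemAttributes -contains $attr) {
            "# $l"                                   # step 5: remark out, kept for reference
            continue
        }
        # Step 3: dn, cn, distinguishedName, name and msWMI-ID all carry the GUID.
        $l = $l -replace [regex]::Escape($oldGuid), $newGuid
        # Step 4: only the domain portion of the LDAP path changes, and only in these attributes.
        if (@('dn', 'distinguishedName', 'objectCategory') -contains $attr) {
            $l = $l -replace [regex]::Escape($SourceDomainDn), $TargetDomainDn
        }
        # Step 6 (optional): the author shown in GPMC. msWMI-Parm2 (the WQL) is never touched.
        if ($attr -eq 'msWMI-Author' -and $NewAuthor) { $l = "msWMI-Author: $NewAuthor" }
        $l
    }
}

$output  = New-Object System.Collections.Generic.List[string]
$current = New-Object System.Collections.Generic.List[string]
$count = 0
# A trailing empty line flushes the last record even if the export lacks one.
foreach ($line in (@(Get-Content -Path $InputFile) + '')) {
    if ($line.Trim().Length -eq 0) {
        if ($current.Count -gt 0) {
            foreach ($out in (Convert-WmiFilterRecord -Lines $current.ToArray())) { $output.Add($out) }
            $output.Add('')
            $current.Clear()
            $count++
        }
    } else {
        $current.Add($line)
    }
}

# ldifde reads ANSI by default; if the export was made with -u, import with -u as well.
Set-Content -Path $OutputFile -Value $output.ToArray()
Write-Host "Prepared $count WMI filter(s) in $OutputFile for: ldifde -i -f $OutputFile"
```

The resulting file is imported on the domain controller with ldifde -i -f exactly as the post describes, after the Allow System Only Change value has been set and the controller rebooted.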

The final file should look similar to the following.

dn: CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=fabrikam,DC=com
changetype: add
objectClass: top
objectClass: msWMI-Som
cn: {4464D2C2-9063-4953-AE6F-A0D231EBF3CD}
distinguishedName: CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=fabrikam,DC=com
instanceType: 4
# whenCreated: 20070618142257.0Z
# whenChanged: 20070618142622.0Z
# uSNCreated: 26483
# uSNChanged: 26485
showInAdvancedViewOnly: TRUE
name: {4464D2C2-9063-4953-AE6F-A0D231EBF3CD}
# objectGUID:: 7sA6lK0PVE2fGNOSDTS5Kw==
objectCategory: CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=fabrikam,DC=com
msWMI-Author: Administrator@fabrikam.COM
# msWMI-ChangeDate: 20070618142622.740000-000
# msWMI-CreationDate: 20070618142257.735000-000
msWMI-ID: {4464D2C2-9063-4953-AE6F-A0D231EBF3CD}
msWMI-Name: Imported WMIFilter2
msWMI-Parm1: This is the description for the filter
msWMI-Parm2: 1;3;10;45;WQL;root\CIMv2;Select * from win32_timezone where bias =-300;

You’re almost ready to import the WMI filters. However, importing or adding a WMI Filter object into AD is a system only operation. You need to enable system only changes on a domain controller for a successful LDIFDE import. To do this, on the domain controller you are using for importing, open the registry editor and create the following registry value.

Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters
Value Name: Allow System Only Change
Value Type: REG_DWORD
Value Data: 1 (Binary)

Next, you’ll need to reboot the domain controller to activate the new setting. Once the domain controller is rebooted, you can use LDIFDE to import the file into AD. Use the following command:

LDIFDE -i -f input.txt

If you have problems, then add -j . (one dash, the letter J, a space, and one period) to the command line to create a log file in the local folder. Once the import is complete, you should delete the Allow System Only Change registry value and reboot the domain controller to deactivate the setting. A successful import looks similar to the following.

Connecting to “hq-con-dc-01.fabrikam.com”
Logging in as current user using SSPI
Importing directory from file “import-wmi.ldf”

Loading entries
1: CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=fabrikam,DC=com
Entry DN: CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=fabrikam,DC=com
changetype: add
Attribute 0) objectClass:top msWMI-Som
Attribute 1) cn:{4464D2C2-9063-4953-AE6F-A0D231EBF3CD}
Attribute 2) distinguishedName:CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=fabrikam,DC=com
Attribute 3) instanceType:4
Attribute 4) showInAdvancedViewOnly:TRUE
Attribute 5) name:{4464D2C2-9063-4953-AE6F-A0D231EBF3CD}
Attribute 6) objectCategory:CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=fabrikam,DC=com
Attribute 7) msWMI-Author:Administrator@FABRIKAM.COM
Attribute 8) msWMI-ID:{4464D2C2-9063-4953-AE6F-A0D231EBF3CD}
Attribute 9) msWMI-Name:Imported WMIFilter2
Attribute 10) msWMI-Parm1:This is the description for the filter
Attribute 11) msWMI-Parm2:1;3;10;45;WQL;root\CIMv2;Select * from win32_timezone where bias =-300;

Entry modified successfully.

1 entry modified successfully.

The command has completed successfully

And there you go: you’ve successfully exported and imported WMI filters.

-Mike Stephens

Managing Power with Group Policy: Part 3 of 3

It’s time we wrap up our discussion on managing power using Group Policy. The previous blog posts discussed managing power on Windows Vista (and Windows Server 2008). Today, I’ll cover how we can achieve the equivalent for Windows XP.

The key to managing power on Windows XP is Group Policy preferences. The Group Policy Management Console (GPMC) included with Windows Server 2008 and the (soon to be released) Remote Server Administration Tools contains the management portion of preferences. Next, you need the preference client side extensions that allow Windows XP to process Group Policy objects that contain preference configuration data. Group Policy preferences client side extensions are available from Microsoft for Windows Vista, Windows Server 2003, and Windows XP.

Preferences provide two preference items you can use to configure power on Windows XP (or Windows Server 2003 and Windows Server 2003 R2). The first of these items is the Power Option item. Figure 1 shows you the properties of a Power Option preference item. This is one of the great features with preferences—the configuration screen closely resembles the screen you actually use on the operating system.

[Figure 1: 00-manage-power-p3]

The Power Option preference item gives you the ability to configure hibernation and prompting for a password when the computer resumes. Also, you can configure the Power button action when you close the lid of the computer (laptop), press the power button, or press the sleep button.

One of the cool things about preferences is you have control over which settings you want to configure and which ones you do not. Figure 1 shows each setting in the preference item underlined with a single green line. This means the setting in the item is enabled and the setting applies as configured. Using Figure 1 as an example, Always show icon on the taskbar is enabled, but the checkbox is not selected. During Group Policy processing, this preference item configures Always show icon on the taskbar, Prompt for password when computer resumes from standby, and Enable Hibernate as off. This result is because the setting in the item was enabled (green underline) and the checkbox is cleared (off). This is a very powerful feature because it allows you full control over the settings you want to configure and the settings that you do not. Let’s look at another example.

[Figure: 01-manage-power-p3]

The above image shows another configured Power Options preference item. In this example, Always show icon on the taskbar has a red dashed underline, which means the setting is disabled. This means when Group Policy applies this preference item, Prompt for password when computer resumes from standby and Enable hibernation are enabled and Always show icon on the taskbar is ignored. You enable and disable a setting by using the function keys on the keyboard.

  • F5 enables all the settings in a preference item
  • F6 enables the currently selected setting in a preference item
  • F7 disables the currently selected setting in a preference item
  • F8 disables all the settings in a preference item

NOTE:
Preference items are not policy settings, which means they are not enforced—just applied. Users with the proper privileges may have the ability to change the preference setting to another selection. However, preference item settings return on the next Group Policy refresh, unless configured otherwise.

The other power preference item is Power Scheme. The Power Scheme preference item allows you to create, modify, and delete power schemes. This allows you to configure a Windows XP computer to use one of the pre-existing power schemes, modify the settings included in one of the pre-existing power schemes, or just create your own—it is your choice. Each power scheme has settings for two options: Plugged in or Running on batteries. From there, you define the time out settings for turning off monitors, hard disks, system standby, and system hibernate. The Power Scheme preference item has the same enable/disable feature as the Power Option preference item and behaves in the same fashion.

The one difference with the Power Scheme preference item is the Action field. The Action field determines the action Group Policy processing applies to the specific preference item. Configuring a Power Scheme preference item to Create does just that—it creates a new power scheme. However, if, on the computer applying the preference item, a power scheme with the same name exists, the preference item does nothing. Delete and Update do just what they describe—delete and update. However, Update does provide additional functionality beyond updating an existing power scheme with new settings. If you configure your Power Scheme preference item to update a power scheme that does not exist on the applying computer, then a new power scheme is created with that name. Lastly, configuring the preference item with Replace has similar results to using Update. When using Update, the Power Scheme preference item only updates the enabled settings within the preference item on the existing named power scheme—leaving all other settings as they are. Replace, however, actually deletes the named power scheme from the computer and then creates a new power scheme based on the settings configured in the Power Scheme preference item.

Other things to remember with power management preference items:

  • You can configure power management preference items in both computer and user configurations. Understand that user configuration applies after computer configuration. This results in the user settings replacing the current power settings, which could have come from another preference item.
  • Local Administrators are Administrators. This means they can change their power configuration. Standard users cannot.
  • When Group Policy applies power management preference items; those items become the current power management scheme—even after the user logs off.
  • Power management preference items support background refresh—your settings can change.

That wraps up Managing Power with Group Policy. Three blog entries, six categories, 34 policy settings, and two preference items later, it should be easy to see how combining these Group Policy features could save your company significant resources. It may be a good time to review how you could implement some of these features and savings you may gain.

Managing Power with Group Policy: Part 1 of 3
Managing Power with Group Policy: Part 2 of 3
Managing Power with Group Policy: Part 3 of 3

-Mike Stephens

Managing Power with Group Policy: Part 2 of 3

Last time, I introduced the new Power Management policy settings included in Windows Vista. In the first of three parts, I wrote about the Button, Hard Disk, and Notification policy settings. Today, I continue to review Power Management by writing about the Sleep and Video and Display power management policy settings.

As a reminder, these categories and their policy settings are located under Computer Configuration\Policies\Administrative Templates\System\Power Management. These policy settings are Windows Vista policy settings and apply only to computers running Windows Vista. Also, these policy settings can co-exist in policies applicable to clients earlier than Windows Vista. Operating systems other than Windows Vista will ignore the settings.

[Figure: 00-manage-power-p2]

I’ll start with the Sleep power management category and its policy settings. As I wrote in part one, Windows divides most Power Management policy settings into Plugged In or On Battery policy settings (Plugged In or On Battery actually appears in the name of the policy setting). This gives the category 12 policy settings total: 6 for Plugged In and 6 for On Battery. These policy settings provide the means to adjust how Windows Vista behaves prior to entering, during, and waking from sleep mode. I’ll begin by providing the name of each policy setting and a summary of its intent.

The policy setting Turn on Applications to Prevent Sleep Transitions, when enabled, provides applications and services a way to prevent Windows Vista from entering sleep mode (including but not limited to Hybrid Sleep, Stand By, or Hibernate).

Enabling the policy setting Specify the System Hibernate Timeout allows you to enter a value, in seconds, to indicate how much idle time elapses before Windows enters hibernate. A related policy setting is Specify the System Sleep Timeout; here the value entered (in seconds) indicates how much idle time elapses before Windows enters sleep mode.

The policy setting Require a Password when a Computer Wakes works exactly as it is written—it prompts the user for a password when the computer wakes. It is also important to know this is the default behavior for Windows Vista, even when you leave this policy setting Not Configured.

Windows Vista includes a Hybrid Sleep mode. Hybrid sleep saves the system state and additional information to a hiberfile. Windows uses this file when it wakes from Hybrid Sleep mode. When enabled, the policy setting Turn Off Hybrid Sleep prevents Windows from creating the hiberfile, which disables Hybrid Sleep mode.

The last setting in this category controls the behavior (or state) of a computer running Windows Vista while in sleep mode. Recently manufactured computers conform to the specification known as Advanced Configuration and Power Interface, or ACPI. This specification is the most popular standard for computer power management. The ACPI specification describes standby states when a computer is sleeping. A portion of the specification labels these standby states as S1, S2, S3, and S4 (you can find more information on ACPI and the specifics of these states at http://www.acpi.info/). When you enable the policy Allow Standby States (S1-S3) when sleeping, Windows Vista may use standby states S1 – S3 while in sleep mode. If you disable the policy, Windows Vista only allows the computer to use hibernate (standby state S4) as a sleep state.

[Figure: 01-manage-power-p2]

The last category in Power Management is Video and Display Settings. This category has four policy settings total, two when Plugged In and two when On Battery. The first policy setting controls a new feature included in Windows Vista: Adaptive Display. Adaptive Display Timeout, on by default, extends the time Windows waits to turn off the display if you repeatedly turn on the display using the keyboard or mouse. Enabling Turn Off Adaptive Display Timeout disables Adaptive Display Timeout, resulting in Windows turning off the display once the idle timeout is exceeded, which is controlled by the remaining policy in this category. The Turn Off the Display policy setting, when enabled, allows you to enter a value in seconds indicating the maximum allotted idle time before Windows turns off the display.

Two blogs complete and one more to go. Next time, I’ll conclude Managing Power with Group Policy by discussing how to use Windows Server 2008 to manage power on Windows XP workstations.

Managing Power with Group Policy: Part 1 of 3
Managing Power with Group Policy: Part 2 of 3
Managing Power with Group Policy: Part 3 of 3

-Mike Stephens

Managing Power with Group Policy: Part 1 of 3

This post was originally published in the Group Policy Team blog.

Many of you probably know about the power management improvements included in Windows Vista and that you can manage power using Group Policy. However, did you know that you can manage power on Windows XP using Group Policy as well? I decided to update the “Power” blog series to show you how Windows Server 2008 can help you manage power at the desktop for both Vista and Windows XP.

Windows Vista provides a tremendous amount of power management support through Group Policy. Power management is comprised of 34 policy settings grouped in 6 different categories. The categories I will write about this week include Button, Hard Disk, Notification, and the base Power Management settings.

These categories and their policy settings are located under Computer Configuration\Policies\Administrative Templates\System\Power Management. These policy settings are new with Windows Vista and apply only to computers running Windows Server 2008 or Windows Vista. Also, these policy settings can co-exist in policies applicable to clients earlier than Windows Vista. Operating systems other than Windows Vista ignore the settings.

[Figure: 00-manage-power-p1]

Power management Group Policy settings target computers; therefore, the majority of the settings are under the Computer Configuration. The main category, Power Management, contains two settings: one setting allows you to deploy one of the standard power management configurations and the other allows you to specify the GUID of a custom power management configuration.

Under Power Management is the Button category. This category has eight policy settings. You can further categorize these policy settings into two categories of four: policies for when the computer is plugged in and for when the computer is on battery. The four settings allow you to define the actions performed when the user presses the power or sleep button or when the user closes the lid of the computer. The last setting controls the power button located on the Start menu. Enabling any of these policy settings gives you a choice of Hibernate, Shut down, Sleep, or Take No Action.

[Figure: 01-manage-power-p1]

The next category is Hard Disk. This category has two policy settings. As with the other power management categories, it categorizes these policy settings for when the computer is plugged in and when the computer is on battery. You use this policy setting to shut down the user’s hard drive after a specified amount of inactivity. Enabling this policy setting allows you to provide the number of seconds before Windows reduces power to the hard drive.

[Figure: 02-manage-power-p1]

The last category for this blog entry is Notification. These five policy settings allow you to configure the notification levels and actions for Low Battery and Critical Battery events. Also, you can disable Low Battery user notification. Low Battery and Critical Battery level policy settings allow you to set the level where Windows will trigger Low Battery or Critical Battery actions. You determine each level by entering a percentage of remaining battery power. Your choices of settings for Low Battery and Critical Battery actions include Hibernate, Shut down, Sleep, and Take No Action.

Don’t ignore power management; sure, it is only a small amount of money saved per client. But add that amount up over time and across multiple computers and you could save a substantial sum of cash from reduced power usage, less wear-and-tear, as well as environmental cooling benefits.

Managing Power with Group Policy: Part 1 of 3
Managing Power with Group Policy: Part 2 of 3
Managing Power with Group Policy: Part 3 of 3

-Mike Stephens

Windows Logon Options in Vista/2008: Part Two of Two

Previously, I wrote about two of the policy settings under the computer configuration. Today, I’ll finish writing about the Windows Logon Options policy category by covering the remaining policy setting under the computer configuration and all of the policy settings under the user configuration.

All operating systems based on Windows NT (Windows Vista, Windows XP, Windows 2000, Windows Server 2003, and Windows Server 2008) have a security feature named the Secure Attention Sequence (SAS). The purpose of the SAS is to alert the operating system that a user is ready to perform a secure action, such as logging on to the computer. You see the results of the SAS when you press CTRL+ALT+DEL to log on to Windows or when you are prompted to insert your smart card. Both are results of a Secure Attention Sequence.

Sometimes, software must simulate a Secure Attention Sequence. Most commonly, software designed for accessibility or ease of access has this requirement. Windows Vista has a policy setting, named Disable and enable software Secure Attention Sequence, that allows you to control which software can simulate a Secure Attention Sequence.

This policy setting has four options, when enabled. These options are:

  • None—disallows any user mode software from simulating a Secure Attention Sequence.
  • Services—allows software running as a service to simulate a Secure Attention Sequence.
  • Ease of access applications—allows software specifically designed for ease of access to simulate a Secure Attention Sequence.
  • Services and Ease of access applications—allows both service and ease of access applications to simulate a Secure Attention Sequence.

Disabling this policy, which is the same as leaving it not configured, allows only Ease of access applications running on the secure desktop to simulate a Secure Attention Sequence.

This concludes the computer policy settings, which leaves three remaining user policy settings. The first of these policy settings is the Set action to take when logon hours expire.

You can configure permitted logon hours for each user in their respective user account. Enabling this policy allows you to configure the action Windows should perform when the user’s logon hours expire. For more information about configuring logon hours, read “Assigning Logon Hours” from Microsoft TechNet. These options include:

  • Lock—locks the current session and prevents the user from unlocking the session outside of their permitted logon hours.
  • Disconnect—disconnects the user from the current session and prevents the user from reconnecting to the session outside of their permitted logon hours.
  • Logoff—logs the user off the computer and prevents further logons outside of the user’s permitted logon hours. Choosing this setting can result in possible data loss.

By default, Windows does not enforce user logon hours. However, once this policy is enabled, Windows warns the user before their logon hours expire and then performs the action you configured when the user’s logon hours expire. When setting this policy setting, you should also consider the Remove logon hours expiration warnings policy setting.

The Remove logon hours expiration warnings policy setting, when enabled, allows you to configure Windows not to notify the user of the pending action before their logon hours expire. By default, Windows does not enforce user logon hours. Therefore, enabling this policy setting has no visible effect unless the Set action to take when logon hours expire policy setting is also enabled.

The last user policy setting is equivalent to the computer configuration setting Report when logon server was not available during user logon. Windows displays a notification to the user explaining that they have logged on using cached credentials because the logon server was not available. Enabling this policy could expedite the reporting of logon problems. And, as with the other policy, it serves as an excellent way to further troubleshoot logon problems. Use this setting when you want to apply the policy setting to a specific user and not to the entire computer.

Suffice it to say, these policy settings can help you secure your corporate environment during off hours as well as assist with detecting possible logon problems earlier rather than later.

-Mike Stephens

Windows Logon Options in Vista/2008: Part One of Two

This is the first of a two part series I originally published on the Group Policy Team blog – updated for Windows Server 2008.

I wanted to bring to your attention some new policy settings for Windows Server 2008 and Windows Vista. The Windows Logon Options policy settings are located under both the Computer and User Configurations\Policies\Administrative Templates\Windows Components\Windows Logon Options. This policy category has six policy settings, equally divided between user and computer configurations. These policy settings apply to computers running and users logging onto Windows Server 2008 and Windows Vista. Earlier versions of Windows will ignore most of these policy settings.

NOTE: Read the explain text of each policy setting before you combine these policy settings with earlier policy settings in a single Group Policy object.

I’ll start by highlighting two of the three policy settings under the Computer Configuration. The first of these is Display information about earlier logons during user logon. When enabled, Windows displays a message after the user logs on. The message contains the date and time of the last successful logon; the date and time of the last unsuccessful logon; and the number of unsuccessful logons since the last successful logon by that user. The user must then acknowledge the message before Windows presents the user desktop.

I know, this sounds like one of those annoying logon prompts that users click through—perhaps. However, I see this as another step in securing Windows on the workstation and the network. Most users know when they logged on last. Additionally, they know when they have typed their password wrong multiple times. Enabling this policy provides this information to users at each logon. Users can then compare this information with their own logon patterns to determine whether there has been an attempt to compromise their account. And, you can use this policy setting to assist with troubleshooting account lockout issues. It’s certainly useful for servers, where only administrators should ever have been logging on through the console or Terminal Services sessions.

NOTE: This policy setting requires the user account logging on to come from a domain at the Windows Server 2008 functional level. Users logging on with user accounts stored in domains functioning at Windows Server 2003, Windows 2000 native, or mixed mode encounter an error message stating that Windows could not locate the account information, and Windows prevents the user from logging on to the domain.

The other valuable policy setting in this category is Report when logon server was not available during user logon. Windows displays a notification to the user explaining that they have logged on using cached credentials because the logon server was not available. Enabling this policy could expedite the reporting of logon problems. And, as with the other policy, it serves as an excellent way to further troubleshoot logon problems.

Stay on the lookout for some of the new policy settings in Windows Vista and 2008. Sometimes, enabling a policy ahead of time can help you troubleshoot later.

-Mike Stephens

Deploying Legal Notices to domain computers using Group Policy

Every so often, I’ll talk with a customer wanting to deploy a legal notice to their workstations using Group Policy. Sounds simple, right? Well, it is actually a little tricky to make the legal notice work correctly. Here is a solution that I share with customers that want to do this and have it look right.

It’s a natural assumption to have this done through Group Policy. Every computer in the domain applies it—it makes the job easy. Searching the Microsoft Knowledgebase does yield a few results—here is one.

310430 How to configure Windows Server 2003 to display a message when users log on
http://support.microsoft.com/default.aspx?scid=kb;EN-US;310430

The following shows the security policy setting that helps us accomplish this task. So, we follow the article and view the results.

NOTE: These examples are from a computer running Windows Vista Service Pack 1 with Remote Server Administration Tools. However, you can use Windows Server 2003 or Windows XP with the Group Policy Management Console (GPMC) to accomplish these results.

Now, notice our Legal Notice on a Windows Vista SP1 computer and on a Windows Server 2003 computer.

Where is the formatting? How quickly we go from pretty to… “not so pretty”. There’s no way we are going to let the legal department see this. We have to fix it. But first, let’s briefly explain why this is happening.

This problem originates from Windows NT 4, when we added Legal Notice Text to the operating system. At that time, it was a single string and did not support carriage returns. We made several attempts to change this behavior shortly after Windows 2000. Interestingly enough, those changes resulted in using a comma (,) as a delimiter for the carriage return. Kinda cool huh?…. Not!

Eight years later, legal counsel crafts very concise legal goo—which just might have a few commas included within the text. Administrators then had to enclose grammatical commas in quotation marks so Windows would not parse them as carriage returns. That didn’t work well.

In Windows Server 2003, we changed the editor to accept a carriage return, allowing you to format your text within the policy, as we did in the example. Well, that only solves the comma problem, because there was no change to how Windows parses the string. Windows now inserts the commas and quotes for you when it writes the policy setting. And, as you can see in our example, we started with two or more paragraphs and ended with a single blob of text in the window. Lastly, this behavior has not changed with Windows Server 2008 or Windows Vista Service Pack 1. So—how do I format this text?

You need to use a script to have your legal notice text appear properly formatted. Figure 4 shows a script you can use in a computer startup script (not a user logon script). The script writes the legal notice text to the policy registry key—just as if it were applied using the security policy settings. But, the script allows you to keep your formatting.

Here is the code for the script. Copy and paste this code into a text file. Be sure to save the text file with a .vbs extension or it will not run correctly. Each command should appear on its own line (no text wrapping) as some of the text in the example is wrapped for readability.

'=========================================================================
'
' VBScript Source File —
'
' NAME: legal.vbs
'
' AUTHOR: Mike Stephens , Microsoft Corporation
'
' DATE: 11/26/2007
'
' COMMENT: sample computer startup script to deploy legalcaption and legaltext
'
' ==========================================================================
set wShell = CreateObject("Wscript.Shell")

strLegalCaption = "Legal Notice"

Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
Const LEGAL_TEXT_VALUENAME = "legalnoticetext"

strLegalText = ""
strLegalText = strLegalText & "The easiest way is to insert the entire paragraph on one line, between the quotation marks." & vbcrlf & vbcrlf

' Copy the line above and repeat for each paragraph in the legal notice.
' Remember it is best to limit your notice to two paragraphs that contain no more than 4
' sentences.

wShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
wShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"

You’ll want to modify the sample code from Figure 4 to include your legal notice. Let me explain the script and which part requires your modifications.

Line 1: set wShell = CreateObject("Wscript.Shell")

This line creates a Windows Scripting Host shell object. The script uses method (or function) from the shell object to write to the registry.

Line 2: strLegalCaption = "Legal Notice"

Line 2 creates a variable named strLegalCaption and assigns the text Legal Notice to the variable. This is the text Windows uses for the title of the legal notice dialog box, which appears when the user presses CTRL+ALT+DEL.

Line 3-5:

Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
Const LEGAL_TEXT_VALUENAME = "legalnoticetext"

These lines create what is called a constant. Constants mean just that: they remain constant, so their values cannot change, unlike the values of variables, which can. Line 3 holds the registry key location to which the script writes. Line 4 holds the registry value name for the legal caption (title of the dialog box), while line 5 holds the registry value name for the legal text (message in the dialog box). Constants work similarly to the search and replace features found in text editors and word processors. When Windows runs the script, it looks at the constants declared in the script and then searches the remainder of the script for those words that are designated as constants. It then replaces each word with its assigned value. Then, Windows continues running the script.

Line 6: strLegalText = “”

Line 6 creates a variable named strLegalText and assigns an empty string to the variable. This is equivalent to a blank line (without a carriage return).

Line 7:

strLegalText = strLegalText & "The easiest way is to insert the entire paragraph on one line, between the quotation marks." & vbcrlf & vbcrlf

This line is the important line. This line defines the text of your legal notice (the text appearing in the dialog box). The registry value name LegalNoticeText is a single string value. Therefore, the script must concatenate your entire legal notice text, carriage returns included, into one string.

The first part of line 7 shows strLegalText = StrLegalText &. This command phrase handles concatenating your paragraphs into a single line of text; so we can write it into the single string registry value. The next phrase in the script is between the quotation marks. This represents the first paragraph of your legal notice. You’ll want to paste the entire paragraph between the quotation marks. The best way to do this is paste your paragraph into notepad ensuring that word wrap is off (click Format from the menu to ensure there is not a check next to Word Wrap).

Position the cursor at the end of the first line. Use the Delete key to move the text on the next line up to the current line. Be sure to keep your spaces. Follow this process until the entire paragraph is on one line (you’ll more than likely have to scroll to the right). Make sure you have an opening and a closing quotation mark. It is likely your script will fail if the command is not on a single line.

NOTE: A quotation mark (") represents the beginning and end of a string in VBScript. Any alphanumeric characters between the quotation marks, including spaces, are included in the string—just as if you were typing a long file name as an argument for a command line application. Be certain your legal text does not include any quotation marks. If possible, use single quotation marks (') instead.

Copy and paste your original line 7 and repeat the above for each paragraph you want included in your legal text. Things to look for are:

  • Inserting quotation marks between the beginning and ending quotation marks.
  • The entire command is not on a single line
  • You keep the & vbcrlf & vbcrlf immediately after the ending quotation mark at the end of each line that represents a paragraph in your legal text.

My legal notice text in this example is three paragraphs, with the last paragraph being a single sentence. Therefore, lines 7-9 of my example script look like the following.

strLegalText = strLegalText & "Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf
strLegalText = strLegalText & "Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf
strLegalText = strLegalText & "Alle Menschen sind frei und gleich an Würde und Rechten geboren." & vbcrlf & vbcrlf

Line 8, 9 (Sample script in Figure 4)

wShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
wShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"

These two lines do all the work. Both lines use the Windows Scripting Host shell object to write to the registry of the local computer. This is accomplished using the RegWrite method. The first parameter to the RegWrite method is the full registry path (hive, key, and value name). The second parameter is the value the script writes into the value name. The last parameter is the data type of the value name—in this case both values are strings, which are REG_SZ data types.

Line 8 uses the POLICY_KEY constant and the LEGAL_CAPTION_VALUENAME constant to build the path to which the script writes. strLegalCaption is the variable we used to hold the value of the legal caption. Line 9 uses the POLICY_KEY constant and the LEGAL_TEXT_VALUENAME constant to build the path to which the script writes. strLegalText is the variable we used to hold the value of the legal text.

Below is the example script created for contoso.com’s legal text notice, which is based on the sample script from Figure 4.

'=========================================================================
'
' VBScript Source File —
'
' NAME: legal.vbs
'
' AUTHOR: Mike Stephens , Microsoft Corporation
'
' DATE: 11/26/2007
'
' COMMENT: sample computer startup script to deploy legalcaption and legaltext
'
' ==========================================================================
set wShell = CreateObject("Wscript.Shell")

strLegalCaption = "Legal Notice"

Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
Const LEGAL_TEXT_VALUENAME = "legalnoticetext"

strLegalText = ""
strLegalText = strLegalText & "Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf
strLegalText = strLegalText & "Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf
strLegalText = strLegalText & "Alle Menschen sind frei und gleich an Würde und Rechten geboren." & vbcrlf & vbcrlf

' Copy the line above and repeat for each paragraph in the legal notice.
' Remember it is best to limit your notice to two paragraphs that contain no more than 4
' sentences.

wShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
wShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"

If you can, disable your existing Group Policy object that contains your legal notice security policy settings. Now, create a new Group Policy object and link it at the level appropriate for your environment. Configure this GPO with a computer startup script and include your script. Refresh Group Policy and then log off your workstation. Press CTRL+ALT+DEL.
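The same deployment as an added PowerShell example (this is not the post’s script). It reads the paragraphs of the notice from a text file next to the script, so nobody has to collapse lines by hand in Notepad or worry about commas and quotation marks inside the notice; joins them with blank lines the way the VBScript does with & vbcrlf & vbcrlf; writes the same two values under the same policy key; and reads the stored value back to confirm the paragraph breaks survived. The file name legalnotice.txt and the caption text are assumptions of this example; the key and value names are the ones the post uses.

```powershell
# Added example, not the post's legal.vbs: computer startup script that writes a
# formatted legal notice to the policy registry values. Run it from a GPO
# computer startup script, as the post describes.

$PolicyKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$CaptionName = 'legalnoticecaption'   # value name from the post
$TextName    = 'legalnoticetext'      # value name from the post

# Assumptions for this example: the notice lives in a text file beside the
# script, one paragraph per line (commas and double quotes are fine there
# because the text never passes through the security policy editor).
$NoticeFile = Join-Path $PSScriptRoot 'legalnotice.txt'
$Caption    = 'Legal Notice'

if (-not (Test-Path -LiteralPath $NoticeFile)) {
    Write-Error "Notice file not found: $NoticeFile"
    exit 1
}

# Each non-empty line is one paragraph; trim stray whitespace from the edges.
$Paragraphs = @(Get-Content -LiteralPath $NoticeFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' })

if ($Paragraphs.Count -eq 0) {
    Write-Error "Notice file is empty: $NoticeFile"
    exit 1
}

# Join with CRLF CRLF between paragraphs and after the last one, matching the
# VBScript's "& vbcrlf & vbcrlf" at the end of every paragraph line.
$Text = ($Paragraphs -join "`r`n`r`n") + "`r`n`r`n"

# Both values are REG_SZ, exactly as the security policy setting writes them.
Set-ItemProperty -LiteralPath $PolicyKey -Name $CaptionName -Value $Caption -Type String
Set-ItemProperty -LiteralPath $PolicyKey -Name $TextName    -Value $Text    -Type String

# Read the value back and count the paragraph breaks so a broken run shows up
# in the startup-script log rather than on the logon screen.
$Stored = (Get-ItemProperty -LiteralPath $PolicyKey -Name $TextName).$TextName
$Breaks = ([regex]::Matches($Stored, "`r`n`r`n")).Count
Write-Output ("Wrote {0} paragraph(s); stored value contains {1} paragraph break(s)." -f $Paragraphs.Count, $Breaks)
```

Keep the security policy setting for the legal notice undefined in every GPO that applies to these computers, as the post advises: a security policy setting is reapplied on each Group Policy refresh and writes these same two values, so it would replace the formatted text with the single-line version again.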


– Mike Stephens

Security Policy Settings and User Account Control

This post was originally published in the Group Policy Team blog in September 2006—anticipating the launch of Windows Vista. Here it is again—refreshed—for the upcoming launch of Windows Server 2008.

User Account Control in Windows Server 2008 and Windows Vista requires that all users run in standard user mode; its purpose is to limit the user’s ability to change critical operating system files or to expose their computer and network to viruses and malware. Windows displays an authorization dialog box when a task requires administrative privileges, such as opening the Microsoft Management Console (MMC). You, the administrator, provide administrative credentials to “elevate” your privileges for the specific process (you can read more about User Account Control on the Microsoft Windows Vista TechNet site: http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx). Windows Server 2008 and Windows Vista provide you with nine security policy settings to control how User Account Control behaves. You can locate these security policy settings in the Local Group Policy Editor under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, or under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options when editing domain-based GPOs using the GPMC included in Windows Server 2008 or the Remote Server Administration Tools on Windows Vista Service Pack 1.

These security policy settings apply only to computers running Windows Server 2008 or Windows Vista RTM or later. These security policy settings can co-exist in GPOs applicable to clients earlier than Windows Vista; operating systems other than Windows Server 2008 and Windows Vista ignore the settings.

Before I begin, I want to tell you about another feature of security policy settings. This valuable feature is a little hard to find. Each security policy setting has “explain” text similar to registry-based policy settings. Simply double-click the security policy setting and then click the Explain tab to view detailed information about the security policy setting: its enabled and disabled behavior, and its default values.

Now, let us move on to the User Account Control policy settings. Windows Vista provides nine security policy settings to control the behavior of User Account Control. You can enable these security policy settings in Local Computer and domain-based Group Policy objects. Each security policy setting starts with “User Account Control” followed by the actual name of the policy setting. The Group Policy Object Editor lists security policy settings in alphabetical order, so just scroll to the end.

The first of these policies controls the Admin Approval Mode for the built-in Administrator account. When enabled, Admin Approval Mode is on for the built-in Administrator account, and Windows prompts the administrator for any operation requiring an elevation of privilege. The prompt gives the administrator the choice to Permit or Deny the request for elevation. When disabled, Admin Approval Mode is off. The built-in Administrator account runs all applications using full administrative privileges and does not prompt for elevation.

The next two security policy settings control the type of prompt User Account Control uses. These security policy settings are Behavior of the elevation prompt for administrators in Admin Approval Mode and Behavior of the elevation prompt for standard users. The Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting provides three choices:

  • Prompt for Consent –provides a dialog box asking you to either Permit or Deny the request for elevation.
  • Prompt for Credentials –provides an authentication dialog box asking you to provide administrative credentials to permit the request for elevation.
  • Elevate without Prompting –automatically permits the request for elevation without prompting the administrator.

The Behavior of the elevation prompt for standard users security policy setting provides two choices: Prompt for Credentials, and Automatically deny elevation requests, where Windows denies all requests for elevation and displays an Access Denied error message.

When enabled, the Detect application installations and prompt for elevation security policy setting causes Windows to heuristically detect installation packages that require an elevation of privilege and trigger a User Account Control prompt for elevation. Disabling this security policy setting disables the detection process.

Enabling the security policy setting Only elevate executables that are signed and validated forces Windows Vista to validate an executable’s Public Key Infrastructure (PKI) certificate chain before permitting it to run elevated. Disabling this security policy setting does not enforce validation of the PKI certificate chain.

The next security policy setting listed is Only elevate UIAccess applications that are installed in secure locations. UIAccess applications are applications designed specifically to assist with user accessibility. These applications typically send information to other applications. The on-screen keyboard is an example of a UIAccess application. When enabled, Windows requires UIAccess applications to run from a secure location. These secure locations include:

  • …\Program Files\… including all sub folders.
  • …\Windows\System32\…
  • …\Program Files (x86)\… including all sub folders (64-bit versions).

Your desktop appearance changes when Windows Vista prompts you for elevation. Windows displays a gradient shade of gray over your existing desktop and then you see the prompt for elevation, in color. Actually, Windows switches your desktop to a secure desktop before prompting you for elevation. This describes the enabled behavior of the security policy setting Switch to the secure desktop when prompting for elevation. When disabled, Windows prompts for elevation on your existing desktop.

Some applications read or write registry information or files to locations that Windows protects from normal users. This usually requires the user to run the application as an administrator until an application upgrade becomes available. Windows Vista helps by providing virtualized file and registry writes to areas previously protected from normal users. This feature redirects writes destined for protected locations to locations where users have write access. The security policy setting Virtualize file and registry write failures to per-user locations provides this behavior, when enabled. When you disable this security policy setting, applications attempting to write in protected locations fail as with earlier versions of Windows.

The last security policy setting controlling User Account Control behavior is probably the most important one. Run all users, including administrators, as standard users is a security policy setting that affects all other User Account Control security policy settings. Enabling this policy turns on Admin Approval Mode and sets all other User Account Control policies to their default values. Disabling this policy turns off Admin Approval Mode and disables all related User Account Control security policy settings. Lastly, changing this security policy setting requires a reboot.

So, when you are evaluating your security policy during your Windows Server 2008 or Windows Vista deployment, look at the explain text for each security policy setting. Make sure you fully understand its impact before changing a security policy setting. Then, do not forget to include User Account Control policy settings in your security policy. These security policy settings can help you keep your computer, network, and data safe and secure.
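As an added example (not from the post), here is a PowerShell audit that reports how the nine User Account Control security policy settings described above, plus the Disable and enable software Secure Attention Sequence and Display information about earlier logons during user logon policy settings from the Windows Logon Options posts earlier on this page, are currently configured on a computer. The post names only the policy settings; the registry value names under the policy key, the numeric meanings, and the list of values worth reviewing are this example’s assumptions, so check them against the Explain text and your ADMX files before relying on them.

```powershell
# Added example, not the post's code: read the registry values behind the UAC
# and Windows Logon Options policy settings and report their state.
# ASSUMPTION: the value names and numeric meanings below are this example's
# mapping, not something the post states.

$PolicyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# One entry per policy setting: backing value name, policy name, known values.
$Checks = @(
    @{ Name = 'FilterAdministratorToken';    Policy = 'Admin Approval Mode for the built-in Administrator account';                       Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Name = 'ConsentPromptBehaviorAdmin';  Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode';       Values = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials'; 2 = 'Prompt for consent' } }
    @{ Name = 'ConsentPromptBehaviorUser';   Policy = 'Behavior of the elevation prompt for standard users';                              Values = @{ 0 = 'Automatically deny elevation requests'; 1 = 'Prompt for credentials' } }
    @{ Name = 'EnableInstallerDetection';    Policy = 'Detect application installations and prompt for elevation';                        Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Name = 'ValidateAdminCodeSignatures'; Policy = 'Only elevate executables that are signed and validated';                           Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Name = 'EnableSecureUIAPaths';        Policy = 'Only elevate UIAccess applications that are installed in secure locations';        Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Name = 'PromptOnSecureDesktop';       Policy = 'Switch to the secure desktop when prompting for elevation';                        Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Name = 'EnableVirtualization';        Policy = 'Virtualize file and registry write failures to per-user locations';                Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Name = 'EnableLUA';                   Policy = 'Run all users, including administrators, as standard users';                       Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    # Windows Logon Options (Parts One and Two above)
    @{ Name = 'SoftwareSASGeneration';       Policy = 'Disable and enable software Secure Attention Sequence';                            Values = @{ 0 = 'None'; 1 = 'Services'; 2 = 'Ease of access applications'; 3 = 'Services and Ease of access applications' } }
    @{ Name = 'DisplayLastLogonInfo';        Policy = 'Display information about earlier logons during user logon';                       Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
)

# Values that switch off a protection the post describes; flagged for review.
$Review = @{
    EnableLUA                  = @(0)   # UAC off entirely
    ConsentPromptBehaviorAdmin = @(0)   # elevation without any prompt
    PromptOnSecureDesktop      = @(0)   # prompt on the user's desktop
    EnableSecureUIAPaths       = @(0)   # UIAccess from any location
    EnableInstallerDetection   = @(0)
    EnableVirtualization       = @(0)
    SoftwareSASGeneration      = @(1, 3) # services may simulate CTRL+ALT+DEL
}

$Props = Get-ItemProperty -LiteralPath $PolicyKey -ErrorAction Stop

$Report = foreach ($c in $Checks) {
    $prop = $Props.PSObject.Properties[$c.Name]
    if ($null -eq $prop) {
        # No value means the policy is Not Configured and the Windows default applies.
        $state = 'Not configured (value absent; Windows default applies)'
        $flag  = ''
    } else {
        $v = [int]$prop.Value
        $state = if ($c.Values.ContainsKey($v)) { "$v = $($c.Values[$v])" }
                 else { "$v (value introduced by a later Windows version; see the Explain text)" }
        $flag  = if ($Review.ContainsKey($c.Name) -and $Review[$c.Name] -contains $v) { 'REVIEW' } else { '' }
    }
    [pscustomobject]@{ Policy = $c.Policy; ValueName = $c.Name; State = $state; Flag = $flag }
}

$Report | Format-Table -AutoSize -Wrap
```

Run it in an ordinary (non-elevated) session; the policy key is readable by standard users, which also makes it handy for spot-checking what Group Policy actually delivered after a gpupdate rather than what the GPO editor says it should have.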

– Mike Stephens