-
Easier GPO management using filtering
Posted on June 25th, 2009 No comments
The number of group policy settings that you can use to fine-tune your client and server computers is constantly growing. The more settings there are, the harder it is to find them. Therefore the “All settings” option in the Group Policy Manager in Windows Vista SP1 and later and Windows 7 is a pleasure. But the best part is that you can filter the list and show only policies related to exactly what you are looking for, for example only settings that contain “DNS” to see settings related only to DNS.
Start gpedit.msc or the full Group Policy manager, which is a part of Remote Server Administration Tools for Windows Vista and Windows 7, and go to Computer Configuration > (Policies >) Administrative templates and click “All settings”. Right-click anywhere in the right pane to filter the list down to only the settings that you are interested in.
-
Add users to local groups on the Windows clients easily
Posted on May 27th, 2009 No comments
If you want to add domain users or groups to a local group on a Windows client machine automatically, this can be done using group policies. One reason could be to easily put groups or users into the local group Remote Desktop Users to allow them to log on via RDP. To control which users or groups you want to add, create a new GPO in the domain and go to Computer configuration > (Policies) > Windows settings > Security settings > Restricted groups.
Once there, choose to add a group, in my example the “Remote Desktop Users” group, and after that add the user or group you want to add on the local machines to which that particular group policy object applies. More information about restricted groups can be found at http://support.microsoft.com/?id=810076
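The following is an added example, not part of the original post. Restricted Groups settings are stored in the [Group Membership] section of the GPO's GptTmpl.inf file, and this sketch parses that section to show whether each line replaces a group's membership (`__Members`) or only adds the group to other groups (`__Memberof`). The sample text and its SIDs are constructed, and `Get-RestrictedGroupEntry` is a hypothetical helper name.

```powershell
# Constructed sample: [Group Membership] section as stored in a GPO's GptTmpl.inf.
# All SIDs in the S-1-5-21-1111111111-... domain are made up for illustration.
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1104,*S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1200__Memberof = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Hypothetical helper: returns one object per Restricted Groups line.
function Get-RestrictedGroupEntry {
    param([Parameter(Mandatory)][string]$InfText)

    # Well-known builtin group SIDs, translated for readability.
    $wellKnown = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-555' = 'Remote Desktop Users' }
    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {            # section header
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -notmatch '^\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$') { continue }

        $group = $Matches[1]; $kind = $Matches[2]; $list = $Matches[3]
        $sids = @($list -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        [pscustomobject]@{
            Group  = if ($wellKnown.ContainsKey($group)) { $wellKnown[$group] } else { $group }
            Kind   = $kind
            Values = $sids -join ', '
            Effect = if ($kind -eq 'Members') {
                'Replace: members not listed are removed at policy refresh'
            } else {
                'Additive: the group is added to the listed groups'
            }
        }
    }
}

Get-RestrictedGroupEntry -InfText $sampleInf | Format-List
```

Running it against a copy of a real GptTmpl.inf before linking the GPO shows which local groups will have their existing members overwritten.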
-
Filtering policies in new Group Policy management tool
Posted on May 4th, 2008 2 comments
When you install Vista Service Pack 1 the old GPMC.MSC control panel is removed. The reason for this is that there is a new and improved Group Policy management tool in the Remote Server Administration Tool kit that was released slightly after Service Pack 1 was released to the public.
One of the new features of the new Group Policy management tool is that you can filter policy settings. Directly under “Administrative templates” for both Computer and User Configuration there is a new “All settings” category which lists all settings in “Administrative templates”. If you select “All settings” you can then right-click anywhere and choose “Filter options”. It looks like the screenshot below.

By entering the information you are looking for it is very easy to find the group policy settings that you are looking for. This is becoming more and more necessary as the number of policies grows by hundreds or nearly a thousand for every new Windows version released and it is hard to find the setting one is looking for.
Download Remote Server Administration Tools (x86)
Download Remote Server Administration Tools (x64)
-
Turn off UAC in a domain using Group Policies
Posted on March 30th, 2008 No comments
Some people, for whatever reason, want to turn off UAC for all or certain computers in a domain using Group Policies. This is done by setting Computer Configuration > Windows Settings > Local Policies > Security Options > User Account Control: Run all administrators in Admin Approval Mode to Disabled. As usual when turning off UAC, a reboot is required for the changes to take effect.
-
Setting Microsoft Update to be default using a script
Posted on November 2nd, 2007 3 comments
Windows Update in Windows Vista is wrapped in a regular window in the operating system itself rather than being opened as a web page in Internet Explorer 7. The basics are the same and it is the same underlying components in both Windows Vista and when you run Windows Update in a browser window on for instance Windows XP. Never mind, on a Vista client computer set to connect to a WSUS (Windows Server Update Services) server it will of course always check for updates there. In the Windows Update control panel on a client computer you can however choose to alternatively search for updates on Windows Update. If you deploy other software such as Office 2007 you might want to use Microsoft Update instead of Windows Update, to see if there are other updates available for Office and other Microsoft products, not only Windows.

The reason why I want to check Microsoft Update manually from time to time is to regularly check which updates arrive to the various client computers that can be downloaded separately and then integrated into our installation media. Since opting into Microsoft Update requires administrative rights on the computers, I want to set Microsoft Update somehow automatically, and apparently there are still no GPO settings for this, which I find rather strange. After doing some research I have found the solution to automatically set Microsoft Update as the default instead of Windows Update. The script to add is as follows:
Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager")
ServiceManager.ClientApplicationID = "My App"
' Add the Microsoft Update service, identified by its GUID
Set NewUpdateService = ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")
Add this to a startup or login script to make sure Microsoft Update is always default.
-
Backing up BitLocker recovery keys to Active Directory
Posted on October 21st, 2007 1 comment
Using BitLocker to encrypt your system partition is a very good option to keep the computer and the data on it secure. Starting with Vista SP1 you will be able to encrypt not only the system partition but all the other partitions as well, offering even better security. When you encrypt a partition with BitLocker a recovery key is automatically generated so that you can recover the data on the computer when necessary. By default you have the choice of printing the recovery key or saving it to a USB stick or a network share.
However, using a group policy setting (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Turn on BitLocker backup to Active Directory) you can also back up the recovery key to Active Directory, which is a very good suggestion I must say. If you are running Windows Server 2008 you do not have to do anything to get this working, but if you would like to use Windows Server 2003 with SP1 or later to back up the BitLocker recovery key you must use scripts provided by Microsoft to extend the schema. Microsoft also offers a tool called BitLocker Recovery Password Viewer which can be downloaded directly from Microsoft Premier Services. When this tool is installed it introduces another tab in a computer object's Properties called “BitLocker Recovery” where the BitLocker recovery keys are listed for your viewing pleasure in the case of necessary restoration. The only negative part about the tool is that it can only be installed on a Windows XP or Windows Server 2003 computer, as it requires that you have installed the “Windows Server 2003 Administration tools for SP1” on Windows XP to get the control panel for Active Directory Users and Computers.
UPDATE: I forgot to add the link to the page where you can find all the necessary information as well as the “extend schema”-script. Here it is!
-
Manage ActiveX controls with GPOs in Vista
Posted on October 10th, 2007 No comments
As you might know there is no good way to control the installation or blocking of ActiveX controls for standard user accounts. Windows Vista introduces a cure to this, and it is called ActiveX Installer Service. This service is not installed by default but can be found in Programs and Features > Turn Windows features on or off. I recommend that you add this component using an unattended answer file in corporate environments. Once installed you can control if a standard user should be able to install certain ActiveX controls or not. I have not found any good step-by-step guides for configuring this so here it comes:
1. When you go to a web site and try to install an ActiveX control, an event is logged in the event viewer specifying the exact origin and http or https address where the ActiveX control resides.
2. Enter the address you found above in the group policy setting “Approved Installation Sites for ActiveX Controls” found in Computer configuration\Administrative templates\Windows Components\ActiveX Installer Service, with the additional settings, for example 2,2,0,0.
To allow, for instance, the Windows Genuine Advantage control to be installed by a regular user, you can add the address http://download.microsoft.com with 2,2,0,0. Now you can refresh the policy on your test computer, go to Microsoft Download Center, and there try to validate and install the WGA ActiveX control as a regular user account without administrative privileges. Voilà!
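The following is an added example, not part of the original post. The four comma-separated values stand for TPSSignedControl, SignedControl, UnsignedControl and ServerCertificatePolicy, and this sketch decodes an approved-sites list and flags entries a reviewer should question. The `example.test` entries are constructed, and `Test-AxApprovedSite` is a hypothetical helper name.

```powershell
# Constructed sample of the policy's "host URL = value" list. The first entry is
# the one used in the post; the example.test entries are made up for illustration.
$approvedSites = [ordered]@{
    'http://download.microsoft.com' = '2,2,0,0'
    'https://apps.example.test'     = '2,1,0,0'
    'https://legacy.example.test'   = '2,2,1,256'
}

# Hypothetical helper: decodes one entry and lists the points worth reviewing.
function Test-AxApprovedSite {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Value
    )
    # Field order: TPSSignedControl, SignedControl, UnsignedControl, ServerCertificatePolicy
    $action = @{ 0 = 'Block'; 1 = 'Prompt'; 2 = 'Silent install' }
    # ServerCertificatePolicy is a bitmask of HTTPS certificate errors to ignore.
    $certFlags = @(
        @{ Bit = 0x0100; Name = 'unknown CA' }
        @{ Bit = 0x0200; Name = 'wrong certificate usage' }
        @{ Bit = 0x1000; Name = 'invalid CN' }
        @{ Bit = 0x2000; Name = 'invalid date' }
    )
    $parts = @($Value -split ',')
    if ($parts.Count -ne 4) { throw "Expected 4 comma-separated values for $Url, got '$Value'" }
    $tps, $signed, $unsigned, $mask = $parts | ForEach-Object { [int]$_.Trim() }

    $findings = @()
    if ($Url -notmatch '^https://') { $findings += 'plain HTTP: certificate checks do not apply to this site' }
    if ($unsigned -ne 0) { $findings += 'unsigned controls are not blocked' }
    foreach ($flag in $certFlags) {
        if ($mask -band $flag.Bit) { $findings += "HTTPS certificate error ignored: $($flag.Name)" }
    }
    [pscustomobject]@{
        Url              = $Url
        TrustedPublisher = $action[$tps]
        Signed           = $action[$signed]
        Unsigned         = $action[$unsigned]
        Findings         = $findings -join '; '
    }
}

foreach ($site in $approvedSites.GetEnumerator()) {
    Test-AxApprovedSite -Url $site.Key -Value $site.Value
}
```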




