Active Directory, Exchange, Microsoft Clustering, Scripting, MOM, SQL. : Group Policy

Tip - A Quick Tip To Update Group Policy Settings On Remote Computers

Nirmal Sharma — Thu, 16 Oct 2008 17:20:47 GMT

This article explains a single command you can use to update the Group Policy settings on remote computers. Please note this applies to Windows 2000 Computers only Read more here... http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips...(read more)

WinInstall LE, MSI Creator and Configuration Builder

Nirmal Sharma — Tue, 30 Sep 2008 03:39:29 GMT

This article explains the advantages of tool WinInstall LE (a tool from Veritas software, which ships with Windows Server CD) and how to use this tool to convert EXE applications to MSI packages. About Active Directory and Group Policy You have, no doubt...(read more)

Tip - A Quick Tip to configure Group Policy settings in Workgroup Security Model.

Nirmal Sharma — Thu, 25 Sep 2008 10:14:20 GMT

This article will show how you can quickly configure Group Policy in Workgroup Security Model. This article applies to Windows 2000, Windows XP and Windows 2003. The Group Policy can also be deployed in Workgroup security model but there is no central...(read more)

Login Scripts, Computer and User Logon Scripts! - Difference

Nirmal Sharma — Sun, 23 Sep 2007 20:12:00 GMT

You may have noticed the following policy settings in Group Policy and for a while confused about these policy settings for user.

There are three places in Group Policy where you can configure programs to run when a computer starts and after a user logon to the system. These three places are under the following container:

User Configuration\Windows Settings\Scripts (Logon\Logoff)
User Configuration\Administrative Templates\System\Logon
Computer Configuration\Administrative Templates\System\Logon

In the last two, you will see the following policy settings:

Run these programs at user logon
Do not process the run once list
Do not process the legacy run list

The above policy settings appear in both: User and Computer Configuration container.

For “Run these programs at user logon” policy setting, if this policy setting is configured in both the container (user and computer) the user policy setting will run just after computer policy setting.

For last two “Do not process the run once list” and “Do not process the legacy run list” policy settings, if this policy setting is configured in both the container (user and computer) the computer policy setting will take precedence over user policy setting.

Why so? The reason is very simple. The Run Once list is configured in Local Machine HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce only. The programs in this registry key are processed only after user has logged on to the system. There is no RunOnce key for user. That is why computer RunOnce will run after user RunOnce.

Now, you may ask that there is logon programs, login scripts and logon scripts but there is no Logoff Programs? It is because a program requires system resources when it runs whereas a logoff shuts down all the applications. While a windows is shutting down a program can not stay in memory.

There is a difference between running a program and a script. Please note the difference. A program is something which is installed on users computer and you configure in “Run these programs at user logon” by specifying the full path of that program. This program runs Locally. On other hand, a script is something which is run over the network. You need to specify a complete path of the program you wish to run when a user’s login script has finished.

So the point is very clear and the script or programs are run in the following order:

Computer Startup / Script runs. Will be applicable to all the computers
User Login script runs. Will be applicable to all the users.
Computer logon programs run Will be applicable to all the computers.
User logon programs run Will be applicable to all the users.

After user login script has finished, the Winlogon at workstation will retrieve a list of programs to run on local computer from GPO.

In above, there is no conflict in policy settings so all the program will run one by one.

Group Policy Key terms:

Not Configured

This means Policy setting is not configured and Winlogon service at client end,

While processing the Group Policy Objects from domain controller, will not process this policy

setting.

Disabled

This means Policy setting is configured but Domain Controller will not publish it for

processing or Winlogon at workstation will not process this setting.

Enabled

This means Policy setting is configured and will be processed by Winlogon service at

workstation.

The Microsoft has designed two options for Group Policy for NOT processing Group Policy settings. The “Disabled” option in Policy settings are configured per policy setting whereas “Disable User or Computer Policy settings” in property of GPO is used to NOT to process any policy settings configured in the said container. The later option overrides settings configured in earlier option.

Computer policy settings only run when computer starts just before user logon. Example, you have a network drive to map for all computers. This network drive mapping will be available for all the users who log on to that system.

User policy settings only run after user log on to the system. In above example, the network drive mapping will be available to all users who logs on to the system.

Third option is filtering Group Policy settings using groups. This option doesn’t necessarily defeat the above rule but is here to process the GPO for selected users or computers. In above example, if you create a Group called “ServiceComputers” and put 4 computers in that group and apply a policy setting to this group then only the computers will receive this policy.

Other options are “Block Policy Inheritance” and “No Override”. The first option can be set on a child policy meaning you can not set this option at site level or there is no use of this option at parent policies. This option, if enabled, forces child GPO not to accept any policy settings coming from Parent GPO. The “No Override” option, if enabled, forces child GPO not to block any policy setting coming from parent GPO. If there is a conflict in the policy, the Parent GPO settings will be applied provided “No Override” option is enabled.

Why Default Domain GPO..Why...Why...Why

Nirmal Sharma — Thu, 02 Nov 2006 04:42:00 GMT

You might have few questions to yourself:

1. Why domain GPO will still apply to local admin account of client computer.

2. Why domain GPO will still apply in safe mode and safe mode with networking modes.

Interesting when you see domain GPO will still apply to a computer not connected to network.

This behaviour is by design. This is just to maintain the security of computer.

The reason and Logic behind this

Its all about the Computer Account and relationship of client computer with domain. Windows OS and Winlogon service still assumes that a PC logged on to local computer or safe mode/with networking is the member of domain as long as Computer account of this local computer exist in domain or a secure channel exists between computer and Domain Controller.

Windows OS assumes that the security of this computer should be maintained by a domain controller as long as it is the member of the domain. So GPOs will be applied when you log in Safe Mode or any other mode.

Group Policy to close off all programs before backup runs.

Nirmal Sharma — Wed, 01 Nov 2006 17:11:00 GMT

Let's say you want to implement a policy setting that can be used to close off all the programs running in computer.

Actually speaking this is not bit easy but you can deploy a script that can do your job at specifed time using Task Scheduler service.

To accomplish above you need the followings:

1. A startup or logon script.

2. tlist.exe to display list of processes running on the computer and kill.exe to kill the processes running except Windows defaults.

3. AT command to schedule the script at specified time.

You need to know the *process name* of the application you want to close or kill. You can use resource kit tool called "kill.exe* to close the process of an application. When you kill the process, application will be closed automatically.

You need to run a script using Group Policy which will run at 10.00 PM everyday. You can achieve using Task Scheduler service or using AT command in a script. Deploy this script using Group Policy.

Files opened by network clients must also be closed in order to perform backup. You can use the command outlined here to close all opened files by network users.

Please follow this article:

http://support.microsoft.com/?kbid=290585

If you don't know what all applications clients are running then you need to use some kind of programming stuff which can identify and close the application. Likewise all running applications can be closed by killing the main process that is Explorer.exe. But if you kill explorer.exe then you need to re-run it in order to perfrom backup. Using some programming stuffs you can acheive this. Here is an example:

1. You create a script.
2. Use kill.exe in this cript to end PID of explorer.exe or kill this process.
3. Run a command again to re-start this process (explorer.exe) to lunch desktop and then perform backup.

Group Policy Rule

Nirmal Sharma — Tue, 31 Oct 2006 19:17:00 GMT

Keep the following rules in mind before you apply the Group Policies:

1. Group Policies can be applied to AD-Leaf objects such as users and computers but NOT security or distribution Group.

2. Users and Computers MUST reside in the OU where you have configured Group Policy.

3. Group Policies can use GROUPS to filter the scope of policy settings.

4. By default Group Policies are applied to the following groups:

Authenticated Users

5. If the security properties are default....then Group Policy settings should apply to administrators or you because by default when you create a GPO the following Security Settings permissions are set:
*Apply Group Policy* and *Read* Permission to the following Groups:-

Authenticated Users
Domain Admins
Enterprise Admins
Administrators.

5. Group Policy processing depends on Client-Side-Extensions stored in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPTExtensions << all GUID listed for Client-Side-Extensions.

CSCs are used to process GPOs from Domain Controller. Winlogon.exe will capture a list of GPOs.

As per M$ recommendation you should remove *Authenticated Users* group and create a new Group > add all members to this group and use FILETERING technique. Now generally what happens all user objects are member of

Authenticated Users Group and the settings are mixed because from Domain Level to.........child OU the settings are applied to Authenticated Users Group.........so for example :-

If you have configured anything in the parent OU and also configured in Child OU...and all users are member of Authenticated Users Group....settings are meesed up and then Group Policy rule is applied:

Policy Settings at Parent OU Policy Settings at Child OU Result
If NOT Configured If Configured Child's setting applied
If Configured If Configured and Do not conflict Both Settings
If Configured If Configured and Conflicts Child's setting applied
If Configured If Not Configured Parent's Setting applied
If NOT Configured If Not Configured No Settings (This is default)

Copy Group Policy Settings.

Nirmal Sharma — Tue, 31 Oct 2006 16:34:00 GMT

Scenario:

You need more than one Group Policy Objects and few settings are similar and few are not but the amount of configuration is time consuming. You can avail this by copying the Group Policy settings from SYSVOL folder to destination GPO.

You will see policy contents of GPO created in SYSVOL folder in Policies sub-folder and then copy them to the newly created GPO.

This is how you do it:

A. First note down the GUID of Old GPO you want to copy:

1. Open ADUC
2. Right click on OU > Property
3. Switch to Group Policy tab
4. Click GPO > Property > note down the GUID of this GPO.

B. Next create the new GPO and find out the GUID in the same manner.

C. Follow the steps outlined below to copy contents of old GPO to new GPO you created in step B.

1. Finally goto SYSVOL\domain_name.com\policies\GUID of old GPO
2. Copy the contents of this GPO.
3. Next goto SYSVOL\domain_name.com\policies\GUID of new GPO
4. Paste the contents here or overwrite.

D. Finally make whatever changes you want to make to the copied policy.

Group Policy Troubleshooting

Nirmal Sharma — Mon, 30 Oct 2006 23:20:00 GMT

The following points should be taken into consideration while Troubleshooting Group Policy. These are the common ones:

Group Policy settings can be applied only when User account or computer account (leaf objects) are in the same container where GPO is applied.

Leaf objects or Groups must have “Read” and “Apply Group Permissions” assigned to them.

Make sure you and users have proper permissions on SYSVOL folder.

Make sure SYSVOL folder is shared properly (type net share \\ip_of_dc) from a client machine or server.

Group Policy Objects may not be processed if Client-Side-Extensions (CSE) are missing in client machine or DLL used to process GPOs are corrupted. You can find the CSE at the following registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPTExtension.

Make sure NetBIOS Helper service is running in server using services.msc snap-in.

Make sure you haven’t enabled *No Override* option on parent GPOs if yo’re using one. Check this in Default Domain GPO.

For permissions, you should have the following set for each object:

Remove *Authenticated Users* group from list of objects listed on Security Tab.

Sales Dept should have “Read” and “Apply Group Policy” permissions.

Administrators, Enterprise Administrators and Domain Administrators should be set to “Deny Apply Group Policy”.

Finally you can troubleshoot Group Policy either using GPMC (RSOP) or enabling User Environment Debugging on one of your client machine and then finding the culprit.

How to enable User Profile Debugging:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

How to manually create Default Domain GPOs

Nirmal Sharma — Wed, 25 Oct 2006 19:54:00 GMT

There is a way to create Default Domain GPO. There are two GPO created when you promote a member computer or a stand-alone server to domain controller.

These two GPOs are :

Default Domain Group Policy
Default Domain Controller Group Policy.

These GPO are stored in the SYSVOL folder. Netlogon service creates two permanent GUID for these two GPO under SYSVOL folder:

\Windows\SYSVOL\sysvol\domain.com\policies\GUID

Domain Default GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}

Domain Controller Default GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1}

Windows OS identifies default domain policies by its GUIDs located in SYSVOL folder. These GUIDs are unique for Default Domain Policy and Default Domain Controller Policy created by default.

You can use the following steps to create the Default GPOs manually:

1. Open ADUC

2. Right click on Domain_name.com > Property

3. Switch to Group Policy tab

4. Create a policy named "Default Domain Policy" or you can rename it if you want. AD Tools queries default domain policies by their GUIDs located in SYSVOL folder and not by name.

5. Click this GPO > Property > note down the GUID of this GPO created.

6. Go to SYSVOL folder and change the GUID to default domain policy or default domain controller policy.

7. Next you need to use a small script using ADSI to set this unique GUID into GPC of this policy in AD database. You can also edit Schema manually to do so.
Here are some articles that you can use to troubleshoot Group Policy:

You can also use ADSI Edit to create the GUID in GPC:

Troubleshooting Group Policy issues in Windows
http://www.microsoft.com/technet/community/columns/profwin/pw0502.mspx
How to reset security settings in GPO
http://support.microsoft.com/?kbid=226243
Scripting GPO
http://www.windowsitpro.com/Article/ArticleID/40231/40231.html?Ad=1

Using Dcgpofix.exe:

You can also use Dcgpofix.exe to restore Default GPO.

Have a look here for Dcgpofix.exe:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/48872034-1907-4149-b6aa-9788d38209d2.mspx

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state

http://support.microsoft.com/?KBID=833783

Problem with Customized MSI Files.

Nirmal Sharma — Tue, 24 Oct 2006 18:49:00 GMT

Title of Article

Problem with manually configured MSI files.

Description

The article explains the problem with customized MSI files deploying through Group Policy - Software Installation snap-in.

Symptom

In a situation you may need to create a customized MSI for your configuration or application or vendor of an application may supply a Customized MSI to deploy application updates. MSI will work correctly when you install and double click on the local machine. You may get the error when you deploy MSI using Group Policy - Software Installation snap-in. When you open the MSI log you will get the following errors:

MSI (s) (70:78) [08:38:54:515]: Executing op: ActionStart(Name=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,,)
MSI (s) (70:78) [08:38:54:515]: Executing op: CustomActionSchedule(Action=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,ActionType=1025,

Source=BinaryData,Target=ManagedInstall,CustomActionData=/installtype=

notransaction /action=install /LogFile= /targetdir="C:\Program Files\xxxxx\Browser\\" /sourcedir="\" "C:\Program Files\xxxxx\Browser\rowser.exe" "C:\WINNT\TEMP\CFG2.tmp")
MSI (s) (70:F0) [08:38:54:562]: Invoking remote custom action. DLL: C:\WINNT\Installer\MSI6.tmp,

Entrypoint: ManagedInstall
MSI (s) (70!F4) [08:39:00:406]: Note: 1: 2262 2: Error 3: -2147287038
MSI (s) (70!F4) [08:39:00:406]: Note: 1: 2262 2: Error 3: -2147287038
MSI (s) (70!F4) [08:39:00:437]:
MSI (s) (70:F0) [08:39:00:453]: Leaked MSIHANDLE (12) of type 790531 for thread 1268
MSI (s) (70:F0) [08:39:00:453]: Note: 1: 2769 2: _341744F6_503A_48FB_AB56_E563AB3D8D89.install 3: 1
MSI (s) (70:F0) [08:39:00:453]: Note: 1: 2262 2: Error 3: -2147287038
Error 1001. Exception occurred while initializing the installation:
System.IO.FileNotFoundException: File or assembly name Browser.exe, or one of its dependencies, was not found..
DEBUG: Error 2769: Custom Action _341744F6_503A_48FB_AB56_E563AB3D8D89.install did not close 1 MSIHANDLEs.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: _341744F6_503A_48FB_AB56_E563AB3D8D89.install, 1,
MSI (s) (70:78) [08:39:00:468]: User policy value 'DisableRollback' is 0
MSI (s) (70:78) [08:39:00:468]: Machine policy value 'DisableRollback' is 0
Action ended 08:39:00: InstallFinalize. Return value 3.
MSI (s) (70:78) [08:39:00:468]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=881018074,LangId=1033,Platform=0,ScriptType=2

,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (70:78) [08:39:00:468]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (70:78) [08:39:00:468]: Executing op: DialogInfo(Type=1,Argument=xxxxx Browser)
MSI (s) (70:78) [08:39:00:468]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
MSI (s) (70:78) [08:39:00:468]: Executing op: ActionStart(Name=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,,)
MSI (s) (70:78) [08:39:00:484]: Executing op: ProductInfo(ProductKey={B9F52B16-7040-4DA8-9D05-D6C366B468F2},ProductName= xxxxx Browser,PackageName=Browser.msi,Language=1033,Version=16842759,Assignment=1,

ObsoleteArg=0,ProductIcon=_bb32ea6.exe,,PackageCode={737A9C67-474C-4C8F-BC8E-5FE44A26BACA},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0)
MSI (s) (70:78) [08:39:00:484]: Executing op: ActionStart(Name=CreateShortcuts,Description=Creating shortcuts,Template=Shortcut: [1])
MSI (s) (70:78) [08:39:00:484]: Executing op: SetTargetFolder(Folder=23\xxxxx\)
MSI (s) (70:78) [08:39:00:484]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (70:78) [08:39:00:484]: Executing op: SetTargetFolder(Folder=25)
MSI (s) (70:78) [08:39:00:484]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (70:78) [08:39:00:484]: Executing op: SetTargetFolder(Folder=23\xxxxx\)

And the following Event ID will be logged:

Event Type:     Error
Event Source:     MsiInstaller
Event Category:     None
Event ID:     11001
Date:          03/04/2006
Time:          08:39:00
User:          NT AUTHORITY\SYSTEM
Computer:     WD-UKSPARE6
Description:
The description for Event ID ( 11001 ) in Source ( MsiInstaller ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: Product: xxxxx Browser -- Error 1001. Exception occurred while initializing the installation:
System.IO.FileNotFoundException: File or assembly name Browser.exe, or one of its dependencies, was not found.., (NULL), (NULL), (NULL).
Data:
0000: 7b 42 39 46 35 32 42 31 {B9F52B1
0008: 36 2d 37 30 34 30 2d 34 6-7040-4
0010: 44 41 38 2d 39 44 30 35 DA8-9D05
0018: 2d 44 36 43 33 36 36 42 -D6C366B
0020: 34 36 38 46 32 7d 468F2}

Cause

This happens for the following reasons:

1. This happens because of the NULL returned by Winlogon service at the time of processing GPO and applications (MSI). NULL is returned only when the value is not returned to variable assigned in programming or while customizing MSI file. This variable could also be an UNC path pointing to the current machine where this MSI is being processed. MSI terminology uses UNC and %computername% variable to find machine name where it is currently being processed.

2. This also happens when variables used in customized MSI will point to a local directory in the computer where this MSI is being processed. For example: in above error browser.exe couldn’t be located by MSI Installer Service because it points to a local path.

Resolution

Make sure MSI is configured with proper variable and settings in it and while receiving Customized MSI from vendor make sure that it can be deployed using Group Policy – Software Installation snap-in.

More Information

Please visit

Group Policy:

http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx