Group Policy Management Overview

We use Group Policy to tweak the default settings on Microsoft Servers and PCs. You edit the policies using the Group Policy Editor console (gpedit.msc) but to manage the policies you use the Group Policy Management Console (gpmc.msc). The more policies you start to create, the more confusing managing them can become and with each new version of Microsoft software (Office included) new Group Policy templates are added. This article is to give you an insight into exactly what the Group Policy Management Console (GPMC) is about and how everything links together.

It’s always best to edit policies from the latest OS. This is one of the reasons to always have a VM somewhere with the latest OS purely for Group Policy. Alternatively, if you are using the latest OS then you can install the GPMC from the Remote Server Administration Tools (RSAT) and then edit the policies from there. If you don’t, it’s not a big issue but some policies won’t be available. All of the templates can be stored in a central location in Active Directory so they can be accessed by all domain machines. There is some debate whether it is best to have the policies held locally rather than in the central store but I think it works well. By default this is \\DCName\sysvol\domain.name\Policies\PolicyDefinitions. If you ever download a new template you will need to put it in there. For more details on activating the central store se the following Microsoft Support article

Inheritance & Precedence

Group Policies Objects (GPOs) are created in the Group Policy Objects folder in GPMC. Policies are then linked to Active Directory Organizational Units (OUs). You can link as many Policies as you like to an OU and you can also link the same policy to as many OUs as you like. You can also block inheritance by right-clicking an OU and disabling it. The precedence of any GPOs, i.e. what GPO policy wins out of any competing policies, can be changed in the Linked GPO tab of an OU. Normally the deepest policy wins. Continue reading →

How To – Allow non-admins to start and stop system services

Jump down to Step 1 to skip the blurb

Any Microsoft Windows operating system has services. These are little programs that run in the background of the OS to keep things ticking over. They’re really fundamental to servers as it means that programs can run in the background without any user being logged. In fact Windows servers are fine-tuned to give better performance to background services rather than any app running on the screen.

It’s always the best principle to log on with the least amount of privileges on any PC, i.e. you shouldn’t log on to a desktop or server with full admin rights. You should log on as a normal user and only elevate the  programmes authority to admin level if absolutely necessary.

Some System Administrators may want an easy life and just let everything “run as admin” as it cuts back on a lot of problems, especially when using old software. Obviously this greatly widens the security attack vector, as any user who can gain access to the machine can do anything they want on it.

However, one of the issues of running as a standard user is that you are not allowed to stop or start Windows services. That is by design, you wouldn’t really want a non-admin to stop a critical service. The problem is when you have a Service Account running (as good practice dictates) as a lowly user. To get around this you can give the Service Account permission to do whatever you want to a particular service you want. Unfortunately, this is a bit more convoluted than setting file permissions. This article will explain how to achieve this. It applies to all versions of Windows from Windows 2000 or newer. My screenshots are from the Windows 8 Developer Preview. Continue reading →

Configuring Firefox proxy settings for all users

I recently had an issue with the latest version of Firefox (v3.6.15). Normally, when we install Firefox on our network, we have to change the proxy settings from the default “No Proxy” to “Auto-detect proxy settings for this network”. This doesn’t normally cause much of an issue as we only use Firefox on a few select machines and can be changed by the individual user. However, it seems the default install behaviour has slightly changed to add a new option that seems to muddy the water. There is now a “Use system proxy settings” option (similar to Google’s Chrome) that seems to be selected by default for new users. Although this may seem to make sense, on our network this causes terribly slow page load times, e.g. 10 minutes to load google.co.uk. Luckily I found a way to set the “Auto-detect” option for all users.

WARNING: This seems to have changed again since Firefox 4 was released. If anyone knows how to change it please add a comment.

Continue reading →

Using Saved Queries to filter Active Directory Users and Computers

Just a quick article here for a late Friday afternoon article.

If you managed Microsoft Windows Active Directory based domains you should be very familiar with the management console Active Directory Users and Computers (ADUC). When you have a sprawling OU design it can be difficult to find the user, computer or group that needs your attention. I set up a few saved queries to give me an easy to read list view of certain object types. If you can’t figure out how to create a new saved query then you may be in the wrong job but the is a comprehensive guide over at the Petri IT Knowledgebase. The 3 I use most often are set up as follows

• All Devices
  • A simple query where just the computer object must have a value to display
• All Users
  • Same as above, just make sure you are focussing on Users not Computers
• Locked accounts
  • My most useful time saver. This one is only slightly more tricky as you need to enter a custom search string. Credit goes to an article on WinodwsNetworking.com for this one. By using the string below, when somebody calls to say they have been locked out, I can quickly bring up this saved query and unlock them in a matter of seconds
  • (&(&(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))))

You can really go to town on these queries and there is a great list already created for you, back over on the Petri IT Knowledgebase

How to add a Path to the System Variables in Windows 2008 R2

One of our tech bods was asking how to find the System Variables in Server 2008 R2. They had previously been using Server 2003 and, although the location hasn’t really changed, it can be a bit tricky to find it. So to help others here is an elaborate diagram

i.e. Control Panel>System Properties>Advanced System Settings link>Advanced tab>Environment Variables button>Scroll down the System Variables section to find Path

I’m glad to say, R2 also lets you simply type in “Path” to the Start Menu to bring up the same end target. Now that’s progress!