Internet Explorer 10 was released for Windows 7 and Windows Server 2008 R2 machines back in February 2013. Nine months later and we are going through it again with Internet Explorer 11. For SysAdmins and IT Pros managing software updates, these new versions led to quite a significant change in how we use Group Policy to manage them.
I only recently discovered that when Windows 8 (and along with it IE10) was released they finally got rid of the “Internet Explorer Maintenance” Section of the Group Policy Editor. This section always struck me as an odd place to configure IE settings and I’m still not sure why they couldn’t just use the normal Administrative Template section.
Internet Explorer Maintenance in Server 2003 Group Policy Editor
Just a quick post because I wanted to give a worthy bit of software a shout-out.
Double Driver from http://www.boozet.org/dd.htm
This little free program lets you back up all of the drivers on your PC for safe keeping. This is really handy if you want to save them all before a major update or re-installation. I also use it a lot on PCs with older operating systems (like Windows XP) because sometimes they are a real pain to try and find from the official OEM website (HP, I’m looking at you). It’s the kind of utility you wished Microsoft had just built directly into the Windows Device Manager.
We use Group Policy to tweak the default settings on Microsoft Servers and PCs. You edit the policies using the Group Policy Editor console (gpedit.msc) but to manage the policies you use the Group Policy Management Console (gpmc.msc). The more policies you start to create, the more confusing managing them can become and with each new version of Microsoft software (Office included) new Group Policy templates are added. This article is to give you an insight into exactly what the Group Policy Management Console (GPMC) is about and how everything links together.
It’s always best to edit policies from the latest OS. This is one of the reasons to always have a VM somewhere with the latest OS purely for Group Policy. Alternatively, if you are using the latest OS then you can install the GPMC from the Remote Server Administration Tools (RSAT) and then edit the policies from there. If you don’t, it’s not a big issue but some policies won’t be available. All of the templates can be stored in a central location in Active Directory so they can be accessed by all domain machines. There is some debate whether it is best to have the policies held locally rather than in the central store but I think it works well. By default this is \\DCName\sysvol\domain.name\Policies\PolicyDefinitions. If you ever download a new template you will need to put it in there. For more details on activating the central store see the following Microsoft Support article.
Inheritance & Precedence
Group Policy Objects (GPOs) are created in the Group Policy Objects folder in GPMC. Policies are then linked to Active Directory Organizational Units (OUs). You can link as many policies as you like to an OU and you can also link the same policy to as many OUs as you like. You can also block inheritance by right-clicking an OU and disabling it. The precedence of any GPOs, i.e. which GPO wins out of any competing policies, can be changed in the Linked GPO tab of an OU. Normally the deepest policy wins.
Jump down to Step 1 to skip the blurb
Any Microsoft Windows operating system has services. These are little programs that run in the background of the OS to keep things ticking over. They’re really fundamental to servers as it means that programs can run in the background without any user being logged on. In fact Windows servers are fine-tuned to give better performance to background services rather than any app running on the screen.
It’s always the best principle to log on with the least amount of privileges on any PC, i.e. you shouldn’t log on to a desktop or server with full admin rights. You should log on as a normal user and only elevate the program’s authority to admin level if absolutely necessary.
Some System Administrators may want an easy life and just let everything “run as admin” as it cuts back on a lot of problems, especially when using old software. Obviously this greatly widens the attack surface, as any user who can gain access to the machine can do anything they want on it.
However, one of the issues of running as a standard user is that you are not allowed to stop or start Windows services. That is by design: you wouldn’t really want a non-admin to stop a critical service. The problem is when you have a Service Account running (as good practice dictates) as a lowly user. To get around this you can give the Service Account permission to do whatever you want to a particular service. Unfortunately, this is a bit more convoluted than setting file permissions. This article will explain how to achieve this. It applies to all versions of Windows from Windows 2000 or newer. My screenshots are from the Windows 8 Developer Preview.
I recently had an issue with the latest version of Firefox (v3.6.15). Normally, when we install Firefox on our network, we have to change the proxy settings from the default “No Proxy” to “Auto-detect proxy settings for this network”. This doesn’t normally cause much of an issue as we only use Firefox on a few select machines and can be changed by the individual user. However, it seems the default install behaviour has slightly changed to add a new option that seems to muddy the water. There is now a “Use system proxy settings” option (similar to Google’s Chrome) that seems to be selected by default for new users. Although this may seem to make sense, on our network this causes terribly slow page load times, e.g. 10 minutes to load google.co.uk. Luckily I found a way to set the “Auto-detect” option for all users.
WARNING: This seems to have changed again since Firefox 4 was released. If anyone knows how to change it please add a comment.
Just a quick article here for a late Friday afternoon.
If you manage Microsoft Windows Active Directory based domains you should be very familiar with the management console Active Directory Users and Computers (ADUC). When you have a sprawling OU design it can be difficult to find the user, computer or group that needs your attention. I set up a few saved queries to give me an easy to read list view of certain object types. If you can’t figure out how to create a new saved query then you may be in the wrong job but there is a comprehensive guide over at the Petri IT Knowledgebase. The 3 I use most often are set up as follows:
- All Devices
- A simple query where just the computer object must have a value to display
- All Users
- Same as above, just make sure you are focussing on Users not Computers
- Locked accounts
- My most useful time saver. This one is only slightly more tricky as you need to enter a custom search string. Credit goes to an article on WindowsNetworking.com for this one. By using the string below, when somebody calls to say they have been locked out, I can quickly bring up this saved query and unlock them in a matter of seconds.
You can really go to town on these queries and there is a great list already created for you, back over on the Petri IT Knowledgebase
One of our tech bods was asking how to find the System Variables in Server 2008 R2. They had previously been using Server 2003 and, although the location hasn’t really changed, it can be a bit tricky to find it. So to help others here is an elaborate diagram
i.e. Control Panel>System Properties>Advanced System Settings link>Advanced tab>Environment Variables button>Scroll down the System Variables section to find Path
I’m glad to say, R2 also lets you simply type in “Path” to the Start Menu to bring up the same end target. Now that’s progress!
Microsoft UK have asked me to represent helpdesk technicians around the world
The aim is to drive deeper connection with IT professionals through independent customers representing certain Job Roles and being the voice of the customer to and from Microsoft. This will build on the success we have had with the Audience Marketing Managers (AMMs) and the IT Evangelists (ITEs) being the public face of Microsoft to all IT Professionals in the UK.
This means I will hopefully be doing much more blogging regarding my job role, at least 2 blogs a week, trying to give an insight into the successes and struggles I face.
You can find out more about the Microsoft UK IT Professional Team (including the Community Council) at this page on Microsoft’s website.
They are always looking for new members so if you are interested then drop me a line on my contact page