GPA - GP Answers - Group Policy

Team:

I'm racing toward getting out the door for my 30+ day trip to tour Australia and speak at Microsoft TechEd Australia and New Zealand.

But, I had a quick second to share a fun little PowerShell + GP tip... If you've NEVER used PowerShell before.. try this one. It's fun and easy.

If you want to install the GPMC on a Windows Server 2008 R2 machine via command line, you can use PowerShell. The commands are as follows:

-Import-Module Servermanager
-Add-WindowsFeature GPMC

Then, if you then run the following command you will see the status as installed

- Get-WindowsFeature GPMC

Again, leave OFF the periods. Try it.. something "special" that's unexpected and neat happens. It's super-fun !

Also.. I came across this super-nice write up of my latest book. I can't even figure out the person's name to thank him for such a nice review..  but, Thank You Mr. or Ms. Whomever you are.

Here's the review:
http://www.anotherwindowsblog.com/2010/08/book-highlight-group-policy.html

Now, get your signed copies at:
www.GPanswers.com/book

Limited number, since I'm running out the door, and won't have any to sign for a month !

Talk soon.. Gotta run !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

Last week was a big week over here at the Group Policy HQ.

Here's four fun and informative things that I think you'll want to know.

Item 1: Quick, Informative Interview
Matt Hester, Tech Evangelist from Microsoft sits down with me and asks "What's new and cool in modern GP?" When my wife saw this video, she dubbed it "Schmoozin' with the Mosk." Anyway, it's fun and it's here: 
https://moskowitzinc.infusionsoft.com/link/33465afc20/b8a1a0

2. My TechEd 2010 speech Replay -- Application Smackdown with Applocker This was the #5 top-most rated session within all of the 900+ sessions at TechEd 2010. You get to check it out, for free! Learn how to smack down your apps.. Now! Here's the link:
https://moskowitzinc.infusionsoft.com/link/33465afc20/bbaee0

Of course, when you're ready for hands-on AppLocker training, I've got it in my GP Workshop, of course! (www.GPanswers.com/training) -- in my GP 2.0 Catchup Class.. and more information in the newest book (www.GPanswers.com/book) in Chapter 8 -- Implementing Security with Group Policy !

3. An article I wrote that found it's way into Network world This was tweeted about 80 billion times last week... "Seven tips for using group policy in Windows 7"
https://moskowitzinc.infusionsoft.com/link/33465afc20/bebc20

Sometimes I get asked if there is anything that we can do to be "safer" around Group Policy usage.

The answer is a resounding "Yes." Here are some quick tips for you to put into practice NOW, if you're not already on the right track:

Tip 1: Create, link, then disable a GPO

Sounds counter-intuitive, but this tip can be a quick fix to a big problem. I don't usually like "big fat GPOs with lots of stuff in them." That's not my preferred method of GPO creation. But there are clearcut times when you NEED multiple policy settings or multiple preference settings WITHIN a GPO .. and that's a-ok.

The problem is, you won't be able to "implement all the settings at once." So, in essence you'll have "half-created" GPOs replicating around with your clients getting those partially completed GPOs.

The tip is: Disable the GPO, add what you need to add, then ENABLE it. (You can choose your method: on the LINK, or on the GPO itself.)

So, if you're working on setting up a GPO which dictates Firewall Rules, you want to ensure that they get ALL the firewall rules one time, instead of possibly downloading the GPO (incomplete) then re-downloading it later.

Tip 2: Think, then name.

Here's the scoop:

• Chance  #1: At TechEd 2010 with NetIQ
  
  • If you're coming to TechEd, my friends at NetIQ are giving away (yes.. 100%, totally GIVING AWAY) several hundred copies of my updated Group Policy book. Holy cow !
  • I will be on hand to PERSONALLY SIGN ALL OF THEM, say Hi to you, and catch up !
  • Here's the date and time Tuesday, June 8 between 1:00 – 3:00pm at booth 601.
• Chance #2: The "Beat up" book contest
  • Do you really USE my book? I mean.. seriously.. USE IT?
  • If so, then send me a maximum of THREE PICTURES of your "beat up" book.
  • The three most "beat up" books will get free replacements from me as a way to say "Thanks for the abuse !"

Please don't abuse the books needlessly. That's just weird, and I'll be able to tell. Send the pictures (ZIPPED) please to jeremym (at ) moskowitz-inc.com to be elligable.

If you don't yet own a copy, and cannot make it to TechEd.. check out www.Gpanswers.com/book for your own (signed) copy.

Meanwhile.. I hope to see you at TechEd 2010. I've got two big things I'm doing:

• All Day Group Policy 2008 / Win7 Precon - Sunday 10.00 AM Start time. I think there is a seperate enterance fee for this; but not sure.
• WCL303 - AppLocker: Your Solution for True Application Smackdown Thursday - 8.00 AM - 9 .15 Rm 393

And, of course, the NetIQ book signing / giveaway on Tuesday, June 8th at 1 - 3.00 at booth 601.

That's it. Hope we connect ! See you there and thanks, Team !

Team:

Thanks to those folks who wrote in and thanked me for waving the banner around this issue.

Also, thanks to those folks who asked some clarifying questions. Okay, here are my summarized thoughts (basically, answers to your questions):

1. Sure, it would be great if copy machines could JOIN the Windows domain. Then, heck yeah, you could possibly use some GP trickery to make them more secure. BUT, that wasn't what I was implying. :-)

2. I supplied some GP-based security tips yesterday. One that encrypted the page file, and another one which totally removed it at shutdown. I also said that the best (bestest?) way to get protected is via full disk encryption. So, I totally stand by that.. Full disk encryption is arguably, the best (fastest / intermediate) way to get "pretty darn secure." I would however, also suggest that I would only perform the "remove page file at shutdown" for machines where there is no other possible solution for security.

Heck, let's break this "are we secure?" problem down .. way way down, just for fun here.