
Aug 2004
11

In this issue:

  • It's Issue 4...All about Service Pack 2 for XP
  • Moskowitz, inc. Technology Takeaway (r) Part I:
  • Recap and Corrections from Newsletter #3
    • Recap + Update #1: XP/SP2 gives you more -- much more
    • Recap + Update #2: How to use these 700 new settings that affect XP/SP2 ?
    • Recap + Update #3: Loading XP/SP2 will prevent admins from performing RSOPs
  • Upcoming conferences and appearances
  • Moskowitz, inc. Technology Takeaway (r) Part II:
    • What happens if I load XP/SP2 and it bluescreens ?
    • Weeding through the bajillion firewall settings in XP/SP2
    • Da Big one: ADM Template Trouble!
  • Get a signed copy of Group Policy, Profiles and IntelliMirror
  • Subscribe and unsubscribe information
     

Moskowitz, inc. www.GPanswers.com -- Issue 4

It's issue four of the Moskowitz, inc. newsletter. Windows XP's Service Pack 2 is out, and it affects you.

Unless you were living under a rock, you already knew XP/SP2 would have some impact on your systems. If you believe the hype, XP/SP2 will change everything from the climate to my bowling average. Trust me, it's not that bad -- you just need some reliable information to help you get through the change.

Microsoft has some great data on XP/SP2, and the first place you should travel to is what I call "XP/SP2 Central" on Microsoft.com here.

Unfortunately, while I'm sure it's in there somewhere, this site doesn't specifically highlight how Group Policy might be affected by the installation of XP/SP2. So, that, my friends, is what this newsletter is all about. (And, as late-breaking information comes out, you might expect another newsletter not too far out!) Once again, I suggest you save a copy of this newsletter (print, inbox, etc) because when Service Pack 2 for XP comes to your organization, you'll want to recall some of the juicy goodies we'll be exploring in this issue.

You can forward this newsletter to your friends, but please do so in one whole piece (please don't just cut and paste).


Technology Takeaway (r), a service of Moskowitz, inc. (Part I)

Before we dive into the new stuff for this newsletter, let's take a quick stroll down memory lane to Newsletter 3, which also had some Group Policy goodies for XP/Service Pack 2.
 

Recap + Update #1: XP/SP2 gives you more -- much more

In the previous newsletter, I said that XP/SP2 brings about 90 new Group Policy settings to the table. Well, I seemed to not have had my coffee that day, as I failed to mention the additional 619 policy settings which affect Internet Explorer when running on XP/SP2.

Again, I have a link to Microsoft's latest spreadsheet which helps bring out the differences here. That page has recently been updated to link to Microsoft's FINAL (not Release Candidate) version of the spreadsheet.
 

Recap + Update #2: How to use these 700 new settings that affect XP/SP2 ?

A common question is: "How do I get these XP/SP2 policy settings to show up when I create a new Group Policy Object?"

A Microsoft article on how to do that is MSKB 816662, entitled: "Recommendations for managing Group Policy administrative template (.adm) files." (In the last newsletter, I had the wrong KB article. Again, not enough coffee.) Or, an explanation in plain English with some extra advice for a holistic approach to ADM template management can be found in Chapter 5 of my new Group Policy book.
 

Recap + Update #3: Loading XP/SP2 will prevent admins from performing RSOPs

As we stated in Newsletter 3, once you load XP/SP2, all INCOMING client communication to your clients will be prohibited. If you have viruses and other little nasties running around your network -- this is a good thing. However, you'll likely want to get back the functionality that's lost by this change.

So, what do you do? You have three options:

Option 1: Turn off the Windows Firewall in XP/SP2

Result: Would let the nasties back in if they're running around your network. Maybe not the best option for all organizations... The default setting for Windows Firewall is "Enabled" for a good reason!

Option 2: Leave the Windows Firewall on, but make sure I can still perform RSoP and otherwise manage my client computers. Perform this magic using policy settings only found in the Service Pack 2 ADM files.
or
Option 3: Manually run around and enable port 445 (to get RSoP back) on specific client machines. This option is tedious and not recommended.

The net result: Opening up port 445 is essential for administrative tools to work between Active Directory and the XP machine from where you do your administration.

Again, please check out Newsletter #3 for a full account for how to turn these settings on (which turns off certain Windows Firewall settings.)
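Option 3 for a single XP/SP2 client, written as an added example (it is not from this newsletter or from Microsoft). The subnet and the exception name are constructed placeholders. The exception is limited to the domain profile and to the management-station subnet instead of opening port 445 to every sender:

```bat
@echo off
rem Added example, not part of the original newsletter.
rem Opens TCP 445 on one XP/SP2 client so RSoP works from a management station.
rem ASSUMPTION: 192.168.10.0/24 is a placeholder for the subnet your
rem management stations sit on. Replace it with your own.
setlocal
set MGMT_SUBNET=192.168.10.0/24
set RULE_NAME=RSoP-SMB-from-mgmt

rem Add the exception:
rem   profile=DOMAIN  -> only while the client is on the corporate network
rem   scope=CUSTOM    -> only the listed addresses may connect
netsh firewall add portopening protocol=TCP port=445 name="%RULE_NAME%" mode=ENABLE scope=CUSTOM addresses=%MGMT_SUBNET% profile=DOMAIN

rem Verify that the exception is now in the list before trusting it.
netsh firewall show portopening | find "%RULE_NAME%" >nul
if errorlevel 1 (
    echo Port opening "%RULE_NAME%" was not created. Is XP/SP2 installed?
    exit /b 1
)

rem Print the exception list and firewall state for a visual check of the scope.
netsh firewall show portopening
netsh firewall show state
endlocal
```

Run it from a command prompt as a local administrator on the client. For more than a handful of machines, the policy-based Option 2 remains the better route.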

All our newsletter stuff is found here. Additionally, please check out this article which highlights the precise problem in Microsoft's words.
 

Upcoming Conferences, Appearances and Classes
It's free! GROUP POLICY POWER HOUR Webinar

Seminar #2 in the "The Group Policy Power Hour!"

It's 1/2 hour of talk and demos, and 1/2 hour of Q&A!

Here's the intro:

It's true: Group Policy is now self-documenting. You just need to know where to go to get the information. And securing users' access to which Group Policy functions they can perform is important. If you needed to grant someone specific access to modify a GPO, could you do that?

Come to this session to learn some "insider goodies" about the Group Policy Management Console (GPMC). Then, ask as many questions as you want in the second half of the POWER HOUR!
http://tinyurl.com/47xxt
 

Not free... but worth it!

I'd love to see you in one of the two-day Group Policy intensive training and workshop classes.

These two-day classes get you up to speed, working with Group Policy, Security settings, ADM templates and just about all you need to know to hit the ground running -- Fast!

Again, while the training course isn't officially _endorsed_ by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy team at Microsoft.

At both MMS 2004 and TechEd 2004 Mark Williams from the Group Policy team encouraged the throngs of attendees to check out the new Group Policy book and the training! In fact, he dedicated a whole slide to the book, the training, and GPanswers.com for each of his sessions! Wow! Thanks, again Microsoft!

If you want to see the full course outline, and sign up for an upcoming public class, be sure to check out: 
www.gpanswers.com/live-class

Or... If you think you might want your own in-house training of the course (with all the personalized attention that affords), I'd love to join you on-site! If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!) I'll even travel overseas to the U.K., other parts of Europe, or Japan -- or wherever! Have passport, will travel!

Just contact me at [email protected] or call me at 302-793-3957.
 

Technology Takeaway (r), a service of Moskowitz, inc. (Part II)

Here's some fresh, new material about XP/SP2!

What happens if I load XP/SP2 and it bluescreens?

As the Hitchhiker's Guide to the Galaxy says, "DON'T PANIC." Here are the steps to roll back XP/SP2 to a (hopefully) previously working condition:

  1. Boot to recovery console. You can do this by booting off any bootable Windows XP CD if you haven't previously loaded it.
  2. Using the recovery console, locate the %windir%\$NTServicePackUninstall$\spuninst folder
  3. Rename "spuninst.txt" to "spuninst.bat"
  4. Then, execute the batch file with "Batch spuninst.bat"

This should remove XP/SP2 AND if you have it, XP/SP1, so be careful! This will return you to Windows XP -- NO SERVICE PACK!

This could be especially troublesome on unprotected networks if you still have little nasties running around within the network!

Why does a bluescreen happen? Matrox Millennium drivers seem to be a major cause. Load the latest drivers from the Matrox web site, then re-apply the XP/SP2 installation.
 

Once XP/SP2 is installed, there are a bajillion firewall settings. How can I figure out what they all do?

Microsoft has a great document just for the "Star Feature" of XP/SP2, the Windows Firewall. Learn how to make it sing and dance the way YOU want.

The document is called: Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2, and you can find it here.
 

Da Big one: ADM Template Trouble!

Those of you who hear me speak know I talk about a concept called a "Management Station." Your Management Station is where you DO your Group Policy work from.

You could create a new GPO by walking up to a Windows 2000 DC, then modify that same GPO by walking up to your Windows XP PC and editing it there. In this scenario, you've used two "Management Stations" -- both the Windows 2000 DC and the Windows XP PC.

The problem we need to take a moment to discuss is what happens when you use templates from Windows XP/SP2 and use them on any management station OTHER THAN XP/SP2.

And you'll get it about 50 (yes, 50) times (with various error messages.)

Here's the link from Microsoft which describes the problem: http://support.microsoft.com/?kbid=842933

But what is this technote really saying?

It's saying that you'll need to apply a patch on any management station you modify Group Policy from. Does this mean you have to patch EVERY server and EVERY workstation? NO! You only need to patch the locations from WHERE YOU CREATE AND EDIT GPOs.

So, where do you find the patches?

If you use Windows 2000 as your management station, you can use this patch, here.

Patches for XP/SP1 and WS03-RTM are forthcoming. I'll have an announcement on the BBS when Microsoft releases them.

Follow up on this important bug in the Moskowitz, inc. Group Policy forums. Specifically, I've started a thread here in the forums just for this specific bug. So, sign up for the forums, and stay tuned!
 

Get a signed copy of Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000

We've had dozens of people order books directly from GPanswers.com. If you'd like a copy, it's easy to order, and I'll sign the book to you, free!

Please note that I'm not set up to accept credit cards directly; however, you can enjoy the security of ordering through your PayPal account (and they take credit cards, including AMEX just fine.) Thanks for understanding!

Order your signed copy today by clicking here.

Oh, and if you own the book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here.
 

Technology Takeaway (r), a service of Moskowitz, inc. (Supersecret, hidden, Easter-egg Part III)

We're just giving it away!
 -- More Technical Takeaway Tips
(My way of saying thanks for making it all the way to the end of the newsletter!)
 

Bonus Tip #1

Special GOLD STAR to Andy King who has a super solution for whacking MyDoom nasties with GPOs. Just check out our ongoing support forum. Specifically, Andy posted his solution here.
Thanks Andy!
 

Bonus Tip #2 (Keeping with our XP/SP2 theme)

Check this out on Microsoft's web site for a detailed how-to on installing XP/SP2 using SMS.
 

Bonus Tip #3

Microsoft had a nice online Q&A chat with the guys who head up the Group Policy division within Microsoft. If you missed the chat, you can catch the transcript. Some goodies in there, for sure!

They even mentioned us -- GPanswers.com! Hey, thanks!
 

Subscribe and Unsubscribe Information

  • subscribe to this newsletter
  • unsubscribe from this newsletter

How did you get this newsletter? It's very likely you got it because you handed me (Jeremy Moskowitz) a business card at an event of some kind. And, consequently, I signed you up for my newsletter.

Or, if you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: www.gpanswers.com/newsletter

If you need personalized attention in any way, just email me: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!

Jeremy Moskowitz
Author, Instructor, Infrastructure Architect
Moskowitz, inc.
[email protected]
Learn more about Group Policy at GPanswers.com !
