MDM & GP Tips Blog

Oct 2013

"Totally exposed" at the doctor's office.


I hurt myself, so I went to the doctor’s office.

And, it was one of these places which sees celebrity clients. Specifically, local sports stars in the Philadelphia area.

You know the routine: Take your shirt off, freeze half to death, then wait twenty minutes for the doctor to finally come in and tell you to take two Advil.

Gee, thanks.

But just before he came in, I took a picture of this computer.

(The red stuff is obviously mine. And I blurred out a lot, as I’ll describe below.)

Let’s take a look at what a huge, mega error it was to leave me alone with this computer:

  • Item 1: That’s me highlighted in the blue bar in section 1. Then ALSO the FULL NAMES, BIRTHDATES and PATIENT IDs of 10 more clients. Full. Freekin’. Names. Hello HIPAA COMPLIANCE !? Also pointed to in item 1 is MY healthcare plan, so the doctor can determine if he should spring for various tests. The crappier the plan I guess, the less they try to perform tests.
  • Item 2: It’s XP. Great. So my medical records are protected by an operating system which will get no patching at all starting in April 2014. Grrrrrrreeeat !
  • Item 3: Thanks for the attack vector and giving me the computer name. When I call the nurse’s station pretending to work for IT, it’ll make me look more credible that I have this information in hand. (No no.. I wouldn’t do that.. right?)
  • Item #4: This is a custom application. And, you can see the menu system: there’s a zillion settings for the Nurse, Doctor, or others.. (like me if I was being naughty) to misconfigure in this application. If they were using PolicyPak to deliver application settings, they could be guaranteed that those settings would be set and maintained. (What am I talking about? Attend my next webinar on application settings management at .
  • Finally.. The main item is.. the damn keyboard and mouse are just fully unlocked. I had 20 full minutes to poke around here. I didn’t just snap this picture when the Nurse left the room. I took it 20 minutes AFTER she left.

Did I *ACTUALLY* touch the keyboard and move the mouse around?

Look, I’m not 12 years old anymore, so.. no I didn’t.

But I could.

And if this was, instead, an APPOINTMENT for a 12 year old, you KNOW his or her hands would be on that keyboard.

Are you doing everything you can at YOUR organization to be more secure? Learn how to ENSURE that the RIGHT settings are delivered so naughty people cannot do things they shouldn’t do.

In my training class, I show you exactly how to use the Group Policy infrastructure you already have to do it.

Next class: Las Vegas, Dec 2 – 6.

Sign up at .. And ensure your computers aren’t “totally exposed.”

Jul 2013

Good Group Policy Design. What it should "do" for you and your team.

One of the things I get asked about a lot is Group Policy Object “design.”

Design could mean a lot of things. Group Policy Design to me means:

  • What you name your GPOs.
  • What you put inside your GPOs.
  • What GPOs are linked where.
  • OU design.
  • Use of Blocked Inheritance and Enforced properties.

When I perform my (paid) Group Policy Health Check consulting service… these are the kinds of things I look at overall.

To be honest, and I’m just callin’ it like it is here… I don’t usually see ALL of these elements designed well.

Usually with ONE, and sometimes with ALL, of these elements it’s near impossible to discern what’s going on.

Here’s one big overriding tip I can suggest if you decide you want to think about design (or, more likely a redesign.)

Good: Could someone from the outside look at your design and be able to basically figure out what is going on?

Better: Could someone from the outside look at your design and be able to figure out WHY you did it?

Best: Could someone from the outside look at your design and figure out what you did and why you did it, and NOT need any extra documentation?

To be clear: I’m not saying “don’t document your naming conventions” or “don’t make careful notes about what you’re doing and why.”

I *AM* saying that a good design should “jump off the screen” at you. If you got a new boss TOMORROW and you needed to spend 10 minutes explaining WHAT was done and WHY it was done that way… would it make sense based on what you have, in Active Directory (OUs) and the GPMC (GPOs)… TODAY?

Here’s the best (two) parts about GP design:

  • Your design doesn’t have to look like anyone else’s. It just needs to make sense.
  • If you screwed it up the first time, it’s not heinous to get it repaired. You do need some direction and a trusted guide though.

If “Cleanliness is next to Godliness” is a real thing, then maybe you should think about getting cleaned up.

If you’re feeling dirty all over right now, here’s your two options: take either my Group Policy training class (Live or Online) or have me perform my (paid) Group Policy Health Check consulting service … you and your company can get cleaned up .. fast.

If you’re serious about either one (training or consulting) then give Laura a call at 215-391-0096 for a quote.

You can also reserve a seat in the next live class (Denver Aug 12 -16, 2013) or get the Online University at

We have limited seats left in the Denver class, and I only take ONE Group Policy Health Check client per month. First come, first served.

See you soon.

Jul 2013

To BLOCK or NOT to Block.. That is the Question !

I got this fun email from Mads Lomholt from the Oslo Norway Norwegian Fanclub of (I didn’t know we had a Norwegian fanclub branch of, but I’m super happy to learn it’s alive and doing well!)  Here’s his question (and my answer!)

Mr Moskowitz! Do you take requests?

Is there any situation where blocking inheritance of GPOs (often followed by enforcing GPOs which are higher) is a good and lasting solution?

I am not an expert on this, but so far I have seen only bad things happen when people dive into blocking and enforcing GPOs.

To a certain extent I believe I understand the principles, but why not craft the OU structure to account for this instead of blocking/enforcing?

I’ve read that Microsoft states: “It is recommended that Enforced and Block Inheritance be used sparingly”, Okay. Sure.

Excited to hear the expert judgment of my question!

Mads Lomholt
Norwegian fanclub, Oslo

Jeremy’s answer:

Great question. Let’s clarify some items.
First: You don’t / can’t block inheritance of ONE GPO. People sometimes think that blocking is about a particular GPO. It’s not. It’s about saying “From this point onward, we’re starting fresh and ignoring GPOs before this point.”
So, said another way, when you Block Inheritance upon an OU you’re starting fresh and saying that you don’t want policy settings (from higher than here) affecting your users or computers.
However, what’s also true is that you cannot block any GPOs where their links have the Enforced property. This means any GPO link that is Enforced will always “make it through” any Block Inheritance.
So, when is Blocking Inheritance on an OU good? Well, anytime you want to “break free” from GPOs set higher up. I usually recommend Block Inheritance as a GOOD THING when OU administrators are really totally in charge of their own Group Policy desires.
For instance, in the domain, let’s say Company X has:

  • North Sales OU
  • East Sales OU
  • All of Marketing OU
  • All of Research OU
  • Other OUs…

Let’s assume that the administrators in the company are:

  • Fred: OU admin, manages North Sales OU (and nothing else).
  • Mary: OU admin manages East Sales OU (and nothing else).
  • Gary: Domain admin, manages the domain AND “All of Marketing OU” and “All of Research OU” and some other OUs.

Gary might make some decisions at the domain which would affect Fred and Mary.

If Fred and Mary basically are allowed to “do their own thing” and don’t really answer to Gary, then they should Block Inheritance to create a clean slate for their OUs.
But, if there’s something REALLY important (like a security setting which should affect everyone) then Gary is able to link it to the domain and Enforce it, which will definitely affect everyone.

So, that’s a GOOD reason to use Block Inheritance.

However, going back to your original question: I often see Block Inheritance used way, way too much. And, as such, I see the Enforced property used way, way too much.

I would agree: designing first to try to avoid a lot of blocking and enforcing is ideal whenever possible. But in my case above there are perfectly fine times to use it.
Additionally, it should be noted that if administrators are well versed in Group Policy Preferences, then the Item Level Targeting feature can usually be used to avoid Block Inheritance and the subsequent enforcing.

That’s because you’re specifically targeting WHICH users or computers should get whatever setting you want. (Note that PolicyPak ALSO hooks into the Group Policy Preferences Item Level Targeting, as seen in this demo. So in this way you don’t have to have lots of weird design just to manage applications’ settings via Group Policy.)

So, Mads, I think basically you answered your own question. You saw that having lots of blocking and enforcing cannot be good. But you also saw (I think) that there would be some times where you couldn’t architect around it.

I hope this article helps you and others out.

Thanks !
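
To find out how much blocking and enforcing a domain actually has, the scenario above (Fred and Mary block, Gary enforces) can be checked with a read-only audit. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, and the function name `Get-BlockAndEnforceReport` is hypothetical.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example (not from the original post): report every container that has
# Block Inheritance set or that carries Enforced GPO links.
# Read-only: uses only Get-* cmdlets and changes nothing.

function Get-BlockAndEnforceReport {   # hypothetical name
    [CmdletBinding()]
    param(
        # Assumption: defaults to the logged-on user's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $domainDn = (Get-ADDomain -Server $Domain).DistinguishedName

    # The domain head plus every OU. Sites are left out to keep this short.
    $targets = @($domainDn) + @(
        Get-ADOrganizationalUnit -Server $Domain -Filter * |
            Select-Object -ExpandProperty DistinguishedName
    )

    foreach ($dn in $targets) {
        $som = Get-GPInheritance -Target $dn -Domain $Domain

        # Links made directly on this container that are Enforced and enabled.
        $enforcedHere = @($som.GpoLinks |
            Where-Object { $_.Enforced -and $_.Enabled })

        # InheritedGpoLinks is the full precedence list for the container.
        # Dropping the links made on the container itself leaves what arrives
        # from above. On a blocked OU, that remainder is what "made it
        # through", which should only be links Enforced higher up.
        $fromAbove = @($som.InheritedGpoLinks |
            Where-Object { $_.Target -ne $dn })

        if ($som.GpoInheritanceBlocked -or $enforcedHere.Count -gt 0) {
            [pscustomobject]@{
                Container         = $dn
                BlockInheritance  = $som.GpoInheritanceBlocked
                EnforcedLinksHere = ($enforcedHere.DisplayName -join '; ')
                ArrivingFromAbove = ($fromAbove |
                    ForEach-Object {
                        '{0} (Enforced={1})' -f $_.DisplayName, $_.Enforced
                    }) -join '; '
            }
        }
    }
}

# Usage: one row per container that blocks or enforces.
# Get-BlockAndEnforceReport | Format-List
```

A long report is the "way, way too much" case described above; a blocked OU whose ArrivingFromAbove column still lists GPOs shows the Enforced links reaching it anyway.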

Jun 2013

Deliver IE Favorites using Group Policy Preferences

I created a video this morning, because I got a request from a fellow team member like you — Thomas P from Massachusetts.

He wanted to know the answer to a common question, which I demonstrate in my ONLINE and LIVE Group Policy classes (

Next one: Denver, CO – Aug 12 – 16th !

He wanted to learn how to deliver IE Favorites using Group Policy. Well, Thomas P (and all the Thomas P’s out there who wanted to know) .. Here’s the video (sends you to YouTube):

Next: To see some other amazing stuff you COULD be doing with IE, here’s a second video:

Final thoughts for the day: It’s not too late to sign up for Denver for August. We DON’T have unlimited seats (duh).

And you’ll be able to FINALLY learn the RIGHT WAY to transition from XP to Win7 or 8 without blowing up the network or looking like a dufus (or is it doofus?)

Regardless: You don’t want to look like one.

So, get your act together, get the training you need, and see you in Denver. (For Pete’s sake, or, really, for your own sake.)

(Course outline and pricing and stuff is right there.)

Mar 2013

Exactly why the GPMC Backspace and arrow keys don't work (and how to fix them).


Here’s an email I got in my inbox yesterday *AND* it was asked in my live Chicago class (25 awesome administrators, pumping their brains full of GP goodness.)

When two people ask the same question in the same day .. here’s the question and the answer.

Hey Dr. M. – have a good one for you.
When I try to rename a Policy in GPM, the ‘t’ on my keyboard does not type, the arrow keys do not function, & the Backspace key does not function..
I have no special program running with regards to the keyboard. I run a MS keyboard/mouse hardware.
This ONLY happens when I’m in GPMC… it does not happen when in AD Users & Computers.
Any idea? Have you seen this before?
Just asking.
[Name Redacted Because I forgot to ask permission]

First, thank you for referring to me as my proper name, “Dr. M.”

Next, yes, I do know the answer. I’ve got a Doctorate in Group Policy-ology now for 10 years.

Your pain is caused by a bug in the MMC code. There’s been a hotfix pill you can swallow.

It’s for Server 2008 R2 SP1 and also Windows 7 SP1.

I posted about it when it happened, but, I’m guessing maybe not everyone got the memo.

Take one of these and call me in the morning:

PS: It works like a champ for me and I instantly put it on every Windows Server 2008 R2 SP1 and Windows 7 SP1 machine I build.

I hope it helps you out !

Your GP Doc..

-Jeremy Moskowitz, Enterprise Mobility MVP
Founder PolicyPak Software

Mar 2013

How to use Microsoft's latest Win 8 / Server 2012 ADMX Files

Microsoft has released its “Latest, Greatest” ADMX files which work on all GPMCs (from Windows 7 and later).

They’re downloadable here:

I’ve put together a video to help you check it out and understand it. It’s here: 

PS: PolicyPak also uses the Group Policy Central Store. So, if you’d like to see a video for how we do that, here ’tis:

Feb 2013

9 Group Policy Troubleshooting Strategies You Can Use Right now.

Troubleshooting Group Policy often makes you feel like you’re forced to “go at it alone.” You can feel a little helpless when customers are being nasty toward you, and you’re confused about where to start.

So it’s no surprise that when people come to my live Group Policy Master classes, one BIG THING they want is strategies on how to best troubleshoot Group Policy.

(Next live class: Chicago, Monday March 25 – March 29th) –

Answer: There is no silver bullet toward Group Policy troubleshooting. There is a “holistic approach” to Group Policy troubleshooting, but that takes more hands-on time (which you’d get with me if you come to class). But for now, here are some base-hit things which you can do if you’re stuck and in a rut.

Check for disabled GPOs: If the GPO is disabled or half the GPO is disabled, you need to hunt it down. Maybe someone decided to disable a GPO link and didn’t tell you?

Understand Inheritance: Between local, site, domain, and multiple nested OUs, it can be a challenge to locate the GPO you need to fix.

WMI Filters getting in the way?: Introducing WMI filters can make troubleshooting even harder. Don’t know what WMI filters are? Maybe you have ’em and don’t even know it.

Permissions problems: Ensuring that users and computers are in the correct site, domain, and OU is one battle; however, ensuring that they have the correct permissions to access GPOs is quite another.

Different processing between different OS (XP / 7/ 8 / WS 08 / WS12): Need I say more?  You HAVE to learn the differences here, or you will be bit on the ass when you needed to have this knowledge at your fingertips (but didn’t have it.)

Replication problems: The health of the GPO itself on Domain Controllers is important when hunting down policy settings that aren’t applying.

Infrastructure problems: Group Policy processing requires that all pieces of your infrastructure are healthy, including such seemingly unrelated pieces as DNS, the services running on the client, and the ability to pass network protocols between clients and domain controllers. Good Active Directory design equals good (consistent) Group Policy processing. The first place to look when Active Directory (or replication) behaves strangely is DNS. As my good friend Mark Minasi likes to say, “The second place to look for replication problems is DNS, too.” That’s because problems with Active Directory almost always result from DNS misconfiguration.

Loopback policy processing: Sometimes, by mistake, an administrator has enabled loopback policy processing for a computer (or multiple computers). When this happens, the user sees unexpected behavior because the GPOs that would normally apply to him are suddenly out of the ordinary. Getting a full grasp on how loopback policy processing works is very, very tricky. Not only do we have two different modes (Replace or Merge), on top of that you can have complex permission settings on the GPOs themselves, making it hard to calculate which settings a given user will take on.

Slow links: You’ve got a VPN for your Windows users or you’ve rolled out DirectAccess for a seamless VPN experience. Now how and when are your clients going to process GPOs? Well, it depends. If you’re seeing inconsistent behavior, this could be why.
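
A first-pass triage for the first few items in the list (disabled GPOs, disabled or missing links, WMI filters, permissions) can be scripted. This is an added example, not code from the original post; it assumes the RSAT GroupPolicy module from Windows 8 / Server 2012 or later (where the cmdlet is named `Get-GPPermission`), and the function name `Get-GpoTriage` is hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example (not from the original post): flag GPOs that are likely to
# "not apply" for one of the simple reasons in the list above.
# Read-only: uses only Get-* cmdlets and changes nothing.

function Get-GpoTriage {   # hypothetical name
    [CmdletBinding()]
    param(
        # Assumption: defaults to the logged-on user's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $findings = @()

        # 1. Whole GPO, or the user or computer half, is disabled.
        if ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
            $findings += "Status is $($gpo.GpoStatus)"
        }

        # 2. Links: none at all, or present but disabled. The XML report
        #    lists each link as a <LinksTo> element with an <Enabled> child.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ })
        if ($links.Count -eq 0) {
            $findings += 'Not linked anywhere'
        }
        foreach ($link in $links | Where-Object { $_.Enabled -eq 'false' }) {
            $findings += "Link disabled at $($link.SOMPath)"
        }

        # 3. A WMI filter narrows who gets the GPO; easy to forget it exists.
        if ($gpo.WmiFilter) {
            $findings += "WMI filter '$($gpo.WmiFilter.Name)'"
        }

        # 4. Permissions: nobody holds Read + Apply Group Policy.
        $appliers = @(Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
            Where-Object { $_.Permission -eq 'GpoApply' })
        if ($appliers.Count -eq 0) {
            $findings += 'No trustee has Apply Group Policy'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Gpo      = $gpo.DisplayName
                Id       = $gpo.Id
                Findings = $findings -join ' | '
            }
        }
    }
}

# Usage: one row per GPO with at least one finding.
# Get-GpoTriage | Sort-Object Gpo | Format-Table -AutoSize -Wrap
```

A WMI filter or a restricted Apply list is often deliberate, so treat each row as a place to look rather than a fault.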

Hopefully, this gives you a little shortcut if you’re stuck. So, again, the best way to get smarter in this stuff is to NOT go at it alone.

Take the class, for the love of Pete and get the secret weapons you need to solve the serious Group Policy problems you already have. With hands on labs, you’ll be pre-prepared before your next problem actually bubbles up.

Again: Next live class: Chicago, Monday March 25 – March 29th.

This will be my last one for some time – I guarantee it. If you miss this one, you literally won’t be able to take a class from me for a long, long time.

Sign up online or call 302-351-4903 and talk with Jackie and you can use a PO. Discounts for 4+ students in the same class.


See you there.


Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

Jan 2013

Killing Java using Group Policy and other notes

Hello Team.. This last week was a biiiiig week. In no particular order

1. All the book orders have shipped, so if you don’t have yours yet, it should be very, very soon. (If you’re new and don’t know what I’m talking about, my latest 800 page book on Group Policy is available at, as a signed copy.) (More about the book at the end of today’s email.)

2. Speaking of NEW PEOPLE, we had a huge influx of people join us after reading the article "Hone your IT skills with these five web apps". is #3 in this article:

I’m not sure qualifies as an "app", but — hey, I’ll take it !
Thank you and welcome to all of our newest Team members !

3. So, the big news story of last week was.. Java.

Unless you were under a rock, you learned that the Department of Homeland Security suggested that everyone (literally, not joking) DISABLE Java (at least for now.)

The rationale is that even with the "fix" (Java 7 u11), the fix isn’t really a "fix" at all. Rather, it simply updates the warning levels and messages to end users. (And users are so grrrrrrreat at knowing what to do when they see warning messages.) Um, no they’re not.

Okay. So, how, exactly would you stop Java capital N, NOW on all of your machines? (At least until the dust settles?)

I can tell you that there is no "in the box" way to perform this function, and ensure it’s going to work in all browsers, consistently. However, I’ve created a video (two videos really) at my "other" blog at to show you Exactly how to turn off Java NOW in your enterprise:

I did find some other "ideas" floating around on the internet. I tried to make those ideas work, for about two hours of banging my head against the wall, but had to give up. Sometimes you gotta just get the right tool for the right job.

Hope this helps you out and makes your company more secure..

PS: This article has some good, reasoned information about the problem and where it’s going.

4. I have some notes for folks still thinking about getting a copy of the book:

Note 1:

  I decided to "buy my own book".  That is, I wanted to see for myself how good or bad the Amazon version of my latest book was. I have to say, I found it to be a very pleasurable experience reading the book on the iPad Kindle app. (That’s all I tested it on, so your mileage may vary.)

First, on the iPad Kindle app, all the figures are in COLOR. Which is really great. I like that.

Second, what I had heard from readers about the PREVIOUS edition of the Kindle book was that figures were hard to see sometimes and tables were difficult to manage. Something must have improved in the process, because in my experience in the new book, figures will "Zoom" in and become full screen if you want. And tables have a special function to look at different cells with <- and -> buttons. In short, I thought it was awesome and personally approve of how it works on the iPad Kindle app.

Caveat 1: Again, I don’t own a Kindle DEVICE. I tried this out on the Kindle iPad app, so that’s all I tested.

Caveat 2: If you buy the Kindle edition of the book and hate the experience, please don’t blame me — take it up with Amazon. I only wrote the text and have zero to do with the Amazon or printed edition’s final results.

Note 2:

There are a handful of very small errata (errors) in the book. The most notable is Figure 1.1.. Yes, the first official figure in the book is misprinted. (Don’t shoot the messenger.. I went back to my writing notes, and something happened between my directive to change it, and the printing process.) In Figure 1.1, I show Vista as your management station and not Windows 8, as might be expected in a Win 8 book.
There are a handful of other little issues, and I’ll be posting the errata to the website at some not-so-far-in-the-future point. But for now, that’s the big "headsmacker".
Note that the same figure can be seen in the "Look inside" in Amazon and also when you buy the Kindle version.

5. Last call to get your own copies before I stop talking about it for a while (no guarantees).

Here’s exactly how to do it:

1.    Signed from me, "printed on dead trees" edition:

2.    Cheaper, not-signed, "printed on dead trees" edition from Amazon:

3.    Even cheaper Kindle edition:

REMEMBER: Get the version with the LEAF on the cover. All others are now.. older.
Bonus eChapters available for free at

Oct 2012

Deploying Office 2013 Using Group Policy


I found this document on Microsoft’s website I thought you might like. It’s only a mere 353 pages and describes how to deploy Office using various techniques. The one that gets the LEAST amount of talk? Group Policy.

Which is too bad. I mean, sure. If you have a killer software deployment tool already; then, yes, you should use it. I’m not saying "Don’t use it." I am, however, saying, that there are plenty of reasons you might want to use Group Policy to perform your next Office deployment.

First.. it’s free.
Second, it works.
Third, while there are multiple steps (12 steps to be exact) they are very straightforward. (If you know the steps, and do it in the right order.)

It’s straightforward in the same way where putting together a computer from scratch is straightforward. It’s not hard; you just need to know how to do it and get a few tips along the way.

So of the 353 pages in the guide I just pointed you toward, exactly FOUR pages focus on deploying Office using Group Policy. FOUR. F-O-U-R. Four. Four pages on deployment.

The bad news: I’m sorry. The doc just doesn’t spell it all out to ensure you’re not going to fail.
The good news: There are lots of tips on specific policy settings to use for, say, Outlook, Excel, and the like. Those are neat and helpful.
The best news: If you want to deploy Office 2010 or 2013 using Group Policy, I cover this topic in easy-to-follow detail in my "Jeremy’s 12 Step Office Deployment Program" in my LIVE and ONLINE Group Policy Training.

(Note: "Jeremy’s 12 Step Program" not to be confused with other helpful 12-step programs.)

Yep, in about an hour, I show you exactly how to deploy either Office 2010 or Office 2013, giving you the exact step-by-steps and tools and scripts you need to make this happen. Then, here’s what happens next: You try it out for yourself and see if you can do it in the lab, with me there ready to help you if you trip up.

Look, I know deploying Office 2010 or 2013 using Group Policy isn’t for everyone. Use the guide I pointed you toward for tips on Office 2013 deployment regardless of how you deploy. I think it’s a good guide with helpful stuff.

But if you want to learn how to really deploy Office 2010 or 2013 using Group Policy, I’ll see you in class.

For my USA peeps…

I’ll be teaching my 5-day FULL Group Policy Master Class (Dec 3- 7) in Tampa, FL
Click here: to check it out and/or secure your seat. We DO still have some seats left (down to seven), and we DO give discounts if you bring 3+ people or become a PolicyPak customer before your class. Call 215-391-0096 for POs or to check on discounts.

For my UK, Scandinavian, and European friends…

I’ll be teaching my 3-day ACCELERATED Group Policy Master Class. (Nov 13 – 15)
in Sweden. (Click here:
The super-general outline on the page is in Swedish.

To be clear: The Office 2010 / 2013 talk & lab is NOT included in this accelerated class. But I’ll make the lesson from my Online University available to anyone in the class who wants it as a free bonus for attending !

So, I don’t speak Swedish, so I’ll be teaching in English. This is an AMAZING opportunity to get the training you’ve always wanted, faster, from me, without a huge expense. If you only speak English like me, then CALL them at +46 08 10 20 00 and they will save you a seat. Also: if you want my full ACCELERATED class outline for this class, email me directly. It’s not specifically on the site.

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

Oct 2012

ManageEngine ADManager Plus - Free AD Utilities to Try

The Internet is full of free Active Directory tools out there. Some are worthwhile, some aren't.

I kind of like it when companies provide free tools. Of course, they do it to increase brand awareness for their pay tools.

But that's okay by me if the tools work and do some magic that would be hard for me to do on my own, without looking up commands, functions, and tons of documentation with lots of steps.

My friends at ManageEngine offer a package suite of free AD tools called ADManager Plus. Most of these tools center around the objective of simplicity. They take cumbersome or annoying AD tasks and make them simple and straightforward. All of the tools in ADManager Plus are based on PowerShell cmdlets. This requires PowerShell to be installed on the machine where these tools are run. Most of the tools list the PowerShell cmdlet the tool is based on, if you prefer to simply use PowerShell. The entire suite installs in less than a minute and is very intuitive to use right from the get-go.

Let's take a look at three tools in their set. The set can be downloaded here.

Note: It should be noted that ManageEngine does advertise on, but this is an independent and hopefully un-biased review. Besides, these are free tools. How can you go wrong?

Domain Controller Roles Reporter

The first free tool is their Domain Controller Roles Reporter. We all know the traditional but complex process of opening up three separate AD tools (AD Users and Computers, AD Schema and AD Domains and Trusts) to figure out which DCs host the five operations master roles as well as which servers act as global catalog servers. Instead of utilizing multiple tools, Domain Controller Roles Reporter lists each DC in your AD structure as well as their assigned roles, all in one easy-to-view list. Imagine obtaining all of your DC roles in less than a minute. That is easily obtainable with this tool. Although my demonstration domain consists of only one domain controller, you can get the drift of this easy-to-use utility in the screen shot below.


Active Directory Replication Manager

Another great simplifying tool is their AD Replication Manager.

Any domain administrator knows the rigmarole of using AD Sites and Services to replicate designated DCs within their domain structure. Again, ManageEngine offers you a simple design in this utility. With a single click of the mouse, you can replicate all of the DCs within your domain or even forest. It will even allow you to replicate any two DCs of your choosing whether they are assigned as AD Connectors or not. Each of these capabilities is illustrated in the screenshots below.




Last Logon Reporter

The Last Logon Reporter may be the standout of the bunch.

Every administrator has been asked at some point within an organization about when the last time a particular employee logged onto the network.

In an AD environment consisting of many domain controllers, this can be a time consuming task. Just trying to find which domain controller the user last logged onto is time consuming enough. Once again, ManageEngine provides a one stop utility that allows you to retrieve the information you need quickly and efficiently. Below is a demonstration of the simple two-step process that provides you with the last logon time for any user in your domain.





Terminal Session Manager

How many times have you attempted to use the Windows RDP client to connect to a remote server, only to be informed that the server has exceeded the maximum number of allowed connections? You then had to access the terminal services manager for that server from another machine in order to log the sessions off.

ManageEngine's Terminal Session Manager will search your network for remote sessions and list them all, again in one viewable list. You can then obtain information concerning any of these sessions and either disconnect them or log them off. This two-step process is outlined below.



Believe it or not, we've barely scratched the surface in covering all of the great applications that make up the ADManager Plus suite.

Other tools include a Password Policy Manager, a Local User Management utility and a DC Monitoring utility. Other applications help identify AD object name duplicates and empty passwords, and we still haven't covered them all. ADManager Plus may be free, but it offers definite value to today's network administrator, who will find at least one of these tools a fantastic addition to their tool belt.

Hope you like the tool roundup !