MDM & GP Tips Blog

Sep 2012

7 Things I think you'’ll like this week

Team: This is a variety pack of interesting stuff. Here goes..

Item 1: My Group Policy Master Class in Florida is ON. That is, we have enough people signed up to run the class, and I’ll be there with bells on. (See the end of this email for signup details.)

Item 2: Are you following me on Twitter? Why the heck not? I have two accounts (one for each of my two lives): jeremymoskowitz and policypak. Don’t miss out on the direct line to my brain.

Item 3: Article on how the most common fingerprint reader software can be “worked around” by the bad guys.

I like what the security team found, but it misses the fact that if the machine was using Bitlocker (see my previous musings on Bitlocker) then this attack would not be possible. To perform this attack, the user would need to boot OUTSIDE of Windows (say, using Windows PE or Linux Boot disc) then get the information that way.

Item 4: New eBook by my pal Darwin Sanoy.

I’d say something like 40 – 70% of organizations are jumping from 32-bit XP to 64-bit Windows 7. In my estimation there’s very little reason not to.

But, there are some pitfalls associated with 64-bit Windows and the applications which run on them.

So, Darwin came out with this eBook called: Under the Microscope: Deploying and Supporting Applications on 64-bit Windows


When I reviewed the book, I told him to price it at $29.99, then another $20 for the lab manuals. But he must have messed up and priced the whole kit and caboodle instead, at $9.99.

Darwin: If you’re reading this man, personally, I don’t get it. $9.99 is waaaayy too little to charge for all the awesome stuff in this book.

The eBook is 95 pages, and jam packed of stuff, I, personally didn’t even know existed. So, I love that. Thanks Darwin.

That link again is . Get a copy.

Item 5: Windows Server 2012 is out.

You can download the evaluation ISO or VHD here:

Item 6: A neat free ebook on Windows Server 2012 is out.

Introducing Windows Server 2012 (RTM Edition).

Item 7: I like this article from Greg Shields:

“We’re not allowed to access GPPs [Group Policy Preferences] because they’re handled by the Active Directory team.” it what Greg Shields hears all the time.

If this is your problem: Read this article, print it out, hand it to the boss, then ask him nicely if you can get the Group Policy training you need.

Where you ask? (See next note!)

Final thoughts..

Okay Team… my next class is in Tampa, Florida. December 3 – 7.

Sign up here:

Again, the class in on, dittily on, neighborino. So, get on a plane or hop in a car, and get your butt trained in Group Policy awesomeness already.

Yes, you’ll learn all you need to know for XP, Windows 7 and Windows 8. Yes the class is fully guaranteed. Yes, it’s me teaching the course. Yes, the costs are right on the webpage. Yes, we can give you a discount if 3+ people from your company show up. No, you cannot have any drinks from my mini-bar in my hotel room.

Instead of thinking of all the reasons you CANNOT come to the class… turn it around.

Think of all the amazing skills and knowledge you’ll have when you return.

You’ve always wanted to take my class. If you have to move a mountain or two to get here, will it be worth it?

See you in class.

-Jeremy Moskowitz

PolicyPak Software

Aug 2012

Sometimes, you gotta ask the duck.

I was going to entitle this blog post What the duck?

But I thought better of it.

Here's the deal: People often ask me how to troubleshoot things. Very, very specific things.

Instead, let's take a step back and talk about two (similar) techniques to get YOUR troubleshooting skills better aligned.

Method one: What do you think?

In Galaxy Quest, this was a deleted scene. But I loooove it. At 1 minute and 10 seconds to 2 minutes 14 seconds in, Tech Sargent Chen is being asked how to fix something". It doesn't really matter what that SOMETHING is.

Watch how he handles it end to end

How to actually perform troubleshooting (1 minute 10 seconds to 2 minutes 14 seconds.)


Yes, laugh at it of course.. but there's some actual validity to what is going on here. By simply asking What does that mean? during  a crisis, you can quickly get to the bottom of many many issues and find the root causes of a world or problems.

This very recently helped me troubleshoot a problem on my web site, but can be used for just about anything.

Method two: Ask the duck?

I had never heard of this one before, but fan John Straffin pointed this out to me when he wrote in and said he had an Ask the duck moment.

I had NO idea what he was talking about, but he pointed me toward this Livejournal entry: 

and this Wikipedia entry:

Reading it says it all. In short, re-explaining your challenge to a fake friend can help reframe your brain and make discoveries in all kinds of unique ways.

Now, I Ask the duck all the time.

Aug 2012

Bitlocker .. it aint just for Laptops


I went to the doctor today. Nothing major. (Cough, cough.)

Anyway.. I’m walking down the hall, and I see this:

Look closely at the door name: Nope, nothing special in THERE.
Then, look toward the handle. Yep… KEY in the DOOR.

That’s okay. It’s only my personal medical records in there. No biggie, right? Sigh.

So, this got me thinking about, ya know.. being Evil.. which I am not.. and none of you are. (Little known fact: Everyone on and goes thru a strict pre-screening regiment to ensure only "Non Jerkfaces" are getting these tips, thoughts, and updates.)

Anyhoo.. seeing this totally unlocked and MARKED door made me think about what it would take to be Evil if I wanted to.

And the most evil thing I could think of, was taking a drive out of a server. (No, I didn’t go in the door, and don’t know if that’s possible without a screwdriver.)

Some servers use RAID of course, which stripes the data across multiple drives. Could stealing just one drive mean I get anything? Well, with enough elbow grease I suppose I could go "block level" on that drive and see what I could find. Not easy, but, hey, possible…at least PLAUSABLE.

So this is making me think about how to protect against "Un-Jeremy stealing a server disk.

The answer is simple: Bitlocker.

If I stole a drive in the 60 seconds it took me to make the photo, I would have $100 in metal, and not much else.

I know people think of Bitlocker as a great idea for LAPTOPS. No brainer, sure.

But desktop and servers are equally vulnerable, honestly.. they’re just LESS PORTABLE.

Yes, you may have some physical security.. but.. that’s possibly circumventable. (How many times have you seen the cleaning crew in a bank branch late at night? Here in Philly at least, it’s ALL THE TIME ! No joke.)

So you could have "theoretically high" security, but still "circumventable security."

Bitlocker in Windows 8 and Server 2012 have some new features, which make me pretty happy. For my own systems, I use Bitlocker, but the big pain in the neck is WAITING for a drive to FULLY Bitlocker itself. Windows 8 now can use "Used Disk Space Only" .. which is awesome when I throw a new 1TB drive up.

For desktop and servers, there’s "Network Unlock" which also auto-unlocks machines as they boot (when they see that they’re on the network.) If they’re OFF the network, those drives, once again, become $100 pieces of metal.

So, in short, if you’re hesitant to consider Bitlocker for DESKTOPS and SERVERS.. reconsider, then start thinking about it.

I did.. in the 60 seconds it took me to take that photo.

PS: Class is filling in nicely in Tampa, FL. Smart, good looking NON-Evil people like you are joining up to learn more about managing Windows 7, 8, Server 2008 and 2012. Tampa, Florida, December.. Be there:

Q&A: Yes we take POs. No we cannot "save" a seat for you without a CC or PO. Price is right on the website. Yes, we do group discounts. Call Laura at 215-391-0096 for help with a PO or group. Yes you will get smarter. No it’s not boring. Yes, it’s me teaching. Yes, you will be tired and loving every second of it. Yes, you could possibly get a raise after taking the class because you’re smarter (no guarantees.)

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

Jun 2012

Group Policy Powershell for Beginners and Experts

Folks.. People are asking me how to learn more about Group Policy + PowerShell.

Well, at TechEd 2012, I worked with Jeff Hicks (PowerShell MVP) to give a one-two combo talk on Group Policy + PowerShell.

First, here is a link to the whole darn talk… !

Next, here's a link to Jeff hicks page which has the Show Notes.

Lastly.. Here are some fun pictures Jeff played the part of Professor PowerShell and I played the part of The Pointy Haired Boss.

PS: This talk mentions my Group Policy Health Check service.. which can help orgs of all sizes reduce login times, increase security, and figure out precisely what you're doing right and wrong with GP. Make contact by clicking here.

2005-01-10 14.54.122005-01-10 15.06.582005-01-10 15.31.112005-01-10 15.40.58

Jun 2012

TechEd 2011 US WrapUp


I am back from TechEd Orlando, and … Holy Moly.. I cannot fathom how much "stuff" goes on at TechEd every year.

First.. THANK YOU to everyone who I met in person, came to my talks and got to spend some time with. You guys really make TechEd fun for me.. because the amount of work leading up to TechEd is backbreaking. Thanks for being so .. great !

So, at TechEd, in my own little piece of the TechEd world, I had FOUR "duties."  Three speeches and a book giveaway and signing. I have pictures from two of these events:

Here are pictures from the Viewfinity Book Signing Event:

Yes.. that’s the line.. and EVERYONE got a copy of my Group Policy book for Windows 7. Killer !
The best part was.. MOST people were already part of the Team, and when and where to be there.. Awesome !

Also, super fun, was my speech with Jeff Hicks, PowerShell MVP. Jeff played the part of "Professor PowerShell." I played the part of the "Pointy Haired Boss." Here are the pics:

If you couldn’t make TechEd Orlando, I hope to see some of you in TechEd Europe.

If I won’t see you NEXT week, here are two other things you might want to check out THIS WEEK:

1) Tomorrow .. Tuesday, June 19th … for those in my local area (like 100 miles of Philadelphia) I’ll be speaking at the "GR8 Exchange Lync & System Center Conference." It’s not free, but it’s a really good deal at only $179. Me and lots of other speakers I think you’ll like. Check it out here:

2) Also Tomorrow.. Tuesday, June 19th… My friends at Avecto are having a webinar that DOESN’T have me. But, it looks interesting anyway, so I thought I would share. 10.00 AM EST.

Okay… Thanks Team.. and.. talk with you soon !

PS: I got a tremendous amount of feedback from my speeches at TechEd. Here’s my favorite comment:

Mr. Moskowitz is a fantastic presenter, and an absolute treat to see. His presentation showed me ideas I’ve never thought of implementing before, and now I’m VERY eager to use them at my business (although I don’t think my users will be as enthusiastic!) ? Thanks, Mr. Moskowitz!

Thanks whoever-you-are ! If you’re interested in getting me at your own organization for a private class, please email me, and make contact. I’ve got some available dates now that TechEd is over, but I’m assuming those dates will fill up fast.

Thanks !

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

May 2012

Warning: Group Policy Isn’t just for Swedes !

Sweden was… AWESOME ! And now I’m back and ready to kill it here in the USA.

While I was away in Sweden.. something magical happened. We had 10 people already sign up for the Salem, OR class. Holy crap. Maybe the fastest "ON" we’ve ever had. So.. um… don’t wait if you’d like to get smarter in Win7 / Win 8 / Security / GPOs and have some fun. (

So, in Sweden, I recorded a podcast in front of a super nice and warm live studio audience.

Special thanks to my hosts at (Michael Anderberg, and Johan Person, Michael Nystrom), who were super awesome to me during my time there. In this podcast you’ll learn:

– What its like to be an MVP (and if there’s a secret handshake).

– Why did I get starting diving deep into Group Policy?

– Why my childhood helped me become the GP geek I am.

– Learn a GP trick to .. um… be an Evil Genius. (Don’t do this.)

– What the big secret of GP is, that most people don’t know.

– What GP does GREAT and also NOT so great (and how to fix it.)

And.. like lots of other fun stuff.

The link is…

Enjoy.. ! And leave a comment / Tweet it. And, if you’re not following me on twitter.. whatruwaitingfor ?

Twitter: jeremymoskowitz

Jan 2012

Clean Naming for GPOs (Notes from the field): Part II


I wanted to share with you some of your peers humble suggestions for Group Policy naming. Again, what works for THEM might NOT work for you, but at least it can give you some food for thought.

From Ondrej in Slovakia:

I use names for GPO and I think it’s good way to have them this way:

-    GPO – to make unique name for GPOs
-    RDS – name of part of change (Remote Desktop Services)
-    APP – managing APPlication (Software Restriction)
-    Office2010 – name of application
-    V01 – version of GPO

-    GPO – to make unique name for GPOs
-    DisableIPV6 – short accurate name of changes in GPO
-    V01 – version of GPO

I think it’s very good to have versioning of GPO policies. When I change GPO I increase version number and I keep max 2 older GPOs for just history and help to find out changes I made.


From Charl in South Africa

who has 2,000 GPOs !

(edited a little for clarity):

"Here’s what we do:

-If the policy is domain linked, the GPO will start with the name of the domain it’s in; this works very well if you have multiple domains.

– For the GPOs linked to our old servers structure we kept the names as starting with "Servers" and these are slowly being migrated to the new servers OU structure and the names for these GPOs start with NS (New Servers – OK, it’s actually my company’s name that starts with an N, followed by S for servers).

– The OU is "Nxxxx  Servers". Next up is the GPOs linked for the XP OUs and they start with XP and similarly the Windows 7 GPOs start with NUW (Again, first letter of my company’s name being an N followed by U and W which stands for Users and Workstations).

– The next part of the name is followed by a dash (-), C and/or U and then another dash (-). This indicates whether the GPO has the Computer, User or both nodes enabled.

– The next part of the name indicates what the function of the GPO is and if there are multiple functions, these are separated by commas (,).

– Lastly, the name ends with a colon (:) followed by the department who ‘owns’
this GPO, i.e. Security, ServerOps, End User Computing, etc. Again, we only have about 5 owners.

So, on a daily basis I use the GPMC scripts to dump all the GPO names into a single file, DTS/SSIS then into SQL and then the fun starts:

– By using the dashes, commas and colons as separators, I can see with a stored procedure, which GPOs do not have owners as there is no colon and one of the owners defined after the colon. Which GPOs do not indicate whether they are Computer, User or both nodes-enabled GPOs.

– I can see which GPOs do not conform to the proper naming convention. It it does not start with a one of the five top-level GPO names, I know immediately that I have a problem.

– Digging a bit further (all automated now!) I can even see who made a GPO and indicated it is a Computer GPO, but the User node is still enabled. The exception reports only run IF something is wrong and the GPO guys from Server Ops know that Big Daddy form Security is watching them.

– For GPOs linked lower down, we use the abbreviations of the child OUs in the GPO name as well just after the top-level name.

So, by looking at a GPO name, I can identify where it is linked, whether is Computer/User/both, function and owner. Here’s an example:

I.e. XP-C-Power management, Screensaver lockdown:SO

I can quickly parse this, and see that the GPO is linked to OU containing XP machines, Computer node enabled, sets power management and screensaver and belongs to Server Ops.

How’s that for being in empowered?"

Jan 2012

A Clean naming Convention for GPOs

Many people ask me: Is there an ideal way to name GPOs?

Well, yes and no.

First, the big problem is that the swimming pool where the GPOs live that is, the Group Policy Objects node in the GPMC just sort of all runs together. One big blaaaah of all the GPOs.

So, first off there is no way to partition them or organize them. They're all just there.

Therefore, having a naming convention that works for your company could prove to be a lifesaver.

There no right or perfect way to create a GPOs name. One suggestion is a four part naming convention.

Part I: The Where.

Part II: The What.

Part III: The Who

Part IV: The Type.

For instance a GPO might be in charge of opening Port 123 on Sales Computers. Great. So, here's a name I might use:

EAST SALES COMPUTERS Firewall Open Port 123 (C) – JeremyM

All four elements are there. And in the Group Policy Objects list, all the GPOs are listed Alphabetically, so you'll see each Where together quickly. The (C) tells me that the C-omputer side of the GPO is used and not the user side. The name on the end shows who is the ultimate owner of the GPO or who is in charge or who to contact for issues or updates. (You could also put this in the GPO comment fields.)

Another perfectly fine choice is to re-arrange this list. Like:


This will sort with all the Computer side GPOs grouped together first, then WITHIN that, all the EAST SALES COMPUTERS linked GPOs.

Again you're welcome to have the names be anything you want.. just note that whatever's first that's what's sorted upon based upon Alpha. Having all four elements makes things a lot easier, in this guys opinion.

A final trick here, is that sometimes I use an Underscore character _ to signify GPOs which are domain linked or are special in some way. For instance  _PolicyPak License GPO Expires 1-1-14 will bubble up to the top quite easily seen by everyone (as underscore is sorted BEFORE the letter A.) q

What's your naming convention? There's Shoot me your email with your solution. Thanks !

Dec 2011

Office 365 - Lync download (broken. Annoying.)

If this saves you an hour, I have done my due diligence.

In short, if you’re trying to get a new Win7 machine going with Office 365, installing the Lync client is the first step.

Except the download won’t "start."


I even ran Process Monitor against it to see what it was doing, and the install is in an endless loop looking for an MSI registry key that doesn’t exist.


Well, there IS a workaround, but I had to dig for it.

Look for a nice post from a helpful Microsoftie here. This helped me out, and hope it will help you out too.