MDM & GP Tips Blog

Aug 2009

First Look at Windows 7

Part 1: My First 7 days with Windows 7

Let's go right to the punchline: Overall, positive.

Okay, now let's get to what's great, what's not and what's just weird.

Actually, before we do that, let's start off with my new hardware. If you know me, you know I love to do demos. I do demos left and right in my training courses, at WinConnections and TechEd, and other sundry events.

And, of course, I need a laptop to lug around to do that. My laptop of choice has always been Dell. I've been a Dell man, since, well, Dell Laptops had TRACKBALLS in them, and not touchpads.

Yes, _that_ long.

Now, for the first time ever I went Lenovo. Honestly, the new Dell E series just seemed too "humongo" for me. The whole package, including the power supply just looked too.. Bulky.

Yep, that was my "very technical reason" for not getting another Dell. I'm sure they're great inside, but their aesthetics (at least compared to my Dell D620) were not an improvement (to me, anyway.) So, I got a Lenovo T500. The name alone makes me feel like I'm perpetually the star in my own personal Terminator film. I bought it cheap from the "Lenovo outlet store." It has a T9600 Core2Duo processor on board, and I fitted it myself with (oh drool!) 8GB RAM and 500GB hard drive @ 7200RPM (killer!)

Then I waited to get my hot little hands on Windows 7. I was in the beta program, so I got a "free key" to use when the beta ended.

Last Thursday night, I installed Windows 7, 64-Bit edition on my new monster laptop.

Before that, I had previously gone to Lenovo's website and downloaded ANYTHING associated with the T500 + Vista. That is to say, since all Vista drivers are "upward" compatible to Windows 7, having them "at the ready" seemed to be a good idea. I put them on an external USB disk.

My first 24 hours weren't great. I installed Windows 7. I took all the updates. Then I installed all the T500 / Vista drivers. I rebooted when necessary. Finally, when I installed the video driver software, Windows 7 just hung and hung and hung and hung at the "Please wait" page.

Arrrgh. And this was AFTER I had already activated Windows 7 (Stupid, Stupid, Moskowitz.)

Well, I knew I could boot to Safe Mode and hack and slash my way out of this. But the more I thought about it.. why was I installing drivers for something that was, well, working already?

So I didn't.

I re-formatted and re-installed Windows 7. In my experience, more manufacturer software equals slower and more unstable machine. Said another way, if I can "get away with" the drivers that are included as part of Windows 7, I should have a faster and more stable system overall ... instead of having to know exactly WHICH drivers and in WHAT ORDER I should be installing them.

So that's what I did. I loaded Windows 7, I took all of Windows' updates (it had several driver updates for my system.) There were two devices Windows didn't have "built in drivers" for, and I did, indeed, install those from the Lenovo website. And that was it. I was done.

That being said, it wasn't totally a bed of roses.

This T500 system has this newfangled idea of having TWO video chips instead of just one. Let's call these two chips the "Good one" and the "Awesome one." Honestly, I don't ever, ever need the "Awesome one." I don't play games, so I don't need "awesomeness." "Awesome graphics" don't make my demos any faster, and honestly, that's all I care about for this machine.

This newfangled idea of two chips sounds great, but for me it just wasn't working perfectly with my total re-install. Every time I closed the lid and re-opened it, it thought my laptop display was "Display 2." All the stuff I was working on just disappeared.

You could say: "Well, Moskowitz, if you installed the drivers from Lenovo, you wouldn't be having this problem." Except, remember .. when I did install the drivers, that's exactly when the machine went into "mega hang" mode.

So, I needed a Plan B.

To fix this, I adjusted the T500's bios to say "Kill the Awesome chip. Only let me use the Good chip." And magically, all my troubles went away.

I'm sure, really, really sure, this is because I didn't choose to install Lenovo's "mega video driver" or something for the secondary video driver chips.

But I'm okay with that. I honestly need my laptop to do EXACTLY two things: display on the panel when I want to, and display outward on the VGA port for projecting when I want to.

Nothing fancy. So, no "awesome chip settings with crazy drivers" for me, thank you very much.

So, how is my overall experience with Windows 7 compared to Windows Vista? Well, my biggest problem with Windows Vista was that it was slow. Yes, lots of people complained about it being slow, but I tried to take an empirical approach and learn WHY my experience with Vista was slow.

For me, personally, I learned the "slow culprit" was the "Windows Search" service. On my previous laptop, the D620, where I tried to run Vista, every time I ran Filemon / Procmon, I could see it. Spinning its wheels, doing its thing -- ALL THE TIME and slowing me down.

As for Windows 7, I'm sad to say, that my initial experience is the same in this particular regard. Windows 7 still appears to (at least with my files) churn and churn and churn.

Maybe I haven't given it a fair shake. It's true, I didn't let it "settle in for three days" before getting frustrated and turning it off. I do have 60GB of "data" for it to pore over. So, in fairness, I'm going away next weekend, and I'm planning on turning ON the search service BEFORE I LEAVE, and see what happens when I return.

But for now, I have uninstalled the Windows 7 search feature, and you also (oddly) seem to need to DISABLE the search service to really kill it (according to my Procmon traces.)

Here's the payoff though: Man, is this lappy fast! Right now, I'm really happy with the speed. Applications pop. Demos snap. Everything is like a crisp clean spring morning. Between a new processor, new OS, the 64-bits, 8GB of RAM and a 7200 RPM HD, darn tootin' this thing better fly.

Here are some miscellaneous notes about my first 7 days, in no particular order:

- I have a wacky wacky "Canon" all-in-one printer, fax, scanner thing. And that driver was included in Windows 7. And, it even shows me the "ink levels" while printing; just like the driver I previously needed to download from Canon then hand-install on XP. Neat.

- I'm pretty "keyboard centric." So about 1000 times a day, I type the following key sequence when working on XP: Ctl-Esc, R, cmd, enter. In XP, this would open the Start menu, R would hit the Run command, and CMD would get me to a command prompt. Now on Win 7, the same sequence makes NOTHING happen, because (even though I've put RUN back on the Start menu) there's no keyboard shortcut for 'R'un. gRRRR.

- I have ONE piece of hardware that, darn it, I cannot use, and man, I'm disappointed. It's a USB-connected phone system that's voice activated and hooks into Outlook. It just crashes every time it runs. Just flat out crashes. Can't really get to the bottom of this. If anyone else has this device, it's called ArialPhone, and I'd love to hear if it's working for anyone out there on Win 7 or even Vista. (PS: Even "XP compatibility mode" likely won't get me out of this one; unless I want to run a copy of Outlook *INSIDE* that fake XP machine, which I don't.)

- I have two other Outlook plug-ins which worked great on XP, but won't do their magic on Windows 7. Oddly, two *OTHER* Outlook plug-ins are working swimmingly. So, I don't know where the problem is. Still hacking on this one.

- The Beta for the App-V client 4.6 is out, and includes 64-bit support. Honestly, the thing seems ROCK SOLID to me, but my understanding is that it's planned to be Beta for a while before it goes gold. AppV Applications in cache seem to run WAY WAY faster than they did in AppV 4.5. It took me about an hour to convert all my existing 4.5 sequenced apps to 4.6.

- My wife walked behind me to see what I was working on. And it was my Windows 7 desktop. She saw the huge, huge icons that Windows 7 defaults with and asked "Are you in safe mode?" I can totally see her confusion, as Windows 7, in my opinion, looks totally bizarre with those big honkin' icons. The fix? While on the desktop, hold down Control and use the scroll wheel of your mouse to adjust. Kooky.

- Lots of people seem to be all "gaga" about the new taskbar. Honestly, I don't love the "mixed metaphor" of applications running and applications' icons all jumbled together. I've reset it to act a little more like XP did, and I'm a little saner now.

But, all around, 95% of my applications are working. Everything that's "broken" seems to revolve around Outlook in some way. Everything else is working great. So, I'm not sure if I can blame Windows or what here. Regardless, I'll get to the bottom of these and shake out my final bugs.

But in short, my first week -- pretty solid after getting thru the bumps. I do have that "last mile" to push through, and I'll keep you posted as things progress.



Jul 2009

Policy vs Preference

Team: I had this email exchange with a friend of mine the other day.

The email title was: "Policy vs. Preference (I don't get it.)"

I thought you'd like it. Read all the way thru to the end for how to get more information TOMORROW, Friday at 12.00 PM EST.

[Note, we're having some login issues to the web accounts. Sorry if you're affected right now; we're working to fix it... Thanks.]



OK I'm having serious brain 'problem.' What, really, is the difference between an unmanaged policy setting and a preference (GPPreferences-style)?

I CAN remember, at this late hour, that managed policy settings are in the Policies key of the registry. Seems to me that unmanaged policy settings (which equate to settings that can tattoo, right?) are elsewhere, yeah? So what makes them different than changes made by Preferences?

I am just trying to hone my use of terminology and make my boss understand "Policy" vs "Preference" vs "PolicyPak". THANKS!!!!

Okay Frank.. So.. I'm sure there's some "complete and proper definition" somewhere at Microsoft about what a Policy is vs. a Preference.

But when I talk with people about "Policy" Vs. "Preference" here's the litmus-test I use to determine "which is which."

I define policy as "three things"... that is, these three things need to be TRUE for you to be able to call it a "True Policy." A policy means that the setting:

1. Properly goes to the "Policies" keys in the registry (one of only FOUR sanctioned locations)

2. UI lockout occurs such that users cannot scoot around it

3. UI lockout / setting reverts when GPO falls "out of scope" (ie: You whack the GPO.)

So, "Prohibit Access to the Control Panel" is a true POLICY. It meets these three criteria.

If you crack open the ADM/X, you'll see that the registry punch goes to the Policies keys... and once set, users cannot scoot around it.

A Preference is EVERYTHING ELSE.

So.. some criteria to check if it's a Preference would be:

1. Does it store its keys anywhere in the registry? (ie: OUTSIDE the 4 proper Policies keys?)

2. Does it still permit a user to manipulate the UI? (ie: No UI lockout?)

So, 99% of hand-created ADM or ADMX templates and a large percentage of GP Prefs items are just that.. Preferences. (Note that many GP Preferences items have a scope which is NOT the registry. For instance, "Local users and groups" deals with the local SAM and NOT the registry. Others deal with services. But for the purposes of this discussion, I think you're asking about REGISTRY items, and many of the GP Preferences items are, indeed, registry focused.)

So, let's examine the GP Preferences "Internet Explorer Settings." They're Preferences.

Why? Because... once a user gets the settings...

Test #1: The keys aren't contained in the "Policies" keys
Test #2: Users can scoot around and change the values to whatever they want
Test #3: If you whack the GPO with a preference, what happens? It "tattoos" or "leaves behind" the settings you set.

Do note, if you whack the GPO with a GP Preference, on some items there is an extra flag which is called "Remove when no longer applies" which will DELETE THE VALUE (not REVERT the value). Which, could be harmful to your application. Ouch.

So, where does PolicyPak fit in?

In contrast.. POLICYPAK will "bridge the gap" when it comes to Registry punches and setting applications' settings.

The free PolicyPak Community edition is able to:

1. Write keys anywhere in the registry

2. Perform UI lockout

and magically

3. Revert to the value you want when no longer applies (not totally deleting the value!)

PS: There's a guide which I wrote to help clear up a lot of these questions. Let me know what you think:



Jul 2009

Backing up (even quicker)

Quick update #1: About the "backing up GPOs" stuff we talked about this week...

I forgot all about Darren Mar-Elia's PowerShell cmd-lets (free!)

If you don't want to wait for Win 7 but want to use Powershell to manage GPOs now, head on over to and get their free Powershell GPMC cmdlets.

To back up all GPOs in a domain using the SDM PowerShell cmdlets, just use:

Get-sdmgpo * | export-sdmgpo -location c:\gpbackups

Neat !

Jul 2009

Automating your backups....


Last week, we talked about backing up your GPOs, and how you should be, ya know, "just doing it."

Then I got some emails asking me about "automating that backup."

Turns out.. that's easy too! Here's two ways (I'm sure there are more.)

Way #1: VB-scripts via the GPMC scripts
The older GPMC had built-in scripts. The newer GPMCs require that you download the sample scripts. These are great and super helpful and can be found here:

You can see examples of using the scripts if you head over here:

The script you want to play with is called "BackupAllGPOs.vbs."

It's easy as pie. Or punch. Or something that's easy.

Way #2: If you're a Powershell geek / geekette
The newest GPMC with Win7 and WS08/R2 supports lots of SIMILAR constructs (create GPOs, backup, restore, etc), but now you can ALSO use PowerShell. So, to "get" the GP-related commands into Powershell, I typed

"Import-Module grouppolicy -verbose"

then I was able to run this quick command

"backup-gpo -all -path c:\SavedGPOs"

And, blammo. Instant backup of my GP-world.

There's more to the command, of course; but that's its simplest use.

Again, easy as falling off a log... if you know the secrets.
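
To turn Way #2 into something a scheduled task can run unattended, here is an added example (not code from the original post). The dated folder layout, the 30-day retention and the manifest file are assumptions of this example; only Import-Module, Backup-GPO and Get-GPO from the GroupPolicy module are used.

```powershell
# Added example: nightly GPO backup for a scheduled task.
# Assumptions (not from the post): dated subfolders under C:\SavedGPOs
# and a 30-day retention window.
param(
    [string]$BackupRoot = 'C:\SavedGPOs',
    [int]$KeepDays = 30
)

$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

# One folder per run, so a failed run never overwrites a good backup.
$stamp  = Get-Date -Format 'yyyy-MM-dd_HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Backup-GPO returns one backup object per GPO it saved.
$backups = @(Backup-GPO -All -Path $target -Comment "Scheduled backup $stamp")

# Cross-check against the domain so a partial run gets noticed.
$gpoCount = @(Get-GPO -All).Count
if ($backups.Count -ne $gpoCount) {
    Write-Warning "Backed up $($backups.Count) of $gpoCount GPOs; check $target"
}

# Manifest: maps each backup ID (the folder name on disk) to its GPO.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

# Prune only the dated folders this script created, never anything else.
$cutoff = (Get-Date).AddDays(-$KeepDays)
Get-ChildItem -Path $BackupRoot |
    Where-Object {
        $_.PSIsContainer -and
        $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{6}$' -and
        $_.CreationTime -lt $cutoff
    } |
    Remove-Item -Recurse -Force
```

The backup folder holds every setting in every GPO, so keep its ACL restricted to administrators and run the task under an account that can read all GPOs.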

Dec 2008


Why isn't Group Policy Working on this client?
Did You Check the DNS Configuration of the Client?

One of the most frequently encountered problems with Windows 2000 and above is that things just 'stop working' when DNS gets out of whack. Specifically, if you're not seeing Group Policy apply to your client machines, make sure their DNS client is pointing to a Domain Controller or other authoritative source for the domain. If it's pointing to the wrong place or not pointing anywhere, Group Policy will simply not be downloaded.

As a colleague of mine likes to say, 'Healthy DNS equals a healthy Active Directory.'

Moreover, in the age of Windows 2003/2008 with its multiple forests with cross-forest trusts, Group Policy could be applying from just about anywhere and everywhere. It's more important than ever to verify that all DNS server pointers are designed properly and working as they should. For instance, if clients cannot access their 'home' Domain Controllers while leveraging a cross-forest trust, they won't get Group Policy.

Finally, to put a fine point on it, DNS leverages only the fully qualified name. It's not enough to verify that you can resolve a computer named xppro1 as opposed to The first is actually the NetBIOS name and not the fully qualified domain name. The second is the fully qualified domain name. If you find yourself in a DNS resolution situation where resolving the NetBIOS name will work, but the fully qualified name will not work, then you have a DNS problem that needs to be addressed.

Aug 2008

More freeness awesomeness -- WinInstall LE

Remember the good ol' days? When right on the Windows CD-ROM was a great little free MSI repackaging tool called WinInstall LE?

Well, then it just went away.

A lot happened since then. WinInstall broke free, and became their own company. Then they were bought out by Attachmate. Then finally sold to Scalable software.

And look what happened? It's free again! So, if you're looking for a great little MSI repackaging tool (totally free) check it out here.

Oh yeah, and they mention me in the press quote. Because, you know I like free stuff!

May 2008


  • Policy or Preference: Who wins the smackdown?
  • Announcing: Downloadable eChapters of Jeremy's two new upcoming books!
  • Kansas City Class: ON! Will you be there?

Welcome to Newsletter #28.

One of the questions I get all the time is: "Which one 'wins' if a Policy and a Preference overlap?"

Think you know the answer? I thought I did too; so let's see how that shakes out. Next, I'm happy to announce my two new upcoming books on Group Policy.

  • Group Policy Fundamentals, Security, and Troubleshooting
  • Creating the Secure Managed Desktop: Group Policy, SoftGrid, and Microsoft Deployment and Management Tools

Right now, you can zip on over to and learn about them, or a little later in the newsletter I'll give you the full rundown of the two books, what's new, and tell you why I had to expand it into two books!

I'm also super excited to announce our new Partner/Affiliate. Sign up, and everyone you recommend for a training (or newsletter signup) means some extra dough in your pocket. More, later in the newsletter.

This Month's Newsletter Sponsored by: NetIQ

Are you stepping on other administrator's toes when managing Group Policy? It happens a lot, but there are some strategies to help you address that. In this new whitepaper, "Group Policy Management Challenges" authored by Group Policy guru Jeremy Moskowitz and NetIQ you'll learn some immediate techniques to get working better today.


Getting Down to Business: Policy vs. Preferences

Microsoft has a Group Policy blog entry called "GP Policy vs. Preference vs. GP preferences" which you should all stop and read right now. Really. I'll wait. I know you'll come back, because there's a lot more to learn on this subject. Check it out here.

And while I really dug that blog entry, and it was really well written and smart, there are some other angles to that Policy vs. Preferences story. And that's what I want to cover here.

How, exactly does the Group Policy engine deal with overlaps between policies and preferences? Well, there’s the short answer, the middle-length answer, and the long answer. Let’s go over all of them. (We’re old friends now—you knew I would anyway, right?)

The Short Answer: Policy Wins over Preferences

The short answer is that if there’s a conflict between a policy setting and a preference setting, the policy setting will win. (So, for instance, items in Computer and User Configuration | Policies should always win over Computer or User Configuration | Preferences.)


Because only policies actually lock out the user interface of the application they manage (Explorer, Office 2003, etc.).

Preferences don't.

Remember, preferences are suggestions that you can give to the user’s application, but the user can usually just wipe them out if they want. (Although, GPPEs will re-apply again at policy refresh time by default.)

Here's a quick example to prove the point. In the example in Figure 1, I’m clicking Help to ensure that the Help menu is on the Start Menu for all Windows Vista machines using GPPEs. True, this is the default anyway, but by selecting it here, I’m laying down a preference that is always put on the machine.

Figure 1

However, if I use the policy setting User Configuration | Policies | Administrative Templates | Start Menu and Taskbar | Remove Help menu from Start Menu, as seen in Figure 2, the Help option disappears in the Windows Vista Start Menu.

Figure 2

But the general case here is that policies always beat preferences. Rock always beats scissors. Or does it? Can the rock crumble when it’s hit by the scissors? Let’s continue onward to see at least one interesting case where it doesn’t work that way.

The Middle-Length Answer: Sometimes Preferences Win over Policy

You need to be careful about assuming that policy always wins over preference. In fact, that’s not always true. Here’s an example we can use to prove it:

  1. Create a single GPO and link it to a Windows Vista or Windows Server 2008 machine that uses the Internet Settings preference extension to set the Internet Explorer 7 proxy server to with port 8080. You can see a shot of this in Figure 3.

  2. Then, use Group Policy’s Internet Explorer Maintenance to set the proxy to with a port of 8282. You can see a shot of this in Figure 4.

  3. Then, refresh your client via GPupdate and fire up Internet Explorer 7.

Uh oh. This seems to break the laws of nature! How can preferences win over policy? Because Internet Explorer Maintenance policy isn’t really policy. Indeed, by setting the IE Home page using Internet Explorer Maintenance, the value goes to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings in a value called ProxyServer, as seen in Figure 5. And since this is not a place for a true policy, it must actually be a preference.

Figure 5


Indeed, the value that’s being set is exactly the same for both the IE Group Policy Preference and Internet Explorer Maintenance.

Why does one win over the other? I’ll show you the nuances of why in the next section.

But for now, it turns out there is a clever way to attain our goal; which is to force an IE proxy server and lock it down so users cannot change it.

Check out an obscure Administrative Templates policy setting named Disable changing proxy settings (located in User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer). A-ha! That’s true policy, so hopefully that will perform some kind of lockdown, as shown in Figure 6!

Figure 6

But why then does that Administrative Templates setting named Disable changing proxy server settings work in a way the other guys don’t? Because IE 7.0 (and 6.0 and 5.0) are all coded to look in the proper policies keys. And if there’s a value there that IE recognizes, then IE makes sure to honor that.

And it does.

The end result is that true policy wins. You can see this in Figure 7 where the proxy server entry’s values are taken from the preferences, but it’s locked down via the policy.

Figure 7

For most people, the medium-length answer will be good-enough. But you’re not most people. You’re looking for the most detailed knowledge you can get. So if you’re curious to know why the Internet Explorer GPPE won against the Internet Explorer Maintenance Group Policy settings, read on for The Longer Answer.

The Longer Answer: Understanding CSE Timing and Overlap

To get to the bottom of this mystery, we need to understand when Group Policy applies. Recall that the Group Policy system is a last-written-wins technology. So, if you have an overlap between, say, the domain level and the OU level, the default is that the OU level will win because it was written last.

But now things become markedly more confusing. Not only is there overlap between Active Directory levels (site, domain, OU) for some of the features above, there’s overlap at the feature level, where two or three CSEs compete to write their data last.


There is some order in this chaos. But to understand it you’ll need an intimate understanding of what happens when the CSEs process (in the foreground and in the background). In short, the CSEs process in the order seen in Figure 8. This is a script you can download from called FindGPOsByPolicyExtension.wsf.

This exposes the same information as if you went to the following Registry key on a machine with the GPPE extensions loaded: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.

There, you’ll see the registrations for all CSEs. The GUID of each CSE dictates the order in which things will process. They’ll process alphabetically, by GUID. So, Wireless Group Policy fires off first (that’s a classic Group Policy setting), then Group Policy Environment (that’s a new GPPE CSE), then Group Policy Local Users and Groups (another new GPPE CSE), then Folder Redirection (a classic Group Policy CSE), and so on.

Figure 8


So on the surface, it appears that if you had a conflict with both classic Group Policy settings and newer GPPE settings, you could just see which one ran last and bank on that setting always “winning.”

But that’s only true if the two CSEs end up writing to the exact same places. While this is precisely what we encountered with the Internet Proxy server setting, usually two technologies don’t write to exactly the same place. The tie will be broken when an application is coded to look in the proper policies keys. And, if there’s a policy setting in those keys, the target application will honor the policy, not the preference.

In our mystery, it’s now easy to understand why the Internet Explorer GPPEs (listed as Group Policy Internet Settings) in Figure 8 “won” over the IE Maintenance settings (listed as Internet Explorer Zonemapping and Internet Explorer Branding). The new Internet Explorer GPPE CSE (Group Policy Internet Settings) applies after the original Internet Explorer CSEs.

But in neither case are we actually applying policy. We’re really just applying preferences—using two different kinds of technology. We finally got it to work the way we wanted when a true policy was applied, and Internet Explorer saw the policy in the policies keys and acted accordingly.
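
The "is it in the policies keys?" test that decided this case can be run mechanically against an ADMX template. The following is an added example, not code from this newsletter or from Microsoft: the sample ADMX is constructed, Test-PolicyKey is a hypothetical helper name, and the four policies locations are assumed to be Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies under HKLM and HKCU.

```powershell
# Added example. ADMX "key" attributes omit the hive, so the four
# policies locations reduce to two hive-relative roots (assumption above).
$PolicyRoots = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-PolicyKey {
    # Hypothetical helper: $true when the key sits under a policies root.
    param([Parameter(Mandatory = $true)][string]$Key)

    # Accept full paths too by dropping a leading hive name.
    $k = $Key -replace '^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKLM|HKCU):?\\', ''
    foreach ($root in $PolicyRoots) {
        # Require the backslash so "Software\PoliciesBackup" does not pass.
        if ($k -eq $root -or
            $k.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Constructed sample template: one setting under a policies key, one
# hand-made setting that writes the ProxyServer value discussed above,
# and one lookalike key.
[xml]$admx = @'
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="DisableProxyChange" class="User"
            key="Software\Policies\Microsoft\Internet Explorer\Control Panel"
            valueName="Proxy" />
    <policy name="HandMadeProxyServer" class="User"
            key="Software\Microsoft\Windows\CurrentVersion\Internet Settings"
            valueName="ProxyServer" />
    <policy name="LookalikeKey" class="Machine"
            key="Software\PoliciesBackup\Contoso"
            valueName="Enabled" />
  </policies>
</policyDefinitions>
'@

# For a real template use: [xml]$admx = Get-Content 'path\to\template.admx'
# Only the policy-level key is checked; nested <elements> can carry their own.
$admx.policyDefinitions.policies.policy | ForEach-Object {
    $p    = $_
    $hive = switch ($p.class) {
        'User'    { 'HKCU' }
        'Machine' { 'HKLM' }
        default   { 'HKLM+HKCU' }
    }
    [pscustomobject]@{
        Name     = $p.name
        Location = "$hive\$($p.key)"
        Value    = $p.valueName
        Kind     = if (Test-PolicyKey $p.key) { 'Policies key' }
                   else { 'Outside policies keys (preference)' }
    }
} | Format-Table -AutoSize
```

Only the first sample entry is reported as a policies key; the other two would tattoo.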

Whew. All this stuff can give you a headache. This “who will win” stuff is really confusing, and I haven’t tested every case. Be sure to test all interactions in a test lab before you roll out settings into production.

Other Items That Can Affect Group Policy and GPPE Processing

If you download Chapter 4 of Book 1, you will learn about various policy settings found at Computer Configuration | Policies | Administrative Templates | System | Group Policy that have the configuration option to “Process Even If the Group Policy Objects Have Not Changed.” (It's in the section called “Using Group Policy to Affect Group Policy.”)

If this option is turned on for a particular CSE, then that CSE will always try to rewrite its configuration data—upon every single refresh. Again, that’s not the default for classic Group Policy, but it is an option on a CSE-by-CSE basis.

However, this same “always try to rewrite configuration data” mantra is held by the GPPE CSEs by default, but it can also be set such that the data is laid down once and never rewritten.

So knowing this information, you might have to do a little mental math to figure out which one is going to win if you have conflicting policies plus the wildcard settings.
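
To take some of the mental math out of it, this added example (not the FindGPOsByPolicyExtension.wsf script and not code from the books) lists the registered CSEs in the alphabetical-by-GUID order described above and shows, per CSE, whether it is set to process when the GPO list has not changed. Get-CseOrder is a hypothetical function name; the example assumes the per-CSE policy override is stored as NoGPOListChanges under HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{GUID}, where 0 means "process even if the GPOs have not changed" and 1 means skip.

```powershell
# Added example: CSE processing order plus the reprocess flag per CSE.
$cseRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

function Get-CseOrder {
    $n = 0
    Get-ChildItem -Path $cseRoot | Sort-Object PSChildName | ForEach-Object {
        $guid = $_.PSChildName
        $reg  = Get-ItemProperty -LiteralPath $_.PSPath

        # A policy setting for this CSE, if configured, lands here (assumption above).
        $overridePath = Join-Path $policyRoot $guid
        $override = $null
        if (Test-Path -LiteralPath $overridePath) {
            $override = (Get-ItemProperty -LiteralPath $overridePath).NoGPOListChanges
        }

        $n++
        [pscustomobject]@{
            Order              = $n
            Guid               = $guid
            Name               = $reg.'(default)'
            # Raw values on purpose: blank means the value is not present.
            RegisteredNoChange = $reg.NoGPOListChanges
            PolicyNoChange     = $override
        }
    }
}

Get-CseOrder | Format-Table -AutoSize
```

When two CSEs write the same value, the one lower in this list writes last; a 0 in either flag column marks a CSE that rewrites its data on every refresh.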

The Group Policy Results reports, which are discussed in Chapter 2 of Book 1, are going to be helpful in figuring out which settings ultimately applied, but they’re not going to be helpful in your understanding of why the setting ultimately applied.

Hopefully, this newsletter helps you out. This section is lightly lifted from Chapter 10 of Book 1 where I discuss this topic in even more depth.

If you want to conquer Group Policy Preference Extensions, consider taking my Group Policy 2.0 Training at

OMG: Now Jeremy has Two Books on Group Policy!

I've been in deep, deep quarantine the last 9 months or so. I spent three quarters of a year to get the most awesome tips, tricks, how-tos, and deep-dive information on Group Policy to you. And it took two books to do it. So, let me explain how the two books work.

The books are Companion Books to each other. Not exactly "Volume I/Volume II." But, they do go together like peanut butter and jelly.

Lucy and Desi. Group and Policy.

You get the idea.

Start out with Book 1, which is really called Group Policy Fundamentals, Security, and Troubleshooting. You already know this book, but it’s been rev’d for 2008 with the following new superpowers:

  • How to create a modern management station with RSAT and the GPMC 2.0
  • GPMC 2.0 Features: Filters, Comments, and Starter GPOs
  • Microsoft’s Advanced Group Policy Management Tool (AGPM)
  • Powershell with Group Policy (ooohhhh yeahhh!)

And the crown jewels...

  • The Group Policy Preference Extensions: 21 new features you positively must have

But to make room for all that stuff, I moved some “Group Policy Friends of the Family” from Book 1 to Book 2. Book 2 is really called Creating the Secure Managed Desktop: Group Policy, SoftGrid, and Microsoft Deployment and Management Tools. But now Book 2 is fortified with EVEN MORE AWESOMENESS. Re-read the title of Book 2 again. Let’s break it down:

The main title is:
“Creating the Secure Managed Desktop”

And you do that by first knowing Group Policy Fundamentals (that’s Book 1). You’ll take your Group Policy knowledge and put it to PRACTICAL use here in Book 2. Start out by using Microsoft’s new Microsoft Deployment Toolkit.

Then move on to create the managed desktop with Roaming Profiles, Offline Files, the Sync Manager and more.

Deploy software to your machines using Group Policy and Microsoft’s newest tool: SoftGrid. Yep, to my knowledge this is the only book that has any real, meaty SoftGrid coverage. We have three MEGA chapters on SoftGrid. You’ll learn how to deploy your first servers, learn all about the architecture, and learn how to sequence applications like a pro. Truly a one-of-a-kind resource. I had help from Shortstop Eric Johnson with two SoftGrid chapters. Way to hit one (well, two) out of the park!

Continue on and learn how to lock down machines. Use WSUS to protect and patch your machines (thanks to Greg Shields for that awesome chapter), use Network Access Protection (NAP) to keep unhealthy machines off the network, and learn to use Windows SteadyState to put the full smackdown on your most critical machines.

Wrap up the book with a little printer magic and finishing touches, and I’m totally confident you’re going to love this newest member of the Group Policy book family.

Here’s the best part: you can pre-order copies at Or, better yet (and this is going to blow your mind) you can download just specific chapters you might want, today, as eChapters.

That’s right. I’ve worked it out so you can buy just the chapters you need. Some people will want BOTH the eChapters and the actual books. Some may want one medium. It’s up to you. Your choice.

Just head over to and explore the books’ contents then select “Download eChapters now.” When you do, you’ll be able to select the chapters from each book. Go ahead and mix and match. Just put checkmarks next to the chapters you want to download and select “Buy Selected eChapters Now” as seen here. We have a FAQ on the same page you should read before you buy. But by all accounts, people are very happy with their PDF purchasing experience.

If you want signed copies, select Pre-Order Your Signed Hard Copy Now. Then once we get the books in stock, we’ll send them to you right away.

We’re expecting the first one at the end of April, and the second one at the end of May.

So, not far off. Pre-order your hard copy now and you'll be the first kid on the block when the books come in.

Let me know what you think of the chapters as you download them!

About Training

I hate the word "bootcamp," but I guess that's what it is. So, if you want your butt kicked in Group Policy (in a kind, gentle way), then join me for the full week of Group Policy awesomeness:

  • Two Day Essentials Group Policy Training and Workshop
  • Two Day "Group Policy 2.0" Training for Vista, Server 2008 and the Group Policy Preference Extensions and
  • One-Day Advanced Group Policy Training

"I finally figured out how we would block out USB ports, games and lockdown users. This alone made the entire class an extremely valuable and fun learning experience. I learned how to use Vista's event viewer to track a single event in group policy - so easy but powerful!

I learned how to set up various restrictions on a PC for different users. A tremendously valuable feature! I cannot wait to get back to the office and implement what I have learned.

I highly recommend the whole week to anyone who has anything to do with Group Policy. Nothing beats these classes, nothing." -- Mark Latham, PC Support Specialist, Mercy Regional Medical Center

Learn more about each course here:

You can take the full week, or join us for just the classes you need.

Announced Classes:

  • May 5 - 9: Kansas City, MO (Lenexa, KS, really)
    • Class is declared ON. If you sign up now, you'll be guaranteed a seat.
    • It's the full week: Group Policy Essentials Course, Group Policy 2.0 Catch-up and Advanced One Day Course
  • No other cities are announced yet. Maybe more coming soon, but I suggest if you want to get GP 2.0 with Group Policy Preferences training, then come to Kansas City!

For any public class, sign up online at:

What about OTHER CITIES in 2008?

We have a new "Suggest a city" form at .

Even if you've used this before, please re-suggest your cities, as we have a new back-end tracking system. Thanks!

Private courses

I have limited dates remaining in 2008 for private classes. But call me soon, and we might be able to work it out. If you think you might want your own private in-house training (with all the personalized attention that affords), don't keep it a secret.

Call me.

If you have even a handful of in-house people interested in the training (about 6–8), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, Japan—or wherever! Have passport, will travel!

Join the thousands of administrators (and managers!) who have gotten smarter using the technology they already have.

For a public class, sign up online at:
For a private class, just contact me at [email protected] or call me at 302-351-8408.


Become a Partner/Affiliate

Amazon had a great idea. Put up some links on your web site for stuff you love, and when people buy stuff you recommend, you get some extra dough. We now have a similar program. It's super easy to sign up and get started. We provide you with your own tracking links and you get credit each time someone signs up for a class or signs up to be on our Newsletter/Tips.

It's that easy. Learn more about the program and start making some extra dough today by checking out

Don't forget our Sponsors

I can't tell you how often I hear that people LOVE the Solutions Guide we have at Inside, you'll find both free and third-party products which extend the reach of Group Policy, or let you do something you haven't discovered before!

So, head on over to the Solutions Guide and see what other goodies are available!

Be a "Booster"

Do you feel you get value out of and want to see us grow? Well, I'm a Group Policy guy, not a web guy, so I need to pay for my web services somehow and enhance the site and bring you more stuff (both features and content).

If you'd like to help out, please consider making a one-time donation, or become a monthly Booster for just $5 a month. If you and just 500 other people do it, I'll be able to pay for all the web bills each month and really take the site up a notch.

To help and donate, here's how:

Thank you for your support!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription information, we have a one-stop-shop page at the following address:

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, Inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: [email protected]

Please POST your technical question on the forum whenever possible.

If you have questions about ordering a book or signing up for a public class, contact my assistant Margot at: [email protected]. I endeavor to respond to everyone who emails.

Thanks for reading!