Thursday, December 06, 2007

Windows Vista SP1 Release Candidate is out there!

From the Vista Team blog:
Today we're making available the release candidate (RC) of Windows Vista SP1 via Microsoft Connect, and tomorrow subscribers to TechNet and MSDN will have access to those RC bits too. In addition, the RC will be available to the public next week via Microsoft's Download Center.

Check out the Vista Team blog here!


Go get it!

/Jakob

Windows Server 2008 RC1 in Public Beta!

Today Microsoft made available for download the Release Candidate 1 (RC1) version of Windows Server 2008!

This build includes Group Policy Preferences - you HAVE TO try it out!

Download your evaluation copy here!


/Jakob

Wednesday, December 05, 2007

Group Policy Changes in WS2008 article - part 3

Hi,

Just want to let you know that my latest article about "Group Policy related changes in Windows Server 2008" is released on www.windowsecurity.com.

This 3rd article in the series deals with the new and shiny Group Policy Preferences - read more here...


I hope you like it!!!

/Jakob

Saturday, December 01, 2007

Formatting "Message text for users attempting to log on"

If you have ever tried defining the Security Options policy setting called "Interactive logon: Message text for users attempting to log on", you may have had some difficulties formatting the message the way you wanted it. This post is about how to work around a minor bug in the GPEDIT tool...


The issue:

First things first - the Group Policy setting is located here:

"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\"

The value is a Multi-String (REG_MULTI_SZ) registry value, so the message can have multiple lines. It pops up right after a user hits Ctrl+Alt+Del, as a general warning before the user actually logs on. Unfortunately, the formatting isn't as perfect as it could be.

What happens is that the empty lines are lost when this "pre-logon message" is formatted with GPEDIT. Imagine you want a message like this (see Figure 3):

--->

I don't know why this should be so hard? Jump next line please...

Let's do a comma, and continue the line...
Line number 4 is ready, but let's jump line 5 & 6 now...


Line 7 finishes up this story!

<---

Such a message would end up as (see Figure 5):

--->

I don't know why this should be so hard? Jump next line please...
Let's do a comma, and continue the line...
Line number 4 is ready, but let's jump line 5 & 6 now...
Line 7 finishes up this story!

<---

So, basically the problem is: the empty lines (the extra line feeds/carriage returns) disappear completely, while the line breaks between the lines of text survive!

You can actually see this within the GPEDIT GUI, but only if you hit "Apply" before "OK" - if you just hit "OK" after typing in your message you cannot see that GPEDIT has actually changed it (so you think the formatting works as it should). I tested this behavior with GPEDIT on Windows XP SP2 (local policy), Windows Server 2003 SP1 (domain policy), Windows Vista SP Pre-RC (local policy) and Windows Server 2008 RC1 (domain policy).

Figure 1 - I typed in my message with the format I wanted:

Figure 2 - I clicked Apply, and the formatting was changed:

If I had just clicked OK I wouldn't have noticed the change - anyway, it's a bit annoying, right?


Solution/Workaround:

The solution I came up with is to modify the policy file directly/manually using Notepad. The file is located here:

"\\DOMAIN.local\SYSVOL\DOMAIN.local\Policies\{GPO-GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

Within that file, in the [Registry Values] section, we have the relevant registry value, called "LegalNoticeText" (the leading 7 is the registry value type, REG_MULTI_SZ, and the lines follow as a comma-separated list):

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don't know why this should be so hard? Jump next line please...," ",Let's do a comma"," and continue the line...,Line number 4 is ready"," but let's jump line 5 & 6 now...," "," ",Line 7 finishes up this story!

Notice the " " (<quote><space><quote>) sequences, which stand for the empty lines: INF syntax takes a quoted value literally, so each of them is a single space, which the logon screen shows as a blank line. For the same reason a comma that belongs to the text is written as "," so it isn't taken as a line separator.

That is the relevant line from a working GptTmpl.inf file (the correct syntax written by hand), and it actually works great:

Figure 3 - Pre-logon message on a Windows Server 2003 SP1 Domain Controller: 

Figure 4 - The above inserted GptTmpl.inf line also works for Windows XP SP2 in the same domain:

So, this proves that the INF file can be formatted correctly so that clients (tested with WS2003 SP1 and XP SP2 in a domain) show the message perfectly. Please note that the behavior is similar with local policies, but my testing has focused on domain environments so far.

If you modify the working policy setting with GPEDIT again - changing just a tiny bit, or even just hitting OK on the existing setting - the formatting/syntax is ruined again when GPEDIT saves the GPO, unfortunately! Look what came out of it when I tested it:

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don't know why this should be so hard? Jump next line please...,Let's do a comma"," and continue the line...,Line number 4 is ready"," but let's jump line 5 & 6 now...,Line 7 finishes up this story!

Notice that the " " (<quote><space><quote>) sequences are gone, while the "," escapes survived! This gives the wrong result (no empty lines) when clients get the pre-logon message.

Figure 5 - The formatting is lost (or wrong) when GPEDIT does the job:


Please note that if you're testing this, you also have to define an additional policy setting for the message to appear at all, namely "Interactive logon: Message title for users attempting to log on".

Figure 6 - The title must be set for pre-logon message to appear


Conclusion

So, my conclusion is that the existing version of GPEDIT doesn't modify the GptTmpl.inf file properly (or the registry, for local policies) - for this particular value at least... My best guess is that it doesn't handle the quotes (") correctly, but I can't be 100% sure. A bug report has been filed with Microsoft - so hopefully it will be fixed before the final release of Windows Server 2008 and the Remote Server Administration Tools (RSAT).

However, as mentioned, you can make it work with a workaround like this: edit GptTmpl.inf (below SYSVOL) manually, make a backup of the file when it's perfect - and never touch that GPO with GPEDIT again... until Microsoft releases an updated version of GPEDIT anyway.
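The workaround above, scripted. This is an added example and not code from the original post: it builds the LegalNoticeText line with the quoting convention shown above (a comma in the text becomes "," and a blank line becomes " "), writes it into the GPO's GptTmpl.inf under SYSVOL while keeping a backup, and afterwards decodes the file again to check that the blank lines are still there - which is also how you can tell when GPEDIT has been at it. The function names, the sample path and the {GPO-GUID} placeholder are this example's own.

```powershell
# Added example, not code from the original post. Quoting rules used, taken from
# the working GptTmpl.inf line above:
#   a literal comma inside a line is written as  ","   (a quoted comma)
#   a blank line is written as                   " "   (a quoted single space)

$KeyName = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'

function ConvertTo-InfMultiSz {
    # Encode message lines as the text after "LegalNoticeText=" (7 = REG_MULTI_SZ).
    param([string[]]$Lines)
    $fields = foreach ($line in $Lines) {
        if ($line.Length -eq 0) { '" "' } else { $line.Replace(',', '","') }
    }
    return '7,' + ($fields -join ',')
}

function ConvertFrom-InfMultiSz {
    # Decode the value text back into lines; commas split fields only outside quotes.
    param([string]$Value)
    if (-not ($Value -match '^7,(.*)$')) { throw "Not a REG_MULTI_SZ (type 7) value: $Value" }
    $fields   = New-Object System.Collections.ArrayList
    $current  = New-Object System.Text.StringBuilder
    $inQuotes = $false
    foreach ($ch in $Matches[1].ToCharArray()) {
        if ($ch -eq '"') { $inQuotes = -not $inQuotes; continue }
        if ($ch -eq ',' -and -not $inQuotes) {
            [void]$fields.Add($current.ToString()); $current.Length = 0; continue
        }
        [void]$current.Append($ch)
    }
    [void]$fields.Add($current.ToString())
    # A field that is exactly one space is the blank-line placeholder.
    return @($fields | ForEach-Object { if ($_ -eq ' ') { '' } else { $_ } })
}

function Test-LegalNoticeText {
    # Read the stored message from GptTmpl.inf (a Unicode/UTF-16 text file) and
    # compare it line by line with what was intended; returns $true on a match.
    param([string]$GptTmplPath, [string[]]$ExpectedLines)
    $line = Get-Content -LiteralPath $GptTmplPath -Encoding Unicode |
            Where-Object { $_ -like "$KeyName=*" } | Select-Object -First 1
    if (-not $line) { Write-Warning "LegalNoticeText is not set in $GptTmplPath"; return $false }
    $actual = @(ConvertFrom-InfMultiSz ($line.Substring($KeyName.Length + 1)))
    $same = ($actual.Count -eq $ExpectedLines.Count) -and
            (@(0..($actual.Count - 1) | Where-Object { $actual[$_] -ne $ExpectedLines[$_] }).Count -eq 0)
    if (-not $same) {
        $blanks = { param($a) @($a | Where-Object { $_ -eq '' }).Count }
        $msg = 'Stored message has {0} lines ({1} blank); expected {2} lines ({3} blank)'
        Write-Warning ($msg -f $actual.Count, (& $blanks $actual), $ExpectedLines.Count, (& $blanks $ExpectedLines))
    }
    return $same
}

# The message from the post, as lines (blank lines are empty strings).
$message = @(
    "I don't know why this should be so hard? Jump next line please...",
    '',
    "Let's do a comma, and continue the line...",
    "Line number 4 is ready, but let's jump line 5 & 6 now...",
    '', '',
    'Line 7 finishes up this story!'
)
$value = ConvertTo-InfMultiSz $message
"$KeyName=$value"      # reproduces the hand-written line shown above

# Write it into the GPO's GptTmpl.inf (placeholder path), keeping a backup, then verify.
$inf = '\\DOMAIN.local\SYSVOL\DOMAIN.local\Policies\{GPO-GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
Copy-Item -LiteralPath $inf -Destination "$inf.bak"
$content = Get-Content -LiteralPath $inf -Encoding Unicode | ForEach-Object {
    if ($_ -like "$KeyName=*") { "$KeyName=$value" } else { $_ }
}
Set-Content -LiteralPath $inf -Value $content -Encoding Unicode
Test-LegalNoticeText -GptTmplPath $inf -ExpectedLines $message
```

The script only rewrites a LegalNoticeText line that is already present, so define the message (and the title setting it depends on) once in GPEDIT first, then run this to repair the formatting; running Test-LegalNoticeText again later is a quick way to find out whether someone has opened the GPO in GPEDIT and flattened the blank lines. Two things to keep in mind with a manual SYSVOL edit: clients only re-read a GPO when its version number changes, and the security settings extension reapplies its settings on its own periodic schedule (by default every 16 hours) even when nothing changed, so use gpupdate /force on a test client if you want to see the result right away.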


Related KB articles out there:
KB 330618
KB 238149
Technet article



Wednesday, November 28, 2007

Remote Server Administration Tools (RSAT) in beta

Microsoft Remote Server Administration Tools (RSAT) are now in Beta, available on https://connect.microsoft.com/ - I just got hold of them!

The download contains:
Remote Server Administration Tools Beta Fact Sheet.docx
Windows6.0-KB941314-x64.msu
Windows6.0-KB941314-x86.msu

Still waiting to install on my Vista SP1 Beta...


[UPDATE]
Install went just fine - but some admin tools are still not included (see readme for more info).

This is the exact download location:
http://connect.microsoft.com/windows/Downloads/DownloadDetails.aspx?DownloadID=9561

More info:
http://blogs.technet.com/windowsserver/archive/2007/11/28/remote-server-administration-tools-rsat-beta-is-now-available.aspx

Sunday, November 25, 2007

Group Policy Changes in WS2008 article - part 2

Hi,
Just want to let you know that my latest article about "Group Policy related changes in Windows Server 2008" is released on www.windowsecurity.com.

This 2nd article in the series deals with the Group Policy Management Console (GPMC) version 2 - read more here...

Part 3 about Group Policy Preferences is soon to be published too.... Enjoy!



Tuesday, November 20, 2007

Windows SteadyState v2.5 Beta

If you have ever tried out the Shared Computer Toolkit - or the newer Windows SteadyState toolkit, you probably know that Windows Vista has not been supported so far... But now it's here - go get it:

Windows SteadyState 2.5 Beta
http://www.microsoft.com/downloads/details.aspx?FamilyId=4DE91D3A-69F4-4D7B-94B1-C69B8BE029F4&displaylang=en

Windows SteadyState 2.5 Beta Handbook
http://www.microsoft.com/downloads/details.aspx?familyid=D173452A-CE26-4F26-9C30-982F705F84D2&displaylang=en

Windows SteadyState 2.5 Beta Readme File
http://download.microsoft.com/download/E/2/F/E2F23589-E8E1-404F-9DAB-77F1CAE24153/ReadmeBeta.txt

Supported Operating Systems:
Windows Vista: Business/Home Basic/Starter/Ultimate/Enterprise/Home Premium
Windows XP: Home/Professional with Service Pack 2

Jeremy Moskowitz in RunAs Radio

Richard Campbell & Greg Hughes from RunAs Radio talk to my good friend Jeremy Moskowitz about Group Policy - who would have guessed, right :-)

Check it out here: http://www.runasradio.com/default.aspx?showNum=32

My WindowSecurity.com articles...

Hi,
This is a list of my articles on www.windowsecurity.com for reference - if you haven't read them yet, please do so!

Group Policy related changes in Windows Server 2008 (Part 1: What are Starter GPOs?)
This article series deals with the new Group Policy features W2008 will bring, including GPMC v2 features and Group Policy Preferences.
http://windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html

Protect Public Computers with Windows SteadyState (Part 1)
This article series deals with the Windows SteadyState product and how to protect public computers using this toolkit.
http://windowsecurity.com/articles/Protect-Public-Computers-Windows-SteadyState-Part1.html

Configuring Granular Password Settings in Windows Server 2008 (Part 1 & 2)
This article series deals with how to set Granular Password Policies for WS2008 domains.
http://windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
http://windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part2.html

Efficient Registry Cleanup
This article deals with Group Policy Startup scripts and why they are so powerful.
http://windowsecurity.com/articles/Efficient-Registry-Cleanup.html

Default Deny All Applications (Part 1 & 2)
This article series deals with Software Restriction Policies and how to implement SRP in a corporate environment.
http://windowsecurity.com/articles/Default-Deny-All-Applications-Part1.html
http://windowsecurity.com/articles/Default-Deny-All-Applications-Part2.html

How to Force Remote Group Policy Processing
This article shows how to update Group Policy settings on remote computers using different approaches.
http://windowsecurity.com/articles/How-Force-Remote-Group-Policy-Processing.html

Managing Windows Vista Group Policy (Part 1, 2 & 3)
This article series deals with the new things in Group Policy land after Windows Vista joined the world.
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part1.html
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part2.html
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part3.html


All feedback is very welcome - just send me an email!

Sunday, November 18, 2007

Free PowerShell Cmdlets for Group Policy

Group Policy MVP Darren Mar-Elia has released some new PS cmdlets for handling Group Policy Objects using PowerShell.

Check them out here:
http://www.gpoguy.com/powershell.htm

I hope you'll like it!
/Jakob

Tuesday, November 13, 2007

AGPM whitepaper out there

Just a "quick note" this time!

A nice looking whitepaper is available from the Microsoft Group Policy Team... This time it's an AGPM overview: Advanced Group Policy Management Overview

Group Policy Revolution Coming Up!

It's exciting, fantastic, amazing, wonderful and totally cool - Microsoft has FINALLY announced what is going to happen with the PolicyMaker stuff they got when taking over DesktopStandard... It's going to be released with Windows Server 2008, as many of us had hoped for!

This is just GREAT, I can tell you - and it will be available to the public with the RC1 release of Windows Server 2008, maybe even before as a separate Beta program, I'm told...

Microsoft decided to call it "Group Policy Preferences" or just "GP Preferences". So, what can we do with this you ask? Well, here's some of it:

  • Map network drives
  • Set Environment variables
  • Copy Files to clients
  • Create and update INI files
  • Modify registry settings on the clients (REG_SZ, REG_DWORD, REG_BINARY, REG_MULTI_SZ, and REG_EXPAND_SZ )
  • Create Shortcuts (URL/File/Shell)
  • Open Database Connectivity (ODBC)
  • Control Devices
  • Set Folder Options
  • Define File Associations
  • Tweak Internet Settings
  • Handle Local Users and Groups (change passwords, add/remove from groups, disable users etc.)
  • Set Network Options (like VPN or Dial-Up connections)
  • Configure Power Options (Windows XP)
  • Map Printers (even TCP/IP printers)
  • Set Regional Options
  • Create Scheduled Tasks
  • Set properties on Services
  • Tweak the Start Menu
  • and so on....

As you can see, it's quite impressive and something that will make companies around the world turn to Windows Server 2008 ASAP... I think and hope anyway!

The client part, a necessary extension which must be installed on the client, will be ready for Windows XP/2003/Vista - and in both x86 and x64 editions. Windows Server 2008 already includes the CSE (Client Side Extension).

There's SO much to tell, and SO little time... But a whitepaper is ready (a REALLY nice one of its kind) - thank you Microsoft!

Download the whitepaper here:
An Overview of Group Policy Preferences

Microsoft IT Forum 2007 Barcelona

Hi there,

I've been pretty busy the last few days - so I haven't had time to create this "hello from Barcelona" post, but now it's here :)

This year is a little special for me as it's the first time participating as a HOL (Hands-On-Lab) Proctor and an ATE (Ask The Expert - or "Ask The so called Expert")... So I'm working for Microsoft some hours during the day, which means I cannot attend all the sessions I might want - but so far I've been very lucky.

I'm assigned to the MDOP (Microsoft Desktop Optimization Pack) labs - so for me it's SoftGrid, AGPM (Advanced Group Policy Management), Desktop Error Monitoring, DART (Diagnostics and Recovery Toolset - which is actually the good old "Administrator's Pak" from the former Winternals, including the Locksmith utility to reset passwords...) - most attendees seem to focus on SoftGrid and AGPM though (as expected).

I've met a lot of Danes down here - we are around 250 this year - that is really great I think (compared to the size of the country). Many companies can see the value of TechEd apparently - I can understand why. For me it's not only the technical news, info and sessions, but also meeting people from around the world, from my own country, from Microsoft and vendors - and doing some good old "social networking" - which is very valuable, both short and long term.

Hope to see you soon (or maybe next year).

SoftGrid is now Microsoft Application Virtualization

I hope you have tried out SoftGrid (part of the cool MDOP package) - but, now we gotta start using a new name: "Microsoft Application Virtualization" - or actually "System Center Application Virtualization Management System "...

We all know the Microsoft way of doing this by now: buy the technology/product, start selling with the good old (well known) name, change the name - and some would add: then, as the very last part of the process, change the naming within the code, like "Softricity" folder names, service names etc. (as they often "forget" about this).

Nevertheless, a Public Beta version is available for the NEW version 4.5 (most have 4.2 out there, I guess). The Beta is available from Microsoft Connect - just sign up and ask to participate in the "Application Virtualization 4.5 Public Beta".

You then ask: what's the new stuff? First of all, we of course have a lot of bugfixes, but you also get new and cool functionality worth a lot of nice words - but I'm afraid that's gonna be another time, sorry.

However, check these links:
Microsoft Application Virtualization 4.5 Beta – What’s New
Microsoft SoftGrid Application Virtualization


Hope you will like it!

Monday, November 12, 2007

ADMX Migrator version 1.2

Good news from IT Forum Barcelona:

ADMX Migrator has been upgraded and now includes:

(1) Enhancements and bug fixes to support a wider range of ADM templates for conversion to ADMX.
(2) Enhancements to code and documentation for conversion error reporting and warnings.
(3) Improved handling of internationalized ADMX templates.

Get it here:

http://go.microsoft.com/fwlink/?LinkId=77409


Great stuff!


Tuesday, October 16, 2007

Sysprep - Generalize - SID

I create millions and billions of Virtual Machines - ok, maybe not that many, but it feels like it. Every time I have copied the physical files (VHD/VMC) a number of things must be done if I want to join those virtual machines to my domain(s) - most importantly: the machine's SID (Security ID) must be re-generated to be unique, and the computer must be renamed of course.

So, here's the thing. Back in the good old days you had to find the Windows CD, find and extract the Deploy.CAB file to your hard drive and then execute the SYSPREP.EXE tool. But with Windows Vista and Windows Server 2008 the SYSPREP file(s) can be found below:

%WINDIR%\System32\Sysprep - ready "out of the box", just waiting for you to go for it!

And this is the important thing (and the reason why I started this blog): If you want to create a new SID, remember to CHECK the "Generalize" checkbox - or else you have to start all over again... (The command-line equivalent of that checkbox is the /generalize switch, e.g. sysprep.exe /generalize /oobe /shutdown.)


During the following reboot a new SID is automatically generated - and you will have to type in your Product/License Key, provide a new Computer Name, select an Administrator Password etc.

You may have known this already - personally I didn't, because I tend to use the wonderful Sysinternals NewSID tool for this purpose in most cases (it's much faster)... However, that tool is not officially supported for Windows Server 2008 (or even Vista) at this time - but hopefully it will be soon?



Tuesday, October 02, 2007

Starter GPO's - what are they?

With Windows Server 2008 (Codename Longhorn) you will notice a new container called "Starter GPOs" inside the GPMC (version 2.0 - BTW this version will also be available as a separate download for Windows Vista with SP1).

This new container can hold what I would call "templates" for creating new GPO's - with the limitation that only Administrative Template settings are available. When creating new GPO's you can choose to use a Starter GPO as the source (read: template) - which makes it easy and fast to create multiple GPO's with the same baseline configuration.

But, the very cool thing is that you can now "export" those GPO templates (Starter GPO's) to a Cabinet file (.CAB) and then import into another environment - completely independent of the source domain/forest! So, you can create the PERFECT Starter GPO and then bring it around the world, share it on the Internet (if legal?), deploy it on all systems you can get a hold on etc. etc.

When you 'enable' Starter GPO's in the domain for the first time, a folder called "StarterGPOs" is created inside the SYSVOL folder (\\domain.com\SYSVOL\domain.com\StarterGPOs) - this is where all the "magic" is done... For each new Starter GPO you create, you will see a new folder below this StarterGPOs folder - each with a unique GUID (just like normal group policies). So, when you create a new GPO with a Starter GPO as source, a nice and simple COPY process is actually performed - the subfolders and files from the Starter GPO's GUID folder are just copied into the \\domain.com\SYSVOL\domain.com\Policies\[SomeNewGUID] folder - and wupti, you are ready to deploy...

Well, it may not be the same as the Templates we get with AGPM (Advanced Group Policy Management from the Desktop Optimization Pack) - but even if you don't have the required MDOP license you still get a few cookies for "free"...

One last thing - remember to create a separate backup process for Starter GPO's, as they are not backed up through the GPMC "Backup All" method you have for the regular GPO's - they have a separate backup procedure. So far there's no script for backing up the Starter GPO's, but I'm pretty sure one will show up (just like the BackupAllGPOs.wsf script).

And don't worry - if you should get an error like this:
"The overall error was: The system cannot find the path specified. Additional details follow"
&
"[Error] The backup configuration file [C:\xxx\Backup.xml] cannot be saved. The following error occurred: The system cannot find the path specified."

when performing a backup of your Starter GPO's, you are probably testing the RC0 release... That build has a known bug which has already been corrected (in RC1)!
But besides from this minor detail I say: Thumbs up for Starter GPO's!



Moskowitz videos

Hi,

Microsoft MVP, Jeremy Moskowitz, has 2 video interviews out there... Check them out:

Part 1 & Part 2



Saturday, September 29, 2007

GPMC Script Samples

Overview:
The Group Policy Management Console (GPMC) can be scripted by using a built-in COM object.

This package contains a great many script examples:
BackupAllGPOs.wsf
BackupGPO.wsf
CopyGPO.wsf
CreateEnvironmentFromXML.wsf
CreateGPO.wsf
CreateMigrationTable.wsf
CreateXMLFromEnvironment.wsf
DeleteGPO.wsf
DumpGPOInfo.wsf
DumpSOMInfo.wsf
FindDisabledGPOs.wsf
FindDuplicateNamedGPOs.wsf
FindGPOsByPolicyExtension.wsf
FindGPOsBySecurityGroup.wsf
FindGPOsWithNoSecurityFiltering.wsf
findorphanedGPOsInSYSVOL.wsf
FindSOMsWithExternalGPOLinks.wsf
FindUnlinkedGPOs.wsf
GetReportsForAllGPOs.wsf
GetReportsForGPO.wsf
GrantPermissionOnAllGPOs.wsf
ImportAllGPOs.wsf
ImportGPO.wsf
ListAllGPOs.wsf
ListSOMPolicyTree.wsf
QueryBackupLocation.wsf
RestoreAllGPOs.wsf
RestoreGPO.wsf
SetGPOCreationPermissions.wsf
SetGPOPermissions.wsf
SetGPOPermissionsBySOM.wsf
SetSOMPermissions.wsf
SampleEnvironment.xml
ScriptingReadme.rtf
SampleMigrationTable.migtable
Lib_CommonGPMCFunctions.js

System requirements:
Windows Server 2008 or Windows Vista

Download here:
http://www.microsoft.com/downloads/details.aspx?familyid=38c1a89b-a6d2-4f2a-a944-9236999aee65
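The same GPMgmt.GPM COM object the sample scripts use can be driven from PowerShell. Below is an added example, not one of the scripts in the package and not from the original posts: it backs up every Starter GPO in a domain, which is the script the Starter GPO's post above says does not exist yet (GPMC's "Backup All" and BackupAllGPOs.wsf only cover regular GPOs). It needs the Windows Server 2008 / Vista SP1 version of the GPMC, and the function name, domain name and backup folder are placeholders.

```powershell
# Added example, not from the GPMC script package or the original post.
# Uses the GPMC COM object (ProgID GPMgmt.GPM) from PowerShell.

function Backup-AllStarterGpo {
    param(
        [string]$DomainName,       # e.g. 'domain.local'
        [string]$BackupLocation    # folder that will hold one subfolder per backup
    )
    # Make sure the target folder exists; a missing folder is exactly the
    # "Backup.xml cannot be saved ... path specified" error from the RC0 note above.
    if (-not (Test-Path -LiteralPath $BackupLocation)) {
        New-Item -ItemType Directory -Path $BackupLocation | Out-Null
    }

    $gpm    = New-Object -ComObject GPMgmt.GPM
    $const  = $gpm.GetConstants()
    $domain = $gpm.GetDomain($DomainName, '', $const.UseAnyDC)

    # An empty search criteria object matches every Starter GPO in the domain,
    # the same way the sample scripts enumerate regular GPOs with SearchGPOs.
    $starterGpos = $domain.SearchStarterGPOs($gpm.CreateSearchCriteria())

    $done = @()
    foreach ($sgpo in $starterGpos) {
        $result = $sgpo.Backup($BackupLocation, "Scripted backup $(Get-Date -Format s)")
        try {
            $result.OverallStatus()    # raises an error if the backup reported any failure
        } catch {
            Write-Warning "Backup of '$($sgpo.DisplayName)' failed: $($_.Exception.Message)"
            continue
        }
        $done += New-Object PSObject -Property @{
            DisplayName  = $sgpo.DisplayName
            StarterGpoId = $sgpo.ID
            BackupId     = $result.Result.ID   # ID of the backup just written
        }
    }
    return $done
}

Backup-AllStarterGpo -DomainName 'domain.local' -BackupLocation 'C:\GPOBackups\StarterGPOs' |
    Format-Table DisplayName, StarterGpoId, BackupId -AutoSize
```

Run it from a machine with GPMC 2.0 installed, as a user who can read the Starter GPO folders under SYSVOL; each run adds a new backup subfolder (keyed by backup ID) under the chosen location, so prune old ones as part of the same job.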

Populate the Central Store?

If you are in a large international organization you might want to upload Vista ADML files for the different languages used on management computers to the Central Store.

Now you can download both ADMX and ADML files for Vista in a single package:
http://go.microsoft.com/?linkid=7471439

You might want to pick out only the languages needed (ADML files), as the whole package takes up around 80MB of SYSVOL space.

GP related changes - good MS article

Check out this article; it's really good as a "quick" summary of the GP related changes in Windows Vista/Windows Server 2008 (Longhorn):

http://technet2.microsoft.com/WindowsVista/en/library/5ae8da2a-878e-48db-a3c1-4be6ac7cf7631033.mspx?mfr=true

Tuesday, September 25, 2007

Windows Server 2008 RC0 is out there!

It's so exciting - Windows Server 2008 RC0 is out there and ready to be downloaded!

Read the team blog here:
http://blogs.technet.com/windowsserver/

Download CTP here:
http://www.microsoft.com/windowsserver2008/audsel.mspx

... or go get it from TechNet (if you are a subscriber).



Sunday, September 02, 2007

Windows Script 5.7 released!

Microsoft just gave us an updated version of the Windows Script engine that we all love so much... This version brings very few additions, but a great many fixes.

From release notes:
This release of Windows Script brings the improvements in scripting made during the Vista development cycle to downlevel platforms. During any release cycle we test with increasingly effective analysis tools designed to expose stability problems, memory leaks, and potential security weaknesses in code. The results from this testing comprise the vast majority of changes. Of course, we also include all the current security updates. This is the fastest, most robust, and secure release of Windows Script available.

Why Version 5.7?
The primary reason for changing the version number from 5.6 to 5.7 is to simplify servicing and support by synchronizing the versioning to a consistent scheme based on Vista build number. The minor version increase does not indicate significant new features. The scripting feature set is substantially the same as 5.6, with only minor additions.

What’s New
In addition to the general improvements noted above, the following are some of the notable changes in this release.

JScript
• This package includes the improved garbage collector (GC) shipped with Internet Explorer 7 and Vista. The new GC can dramatically improve the performance of applications that create large numbers of objects, such as Ajax-style web applications. These performance improvements are now available to users of earlier browsers. This work replaces and improves upon KB919237. If you have implemented KB919237, we recommend removing the registry keys.
• New progid JScript.Compact implements the JScript Compact Profile (ECMA 327). This is a profile of the ECMAScript language standard with a subset of features. See the ECMA 327 standard for more information.
• Update for new Daylight Savings Time rules.

VBScript
• VBScript defines a new global function GetUILanguage that returns the current default user interface language. This is the same value returned by the Windows API GetUserDefaultUILanguage. Script authors can now write code that is aware of the current user’s language preference.
• Fix crash when calling VBScript class objects from JScript.
• Fix problems with comparisons to NaN in some versions (KB901104).

VBScript and JScript
• Support for large address space on machines with > 2GB RAM (KB890048)
• Improved stack checking makes script more robust in the face of stack overflows.
• Fix miscellaneous TLS leaks and memory leaks, including using the RegEx object with more than 10 sub-matches.

Windows Scripting Host
• Fixed rare deadlocks in remote scripting. Prevents occasional hangs in remote scripts.
• Fixed propagation of error return codes in remote scripting. Error codes produced by remote scripts are more reliably returned to the client.
• Fixed attempting to load nonexistent wshenu.dll which created performance problem in login scripts.

Included KB’s
This release also contains fixes described in the following knowledgebase articles.
KB831191
KB834742
KB836863
KB890048
KB892296
KB901104
KB903648
KB906092
KB917344
KB919237 (superseded by new GC)
KB925753
KB933811
KB933812
KB933873
KB940284

Download here:
Windows Script 5.7 for Windows 2000
Windows Script 5.7 for Windows XP
Windows Script 5.7 for Windows Server 2003
Windows Script 5.7 Release Notes


Group Policy Diagnostic Best Practice Analyzer

Microsoft just released a free tool to search for errors in Group Policy configuration - a totally new and cool tool in the Best Practice Analyzer (BPA) series.

Download here:
GPDBPA for Windows XP
GPDBPA for Windows XP x64 Edition
GPDBPA for Windows Server 2003
GPDBPA for Windows Server 2003 x64 Edition

Read more here:
Microsoft KB 940122 article: "How to use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect and to analyze data"

Quote from KB article:
You can use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect data about an environment's Group Policy configuration. For example, you can use this tool to analyze a Group Policy configuration for the following purposes:

• To search for common configuration errors
• To discover and to diagnose problems
• To collect data for archiving

The account that you use to run the tool must have the appropriate permissions to access both the Active Directory database on an environment's domain controllers and the SYSVOL file structure that is maintained on those domain controllers. Additionally, the account must have local Administrator permissions on the Group Policy client.

There are two additional prerequisites for using the GPDBPA tool:
• The Microsoft .NET Framework version 1.1 or a later version must be installed on the computer on which the GPDBPA tool is installed.
• The Windows Management Instrumentation (WMI) service must be running on the environment's domain controllers.

Tuesday, July 17, 2007

Something nice for the wall

If you haven't got them already - those geeky posters from the July 2007 issue of TechNet Magazine visualizing the various features and components of Windows Server 2008 - go get them here, ready to print :-)


Tuesday, June 19, 2007

Windows SteadyState - the new and shiny Shared Computer Toolkit

Windows SteadyState is ready for download from Microsoft now - you can get it right here! It's free - you just need to pass the WGA test... Only pirate Windows users cannot pass that test, so what are you waiting for? :)

This toolkit is extremely efficient when it comes to protecting publicly available Windows XP computers (no support for Windows Vista, unfortunately).

In short Windows SteadyState is:
- Easier to set up
- Easier to use
- More Secure

Windows SteadyState website:
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

Tuesday, June 12, 2007

Microsoft Virtual Server 2005 R2 SP1 released

Hi!

Microsoft released Service Pack 1 for Virtual Server 2005 R2 - Enterprise Edition!

It can be downloaded here! More info available here!

Now all we need is 64bit support for the Guest OS :-)

Tuesday, June 05, 2007

Booth #914

I joined a session "Deep Dive into Microsoft Windows Vista Group Policy Changes and Troubleshooting" with Jeremy Moskowitz here in Orlando - and he was very good. He's a funny guy and it seemed like everybody in the room just loved him. Thanx for the inspiration Jeremy - you put on a nice show.

After the session I joined him at the SpecOps booth (#914) and spoke to some of the other Group Policy Gurus, like Darren Mar-Elia, J. Peter Bruzzese and the SpecOps employees. SpecOps were really focused on sharing info on their SpecOps Deploy product - so why not help them here ;-)

Tomorrow I hope to catch Derek Melber - a 'colleague' from www.windowsecurity.com - he was busy preparing for his upcoming Group Policy sessions so he didn't show today... I'll try to get back with a report from those sessions when possible.

I have to mention that it turned out Peter Bruzzese not only mentions me, but also quotes me, in his new book "Tricks of the Microsoft Windows Vista Master" * - as a "Vista Master" - thanx for the honor!


* Book is published by Que Publishing
ISBN-13: 978-0-7897-3689-5
ISBN-10: 0-7897-3689-6
Amazon link here!

Monday, June 04, 2007

Blogging from TechEd 2007 Orlando

Hi there,

I'm blogging "Live" from Microsoft TechEd 2007 in Orlando, Florida. It's an amazing event - and hopefully we will learn something new :)

You should be able to follow the blogs on the Microsoft TechNet Denmark website in Danish:
http://www.microsoft.com/danmark/technet/default.mspx

Direct links:
http://blogs.technet.com/dkitpro/archive/2007/06/04/jakob-blogger-fra-teched-i-orlando.aspx
http://blogs.technet.com/dkitpro/archive/2007/05/23/f-lg-med-i-jakobs-blog-om-bl-a-microsoft-group-policies.aspx

Saturday, May 19, 2007

Export a Local User Policy on Vista

I received an interesting question by mail the other day regarding my article about MLGPO on Windowsecurity.com. The question was whether it is possible to export a local policy assigned to a specific user to a user on another computer...?

After scratching my head and researching a bit it seemed like nobody had a good answer for this and no GUI tool is apparently available - so I had to come up with something myself... This is the result:

The following undocumented - and probably unsupported - method worked for me:

On "Source Computer":
1. Create/modify a local policy for the "Source User"
2. Go to "C:\Windows\System32\GroupPolicyUsers\" and locate the last modified policy folder
- the folder should be named with the SID (Security ID) of the "Source User", e.g. "S-1-5-21-452792215-1268730067-2626448776-1108"
3. Copy the folder and content to the "Target Computer" into the same directory structure

On "Target Computer":
1. Rename the newly copied folder to the SID of the "Target User" (the user who should receive the "exported" policy)
- how to find the SID of a local user?
2. Set NTFS permissions on the newly renamed folder to:
- SYSTEM = "Full Control"
- Administrators group = "Full Control"
- "Target User" = "Read & Execute"
3. Test a logon as the "Target User", the policies should be correctly applied.

Done! Well, the procedure is a bit "odd", but it could be scripted if required.
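One way to script the export, as an added example written for this page and not part of the original post: it resolves both SIDs via WMI (so the target machine's local user is looked up on the target machine), copies the policy folder through the target's C$ admin share, and sets the three ACEs from the list above with icacls using well-known SIDs. The function names, the use of the C$ share, and the assumption that you are an administrator on both computers are mine.

```powershell
# Added example, not from the original post. Assumes: run on the SOURCE computer
# as an administrator of both machines, with \\TARGET\C$ reachable.
# Get-LocalUserSid and Export-LocalUserPolicy are my own helper names.

# Resolve a LOCAL account on the given computer to its SID string
# (e.g. "S-1-5-21-...-1108") using WMI, so the lookup happens on the
# machine that actually owns the account.
function Get-LocalUserSid {
    param([string]$ComputerName, [string]$UserName)
    $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
              -Filter "LocalAccount=True AND Name='$UserName'"
    if ($acct -eq $null) { throw "Local user $UserName not found on $ComputerName" }
    return $acct.SID
}

function Export-LocalUserPolicy {
    param(
        [string]$SourceUser,
        [string]$TargetComputer,
        [string]$TargetUser
    )
    # Source, step 2: the per-user policy folder is named after the source user's SID.
    $sourceSid = Get-LocalUserSid $env:COMPUTERNAME $SourceUser
    $sourceDir = Join-Path $env:SystemRoot "System32\GroupPolicyUsers\$sourceSid"
    if (-not (Test-Path $sourceDir)) { throw "No local user policy found at $sourceDir" }

    # Target, step 1: the copied folder must carry the TARGET user's SID.
    $targetSid = Get-LocalUserSid $TargetComputer $TargetUser
    $targetDir = "\\$TargetComputer\C$\Windows\System32\GroupPolicyUsers\$targetSid"

    # Source step 3 + target step 1: copy and rename in one operation.
    Copy-Item -Path $sourceDir -Destination $targetDir -Recurse -Force

    # Target, step 2: SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) get
    # Full Control, the target user gets Read & Execute. (OI)(CI) makes the
    # ACE inherit to files and subfolders; /inheritance:r drops inherited ACEs
    # so nothing broader than these three entries remains.
    & icacls $targetDir /inheritance:r `
        /grant:r '*S-1-5-18:(OI)(CI)F' `
        /grant:r '*S-1-5-32-544:(OI)(CI)F' `
        /grant:r "*${targetSid}:(OI)(CI)RX" | Out-Null

    return $targetDir
}

# Usage (on the source computer), then log on as the target user to test (step 3):
# Export-LocalUserPolicy -SourceUser 'alice' -TargetComputer 'PC02' -TargetUser 'bob'
```

Using SIDs rather than names in the icacls grants avoids both the localized group names and the source machine having to resolve the target machine's local user.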

Thursday, May 10, 2007

Blocking U3 USB devices

Hey,

I get this question a lot: how can we block U3 devices on the network?

Well, one approach that some companies take is to simply block the physical USB ports with glue etc. - no USB devices are able to get in, so we have a "secure" system... Hmmm, this would mean that we are not able to use other USB devices either - maybe not the best solution for all of us then...

If you have Windows Vista deployed, you can use the new Device Control functionality, but most companies have Windows XP and Windows Server 2003 products in production (and are probably waiting for Vista Service Pack 1 before they go ahead with the Vista deployment)... So, what could they do then?

Third party software, like GFI EndPointSecurity, is capable of blocking USB devices etc. - and it does a very good job too, but there's also a free way to do it (if you ask me it's the best way to do it): implement Software Restriction Policies (SRP)!

I've been writing about the "Default Deny All Applications" approach and this is (of course) also capable of blocking U3 devices - out of the box, built-in Windows functionality.

When the Default Security Level is set to Disallowed, nothing is able to launch except what the administrator defines as Unrestricted (and some default rules and limitations on top of this). When a user plugs in the U3 USB device NOTHING happens - no weird hacker tools, utilities, applications and whatever those 'wonderful' devices normally introduce.

Behind the scenes SRP restricts access to the U3 LaunchPad and leaves only an event in the Windows Event log:

Source: Software Restriction Policy
Event ID: 865
Type: Warning

"Access to C:\...\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level"

This limitation can be set on user and/or computer level.

After introducing SRP on your Windows computers (Windows XP and above) - you can consider your network "U3 free".
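Two checks a practitioner would want after rolling this out, as an added example that is not part of the original post: one confirms the Default Security Level actually in force on a machine (computer and user scope, matching the "user and/or computer level" remark), and the other collects the Event ID 865 warnings so you can see which paths SRP blocked and where LaunchPad.exe was stopped. The function names are mine; the source-name filter is an assumption based on the event shown above (it matches both "Software Restriction Policy" and "Software Restriction Policies"), and the registry location is the Safer\CodeIdentifiers key under the Policies hive where SRP stores its default level.

```powershell
# Added example, not from the original post. Assumes PowerShell 1.0+ on
# XP/2003/Vista and rights to read the Application log (and the registry)
# on each computer listed. Function names are my own.

# Report the SRP default level for the computer and the current user.
# DefaultLevel 0 = Disallowed (default deny), 0x40000 (262144) = Unrestricted.
function Test-SrpDefaultDeny {
    $levels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted'; 131072 = 'Basic User' }
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        $value = $null
        if (Test-Path $key) { $value = (Get-ItemProperty $key).DefaultLevel }
        $label = if ($value -eq $null) { 'not configured' }
                 elseif ($levels.ContainsKey([int]$value)) { $levels[[int]$value] }
                 else { "unknown ($value)" }
        New-Object PSObject | Select-Object @{n='Scope';e={$hive}}, @{n='DefaultLevel';e={$label}}
    }
}

# Collect the Event ID 865 warnings ("restricted by the default software
# restriction policy level") and pull the blocked path out of the message.
function Get-SrpBlockEvents {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Newest = 500
    )
    foreach ($c in $ComputerName) {
        Get-EventLog -ComputerName $c -LogName Application -Newest $Newest |
          Where-Object { $_.EventID -eq 865 -and $_.Source -like 'Software Restriction Polic*' } |
          ForEach-Object {
              $path = $_.Message
              if ($_.Message -match 'Access to (.+?) has been restricted') { $path = $matches[1] }
              $_ | Select-Object @{n='Computer';e={$c}}, TimeGenerated, UserName,
                     @{n='Path';e={$path}},
                     @{n='U3LaunchPad';e={$path -like '*\LaunchPad.exe'}}
          }
    }
}

# Usage:
# Test-SrpDefaultDeny
# Get-SrpBlockEvents -ComputerName 'PC01','PC02' |
#   Where-Object { $_.U3LaunchPad } | Sort-Object TimeGenerated -Descending | Format-Table -AutoSize
```

A Disallowed default level in HKLM with only the intended Unrestricted rules is what makes the LaunchPad block "just happen"; the 865 events are the evidence you would collect to show it is working across the fleet.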

Thursday, May 03, 2007

Remote Desktop issue on multihomed machines

I have seen this issue too many times now, so I have to write this short blog about it!

Have you ever seen this error when trying to connect to a Remote Desktop enabled machine using MSTSC/Remote Desktop Client:

Remote Desktop Disconnected
The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, contact your administrator.

Well, I've seen it so many times now, especially on ISA servers... Even after the RDP sessions have worked nicely, sometimes, for some reason, the RDP settings can be changed - or even "corrupted". In most cases the above error has something to do with the NIC (Network Interface Card) binding for RDP.

If you are experiencing this issue go read the Microsoft KB article: "You can not establish a Remote Desktop session to a computer running one of the affected products". You will find it here http://support.microsoft.com/kb/555382 - good luck!

Tuesday, May 01, 2007

WSUS 3.0 Released - nice stuff!

I'm happy to tell you that WSUS version 3.0 has been released! The release day was April 30th 2007 - a day to remember...

This version brings lots of goodies compared to its younger brother WSUS 2.0 (which did a great job in my opinion).

So, what's new? Well, let me try to wrap up some of the really good stuff:
- In-place upgrade over WSUS 2.0 SP1
- New setup and configuration wizard
- New MMC (Microsoft Management Console) GUI
- New views and reports (and faster reports - up to 50%)
- Cleanup wizard for management of stale clients and content
- Built-in email notifications
- New approval rules
- Enhanced target group concepts (e.g. overlapping group membership)
- Support for language sub-setting for downstream replica servers
- Peer caching
- Synchronization with MS down to every 1 hour now
- Native support for x64 platform
- NLB (Network Load Balancing) and SQL Cluster support
- MOM Management Pack (will be released very soon)
- Client 'Sync me now' quick check-in
- and all the other stuff...

Download:
x86/x64 package
WSUS 3.0 Release Notes
WSUS 3.0 on SBS 2003
Deployment Guide for WSUS 3.0
Step-by-step Guide: Getting Started with WSUS 3.0

Go to WSUS Technical Library for more information, guides etc.

I think we will all benefit from this release - well, maybe not the penguin guys :)

Thursday, April 26, 2007

Windows Server Code Name Longhorn Beta 3 is PUBLIC!

Hello there,

I know it has been a while, but something great happened today :)

Windows Server Code Name "Longhorn" is available for download here:
http://www.microsoft.com/technet/prodtechnol/beta/lhs/default.mspx

You can download Standard, Enterprise, Web and even Datacenter editions - x86 or x64!

Go get it ASAP!!!!

Monday, February 19, 2007

Virtual PC 2007 is out there!

Go to this link and get the latest version of Virtual PC!

You must uninstall any previously installed beta versions of VPC 2007 before installing the latest edition.

You can download the release notes here!

This release of Virtual PC 2007 introduces support for the following:

  • Windows Vista™ operating system as a host operating system
  • Windows Vista as a guest operating system
  • 64-bit host operating systems
  • Hardware-assisted virtualization
  • Network-based installation of a guest operating system
  • Running virtual machines on multiple monitors
  • Support has been removed for the use of linked disks in a virtual machine

Tuesday, January 30, 2007

Windows Vista Language Packs

First of all - happy Vista Launch Day :)

I just want to write a real quick blog about Windows Vista's way of handling Display Language. With Windows 2000/XP we also had MUIs - Multilingual User Interface language packs - they were just a bit more complicated to set up (just getting the media was a separate task). LIPs (Language Interface Pack) for Windows Vista Ultimate and Windows Vista Enterprise are now available on Windows Update!

Installing languages (we can have multiple packs installed):

The administrator installs the required language packs and users can use Regional and Language Options to set their Display Language - the language follows the user. In this case I'm gonna select Danish...

Now all we have to do is to log off:

The GUI is now in Danish... Internet Explorer, Calculator, Control Panel, Help & Support - everything!

Other language packs are available on the Windows Update website - by the end of 2007 there should be 99 languages available according to Microsoft.

Extremely cool and smooth if you ask me :)

Monday, January 15, 2007

FlexCommand

Hi,

I was looking at Darren Mar-Elia's (MVP Group Policy) tool that makes it possible to update a REMOTE computer's Group Policy settings using the command line (almost like the good "old" GPUPDATE, just on speed). You can get more info and download the tool here.
I thought it might be an idea to "wrap" the tool into a simple GUI application that should make it possible to select an Organizational Unit (OU) in a domain and run the RGPREFRESH for each computer object in the OU. I know you can use a FOR command, DSQUERY and other stuff, but "normal" admins etc. might not find this easy to do.
That made me start working on a "quick-and-dirty" HTA application which should let the user select an OU and then run the RGPREFRESH command with some checkboxes for the available switches... BUT, after a short time I decided to make the application more FLEXIBLE so the user can type ANY command that should be executed for a given number of computers (selected from an OU).
The tool can now be combined with most command line utilities, e.g. the wonderful PSEXEC from Sysinternals.

The FlexCommand HTA application
So, let's take a look at the tool in its current state (version 1.0).

As you can see above the GUI is pretty simple. First we should select an Organizational Unit (must be done before the application can be executed):

After selecting a given OU (hopefully one with computer objects in it) there are two checkboxes that can be selected.
A. Also handle computers in sub-Organizational Units?
With this checkbox selected we use "SUBTREE" in the LDAP query behind the scenes, so all computer objects in the underlying OUs will be handled too!
B. Only run command if the computer is alive (WMI)?
With this checkbox selected we check to see if the remote computer is alive - by using a WMI PING (that unfortunately can be a bit slow when a remote computer is not responding - but still faster than commands that just wait to "timeout") - before actually executing a command against the remote computer.

Then we need to type in the command; the example below is a simple PING command. It's IMPORTANT to understand that the computer names from the selected OU (or OUs) will be inserted instead of the "{C}" placeholder, which MUST be entered before the application can be executed.

In some cases it will be necessary to specify a FULL PATH to the command line utility that must be run - remember to use the "quote signs" on each side of the file path.

Using the PING example above, the result is the following in my test domain, and this command is repeated for each computer (that is alive in the selected OU and Sub-OUs):

The tool can be downloaded here!

Future versions
Well, I haven't thought this through 100% yet (and I know the tool is not perfect yet) but I have thought about making the following changes whenever I have time:
1. Logging - write a logfile that shows the commands that were executed
2. Reporting - give a report at the end about the number of successfully executed commands etc.
3. Testmode - checkbox where you can make a "what if" execution before running "the real thing"
4. Selection between asynchronous or synchronous execution of commands
I hope you will enjoy this "as-is" tool - it's FREE for you to USE and MODIFY (one cool thing about HTA applications).
All comments and ideas are very welcome - just send me an email for info at heidelbergit dot dk!

Best regards
Jakob H. Heidelberg
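The same idea as a script, as an added example that is not the FlexCommand HTA itself or any code from the tool: an ADSI query for the computer objects in an OU (OneLevel, or Subtree when the "sub-OUs" option is on), an optional Win32_PingStatus liveness check, and a command template in which {C} is replaced with each computer name before execution. It also sketches items 1 to 3 from the "Future versions" list (a log file, a success/failure count, and a what-if mode). The function names, the example OU path and the use of cmd.exe to run the template are my assumptions.

```powershell
# Added example, not from the original post. Assumes a domain-joined machine,
# PowerShell 1.0+, and rights to query AD (ADSI) and WMI. Function names are mine.

# Computer names under an OU. OneLevel = the OU itself; Subtree = the OU and
# all sub-OUs (the "also handle computers in sub-OUs" checkbox).
function Get-OuComputerNames {
    param([string]$OuDn, [switch]$IncludeSubOus)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$OuDn"
    $searcher.Filter = '(objectCategory=computer)'
    if ($IncludeSubOus) { $searcher.SearchScope = 'Subtree' } else { $searcher.SearchScope = 'OneLevel' }
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('name')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['name'][0] }
}

# The "is the computer alive?" check: a WMI ping (Win32_PingStatus) with a
# 1 second timeout, so a dead host costs about a second instead of a long
# command timeout.
function Test-ComputerAlive {
    param([string]$ComputerName)
    $p = Get-WmiObject -Query "SELECT StatusCode FROM Win32_PingStatus WHERE Address='$ComputerName' AND Timeout=1000"
    return ($p -ne $null -and $p.StatusCode -eq 0)
}

# Run a command template once per computer; {C} is replaced with the name,
# as in FlexCommand. -WhatIf only shows what would run ("Testmode"),
# -LogPath appends each command and its exit code ("Logging"), and the
# returned object is the end-of-run summary ("Reporting").
function Invoke-FlexCommand {
    param(
        [string]$OuDn,
        [string]$Command,
        [switch]$IncludeSubOus,
        [switch]$OnlyIfAlive,
        [switch]$WhatIf,
        [string]$LogPath
    )
    if ($Command -notmatch '\{C\}') { throw 'The command must contain the {C} placeholder.' }
    $ok = 0; $failed = 0; $skipped = 0
    foreach ($name in Get-OuComputerNames -OuDn $OuDn -IncludeSubOus:$IncludeSubOus) {
        if ($OnlyIfAlive -and -not (Test-ComputerAlive $name)) { $skipped++; continue }
        $cmd = $Command.Replace('{C}', $name)
        if ($WhatIf) { Write-Host "WHATIF: $cmd"; continue }
        cmd.exe /c $cmd                       # synchronous: one computer at a time
        $code = $LASTEXITCODE
        if ($code -eq 0) { $ok++ } else { $failed++ }
        if ($LogPath) { "$(Get-Date -Format s)`t$name`t$code`t$cmd" | Add-Content $LogPath }
    }
    New-Object PSObject | Select-Object @{n='Succeeded';e={$ok}}, @{n='Failed';e={$failed}}, @{n='Skipped';e={$skipped}}
}

# Usage: the PING example from the post, over an OU and its sub-OUs, only for
# computers that answer the WMI ping (the OU path is a placeholder).
# Invoke-FlexCommand -OuDn 'OU=Workstations,DC=example,DC=local' -Command 'ping -n 1 {C}' `
#     -IncludeSubOus -OnlyIfAlive -LogPath 'C:\Temp\flexcommand.log'
```

Because the template is handed to cmd.exe verbatim, a full path with spaces still needs the quote signs mentioned above; the {C} check up front mirrors the HTA's requirement that the placeholder be present before anything executes.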

Saturday, January 06, 2007

Group Policy Update

If you have read my article series on windowsecurity.com about "Managing Windows Vista Group Policy" theres a few extra comments I would like to add...

ADMX
The most important note I would like to make is that Microsoft published a tool to migrate ADM files to the ADMX file format some time ago (November 2006) - the tool was actually developed by FullArmor and licensed freely for Microsoft customers. The tool is called "ADMX Migrator", but actually does more than just migrate templates...

The product requires "Microsoft Management Console 3.0" and "Microsoft .NET version 2.0" on Windows Vista, Windows XP SP2 or Windows Server 2003 SP1 to work - and provides the following functionality:

1. Converting/migrating ADM files to the new XML based Administrative Templates format: ADMX. You can even select multiple files to convert at one time - it's almost too easy!

2. Creating new ADMX files from scratch without the need to understand and master XML and the special syntax the templates require. This is the "editor" part of the "ADMX Migrator" tool.
This is a very powerful tool with lots of possibilities for admins around the world. If you haven't played with this already I will advise you to do so, you can use this link.

GPMC
At TechEd in Barcelona there was a "rumor" that Microsoft will remove the built-in GPMC from Windows Vista as part of the Vista Service Pack 1 installation. I don't know if this is true and a final decision, but it was actually stated so by the Group Policy Product Manager, Michael Dennis. The reason should be that Microsoft received some "complaints" on the fact that every user could start this wonderful admin tool (maybe those customers haven't heard of Group Policy settings that disallow the use of MMC, Software Restriction Policies etc.?). Well, I just think it's funny to think of a Service Pack that actually removes functionality (without replacing it with anything else/better) instead of adding stuff - maybe it's just me :-)

TOOLBELT
The great guys at gpanswers.com have collected a Group Policy Toolbelt that a GP admin just must have - it can be downloaded here: http://www.gpanswers.com/toolbelt. Within this "belt" you will find tools within an ISO file ready to be "mounted" or burned. The tools are anything from an ADM file that sets GPO logging level to third party utilities that make the job of a GP admin a bit easier. Check it out the next time you have time to download about 70 MB - a lot better than finding the tools on different sites around the world.

THE VISTA SETTINGS
If you haven't looked at Windows Vista Group Policy news in detail yet, here is your chance to do so. Microsoft released this Excel document (as they have done in the past) with Vista GP settings. Very interesting reading for GP nerds like myself. We now have SO many GP settings that no man can possibly contain all the great possibilities in his head, so that's why we need this sheet. As mentioned in one of my articles for windowsecurity.com there will hopefully be a search option within the MMC when Microsoft releases the first service pack to Windows Vista (and in Longhorn Server). It will be interesting to see how they manage to incorporate such a crucial functionality - we must have faith in those guys :)

And BTW - when you guys are changing the code anyway, why not put a "Save changes" dialog into the GPEDIT MMC like ANY other GUI that handles important system changes. I hope that we will also see some workflow handling soon: one admin that changes the GP settings and a manager that approves the changes, making them "live" in the environment. Also versioning is needed as GPs will probably "rule the world" in a few years - not just backups, but real versioning that makes it possible to spot changes made over time and to get back to a "safe" setting fast (rollback). Well, I actually know that MS is working on this too (DOPSA - Desktop Optimization Pack for Software Assurance) - but as with Christmas presents it can be hard to wait too long - I'll get back to this in a post very soon :)

If you think I haven't done anything for a while

If you think I haven't done anything for a while, then please check out my articles on www.windowsecurity.com about Group Policy on Windows Vista and Longhorn Server:

http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part1.html
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part2.html
http://windowsecurity.com/articles/Managing-Windows-Vista-Group-Policy-Part3.html

And this Danish website (in Danish), http://www.tweakup.dk/, about new stuff in Windows Vista for non-IT professionals:
http://www.tweakup.dk/article/1022/dk/

I'm now an author on the above sites, so there won't be much time to write in here - but I'll do my very, very best :-)

Hope you will enjoy - and Happy New Year BTW!