Tuesday, January 30, 2007

Windows Vista Language Packs

First of all - happy Vista Launch Day :)

I just want to write a real quick blog about Windows Vista's way of handling Display Language. With Windows 2000/XP we also had MUIs - Multilingual User Interface language packs - they were just a bit more complicated to set up (just getting the media was a separate task). LIPs (Language Interface Pack) for Windows Vista Ultimate and Windows Vista Enterprise are now available on Windows Update!

Installing languages (we can have multiple packs installed):

The administrator installs the required language packs and users can use Regional and Language Options to set their Display Language - the language follows the user. In this case I'm gonna select Danish...

Now all we have to do is to log off:

The GUI is now in Danish... Internet Explorer, Calculator, Control Panel, Help & Support - everything!

Other language packs are available on the Windows Update website - by the end of 2007 there should be 99 languages available according to Microsoft.

Extremely cool and smooth if you ask me :)

Monday, January 15, 2007



I was looking at Darren Mar-Elia's (MVP Group Policy) tool that makes it possible to update a REMOTE computer's Group Policy settings using the command line (almost like the good "old" GPUPDATE, just on speed). You can get more info and download the tool here.
I thought it might be an idea to "wrap" the tool into a simple GUI application that should make it possible to select an Organizational Unit (OU) in a domain and run the RGPREFRESH for each computer object in the OU. I know you can use a FOR command, DSQUERY and other stuff, but "normal" admins etc. might not find this easy to do.
That made me start working on a "quick-and-dirty" HTA application which should let the user select an OU and then run the RGPREFRESH command with some checkboxes for the available switches... BUT, after a short time I decided to make the application more FLEXIBLE so the user can type ANY command that should be executed for a given number of computers (selected from an OU).
The tool can now be combined with most command line utilities, e.g. the wonderful PSEXEC from Sysinternals.

The FlexCommand HTA application
So, let's take a look at the tool in its current state (version 1.0).

As you can see above the GUI is pretty simple. First we should select an Organizational Unit (must be done before the application can be executed):

After selecting a given OU (hopefully one with computer objects in it) there are 2 checkboxes that can be selected.
A. Also handle computers in sub-Organizational Units?
With this checkbox selected we use "SUBTREE" in the LDAP query behind the scenes, so all computer objects in the underlying OUs will be handled too!
B. Only run command if the computer is alive (WMI)?
With this checkbox selected we check to see if the remote computer is alive - by using a WMI PING (that unfortunately can be a bit slow when a remote computer is not responding - but still faster than commands that just wait to "timeout") - before actually executing a command against the remote computer.

Then we need to type in the command, the example below is a simple PING command. It's IMPORTANT to understand that the computer names from the selected OU (or OUs) will be inserted instead of the "{C}" signature, which MUST be entered before the application can be executed.

In some cases it will be necessary to specify a FULL PATH to the command line utility that must be run - remember to use the "quote signs" on each side of the file path.

Using the PING example above, the result is the following in my test domain, and this command is repeated for each computer (that is alive in the selected OU and Sub-OUs):

The tool can be downloaded here!
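The "{C}" substitution described above, as an added Python example (not FlexCommand's own code, which is an HTA). It assumes computer names arrive as plain strings from the OU query, rejects any name that is not a plain host name instead of pasting it into the command, and keeps quoted full paths as one argument; the function names and sample names are made up for this example.

```python
import re

PLACEHOLDER = "{C}"
# Conservative host name rule (an assumption of this example): dot-separated
# labels of letters, digits and hyphens. Anything else is rejected, not escaped.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_safe_hostname(name):
    return len(name) <= 253 and HOSTNAME_RE.fullmatch(name) is not None


def tokenize(template):
    """Split on whitespace, keeping "double quoted" runs (full paths) whole."""
    tokens = re.findall(r'"[^"]*"|\S+', template)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in tokens]


def expand(template, computers):
    """Return (commands, rejected): one argument list per accepted computer."""
    if PLACEHOLDER not in template:
        raise ValueError("template must contain the {C} placeholder")
    tokens = tokenize(template)
    commands, rejected = [], []
    for name in computers:
        if not is_safe_hostname(name):
            rejected.append(name)  # report it, never run it
            continue
        # Substitute after tokenizing, so a name can never add arguments.
        commands.append([t.replace(PLACEHOLDER, name) for t in tokens])
    return commands, rejected


if __name__ == "__main__":
    # Constructed sample data: names as an OU query might return them.
    names = ["PC01", "srv-02.corp.example", "PC03 & echo x"]
    planned, skipped = expand("ping -n 1 {C}", names)
    for argv in planned:
        print("WOULD RUN:", argv)  # what-if output only; nothing is executed
    print("REJECTED:", skipped)
```

Running the argument lists directly (without a shell) keeps the rejected-name check and the quoting rule meaningful; the printed plan doubles as the "what if" mode and log mentioned under future versions.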

Future versions
Well, I haven't thought this through 100% yet (and I know the tool is not perfect yet) but I have thought about making the following changes whenever I have time:
1. Logging - write a logfile that shows the commands that were executed
2. Reporting - give a report at the end about number of successfully executed commands etc.
3. Testmode - checkbox where you can make a "what if" execution before running "the real thing"
4. Selection between a- or synchronous execution of commands
I hope you will enjoy this "as-is" tool - it's FREE for you to USE and MODIFY (one cool thing about HTA applications).
All comments and ideas are very welcome - just send me an email for info at heidelbergit dot dk!

Best regards
Jakob H. Heidelberg

Saturday, January 06, 2007

Group Policy Update

If you have read my article series on windowsecurity.com about "Managing Windows Vista Group Policy" there are a few extra comments I would like to add...

The most important note I would like to make is that Microsoft published a tool to migrate ADM files to the ADMX file format some time ago (November 2006) - the tool was actually developed by FullArmor and licensed freely for Microsoft customers. The tool is called "ADMX Migrator", but actually does more than just migrate templates...

The product requires "Microsoft Management Console 3.0" and "Microsoft .NET version 2.0" on Windows Vista, Windows XP SP2 or Windows Server 2003 SP1 to work - and provides the following functionality:

1. Converting/migrating ADM files to the new XML based Administrative Templates format: ADMX. You can even select multiple files to convert at one time - it's almost too easy!

2. Creating new ADMX files from scratch without the need to understand and master XML and the special syntax the templates require. This is the "editor" part of the "ADMX Migrator" tool.
This is a very powerful tool with lots of possibilities for admins around the world. If you haven't played with this already I would advise you to do so, you can use this link.

At TechEd in Barcelona there was a "rumor" that Microsoft will remove the builtin GPMC from Windows Vista as part of the Vista Service Pack 1 installation. I don't know if this is true and a final decision, but it was actually stated so by the Group Policy Product Manager, Michael Dennis. The reason should be that Microsoft received some "complaints" about the fact that every user could start this wonderful admin tool (maybe those customers haven't heard of Group Policy settings that disallow the use of MMC, Software Restriction policies etc.?). Well, I just think it's funny to think of a Service Pack that actually removes functionality (without replacing it with anything else/better) instead of adding stuff - maybe it's just me :-)

The great guys at gpanswers.com have collected a Group Policy Toolbelt that a GP admin just must have - it can be downloaded here: http://www.gpanswers.com/toolbelt. Within this "belt" you will find tools within an ISO file ready to be "mounted" or burned. The tools are anything from an ADM file that sets GPO logging level to third party utilities that make the job of a GP admin a bit easier. Check it out the next time you have time to download about 70 MB - a lot better than finding the tools on different sites around the world.

If you haven't looked at Windows Vista Group Policy news in detail yet, here is your chance to do so. Microsoft released this Excel document (as they have done in the past) with Vista GP settings. Very interesting reading for GP nerds like myself. We now have SO many GP settings that no man can possibly contain all the great possibilities in his head so that's why we need this sheet. As mentioned in one of my articles for windowsecurity.com there will hopefully be a search option within the MMC when Microsoft releases the first service pack for Windows Vista (and in Longhorn Server). It will be interesting to see how they manage to incorporate such a crucial functionality - we must have faith in those guys :)

And BTW - when you guys are changing the code anyway, why not put a "Save changes" dialog into the GPEDIT MMC like ANY other GUI that handles important system changes. I hope that we will also see some workflow handling soon, one admin that changes the GP settings and a manager that approves the changes, making them "live" in the environment. Also versioning is needed as GP's will probably "rule the world" in a few years - not just backups, but real versioning that makes it possible to spot changes made over time and to get back to a "safe" setting fast (rollback). Well, I actually know that MS is working on this too (DOPSA - Desktop Optimization Pack for Software Assurance) - but as with Christmas presents it can be hard to wait too long - I'll get back to this in a post very soon :)

If you think I haven't done anything for a while

If you think I haven't done anything for a while, then please check out my articles on www.windowsecurity.com about Group Policy on Windows Vista and Longhorn Server:


And this Danish website (in Danish), http://www.tweakup.dk/, about new stuff in Windows Vista for non-IT professionals:

I'm now an author on the above sites, so there won't be much time to write in here - but I'll do my very, very best :-)

Hope you will enjoy - and Happy New Year BTW!