On November 17, 2004, at 12:00 pm EST, our readers discussed Group Policy with Brian Styles, CTO and founder of ScriptLogic Corporation and Brian Small, Vice President of Product Development at ScriptLogic Corporation (and founder of Small Wonders Software, which ScriptLogic acquired earlier this year).
The following is a transcript of the chat.
\[2004-11-17 11:06:11\]
Adam Carheden -
\[RM\] : Greetings everyone. We will be starting shortly.
\[2004-11-17 11:12:23\]
Adam Carheden -
\[RM\] : Hello everyone, on behalf of Windows IT Pro Magazine, I'd like to welcome you to the "Ask The ScriptLogic Experts About Group Policy" live chat.
\[2004-11-17 11:12:38\]
Adam Carheden -
\[RM\] : Today, we're fortunate to have Brian Styles, CTO and founder of ScriptLogic
Corporation and Brian Small, Vice President of Product Development at
ScriptLogic Corporation (and founder of Small Wonders Software, which
ScriptLogic acquired earlier this year).
\[2004-11-17 11:12:57\]
Adam Carheden -
\[RM\]
: They're both here today to answer your questions about Group Policy.
So please go ahead and start submitting your questions, and they'll
answer them one-by-one. Thank you!
\[2004-11-17 11:14:51\]
Errol Kelly : Is it possible to create a policy that renames the local admin account & set a password on 2000/2003 servers?
\[2004-11-17 11:15:33\]
gpinon
: I don't turn on complexity requirements for passwords because users
end up writing them down, but I'd like to have some minimal
requirements. Is there any way to define my own set (such as at least 1
cap)?
\[2004-11-17 11:17:13\]
Barb Gibbens : What do you consider some of the most important changes to GP with XP SP2?
\[2004-11-17 11:17:53\]
Brian Small
: Thank you for your question.
The answer is unfortunately yes and no. You can rename the
'administrator' account and the 'guest' account, but there is currently
no way to reset passwords through a GPO. The setting to rename the
accounts is located in the "Computer\Security Settings\" location.
\[2004-11-17 11:22:48\]
Brian Small
: Yes, I hear that quite a bit. Unfortunately there is no setting to
define your own set of password complexity without generating a
password filter programmatically. For your information, here are the
Windows Server 2003 password complexity requirements:
1) Is not based on the user's account name
2) Is at least 6 characters long
3) Contains characters from three of the following four character types:
a) Uppercase alpha characters
b) Lowercase alpha characters
c) Arabic numerals (0-9)
d) Nonalphanumeric characters (for example !, $, #, %)
\[2004-11-17 11:24:56\]
mike : Any chance of a webinar on this sometime soon? This chat is not something I want to sit through.
\[2004-11-17 11:27:28\]
Errol Kelly : Is there a way to force you to change the password when you log onto the server every so many weeks/months?
\[2004-11-17 11:28:00\]
mike : Hello Brian, will you be hosting a webinar about your product anytime soon?
\[2004-11-17 11:31:55\]
Barb Gibbens : Can you give me your impression of the two or three most important GP enhancements to XP SP2?
\[2004-11-17 11:33:01\]
Brian Small
: Errol,
Yes, you need to set the "Minimum password age" setting which is
located in the "Computer Configuration\Security Settings\Account
Policies\Password Policy" location.
As a special note, many admins get confused on exactly where to set
Account Policies. You need to specify Account Policies in the Default
Domain Policy GPO at the root of the domain.
\[2004-11-17 11:34:07\]
Errol Kelly : thank you
\[2004-11-17 11:34:46\]
Brian Small
: Hi Mike,
Yes, absolutely, on our homepage at http://www.scriptlogic.com - you
can view a list of events, including weekly demos of all of our
products.
\[2004-11-17 11:36:33\]
Jake : What do you see as the latest trends in Group Policy?
\[2004-11-17 11:38:30\]
gpinon
: How do I go about understanding User Rights? Some are obvious, but
what is Act as part of the OS and creating tokens and global objects?
\[2004-11-17 11:38:40\]
Jake
: I'm interested in using Group Policies, but I'm on a mixed
environment which includes some NT 4 systems. Will installing the
directory services client enable the use of group policies on NT 4
clients?
\[2004-11-17 11:39:43\]
Brian Small
: Hi Barb,
Thank you for your question. XPSP2 adds over 600 new GPO settings,
bringing the total number of GPO settings to over 1300 I believe. It is
my opinion that the addition of the Internet Explorer Security settings
under (Computer Settings\Administrative Templates\Windows
Components\Internet Explorer\Security Features\) are some of the most
important additions. They are all made to mitigate vulnerabilities in
Internet Explorer - and we all need that :)
Also, the addition of the Windows Firewall settings are necessary to
manage SP2 as well.
\[2004-11-17 11:42:06\]
Brian Small : Jake,
As Group Policy gets more widely utilized, third party vendors are offering ADM templates for their applications.
\[2004-11-17 11:43:00\]
Brian Small : Jake,
No, GPOs will not apply to NT 4 systems - they are only applied to Windows 2000 systems or later.
\[2004-11-17 11:45:35\]
Brian Small : Here's a great resource from Microsoft to give you a great review of User Rights:
http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/appxb.mspx
\[2004-11-17 11:45:59\]
jon_r
: You referred earlier in the discussion to the security policy which
renames administrator and guest accounts. Do you know how this works?
It can't just be a registry key, can it? I can't find it in any of the
adm files? I'm interested because I want to roll out this change to
certain desktops using ScriptLogic's Desktop Authority product.
\[2004-11-17 11:51:18\]
Brian Small
: Jon,
Actually, it's not in any ADM file, it's processed by another section
of GPO (Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options).
If you are using Desktop Authority, I believe you can achieve this with
the resource kit tool "cusrmgr.exe" (check the spelling).
You can create a script to rename the accounts and set it in a Desktop
Authority Profile.
\[2004-11-17 11:55:22\]
rlevanto : What is the biggest overlooked configuration issue your customers run into?
\[2004-11-17 11:55:58\]
rlevanto : What should IT administrators keep in mind as they face this week's SOX deadline?
\[2004-11-17 11:56:37\]
Brian Small -
Barb Gibbens
: FYI - A question was asked earlier regarding XPSP2 - You can download
an Excel spreadsheet with all policies listed from Microsoft at the
following URL - fun stuff!
\[2004-11-17 11:56:43\]
Brian Small -
\[RM\] : http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en
\[2004-11-17 11:56:45\]
Brian Styles -
\[RM\]
: There was a question earlier that I attempted to respond to relating
to using complex passwords. My advice would be to consider using Smart
Cards or a 3rd party strong authentication solution such as RSA, Secure
Computing or Authenex. This is the only real solution to vulnerable
passwords -- no matter how simple or complex they might be.
\[2004-11-17 11:57:36\]
rlevanto : Have most of your customers ironed out the issues with SP2 installations?
\[2004-11-17 12:00:10\]
gpinon
: One problem I had a while back was with some spyware that made IE
always open to the about:blank page. Is that something that can be
blocked through group policy, or is that an MS patch?
\[2004-11-17 12:02:06\]
Brian Styles
: Of the customers that we deal with, the general consensus tends to be
cautious when it comes to SP2 rollouts. The larger the customer, the
slower the adoption of SP2 has been.
\[2004-11-17 12:04:43\]
Brian Styles -
\[RM\]
: Following up on the SP2 issues question, there are certainly issues
and many of them can be found on Microsoft's website as it relates to
incompatible applications. We also have an XP SP2 Resource Center on
our website at www.scriptlogic.com that contains many useful links to
SP2 news.
\[2004-11-17 12:05:34\]
Brian Small -
rlevanto : Yes, I agree that most of our customers have not yet rolled out XPSP2.
\[2004-11-17 12:05:40\]
mnetwal : I'm getting ready to roll out Group Policy and have 1200 users. What do you recommend?
\[2004-11-17 12:06:57\]
Errol Kelly : I tried to deploy Acrobat reader, but there are no switches listed; how can I overcome this obstacle?
\[2004-11-17 12:07:07\]
mnetwal : I'm getting ready to roll out Group Policy and have 1200 users. What do you recommend?
\[2004-11-17 12:07:47\]
Errol Kelly : That gives you everything from the point you logged in; it does not give you the whole session.
\[2004-11-17 12:09:48\]
Brian Styles
: The IE start page is a registry value, therefore it is controllable
via Group Policies. Even if there was another policy for preventing
users from changing their home page, that would not necessarily stop
spyware from directly modifying the registry value if the system was
already compromised by spyware/malware.
\[2004-11-17 12:13:55\]
mnetwal : Can I make a change to a GPO and model it before I implement the change?
\[2004-11-17 12:14:00\]
mnetwal -
Brian Small : Can I make a change to a GPO and then model the change before implementation?
\[2004-11-17 12:14:51\]
Brian Styles
: Could you be a bit more specific. There are so many parts to SOX that
I fear I could go on for hours in a reply. We have at least one SOX
specific white paper you should read. Please visit
www.scriptlogic.com/whitepapers for the SOX paper and others.
\[2004-11-17 12:15:39\]
Jake : What products do you think best address Group Policy?
\[2004-11-17 12:18:58\]
Brian Small
: Yes, you can use the Resultant Set of Policies feature in one of our
products called "Active Administrator" - It allows you to view what
settings would be applied to a user logging into a specific computer
before they actually log in. You can also make virtual changes to your
environment for testing purposes.
\[2004-11-17 12:19:11\]
Brian Styles
: There are a number of products out there that help you to manage AD
and GPOs. The product which we offer that helps you to manage AD and
GPOs is called Active Administrator. Here's a direct link:
http://www.scriptlogic.com/eng/products/activeadmin/main.asp
\[2004-11-17 12:20:56\]
mnetwal : Is there an audit trail to changes made to GPOs? If so, what is in the audit log?
\[2004-11-17 12:22:02\]
Brian Styles
: Is a good tool and you can't beat the price (free). However, you
get what you pay for. It provides a basic level of GPO reporting,
backup & restoring. Active Administrator takes AD & GPO
management to the next level by giving auditing and Group Policy
history (including delta change reports), and can show you who made what
changes and when down to the Group Policy level.
\[2004-11-17 12:22:57\]
Jake
: One more question...I'm having a lot of problems trying to enforce
desktop lockdowns at my company. Is this something that GP can resolve,
and what's the best way to do it?
\[2004-11-17 12:23:50\]
Brian Small
: Errol,
Good question - GPOs can only publish MSI files. If you can get Acrobat
reader as an msi, then you can use the following command line:
msiexec /i "
\[2004-11-17 12:23:53\] mnetwal : Will some of your reporting capabilities assist me with both SOX and HIPAA compliance?
\[2004-11-17 12:25:26\] Brian Styles
: The answer would depend a lot on your environment. Assuming you have
2000/2003 AD in place or you are migrating to it, you might want to
consider our "Administrator's Toolbox" solution pack. It includes both
Desktop Authority and Active Administrator, giving you ultimate control
over managing desktops, AD and your GPOs at a very granular level. The
best advice I can give you is to plan twice, implement once. Seek the
help of a professional AD consulting firm if need be.
\[2004-11-17 12:26:20\] Brian Styles
: You might want to check with OnDemand and attempt to package the
Acrobat Reader into an MSI so that you can deploy it with GPOs.
\[2004-11-17 12:26:45\] gpinon
: I have 2 AD sites replicating over IP. After rebooting the DC at my
second site, replication is failing. repadmin and replmon show access
denied errors on the DC from site 1. How do I go about troubleshooting
this?
\[2004-11-17 12:27:40\] Brian Small
: Great question - you have to turn on auditing to audit "Directory
Services Access" and GPO modifications go to the Event Log. However,
it's very limited - it doesn't show you what has changed, or the name
of the GPO (only the GUID). We have a product called Active
Administrator that does just this and more - it keeps a history of
every change in Active Directory and Group Policy - who, what, when,
and where.
\[2004-11-17 12:29:13\] Brian Small : Where do you see the access denied errors? In an event log entry - or you can't log into the box remotely?
\[2004-11-17 12:29:46\] Errol Kelly : Can you create a batch file that will deploy password changes to a designated OU/container using ScriptLogic?
\[2004-11-17 12:30:59\] Brian Small - \[RM\] : Also, I would check the permissions on the SYSVOL folder on the remote DC to ensure replication can occur for FRS.
\[2004-11-17 12:31:15\] Brian Styles
: Can you be more specific about what you are trying to accomplish? Are
you wanting to change the local admin's password on your clients or
something else?
\[2004-11-17 12:33:57\] Brian Styles
: Yes, GPOs can certainly help to lock down your 2000 & XP clients.
If you have legacy clients (9x & NT), you should consider a product
like Desktop Authority which does a lot of what GPOs do, but supports
all Win32 clients and offers a much more granular level of control.
\[2004-11-17 12:35:25\] Brian Small
: If you are trying to change the administrator's password on machines
located in a specified OU, then you can create an "Application
Launcher" entry using the "net user" or "cusrmgr.exe" to reset these
passwords and use Validation Logic to select the particular OU.
\[2004-11-17 12:39:40\] gpinon : I see the errors in Replication Monitor log.
\[2004-11-17 12:40:22\] Brian Small : Yes, we have solutions for both SOX and HIPAA compliance. You can read about them on our website:
http://www.scriptlogic.com/whitepapers/
\[2004-11-17 12:44:12\] Brian Small
: I would love to help you, but we seem to be running out of time
here... I would suggest checking the permissions on SYSVOL as well as
contacting Microsoft support for this one.
\[2004-11-17 12:45:09\] Adam Carheden - gpinon
: We're about out of time. I'd like to thank everyone for all of their
questions. If you have any final questions please ask them now.
\[2004-11-17 12:46:37\] Brian Styles
: Definitely! All of our products have a part to play in enforcing the
type of access controls required by the SOX and HIPAA legislation. In
particular, Active Administrator covers areas of directory security and
auditing, and group policy lifecycle management, both of which are
essential in enforcing access controls. See our white paper on S-Ox
(and shortly on HIPAA) at www.scriptlogic.com for more info on how our
product range can help you.
\[2004-11-17 12:48:21\] Adam Carheden - \[RM\]
: Thank you everyone for joining. We will have the chat archived on
both the Windows IT Pro web site and the ScriptLogic web site tomorrow.