On November 17, 2004, at 12:00 pm EST, our readers discussed Group Policy with Brian Styles, CTO and founder of ScriptLogic Corporation and Brian Small, Vice President of Product Development at ScriptLogic Corporation (and founder of Small Wonders Software, which ScriptLogic acquired earlier this year).
The following is a transcript of the chat.
\[2004-11-17 11:06:11\] Adam Carheden - \[RM\] : Greetings everyone. We will be starting shortly.
\[2004-11-17 11:12:23\] Adam Carheden - \[RM\] : Hello everyone, on behalf of Windows IT Pro Magazine, I'd like to welcome you to the "Ask The ScriptLogic Experts About Group Policy" live chat.
\[2004-11-17 11:12:38\] Adam Carheden - \[RM\] : Today, we're fortunate to have Brian Styles, CTO and founder of ScriptLogic Corporation and Brian Small, Vice President of Product Development at ScriptLogic Corporation (and founder of Small Wonders Software, which ScriptLogic acquired earlier this year).
\[2004-11-17 11:12:57\] Adam Carheden - \[RM\] : They're both here today to answer your questions about Group Policy. So please go ahead and start submitting your questions, and they'll answer them one-by-one. Thank you!
\[2004-11-17 11:14:51\] Errol Kelly : Is it possible to create a policy that renames the local admin account & set a password on 2000/2003 servers?
\[2004-11-17 11:15:33\] gpinon : I don't turn on complexity requirements for passwords because users end up writing them down, but I'd like to have some minimal requirements. Is there any way to define my own set (such as at least 1 cap)?
\[2004-11-17 11:17:13\] Barb Gibbens : What do you consider some of the most important changes to GP with XP SP2?
\[2004-11-17 11:17:53\] Brian Small : Thank you for your question. The answer is unfortunately yes and no. You can rename the 'administrator' account and the 'guest' account, but there is currently no way to reset passwords through a GPO. The setting to rename the accounts is located in the "Computer\Security Settings\" location.
\[2004-11-17 11:22:48\] Brian Small : Yes, I hear that quite a bit. Unfortunately there is no setting to define your own set of password complexity without generating a password filter programmatically. For your information, here are the Windows Server 2003 password complexity requirements: 1) Is not based on the user's account name 2) Is at least 6 characters long 3) Contains characters from three of the following four character types a) Uppercase alpha characters b) Lowercase alpha characters c) Arabic numerals (0-9) d) Nonalphanumeric characters (for example !, $, #, %)
\[2004-11-17 11:24:56\] mike : Any chance of a webinar on this sometime soon? This chat is not something I want to sit through.
\[2004-11-17 11:27:28\] Errol Kelly : Is there a way to force you to change the password when you log onto the server every so many weeks/months?
\[2004-11-17 11:28:00\] mike : Hello Brian, will you be hosting a webinar about your product anytime soon?
\[2004-11-17 11:31:55\] Barb Gibbens : Can you give me your impression of the two or three most important GP enhancements to XP SP2?
\[2004-11-17 11:33:01\] Brian Small : Errol, Yes, you need to set the "Minimum password age" setting which is located in the "Computer Configuration\Security Settings\Account Policies\Password Policy" location. As a special note, many admins get confused on exactly where to set Account Policies. You need to specify Account Policies in the Default Domain Policy GPO at the root of the domain.
\[2004-11-17 11:34:07\] Errol Kelly : thank you
\[2004-11-17 11:34:46\] Brian Small : Hi Mike, Yes, absolutely, on our homepage at http://www.scriptlogic.com - you can view a list of events, including weekly demos of all of our products.
\[2004-11-17 11:36:33\] Jake : What do you see as the latest trends in Group Policy?
\[2004-11-17 11:38:30\] gpinon : How do I go about understanding User Rights? Some are obvious, but what is Act as part of the OS and creating tokens and global objects?
\[2004-11-17 11:38:40\] Jake : I'm interested in using Group Policies, but I'm on a mixed environment which includes some NT 4 systems. Will installing the directory services client enable the use of group policies on NT 4 clients?
\[2004-11-17 11:39:43\] Brian Small : Hi Barb, Thank you for your question. XPSP2 adds over 600 new GPO settings, bringing the total number of GPO settings to over 1300 I believe. It is my opinion that the addition of the Internet Explorer Security settings under (Computer Settings\Administrative Templates\Windows Components\Internet Explorer\Security Features\) are some of the most important additions. They are all made to mitigate vulnerabilities in Internet Explorer - and we all need that :) Also, the addition of the Windows Firewall settings are necessary to manage SP2 as well.
\[2004-11-17 11:42:06\] Brian Small : Jake, As Group Policy gets more widely utilized, third party vendors are offering ADM templates for their applications.
\[2004-11-17 11:43:00\] Brian Small : Jake, No, GPOs will not apply to NT 4 systems - they are only applied to Windows 2000 systems or later.
\[2004-11-17 11:45:35\] Brian Small : Here's a great resource from Microsoft to give you a great review of User Rights: http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/appxb.mspx
\[2004-11-17 11:45:59\] jon_r : You referred earlier in the discussion to the security policy which renames administrator and guest accounts. Do you know how this works? It can't just be a registry key, can it? I can't find it in any of the adm files? I'm interested because I want to roll out this change to certain desktops using ScriptLogic's Desktop Authority product.
\[2004-11-17 11:51:18\] Brian Small : Jon, Actually, it's not in any ADM file, it's processed by another section of GPO (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options). If you are using Desktop Authority, I believe you can achieve this with the resource kit tool "cusrmgr.exe" I believe (check the spelling) You can create a script to rename the accounts and set it in a Desktop Authority Profile.
\[2004-11-17 11:55:22\] rlevanto : What is the biggest overlooked configuration issue your customers run into?
\[2004-11-17 11:55:58\] rlevanto : What should IT administrators keep in mind as they face this week's SOX deadline?
\[2004-11-17 11:56:37\] Brian Small - Barb Gibbens : FYI - A question was asked earlier regarding XPSP2 - You can download an Excel spreadsheet with all policies listed from Microsoft at the following URL - fun stuff!
\[2004-11-17 11:56:43\] Brian Small - \[RM\] : http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en
\[2004-11-17 11:56:45\] Brian Styles - \[RM\] : There was a question earlier that I attempted to respond to relating to using complex passwords. My advice would be to consider using Smart Cards or a 3rd party strong authentication solution such as RSA, Secure Computing or Authenex. This is the only real solution to vulnerable passwords -- no matter how simple or complex they might be.
\[2004-11-17 11:57:36\] rlevanto : Have most of your customers ironed out the issues with SP2 installations?
\[2004-11-17 12:00:10\] gpinon : One problem I had a while back was with some spyware that made IE always open to the about:blank page. Is that something that can be blocked through group policy, or is that an it an MS patch?
\[2004-11-17 12:02:06\] Brian Styles : Of the customers that we deal with, the general consensus tends to be cautious when it comes to SP2 rollouts. The larger the customer, the slower the adoption of SP2 has been.
\[2004-11-17 12:04:43\] Brian Styles - \[RM\] : Following-up on the SP2 issues question, there are certainly issues and many of them can be found on Microsoft's website as it relates to incompatible applications. We also have an XP SP2 Resource Center on our website at www.scriptlogic.com that contains many useful links to SP2 news.
\[2004-11-17 12:05:34\] Brian Small - rlevanto : Yes, I agree that most of our customers have not yet rolled out XPSP2.
\[2004-11-17 12:05:40\] mnetwal : I'm getting ready to roll out Group Policy and have 1200 users. What do you recommend?
\[2004-11-17 12:06:57\] Errol Kelly : I tried to deploy Acrobat reader, but there are no switches listed; how can I overcome this obstacle?
\[2004-11-17 12:07:47\] Errol Kelly : That gives you everything from the point you logged in; it does not give you the whole session.
\[2004-11-17 12:09:48\] Brian Styles : The IE start page is a registry value, therefore it is controllable via Group Policies. Even if there was another policy for preventing users from changing their home page, that would not necessarily stop spyware from directly modifying the registry value if the system was already compromised by spyware/malware.
\[2004-11-17 12:13:55\] mnetwal : Can I make a change to a GPO and model it before I implement the change?
\[2004-11-17 12:14:00\] mnetwal - Brian Small : Can I make a change to a GPO and then model the change before implementation?
\[2004-11-17 12:14:51\] Brian Styles : Could you be a bit more specific. There are so many parts to SOX that I fear I could go on for hours in a reply. We have at least one SOX specific white paper you should read. Please visit www.scriptlogic.com/whitepapers for the SOX paper and others.
\[2004-11-17 12:15:39\] Jake : What products do you think best address Group Policy?
\[2004-11-17 12:18:58\] Brian Small : Yes, you can use the Resultant Set of Policies feature in one of our products called "Active Administrator" - It allows you to view what settings would be applied to a user logging into a specific computer before they actually log in. You can also make virtual changes to your environment for testing purposes.
\[2004-11-17 12:19:11\] Brian Styles : There are a number of products out there that help you to manage AD and GPOs. The product which we offer that helps you to manage AD and GPOs is called Active Administrator. Here's a direct link: http://www.scriptlogic.com/eng/products/activeadmin/main.asp
\[2004-11-17 12:20:56\] mnetwal : Is there an audit trail to changes made to GPOs? If so, what is in the audit log?
\[2004-11-17 12:22:02\] Brian Styles : Is a good tool and you can't beat the price (free). However, you get what you pay for. It provides a basic level of GPO reporting, backup & restoring. Active Administrator takes AD & GPO management to the next level by giving auditing and Group Policy history (including delta change reports), and can show you who made what changes and when down to the Group Policy level.
\[2004-11-17 12:22:57\] Jake : One more question...I'm having a lot of problems trying to enforce desktop lockdowns at my company. Is this something that GP can resolve, and what's the best way to do it?
\[2004-11-17 12:23:50\] Brian Small : Errol, Good question - GPOs can only publish MSI files. If you can get Acrobat reader as an msi, then you can use the following command line: msiexec /i "
\[2004-11-17 12:23:53\] mnetwal : Will some of your reporting capabilities assist me with both SOX and HIPAA compliance?
\[2004-11-17 12:25:26\] Brian Styles : The answer would depend a lot on your environment. Assuming you have 2000/2003 AD in place or you are migrating to it, you might want to consider our "Administrator's Toolbox" solution pack. It includes both Desktop Authority and Active Administrator, giving you ultimate control over managing desktops, AD and your GPOs at a very granular level. The best advice I can give you is to plan twice, implement once. Seek the help of a professional AD consulting firm if need be.
\[2004-11-17 12:26:20\] Brian Styles : You might want to check with OnDemand and attempt to package the Acrobat Reader into an MSI so that you can deploy it with GPOs.
\[2004-11-17 12:26:45\] gpinon : I have 2 AD sites replicating over IP. After rebooting the DC at my second site, replication is failing. repadmin and replmon show access denied errors on the DC from site 1. How do I go about troubleshooting this?
\[2004-11-17 12:27:40\] Brian Small : Great question - you have to turn on auditing to audit "Directory Services Access" and GPO modifications go to the Event Log. However, it's very limited - it doesn't show you what has changed, or the name of the GPO (only the GUID). We have a product called Active Administrator that does just this and more - it keeps a history of every change in Active Directory and Group Policy - who, what, when, and where.
\[2004-11-17 12:29:13\] Brian Small : Where do you see the access denied errors? In an event log entry - or you can't log into the box remotely?
\[2004-11-17 12:29:46\] Errol Kelly : Can you create a batch file that will deploy password changes to a designated OU/container using Script Logic?
\[2004-11-17 12:30:59\] Brian Small - \[RM\] : Also, I would check the permissions on the SYSVOL folder on the remote DC to ensure replication can occur for FRS.
\[2004-11-17 12:31:15\] Brian Styles : Can you be more specific about what you are trying to accomplish? Are you wanting to change the local admin's password on your clients or something else?
\[2004-11-17 12:33:57\] Brian Styles : Yes, GPOs can certainly help to lock down your 2000 & XP clients. If you have legacy clients (9x & NT), you should consider a product like Desktop Authority which does a lot of what GPOs do, but supports all Win32 clients and offers a much more granular level of control.
\[2004-11-17 12:35:25\] Brian Small : If you are trying to change the administrator's password on machines located in a specified OU, then you can create an "Application Launcher" entry using the "net user" or "cusrmgr.exe" to reset these passwords and use Validation Logic to select the particular OU.
\[2004-11-17 12:39:40\] gpinon : I see the errors in Replication Monitor log.
\[2004-11-17 12:40:22\] Brian Small : Yes, we have solutions for both SOX and HIPAA compliance. You can read about them on our website: http://www.scriptlogic.com/whitepapers/
\[2004-11-17 12:44:12\] Brian Small : I would love to help you, but we seem to be running out of time here... I would suggest checking the permissions on SYSVOL as well as contacting Microsoft support for this one.
\[2004-11-17 12:45:09\] Adam Carheden - gpinon : We're about out of time. I'd like to thank everyone for all of their questions. If you have any final questions please ask them now.
\[2004-11-17 12:46:37\] Brian Styles : Definitely! All of our products have a part to play in enforcing the type of access controls required by the SOX and HIPAA legislation. In particular, Active Administrator covers areas of directory security and auditing, and group policy lifecycle management, both of which are essential in enforcing access controls. See our white paper on S-Ox (and shortly on HIPAA) at www.scriptlogic.com for more info on how our product range can help you.
\[2004-11-17 12:48:21\] Adam Carheden - \[RM\] : Thank you everyone for joining. We will have the chat archived on both the Windows IT Pro web site and the ScriptLogic web site tomorrow.