Group Policy

Group Policy Naming Conventions?

Jeremy Moskowitz from the GPAnswers website posted a good question today – How do you name your Group Policies? Strangely enough it had never occurred to me to have a naming convention for the GP’s – normally I just make sure they are descriptive enough in the name and use the comment fields in 2008 and newer to provide a changelog of the Group Policy and details on what it should do. However, this does rely on EVERYONE updating the group policy and I know this doesn’t always happen – even I sometimes forget to fill in this information when making a quick change, so having a standard naming convention seems a great idea. Having the author (or initials) is also important so other people can easily track you down to get clarification or assistance on the settings.
Do you have any naming conventions that you use?

Fixed – Adobe Reader not opening in ie – turning off Open in browser.

Using Adobe Reader 9.04 on a Windows 2008r2 Remote Desktop server, I was finding that a lot of websites would fail to run when a pdf file was opened in the browser. Going to Edit/Preferences/Internet and unchecking the “Open pdf in browser” fixed the problem. The next problem was making this site wide and for every user on the terminal server.
Using procmon I was able to check the registry changes that occurred when this box was checked (although this does not help when the av software is constantly scanning the registry and files). By creating HKCU\Software\Adobe\Acrobat Reader\9.0\Original\bBrowserIntegration as a dword and setting the value to 0, this option was checked for everyone. I did notice that the server initially checks HKLM for the same value, but in testing I found that adding this value under HKLM did not make the user interface change. I know Adobe checks other settings in the registry so I’m not sure if it was checking other locations to see if HKLM should also be set, but in that case, why check the HKLM value too?
Using the Group Policy Preferences I was able to create a new setting and now Adobe Reader works for everyone on the server.

Of course, once you know this key it’s easy to find lots of Google articles mentioning bBrowserIntegration but I couldn’t find anything when I initially researched this problem. One solution that might make it easier is to download an Adobe Reader Group Policy template which you can then import (computer / Administrative Templates/ Right click and browse) to apply this and other settings. Note that I found the EULA suppression did not work for me with Adobe Reader 9.04 on W2k8R2.

Fixed – Group Policy settings show “An error occurred while generating report: An unknown error occurred while the HTML report was being created.”

Whilst doing some troubleshooting work for a client’s group policy settings that were not being applied to a Vista machine, I launched the Group Policy Management Console (gpmc) and went to view the Resultant Set Of Policy (RSOP) of a client machine. When I tried to view the default domain policy I received the message “An error occurred while generating report: An unknown error occurred while the HTML report was being created.” All other group policies appeared fine – it was just the default domain policy – arguably the most important one and not an easy one to restore. My first step was to use a DC that did not have the gpmc installed to use the native group policy tools within the Active Directory Users and Computers snapin. Fortunately this tool worked and I could see the settings…..lots of them.
As I knew the group policy did not seem to be corrupt I then went back into gpmc and attempted a backup of the group policies. All but the default domain policy backed up successfully.
The error message almost looked similar to issues when trying to view web pages on a server with the enhanced ie security enabled but it didn’t really make sense that it was only affecting one group policy.

After a few minutes of digging I found an entry on tek-tips (a site I don’t like to use due to the popups and nag screens) but in this case the answer worked. From Roadki11’s posting on tek-tips.com:-

Cause:
Seems to be something with importing IE security settings.

Solution:
Edit install.ins inside: {GUID of Policy}\user\MICROSOFT\IEAK

[Security Imports]
ImportSecZones=1

Set it back to “0”

Using gpmc I obtained the guid of the policy by right clicking the policy and choosing properties then I connected to c:\WINDOWS\SYSVOL\sysvol\domain\Policies\{guid}\user\Microsoft\ieak
First I made a backup and then edited install.ins, set ImportSecZones to 0 and was then able to edit the policy in gpmc.
Hopefully the background information and the instructions on how to connect to the correct file helps others.
Whilst you are in the gpmc make sure you go down to Group Policy Objects, right click, Backup All, select a location, enter the date and time stamp for the description and back those policies up. Document where the backups are stored so that if you need to restore them they are easily accessible – even on another computer.
I’ve now added the backup to our checkup and system documentation instructions so at a minimum we will have monthly backups of the group policies and a documented location for where this information is kept. In an ideal world, printing off the settings would also be a good way to document the information too.
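
The install.ins edit and the "Backup All" step described above, done from PowerShell. This is an added example, not part of the original post or the tek-tips answer; it assumes the GroupPolicy module that ships with GPMC/RSAT and Windows PowerShell, and $GpoName and $BackupRoot are placeholder values.

```powershell
# Added example; $GpoName and $BackupRoot are placeholders for your environment.
Import-Module GroupPolicy

$GpoName    = 'Default Domain Policy'
$BackupRoot = 'D:\GPOBackups'            # hypothetical location; document where it is

# Resolve the GPO's GUID instead of reading it from the Properties dialog.
$gpo  = Get-GPO -Name $GpoName -ErrorAction Stop
$guid = $gpo.Id.ToString('B')            # '{xxxxxxxx-...}' form used under SYSVOL
$ins  = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\$guid\User\MICROSOFT\IEAK\install.ins"

if (Test-Path -LiteralPath $ins) {
    # Keep a timestamped copy outside SYSVOL before touching the file.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    Copy-Item -LiteralPath $ins -Destination (Join-Path $BackupRoot "install.ins.$stamp.bak")

    # Change ImportSecZones only inside the [Security Imports] section.
    $section = ''
    $changed = $false
    $lines = Get-Content -LiteralPath $ins | ForEach-Object {
        if ($_ -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1] }
        if ($section -eq 'Security Imports' -and $_ -match '^\s*ImportSecZones\s*=\s*1\s*$') {
            $changed = $true
            'ImportSecZones=0'
        } else { $_ }
    }
    if ($changed) { Set-Content -LiteralPath $ins -Value $lines }
    "install.ins changed: $changed"
} else {
    "No install.ins found at $ins"
}

# Once the GPO can be read again, back up every GPO with a dated description.
$target = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $target -Force | Out-Null
Backup-GPO -All -Path $target -Comment "Backup $(Get-Date -Format 's')" |
    Select-Object DisplayName, GpoId, BackupDirectory
```

Run it from an account that can write to SYSVOL, and restrict access to the backup folder, since GPO backups contain the full policy settings.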

Group Policy preference hurdle.

I’ve been wanting to use the group policy preferences at a couple of sites but have been unable to due to the fact that you need to have a Vista or Windows 2008 server in the domain. I knew that one or the other was required, but I was kind of hoping that you could get away with using a Vista machine not on the domain to edit the group policy settings. Much like you can use “connect to” in eventvwr and other mmc consoles I was hoping this feature would be available so I could take my consultant’s laptop and edit various group policy preferences at some of my sites without needing a domain joined pc. Alas, this is not to be – in fact gpmc is not even available unless you are joined to the domain.
Here’s hoping that some enterprising company will come up with an application that will enable you to deploy group policy preferences without Vista or Windows 2008.

Group policy problems with printing.

I’m having a problem where ctrl-p doesn’t work in a kiosk mode machine with group policy restrictions and wonder if anyone has a clue? I’ve posted this to google groups.

I have a group policy enabled for a particular user for a locked down, kiosk user interface in a public area. Currently in *some* web pages the ctrl-P shortcut key will work, but on other web pages nothing happens when ctrl-p is pressed. Other shortcut keys such as ctrl-h, ctrl-r, ctrl-w activate properly (in the case of ctrl-w this option complains that the user does not have access to close the window).
We are running internet explorer as the shell in kiosk mode, but removing the kiosk mode doesn’t make any difference. Likewise, we have disabled the toolbar, but adding the toolbar back and enabling the print button also does not make any difference – the print dialog box never appears on certain web sites.

www.msn.com, http://travel.msn.com/default.aspx both work but http://travel.msn.com/New_York_City_New_York_State_list_entitylist_attractions_23164_2.aspx or http://www.helsby.net or https://absoblogginlutely.net don’t. There are a lot more sites that do/don’t work but these are just a couple of examples.

Anyone come across this problem before?
I’ve uploaded the resultant set of policies wizard output to https://absoblogginlutely.net/test/lock.htm – the only thing I’ve done is change the domain name for security reasons.