TechNet Radio – 6/6 Episode Release

Welcome to TechNet, your guide to the IT Universe

Charlie: Hi, and welcome to TechNet Radio. I’m Charlie Harger along with Mike Ward. Coming up in today’s show we talk with Jeremy Moskowitz; he is an authority on Windows 2000 and 2003 Server, Group Policy, Active Directory, SMS and desktop deployments. Very interesting talk that Michael Murphy has with him. Also on the way, Robert Scoble is back, so we’ll have a conversation with him, and also we’ll talk about our coverage of the upcoming TechEd. First up, here’s Michael Murphy with Jeremy Moskowitz.

Michael: My name is Michael Murphy and it is my pleasure to have with us today Jeremy Moskowitz. Jeremy, how are you doing?

Jeremy: Excellently.

Michael: Awesome. Jeremy runs Moskowitz Inc.; that’s a company specializing in Microsoft consulting and in education. Jeremy is a noted speaker and expert on Group Policy; he’s presented at TechEd, Comdex, and MCP Magazine’s TechMentor. He’s written books; he’s a noted author of six books on Windows. “Teach Yourself Windows 2000 Server in 24 Hours” is actually translated into a dozen languages. His most popular book is “Group Policy, Profiles and IntelliMirror” and it’s the flagship title in the Mark Minasi Windows administration series. I’m very excited about Jeremy’s latest book about Windows and Linux integration, and I think, Jeremy, we should talk a little bit about that today. Additionally, Jeremy runs GPAnswers.com and WinLinAnswers.com; these are two websites dedicated to helping people get their tough Group Policy and Windows/Linux questions answered. And so that is the gentleman that we have the pleasure of talking with today, and Jeremy, I really want to welcome you; it’s great to have you on the program today.

Jeremy: Oh go on, you make me blush.

Michael: So Jeremy, let’s start this way. You are noted as a Group Policy expert, so we should set the groundwork, lay the groundwork here a little bit for our conversation. What’s Group Policy and why do people care?

Jeremy: It’s funny, you know, I meet a lot of people, and I’ll go to a party sometimes and someone will say, hey, what do you do for a living, and I can’t just say, you know, I’m an accountant or a doctor. I say I’m a Group Policy expert and they look at me like I’ve got six heads, so then I have to start explaining what Group Policy is. Over the years I’ve come up with a couple of different analogies to tell people who aren’t in the computer business. So what I usually tell people is Group Policy lets you make a wish on your servers and have your other servers and client computers embrace those wishes, so you get to sort of play wizard or your own kind of deity, where you make the big wish or two or three and, zap, all of a sudden your client computers and servers and users embrace those wishes. And so you become all powerful with Group Policy.

Michael: That’s a nice analogy. I like that, I like that. And so for our technical audience, as most of the people listening to this know, Group Policy provides a sensible way to administer and configure client machines and servers, right?

Jeremy: That’s basically it, and there are two sides to Group Policy: there’s the user side and the computer side. So for instance, on the user side of things, those are the kinds of things we typically think of when we think of Group Policy, like controlling the desktop and manipulating the control of the lead settings and deploying some software. A lot of that stuff is user-side based, but a lot of it is computer-side based as well, like turning on IP security, or software deployment as well; you can flip to either computers or users, which is really nice. So there are thirteen what I like to call wish categories in Group Policy land, thirteen giant categories of things that you can control, and then once you make those wishes, those wishes are embraced by either the computer or the users, depending on how you set it up.

Michael: Now, with all of the folks that you talk to out there and all the work that you do with Group Policy, what do you find to be some of the challenges that the technical community faces in deploying solid group policies that can really make their lives easier?

Jeremy: Well, there’s a couple of things that make it challenging to get Group Policy deployed in general. The first thing is that there’s just a heck of a lot of policy settings. I mean, I get asked every so often, hey Moskowitz, do you know if there’s a policy setting that does fill-in-the-blank here, and even though I deal with Group Policy every day, I’m still discovering new, cool things you can do with it. So that becomes a challenge; there’s something on the order of, depending on who you ask and what day of the week it is, between two and three thousand policy settings that you can set to engage your workstation to do what you want to do. That’s the first challenge. The second challenge is that there’s not a lot of good options when it comes to actually getting knowledge in how to make use of this. I often tell people, you know, you spent all that time getting that Active Directory up and running, you’ve got that Ferrari now and it’s really running great, but are you really driving that Ferrari properly? And so I like to tell people the best way to use Active Directory is to know Group Policy, and I also tell people if you don’t know Group Policy, you don’t know security, because Microsoft Windows security, the foundation, is in knowing Group Policy. So there’s not a lot of options out there to get that foundation in Group Policy, and that’s why I got GPAnswers, that’s why I got the two-day intensive training and workshop class; that’s available for people to sort of get up to speed on these topics that we’ve talked about so far. So those are really the two kinds of challenges: lots of policy settings, and not a lot of options in terms of getting smart on that. So that’s why GPAnswers was born.

Michael: And in terms of security, let’s talk for a second, because we know that Microsoft provides some support and documentation to customers on Group Policy. So there were the Windows 2000 and Windows 2003 security guidance kits, and those included security templates that could easily be applied to machines, but there were some issues around those. What were some of the issues that people found with those security templates?

Jeremy: Sure. By and large, the problem with security templates in general is that it’s somebody else’s idea of what a good security model would be for you. So even though Microsoft does its due diligence, and by the way Microsoft isn’t the only organization that came up with these templates, I see these templates come out and be made available publicly from governmental organizations, governmental security organizations, and also universities and other really smart places, but still, the problem with those templates in general is that it’s somebody else’s good idea that you’re trying to sort of shoehorn into your environment. And a lot of people, what they would do is they wouldn’t take the quality time to actually analyze what these templates would do; they would just sort of set them and forget them and wonder why things weren’t working anymore, because they’re very restrictive. Turns out, actually, there’s some good news on the horizon. In Windows Server 2003 with Service Pack 1 there’s a new tool called the SCW, or the Security Configuration Wizard. And what this tool does is it says, go ahead and let me take a representative sample server, like a print server, lock it down, and then take what I’ve done to lock it down, make a Group Policy out of it, and then every time I add, say, a new print server, automatically lock down this next print server as I locked down the original print server. So you’re no longer worried about what somebody else’s good idea is for a print server; you use this tool, the SCW, and now you are restricting a print server for your environment, custom restriction for your environment. It’s a really great tool.

Michael: So there’s a couple of things that you said there. The first is, and I think you would agree, security templates, whether from Microsoft or another organization, are only a starting point, and I can take those and tweak them out for my own use. Or, if I’m running 2003 with Service Pack 1 or 2003 R2, I can take advantage of the Security Configuration Wizard, create my own certain settings using that wizard, and then those get exported to an XML file, don’t they?

Jeremy: You got it. There’s an SCWCMD.EXE that we then use to convert that XML into a GPO, and once we’ve got it in Group Policy land we’ve got everything you need to then link it to the OU we have our Group Policy servers in, and every time you drop a new print server in, bam, you’ve got it. Now, the one key message to take away here, that sometimes gets lost in translation, is that the target machine has to be a Server 2003 Service Pack 1 or R2 machine in order to be a valid recipient. It’s not guaranteed to work if that target machine is anything other than that.

Michael: Good, that’s good stuff. Now, if in fact, you know, lack of training and understanding of Group Policy is one of the big things that holds people back from taking those hairpin turns with their Ferrari of Active Directory, what are you doing in the near term? Because I know you’re busy and you’re always doing training stuff. What can people look for from you in the next year, say, maybe coming to their city?

Jeremy: Sure, I’ve got lots of opportunities for people if they’re serious about taking that Ferrari for a real driving lesson. The best thing to do is to take the two-day intensive training and workshop class, and you can find out more about that at GPAnswers.com. I’ve got both public and private classes, so if you’ve got an organization that has a handful of people, you’re a good candidate for that. I’m also coming to a half a dozen cities for the end of 2006 for my class, and I have some good news: I’m actually doing a couple of different road show tours. One with TechTarget and Microsoft and Dell is going to be an 18-city road tour. It’s not expressly on Group Policy; it’s actually on three topics. It’s on deployment, management and monitoring of Windows systems, so deployment, getting Windows XP and 2003 and even a little Vista out of the box, and then doing some management by using Group Policy and software deployment to figure out how to get stuff to them, then monitoring, after the machine is out there, how do we actually figure out if there’s a problem, or sort of just make sure it’s healthy all around. So that’s 18 or 20 cities coming soon, and you’ll find out about that at GPAnswers.com. And the other thing that I’ve got going on is I’ve got a multiple-city road show with NetIQ and FullArmor, and they have a series called the GP University, a Group Policy University. Those dates aren’t quite set yet, but the idea is that it’s going to be a full day of workshops between Group Policy essentials and some product knowledge to help you sort of figure out where the gaps are in Group Policy land and help solve them.

Michael: Awesome. So the reality is that there are resources out there for people to take advantage of, but they’ve got to take advantage of them.

Jeremy: Not to mention that at GPAnswers we’ve got free newsletters and a great community forum that’s also free. So if you’ve got problems, you’ve got questions, we have an army of people who are just like you, who have questions and have answers and are into this Group Policy thing. If you go to GPAnswers.com you’ll find the community forum link; that’s a great place to post your Group Policy question. You never know, somebody might have the answer. Even when somebody like us, you know, somebody has said, no, there is no way to do that, you’d be really surprised at the kinds of workarounds we’ve found at the community forum on GPAnswers.

Michael: And I think that that plays into the policy theory that it really is an extremely facile tool. There’s just, like you said, I think with Vista, in the Vista/Longhorn timeframe, we’re going to be looking at something like 3000 Group Policy options, and the way in which I combine those options, both from the user perspective and the computer perspective, can really get a lot of things done.

Jeremy: Vista’s going to take it to that whole other level. While the sum total of what Vista can do isn’t quite solidified yet, obviously we’re still in the beta timeframe, some of the really exciting things, like the most exciting thing for me right now, is its ability out of the box to say which hardware devices can and cannot run. For instance, if you don’t want a USB disk-on-key, or the thumb drive thing, to run on the doctor computers, bam, you can guarantee that when that thumb drive is attached it’s ignored. That’s really hot tamales, that’s really exciting stuff that we just couldn’t do before.

Michael: Now that’s interesting, because from a security perspective, of course, if I want to know that nobody could easily take data off my machine, and certainly the potential for a USB drive to just slip into a USB machine, or USB port, and for data to leave my machine, that’s real, right? I’m reminded, yeah, very real, and I’m reminded not long ago, I know a government agency that bought 2000 computers, and as part of the standard equipment they had 2 USB ports, right, yet nobody was aware of that. It was addressed as a security concern and the solution was epoxy, right? Those guys went out, they bought some tubes of epoxy, they went around and put a little epoxy and disabled every USB port in the place.

Jeremy: Yeah, they probably could have done that through the BIOS, but I believe there was some rationale why they couldn’t do it, I don’t know. But yeah, that’s basically it; we’re now solving, you know, bigger issues with software, and that’s really the charge and that’s what Group Policy is meant to do. It’s meant to help you make those wishes, figure out what those security desires, those look-and-feel desires, the software desires are, and do it centrally, instead of running around to each machine, like even with the epoxy gun, or deploying software, or changing a desktop background. I mean, the whole point is to not run around so much, so my whole charge is, if you’re running out to the desktop you might be doing something wrong. So that’s where Group Policy control takes in.

Michael: Now, can you speak at all, for those of us that know Group Policy a little bit, we know about ADM files and ADM template files and custom ADM files that provide preconfigured settings that I can pull and apply right in the Group Policy Management Console to my client machines or my servers. Now that’s changing in the Vista timeframe, right, to ADMX files. Can you speak at all as to what the distinction is between those and why we’re interested in the ADMX format?

Jeremy: Sure, let me jump to the end of the story and say that theoretically this will be a very transparent thing, and that most people won’t even notice that there’s a change. So for your average small business administrator, or medium-sized business administrator, the look and feel won’t change; the kinds of things you can control don’t change. But here’s what does change: ADMX files give you a couple of, well, give you one unique extra benefit. The big unique extra benefit you get is this idea of a centralized ADMX store, and this actually comes in the Vista client. The idea right today with XP and 2000 machines is that if you have a custom ADM template which might, say, oh I don’t know, control a custom application on your desktops, that’s great, you can totally do that. For instance, Office 2003 comes with a set of ADM templates that control Office, and I love that; when that happens, that’s terrific. But what happens if you go to a different machine and you want to edit a new GPO, and oops, you don’t have those ADM files, so now you’re kind of in trouble. What ADMX files do is sort of take you, with Vista, to the next level, and it says, you know, if the central store is available then go ahead and just look in the central store and go ahead and pull them from there. So that’s the main advantage point. The second advantage point is that we get out of this custom ADM template language, which you know is a little bit cumbersome and not that much fun, and we sort of move into a more industry-standard XML-style format. Now that is another language in and of itself, which may take a little bit of brain power to wrap our heads around, but at least it’s industry standard, and that’s something that we like. And those are really the two big benefits. The downside, for those of us who have ever customized or created ADM templates: you don’t get any new benefits. For instance, some of you may be aware that there’s just no way to hack at a REG_BINARY value in an ADM file. Okay, great, how do you do that in ADMX land? Well, you don’t; it doesn’t add any additional functionality, I’m afraid.