Tag Archives: Group Policy

Office 2010 GPO settings cause the Options menu to gray out

One of the networks that I manage does not have connectivity to the Internet. It also has Microsoft Office 2010 installed on all of the clients. As such, we had set up GPOs to turn off any functionality that requires Internet access. We discovered that doing this caused the File tab | Options menu to dim as well.  After a process of elimination, I found that the following policy is the one that causes the Options menu to dim:

User Configuration | Administrative Templates | Microsoft Office 2010 | Disable Items in User Interface | Disable commands under File tab | Help

Specifically, if this policy is enabled and Office Center is checked, then the Options menu is dimmed as well.  I posted this just in case someone else out there encounters this “feature.”


eventlog Security Group for Windows Event Logs

I had a bit of a hard time with this one, so hopefully I can save someone else the trouble of finding this information…

We have a security requirement to configure the ACLs for event logs so their access is restricted.  In Windows 7/Server 2008, a new virtual account, “eventlog”, is required to have full access to the logs to ensure proper functionality.

Since we configure the ACLs using Group Policy, I needed to include this as part of a file permission set.  In order to do this you must search for “NT SERVICE\eventlog” on the local machine.  You will not be able to locate the account any other way.

I suspect that this can also be configured using SDDL in the new event log GP Admin Templates, but haven’t had a chance to play with that.  If anyone has any experience with this policy, please link a post to my site…
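Here is an added check, not part of the original post, for confirming that the eventlog virtual account still has Full Control on the log files once your restrictive ACL has been pushed out by Group Policy. It assumes the default log location (%SystemRoot%\System32\winevt\Logs) and the account name given above; the function and parameter names are mine.

```powershell
# Added example (not from the original post). Verifies that NT SERVICE\eventlog
# keeps Full Control on the event log directory after a restrictive ACL is applied,
# and lists every other principal that holds write-level rights so an over-broad
# ACL is visible at the same time.
# Assumption: logs live in the default %SystemRoot%\System32\winevt\Logs.

function Test-EventLogAcl {
    param(
        [string] $Path = (Join-Path $env:SystemRoot 'System32\winevt\Logs'),
        [string] $ServiceAccount = 'NT SERVICE\eventlog'
    )

    $acl = Get-Acl -Path $Path
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    # The virtual account must have an Allow ACE that covers FullControl.
    # Note: ACEs written with generic rights show up as raw integers in
    # FileSystemRights, so we mask against the numeric value rather than
    # comparing the enum name.
    $serviceRule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band ([int]$full)) -eq ([int]$full)
    }

    # Anything else with write or delete rights is worth a second look.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete)
    $otherWriters = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ine $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Path                   = $Path
        EventLogHasFullControl = [bool]$serviceRule
        OtherWriters           = @($otherWriters | Sort-Object -Unique)
    }
}

# Builds the ACE you would add if the service account is missing. Resolving the
# NTAccount only succeeds on a machine where the virtual account exists, which is
# why the GPO editor has to browse the local machine rather than the domain.
function New-EventLogAccessRule {
    $identity = New-Object System.Security.Principal.NTAccount('NT SERVICE', 'eventlog')
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        'ContainerInherit, ObjectInherit',
        'None',
        'Allow')
}

$result = Test-EventLogAcl
$result
if (-not $result.EventLogHasFullControl) {
    Write-Warning "$($result.Path): NT SERVICE\eventlog lacks Full Control; event logging may fail."
    # Repair (run elevated):
    #   $acl = Get-Acl $result.Path
    #   $acl.AddAccessRule((New-EventLogAccessRule))
    #   Set-Acl -Path $result.Path -AclObject $acl
}
```

Run it after a gpupdate on a test box before the ACL policy reaches production; an empty OtherWriters list plus EventLogHasFullControl = True is the state you want.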

jnlp (Java Network Launching Protocol) does not run from IE, only prompts to save

If you’re running a secure network, you may encounter a situation where you try to launch a Java web app (from an SSL session) and instead IE will only give you the option to save the jnlp file.  Assuming that your JRE version is current, this is likely due to the following Group Policy being enabled:

Computer Configuration | Administrative Templates | Windows Components | Internet Explorer | Internet Control panel | Advanced Page | Do not save encrypted pages to disk

This causes IE to block saving the jnlp file to the cache, which also precludes it from launching.

IE 8 Search Provider Default Error (Group Policy Conflict)

Our Group Policy turns off IE search on our Windows 7/Server 2008 RTM/R2 machines.  We noticed that when a user first logs into one of these machines and opens IE, it displays a message that:

A program on your computer has corrupted your default search provider setting for Internet Explorer

The GPO deletes the search provider settings (since they are not used).  IE interprets this as a fault.  Microsoft has a hotfix for the problem:


WMI Query for an Installed Application

Last night, I was reading an excellent blog post by Darren Mar-Elia on why the Win32_Product class sucks.  This got me asking the question: If you wanted to create a WMI query to determine whether or not a particular application was installed on a machine, how would you do it?  A quick Google search turned up nothing useful.  Not one to shy away from a puzzle, I set out to figure a solution.

My initial approach was to try StdRegProv, but alas, the class contains only methods.  While such a class could be used in a script, it is an automatic no-go for queries (since a query only reads properties).  Now this is starting to look like the evil Sudoku puzzle I agonized over last week… 

Others on the Interweb suggested using the Win32_RegistryAction class.  This is a bad idea, since the class enumerates across the ENTIRE registry.  Wanna talk slow?  Hell, you’re better off using the Win32_Product class over this dog.  Besides, I couldn’t ever get the damn thing to work.

So instead, query the file system.  The advantage to this method is that it’s fast.  Oh, did I mention that it’s fast?  Speed cannot be underappreciated, especially if your query is tied to a GPO.  Nothing says admin-hater like a user who has to wait ten minutes to log on.

As an example, say you want to see whether Office 2007 is installed (in this case, Word).  Easy enough.  Create a query as follows:

Namespace: root\cimv2
Query: SELECT * FROM CIM_Datafile WHERE Name = 'C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE'

Be sure to note that you need double whacks!  If you’re really rambunctious, you can also specify that you’re looking for a particular version by adding a

AND Version = 'X.X.X.X'

which is useful if you’re checking for a patch.  Of course, you have to know where the application is installed.  You DID standardize your install packages, didn’t you?
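As an added example (my code, not the post’s), the following builds the CIM_Datafile query described above with the backslash doubling handled for you, and runs it locally so a filter can be tried out before it is attached to a GPO. The function names are mine; the Office path is just the post’s example and the version string is a constructed placeholder.

```powershell
# Added example (not from the original post). Builds and runs the CIM_Datafile
# WQL query used for "is this application installed" WMI filters.

function ConvertTo-WqlString {
    param([Parameter(Mandatory)][string] $Value)
    # WQL treats a backslash as an escape character, so every backslash in a
    # Windows path has to be doubled ("double whacks"). Single quotes are doubled
    # as well, so a value containing one cannot break out of the string literal.
    return $Value.Replace('\', '\\').Replace("'", "''")
}

function New-InstalledFileQuery {
    param(
        [Parameter(Mandatory)][string] $Path,
        [string] $Version   # optional exact file version, e.g. '12.0.6612.1000' (constructed)
    )
    $query = "SELECT Name, Version FROM CIM_Datafile WHERE Name = '$(ConvertTo-WqlString $Path)'"
    if ($Version) {
        $query += " AND Version = '$(ConvertTo-WqlString $Version)'"
    }
    return $query
}

function Test-InstalledFile {
    param(
        [Parameter(Mandatory)][string] $Path,
        [string] $Version,
        [string] $ComputerName = '.'
    )
    $query = New-InstalledFileQuery -Path $Path -Version $Version
    # A non-match returns no instances rather than an error, which is exactly how
    # a GPO WMI filter evaluates to false.
    $hits = @(Get-WmiObject -Namespace 'root\cimv2' -Query $query -ComputerName $ComputerName)
    return ($hits.Count -gt 0)
}

# Usage: the same check as the post, Word from Office 2007.
$word = 'C:\Program Files\Microsoft Office\Office12\WINWORD.EXE'
New-InstalledFileQuery -Path $word            # shows the escaped query text
Test-InstalledFile -Path $word                # $true if the file exists
Test-InstalledFile -Path $word -Version '12.0.6612.1000'   # $true only at that exact version
```

Keep the WHERE clause pinned to the full Name as shown: a query on CIM_Datafile that uses LIKE, or that filters only on Drive or Path, makes the provider walk the file system and loses the speed advantage the post is after.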

Oh and one more thing… don’t get too crazy with WMI queries in your GPOs… these suckers get eval’d EVERY refresh cycle.  So use them as little as possible and tear them down when you don’t need them anymore.

Don’t say I never helped you out…

Server Core/Hyper-V Server specific Group Policies

In our little digital wonderland, we are compelled (er, encouraged) by our security department to apply some rather draconian Group Policy Objects.  It’s a PITA, but security doesn’t care.  Since I’ve been doing these for a while, I can usually see whether or not a particular setting will f*** us before it’s implemented.  But considering there’s like three quadrillion settings, sometimes even I can’t predict what will happen.  Here’s a little ditty about one of those times:

I was logged in on a remote session to one of our Server Core installs.  If I remember correctly, I was trying to install an unsigned driver (it was a DSM for MPIO to our SANs, for all you standard nerds).  Well, just like that hot chick you bumped into at the bar last week… the promised call never came.  No error, no freeze, nothing.  Just a new command prompt line.

After much heartache, we found that the culprit was two UAC policy settings:
– User Account Control: Admin Approval Mode for the Built-in Administrator Account (Enabled)
– User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (3)
(Both of these are found in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | User Account Control)

Now I can’t say whether it was the fact that the exe was unsigned, or that it expected UAC, but the installer was blocked from starting.  So how to fix this?  Easy!  With another GPO that overrides the offending settings to Disabled and Elevate without prompting, respectively.  Scope this GPO to apply only to the Server Core machine and you’ll make your SAs AND security happy!

Not content to leave well enough alone, I wasn’t satisfied with listing every single Server Core machine in the GPO scope.  Nope.  If you know me, you know I don’t like to half-ass anything; I’m a whole-ass kind of guy.  This is where WMI (where have you been all my life? I love you!) comes in.

In Group Policy Management, create a new WMI filter in the WMI filters node.  In this filter, give it a clever name (like Server Core Only).  For the query, use the default root\CIMv2 namespace and the following for the query text:

SELECT * FROM Win32_OperatingSystem
WHERE OperatingSystemSKU = 12
OR OperatingSystemSKU = 13
OR OperatingSystemSKU = 14
OR OperatingSystemSKU = 42

Assign this filter to your GPO and you can fuggedaboutit.  In case you’re wondering where I got the SKUs, they can be found here: http://msdn.microsoft.com/en-us/library/aa394239(v=VS.85).aspx (search for OperatingSystemSKU).  Note that SKU 42 is not listed; this is for Hyper-V Server.
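Before linking the override GPO, it is worth confirming that the filter actually matches your Server Core boxes and that the two UAC values landed where you expect. The script below is an added example, not from the original post: the SKU-to-name table is mine, drawn from the OperatingSystemSKU documentation linked above plus the post’s note about 42, and the registry value names for the two UAC settings are the ones Windows uses once the policy is applied.

```powershell
# Added example (not from the original post). Evaluates the Server Core WMI
# filter against a machine and reports the effective UAC settings the post
# identifies, so the override GPO can be checked before it goes live.

$ServerCoreSkus = @{
    12 = 'Datacenter Server Core'
    13 = 'Standard Server Core'
    14 = 'Enterprise Server Core'
    42 = 'Hyper-V Server'   # not in the MSDN table; noted by the post
}

function New-ServerCoreFilterQuery {
    # Reproduces the filter text from the post from the SKU table above.
    param([int[]] $Skus = @($ServerCoreSkus.Keys))
    $clauses = $Skus | Sort-Object | ForEach-Object { "OperatingSystemSKU = $_" }
    return 'SELECT * FROM Win32_OperatingSystem WHERE ' + ($clauses -join ' OR ')
}

function Test-ServerCoreFilter {
    param([string] $ComputerName = '.')
    # Running the same query the filter uses: one instance back means the
    # filter is true for this machine, none means it is false.
    $query = New-ServerCoreFilterQuery
    $hits  = @(Get-WmiObject -Namespace 'root\cimv2' -Query $query -ComputerName $ComputerName)
    $os    = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem -ComputerName $ComputerName
    $sku   = [int]$os.OperatingSystemSKU
    $skuName = if ($ServerCoreSkus.ContainsKey($sku)) { $ServerCoreSkus[$sku] } else { 'not in filter' }

    [pscustomobject]@{
        ComputerName  = $os.CSName
        Caption       = $os.Caption
        SKU           = $sku
        SkuName       = $skuName
        FilterMatches = ($hits.Count -gt 0)
    }
}

function Get-UacAdminPolicy {
    # The two Security Options from the post are stored here once applied.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        AdminApprovalModeForBuiltinAdmin = $p.FilterAdministratorToken    # 1 = Enabled, 0 = Disabled
        ElevationPromptForAdmins         = $p.ConsentPromptBehaviorAdmin  # 0 = Elevate without prompting
    }
}

# Usage: run on (or against) the Server Core host after gpupdate.
New-ServerCoreFilterQuery
Test-ServerCoreFilter
Get-UacAdminPolicy
```

One caveat worth knowing: the SKU list above is specific to the 2008/2008 R2 era, where Server Core was a separate SKU. From Windows Server 2012 onward, Server Core is an install option of the same SKU as the full installation, so this filter will not catch those machines and you will need a different discriminator for them.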

Don’t say I never helped you out…