Vol. 18, #7 - February 18, 2013 - Issue #917
Group Policy Troubleshooting
- Editor's Corner
- From the Mailbag
- Group Policy Troubleshooting Improvements in Server 2012/Windows 8
- Tip of the Week
- Recommended for Learning
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Events Calendar
- Webcast Calendar
- Register for Webcasts
- Darren's Group Policy Blog posts
- Group Policy Articles
- 5 Free Tools for Managing and Supporting Windows
- How to do PowerShell on your phone
- 5 ways Microsoft Office 365 will make your workday more productive
- 4 Ways Storage Has Improved in Windows Server 2012
- From Brussels to Munich: Europe's Contributions to Cybersecurity
- An Inside Look at Identity Management at UC Davis
- Identity Management White Papers for Cloud and Hybrid IT
- How IT pros can control their private cloud computing destiny
- Application and OS updates for virtual desktops: Not so simple
- Why hypervisor tiering is the future of multiple hypervisor management
- Java malware, fileless malware pose threats to desktop security
- This Week's Links We Like. Fun Stuff.
- Support Thousands of End-Users Without Leaving Your Desk
- SAVE THIS NEWSLETTER so you can refer back to it later for helpful tips, tools and resources!
- FORWARD THIS NEWSLETTER to a colleague who you think might find it useful!
- SEND YOUR FEEDBACK to [email protected] if you have any comments or suggestions!
This week's newsletter is all about Group Policy troubleshooting improvements in Windows Server 2012/Windows 8 and includes a guest editorial by Darren Mar-Elia, Group Policy MVP and Founder, SDM Software, Inc. But before we hear from Darren, it's important to remember that it doesn't really matter if an improvement makes a feature more attractive, it's only important that it make the feature function better:
From the Mailbag
In the previous issue Cloudy Thinking - Identity Management (Issue #916) of this newsletter we posted the following Reader Needs Help item from Jim in Florida:
I've been struggling with find a method or software to block IP address from hackers that are trying a dictionary attack on my 2007 MS Exchange server. I have several clients that also have this issue. The ideal method or software would see that there is more than X amount of connection attempts from the same IP address and then block the connection. If you could post this question out to the community I would appreciate it.
Here are some of the suggestions we received from our readers:
Check into Albine. It offers the service he was requesting and more. I use it to keep Facebook from tracking me.
--Mark, a LAN Administrator from Indiana USA
Editor's Note: You can find more info about Albine here:
In my opinion you shouldn't try to solve this problem on the XCHG server but rather on the firewall in front of it. Almost every current firewall I know allows for detecting hammering and blocking the IP addess/port combination (important, because there might be some legitimate traffic on other ports).
--Martin, an IT Manager from Austria
The only software that comes to mind is NFR (Network Flight Recorder), The software would monitor the number of simultaneous connection from a single IP, and if certain conditions were met, would write an ACL rule to your router and block that IP for whatever duration you specified. Checkpoint software has since purchased NFR and has incorporated it into the Checkpoint IPS Blade application. The appliance uses stateful inspection so blocking IP addresses by content could be fine-tuned. The only issue could be accidentally blocking legitimate IP's. Clients using Active Sync on Smartphone's with PUSH technology, and the multitude of service providers that they would be connecting from could be an issue.
# iptables --table filter -A INPUT --protocol tcp --source 0/0 --destination-port ssh -m hashlimit --hashlimit 2/minute --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW --jump ACCEPT
Of course, that requires Linux....
Another (also Linux) option is "fail2ban", which is a script which monitors text log files looking for entries matching patterns which indicate failures, and then taking configurable actions in response. I'm not sure whether it has been ported to Windows, but if it has then it certainly can be made to work as long as a text log file is available.
Another option is a SIEM which takes proper log entries from the subject Windows server and feeds them in to an IPS which can dynamically configure a firewall to temporarily block connections from the offending source IP address ... but if the reader was ready to deploy such a complex and expensive solution then I doubt he would be asking here...
--Jay, a Security Manager from Barcelona, Spain
Our issue VMware Snapshots (Issue #915) included a guest editorial by Erik Zandboer, a vSpecialist Technical at EMC Computer Systems (Benelux). A reader named Bruce had some additional thoughts concerning this topic and shared his feedback with us as follows:
As a former VMware TSE working in this specific area and present VCP 3 & 4. I found this inaccuracy in the article by Erik Zandboer.
>Reverting is easy -- you delete the snapshot file.
This is somewhat dependent on what VMware product you are using. I am uncertain on the exact usage under Workstation or Fusion. Under ESX/Vsphere, this is a completely inaccurate statement. Point in fact. I work in a very large development environment where we have about 6000 VMs with an average of 6 snapshots per VM. You could look at this as we have about 40,000 VM (really depends on your point of view). Our developers normally revert (both with and without memory snapshots) between the various snapshots to test different aspects of our product and how it interacts with the OS. Our developers may have a directory tree of snapshots for testing an individual VM (example2). I've redacted a pair of examples.
Sure this is a nightmare when it comes to SAN storage migration or other processes like that, but it's integral to our development process. I've had to write at least 2 different implementations of a copy process to assist with moving large numbers of these VMs around. (storage example is example1). We've got something on the order of 40 TB and it's going to grow to about 80 TB soon.
Thank you for this section... Best practices when using VMware snapshots
Normally when I talk about this "Snapshots are NOT a backup", I normally add "they are a backup enabler".
When I was a TSE, we would normally state "snapshots should only be kept for 1 to 2 days" or basically long enough to test to see if your maintenance was successful and then delete/commit the snapshot.
Additionally there should be a distinction between "Production" and as in our case "Production Development" environments. All of the statements that Erik says are completely applicable in a Production environment. There is another unknown percentage of VMware environments that use the second scenario. I'd only ran across 2 during my 2 years as a TSE and now for the past 2 years I've been trying to maintain ours.
Send us feedback
Got anything more to say about what's in this week's mailbag? Email us at [email protected]
Group Policy Troubleshooting Improvements in Server 2012/Windows 8
And now on to our guest editorial by Darren Mar-Elia...
To be sure, there was not that much in the way of revolutionary new features or functions added to Group Policy in Server 2012. But what did happen is that Microsoft made some key improvements in the troubleshooting tools you have available and it's those I want to cover in this article. The two keys improvements that are most of interest to me are improvements to Resultant Set of Policy (RSoP) reporting in GPMC and better tooling for determining when the two pieces of a GPO—the AD and SYSVOL part—are out of sync. So let's look at each of these in detail to see what has changed.
Improved RSOP Reporting
One of the hardest things to determine in a Group Policy environment is why a client is not receiving policy properly. To be sure, there are a lot of moving parts within policy that make delivering settings confusing and problematic. That said it is nice when you can get hint of why a workstation or server is behaving the way it is. I've always used the Group Policy Results feature within GPMC in the past to determine what is going on with policy on a given workstation or server. GP Results goes out and talks to WMI on the remote system in question, and grabs summary data and settings data from that machine based on what policies were delivered. This information is extremely helpful when starting the troubleshooting process for Group Policy. That said it didn't always give useful information that you could act on to solve the problem. With the release of the GPMC version in Windows 8 and Server 2012, the information provided in this report gets a lot better. To start with, the Summary screen now provides "hints" as to where problems may be causing GPOs not to apply as you expect, as shown in Figure 1 below.
Figure 1: Viewing the new GP Results Summary Data
As you can see what is new simplified approach that provides high-level information and warnings about GP processing for the computer and user. In both cases, the "No Errors Detected" message shown above shows that GP processing worked as expected for both the computer and user. However, some additional information provides important warnings about this computer or user's processing cycle that may be relevant for troubleshooting problems. First, it tells me whether a fast or slow link was detected by computer and user. This can be useful because some policy areas do not run when a slow link is detected (e.g. Software Installation or Folder Redirection). Next it also warns me that the Block Inheritance flag has been set on the OU where the computer and user accounts reside. This means that, unless "upstream" GPOs are marked as Enforced, they will not be processed by the computer or user. This is good information to know since it lets me know that some GPOs that I'm expecting to get processed are not being, because of that flag. Finally, it gives me alerts as to the replication status of the GPOs being processed by the computer and user. In this example above, the "Test Tattoo" GPO is out of sync between AD and SYSVOL and as such this computer and user may not be getting the correct settings. Really good information to know up front!
In addition to this improved high-level alerting and warning system for the Summary page, the Details page has been re-organized to give you more information as well. In previous versions of GPMC, this Details page provided a list of the settings that were applied to the computer and user, as well as information about applied and denied GPOs (and why they were denied). This information is all still there, but has been expanded upon. For example, as you can see in Figure 2, this page now provides detailed timing for each policy area that was processed (under the Component Status section):
Figure 2: Viewing Detailed GP Results Data in GPMC
If you look at the Component Status section above, you will now see a "Time Taken" column that indicates how long each phase of the GP processing cycle tool for that computer or user. The "Group Policy Infrastructure" phase is the first part of the GP processing cycle, that determines which GPOs apply to a given computer or user.
In addition, under the Applied and Denied GPOs sections, you know get much more detail about the GPO, including which link of the GPO was the one actually being processed, whether it's status has been modified (e.g. user configuration side disabled, etc.) and whether it has any WMI Filters associated with it. All this leads to having more intelligence about what's going on at an end-client when GP processing occurs.
Not in GPResult.exe!
All of this new and improved information is very good for Group Policy troubleshooting. However, one quick thing to note about it, is that it was not made available in the command-line version of GP Results—namely the gpresult.exe utility. This is unfortunate, since many folks use that as their primary GP troubleshooting tool. That said, if you want to generate this information from the command-line, you can still use the PowerShell-based Group Policy Module and its Get-GPResultantSetOfPolicy cmdlet to generate the same HTML RSOP report as what you see in GPMC.
Group Policy Replication
The second key feature improvement I wanted to talk about is the new Group Policy Replication Status tool in GPMC for Windows 8 and Server 2012. In previous versions of Windows, if you wanted to figure out whether the AD & SYSVOL pieces of a GPO were in sync across all DCs, you had to use the clunky and often inaccurate gpotool.exe command-line utility. With the new version of GPMC, we now have both domain-wide and GPO-specific replication reporting. Figure 3 shows an example of the domain-wide Status reporting:
Figure 3: Viewing Domain-Wide GPO Replication Status Reporting
I accessed this feature by clicking on the domain-name node in GPMC and then selecting the Status tab on the right-hand pane, then pressing the "Detect Now" button in the lower right of this pane. What this feature does, at the domain level, is look at the replication status of all GPOs across all DCs to ensure that GPO content is in-sync. The "baseline" by which in-sync is measured is, by default the PDC emulator domain controller within each domain, because that is the default DC that originates GPO changes. You can change that baseline DC using the "Change" hyperlink shown above. One thing to note in this Status tool is that it not only checks GPO version numbers between AD & SYSVOL but it also checksums the file contents within SYSVOL on each DC vs. the baseline. This is more thorough than GPOTool ever did, but it will also take long to validate if you run this domain-wide status check in a large AD environment and especially if DCs are spread across a Wide Area Network (WAN).
As a result, an alternative to the domain-wide test is to perform a status check on a given GPO. You can do this by selecting the GPO under the Group Policy Objects node in GPMC, and then selecting the new Status tab in the right-hand pane, and clicking the same "Detect Now" button in the lower right, as shown in Figure 4:
Figure 4: Checking an Individual GPO's Replication Status
Even though I only have two DCs in my test environment, you can see above that the 2nd DC is in sync with the first.
Command-line Status Checking Missing
This replication status feature is great, but for those looking for command-line automation, similar to RSOP and gpresult.exe, you will not get the functionality you're after. In this case, in fact, there is no functional equivalent in either command-line or PowerShell utilities for performing this replication status check.
Down-level Access to These Features
You might be wondering how accessible these new features are for down-level systems, especially if you don't have plans to deploy Windows 8 or Server 2012 any time soon. The good news is that all the features I've talked about here are mostly accessible. You will likely get less information if you, for example, run the RSOP report against an XP client, but you can certainly run the report just fine against XP, Windows 7 or Windows 8 machines (and their server equivalents). And the same holds true with the replication status reporting—it will work just fine even if your DCs are Server 2003, which is good news!
About Darren Mar-Elia
Darren Mar-Elia is the CTO and Founder of SDM Software, a Group Policy solutions company. Darren has 30 years of IT and Software experience in the Microsoft technology area, including serving as a Director of Infrastructure at Charles Schwab, IT Architect at Autodesk, CTO of Windows Management Solutions at Quest Software, and Senior Director of Product Engineering at DesktopStandard. He has been a Microsoft MVP in Group Policy technology for the last 10 years, and has written and spoken on Active Directory, Group Policy and PowerShell topics around the world. He maintains the popular Group Policy resource site GPOGuy.com, and has been a Contributing Editor for Windows IT Pro Magazine since 1997. He has written or contributed to 13 books on Windows and enterprise networking topics. Darren also speaks frequently at industry conferences on Windows infrastructure topics.
- Company: SDM Software:
- Website: GPOGuy.com:
Send us feedback
Got questions or suggestions about troubleshooting Group Policy? Email us at [email protected]
Tip of the Week
Two tips this week! First a PowerTip from the Hey, Scripting Guy! Blog that shows you how to find processes using a lot of virtual memory on a Windows computer:
And second, here's a follow-up tip to last week's tip about getting the most life out of rechargeable batteries. From discussions with colleagues who know a lot more about hardware than I do, the consensus is that the best charger for rechargeable batteries is the Maha:
The following review provides details:
My colleagues also recommend Eneloop batteries as the best rechargeable batteries:
Contact me at [email protected] if you have a tip you'd like to share with our readers.
Recommended for Learning
Your Editor recently bought an iPod Touch (5th generation) to see what all the fuss is about. This is the first Apple device I've played with in a while and I must admit it's pretty cool though it can be a huge time waster...
Anyways, to come up to speed quickly on how to use the device I also got the following book from O'Reilly:
iPod: The Missing Manual. 11th Edition
Missing Manuals are excellent books for beginners (I much prefer them over Dummies books) but they can be a bit wordy and watered-down for techies like myself. For example, I'm about halfway through the book and could summarize the important things I've learned on a couple of flashcards. In fact, I wish they included some tear-out flashcards in the back of the book. Still, I'm glad I got the book as not everything about the iPod Touch is as intuitive as one might expect.
Here are some other Missing Manuals that Windows users might want to check out:
Windows 8: The Missing Manual (available for pre-order)
Windows 7: The Missing Manual
Office 2010: The Missing Manual
Quote of the Week
"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure. You are thinking of failure as the enemy of success. But it isn't at all. You can be discouraged by failure or you can learn from it, so go ahead and make mistakes. Make all you can. Because remember that's where you will find success." --Thomas J. Watson
Until next week,
BTW feel free to:
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.
Admin Tools We Think You Shouldn't Be Without
SolarWinds trio of free tools helps you manage and remove inactive computers and users from Active Directory, and allows you to add users in bulk. Download your three free tools today!
Free Tool – Idera Server Backup Free for your Windows and Linux servers. Back up in minutes to any disk-based storage, restore files in seconds with DiskSafe® technology.
Start discovering sensitive data in your file systems in the next 10 minutes with StealthSEEK – it’s that simple – download now:
Free Trial: NetWrix Change Reporter Suite, a simple IT infrastructure auditing tool that tracks changes made to all critical IT systems and reports on the "4W detail" – Who changed What, Where and When.
The Brocade ICX 6450 is a 458 port switch for the most demanding environments:
- Microsoft Lync Conference 2013 on February 19-21, 2013 in San Diego, USA
- Microsoft Management Summit on April 8-12, 2013 at the Mandalay Bay in Las Vegas, USA
- Microsoft TechEd North America on June 3-6, 2013 in New Orleans, USA
- Microsoft Worldwide Partner Conference on July 7-11, 2013 in Houston, USA
- Microsoft TechEd Africa 2013 on April 16-19, 2013 in Durban, South Africa
Add your event
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact [email protected]
Register for Webcasts
Add your Webcast
PLANNING A WEBCAST you'd like to tell our 100,000 subscribers about? Contact [email protected]
We'll begin with some of my favorite posts from Darren's Group Policy Blog:
- Configuring Event Logs with Group Policy:
- Expensive Group Policy Preferences Item-Level Targeting:
- Gaining Insight Into Group Policy And Desktop Performance:
- Cleaning Group Policy When Removing a Machine from the Domain:
- Best Practices for Group Policy Design Talk — Slides Posted:
- Where Are My Group Policy Settings?
- The Virtues and Vices of GPO Deny ACEs:
- Disabling Print Screen through Group Policy:
- Backing up and restoring the Local GPO:
Next we have some articles on Group Policy from WindowsNetworking.com and WindowsSecurity.com:
- Group Policy: Enforce vs. Enforced vs. Force:|
- Leveraging Group Policy Preferences:
- Group Policy: fact or fiction?
- Group Policy Processing Benchmarks:
- Top 10 Reasons Why Group Policy Fails to Apply (Part 1):
- Top 10 Reasons Why Group Policy Fails to Apply (Part 2):
- Best Practices for Configuring Group Policy Objects:
- Quick Guide to Troubleshooting Group Policy Security Settings:
Also be sure to check out Derek' Melber's recent series of three articles on Group Policy Settings (WindowsNetworking.com):
Now on to other stuff...
5 Free Tools for Managing and Supporting Windows
Russell Smith shows you how to reduce management and costs with these free tools from Microsoft (BizTech Magazine):
How to do PowerShell on your phone
Using this demo guide you can explore PowerShell from any web-capable device: your phone, your tablet, or your Raspberry Pi (Goatee PFE blog on TechNet):
5 ways Microsoft Office 365 will make your workday more productive
If you're burning the candle at both ends and juggling endless priorities, Office 365 can probably help (Microsoft Medium Business Blog):
4 Ways Storage Has Improved in Windows Server 2012
Russell Smith describes the new storage features improve performance that can help organizations manage costs (BizTech Magazine):
From Brussels to Munich: Europe's Contributions to Cybersecurity
Matt Thomlinson, General Manager, Trustworthy Computing at Microsoft, shares some thoughts about the cyber security conferences he recently attended in Europe in these two posts (Microsoft Security Blog):
An Inside Look at Identity Management at UC Davis
Identity management lets UC Davis streamline access, improve security and automate routine IT and HR tasks (EdTech Magazine):
Identity Management White Papers for Cloud and Hybrid IT
Tom Shinder, Principal Knowledge Engineer, SCD iX Solutions Group at Microsoft, shares some links to two whitepapers on identity management in the world of hybrid IT (The Private Cloud Man blog on TechNet):
How IT pros can control their private cloud computing destiny
While the private cloud is not for every organization, it can deliver a wide-range of benefits to those that leverage it effectively. Inside this exclusive tip, review the key steps necessary to build a successful private cloud and how to eventually take advantage of a hybrid cloud environment.
Application and OS updates for virtual desktops: Not so simple
Many organizations are eager to implement virtual desktops to simplify application and operating system updates – but taking this approach is not as easy as you might think. Discover the pros and cons of leveraging this virtual desktop strategy and find out whether or not it's right for your organization.
Why hypervisor tiering is the future of multiple hypervisor management
With so many advanced technologies available, multi-hypervisor environments are becoming the norm. As a result, IT pros are looking for new tactics and tools to better manage their dynamic infrastructures. In this tip, learn how hypervisor tiering can resolve top multi-hypervisor management challenges.
Java malware, fileless malware pose threats to desktop security
Ensuring desktop security is a top priority for all organizations, and in most cases, antivirus software can effectively protect your systems. However, there's a new type of threat causing significant concerns – the fileless bot. Find out more about this undetectable malware that's finding its way into organizations.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]
All of us have a preferred way to handle the steering wheel as we drive. But modern studies have determined that many of us are doing it all wrong....
One of the problems in visiting other solar systems has been that traveling faster than light was impossible... Well, it seems it isn't after all:
Experience Norway from a boat, on skis and from a paraglider in this breathtaking interactive 360° video. Just use arrow-keys or mouse to change the view in any direction you want:
In 1967, Walter Cronkite gave a tour of the home office of 2001 on his show "The 21st Century".
Finally, here's one contributed by a reader who says it's long been one of his favorites:
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.