Tag Archives: group policy

Small Business Server 2003 Group Policy and Software Update Services (book excerpt)

Hello everyone – I am Harry Brelsford, publisher of the Advanced Windows Small Business Server 2003 Best Practices book. Periodically I like to post of book passages as a virtual book reading – I blast from the past! Today’s topic is GP and SUS. And did you know – this is exactly the type of thing discussed in our annual fall conference, the 7th Annual SMB Nation event (October 2-4, 2009, Las Vegas).

So let’s rock!

Group Policy and Software Update Services While we are talking about Group Policy, let me mention that you should be using Software Update Services (SUS) to keep your client machines updated with security patches. I only mention it here because it is administered with— you guessed it—a Group Policy. You will need to download SUS or the yet-to­be released (as of this writing) Windows Update Services (WUS) at: www.microsoft.com/windowsserversystem/sus/default.mspx.

SUS Server-Side 

The initial setup is pretty straightforward. Run the setup executable and provide an installation path. Once SUS is installed, you perform administrative tasks using a Web page with the following URL: //servername/susadmin. You need to configure only a few settings to get the SUS server-side operational. Set these under the “Set options” link on the welcome page, as seen in Figure 4-5.

Figure 4-5 

Configure SUS on the Set options page. 





y SECTIONBrelsford1 1 MBSBS 2003Consuting BestDeploymentPrac

  SUS setup will automatically set the proxy option and put in the SBS 2003 server name. Then you must decide where your server will synchronize SUS content. Some consultants prefer to run a SUS server in their consulting office and have their customer’s SUS servers synchronize from the consultant’s office instead of Microsoft itself. You can also choose to have SUS automatically approve new versions of Microsoft updates or to ask for approval (which is my personal preference). Another option allows you keep a copy of the updates locally or have each client machine pull them down from Microsoft. You can greatly reduce your bandwidth demands by keeping a local copy of the updates on your server. Another option allows you to select which languages you would like to support.If you look closely at Figure 4-5, you will see the Synchronize server link on the left. Here you have the option of a one-time immediate synchronization or configuring a schedule to automatically synchronize. The first synchronization is very time consuming (as of Fall 2004, 239 updates for the English language needed to be downloaded!). After you synchronize your server, you need to select the Approve updates page and select which updates you want to be applied to the clients. There is no “approve all” button, so you will need to select the desired updates one at a time. I found a rapid way to approve these individual updates: Select the first update you want to approach and then hit Tab, Tab, SpaceBar. Keep repeating and if you get to an update you don’t want to apply, hit Tab instead of SpaceBar. That is all there is to setting up the server side of SUS!


SUS Client-Side

And now for Group Policy! The SUS client-side configuration is handled through GPOs. If you are running Windows 2000 Service Pack 2 (SP2) or Windows XP without Service Pack 1 (SP1), you will need to download the new SUS client at the Microsoft download URL (www.microsoft.com/windowsserversystem/sus/ default.mspx). If your desktops are more current, you already have the new SUS client. When the SUS server was installed, the Administrative Template was added to allow you to create or edit SUS settings.


pter CHAPTER1 ☛4 So You AdvanceWant o Setupan and SMB DeplymentConsultan 

To automatically update the client computers with approved updates, follow this procedure:

  1. Logon to SBS 2003 as the administrator.
  2. 2.     From the Start menu, launch Server Management. 
    1. 3.        Expand Advanced Management, Group Policy Management, For­est, Domain, yourdomain. 
    2. 4.     Right-click on Small Business Server Client Computer and select Edit. 

The Group Policy Object Editor will appear.

  1. 5.        Expand Computer Configuration, Administrative Templates, Win­dows Components and select Windows Update. 

Four options need to be configured for SUS to automatically update the client computers.

  1. 6.        Select Configure Automatic Updates. Check the radio button for Enabled. 

Select the frequency you would like it to check with your server Select the install time

When satisfied click next 

  1. Click Enabled. Complete the URL for your SUS server in the form of http://S ervername.

Populate the Update and Statistics server fields with the same URL since the SBS 2003 server machine will perform all of these roles.

  1. Click Next Setting and configure the client update schedule. The default is five minutes. There is one caveat if your users are running with Local Administrator rights (which Susan Bradley will warn you about in her Security chapter): the updates will not be auto­matically applied. Instead, the updates will generate a system popup message indicating that updates are available. The user has to click OK to download and install the updates. Until these updates are installed, NO FURTHER UPDATES will install!
  2. Click Next Setting, where you will make a decision about client computer automatic reboots after updates are applied.

As much as I would like to tell you to leave this disabled, I have found
it causes a lot of turmoil with the users to have machines unexpectedly
rebooting in the middle of their projects. So it is probably better to



y SECTIONBrelsford1 ☛ MBSBS 2003Consuting BestDeploymentPrac 


  enable this option, which effectively disables the automatic reboot. Remember: if you are confused by any of the choices, just use the Explain tab on each policy settings page to get more information.GPO Exception or Override

As powerful as a GPO can be in the affirmative, an exception GPO can be just as powerful and useful by effectively denying some behavior. I’ll give you an example of an exception or override GPO. One of my clients had his users creating all sorts of local user accounts on the desktops when I arrived as the new SBS consultant. This local user malfeasance caused potential security holes in their SBS network. When I pointed this out to the guy in charge, he asked if I could lock down the system so we could control who logged onto which client computer. I created a neat little GPO that forced everyone to logon with a domain account, which prevented local logons. Note that work was performed in the SBS 2000 timeframe and can’t be exactly replicated in SBS 2003, so kindly accept the above discussion as explanatory in nature.

To create an exception GPO:

  1. Logon to the SBS 2003 server machine as the administrator.
  2. 2.   From the Start menu, launch Server Management.
  3. 3.   Expand Advanced Settings and Group Policy Management.
  4. 4.   Expand Forest, Domains, yourdomain, MyBusiness, Users, SBSUsers.
  5. 5.   Right-click on the new OU you created earlier in this chapter titled LimitThese.
  6. 6.   Select Create and Link a GPO Here and name the new GPO OverRideNoRegeditNoRun.
  7. Right-click on this new GPO and choose Edit from the dropdown list.
    1. 8.   Expand User Configuration, Administrative Templates and click Start Menu and Taskbar.
    2. 9.   Double-click Remove Run menu from the Start Menu. Select the Disabled radio button and click OK.
    3. 10.                    Under Administrative Templates, select System.

11. In the right pane, double-click Don’t run specified Windows appli­cations. Select the Disabled radio button.


Visit www.smbnation.com for additional SMB and SBS book, newsletter and conference resources.





pter CHAPTER1 ☛4 So You AdvanceWant o Setupan and SMB DeplymentConsultan


  12.  Click OK twice and close the Group Policy Editor.13.  Right-click this newly created GPO and select Enforced.

14. Under Advanced Management in Server Management, Group Policy Management, Forest, Domains, yourdomain, Group Policy Objects, click the OverRideNoRegeditNoRun GPO.

15.  Click the Scope tab in the right pane.

16.Under Security Filtering, click Remove to remove Authenti­cated Users.

This is shown in Figure 4-6.

Figure 4-6

Authenticated Users will be removed in the Security Filtering section.



17. In the Security Filtering section, click Add.

  1. 18.   In the Enter the Object name to select field, type Administrators, click Check Names, and then click OK.

You have now created an exception GPO.



y SECTIONBrelsford1 ☛ SBS 2003Consuting BestDeploymentPrac

  BEST PRACTICE: If all you want to do is keep a specific GPO from being applied to a user or group, the easiest way is to remove the Apply Group Policy permission from the GPO itself. Do this on the Security tab of the GPO property sheet, as seen in Figure 4-7.

Figure 4-7

Select Deny for Apply Group Policy as a permission restriction. You will receive a warning message relating to a Deny selection (the warning is that Deny is very powerful).




Leave a comment

Filed under Book

Group Policy Objects (GPO) Tricks!

Hi there everyone – I am harry brelsford, co-author of the Advanced Windows Small Business Server 2003 Best Practices book. I like to hold virtual book readings and I’m posting up right here, right now. BTW – I hold a big annual fall conference in early October (Las Vegas) and perhaps you’d like to attend (learn more about SMB Nation Fall here).

Group Policy TipsLet’s move on and discuss Group Policy, which is an area that didn’t get any air time in the introductory SBS 2003 book in this series (Small Business Server 2003 Best Practices). Provided here are discussions about:

  • Creating new group policy objects,
  • Group policy and software update services, and
  • GPO exception or override.

Working with Group Policies has changed. Where you used to be able right click an object such as an OU or the Domain and select Properties and the Group Policy tab, that is no longer the case. If you try, you will get You have installed the Group Policy Management snap-in, so this tab is no longer used. Instead the Group Policy Management Console will open. This console will make seeing the effects of your policies much easier. But actually editing a policy may take you a little bit to figure out.

I poked around the Group Policy Management snap-in for quite some time trying to figure out how to actually change a Group Policy Object (GPO). It seemed like everything I clicked on was a view, but not editable. Here is the solution. All you have to do is right-click on the GPO or the shortcut to that GPO and choose Edit from the context menu that appears. It is always so simple once you figure it out!



Creating New GPOs

It’s time for a little Group Policy 101. Let’s make sure we understand how GPOs work. First of all, GPOs have to be connected to a container. Valid containers for GPO’s are:

  • Sites,
  • Domains, and
  • Organizational Units (OUs).



y SECTIONBrelsford1 ☛ MBSBS 2003Consuting BestDeploymentPrac

  With SBS 2003, you will work mostly with OUs and the Domain Container. To be brutally honest, sites are more of an enterprise concept and don’t really relate to the world of SBS 2003.No matter where you create your GPO, the actual policy code will reside in the sysvol directory on the domain controller at %systemroot% \SYSVOL\ domain\Policies.

What you actually put in the container OU or Domain is a link to the GPO. You can have more than one link to the same policy because they are re-useable (another author in the GPO field refers to this as “tattooing”). GPO relationships follow the hierarchical OU tree downward, unless you specifically block the GPO from being applied. That is, a nested child OU will inherit the GPO functionality of a parent OU.

This section covers the following procedures:

·Creating a new OU

·Internet Explorer GPO trick

·Logoff command


Creating a New OU

Let’s start out by creating a new OU to hold the link to a new GPO:

  1. Logon to SBS 2003 as the administrator.
  2. Launch the Server Management console.

3.     Expand Advanced Management, select Active Directory Users and Computers, expand the domain name object, expand the MyBusiness OU, and expand Users.

  1. Right-click on the SBS Users OU and select New, Organizational Unit from the context menu.

5.     Title your new OU as LimitThese then click OK.

Now you will use the Group Policy Management snap-in:

1.      In the Server Management console under Advanced Management, select Group Policy Management.

2.   Expand Forest, Domains, your domain name, MyBusiness, Users, and SBSUsers.


pter CHAPTER1 ☛4 So You AdvanceWant o Setupan and SMB DeplymentConsultan


3.          Right click on the new OU you created above, LimitThese. Select Create and Link a GPO Here and name the new GPO NoRegeditNoRun.BEST PRACTICE: When possible, I like to use a name that will remind me about what the GPO does. For a look at the power of GPOs, complete this quick exercise:

Right-click on the NoRegeditNoRun GPO and select Edit from the context menu. As you can see, there are two main sections: Computer Configuration and User Configuration. Take a moment and observe the thousands of GPO settings available. It is here you start to see the power that Group Policy can put in your hands via GPOs.

4.          Expand User Configuration, Administrative Templates and click Start Menu and Taskbar.

  1. Scroll down to Remove Run menu from the Start Menu. Double- click on this setting to open it.
    1. Click the Enabled radio button.

You can click the Explain tab for a detailed explanation of the settings. Kudos to the Microsoft team that wrote this excellent on-line help!

7.        Click OK.

8.          Find and select the heading titled System. On the right-side pane open Don’t run specified Windows applications.

  1. Click the Enabled radio button.
  2. Click Add and enter regedit.exe in the text field.
  3. Click Add again and enter regdt32.exe in the text field.

12.       Click Add again and enter cmd.exe in the text field.

  1. Click Show. The Show Contents dialog box appears, similar to Fig­ure 4-3.
    1. Click OK twice and close the Group Policy Object Editor snap-in.





y SECTIONBrelsford1 ☛ SBS 2003Consuting BestDeploymentPrac



Figure 4-3

Observing the commands you have entered that will not run.






So what does the new GPO do at this point? Nothing. We have not put any users into the NoRegedtNoRun OU we created, so perhaps I just gottcha with that trick question, huh? But once users have been placed in the OU, they will be impacted by the GPO (the Run command will not be available from the Start menu on their desktop computer). Additionally, the users will not be able use registry editor or the command prompt.

BEST PRACTICE: A note of caution: be careful! You can really hurt yourself with group policy, so go lightly until you get a feel for it. Be especially careful that you don’t put yourself or the administrator in the OU that you just created. Why? Because you will find it difficult to administer your network with the above-cited functionality disabled.


pter CHAPTER1 ☛ 4 So You AdvanceWant o SetupBe an and SMB DeplymentConsultan


Always test your GPO on a temporary user to make sure it performs as expected, before turning it loose on your network. Go ahead and create a temporary user in the new OU. Log on to a workstation as that new user to see the effect of the policy. Log off and log back on as the administrator. See why we put our GPO in the user section instead of the computer section? It is very important to think about what it is you are trying to control. Also keep in mind that most user settings are applied at logon, whereas most computer settings are applied at boot-time.

Internet Explorer GPO Trick

Here is a tip that will help you win the hearts of your clients. People like to see their names in important places, so put the client’s company name on the title bar of Internet Explorer. How, you ask? With a GPO that will edit the Default Domain Policy:

  1. Assuming that the Group Policy Object Editor (Figure 4-3) is still open, expand the User Configuration section.

2.      Select the Windows Settings, Internet Explorer Maintenance, and Browser User Interface.

  1. Double-click on Browser Title object, select Customize Title Bars, and enter the client’s company name.

4.        Click OK.


Leave a comment

Filed under Book